As mission-critical infrastructure, DNS is regularly targeted by bad actors with DDoS attacks, cache poisoning, remote code execution, and other cybercrimes. Vulnerabilities are discovered regularly; without frequent software updates and patching, your business is at risk of downtime, outages or data breaches - all of which can result in customer churn, revenue loss, and/or a tarnished brand reputation.
A number of severe vulnerabilities were identified over the past month within open-source DNS tools, underscoring the importance of keeping your critical software - like your DNS - up-to-date.
Keep reading for more information on the vulnerabilities, as well as some precautions your team can take to protect your DNS from future issues.
Recent DNS Vulnerabilities
Just today, researchers at SIDN Labs, InternetNZ, and the Information Science Institute at the University of Southern California publicly disclosed tsuNAME, a vulnerability in DNS resolver software. They discovered the vulnerability can be weaponized to carry out DDoS attacks against authoritative DNS servers, using domain names misconfigured with cyclically dependent NS records.
About two weeks earlier, developers of BIND 9 DNS server software disclosed a separate trio of high and medium-risk vulnerabilities and released a patch to address the issues. The flaws included:
CVE-2021-25216, the most serious vulnerability out of the 3, is a buffer overflow risk in GSSAPI, the application protocol interface for a secure authentication protocol called GSS-TSIG. It can lead to a server crash and in some cases to remote code execution.
CVE-2021-25215, a vulnerability that involves errors in handling DNAME records
CVE-2021-25214, a lower risk vulnerability caused by a security bug related to processing incremental zone updates that when left unresolved can cause processes to crash.
These aren’t the only DNS vulnerabilities discovered within the last month. At the end of April, researchers at Forescout and JSOF published a report titled NAME:WRECK, which outlined nine DNS vulnerabilities across four widely used open-source TCP/IP stacks used in IoT, operational technology (OT), and IT devices.
None of the vulnerabilities were found to be the target of active exploitation at the moment, though this is sure to change now that the details have been made public. Left unpatched, companies using this software leave themselves open to DNS cache poisoning, Denial of Service (DoS) and Remote Code Execution (RCE), potentially resulting in outages, downtime, or a cybersecurity breach.
Protecting your network against DNS vulnerabilities requires regular monitoring of emerging threats, and regular patching of identified vulnerabilities. Here are a few ways you can stay ahead of new threats.
Monitor the Landscape and Your Infrastructure Regularly
First, subscribe to relevant disclosure notifications lists to ensure you receive an alert whenever a new vulnerability or patch is discovered. The Internet Services Consortium (ISC) has a number of mailing lists split out by specific concerns - you can see the full list here: https://www.isc.org/mailinglists/. The Cybersecurity and Infrastructure Security Agency (US-CERT) offers another good disclosure notification list that is worth subscribing to.
Then, make sure you’re regularly scanning your infrastructure for vulnerabilities like these once they are released, and patching appropriately. In general, emerging vulnerabilities like the ones listed above underscore the importance of keeping your critical infrastructure - like your DNS - up-to-date, especially with any remotely exploitable issues.
Ensure The Providers You Work With Are Equally Vigilant About Security
Finally, do your due diligence on the security practices of your service providers. This is particularly important for providers of your critical infrastructure like your DNS, as a DNS attack can bring down your business-critical applications and sites, both internal and customer-facing. Check to see if your provider regularly invests in the security of their software, follows industry best practices, and if their own employees also follow security protocol best practices.
And if you’re still managing critical infrastructure in-house, consider outsourcing those that are highly exploitable to a provider who can do the legwork for you in keeping software up to date and patched against vulnerabilities.