« Twelve Days of Phishmas - Fifth Anniversary Carol | Main | Harden your resolvers: protect your recursive DNS for you and for everyone else »

Tuesday, 17 December 2013

Are you Monitoring Your DNS?

Why monitor DNS? The obvious reason is to ensure that your Domain Name System is operating as intended. But there’s more to it than that.

6292330496_907445c8c5_m
Image by bizkit

Access to almost every Internet application relies on queries to DNS, a global name resolution database to determine an Internet address associated with a domain name or hyperlink. Yet despite how heavily business relies on DNS, many IT departments overlook how useful DNS monitoring can be in improving network security and performance.

Monitoring DNS involves three different elements of the service:

  • Authoritative name service is the element of the DNS that returns answers to queries using only local databases (zone data) that the domain administrator or registrant configures or authorizes a third party to configure.
  • Recursive resolver service is a DNS server that processes queries made by the systems and devices connected to your private networks.
  • Client device operating systems or applications use very simple stub resolvers. These typically issue queries to recursive resolvers, not only for DNS information about resources in your domains, but also for every publicly registered domain.

Each of these elements can be an important network operations diagnostic or security measure. Let’s take a look at monitoring authoritative name service. We’ll examine the other two elements in future blogs.

Classes of threats

Users and applications make use of zone data that you publish from your domain name servers in order to learn the IP addresses of web, mail, or other hosted Internet services. You and they rely on the accuracy of these data. Two classes of threats exist.

If an attacker gains control over the system where you host authoritative name service, he can alter (or add) records in your zone data so that responses to user queries send users to malicious pages (e.g., defacement or phishing pages) rather than intended web pages. Attackers can alter your mail exchange (MX) service address or add MX records to your zone, causing incoming email to be delivered to the wrong destinations or outgoing email to contain bogus source addresses. Spamming from a domain is attractive because the spammer benefits from the positive reputation your mail service has, and this reputation can be harmed as a consequence of such attacks.

Attackers can also hijack a domain name registration account and change the configuration of the registration so that the name server address in the domain configuration points to a system, name server software, and malicious zone data that the attacker controls. This latter attack is simpler than others. It often involves a social engineering or password guessing attack, and occurs more frequently than you might think. (See cases involving Network SolutionsGoogle, and LinkedIn.)

Monitoring DNS

Beyond hardening the authoritative name server infrastructure and making it resilient to failure (for example, by operating or contracting for secondary service), consider implementing the checklist for monitoring the operational status and zone-data integrity of your name service, as described below, from A Registrant’s Guide to Protecting Domain Name Registration Accounts:

  1. Are the name servers identified in the WHOIS response for the domain name the complete and accurate set of name servers that your organization has identified as providing authoritative name service for the domain?
  2. Are the name servers published in the TLD zone file for the domain name the complete and accurate set of name servers that your organization has identified as providing authoritative name service for the domain?
  3. Are the name servers operational? (For example, do the hosts respond to a ping or simple DNS query?) Are they performing as expected?
  4. Are all the name servers secured (hardened against known attacks)? Are all software (OS, name server) packages current with respect to approved versions (e.g., tested and approved by your technical staff), with released hot fixes and patches?
  5. Are the name servers responding in ways consistent with your baseline correct configuration?
  6. Do all the name servers that provide authoritative name service for the domain return complete and correct zone data for all formulations of DNS queries against the zone?

The guide also explains how you use the WHOIS service to monitor domain registration data for unauthorized changes to IP addresses associated with name servers for your domain names.

If you aren’t already monitoring authoritative name service, it's never too late to begin, so start now. 

This is the first post of a three part series on DNS and domain registration risk and protection:

Part I: Are you monitoring your DNS?

Part II: Harden your resolvers: protect your recursive DNS for you and for everyone else

Part III: Avoid Risks: Manage your DNS Portfolio

 

Originally posted 8/19/2013 at 21st Century IT under Foil Hackers with DNS Monitoring.

Related articles
Domain Internet Groper: Using dig to access DNS zone data
A Chain Saw is a Poor Choice for Surgery and for Blocking Content

Posted at 03:31 PM in Domain names and DNS |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories