Best practices for thwarting DNS hijacking attacks
The DHS emergency order validates what security experts have been advising customers and organizations to do in general for some time. The use of multifactor authentication and ongoing monitoring of DNS records are basic security measures all organizations should be taking to protect their sites and underlying customer data from DNS hijacking attacks.
We also strongly recommend implementing DNSSEC, which enables recursive DNS resolvers to check the authenticity of the information received from the previous authoritative DNS server in the series of lookups required to return a DNS answer to a user. This prevents a criminal from sending a user to a malicious site instead of the intended business website.
DNS is a critical technology that connects all aspects of IT infrastructure, applications and online services—everything between the server and the user—which makes it an extremely attractive target for cybercriminals.
As organizations around the globe drive more aggressively toward connected, digitally transformed operations, this attack vector will grow in significance. Taking quick action to implement and maintain these basic preventative measures will be imperative in preventing attacks and keeping organizations and customer data safe from cybercriminals.
Here is more on each specific step:
Monitor authoritative DNS activity logs to quickly spot issues
It might seem overwhelming to consider tracking every DNS response. But by monitoring DNS activity and IDS logs, an organization can more easily observe DNS configuration changes and shifting traffic patterns, which can reveal key indicators of compromise. For instance, unexpected and unplanned changes to DNS record configurations or sudden changes in traffic volume can indicate malicious DNS activity.
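As an added example (not code from the original article), the following Python implements the record-change monitoring described above: it compares an approved baseline of a zone's records with a fresh snapshot and ranks every difference, treating changes to the record types most often tampered with in a hijack as high severity. The zone contents, names and addresses are constructed for the example.

```python
"""Flag unexpected authoritative DNS record changes against an approved baseline."""

# Record types whose modification is most consequential in a hijack (assumption:
# a change to any of these is high severity regardless of the name affected).
HIGH_RISK_TYPES = {"NS", "A", "AAAA", "MX", "CNAME"}

def parse_snapshot(text):
    """Parse 'name type value' lines (a simplified zone-file style) into a set."""
    records = set()
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop ';' comments and blank lines
        if not line:
            continue
        name, rtype, value = line.split(None, 2)   # value may contain spaces (MX, TXT)
        records.add((name.lower(), rtype.upper(), value.strip()))
    return records

def diff_records(baseline, observed):
    """Return records that appeared or disappeared relative to the baseline."""
    return {"added": observed - baseline, "removed": baseline - observed}

def assess(diff):
    """Return (severity, action, record) tuples, high-severity findings first."""
    findings = []
    for action in ("added", "removed"):
        for rec in diff[action]:
            severity = "high" if rec[1] in HIGH_RISK_TYPES else "low"
            findings.append((severity, action, rec))
    return sorted(findings, key=lambda f: (f[0] != "high", f[1], f[2]))

# Constructed sample data using RFC 5737 documentation addresses.
BASELINE_ZONE = """
example.com.      NS  ns1.example-dns.net.
example.com.      NS  ns2.example-dns.net.
example.com.      A   203.0.113.10
www.example.com.  A   203.0.113.10
example.com.      MX  10 mail.example.com.
example.com.      TXT "v=spf1 mx -all"
"""
# Snapshot in which one name server and the apex A record now point elsewhere.
OBSERVED_ZONE = """
example.com.      NS  ns1.example-dns.net.
example.com.      NS  ns-rogue.example.net.   ; unexpected delegation change
example.com.      A   198.51.100.7            ; unexpected address change
www.example.com.  A   203.0.113.10
example.com.      MX  10 mail.example.com.
example.com.      TXT "v=spf1 mx -all"
"""

if __name__ == "__main__":
    diff = diff_records(parse_snapshot(BASELINE_ZONE), parse_snapshot(OBSERVED_ZONE))
    for severity, action, rec in assess(diff):
        print(f"[{severity.upper()}] {action}: {' '.join(rec)}")
```

In practice the observed snapshot would come from a scheduled zone transfer or the DNS provider's API, and each high-severity finding should be reconciled against the change-management record before being dismissed.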
Use multi-factor authentication for authoritative DNS and registrar logins
Organizations should implement strict access controls that limit access to legitimate users who are responsible for modifying DNS settings. If an organization has multiple DNS administrators, it can assign different functions to different users depending on their role, as well as restrict update access to the zones and records they need to do their job.
It's important to strengthen access controls by implementing multi-factor authentication and single sign-on. If an organization uses scripts or APIs to update DNS, it should use strong authentication keys and restrict key usage to valid sources using IP whitelisting to add an additional layer of access security.
Finally, organizations should use secure practices in interfacing with their domain registrar and keep the list of authorized contacts with the registrar up to date. This will enable the organization to maintain control over its domain name and avoid missing an expiration notice from the registrar.
Enable Domain Name System Security Extensions (DNSSEC) and zone signing
DNSSEC works by giving recursive DNS resolvers a mechanism to check the authenticity of the information received from the previous authoritative DNS server in the series of lookups required to return a DNS answer to a user. It protects the integrity of DNS information by having each zone of the DNS digitally signed and verified by the top-level domain. With many businesses handling financial, health or personal data, it is the organization's duty to protect customers from this form of attack.