Malware That Manipulates The DNS
Part of IID’s DNS Dojo Series
It’s not just an important piece of securing an enterprise, it’s essential. No, we’re not talking about a firewall, which has long been considered table-stakes security for any organization. We’re talking about employing security measures at the DNS (Domain Name System) level for all organizations with a Web presence and those that connect to others via the Internet.
We’ve previously discussed how communications between extended enterprise partners can put those organizations at risk, especially when the connections made between partners aren’t monitored or authenticated at the DNS level. Putting security mechanisms in place can help to ensure connections aren’t inadvertently made to untrusted or unknown nameservers.
We’ve also previously discussed how Domain Name System Security Extensions (DNSSEC) protects Internet users by identifying the legitimacy of a domain’s DNS configuration and telling a user’s software that it’s communicating with the intended destination. This mechanism secures the user by refusing connection to a domain whose DNS configuration cannot be confirmed as legitimate. But DNSSEC doesn’t yet have full Internet-wide adoption and there are many blind spots in its coverage so far.
DNSChanger Danger
So what happens when a security measure like DNSSEC isn’t in place or doesn’t protect completely against malware that attempts to infect your company’s machines? Recently, we saw an example of just what can happen with a piece of malware known as DNSChanger that was at one point present on millions of computers, including machines at half of all Fortune 500 companies and government agencies.
When a computer is infected with DNSChanger malware, its DNS settings are changed to use the criminals’ rogue DNS servers. This, in turn, allows the criminals to drive the affected user’s traffic wherever they desire. In some cases, the cyber criminals used the rogue nameservers to direct traffic to advertisement sites to generate click-traffic for profit. Even though the criminals behind DNSChanger were arrested and their malicious DNS servers replaced by DNS servers operated by the Internet Systems Consortium (ISC) under a court order, machines still infected with DNSChanger remain vulnerable. Until the July 9 expiration of the court order, the ISC DNS servers provided infected machines with correct DNS resolution. With the ISC DNS servers no longer functional, compromised machines are unable to connect to the Internet until DNSChanger is removed and their proper DNS settings restored.
One reason those machines infected with DNSChanger had to be cut off from the Internet was to prevent them from further infecting other computers they connect to. But keeping those computers offline benefits their owners too, as one factor that makes malware like DNSChanger especially dangerous is that these rogue DNS servers also prevent users from downloading system and anti-virus updates on victim machines, making them more susceptible to other malware attacks. Consensus among security insiders suggests that over 80 percent of all malware takes advantage of DNS insecurity to some degree, making it crucially important to monitor the DNS for unauthorized configuration.
How You Can Take Action
To defend against DNSChanger-type malware, enterprises should ensure that computers on their networks aren’t able to connect to rogue DNS servers, which they can do by redirecting all port 53 traffic to their own recursive DNS servers. Doing so passes all traffic through organizationally approved servers—the way hotels, hospitals or universities might—and in effect denies any virus or malware’s attempt to use compromised DNS servers. With all traffic passing through designated internal servers, monitoring for anomalies becomes possible and can give the enterprise insight into possible points of infection.
Monitoring is an absolutely critical part of any security approach, and should include monitoring the DNS configurations of the domains you connect with or visit, as well as monitoring your network for connections to rogue DNS server IPs. You can’t avoid the bad guys if you don’t know who they are, so having an up-to-date list of known bad IPs and nameservers is key. Armed with that crucial information, organizations can detect and protect against malware infections, identify potential sources of data loss, and limit security breaches across their networks.
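One way to do the network-side monitoring described above, as an added example that is not part of the original post: scan firewall logs for port 53 flows that bypass the approved internal resolvers, and flag any that land in a known rogue resolver range. The resolver addresses, the rogue range and the log lines are all constructed placeholders (RFC 5737 documentation addresses), not the real DNSChanger ranges or IID data.

```python
import ipaddress
import re

# Constructed: the enterprise's own approved recursive resolvers (hypothetical addresses).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed placeholder for a known-rogue resolver list; a real deployment would load
# an up-to-date feed here. These are documentation addresses, not actual DNSChanger ranges.
KNOWN_ROGUE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed firewall log excerpt in a simple key=value format.
SAMPLE_LOG = """\
ts=2012-07-09T10:00:01Z src=10.0.5.17 dst=10.0.0.53 proto=udp dport=53 action=allow
ts=2012-07-09T10:00:02Z src=10.0.5.42 dst=203.0.113.7 proto=udp dport=53 action=allow
ts=2012-07-09T10:00:03Z src=10.0.5.42 dst=203.0.113.7 proto=udp dport=53 action=allow
ts=2012-07-09T10:00:04Z src=10.0.5.9 dst=198.51.100.20 proto=tcp dport=53 action=allow
ts=2012-07-09T10:00:05Z src=10.0.5.9 dst=192.0.2.80 proto=tcp dport=443 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def classify(dst):
    """Label a DNS destination: 'approved', 'known_rogue', or 'unapproved' (unknown resolver)."""
    if dst in APPROVED_RESOLVERS:
        return "approved"
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in KNOWN_ROGUE_NETS):
        return "known_rogue"
    return "unapproved"


def find_rogue_dns_clients(log_text):
    """Return {src: {dst: (verdict, hit_count)}} for every port-53 flow not going to an approved resolver.

    Each src that appears here is a candidate infected host: it is resolving names somewhere
    other than the organisation's own servers, which is exactly what DNSChanger causes.
    """
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(4) != "53":
            continue  # malformed line or not DNS traffic
        src, dst = m.group(1), m.group(2)
        verdict = classify(dst)
        if verdict == "approved":
            continue
        per_src = findings.setdefault(src, {})
        prev_count = per_src.get(dst, (verdict, 0))[1]
        per_src[dst] = (verdict, prev_count + 1)
    return findings


if __name__ == "__main__":
    for src, dsts in find_rogue_dns_clients(SAMPLE_LOG).items():
        for dst, (verdict, n) in dsts.items():
            print(f"{src} -> {dst}:53  {verdict} ({n} flows)")
```

Hosts tagged `unapproved` have resolver settings that bypass the internal servers and should be checked even when the destination is not yet on a known-bad list.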
Monitoring DNS configurations for potentially malicious changes provides a layer of protection similar to that which DNSSEC provides, but without the necessary cooperation of all domains you connect with. Instead, individual organizations can monitor all extended enterprise partner domains they connect with. When potentially malicious changes to the DNS record are detected, communication with those domains can be stopped, eliminating risk to their customers, employees and brand.
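The partner-domain monitoring described above, as an added example that is not part of the original post: compare a stored baseline of each partner domain's NS and A records against the latest lookup, report what changed, and pick out domains whose entire authoritative nameserver set was replaced, the change most worth cutting communication over. The domain names, records and both snapshots are constructed; a real deployment would populate the current snapshot from scheduled lookups.

```python
# Constructed baseline: the partner domains' DNS configuration as last approved (hypothetical names).
BASELINE = {
    "partner-a.example": {"NS": {"ns1.partner-a.example", "ns2.partner-a.example"},
                          "A": {"192.0.2.10"}},
    "partner-b.example": {"NS": {"ns1.partner-b.example", "ns2.partner-b.example"},
                          "A": {"192.0.2.20"}},
}

# Constructed "current" snapshot as a scheduled lookup might return it; partner-b has been
# repointed to an unfamiliar nameserver and address.
CURRENT = {
    "partner-a.example": {"NS": {"ns1.partner-a.example", "ns2.partner-a.example"},
                          "A": {"192.0.2.10"}},
    "partner-b.example": {"NS": {"ns.unknown-host.example"},
                          "A": {"203.0.113.5"}},
}


def diff_records(baseline, current):
    """Return {domain: {rrtype: {"added": set, "removed": set}}} for every record set that changed."""
    changes = {}
    for domain, records in baseline.items():
        observed = current.get(domain, {})  # missing domain counts as every record removed
        for rrtype, expected in records.items():
            seen = observed.get(rrtype, set())
            added, removed = seen - expected, expected - seen
            if added or removed:
                changes.setdefault(domain, {})[rrtype] = {"added": added, "removed": removed}
    return changes


def severity(domain, changes, baseline):
    """'critical' when none of the baseline nameservers remain, 'warning' for any other change."""
    ns_change = changes.get(domain, {}).get("NS")
    if ns_change is not None and ns_change["removed"] == baseline[domain]["NS"]:
        return "critical"
    return "warning"


def domains_to_block(baseline, current):
    """Partner domains whose authoritative NS set was wholly replaced since the baseline."""
    changes = diff_records(baseline, current)
    return {d for d in changes if severity(d, changes, baseline) == "critical"}


if __name__ == "__main__":
    found = diff_records(BASELINE, CURRENT)
    for domain, per_type in found.items():
        print(domain, severity(domain, found, BASELINE), per_type)
```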
This type of monitoring and subsequent action serves as something like a firewall—a DNS firewall—by stopping Internet users from becoming victims of malware or other effects of malicious changes to a domain’s DNS. In our next DNS Dojo installment, we’ll talk about the idea of a firewall for DNS communications and how having one in place might help protect Internet users from stumbling into malware, phishing websites or other fraud online. Stay tuned!