Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News & Commentary

3/14/2017
02:00 PM
Merike Ko
Merike Ko
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Debunking 5 Myths About DNS

From the boardroom to IT and the end user, the Domain Name System is often misunderstood, which can leave organizations vulnerable to attacks.

The Domain Name System (DNS) is the common denominator for all communication on the Internet. It touches everyone. Every online transaction – good or bad – begins with a DNS lookup. Despite its critical role in our online lives, DNS is often misunderstood and, as a result, leaves organizations more vulnerable to attacks. I’d like to address five myths about DNS.

Myth 1: DNS Is not a Boardroom Issue
If you were to walk into your average corporate executive suite and say “DNS,” most likely the executives would wonder why this technical detail is being mentioned to them. Most C-level and boardroom execs view DNS purely as an IT issue. Yet that could not be farther from the truth.

Domain names and related subdomains are critical company assets - your brand ambassadors - that need to be carefully managed and protected to ensure a healthy, profitable business. If these assets are used in phishing scams or other cyberattacks, a company’s revenue and reputation can be severely damaged.

Today, too often, it’s the organization’s legal team that truly understands the value of DNS to the corporate brand. In many companies, the IT department initially registers the domain names but leaves the oversight of the domain name to the legal department. A better approach is for legal and technology teams to collaborate to insure that all the domains that are properly registered have policies, procedures, and tools in place to protect them.

Myth 2: DNS Drives on Auto-Pilot
A DNS architecture is not static – it is constantly evolving and requires care. Many corporate infrastructures suffer from considering that DNS is something you configure and leave alone since "it just works." In reality, DNS cannot ride on auto-pilot; DNS hygiene is essential as an ongoing task. I suspect there are many environments that never monitor their DNS traffic to see where the domain name to IP address resolution is being performed. Is the server that is giving the authoritative answers truly authoritative, or is it a malicious server that is impersonating an authoritative role? 

DNS architectures need to be engineered with careful thought as to how long entries should be cached, and where cache miss traffic resolution should be performed. For example, users can change the DNS resolvers they go to and, thereby, significantly impact corporate business risk. Is this allowed in your environment? Robust DNS architectures need to be created that also follow and enforce DNS architecture best practices.

Myth 3: DNS Is not a Security Issue
In 2016, DNS celebrated its 33rd birthday. In its early days, DNS was not a key security issue. In the first edition of my book, “Designing Network Security,” published in 1999, I only made passing mention of securing critical infrastructure services such as DNS. It wasn’t until 2005 that I started incorporating in-depth DNS security into my security workshops and assessments. Over the last five to 10 years, cybercriminals have increasingly utilized DNS for various malware infrastructures. Despite the rise in DNS-related cyberattacks, such as DNS Changer, companies still overlook DNS during security assessments. Today, DNS security is essential for protecting against cyberattacks. Historical and real-time visibility of the DNS can provide critical context for suspicious indicators of compromise (IoCs) for SOCs and other security teams.   

Myth 4: DNS-Related Risks Are Small
Today DNS is integral to online criminal infrastructures. Why? Because purchasing domain names is cheap and easy. In fact, upwards of tens of thousands of domains are generated per day by a single malware family, according to Trend Micro. The number of DNS-related cyberattacks is escalating across all types of industries, from healthcare to retail, as well as across all government agencies. For example, in 2016, enforcement agencies took down 4,500 domain names selling counterfeit luxury goods, sportswear, spare parts, electronics, pharmaceuticals, toiletries and other fake products. According to the APWG Phishing Trends Report Q4 2016, 2016 was the worst year for phishing ever. The total number of phishing attacks observed by the APWG in 2016 was a record 1,220,523, a 65% increase over 2015.  DNS-related risks are great and can have a significant impact on a company’s financial and reputation bottom line.

Myth 5: DNS=Translating Names to Numbers
DNS is not just about mapping domain names to IP addresses. It plays a larger role in Internet communications. DNS also provides critical information, including:

  • MX records -- specifies the domain name of a mail recipient's email address;
  • SRV records -- defines both the port number and the domain name used by a service;
  • DNSSEC (Domain Name System Security Extension) records -- cryptographically signs each DNS CNAME records -- maps a name to another name.

From the boardroom to legal and IT departments and the end user, DNS is critical to the success of every corporation. Understanding the myths about DNS and aligning corporate strategies for assessing and addressing them is an important step to improving your organization’s security posture.

Related Content:

 

Merike is the CTO of Farsight Security, responsible for developing the technical strategy and executing its vision. Prior to joining Farsight Security, Merike held positions as CISO for Internet Identity (IID), and founder of Doubleshot Security, which provided strategic and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
smartmadre
50%
50%
smartmadre,
User Rank: Apprentice
3/14/2017 | 2:22:05 PM
Myth 6 You can't use DNS to motivate your child to learn math
Myth 6 You can't use DNS to get your child to learn math

https://www.reddit.com/r/shamelessplug/comments/5yxbry/we_automated_one_of_the_most_frustrating_parts_of/?st=j09qgdna&sh=0fc143b3

 

 
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34390
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
CVE-2021-34391
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
CVE-2021-34392
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
CVE-2021-34393
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
CVE-2021-34394
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.