This document discusses how DNS can be an important part of a company's cybersecurity strategy. It describes how DNS works and how attackers can use DNS for reconnaissance, command and control, tunneling, and data exfiltration. It recommends incorporating DNS into defenses by using it to detect suspicious traffic, as an indicator of compromise, in data loss prevention, with newly observed domains, and as part of DDoS defenses. The document advocates using DNSSEC, DMARC, DKIM and SPF to enhance security and provides examples of how DNS can be leveraged in a cybersecurity ecosystem.
2. What is DNS?
Often called the phone book of the Internet, DNS converts between IP addresses and human-readable names.
You may not think you know much about the Domain Name System (DNS), but whenever you use the Internet, you use DNS. Every time you send electronic mail or surf the World Wide Web, you rely on the Domain Name System.
DNS is part of the fabric of both the Internet and corporate networks. It works so efficiently that you might even forget it exists—until it is used against you.
5. How could DNS be used/exploited?
Cyber kill chain stages:
Stage 1 – Reconnaissance: harvesting email addresses, conference information, etc.
Stage 2 – Weaponization: coupling exploit with backdoor into deliverable payload
Stage 3 – Delivery: delivering weaponized bundle to the victim via email, web, USB, etc.
Stage 4 – Exploitation: exploiting a vulnerability to execute code on victim's system
Stage 5 – Installation: installing malware on the asset
Stage 6 – Command & Control (C2): command channel for remote manipulation of victim
Stage 7 – Actions on Objectives: with "Hands on Keyboard" access, intruders accomplish their original goal
DNS techniques mapped across the chain on the slide: DNS Reconnaissance, DNS Infiltration, DNS Tunneling, DNS DDoS, DNS Exfiltration, DNS Callback, DNS Protocol Anomalies, DNS Exploits, DNS Hijacking, DNS kill switch
6. Assessing the risk
•Check good DNS practice is in place
•Control DNS communication
•Understand/Review how DNS is exploited
•Registrar security
•Risk mitigation for DDoS
•Process to deal with a "kill switch"
•Blocking malware C&C communication
•Exfiltration of data
•Leverage DNS based Indicators of Compromise
•Test data exfiltration via DNS (don't assume)
•Reviewing the gaps from outside to inside
7. You will do some of this based on risk assessment
Recommendation (architecture diagram): Internal Clients -> Internal DNS -> DMZ DNS Cache -> Internet, with Proxies & Gateways alongside.
DO NOT allow Any -> Port 53. Only known internal DNS servers can use the DMZ DNS cache.
The internal DNS layer is the choke point and gives VISIBILITY of the query source.
Detection layers shown: "packet inspection" (Signature), "Machine Learning" (Behaviour), "List of IoCs" (Reputation), "Rules & Policy".
8. So where does DNS fit in the Cyber Strategy?
More places than you might think…
9. So where does DNS fit in the Cyber Strategy?
•To detect and block suspicious and malicious traffic
•As highly focused indicators of compromise
•As part of your DLP Strategy
•Pro-active security with Newly Observed Domains
•To enhance the capabilities of other security controls
•As part of your DDoS defences
•DNSSEC / DMARC, DKIM, SPF
10. FQDN based Indicators of Compromise
So let's talk about false positives…
Dnsduck10[.]duckdns[.]org – Specific C2 indicator hit within the parent domain
192[.]169[.]69[.]25 – 415 possible domain hits! Do you want to sift through >400 other results?
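The false-positive point above, as an added example that is not part of the slides: matching the same indicator list against resolved DNS answers once by FQDN and once by IP. The answer data is constructed (RFC 5737 documentation addresses, example.* names), and the `refang` helper is an assumption about how the bracketed indicator format is normalised.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of resolved DNS answers (query name, answer IP); not from the slides.
# Several unrelated names share one address, as on shared hosting or a CDN, so an
# IP indicator fans out into many candidate hits while an FQDN indicator stays exact.
SAMPLE_ANSWERS = [
    ("dnsduck10.duckdns.org", "192.0.2.25"),   # the slide's C2 FQDN, constructed answer IP
    ("shop-demo.duckdns.org", "192.0.2.25"),
    ("blog.example.net", "192.0.2.25"),
    ("static.example.org", "192.0.2.25"),
    ("mail.example.com", "198.51.100.7"),
]


def refang(indicator):
    """Turn a defanged indicator such as 'Dnsduck10[.]duckdns[.]org' into a comparable value."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def match_indicators(indicators, answers):
    """Map each (refanged) indicator to the sorted query names it matches.

    An FQDN indicator matches a query name exactly; an IP indicator matches every
    name whose answer was that address, which is where the noise comes from.
    """
    hits = defaultdict(set)
    for raw in indicators:
        ioc = refang(raw)
        for qname, ip in answers:
            name = qname.lower().rstrip(".")
            if (is_ip(ioc) and ip == ioc) or (not is_ip(ioc) and name == ioc):
                hits[ioc].add(name)
    return {ioc: sorted(names) for ioc, names in hits.items()}


if __name__ == "__main__":
    iocs = ["Dnsduck10[.]duckdns[.]org", "192[.]0[.]2[.]25"]
    for ioc, names in match_indicators(iocs, SAMPLE_ANSWERS).items():
        print(f"{ioc}: {len(names)} hit(s) -> {names}")
```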
11. DNS based Data Exfiltration
DNS can be used as a covert back channel to exfiltrate data, download malware or issue remote commands.
There are many off-the-shelf packages available: DNS2TCP, TCP-over-DNS, OzymanDNS, Iodine, SplitBrain, DNScat-P/DNScat2, DNScapy, TUNS, PSUDP, YourFreedom, etc.
12. Not DLP! But this is exfiltration over DNS
Sophisticated (zero-day):
Infected endpoint gets access to file containing sensitive data
It encrypts and converts info into encoded format
Text broken into chunks and sent via DNS using hostname.subdomain or TXT records
Exfiltrated data reconstructed at the other end
Can use spoofed addresses to avoid detection
Diagram (Enterprise | Internet): Infected endpoint -> DNS server -> Attacker-controlled server thief.com (C&C); data flows out, C&C commands flow back.
Data Exfiltration via host/subdomain – simplified/unencrypted example:
NameMarySmith.foo.thief.com
MRN100045429886.foo.thief.com
DOB10191952.foo.thief.com
MarySmith.foo.thief.com
SSN-543112197.foo.thief.com
DOB-04-10-1999.foo.thief.com
13. DNS based Data Exfiltration (cont.)
So how can you monitor and prevent DNS tunnelling?
Signature based detection and blocking
Reputation based detection and blocking
Behavioural based detection and blocking
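Behavioural detection of the pattern from the previous slide, as an added example that is not part of the deck: per registered domain, count unique subdomains, measure the entropy of the data-carrying leftmost label, and count TXT queries, then flag domains showing several traits at once. The query log is constructed around the slides' thief.com names, and the two-label "registered domain" rule is a simplifying assumption (real deployments use the Public Suffix List).

```python
import math
from collections import defaultdict

# Constructed DNS query log (time, client, qtype, qname) modelled on the slides'
# thief.com example; the hex TXT label is a made-up encoded chunk.
SAMPLE_LOG = """\
10:00:01 10.1.1.20 A www.example.com
10:00:02 10.1.1.20 A NameMarySmith.foo.thief.com
10:00:02 10.1.1.20 A MRN100045429886.foo.thief.com
10:00:03 10.1.1.20 A DOB10191952.foo.thief.com
10:00:03 10.1.1.20 A SSN-543112197.foo.thief.com
10:00:04 10.1.1.20 TXT 4a6f686e446f6532303031.foo.thief.com
10:00:05 10.1.1.21 A mail.example.com
10:00:06 10.1.1.21 A www.example.org
"""

def registered_domain(qname):
    """Naive registered domain = last two labels (assumption; production code uses the Public Suffix List)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def shannon_entropy(text):
    """Bits per character; encoded data chunks score higher than ordinary hostnames."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values()) if text else 0.0

def score_domains(log_text, min_unique=4, min_entropy=3.0):
    """Aggregate per registered domain; return {domain: [reasons]} where at least two exfiltration traits appear."""
    per_domain = defaultdict(lambda: {"names": set(), "ent": [], "txt": 0})
    for line in log_text.splitlines():
        _time, _client, qtype, qname = line.split()
        leftmost = qname.split(".")[0].lower()   # the label that would carry exfiltrated data
        s = per_domain[registered_domain(qname)]
        s["names"].add(qname.lower())
        s["ent"].append(shannon_entropy(leftmost))
        s["txt"] += 1 if qtype == "TXT" else 0
    flagged = {}
    for dom, s in per_domain.items():
        reasons = []
        if len(s["names"]) >= min_unique:
            reasons.append(f"{len(s['names'])} unique subdomains")
        if sum(s["ent"]) / len(s["ent"]) >= min_entropy:
            reasons.append("high-entropy leftmost labels")
        if s["txt"]:
            reasons.append(f"{s['txt']} TXT queries")
        if len(reasons) >= 2:   # one trait alone is too noisy to block on
            flagged[dom] = reasons
    return flagged
```

Thresholds are starting points to tune against your own baseline, and the output is a review queue rather than an automatic block list.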
14. Newly Observed Domains (NODs)
Adding NODs into your strategy is a game changer…
Block that Phishing domain before its campaign even starts
Prevent communication to C2 domains before they become widely known
Leverage NODs for enhanced Spam Filtering
17. As part of your DDoS Defences
Correct architecture is critical…
Service Separation – don't have all your eggs in one basket.
Leverage Anycast.
Use hardened DNS Servers which can detect and drop attack traffic.
18. Other ways to leverage DNS
DNSSEC – Chain of trust for your DNS entries
DMARC Policy – Part of your anti-spam defences
DKIM and SPF – Key-based authentication for mail servers and Sender Policy Framework; both are needed for DMARC policies to function correctly.
19. Summary – DNS should be part of your layered defences
•To detect and block suspicious and malicious traffic
•As highly focused indicators of compromise
•As part of your DLP Strategy
•Pro-active security with Newly Observed Domains
•To enhance the capabilities of other security controls
•As part of your DDoS defences
•DNSSEC / DMARC, DKIM, SPF
23. About Infoblox…
Building on almost twenty years of industry experience with Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and IP address management (IPAM) services (DDI), Infoblox has developed the Actionable Network Intelligence Platform.
This platform goes beyond DDI to enable organizations to harness insights derived from the rivers of core services data moving through their networks to enhance all aspects of management, security, agility, and cost control.