DNSSEC: The Secret Weapon Against DNS Attacks 

The domain name system (DNS) is known as the phone book of the internet, quickly connecting users from their devices to their desired content. But what appears to most users as seamless and instantaneous actually offers multiple opportunities for bad actors to slip through the cracks. In April 2021, a troubling report indicated that an estimated 100 million devices worldwide were susceptible to one of nine vulnerabilities affecting the implementation of DNS. These nine vulnerabilities were packaged under the apt moniker NAME:WRECK.

NAME:WRECK was found to affect some common TCP/IP stacks used in everything from IT devices to the internet of things (IoT) and operational technology (OT). Think: Sensitive and life-supporting equipment such as medical devices, or critical industrial control systems (ICS) such as energy and power equipment. Organizations across multiple industries—from health care and government to financial services, technology, manufacturing and more—could be impacted. NAME:WRECK has the potential to subvert DNS, leading to denial of service or remote code execution; perhaps even expanding the attack surface in the process.

As in most aspects of cybersecurity, there is no single silver bullet to protect against every type of DNS attack, whether spurred by NAME:WRECK or other vectors. The best defense requires implementing a host of measures, such as conducting consistent security reviews, keeping up with vulnerability patch management, maintaining good account hygiene and ensuring appropriate access controls. One lesser-known but effective tool against certain attacks is DNSSEC, or DNS security extensions. DNSSEC can be extremely effective in preventing DNS attacks that deliver bad or false responses to a device's query, including cache poisoning and domain hijacking. DNSSEC lets a validating resolver confirm that a DNS answer is authentic and unmodified, providing end-to-end integrity checks that give a high degree of confidence in a connection.

The Dangers of Cache Poisoning, Domain Hijacking

Normally, when a user enters a website address on their device, the device makes a DNS query via its stub resolver. The stub resolver is configured to forward that query to a larger caching recursive resolver. If the answer is already in the recursive resolver's cache, it is returned to the stub resolver and the user proceeds to the known site. If not, the recursive resolver takes steps to find an answer, asking various authoritative servers for a response. Authoritative servers can only answer for their own domains, and only with what the domain name owner elected to publish in that zone: web pages, email, content servers and other locations.

With cache poisoning, bad actors target exactly this cache: They poison a recursive resolver's cache with bad or false data. They spoof responses and flood recursive resolvers with them, with the aim of having some false responses cached as legitimate. The false responses typically include a long time-to-live (TTL), and that longevity provides an extended opportunity for exploitation. As a result, many users may be redirected to a false site established to capture sensitive or personally identifiable information (PII) before the security breach is detected.

In domain hijacking, bad actors take over a domain to make changes, impersonating the legitimate owner. Such attacks are often made possible when cybercriminals gain access to login credentials, such as through successful phishing or social engineering attempts or through outright theft. In some cases, such attacks may be perpetrated by someone inside an enterprise. With DNS access, criminals can populate systems with false data which then gets stored and sent to users, directing them to nefarious sites. 

DNSSEC Provides a Critical Layer of Security

DNSSEC provides enterprises with an additional weapon in their security arsenal. Every DNS zone owner has both a private key, kept under wraps, and a public key, published in DNS (as a DNSKEY record) to be visible and usable. DNSSEC uses asymmetric, or public key, cryptography to produce digital signatures: the zone owner signs their DNS data with the private key, and anyone holding the public key can confirm that the signature is the owner's. A successful validation provides assurance that the data is authentic and unmodified, while any change to the signed data causes validation to fail and prevents the connection.

DNSSEC can ensure that users are accessing your online presence with confidence and is one of many tactics that should be implemented to secure internet communications. Provided the resolver validates signatures, any failure in the DNSSEC chain of trust causes DNS resolution to fail rather than return tampered data, thwarting attacks like cache poisoning or domain hijacking.
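To make the signing and validation described above concrete, here is a small Python model written for this article (not Neustar's code or any real DNSSEC implementation): a zone owner signs an RRset with a constructed toy RSA key, a validating resolver checks it against the published key, and a poisoned answer fails validation and is refused. The key sizes, record values and the omission of PKCS#1 padding are simplifications assumed for illustration.

```python
import hashlib

# Constructed toy RSA key pair for illustration only: the primes are the Mersenne
# primes 2^127-1 and 2^521-1. Real DNSSEC zones use 2048-bit RSA or ECDSA P-256.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: the key kept under wraps (Python 3.8+)
ZONE_DNSKEY = (N, E)                # public key: what the zone publishes in DNS

def canonical_rrset(name, rrtype, ttl, rdatas):
    """Serialise an RRset the way DNSSEC does before signing (owner name
    lower-cased, records sorted) so signer and validator hash identical bytes."""
    rows = [f"{name.lower()} {ttl} IN {rrtype} {r}" for r in sorted(rdatas)]
    return "\n".join(rows).encode()

def rrset_digest(name, rrtype, ttl, rdatas):
    """SHA-256 of the canonical RRset as an integer (always smaller than N)."""
    data = canonical_rrset(name, rrtype, ttl, rdatas)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign_rrset(name, rrtype, ttl, rdatas, private_exponent=D, modulus=N):
    """RRSIG-style signature: textbook RSA over the digest (the PKCS#1
    padding used by real RSASHA256 is left out of this model)."""
    return pow(rrset_digest(name, rrtype, ttl, rdatas), private_exponent, modulus)

def verify_rrset(name, rrtype, ttl, rdatas, signature, dnskey=ZONE_DNSKEY):
    """What a validating resolver does: recompute the digest and check the
    signature against the zone's published DNSKEY. True only if the data
    is exactly what the zone owner signed."""
    modulus, exponent = dnskey
    return pow(signature, exponent, modulus) == rrset_digest(name, rrtype, ttl, rdatas)

def resolver_outcome(name, rrtype, ttl, rdatas, signature, dnskey=ZONE_DNSKEY):
    """A validating resolver answers SERVFAIL instead of handing out data
    that fails validation, so a poisoned answer never reaches the user."""
    ok = verify_rrset(name, rrtype, ttl, rdatas, signature, dnskey)
    return "NOERROR" if ok else "SERVFAIL"

# Constructed sample zone data: the legitimate A records for www.example.com.
GOOD_RDATAS = ["192.0.2.10", "192.0.2.11"]
GOOD_SIG = sign_rrset("www.example.com.", "A", 3600, GOOD_RDATAS)
# A poisoned cache entry: same owner name and RRSIG, but one address swapped.
BAD_RDATAS = ["203.0.113.66", "192.0.2.11"]

if __name__ == "__main__":
    print(resolver_outcome("www.example.com.", "A", 3600, GOOD_RDATAS, GOOD_SIG))  # NOERROR
    print(resolver_outcome("www.example.com.", "A", 3600, BAD_RDATAS, GOOD_SIG))   # SERVFAIL
```

A forged RRSIG produced with a key other than the zone's DNSKEY fails the same check, which is why an attacker who can inject answers but does not hold the zone's private key cannot make poisoned data validate.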

While initial adoption was once technically expensive and resource-intensive for enterprises, deploying DNSSEC has become mainstream over the past few years as a growing number of third-party cloud DNS providers have stepped in to simplify the implementation process and perform the ongoing maintenance required to ensure continued security.

As a security professional, make sure to have DNSSEC as one of many arrows in your quiver. 

Michael Kaczmarek

Michael Kaczmarek is the VP of Product Management for Neustar’s Security Solutions business unit. He is responsible for evangelizing the vision, strategies, and tactics for the successful launch and expansion of products into new and existing markets. Prior to joining Neustar, Michael was with Verisign for more than 18 years where he served in various capacities including VP of product management and marketing for Verisign Security Services. He previously served as a systems engineering manager for Lockheed Martin in charge of their Solid Rocket Motor Disposition in Russia Program. Michael holds a Bachelor of Science in aerospace engineering from the University of Maryland and a Master of Engineering in environmental engineering from Johns Hopkins University.