In January 2019 the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 19-01, “Mitigate DNS Infrastructure Tampering”, after a campaign in which Domain Name System (DNS) records for US government domains were altered to redirect traffic to attacker-controlled infrastructure.
The Domain Name System (DNS) translates human-readable domain names into Internet Protocol (IP) addresses so that browsers and other clients can reach Internet resources. Internet Protocol version 4 (IPv4) uses 32-bit addresses written as four dotted decimals; Internet Protocol version 6 (IPv6), the current version of the protocol, uses 128-bit addresses written as colon-separated hexadecimal groups. For example, www.google.com resolves to an IPv4 address from one of Google’s blocks such as 172.217.0.0/16 and to an IPv6 address such as 2404:6800:4006:80a::200e (the exact answers vary by region and over time). IPv6 adoption is growing because the IPv4 address space has been exhausted by the number of devices on the Internet, and its far larger address space simplifies address allocation and management.
A DNS zone holds more than web server addresses. It also describes the domain’s infrastructure: MX records name the mail servers, NS records name the authoritative name servers, and A and AAAA records give the IPv4 and IPv6 addresses of those hosts. The records are maintained by a domain administrator who authenticates to the DNS provider’s management interface (or to the authoritative server) to change them. Changes are normally infrequent and planned: before a change, the administrator lowers the time-to-live (TTL) on the affected records so that resolvers across the Internet stop caching the old answers and pick up the new ones quickly.
In the campaign behind the directive, attackers used compromised DNS administration credentials to alter zone records: A, NS and MX entries that belonged to the legitimate web, name and mail servers were repointed to attacker-controlled hosts, so that traffic and email destined for the legitimate servers went to the attacker’s servers instead. Because they controlled where the domain resolved, the attackers could also pass the domain-validation checks that certificate authorities perform and obtain valid TLS certificates for the hijacked names, which let them decrypt and read the redirected traffic without triggering browser warnings.
DNS hijacking is not limited to US government. DNS underpins practically every service on the Internet, not only the World Wide Web, and any company doing business online depends on its DNS records being correct for uninterrupted operations. Many companies outsource their DNS to a domain registrar or a managed DNS provider, so the administrative accounts at that provider need the same protection as the company’s own systems.
The Department of Homeland Security’s CISA recommends:
- Audit all DNS records, especially A, AAAA, MX and NS, and verify that they resolve to the intended hosts;
- Change the passwords on every account that can modify DNS records, at the registrar and DNS provider as well as on any self-hosted name servers;
- Enable multi-factor authentication on those DNS administrative accounts; and
- Monitor Certificate Transparency logs for certificates issued for your domains that were not requested through your normal process, and investigate any you did not request.
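The first and last of these checks, and the TTL behaviour described earlier, can be scripted. The block below is an added example written for this article, not Agilient’s or CISA’s tooling: it diffs a zone’s live answers (in the `dig +noall +answer` layout) against a known-good baseline, flags unplanned TTL drops, and then checks Certificate Transparency entries (using the field names crt.sh returns in its JSON output) against a hypothetical internal ledger of requested certificates and approved issuers. The domain example.com, the baseline, the “live” answers, the CT entries and the ledger are all constructed sample data.

```python
"""Two checks from the CISA ED 19-01 action list, over constructed sample data:
diff live DNS answers against a known-good baseline, and flag Certificate
Transparency entries the organisation did not request. Added example."""
import json
from collections import defaultdict

# Constructed baseline: what the administrator last published for example.com.
BASELINE = """\
example.com.      3600  IN  NS  ns1.example.com.
example.com.      3600  IN  NS  ns2.example.com.
example.com.      3600  IN  MX  10 mail.example.com.
www.example.com.  3600  IN  A   192.0.2.10
mail.example.com. 3600  IN  A   192.0.2.25
"""

# Constructed "live" answers showing the tampering pattern ED 19-01 describes:
# TTLs lowered, an NS and the MX repointed off-zone, www moved to a new host.
LIVE = """\
example.com.      300   IN  NS  ns1.example.com.
example.com.      300   IN  NS  ns.attacker-dns.example.
example.com.      300   IN  MX  10 mx.attacker-mail.example.
www.example.com.  300   IN  A   198.51.100.7
mail.example.com. 3600  IN  A   192.0.2.25
"""


def parse_answers(text):
    """Parse dig-style answer lines into {(owner, rtype): (ttl, {rdata, ...})}."""
    records = defaultdict(lambda: [None, set()])
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        entry = records[(owner.lower(), rtype.upper())]
        entry[0] = int(ttl)
        entry[1].add(" ".join(rdata).lower())
    return {k: (ttl, frozenset(rd)) for k, (ttl, rd) in records.items()}


def diff_records(baseline_text, live_text):
    """Return findings as strings; an empty list means the zone is unchanged."""
    base, live = parse_answers(baseline_text), parse_answers(live_text)
    findings = []
    for owner, rtype in sorted(set(base) | set(live)):
        b_ttl, b_rd = base.get((owner, rtype), (None, frozenset()))
        l_ttl, l_rd = live.get((owner, rtype), (None, frozenset()))
        findings += [f"ADDED   {owner} {rtype} {rd}" for rd in sorted(l_rd - b_rd)]
        findings += [f"REMOVED {owner} {rtype} {rd}" for rd in sorted(b_rd - l_rd)]
        # An unplanned TTL drop deserves a look: administrators lower the TTL
        # before a planned change, and so does someone preparing a hijack.
        if b_ttl is not None and l_ttl is not None and l_ttl < b_ttl:
            findings.append(f"TTL     {owner} {rtype} {b_ttl} -> {l_ttl}")
    return findings


# Constructed CT entries in the shape of crt.sh's JSON export; name_value
# lists the certificate's names separated by newlines.
CT_ENTRIES = json.loads("""[
 {"id": 1001, "issuer_name": "C=US, O=Example CA, CN=Example CA R3",
  "name_value": "www.example.com", "not_before": "2018-11-02T09:14:00"},
 {"id": 1002, "issuer_name": "C=US, O=Example CA, CN=Example CA R3",
  "name_value": "mail.example.com\\nwebmail.example.com",
  "not_before": "2018-11-02T09:20:00"},
 {"id": 1003, "issuer_name": "C=US, O=Other Free CA, CN=Other Free CA X3",
  "name_value": "mail.example.com", "not_before": "2019-01-14T03:41:00"}
]""")

# Assumed internal ledger (hypothetical): CT ids of certificates the
# organisation requested through its normal process, and the CA it uses.
REQUESTED_IDS = {1001, 1002}
APPROVED_ISSUERS = {"C=US, O=Example CA, CN=Example CA R3"}


def unexpected_certs(entries, requested_ids, approved_issuers, zone="example.com"):
    """Return (id, names, reasons) for certificates covering the zone that the
    organisation did not request or that came from an unapproved CA."""
    flagged = []
    for e in entries:
        names = [n.strip().lower() for n in e["name_value"].split("\n")]
        if not any(n == zone or n.endswith("." + zone) for n in names):
            continue
        reasons = []
        if e["id"] not in requested_ids:
            reasons.append("not in request ledger")
        if e["issuer_name"] not in approved_issuers:
            reasons.append("unapproved issuer")
        if reasons:
            flagged.append((e["id"], names, reasons))
    return flagged


if __name__ == "__main__":
    for finding in diff_records(BASELINE, LIVE):
        print(finding)
    for cert_id, names, reasons in unexpected_certs(
            CT_ENTRIES, REQUESTED_IDS, APPROVED_ISSUERS):
        print(f"CERT    id={cert_id} names={','.join(names)} ({'; '.join(reasons)})")
```

In practice the baseline would be a saved copy of the zone taken when it was last verified, the live answers would come from querying each authoritative server directly (so a poisoned resolver cannot hide the change), and the CT entries would be fetched from crt.sh or another log monitor on a schedule. The script reports nine findings for the sample zone and flags the one certificate that was neither requested nor issued by the approved CA.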
Agilient has Cybersecurity Consultants and Auditors who can assist with these checks as a specific task, or as part of a wider security review.
Author: David Steele, Agilient Cyber Security Consultant