In January, the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency (CISA) took the unusual step of issuing an emergency directive (EN 19-01) about Mitigating DNS Infrastructure Tampering. Several days, the National Cyber Security Centre (NCSC) which is part of the UK Government Communications Headquarters (GCHQ) also issued an alert on DNS Hijacking activity.
As I said, both agencies warnings unusual. This is CISA’s first ever emergency directive, and it is one of only 8 guidance posts released. NCSC has only issued 2 other alerts, for the TalkTalk breach and when the NHS was impacted by WannaCry.
If you haven’t read the read these alerts or any of the associated news coverage, let me provide a summary. Attackers have been directing attacks to DNS infrastructure, with organisations and government agencies falling victim. The goal of the attackers, thought to be of Iranian origin, is to redirect and intercept web and email traffic (and other network services).
The attacks have typically followed the pattern:
- Compromising user credentials or an attacker that can make changes to DNS
- Next, altering DNS records replacing legitimate records with addresses the attacker controls. This allows them to redirect user traffic to infrastructure they own. They can them manipulate and inspect all the traffic.
- Attackers can obtain SSL certificates as they have control over DNS. This allows encrypted traffic to be decrypted, exposing private data and credentials.
The CISA guidelines are just as applicable for enterprise environments as they are for government agencies. Let’s look at how your organisation could perform the recommended steps.
Action One: Audit DNS Records
The first action item will be the most difficult for most organisations, auditing all your DNS records. For some organisations, even if they prioritise records that are associated with key services offered to their users and customers, MX records and NS records, that could consist of hundreds of entries.
Thankfully, there are some processes and tools that can help us in this task.
I recommend aiming to setup a tool to manage your DNS records, for example, DNSControl. I have a detailed write up on the why and how of DNSControl in my post, Managing DNS with DNSControl, CloudFlare, DNSimple, GitHub, VSTS, Key Vault, and Docker!.
To get your audit underway, I recommend these steps:
- Get a copy of each DNS zone, most providers will provide one in BIND format.
- Follow the Migration and Getting Started guidance for DNSControl.
- Place your DNSControl file into a Git repository.
- Break the zones and files up into smaller chunks so that multiple members of your team can review each entry.
The goal is to end up with a comment for each DNS entry (or almost every entry), explaining the purpose and who requested the entry. Any suspicious entries should be immediately handled as a potential security issue.
You should keep your eye out for dangling DNS records. These are cases where a DNS entry has been defined in a zone that points to an IP address or another record that is no longer in use. I wrote about these as a potential attack vector in 2017, DNS Squatting with Azure App Services. These attacks have become even more prevalent, with government agencies and businesses falling victim.
Side note: This is also a great time to review the SPF records for each of your domains.
Action Two: Change DNS Account Passwords
The second action is simple. Change the passwords for all accounts that can manage your DNS. If you have a higher risk profile, consider changing passwords on a regular basis.
Don’t just think about DNS hosting, depending upon your environment, your domains might be purchased via a different provider than who hosts your DNS zones. These accounts must also be protected.
I recommend, as does the CISA, that you make use of a password manager. This isn’t a post about the value of password managers, however their benefits are clear and well know. If you are unsure about what tools to use in your organisation, I recommend you look at LastPass Enterprise and 1Password for Business. My personal preference is LastPass due to its ability to use a Yubikey for MFA.
Action Three: Add Multi-Factor Authentication to DNS Accounts
I feel like this should be obvious to everyone by know. You need to use MFA for all accounts involved in the administration of your network.
If your domain registrar or DNS provider doesn’t provide MFA, then you must change to a provider that does. You might think I am being overly dramatic, but this is the only appropriate response. While the CISA directive doesn’t go this far, they are clear that you should ensure that you use a provider that does.
It should also be clear that providers that use SMS-based MFA are not recommended. It is just becoming to easy for attackers to perform sim-swap attacks.
Action Four: Monitor Certificate Transparency Logs
The last action point might sound a bit too difficult for small organisations and small IT teams.
Google’s Certificate Transparency project aims to address some of the structural flaws in SSL certificates. It provides an open framework for monitoring and auditing the issuance of certificates in real-time. It allows us to detect SSL certificates that have been issued by a certificate authority either legitimately, mistakenly issued or maliciously acquired. CT logs really do provide a way for the industry to monitor the CAs to ensure they don’t go rogue.
There are free and commercial tools available to monitor the CT logs. My preferred tool comes from a surprising source, Facebook. Facebook’s Certificate Transparency Monitoring tool allows anyone to search for certificates issued to a domain and to subscribe to notifications for a domain. This tool is rather simple to setup, but you will need a Facebook account and have alerts enabled on your account (and in your mobile apps if you want alerts going there).
To summarise, here is your DNS security checklist:
- Switch to DNSControl and audit your DNS entries.
- Use a password manager to manage the credentials for accounts. Change the passwords if you suspect a breach.
- Use MFA for all DNS management accounts. If your provider doesn’t support MFA, change providers.
- Use Facebook's Certificate Transparency Monitoring tool to identify all certificates being issued for domains you a responsible for.