
December 2013

Are you Monitoring Your DNS?

Why monitor DNS? The obvious reason is to ensure that your Domain Name System is operating as intended. But there’s more to it than that.


Access to almost every Internet application relies on queries to DNS, a global name resolution database, to determine the Internet address associated with a domain name or hyperlink. Yet despite how heavily business relies on DNS, many IT departments overlook how useful DNS monitoring can be in improving network security and performance.

Monitoring DNS involves three different elements of the service:

  • Authoritative name service is the element of the DNS that returns answers to queries using only local databases (zone data) that the domain administrator or registrant configures or authorizes a third party to configure.
  • Recursive resolver service is a DNS server that processes queries made by the systems and devices connected to your private networks.
  • Client device operating systems or applications use very simple stub resolvers. These typically issue queries to recursive resolvers, not only for DNS information about resources in your domains, but also for every publicly registered domain.

Each of these elements can be an important network operations diagnostic or security measure. Let’s take a look at monitoring authoritative name service. We’ll examine the other two elements in future blogs.

Classes of threats

Users and applications make use of zone data that you publish from your domain name servers in order to learn the IP addresses of web, mail, or other hosted Internet services. You and they rely on the accuracy of these data. Two classes of threats exist.

If an attacker gains control over the system where you host authoritative name service, he can alter (or add) records in your zone data so that responses to user queries send users to malicious pages (e.g., defacement or phishing pages) rather than intended web pages. Attackers can alter your mail exchange (MX) service address or add MX records to your zone, causing incoming email to be delivered to the wrong destinations or outgoing email to contain bogus source addresses. Spamming from a domain is attractive because the spammer benefits from the positive reputation your mail service has, and this reputation can be harmed as a consequence of such attacks.

Attackers can also hijack a domain name registration account and change the configuration of the registration so that the name server address in the domain configuration points to a system, name server software, and malicious zone data that the attacker controls. This latter attack is simpler than others. It often involves a social engineering or password guessing attack, and occurs more frequently than you might think. (See cases involving Network Solutions, Google, and LinkedIn.)

Monitoring DNS

Beyond hardening the authoritative name server infrastructure and making it resilient to failure (for example, by operating or contracting for secondary service), consider implementing the checklist for monitoring the operational status and zone-data integrity of your name service, as described below, from A Registrant’s Guide to Protecting Domain Name Registration Accounts:

  1. Are the name servers identified in the WHOIS response for the domain name the complete and accurate set of name servers that your organization has identified as providing authoritative name service for the domain?
  2. Are the name servers published in the TLD zone file for the domain name the complete and accurate set of name servers that your organization has identified as providing authoritative name service for the domain?
  3. Are the name servers operational? (For example, do the hosts respond to a ping or simple DNS query?) Are they performing as expected?
  4. Are all the name servers secured (hardened against known attacks)? Are all software (OS, name server) packages current with respect to approved versions (e.g., tested and approved by your technical staff), with released hot fixes and patches?
  5. Are the name servers responding in ways consistent with your baseline correct configuration?
  6. Do all the name servers that provide authoritative name service for the domain return complete and correct zone data for all formulations of DNS queries against the zone?
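One way to automate items 1, 2, 3, 5 and 6 of this checklist is to compare what each source reports against an approved baseline. The sketch below is an added example, not code from the original post or the guide; every domain, name server, address and observation in it is constructed, and in practice the `OBSERVED` data would be filled from a WHOIS lookup, the TLD delegation, and queries sent directly to each authoritative server.

```python
# Added example: all names, addresses and observations below are constructed.
BASELINE = {
    "ns": {"ns1.example.net", "ns2.example.net"},
    "records": {
        ("example.com", "A"): {"192.0.2.10"},
        ("example.com", "MX"): {"10 mail.example.com"},
    },
}
OBSERVED = {
    "whois_ns": ["NS1.EXAMPLE.NET.", "ns2.example.net."],
    "tld_ns": ["ns1.example.net.", "ns9.example.org."],
    "answers": {  # per-server answers; a missing or None entry means no response
        "ns1.example.net": {
            ("example.com", "A"): {"192.0.2.10"},
            ("example.com", "MX"): {"10 mail.example.com."},
        },
        "ns2.example.net": {
            ("example.com", "A"): {"198.51.100.66"},
            ("example.com", "MX"): {"10 mail.example.com.", "5 mx.example.org."},
        },
    },
}

def norm(value):
    # DNS names are case-insensitive; drop the trailing root dot
    return value.rstrip(".").lower()

def diff(label, got, want):
    # Report anything outside the baseline and anything the baseline expects but is absent
    got, want = {norm(v) for v in got}, {norm(v) for v in want}
    return ([f"{label}: unexpected {v}" for v in sorted(got - want)]
            + [f"{label}: missing {v}" for v in sorted(want - got)])

def run_checks(baseline, observed):
    findings = diff("WHOIS NS", observed["whois_ns"], baseline["ns"])      # item 1
    findings += diff("TLD NS", observed["tld_ns"], baseline["ns"])         # item 2
    for server in sorted(baseline["ns"]):
        answers = observed["answers"].get(server)
        if answers is None:                                                # item 3
            findings.append(f"{server}: no response")
            continue
        for (qname, qtype), want in sorted(baseline["records"].items()):   # items 5, 6
            got = answers.get((qname, qtype), set())
            findings += diff(f"{server} {qname}/{qtype}", got, want)
    return findings

if __name__ == "__main__":
    for line in run_checks(BASELINE, OBSERVED):
        print(line)
```

Item 4 (patch and hardening status) is not covered here because it cannot be derived from DNS answers alone.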

The guide also explains how you use the WHOIS service to monitor domain registration data for unauthorized changes to IP addresses associated with name servers for your domain names.

If you aren’t already monitoring authoritative name service, it's never too late to begin, so start now. 

This is the first post of a three-part series on DNS and domain registration risk and protection:

Part I: Are you monitoring your DNS?

Part II: Harden your resolvers: protect your recursive DNS for you and for everyone else

Part III: Avoid Risks: Manage your DNS Portfolio

 

Originally posted 8/19/2013 at 21st Century IT under Foil Hackers with DNS Monitoring.


Twelve Days of Phishmas - Fifth Anniversary Carol

Phishers remain thankful for how generous so many Internet users continued to be in 2012. As they did in 2009, 2010, 2011, and 2012, carolers are filling IRC channels with new and perennial sounds of Phishmas for the fifth straight year!

On the first day of Phishmas, End of Year offered me...

Apple discounts that you’ll only see here!

On the second day of Phishmas, Review Rating emailed me...

Your recent credit rating, and Apple discounts that you’ll only see here!

On the third day of Phishmas, Medicare Plan warned me...

Open enrollment’s ending, your recent credit rating, and Apple discounts that you’ll only see here!

On the fourth day of Phishmas, Sir James Wilfeson begged of me...

Help me transfer money, open enrollment’s ending, your recent credit rating, and Apple discounts that you’ll only see here!

On the fifth day of Phishmas, DealerClearance said to me...

A ROCK-BOTTOM AUTO DEAL! Help me transfer money, open enrollment’s ending, your recent credit rating, and Apple discounts that you’ll only see here!

On the sixth day of Phishmas, a Growth Promotions assured me...

Nothing beats a huge stick, A ROCK-BOTTOM AUTO DEAL! Help me transfer money, open enrollment’s ending, your recent credit rating, and Apple discounts that you’ll only see here!

On the seventh day of Phishmas, ppal alerted me...

Update your Paypal info, nothing beats a huge stick, A ROCK-BOTTOM AUTO DEAL! Help me transfer money, open enrollment’s ending, your recent credit rating, and Apple discounts that you’ll only see here!

On the eighth day of Phishmas, a follower tweeted me... 

Work at home easy money, update your Paypal info, nothing beats a huge stick, A ROCK-BOTTOM AUTO DEAL! Help me transfer money, open enrollment’s ending, your recent credit rating, and Apple discounts that you’ll only see here!

On the ninth day of Phishmas, my own email account sent to me...

Luxury replica watches, work at home easy money, update your Paypal info, nothing beats a huge stick, A ROCK-BOTTOM AUTO DEAL! Help me transfer money, open enrollment’s ending, your recent credit rating, and Apple discounts that you’ll only see here!

On the tenth day of Phishmas, RussianBridesTeam offered me...

Chat with Russian beauties, luxury replica watches, work at home easy money, update your Paypal info, nothing beats a huge stick, A ROCK-BOTTOM AUTO DEAL! Help me transfer money, open enrollment’s ending, your recent credit rating, and Apple discounts that you’ll only see here!

On the eleventh day of Phishmas, Dlscover texted me...

We’ve noticed suspicious activity, chat with Russian beauties, luxury replica watches, work at home easy money, update your Paypal info, nothing beats a huge stick, A ROCK-BOTTOM AUTO DEAL! Help me transfer money, open enrollment’s ending, your recent credit rating, and Apple discounts that you’ll only see here!

On the twelfth day of Phishmas, Online Doctorate offered me...

An online degree of your choice, we’ve noticed suspicious activity, chat with Russian beauties, luxury replica watches, work at home easy money, update your Paypal info, nothing beats a huge stick, A ROCK-BOTTOM AUTO DEAL! Help me transfer money, open enrollment’s ending, your recent credit rating, and Apple discounts that you’ll only see here!

I hope you’ve begun to recognize scams from my Phishmas Songs of 2009-2012. Remember: these are perennial phisher phavorites because they remain effective. Remember as well that phishers exploit email, text, and all forms of social media.

During this holiday season, please remember to Stop, think, connect.