
Security Advisory: Securing DNS Infrastructure

Release Date: 25 Jan 2019

In late 2018 and early 2019, Talos [1] and FireEye [2] released alerts on emerging DNS hijacking attacks. Following the alerts, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive [3] requiring US government agencies to take mandatory actions to safeguard their DNS infrastructure.


While the actions are aimed at US government agencies, they are basic best practices that every organization should follow to safeguard its own DNS infrastructure against various types of attacks. DNS serves as a ‘translator’ from human-readable domain names to server IP addresses, so its security is critical to Internet security for both organizations and end users. A successful DNS hijack may lead to identity spoofing of the organization, interception of HTTP traffic and more.


Here are the precautionary measures from CISA for securing DNS infrastructure [4]:

  • Verify their DNS records to ensure they’re resolving as intended and not redirected elsewhere. This will help spot any active DNS hijacks.
  • Update DNS account passwords. This will disrupt access to accounts an unauthorized actor might currently have.
  • Add multi-factor authentication to the accounts that manage DNS records. This will also disrupt access, and harden accounts to prevent future attacks.
  • Monitor Certificate Transparency logs for certificates issued that the organization did not request. This will help defenders notice if someone is attempting to impersonate them or spy on their users.

You can also follow the advice of the .hk domain registry HKIRC to enhance DNS security [5]:

  • Use strong passwords and change them frequently to protect your domain name administration account. Enable two-factor authentication if there is such support from your registrar.
  • Enable email or SMS notification upon changes of your domain name records in the registrar’s database. Enter an email address which is not in the same domain to avoid such alerts from being intercepted.
  • Enable DNSSEC on your domains with the help of your ISP and registrar. DNSSEC helps to ensure that the domain IP addresses are returned from trusted resolvers without being tampered with.
  • Monitor certificate transparency logs regularly to discover unauthorized, dubious or malicious registration of your domain name on Certificate Authorities other than the one you are currently using.
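The first measure in both lists (verify that DNS records resolve as intended) and the last (monitor Certificate Transparency logs) are both checks that can be automated. The following is an added example, not code from CISA, HKIRC or the advisory; the domain, addresses, issuer names and CT entries are constructed sample data, and the record sets would in practice come from the organization's own baseline and from lookups against several resolvers.

```python
"""Baseline checks for DNS hijacking: record drift and unexpected certificates."""

# Constructed baseline: the records the organization expects to be served.
# Keys are (owner name, record type); values are the expected record data.
EXPECTED = {
    ("www.example.org", "A"): {"203.0.113.10"},
    ("example.org", "NS"): {"ns1.example.org.", "ns2.example.org."},
    ("example.org", "MX"): {"mail.example.org."},
}

# Constructed observation, as it might be parsed from `dig +short` output.
# The MX record points at an unexpected host, which is what a hijack that
# intercepts mail would look like from the outside.
OBSERVED = {
    ("www.example.org", "A"): {"203.0.113.10"},
    ("example.org", "NS"): {"ns1.example.org.", "ns2.example.org."},
    ("example.org", "MX"): {"mail.unexpected-host.test."},
}


def find_dns_drift(expected, observed):
    """Compare observed records with the baseline.

    Returns a list of (name, rtype, missing, unexpected) tuples, one per
    record set that differs. An empty list means everything resolves as
    intended. A record set absent from `observed` is reported as missing.
    """
    findings = []
    for (name, rtype), want in expected.items():
        got = observed.get((name, rtype), set())
        missing, unexpected = want - got, got - want
        if missing or unexpected:
            findings.append((name, rtype, sorted(missing), sorted(unexpected)))
    return findings


# Constructed Certificate Transparency entries, reduced to the two fields
# that matter for this check (issuer and the names on the certificate).
CT_ENTRIES = [
    {"issuer": "O=Example Trusted CA", "names": ["www.example.org"]},
    {"issuer": "O=Some Other CA", "names": ["mail.example.org", "example.org"]},
]
TRUSTED_ISSUERS = {"O=Example Trusted CA"}  # the CA(s) the organization uses


def find_unexpected_certs(entries, trusted_issuers, domain):
    """Return CT entries covering `domain` (or a subdomain) from an issuer
    the organization does not use; each is worth a manual follow-up."""
    def covers(name):
        return name == domain or name.endswith("." + domain)
    return [e for e in entries
            if any(covers(n) for n in e["names"]) and e["issuer"] not in trusted_issuers]
```

Run both checks on a schedule and alert on any non-empty result; a hijacked record or a certificate from an unfamiliar CA is the earliest visible sign of the attacks described above.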

HKIRC also provides the .hk LOCK service (https://www.hkirc.hk/content.jsp?id=296), so that any change to a .hk domain needs extra authentication. If you own domains other than .hk, you may also check with your domain registry whether a similar service is provided.


References

[1] https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
[2] https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
[3] https://cyber.dhs.gov/ed/19-01/
[4] https://cyber.dhs.gov/blog/#why-cisa-issued-our-first-emergency-directive
[5] https://www.cybersechub.hk/en/post/170