Thomas Vis
Established Member
- Impact
- 8
Is Your Domain Name Exposing You to Disastrous Security Risks?
Most people understand the domain name to be a list of characters used to denote a website’s address or URL. However, while the domain name may seem like an innocuous concept, it is more complex than most people think because of the mechanisms that make it possible.The domain name is closely tied to the Domain Name Service, which functions on an ecosystem of devices, agencies, and other actors. Because of all these facets, there are multiple ways to expose companies to security risks through the domain name and the domain name service.
This guide will explore how cybercriminals can hijack your domain name and steal valuable data. Additionally, we’ll examine a few steps you can take to protect yourself from domain name-related exploitation.
Let’s start with the key concepts related to domains and domain names to make it easier to understand how cybercriminals can use the domain name to damage your company’s brand and steal data.
What is the domain name system?
Domain names were invented to make internet protocol (IP) addresses more accessible. An IP address is a set of numerical values corresponding to each network device accessing the internet. They identify a computer or any other device’s location on the world wide web.Because IP addresses are a unique string of numbers, remembering the IP address for every website you want to visit is highly impossible. This is why the advent of domain names is so important. They are easy-to-remember stand-ins for IP addresses.
The domain name system (DNS) is a digital directory that stores and provides information about which domain names correspond to IP addresses. In essence, the DNS converts domain names into IP addresses. Computers and other devices can use these IP addresses to communicate on a network. For instance, Openprovider’s domain name is https://www.openprovider.com – much easier to remember as a company name than the IP address 185.87.187.6.
When you enter a domain name or URL into a web browser, the browser uses the DNS as a directory to match the domain name to the correct IP address. It then uses this information to retrieve the website associated with the domain.
The DNS ecosystem
The DNS ecosystem describes all the network devices, systems, and actors that use or are impacted by the DNS. There is a lot of work going into maintaining the DNS ecosystem, whether it is regarding the development of protocols at organizations at the Internet Engineering Task Force (IETF) or the development of policies at organizations at ICANN.The DNS ecosystem also involves organizations that may not necessarily have direct relationships to the DNS. For instance, there is the Regional Internet Registry (RIR), which is responsible for distributing IP addresses, and the W3C consortium, which is responsible for specifying the protocols for the worldwide web. Additionally, it involves organizations such as the Internet Governance Forum (IGF) and the various participants directly in domain name activities such as the registries, registrars, internet service providers, and software developers. All these entities are involved in the DNS ecosystem and are subject to cyber threats related to domain names.
Types of domain name vulnerabilities
The DNS functions on a simple query-response protocol. When you insert the domain name into a web browser, the web browser sends out a query to a first resolver which then initiates a series of queries to authoritative servers. These authoritative servers either respond with a referral or an answer. This answer is returned to the originating application on behalf of the user.When we talk about the vulnerabilities of the domain names and the domain name system, we have several factors to consider:
DNS namespace
The DNS namespace is the universe of all possible names implemented within the DNS. Traditionally, they consisted of alphanumeric values and a hyphen. However, recent enhancements referred to as internationalized domain names (IDNs) allow for additional character sets to be utilized in the presentation layer of the DNS.This results in some risks related to the namespace, such as homoglyphs/homographs and typo-squatting. Bad actors can use these techniques to phish, hijack URLs, divert users, and damage your company’s reputation and online presence.
This is particularly challenging because it is easy to acquire low or no-cost SSL certificates that will give the browser user a digital padlock indicating the connection is secure. This means an insecure site can masquerade as a secure one. Furthermore, homographic and typo-squatting domain names don’t cost much to acquire these days.
Solutions for these vulnerabilities include user interfaces and applications that make IDN use more apparent. Several browsers now do not display the Unicode version of the strings. Instead, they show what is known as the Punycode (XN– strings).
Other mitigations include registries and registrars limiting what can be registered. Some allocations of problematic domain names remain active to this day for historical reasons.
DNS services
There are three separate classes of intrusions related to DNS services:Redirection
The attacker can change the domain name server to point to an attacker’s controlled authoritative servers. Avoiding redirection issues involves monitoring the addresses of a company’s name servers. Furthermore, if DNSSEC validation is implemented, the change of the name servers that have not been signed will be detected by the validator.Resolver hijacking
The DNS queries are answered by an attacker-controlled resolver. These exploitations also include drive-by attacks where bad actors break into residential Wi-Fi networks and change the resolver to point towards an attacker-controlled resolver. Similarly, they can break into an end user’s operating system and change the resolver configuration.
This is another case where the end-user must be vigilant. They must ensure that the local configuration is valid. If a company runs a local resolve on the end-user machine, you can also detect some of these attacks. Unfortunately, it is quite rare that DNSSEC validation is done at the endpoint. It is usually done at a resolver upstream of the endpoint. If the attacker is redirecting away from that resolver, there’s no way the DNSSEC validation will detect it.
Distributed Denial of Service (DDoS)
Unfortunately, the DNS provides a way of amplifying DDoS attacks since it’s primarily User Datagram Protocol (UDP)-based. Bad actors can spoof source addresses and redirect traffic from multiple sources without any mechanism to validate that the query has returned to the right place.A possible solution involves limiting resolver use. Organizations can also implement response rate limiting that is deployable at the authoritative server level. While it’s an effective form of mitigation, it requires the authoritative servers’ participation.
DNS transitive trust
A concept that isn’t well understood by a lot of people is something known as DNS transitive trust. This describes a situation where a domain is configured to use multiple name servers in different namespaces.If we find a compromise of any of those name servers located in any of those namespaces, then some queries can be compromised. Thus, anyone attempting to look up a name in that domain can get redirected incorrectly.
Provisioning vulnerabilities
There are different levels where most domain name attacks occur:- Registrant. The person registering the domain. If the registrant’s credentials are compromised, a bad actor can infiltrate the system and modify domain data. These types of attacks can be mitigated through the use of registrar locks. It requires an out-of-band mechanism to unlock the domain for modifications to occur. In most cases, it’s an effective form of mitigation, but it is susceptible to social engineering.
- Registrar. The retailers of domain names. If the registrar is compromised, then any of the names that are registered through it can be changed. To mitigate this type of attack, we can use what is known as a registry lock which essentially does the same things as a registrar lock except at the registry level.
- Registry. If registrars are the retailers of domain names, then registries are the wholesalers. If the registry is compromised in any name, the registry’s namespace can be altered in the same way described above.
Software vulnerabilities
The biggest issue with the software side of the DNS is that the protocol has become exceedingly complicated. A term called the DNS Camel describes the problem of too many features being added to the protocol. The original DNS specification consisted of two documents known as Request For Comments (RFC). Currently, there are over 300 RFCs that are relevant to the DNS. Because of the complexity of DNS servers, anyone implementing one may create bugs.To mitigate this, we must have diversity. This involves using multiple implementations, compiling out or turning off unnecessary features, and placing your domain or name servers in a jail so bad actors won’t have complete access if it’s compromised. For software development firms and companies, this means working with cyber security-minded developers who understand the complexity of the DNS specification.
According to statistics, the average developer possesses less than 5 years of hands-on experience. Therefore, developers need to be upskilled and educated on the latest protocols and procedures regarding the DNS’s software vulnerabilities. Developers must be capable of identifying and mitigating API security risks related to your domain name portfolio and the DNS ecosystem.
Know the risks
Today, most companies tend to overlook domain, domain name, and DNS security risks. As a domain registrar, at Openprovider we see all these cases related to top-level domain names, including modern TLDs and ccTLDs. There are security blind spots that many companies are overlooking.And even when companies are taking cybersecurity seriously, mishaps do occur. Mainly, there are threat factors related to digital certificates and the domain name ecosystem that are overlooked. Not only do they leave corporations and their customers vulnerable to attacks, but they also affect online presence.
Online presence is crucial for any company. This online presence serves as an attack surface for bad actors to target. They will target the corporate website, the email infrastructure, and vulnerabilities within the corporation’s exposed applications.
If corporations fail to take the appropriate actions to protect their domain name ecosystem, this may result in compromised email and other network breaches. Cases such as these could result in an organization’s brand being jeopardized in the real world. Even worse, you could experience revenue leakage or data exfiltration where attackers can sell employee or customer data on the Dark Web, the internet’s black market.
How to secure your domain name ecosystem
Today, there are many tools you can use to secure your domain name ecosystem. We’ve already mentioned many solutions for specific vulnerabilities. But on a policy level, the best way to achieve this is by adopting a comprehensive approach toward protecting your company’s online presence and digital assets.The domain name should be looked at as a portfolio that can be secured via registry locks. Your cybersecurity system should also analyze your domain posture. This is the first layer of protection.
It also helps if you have protection for your brand online. If exploitation were to occur, you should be able to protect your brand from abuse, grey market distribution, counterfeiting, etc. These tools are what domain cybersecurity specialists consider the second layer.
This ties into the third layer, which addresses fraud vectors. These include classic exploitations such as phishing, malware, ransomware, etc. Thus, we must look at a corporation’s online presence and provide 360-degree cyber security coverage towards identifying and mitigating all these threat vectors.
Often companies have more than one domain. Some of these domains may be restricted to certain geographical parts of the world. Thus, it’s important to work with a globally secured registrar and use a strong management platform to protect your domain name portfolio.
Again, your company must utilize early warning detection of critical threat vectors outside the enterprise’s parameters. These vectors include phishing, DNS hijacking, sub-domain-names masking, etc. It’s best to work with a globally recognized workforce and security company to mitigate this problem for you.
