The status quo for DNS security isn’t working


The Domain Name System (DNS) is often referred to as the phone book of the internet. DNS translates web addresses, which people use, into IP addresses, which machines use. But DNS was not designed with security in mind. And even though companies have invested incredible amounts of money into their security stack (and even though they’ve had since the 1980s to figure this out), DNS traffic often goes unmonitored.

This has only worsened with the adoption of encrypted DNS, known as DNS-over-HTTPS (DoH). Since its introduction in late 2018, DoH has grown from a personal privacy feature that most IT teams blocked outright, to an encouraged enterprise privacy and security function. While DoH protects traffic in transit, it also leaves organizations with little to no visibility over what’s happening with their DNS queries.

[Figure: The evolution of DNS. Image: Zscaler]

Threat actors regularly exploit this visibility gap. IDC’s 2022 Global DNS Threat Report revealed that 88% of organizations interviewed had suffered DNS-related attacks—primarily phishing, malware, and DDoS attacks—over the previous year. Additionally, 70% had experienced application downtime as a result.

A few DNS attack tactics are particularly popular:

  • DNS tunneling: One of the most popular DNS threats is DNS tunneling, in which threat actors take advantage of the flexible nature of DNS queries to hide communications with command-and-control servers, download malware, or exfiltrate data. Unfortunately, this is challenging to detect because of the broad nature of DNS queries (a hostname can be almost any string, so a DNS query can carry almost any content) and because of IT visibility gaps, particularly where the traffic is encrypted.
  • DNS spoofing: This tactic—frequently executed using Man-in-the-Middle (MitM) techniques—involves altering the DNS entries on a DNS server or entering false information into the DNS cache, resulting in the targeted user traffic getting redirected to an attacker-controlled fraudulent site. This can be used for phishing or to trick users into installing malicious software like worms or viruses.
  • DDoS attacks on DNS servers: Attackers don’t necessarily have to infiltrate a…
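The tunneling bullet above notes that a query name can be "pretty much anything", which is exactly what a resolver-side detector has to work with. The following is an added example, not code from the article or from Zscaler: a heuristic scorer that parses a small, constructed resolver log and flags base domains whose subdomains look like encoded payload (long, high-entropy labels, payload-friendly record types, many unique subdomains under one parent). The log format, the thresholds and the two-label base-domain split are assumptions; a production deployment would use the public suffix list and tune thresholds against its own baseline.

```python
"""Heuristic DNS-tunneling indicators over resolver log lines.

Added example (not from the article). Every threshold below is an
illustrative assumption, not a vendor recommendation.
"""
import math
from collections import defaultdict

# Constructed sample log: "<timestamp> <client_ip> <qtype> <qname>" per line.
# The hex labels under tunnel-example.net are fabricated to look like chunked payload.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A mail.example.com
2024-01-01T10:00:03 10.0.0.7 TXT 6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3.c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9.tunnel-example.net
2024-01-01T10:00:04 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.1a2b3c4d5e6f708192a3b4c5d6e7f809.tunnel-example.net
2024-01-01T10:00:05 10.0.0.7 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.0a1b2c3d4e5f60718293a4b5c6d7e8f9.tunnel-example.net
2024-01-01T10:00:06 10.0.0.9 A cdn.static-assets.example.org
"""

# Assumption: record types whose answers can carry arbitrary data are a weak indicator on their own.
SUSPICIOUS_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s):
    """Bits of entropy per character; encoded payload scores high, dictionary words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (base_domain, subdomain_part). Two-label base is an assumption;
    real deployments should use the public suffix list (co.uk etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped, not raised."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")})
    return records


def score_query(qname, qtype, max_sub_len=52, entropy_threshold=3.5, max_labels=5):
    """Per-query indicators. Returns (base_domain, subdomain, list_of_reasons)."""
    base, sub = split_name(qname)
    reasons = []
    if len(sub) > max_sub_len:
        reasons.append(f"subdomain length {len(sub)} > {max_sub_len}")
    ent = shannon_entropy(sub.replace(".", ""))
    if ent > entropy_threshold:
        reasons.append(f"subdomain entropy {ent:.2f} > {entropy_threshold}")
    if qname.count(".") + 1 > max_labels:
        reasons.append(f"label count > {max_labels}")
    if qtype in SUSPICIOUS_QTYPES:
        reasons.append(f"query type {qtype}")
    return base, sub, reasons


def find_tunneling_candidates(records, min_unique_subdomains=3):
    """Aggregate per base domain: flag when at least one per-query indicator fired
    AND the parent saw many distinct subdomains (a tunnel needs a fresh name per chunk)."""
    per_base = defaultdict(lambda: {"subs": set(), "reasons": set(), "clients": set()})
    for r in records:
        base, sub, reasons = score_query(r["qname"], r["qtype"])
        info = per_base[base]
        info["subs"].add(sub)
        info["reasons"].update(reasons)
        info["clients"].add(r["client"])
    flagged = {}
    for base, info in per_base.items():
        if info["reasons"] and len(info["subs"]) >= min_unique_subdomains:
            flagged[base] = {"unique_subdomains": len(info["subs"]),
                             "clients": sorted(info["clients"]),
                             "reasons": sorted(info["reasons"])}
    return flagged


if __name__ == "__main__":
    for base, detail in find_tunneling_candidates(parse_log(SAMPLE_LOG)).items():
        print(base, detail)
```

The two-stage design (per-query indicators, then a per-parent-domain count of unique subdomains) is what keeps the false-positive rate tolerable: a single long CDN hostname trips the length check but never accumulates dozens of unique siblings, whereas a tunnel cannot avoid doing so. The same scoring runs unchanged on DoH resolver logs, which is the practical point of the visibility argument above: once the enterprise resolver terminates the encrypted session, the query names are available to inspect again.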

Source…