DNS is a fundamentally insecure protocol, and DNS hijacking is becoming a common weapon in attackers’ arsenals. To mitigate this problem, the U.S. government’s DotGov domain registrar (responsible for providing .gov domains to local, municipal, and state government entities) has a new policy regarding changes to domain records.
It’s simple: DotGov will send automatically generated system emails to the contacts associated with a domain when any changes are made. It doesn’t matter where the modification came from; whether it was a legitimate change made by a government employee or a malicious one made by a bad actor, the email gets sent.
This places a hurdle in the way of any attacker who wishes not to be discovered. If a modification to DNS is made, the owner of the domain will be immediately aware. Previously, it might have taken them some time to realize and figure out how to revert it, which could give an attacker plenty of time to carry out any malicious actions facilitated by this DNS modification.
This is particularly relevant to American governments in the context of the last few months, since the United States and Iran have been engaged in a series of online conflicts. This has included a sophisticated campaign of DNS hijacking attributed to Iran. By taking over domain names, the attackers were able to redirect a great many services through systems they controlled. This enabled a stealthy man-in-the-middle attack, intercepting email, passwords, and unknown amounts of sensitive data from corporations, governments, and individuals.
You may not belong to a government organization, but these kinds of attacks cast a wide net, and private companies can easily be collateral damage. This brings us back to DotGov’s notification email. It’s important to consider whether this (or something like it) can be implemented with the registrars for your domains.
Some commercial domain registrars already do this, but it isn’t mandatory or universal. This is partly because many individual network administrators have their own solution for tracking DNS changes. They use a script to regularly poll the DNS record, compare it to what it’s supposed to be, and notify the administrator if there’s a discrepancy. This is effective, as far as it goes. However, the new DotGov policy reminds us not everyone does IT the same way.
Small organizations may not have a dedicated network administrator, relying instead on a generalist IT person to take care of everything. And the rise of *-as-a-Service cloud offerings means that, in some organizations, there have been changes to who does the ordering and deployment of services. This might be a developer, a manager, or anyone with a company credit card. Thus, the person listed as a contact in the DNS record may not be involved in network administration—in fact, they might not have any IT training at all.
So, the question is who (if anyone) is informed of changes to your organization’s DNS records? Will this person know what to do about an alert if they get one? Perhaps your notification email could contain information on not just what happened, but how to immediately mitigate the action. In this way, even someone who isn’t technically literate could revert any malicious or accidental DNS modifications quickly, easily, and safely—or at least know who to contact for help.
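The polling script sketched above (compare live answers to an approved baseline, alert on drift) and the actionable alert suggested here, combined into one added Python example that is not part of the original article. All names and addresses are constructed placeholders; `constructed_hijacked_view` stands in for a live lookup so the demo runs offline, while `resolve_a` is the stdlib lookup you would plug in for real polling.

```python
import socket
from typing import Dict, List, Set

# Constructed baseline (placeholder names/addresses, not real infrastructure): approved A records.
EXPECTED: Dict[str, Set[str]] = {
    "www.example.test": {"192.0.2.10", "192.0.2.11"},
    "api.example.test": {"192.0.2.20"},
    "mail.example.test": {"192.0.2.30"},
}

def resolve_a(name: str) -> Set[str]:
    """Live A-record lookup via the standard library; used when polling for real."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()  # lookup failure / NXDOMAIN is treated as 'no records'

def diff_records(expected: Set[str], observed: Set[str]) -> Dict[str, List[str]]:
    """Split a mismatch into addresses that appeared and addresses that vanished."""
    return {"added": sorted(observed - expected), "removed": sorted(expected - observed)}

def check_zone(expected: Dict[str, Set[str]], resolver=resolve_a) -> Dict[str, Dict[str, List[str]]]:
    """Poll every baseline name; return only the names whose answers drifted."""
    findings = {}
    for name, want in expected.items():
        got = resolver(name)
        if got != want:
            findings[name] = diff_records(want, got)
    return findings

def build_alert(findings: Dict[str, Dict[str, List[str]]], contact: str = "<security-contact placeholder>") -> str:
    """Alert text that states what changed AND the approved values to restore,
    so a non-specialist recipient can revert or escalate without guessing."""
    if not findings:
        return ""
    lines = ["DNS change detected: records no longer match the approved baseline.", ""]
    for name, d in sorted(findings.items()):
        lines.append(f"{name}:")
        lines += [f"  UNEXPECTED address {ip}: remove it at the registrar" for ip in d["added"]]
        lines += [f"  MISSING address {ip}: restore it at the registrar" for ip in d["removed"]]
    lines += ["", f"If you did not authorize this change, contact {contact} now."]
    return "\n".join(lines)

def constructed_hijacked_view(name: str) -> Set[str]:
    """Constructed answers standing in for a live lookup after a hijack (offline demo)."""
    return {"www.example.test": {"192.0.2.10", "198.51.100.99"},  # one address swapped
            "api.example.test": {"192.0.2.20"},                    # unchanged
            "mail.example.test": set()}.get(name, set())            # record deleted
if __name__ == "__main__":
    print(build_alert(check_zone(EXPECTED, constructed_hijacked_view)))
```

Run it from cron against `resolve_a` and hand the returned alert text to whatever mailer you already use; an empty string means nothing drifted.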
It’s also worth considering how this concept could be extended. Organizations can (and should) implement a similar policy not only for their external, customer-facing domains, but for their API and update domains, as well as mail and any internal domains. Additionally, this could be extended to other services, such as sending an email when a major change occurs to the source code of one of your websites or notifying you when there’s a new login to one of your servers.
A simple email can’t protect against all DNS attacks; a victim’s machine is still vulnerable to any DNS servers advertised via DHCP if it’s configured to use them. All the notification policies in the world do little if a victim’s machine trusts an unverified DNS server to answer queries. However, there are technologies to help there, such as DNSSEC or DNS over HTTPS enforcement, which are discussed elsewhere on this site.
For more in-depth information on the nation-state-level DNS hijacking attacks, including additional prevention tactics, check out this article by security researchers at FireEye.
DNS modification notifications are an important step to avoid malicious DNS attacks. Combined with a properly configured firewall and two-factor authentication on your registrar’s settings, as well as proactive security updates to DNS software, the risk of such attacks can be significantly reduced.