United Kingdom’s NCSC Advisory vs DNS Hijacking Released
The United Kingdom’s National Cyber Security Centre (NCSC) has issued an advisory warning UK citizens using computers and other Internet-connected mobile devices that large-scale DNS hijackings in the Internet are ongoing, and the agency provides simple mitigation advice for IT professionals to implement in their respective areas of coverage. NCSC defined DNS hijacking as an incident where DNS entries of an authoritative DNS server were edited by a 3rd party without permission. Such attack creates an unsafe environment for users, as their traffic get redirected to a false website instead of the genuine website they wish to visit. NCSC highlighted that hackers are concentrating on establishing transparent proxy, Domain hijacking, obtaining TLS certificates without authority and creating malicious DNS records, all without the knowledge of the target victims.
Unfortunately, the majority of what NCSC describes as “Account Take Over” (ATO) cases involve the domain registrar itself, and end-users have nothing to do with it. Though the agency issued a short advice for domain registrars in order to minimize the chance of a take over of their DNS systems by unknown parties. “Registry and Registrar Lock – many registries offer a “registrar lock” service. This lock prevents the domain being transferred to a new owner, without the lock being removed. A “registry lock” (which sometimes involves a fee) is considered an additional level of protection whereby changes cannot be made until additional authentication has taken place which usually involves a call to the owner,” explained the NCSC report.
The focus of heightened alert is for service providers and domain registrars to prioritize offering domain lock for their customers, which comprises of the following functionalities, as directly quoted from NCSC:
- Prevents the nameservers from being changed;
- Prevents domain registrant and / or contact details being changed;
- Prevents the domain from being transferred to another registrar.
DNS server hosting is a regular part of the domain registry and Internet Service Provider business, however, it is not considered as a money-making endeavor. Hence, ISPs and domain registrars are not placing a lot of investment when it comes to securing their DNS infrastructure.
NCSC provided the following security suggestions in order for DNS-hosting organizations to be confident of their DNS server security:
1. Implement DNSSEC
DNSSEC is a security extension that proves the reliability of correspondence information of IP address and host name sent from DNS server. This is to prevent DNS response spoofing attacks such as DNS cache poisoning. In DESSEC, the DNS server that sends the response signs the response using the private key, and the recipient verifies it with the public key. Because you can not sign correctly without the private key, you can detect false responses by verifying the signature. A normal DNS server does not have a means to authenticate the other party, so by supporting DNSSEC, it can have its function.
2. Monitor TLS
TLS certificate creation needs to be done correctly, the “web of trust” truly depends on the level of trust people to the certificate authority. Lost of trust to a certificate authority means lost of business, just like what happened to Diginotar’s and Symantec’s dissolved certificate authority businesses.
3. Auditing and Monitoring
4. Access Control
5. Change Control
“Keep evidence – in case your entire domain is hijacked, you’ll need to appeal to your registry for help. Keep extensive records which can be used to prove ownership,” concluded the NCSC report.
Also Read,
What is DNS Security? Why is it Important?
DNS Servers | How to Secure DNS Servers from hacker attacks?