What Do We Need to Know About the 2018 Global DNS Threat Report?

Just like the healthcare industry, the financial market players are also a profitable target of cybercriminal elements. The Global DNS Threat Report 2018 by Efficient IP has released a report on the vulnerability of the financial institutions to the threat of DNS-based cyber attacks. All computers on a network require configuration of DNS, last year alone an estimated one billion US Dollars worth of damages was caused by cybercriminals against the financial sector, and this is expected to increase year-on-year.

According to the Global DNS Threat Report, there is a 57% increase in downtime due to DNS-based cyber attacks. Such attacks create artificial downtime for a corporate server, which for a cloud-based industry such as the financial sector is very vulnerable of. “The DNS threat landscape is continually evolving, impacting the financial sector in particular. Many financial organizations rely on security solutions which fail to combat specific DNS threats. Financial services increasingly operate online and rely on internet availability and the capacity to securely communicate information in real time. Therefore, network service continuity and security is a business imperative and a necessity,” said David Williamson, CEO of EfficientIP.

The survey detailed the horrible truth about the financial sector’s very vulnerable operations. In 2017, seven high-profile cyber attacks have been sustained, with an average mitigation time of seven hours after discovery. DNS attacks, AKA DNS poisoning, where remote attackers forge DNS responses to pollute recursive resolvers with malicious records. DNS poisoning attacks can transcend vendor-specific implementations. In a general sense, there are two classes of complementary solutions to DNS poisoning: long-term improvements to resist forgery attacks that implement cryptographic protections and short-term solutions that help the Internet transition to more secure architectures.

Despite efforts to correct known bugs, there is a high potential for further vulnerabilities in the DNS protocol and specific DNS server implementations. This potential has driven interest in interim security solutions—technologies that fall short of DNSSEC, but still, make servers more resistant to DNS forgeries.

DNS uses a tree structure to organize domain name-space into a distributed database. A domain is a node in this tree, with each label separated by a period. To protect against malicious insertion of untrustworthy authority records, name servers typically require answers to be “in bailiwick.” The clique of nodes forms a contiguous tree structure, the top of which is called the start of authority. Authority DNS servers answer queries about their zones, either providing the mappings for leaf nodes or answering with referrals that indicate the delegation of child zones to other authority servers.

This takes the form of “glue records,” IP mappings of nameservers for child zones. Ultimately, when an authority server answers directly from its zone, it signals that the answer is “authoritative” by setting header flags. That is, they insist that the authority record in the same zone cut as the query. The reasoning is that a server should not be trusted to provide answers about sibling zone, only child labels. Thus, if one queries for host.example.com, answers that provide authority records for out-of-bailiwick zones (such as www.website.com), are not trusted. Instead, recursive resolvers will iteratively re-query for the desired nameserver.