Last week The National Cyber Security Centre (NCSC) announced that they were investigating recent Domain Name System (DNS) hijacking attacks on government and commercial organisations. Whilst the attacks have mainly been targeted in the Middle East, UK and US governments have been alerted and have issued precautionary guidelines.
The hijack is a typical ‘man-in-the-middle’ attack, where hackers take advantage of how DNS functions and manipulate DNS records to redirect traffic to an infrastructure that they control.
Two DNS hijacking techniques have been identified:
DNS A (Address) record hijack – the attacker gains access to the DNS provider’s admin panel and alters the A record so that the target domain points to a new IP address owned by the hacker. The hacker then creates a proxy that mirrors the target domain and passes traffic through it to the genuine IP address. New TLS certificates are then issued by the hacker for this domain, meaning that traffic passes through without bringing up any security warnings for users.
DNS NS (Name Server) record hijack – this works in a similar way to a DNS A hijack, but by altering the Name Server records instead of the Address records. A certificate is created for the victim domain, which means that browsers can connect without any errors.
Protect your DNS records
With different types of attacks increasing in sophistication on a daily basis, it’s not just government organisations that need to prepare for this kind of attack. All businesses should monitor and secure their DNS records.
One of our Technical Systems Engineers, Tom Andrews, has recommended the following:
– Ensure that your DNS hosting accounts are secured with a strong, complex password. A password manager such as LastPass can help to securely store these.
– If your DNS Host allows, set up two-factor authentication to provide another layer of security to the login process.
– Make sure account recovery details, such as registrant addresses and emails, are up-to-date so that your account recovery options remain within your control.
– Ensure that your domain is renewed before it expires. If you are set to auto-renew, make sure that your billing details are kept up to date should your details change. The auto-renew process will fail if your card is not valid.
– Monitor critical DNS records for unexpected changes, such as name server records and the address records associated with those name servers.
– Backup your critical DNS zones so that you can recover them in the event of a breach.
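The last two recommendations, monitoring critical records and keeping a backup of the zone, can be combined into a simple baseline-and-diff check. The script below is an added example and is not Hyve’s monitoring code: it keeps a JSON snapshot of the NS and A records that matter (which doubles as the zone backup) and reports any record set that differs from that baseline. The zone ‘example.com’, the IP addresses and the ‘ns.attacker-controlled.test.’ name server are constructed sample data; the live lookup assumes the third-party dnspython library is installed.

```python
"""Baseline-and-diff monitor for critical DNS records (added example)."""
import json
from typing import Dict, Iterable, List, Tuple

# A zone snapshot maps "<name>/<type>" to the sorted list of record values.
Snapshot = Dict[str, List[str]]

# Constructed baseline for a hypothetical zone (sample data, not real records).
# In practice this is produced by save_snapshot() while the zone is known-good.
BASELINE: Snapshot = {
    "example.com/NS": ["ns1.example.com.", "ns2.example.com."],
    "ns1.example.com/A": ["192.0.2.10"],
    "ns2.example.com/A": ["192.0.2.11"],
    "www.example.com/A": ["192.0.2.20"],
}

# Constructed later observation showing both techniques from the article:
# one name server has been swapped out, and www now resolves elsewhere.
OBSERVED_HIJACKED: Snapshot = {
    "example.com/NS": ["ns1.example.com.", "ns.attacker-controlled.test."],
    "ns1.example.com/A": ["192.0.2.10"],
    "ns2.example.com/A": ["192.0.2.11"],
    "www.example.com/A": ["198.51.100.7"],
}


def diff_snapshots(baseline: Snapshot, observed: Snapshot) -> List[str]:
    """Return one alert line per record set that differs from the baseline.

    Additions and removals are both reported: an NS hijack may add an extra
    name server alongside the legitimate ones rather than replacing them.
    """
    alerts: List[str] = []
    for key in sorted(set(baseline) | set(observed)):
        before = set(baseline.get(key, []))
        after = set(observed.get(key, []))
        if before == after:
            continue
        added = sorted(after - before)
        removed = sorted(before - after)
        alerts.append(f"{key}: added={added} removed={removed}")
    return alerts


def save_snapshot(snapshot: Snapshot, path: str) -> None:
    """Write the snapshot as JSON; this file is also the zone backup."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snapshot, fh, indent=2, sort_keys=True)


def load_snapshot(path: str) -> Snapshot:
    """Read a snapshot written by save_snapshot()."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def resolve_live(name: str, rtype: str) -> List[str]:
    """Query the live DNS for one record set (assumes dnspython is installed)."""
    import dns.resolver  # third-party library; an assumption of this example
    answer = dns.resolver.resolve(name, rtype)
    return sorted(rdata.to_text() for rdata in answer)


def snapshot_zone(targets: Iterable[Tuple[str, str]]) -> Snapshot:
    """Build a fresh snapshot from live lookups of (name, type) pairs."""
    return {f"{name}/{rtype}": resolve_live(name, rtype) for name, rtype in targets}


if __name__ == "__main__":
    # Offline demonstration on the constructed data above.
    for line in diff_snapshots(BASELINE, OBSERVED_HIJACKED):
        print("ALERT", line)
```

Run on a schedule, the check would call snapshot_zone() for the domain’s NS records and the A records of each name server, compare the result with the saved baseline, and raise an alert on any difference; the baseline file itself is the backup used to restore the zone after a breach.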
Customers who use Hyve for DNS hosting are already protected by our security procedures. We can set up DNS monitoring that checks for changes to web pages: if an A record is changed and the page displayed differs from the expected one, we are notified and can act accordingly. DNS records are securely stored in MyHyve, and changes can only be requested by authorised contacts who sign in to MyHyve.
Even if these types of attacks aren’t currently targeted at businesses, we do recommend monitoring and securing your DNS records as an additional security measure.