A DNS record is a set of instructions that provides information about a domain. It can contain data specific to any individual accessing or using a domain and unfortunately, is prone to cyberattacks.
This is because threat actors know about and take advantage of the vulnerabilities built into the DNS system. All organizations must understand and learn how to secure DNS records. This is especially true for critical infrastructure like healthcare, obliged to safeguard protected health information (PHI) with HIPAA compliant cybersecurity. Read on to learn what DNS cyberattacks are and how you can prevent them.
SEE ALSO: HIPAA compliant email
Defining DNS records
Techopedia defines a DNS (domain name system) record as a “database record used to map a URL to an IP address.” A domain name is the location of a website or the part of a URL that identifies it as belonging to a particular domain.
RELATED: How to unlock the domain name of your dreams
DNS is the protocol that receives a request containing a domain name and responds with a corresponding IP address. Essentially, it routes a user to the website they are looking for. DNS records, also known as resource records or zone files, contain the information to make this happen. The records live on DNS servers as text files and are written in DNS syntax. This is a string of characters used as commands that tell the DNS server what to do.
Each DNS record contains vital information including a record type, expiration time limit, a class, and type-specific data. All domains are required to have a few essential DNS records.
Common types of DNS records
Each type of record describes the format of the data and its general use. There are several common types:A record: holds the IP (IPv4) address of a domain
AAAA record: contains the IPv6 address for a domain
CNAME record: forwards one domain or subdomain to another
MX record: directs mail to an email server
TXT record: lets an admin store text notes in the record
NS record: stores the name server for a DNS entry
SOA record: stores admin information about a domain
SRV record: specifies a port for specific services
PTR record: provides a domain name in reverse-lookups
RELATED: DNS record types cheat sheet
There are around 90 different record types, though some are now obsolete. While DNS records provide useful information for users, they also provide data for cybercriminals to sabotage, corrupt, and manipulate.
What are DNS cyberattacks?
Like all components of information systems, organizations need DNS security to protect all aspects of the DNS infrastructure. This includes DNS records. Unfortunately, like most internet-based things, the DNS system was not designed with cybersecurity in mind.
In fact, DNS traffic typically passes freely through firewalls when someone legitimately asks for access. But the same can be said for illicit users. The DNS system is vulnerable to several common methods of cyberattacks. General reasons for DNS attacks include malware installation, credential theft, hidden communication, data gathering, and data theft.
SEE ALSO: How do I identify my domain host?
The top DNS cyberattacks
1. DNS hijacking
DNS hijacking refers to any attack that tricks a user into thinking they are connected to a legitimate domain. Other names for hijacking include DNS poisoning or DNS redirection. Attackers typically compromise a domain registrar account to modify the DNS name server or change the A record. They could also compromise a router to change the DNS server itself into storing incorrect DNS data using malware.
Through DNS hijacking, a cyberattacker may misdirect a user to a malicious site for further phishing attacks. Moreover, they may want to steal login credentials or distribute false information about the original website’s organization. Indicators of compromise (IOCs) include noticeable slowdowns, browser redirectors, site unavailability, pop-ups, and unusual browser behavior.
2. DNS tunneling
Tunneling is a cyberattack method that sneaks malicious traffic past defenses by encoding data in DNS queries and responses. It often includes data payloads added to an attacked DNS server, allowing remote control of a server and/or applications. DNS tunneling allows cybercriminals to insert malware, create a communication channel that bypasses firewalls, and exfiltrate data. IOCs include unusual domain requests, requests by unusual domains, and high DNS traffic volume.3. DoS (denial of service)
A DoS attack is when a single cybercriminal blocks access to a network, device, or website so that a user cannot access it. The two main ways hackers use DoS are by flooding (i.e., more traffic than a server can handle) or crashing (i.e., sent or exposed information crashes a server). We’ve seen several attacks against popular companies such as Amazon Web Services (AWS) and GitHub.
The primary purpose is not to breach data but to affect an end user’s experience or obtain information. Threat actors use DoS attacks for revenge, blackmail, or political sabotage. IOCs include a slow network, long load times, the inability to load a particular website, and the sudden loss of connectivity across devices on the same network.
4. DDoS (distributed denial of service)
DDoS is when multiple individuals or botnets perform a DoS attack from multiple locations. It makes it harder to track a source. An example is the recent cyberattacks by the AvosLocker ransomware group against numerous critical infrastructure organizations.
During negotiations after ransomware insertion, AvosLocker threatened to carry out DDoS attacks to put pressure on the victims. The purpose and IOCs are the same as DoS attacks but on a large scale.
DNS security and healthcare data breaches
Through any of the above methods (as well as those that accompany them), it is obvious that cyberattackers want to disrupt an organization or a network. They are either trying to bombard and frustrate victims, gain access to a private system, and/or encrypt/exfiltrate sensitive data. And if attacks transpire against healthcare organizations, that could lead to breached PHI as well as HIPAA violations.
This is unfortunately what happened to Boston Children’s Hospital in 2014. Recognizing IOCs does not have to be difficult, but to do so means understanding DNS architecture and data systems. If you know which DNS records correspond to which activity, you can tell when something is out of place. Beyond this understanding of the DNS system, organizations must also invest in protections that can detect and block abnormal traffic.
This means:
- Logging and monitoring DNS queries and responses
- Tightening access to the DNS account (e.g., multi-factor authentication), servers, and routers
- Patching known vulnerabilities
- Configuring against known attack methods
- Running strong antivirus software and a firewall
- Testing frequently for vulnerabilities
And finally, this means having a solid plan in place in case a breach does occur.
DNS and email protection
One aspect of DNS security to focus further on is email defense; DNS plays a crucial role in email delivery. Every email address has a domain name (what follows the @). This then needs to match an IP address to correctly transmit the data (i.e., the email). And it is the MX record that tells the mail server where to send messages. There are a few DNS authentication methods to protect email. First, a DNS SPF (Sender Policy Framework) record is a type of TXT record that lists all the servers authorized to send emails from a particular domain.
When properly configured, an SPF record protects email from spamming, phishing, and spoofing. The second is DKIM (Domain keys Identified Mail). It makes sure that email messages aren’t changed between when an email is sent and when it is received.
Finally, there is also DMARC (Domain Message Authentication, Reporting & Conformance), useful only when a user sets up both DKIM and SPF. It adds linkage to the sender domain name, published policies handling authentication failures, and reporting from receivers to senders. The purpose is to monitor and improve protection from fraudulent email.
Paubox Email Suite for solid protection
And don’t forget how necessary it is to utilize a strong email provider. One that understands DNS security and helps organizations create a durable email security strategy. Paubox helps healthcare organizations protect PHI by providing a strong strategy along with HIPAA compliant email solutions. Paubox Email Suite, our HITRUST CSF certified software, keeps employees from receiving malicious emails and inadvertently sharing information.
In fact, our Plus and Premium solutions include hundreds of checks of incoming emails, including validating DKIM, SPF, and DMARC. Moreover, we added an in-house built tool called DomainAge. Simply, this feature spots emails with recently registered domain names and quarantines them before they can become problematic.
On top of this, our software also provides further inbox protection with Zero Trust Email as well as encryption. Cybercriminals will always look for a way to breach a system. This is why it is up to all organizations to understand the hardware and software they work with. Being proactive and safeguarding DNS records is just one way to secure your data.
HITRUST CSF certified 4.9/5.0 on the G2 Grid Paubox secures 70 million HIPAA compliant emails every month.
Subscribe to Paubox Weekly
Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.