DNSSecurityStrategic ContentTechnical Content

Three personas of DNS in cybersecurity

Cyber attackers leverage DNS differently for different outcomes: DNS as a facilitator, hostage, or weapon. How is your DNS being hijacked?

BlueCat

Last updated: May 16, 2024

It’s easy to understand why cyber attackers use DNS to do malicious things like spread malware and hobble networks to the point of complete denial of service. With all of your internal network traffic flowing through it, DNS service can give attackers complete control of your network.

DNS a contributor in cyberattacks? Yes.

Let’s recall why DNS was created. Since the inception of the internet, every internet address has been defined as a number. As internet use grew, millions of numerical addresses were in play. Managing the addresses and matching them to their correct destinations became increasingly complex. DNS was the brainchild of Paul Mockapetris, who in 1983, linked names to internet addresses in a dynamic and flexible way — simplifying the process of making internet queries.

DNS architecture persists as a the most helpful handshake between the internet user and their requested destination. At its core, DNS is designed to fulfill connections, making it the perfect, naive accomplice in unwanted network activity.

In the absence of preventative policies on network behavior, or without a DNS security solution in place, DNS will simply do what it was designed to do: make connections. And creative attackers know that there are several ways to leverage DNS.

Three personas of DNS

Depending on the (nefarious) intention, naive DNS is pressed into service differently to achieve different results. DNS, in fact, plays three different roles, or personas, to support destructive cyber behavior.

BlueCat Chief Strategy Officer Andrew Wertkin explains the three personas in this three-minute whiteboard session:

  1. DNS as facilitator
  2. DNS as hostage
  3. DNS as weapon

DNS as facilitator

In this scenario, DNS as facilitator, DNS is used as a “naïve resolver”, answering network queries and returning results. DNS goes out to the network, looks up an IP address, and cooperates naively by resolving that request. It acts as facilitator by simply doing its job.

Query results, are of course, compared against Blacklists and Whitelists. Both are known quantities, so confirmed bad actions are blocked, and acceptable ones are given the “all clear”. Things get interesting in the grey area, where queries pop up as aberrations or anomalies, originating from clients or devices that have no business making those calls.

DNS as hostage

As a hostage, DNS in this case is a “naïve messenger”. DNS is used to carry bad messages over the network. DNS tunneling is a good example of this – actually sending data inside DNS requests and responses. As opposed to above, where DNS simply looks up an address and delivers a response, cyber attackers use DNS to send commands, effectively taking DNS hostage.

DNS as weapon

As a weapon, DNS is used as a “naïve producer”, used to attack a third party.

When you hear about an IoT device, like a vending machine, taking down the network across an entire campus, that’s DNS being used a weapon. DNS is a highly distributed system and can generate a tremendous amount of traffic. That overwhelming traffic, a result of DNS being used a weapon, can create a wholesale denial of service.

Because of the role DNS plays across the network, it is also an obvious target for security compromise. If the very backbone of our networks is so easily hijacked, what can be done to make DNS a less naïve facilitator of bad behavior and create more trusted transactions?

The antedote: DNS as defender

The answer to combating DNS use as a weapon lies in DNS data. DNS as defender, a fourth and vitally important persona, provides insights to detect patterns, block questionable queries and identify suspicious actors. Leveraging that goldmine of activity data, and having the ability to act on it by setting policy, would go a long way to making DNS more resilient, and less vulnerable to being used as a facilitator, weapon or hostage.

Published in:

DNSSecurity

September 19, 2017

An avatar of the author

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.

Related content

Blog

Micetro 11.1 boosts DHCP management for Cisco Meraki SD-WAN

Learn how BlueCat Micetro 11.1 can help you overcome the limitations of Cisco Meraki SD-WAN devices to manage your distributed DHCP architecture.

Read more
Banner announcing BlueCat's acquisition of LiveAction, displaying both logos and the phrase "We're about to get bigger."
Blog

BlueCat acquires LiveAction to drive network modernization and optimization

BlueCat’s acquisition of LiveAction will allow customers to expand their view beyond DNS and dive deeper into the health of their network.

Read more
Blog

Simplify NIS2 compliance with DNS management

Learn whether the EU’s NIS2 requirements apply to your organization and about how DNS management and BlueCat can boost your path to compliance.

Read more
Blog

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

BlueCat has acquired LiveAction

It’s official! BlueCat has acquired LiveAction’s network observability and intelligence platform, which helps large enterprises optimize the performance, resiliency, and security of their networks.

Learn more