National Cyber Security Centre publishes advice on ongoing DNS hijacking and how to mitigate the risks

In January 2019 the NCSC published an alert to highlight a large-scale global campaign to hijack Domain Name Systems (DNS). The NCSC explains that DNS hijacking refers to the unauthorised alteration of DNS entries in a zone file on an authoritative DNS server, or the modification of domain configurations in relation to a domain registrar, by an attacker. These modifications can be used to achieve objectives such as redirecting traffic to capture sensitive information or to take down or deface a website.

The NCSC has observed various attacks that exploit the DNS system at different levels. Since the NCSC’s alert in January further activity has been observed, with victims of DNS hijacking identified across multiple regions and sectors.

Some of the risks around DNS hijacking include:

  • creating malicious DNS records: e.g. creating a phishing website that sits within an organisation’s familiar domain, which may be used to phish employees or customers;
  • obtaining SSL certificates: an attacker may obtain valid SSL certificates for a domain name, which could be used to create a phishing website intended to look like an authentic website;
  • transparent proxying: transparently proxying traffic to intercept data. The attacker modifies an organisation’s configured domain zone entries to point traffic to its own IP address; and
  • domain hijack: an organisation may lose all control of its domain, and the attackers will often change the domain ownership details, making it harder to recover.

The document goes on to suggest ways of mitigating the risks:

  • Registrar Security

The most common DNS hijacking takes place at the registrar level, simply by gaining unauthorised access to a registrant’s account using familiar account takeover (ATO) techniques such as phishing, credential stuffing and social engineering. The document suggests ways to mitigate these risks, such as: regularly auditing who can access the registrar control panel and make changes with the registrar; ensuring that all contact information is up to date, using role accounts (e.g. hostmaster@) instead of individuals’ email addresses for any of the domain contacts; taking advantage of a “registrar lock”, offered by many registries, which prevents the domain being transferred to a new owner without the lock first being removed; and keeping evidence that can be used to prove ownership, in case the entire domain is hijacked.

  • Nameserver Security

If operating your own DNS infrastructure, consider robust change control processes to manage any changes to your zone file. Employ strict access controls on the infrastructure hosting DNS zone files or providing DNS services for your domain. Monitor and periodically audit the entries configured in your zone files to ensure that what is present is expected. Use open source tools like crt.sh to monitor for the creation of SSL certificates that match your organisation’s domain name(s). Consider configuring DNSSEC on your zone so queries are cryptographically signed.
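The zone audit suggested above can be scripted. The following is an added example, not code from the NCSC document: it parses a minimal BIND-style zone file, compares it with an approved baseline, and reports records that have appeared, disappeared or changed. The zone contents, the example.com names and the RFC 5737 documentation addresses are constructed for illustration; the parser is deliberately minimal (it handles $ORIGIN, “@”, relative names and an optional TTL column, and ignores other directives) rather than a full RFC 1035 implementation.

```python
"""Audit a DNS zone file against an approved baseline and report drift.

Added example (not from the NCSC advice). Zone contents below are
constructed: hypothetical example.com names and RFC 5737 addresses.
"""
from collections import defaultdict

# Constructed baseline: the records the organisation expects to be present.
EXPECTED_ZONE = """
$ORIGIN example.com.
$TTL 3600
@        IN  NS   ns1.example.com.
@        IN  NS   ns2.example.com.
@        IN  A    192.0.2.10
www      IN  A    192.0.2.10
mail     IN  MX   10 mx1.example.com.
"""

# Constructed current zone: 'www' now resolves elsewhere and a new host
# 'login' has appeared, the patterns described under "creating malicious
# DNS records" and "transparent proxying".
CURRENT_ZONE = """
$ORIGIN example.com.
$TTL 3600
@        IN  NS   ns1.example.com.
@        IN  NS   ns2.example.com.
@        IN  A    192.0.2.10
www      IN  A    198.51.100.7
login    IN  A    198.51.100.7
mail     IN  MX   10 mx1.example.com.
"""


def parse_zone(text):
    """Return {(owner, rtype): set(rdata)} for a simple zone file.

    Handles $ORIGIN, '@', relative owner names and an optional TTL column;
    comments (';') and blank lines are skipped. Other $ directives such as
    $TTL do not affect the audit and are ignored.
    """
    origin = ""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue
        fields = line.split()
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        rest = fields[1:]
        if rest and rest[0].isdigit():      # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # class column
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        records[(owner, rtype)].add(rdata)
    return dict(records)


def zone_drift(expected_text, current_text):
    """Compare two zones; return sorted (status, owner, rtype, rdata) tuples.

    UNEXPECTED: present now but not in the baseline (new or changed record).
    MISSING:    in the baseline but no longer present (removed or changed).
    """
    expected = parse_zone(expected_text)
    current = parse_zone(current_text)
    findings = []
    for key in set(expected) | set(current):
        owner, rtype = key
        for rdata in current.get(key, set()) - expected.get(key, set()):
            findings.append(("UNEXPECTED", owner, rtype, rdata))
        for rdata in expected.get(key, set()) - current.get(key, set()):
            findings.append(("MISSING", owner, rtype, rdata))
    return sorted(findings)


if __name__ == "__main__":
    for status, owner, rtype, rdata in zone_drift(EXPECTED_ZONE, CURRENT_ZONE):
        print(f"{status:10} {owner:22} {rtype:4} {rdata}")
```

Run periodically against a zone transfer or the live zone file with the baseline kept under change control; any UNEXPECTED or MISSING line is a change that should match an approved change ticket. A changed A record for a customer-facing host, as in the sample, is exactly the case where a certificate transparency check (crt.sh) for the same name is worth running alongside the zone audit.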

  • Web Application Security

Where an attacker uses a transparent proxy technique to steal credentials or other data, internet traffic would come via the proxy the attacker manages. Typically, this traffic will be forwarded from the proxy to an organisation’s web-facing application and thus would likely originate from a single IP address or a small pool of them. Traffic to an internet-facing web application that arrives en masse from a single or small pool of internet-facing IP address(es), visible when monitoring access or authentication logs, could be an indicator of this technique in use.
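The log check described above can be expressed as a small detection script. The following is an added example and is not code from the NCSC document: it scans web-server access log lines in Combined Log Format for requests to a login endpoint and reports source addresses that carry an unusually large share of them while presenting many different user agents, which is what a relaying proxy looks like from the application’s side. The log lines, the /login path, the thresholds and the example.com names are constructed assumptions for illustration.

```python
"""Flag source IPs carrying a disproportionate share of login traffic.

Added example (not from the NCSC advice). Log lines are constructed:
RFC 5737 documentation addresses and a hypothetical /login endpoint.
"""
import re
from collections import Counter, defaultdict

# Combined Log Format: ip ident user [ts] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

LOGIN_PATH = "/login"  # assumed authentication endpoint of the monitored app


def _line(ip, path, ua, status=200):
    """Build one constructed access-log line in Combined Log Format."""
    return (f'{ip} - - [05/Mar/2019:10:15:00 +0000] "POST {path} HTTP/1.1" '
            f'{status} 512 "https://www.example.com{path}" "{ua}"')


# Constructed sample: eight ordinary clients logging in once each, plus one
# address (198.51.100.7) relaying logins for twelve different browsers.
NORMAL_IPS = [f"203.0.113.{i}" for i in range(1, 9)]
SAMPLE_LOG = [_line(ip, "/login", "Mozilla/5.0 (Windows NT 10.0)") for ip in NORMAL_IPS]
SAMPLE_LOG += [_line("198.51.100.7", "/login", f"Mozilla/5.0 (client {n})") for n in range(12)]
SAMPLE_LOG += [_line(ip, "/index.html", "Mozilla/5.0") for ip in NORMAL_IPS[:3]]


def login_sources(lines, path=LOGIN_PATH):
    """Count login requests per source IP and collect distinct user agents per IP.

    Lines that do not parse or that are not for `path` are ignored.
    """
    per_ip = Counter()
    agents = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != path:
            continue
        per_ip[m["ip"]] += 1
        agents[m["ip"]].add(m["ua"])
    return per_ip, agents


def suspicious_sources(lines, min_share=0.25, min_agents=5, path=LOGIN_PATH,
                       known_egress=()):
    """Return [(ip, logins, share, distinct_user_agents)] for IPs over threshold.

    An IP is reported when it accounts for at least `min_share` of all login
    requests AND presents at least `min_agents` distinct user agents (many
    different browsers behind one address). Addresses in `known_egress`
    (e.g. a partner's NAT gateway) are skipped to reduce false positives.
    """
    per_ip, agents = login_sources(lines, path)
    total = sum(per_ip.values())
    findings = []
    for ip, n in per_ip.most_common():
        if ip in known_egress:
            continue
        share = n / total if total else 0.0
        if share >= min_share and len(agents[ip]) >= min_agents:
            findings.append((ip, n, round(share, 2), len(agents[ip])))
    return findings


if __name__ == "__main__":
    for ip, n, share, ua_count in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {n} logins ({share:.0%} of all), {ua_count} distinct user agents")
```

The user-agent condition is what separates a relaying proxy from one client hammering the endpoint, but a large corporate NAT or a CDN egress range produces the same shape; baseline the known egress addresses (the `known_egress` parameter) and tune `min_share` against normal daily volume before alerting on the result.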

To read the advice document in full, click here.