Recently we have seen two interesting headlines that point out weaknesses in the DNS of many organizations. The first was the return of cache poisoning in a paper on SAD DNS that demonstrated a remarkably effective and easy way to execute an attack on a recursive server. This type of attack is used to redirect end users to malicious sites without their knowledge. The second was a run-of-the-mill social engineering attack that unfortunately impacted a GoDaddy customer. It reportedly tricked the registrar's support staff into handing control of a cryptocurrency company’s domain to someone else. We did a simple write-up on the former, so let’s discuss the latter.
In the hierarchy of a domain you have a registrant (probably you, the reader, the beneficial “owner”), a registrar (the retail company that sells you your domain and hosting services) and a registry (the operator of the top-level domain, such as CIRA for .CA). Each plays an important part in maintaining the integrity of the domain name system by telling the millions of recursive resolvers in the world where our domains should point. CIRA, for instance, is the authority over the “.CA” portion of a domain name, while the registrant is the authority over where their domain should point (i.e. where a browser can find the server on which your website is hosted). The registrar often provides the interface between the registrant and the registry for communicating essential DNS information.
This is where the risk comes in. As the authority over the information related to a domain, you are the holder of some very important information; specifically, where to find the website associated with your domain name. If that information gets changed by someone other than you, then they have the power to send people anywhere they like. They can send your customers to their own website that might look like yours but is specially designed to simply capture login and password information.
That is why this data is so often targeted by hackers. Registrars have responded by offering various products related to securing permissions over who can change that data. Registries have also responded with similar offerings. CIRA, for instance, offers a Registry Lock service for all .CA domains. Adding Registry Lock to a domain registration applies a process where, in order for changes to happen to your DNS settings (or other critical domain name attributes), you need to authenticate the change with CIRA in an online and offline process. Not all registrars offer Registry Lock because it can cause confusion with their own security offerings.
So what is a domain owner to do? The great news is that we have a solution for that and more.
CIRA Anycast DNS makes your domains faster, more resilient, and more secure
Okay, so a blog that is a sales pitch can make me uncomfortable sometimes. Don’t get me wrong, there is nothing wrong with offering services in a link or two, but I am rarely this direct. Stay tuned and you will understand why!
I run a lot of webinars and in them I often poll attendees to ask them how many systems depend on their DNS. The median answer is the >10 category. This isn’t scientific, but think about the anecdote in your own company. Websites, email addresses, CRM systems, marketing automation, mass mail tools, or really any application where you alias with CNAME. Now ask yourself, how much backup do you have for your DNS? In this case the vast majority of people respond with none. The vast majority have also done little to protect it.
I will scream this from the rafters: first, regardless of whose service you use, back up a basic unicast DNS environment with a secondary anycast service. Second, make sure the supplier has a minimum of two distinct networks (or clouds) acting as authority for your domain name. Third, if your domain really matters, then add another supplier. It is one of the fastest, most set-and-forget, and most affordable things you can do to be more cyber-secure, with a side benefit of making your domains perform that much better globally. Consider this part a public service, and not a sales pitch.
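Two of the points above lend themselves to a periodic check a registrant can run against their own zone: whether the nameserver set published for the domain still matches the baseline you set (the kind of change a registrar-side social engineering hijack, as in the GoDaddy case, would produce), and whether the nameservers that do serve the zone span at least two distinct networks. The script below is an added example, not code from the original post or from CIRA; the hostnames, addresses (RFC 5737 documentation ranges) and provider-to-prefix map are constructed sample data, and in practice the observed NS set would come from querying the parent (.CA) servers and the provider map from BGP or WHOIS data.

```python
"""Audit a zone's published delegation against a baseline and check
nameserver network diversity. Constructed sample data; no network access.
Function names (audit_delegation, provider_for) are this example's own."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed baseline: the NS set the registrant expects the registry to publish.
EXPECTED_NS = {"ns1.primary.example", "ns2.primary.example",
               "a.anycast.example", "b.anycast.example"}

# Constructed observation, as if taken from a query to the parent zone's servers.
# One expected nameserver has been replaced by an unknown host: the footprint an
# unauthorized change at the registrar or registry would leave.
OBSERVED_NS = {"ns1.primary.example", "ns2.primary.example",
               "a.anycast.example", "ns1.unexpected.example"}

# Constructed glue/A records for each nameserver (documentation address ranges).
NS_ADDRESSES = {
    "ns1.primary.example": "192.0.2.10",
    "ns2.primary.example": "192.0.2.11",
    "a.anycast.example": "198.51.100.5",
    "b.anycast.example": "203.0.113.5",
    "ns1.unexpected.example": "203.0.113.77",
}

# Constructed provider map; a real one is derived from routing/WHOIS data.
PROVIDER_PREFIXES = {
    "unicast-hosting": ["192.0.2.0/24"],
    "anycast-cloud-a": ["198.51.100.0/24"],
    "anycast-cloud-b": ["203.0.113.0/24"],
}


def provider_for(address, prefixes=PROVIDER_PREFIXES):
    """Return the provider whose prefix contains `address`, else 'unknown'."""
    ip = ip_address(address)
    for provider, nets in prefixes.items():
        if any(ip in ip_network(net) for net in nets):
            return provider
    return "unknown"


def audit_delegation(expected, observed, addresses,
                     prefixes=PROVIDER_PREFIXES, min_networks=2):
    """Return a list of (severity, message) findings for a zone.

    Check 1 (drift): the published NS set differs from the baseline.
    Check 2 (diversity): fewer than `min_networks` distinct provider networks
    serve the zone, i.e. a single point of failure.
    """
    findings = []
    added = observed - expected
    removed = expected - observed
    if added:
        findings.append(("critical",
                         f"unexpected nameserver(s) published: {sorted(added)}"))
    if removed:
        findings.append(("critical",
                         f"expected nameserver(s) missing: {sorted(removed)}"))

    by_provider = defaultdict(list)
    for ns in sorted(observed):
        addr = addresses.get(ns)
        by_provider[provider_for(addr, prefixes) if addr else "unknown"].append(ns)
    if "unknown" in by_provider:
        findings.append(("warning",
                         f"nameserver(s) on unrecognised network: {by_provider['unknown']}"))
    known = [p for p in by_provider if p != "unknown"]
    if len(known) < min_networks:
        findings.append(("high",
                         f"only {len(known)} distinct network(s) serve the zone; "
                         f"want at least {min_networks}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_delegation(EXPECTED_NS, OBSERVED_NS, NS_ADDRESSES):
        print(f"[{severity}] {message}")
```

Run on the constructed data, the drift check reports both the unexpected host and the missing one; run with the baseline as the observation it reports nothing, and run on a zone whose nameservers all sit in one provider's prefix it reports the single-network finding. Scheduling this against the live parent servers is what turns a registrar-level change from a surprise into an alert.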
How could CIRA Anycast DNS have prevented the specific problem?
CIRA Anycast DNS has a domain lock feature built into it. When turned on, if you run your own authoritative servers and transfer zone files to CIRA to act as authority in the wild, then we won’t accept changes to the entire record if it is locked. It will require an administrator with privileged access to unlock it. If you have a third party acting as your primary supplier of DNS, then you can still transfer the authority for .CA domains to the CIRA Anycast clouds AND lock them. This way, if there is a social engineering hack, then it will be locked at your authoritative level.
Again, speaking to this specific case, while the registrar does not offer Registry Lock, it does offer the ability to easily do a zone transfer to a secondary service. If your domains really matter, you have the option to run your DNS on a high-quality, globally deployed, dedicated single-purpose infrastructure supplier like CIRA, so what is stopping you?
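Once a zone is being transferred to a secondary, the thing worth monitoring is whether each secondary is actually serving the same zone version as the primary: a secondary that falls behind has missed its NOTIFY/AXFR cycles, and a secondary whose serial is ahead of the primary is serving a version that did not come from the primary, which is exactly the situation a lock on the secondary is meant to prevent. The following is an added example, not code from the original post or from CIRA's service; it implements RFC 1982 serial-number comparison (so the check stays correct across the 32-bit wraparound) and runs it over constructed SOA serial observations, with hostnames and function names that are this example's own.

```python
"""Check that secondary nameservers are in sync with the primary, using
RFC 1982 serial-number arithmetic. Constructed sample data; names such as
serial_cmp and check_secondaries are this example's own, not CIRA's."""

SERIAL_MOD = 1 << 32          # SOA serials are unsigned 32-bit integers
HALF = 1 << 31                # RFC 1982: differences below 2^31 are "later"


def serial_cmp(a, b):
    """RFC 1982 comparison of two SOA serials.

    Returns -1 if a is older than b, 1 if newer, 0 if equal. The order is
    undefined when the serials are exactly 2^31 apart, so raise in that case
    rather than guess.
    """
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    if a == b:
        return 0
    diff = (b - a) % SERIAL_MOD
    if diff == HALF:
        raise ValueError(f"order of serials {a} and {b} is undefined (RFC 1982)")
    return -1 if diff < HALF else 1


# Constructed observations: the SOA serial each authoritative server answered with.
SAMPLE_SOA = {
    "ns1.primary.example": 2024061503,   # the primary's current serial
    "a.anycast.example":   2024061503,   # secondary in sync
    "b.anycast.example":   2024061501,   # secondary two increments behind
    "c.anycast.example":   2024061507,   # secondary AHEAD: changed outside the primary
}


def check_secondaries(primary, observed, max_lag=1):
    """Return (severity, host, message) findings for out-of-sync secondaries.

    `max_lag` is how many serial increments of lag to tolerate for normal
    propagation delay; anything ahead of the primary is always reported.
    """
    primary_serial = observed[primary]
    findings = []
    for host, serial in observed.items():
        if host == primary:
            continue
        try:
            order = serial_cmp(serial, primary_serial)
        except ValueError as exc:
            findings.append(("warning", host, str(exc)))
            continue
        if order < 0:
            lag = (primary_serial - serial) % SERIAL_MOD
            if lag > max_lag:
                findings.append(("high", host, f"stale: {lag} increments behind primary"))
        elif order > 0:
            findings.append(("critical", host,
                             f"serial {serial} is ahead of primary {primary_serial}: "
                             "zone content did not come from the primary"))
    return findings


if __name__ == "__main__":
    for severity, host, message in check_secondaries("ns1.primary.example", SAMPLE_SOA):
        print(f"[{severity}] {host}: {message}")
```

The "ahead of primary" case is the one to treat as an incident rather than an operations ticket: with a locked secondary it should never occur, and without one it means the authoritative answer your users receive no longer matches the zone you control.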
Interested in learning more? Visit the CIRA Anycast DNS product page.