Cybersecurity Spotlight – Domain Name System (DNS)
What it is:
The Domain Name System (DNS) converts domain names (ex: www.example[.]com) that users enter into a web browser to Internet Protocol (IP) addresses. DNS acts as a phone book to translate the domain names into the location of the server or asset the device is trying to access. Each device and domain that is connected to the internet has a unique IP address. DNS eliminates the need for users to memorize IP addresses in order to access websites and other connected services.
When a user inputs a domain name, the system makes a request to DNS servers, and they return the IP address. This request typically occurs in a fraction of a second and goes through multiple levels of servers on the wider internet. These servers communicate with each other in order to acquire and transmit the correct information back to the user’s system.
DNS servers and local machines usually maintain a cache (a collection of data) of regularly visited websites. This is similar to how a user may bookmark a particular website on their computer so they can access it more quickly. Using a cache like this saves time and significantly reduces the load on DNS servers (think of how many times www.google[.]com is accessed), but it can also introduce risks, as described below.
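The request-and-cache flow described above, as an added Python example that is not part of this Spotlight: it builds a query for the reserved name www.example.com, constructs the reply a server would return (using the documentation address 192.0.2.10, so nothing touches the network), parses it, and stores the answer in a cache that honors the record's TTL. The transaction-ID check in parse_response is the first thing a resolver does to discard replies that do not belong to its own query. All names, addresses and function names here are constructed for the example.

```python
import struct
import time

# Constructed example values: a reserved example hostname and a documentation-range IP.
EXAMPLE_NAME = "www.example.com"
EXAMPLE_IP = "192.0.2.10"
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid, qtype=TYPE_A):
    """Build a standard query with the RD (recursion desired) flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset of the next field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset or hops > 16:
                raise ValueError("bad compression pointer")
            offset, hops = pointer, hops + 1
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset if end is None else end


def build_response(query, ip, ttl):
    """Construct the reply a server would send to build_query's A query (no real network)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    rr = struct.pack("!H", 0xC00C)  # name pointer to the question name at offset 12
    rr += struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
    rr += bytes(int(o) for o in ip.split("."))
    return header + question + rr


def parse_response(msg, expected_txid):
    """Parse header, question and answer sections; reject replies whose ID does not match."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply does not belong to our query")
    if not flags & 0x8000:
        raise ValueError("QR flag not set: this is not a response")
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        data = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


class TtlCache:
    """Resolver-style cache: an entry is served only until its TTL has elapsed."""

    def __init__(self):
        self._entries = {}

    def put(self, name, rtype, data, ttl, now=None):
        now = time.time() if now is None else now
        self._entries[(name.lower(), rtype)] = (data, now + ttl)

    def get(self, name, rtype, now=None):
        now = time.time() if now is None else now
        entry = self._entries.get((name.lower(), rtype))
        if entry is None or entry[1] <= now:
            return None  # missing or expired: the resolver must ask upstream again
        return entry[0]


def resolve_demo():
    """One query/response round trip, then a cache hit inside the TTL and a miss after it."""
    cache, txid = TtlCache(), 0x1A2B
    reply = build_response(build_query(EXAMPLE_NAME, txid), EXAMPLE_IP, ttl=300)
    parsed = parse_response(reply, txid)
    answer = parsed["answers"][0]
    cache.put(answer["name"], TYPE_A, answer["data"], answer["ttl"], now=1000)
    return parsed, cache.get(EXAMPLE_NAME, TYPE_A, now=1100), cache.get(EXAMPLE_NAME, TYPE_A, now=1400)
```

The cache keeps an entry only for the TTL the authoritative server attached to it; a forged record that lands in this cache would be served for that whole window, which is why the spoofing risk described later in this Spotlight turns on what gets cached.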
DNS services can be provided by any number of sources. Most commonly, these are Internet Service Providers (ISPs), but can also include commercial providers like Google and Cloudflare, or a government agency’s enterprise IT department.
The diagram below is a high-level illustration of a DNS request.
Why does it matter:
DNS resolution is a powerful tool that has been fundamental to the success of the internet. However, it is also an avenue for malicious actors to conduct attacks against end users. These attacks can result in compromised data or the introduction of malware to a system. Attacks can include, but are not limited to:
- DNS Spoofing involves introducing forged DNS data into a system’s DNS cache, which in turn results in an incorrect IP address being returned. This can happen through the exploitation of a local device or system. When a compromised system attempts to revisit a site that exists in its DNS cache, rather than being routed to the correct IP address, it routes to the forged IP address instead, presumably to engage in other malicious activities.
- DNS Hijacking involves an attacker redirecting a system’s DNS server to one controlled by the malicious actor. In this case, the malicious actor receives all requests from the system and can route them as it wishes to serve its purpose. It may, for instance, route most traffic normally, while routing traffic intended for a bank’s website to a spoofed site. This can be the result of malware being introduced to the ISP or router.
Both of these attacks are also referred to as “Man-in-the-Middle” attacks, in which malicious actors place themselves between two devices and intercept or modify the communications between them.
Election offices are also responsible for maintaining the security of their own DNS records and for ensuring their configuration does not negatively impact the security of voters trying to access information. Just as election office staff may be vulnerable to attacks while accessing the web, an individual attempting to access an election website is vulnerable to the same attacks. Malicious actors could exploit DNS vulnerabilities to inject forged DNS data that would redirect an individual’s query away from the legitimate elections website. DNS Security Extensions (DNSSEC) is a solution that allows election offices to validate their domains’ records to prevent DNS hijacking and spoofing. Similar to DMARC for email, DNSSEC uses cryptography to authenticate a DNS entry and prevent visitors from being redirected to an illegitimate website.
What you can do:
Risk mitigation for DNS weaknesses falls into two areas: 1) protecting election office users and systems against DNS attacks, and 2) protecting those accessing election office systems from DNS attacks.
To protect election office end users, enroll in the EI-ISAC’s new Malicious Domain Blocking and Reporting (MDBR) service. MDBR is a new, no-cost service made available in partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and Akamai. In addition to providing DNS services to your organization, MDBR prevents systems from connecting to known and suspected malicious web domains, limiting malware infections. The service is easy to implement and requires virtually no maintenance as EI-ISAC and Akamai fully maintain the systems required to provide the service. Existing EI-ISAC members can sign up for MDBR here.
For an additional layer of defense, election offices should maintain a “blocklist” of IP addresses associated with infected systems. The MS-ISAC sends out a weekly list of Malware IPs and Domains that have been observed throughout the week. It is also recommended that members monitor network traffic, looking for rogue communications that are not authorized on a network. In combination with monitoring, election offices should enable DNS query logging (CIS Control 8.7) to detect hostname lookups for known malicious domains.
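Query-log monitoring against a blocklist, as an added Python example (not an EI-ISAC or MS-ISAC tool): the log layout, the blocklist entries and the client addresses are all constructed for the example, using reserved example names and documentation IP ranges. It flags lookups of a blocked domain or any of its subdomains, and answers that resolve to a blocked IP, and it matches on label boundaries so that a look-alike such as notbad-example.net is not confused with bad-example.net.

```python
import ipaddress
import re

# Constructed blocklists using reserved example names and documentation IP ranges.
BLOCKED_DOMAINS = {"bad-example.net", "malware.example.org"}
BLOCKED_IPS = {ipaddress.ip_address("198.51.100.7")}

# Constructed query-log lines in a generic key=value layout (not any specific product's format).
SAMPLE_LOG = """\
2024-03-05T10:22:01Z client=10.0.0.15 qname=www.example.com qtype=A answer=192.0.2.10
2024-03-05T10:22:03Z client=10.0.0.22 qname=cdn.bad-example.net qtype=A answer=203.0.113.9
2024-03-05T10:22:05Z client=10.0.0.22 qname=notbad-example.net qtype=A answer=203.0.113.10
2024-03-05T10:22:09Z client=10.0.0.31 qname=update.example.com qtype=A answer=198.51.100.7
2024-03-05T10:22:11Z client=10.0.0.31 qname=MALWARE.Example.ORG. qtype=AAAA answer=NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)"
    r"\s+qtype=(?P<qtype>\S+)\s+answer=(?P<answer>\S+)$"
)


def normalize(name):
    """Lower-case and strip the trailing dot so comparisons are case- and form-insensitive."""
    return name.rstrip(".").lower()


def blocked_suffix(qname, blocked_domains):
    """Return the blocklist entry that matches qname exactly or as a parent domain.

    Matching is done on label boundaries, so 'notbad-example.net' does not match
    'bad-example.net' while 'cdn.bad-example.net' does.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocked_domains:
            return candidate
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_log(text, blocked_domains=BLOCKED_DOMAINS, blocked_ips=BLOCKED_IPS):
    """Return one alert per blocklist hit: a looked-up domain or a resolved IP on the list."""
    blocked_domains = {normalize(d) for d in blocked_domains}
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hit = blocked_suffix(rec["qname"], blocked_domains)
        if hit:
            alerts.append({"ts": rec["ts"], "client": rec["client"], "qname": rec["qname"],
                           "reason": "blocked-domain", "indicator": hit})
        try:
            answer_ip = ipaddress.ip_address(rec["answer"])
        except ValueError:  # NXDOMAIN, CNAME targets and similar are not IP literals
            continue
        if answer_ip in blocked_ips:
            alerts.append({"ts": rec["ts"], "client": rec["client"], "qname": rec["qname"],
                           "reason": "blocked-ip", "indicator": str(answer_ip)})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Each alert carries the client address, so the host that made the lookup can be isolated and examined; the resolved-IP check catches the case where a domain not yet on any list is pointed at infrastructure that is.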
To protect those visiting your sites or using your services against DNS attacks, deploy DNS Security Extensions (DNSSEC) for all domains that your organization owns or operates. With DNSSEC, the DNS records for your domain carry a digital signature. From that point forward, any attempt to change the DNS entry for your domain will have to pass cryptographic authentication, preventing the simple forgery used in DNS attacks.
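The link in the DNSSEC chain of trust that makes such forgery detectable, as an added Python example (not the page's own code or that of any DNS software): the parent zone publishes a DS record that is a hash of the child's key-signing DNSKEY, and a validating resolver accepts the child's key only if that hash matches. The example computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) for a constructed DNSKEY whose key bytes are a placeholder rather than a real key, and shows that an altered key or a different owner name no longer matches. Verifying the RRSIG signatures over the zone's records with the public key is the other half of validation; it needs a cryptographic library and is not shown here.

```python
import hashlib
import hmac
import struct

# DS digest types from RFC 4034 / RFC 4509 / RFC 6605, mapped to hashlib names.
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def canonical_wire_name(name):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lower-case labels; root is one zero byte."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (257 = key-signing key), protocol (always 3), algorithm number, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a checksum used to pick candidate keys, not a unique identifier."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata, digest_type=2):
    """Compute the DS record the parent zone publishes for this DNSKEY: hash(owner name || DNSKEY RDATA)."""
    digest = hashlib.new(DIGEST_TYPES[digest_type], canonical_wire_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(ds, owner, rdata):
    """The check a validating resolver makes at a delegation: does this DS authenticate this DNSKEY?"""
    if ds["digest_type"] not in DIGEST_TYPES:
        return False  # unknown digest type: the DS cannot be used
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    computed = make_ds(owner, rdata, ds["digest_type"])["digest"]
    return hmac.compare_digest(computed, ds["digest"].lower())


def chain_demo():
    """Constructed KSK (placeholder key bytes, not a real key) and the DS that links it to the parent zone."""
    owner = "Example.COM."  # mixed case on purpose: canonicalization makes it equal to example.com
    rdata = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")  # algorithm 13 = ECDSAP256SHA256
    ds = make_ds("example.com", rdata)
    tampered = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x05")
    return ds, ds_matches_dnskey(ds, owner, rdata), ds_matches_dnskey(ds, owner, tampered)


if __name__ == "__main__":
    print(chain_demo())
```

Because the DS lives in the parent zone and is itself signed there, an attacker who forges the child's DNSKEY cannot make it match without also changing the parent's records, which is what gives the chain its strength; it is also why the DS value at the registrar must be kept in step whenever the key-signing key is rolled.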
US-CERT provides additional technical recommendations:
- Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
- Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames.
- Search for encryption certificates related to domains and revoke any fraudulently requested certificates.
Lastly, there have been a number of recent vulnerabilities affecting DNS servers. Election offices should continuously monitor their systems for vulnerabilities and patch identified vulnerabilities to prevent exploitation.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org.