Operator/NOC feature improvements

Some of our operators have requested a feature to share portions of their monitoring view with their customers. DNSmonitor has listened and is now introducing this feature without compromising our long-term goal of keeping the service and its interface easy to operate.

The operator can now, without much effort, set up any number of read-only accounts for its customers and assign which domains each customer may view. The operator configures and sends an invitation link to a customer's email address and assigns any of its domains to that customer for read-only viewing. The customer simply follows the link to the sign-up page, chooses a password and confirms their email address, and they are up and running. It can't get any simpler than that.

This feature improves operator customers' ability to see what the operator sees.

Posted by hd-admin
Host name integrity check

Customers are now able to configure host records to monitor in addition to the default host records monitored by the service. The feature is called Host name integrity check and is configured in the Manage Domain facility.

This feature continuously monitors the integrity of each configured host record on every available name server and alerts when the record is altered.

This new feature greatly improves the ability to detect whether a customer domain is subject to attacks like the 2019 DNS Hijacking Campaign, where host records were altered to route traffic through attacker-controlled servers for eavesdropping (a man-in-the-middle attack). By default this check is performed on all NS resource records and their host record counterparts (the name servers' A/AAAA records) as well as the primary MX resource record.

The development and release of this check is largely due to the above-mentioned DNS Hijacking Campaign, which as far as anybody knows is still ongoing, in different forms and with varying sophistication. DNS is a prime target for attackers, mainly because almost every session is preceded by a DNS name lookup and authoritative name servers are by design always reachable from the Internet. Our hope is that every customer takes advantage of this and configures the check on every domain they monitor.

Sincerely,

The DNSmonitor Development Team

Posted by hd-admin in News
DNS Hijacking Campaign

In late January 2019 a security alert was issued by DHS CISA concerning attacks targeting DNS servers and their content in a globally widespread DNS infrastructure hijacking campaign. The security alert can be found here. The alert went global almost instantly and was spread by all major national CERT organizations around the globe.

12 days before, on the 9th of January, the security firm FireEye had released an article on their Threat Research blog describing this campaign. FireEye's research team found that these types of attacks have been ongoing since (at least) 2017 but had escalated over the preceding months. "This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success."

Read the full article here.

It is needless to point out that the core problem is, as usual, poorly managed accounts with weak passwords. Countless articles have already been written about this subject, so I will leave that alone and focus on the target: the DNS.

As the FireEye research indicates, the news here is the sheer scale and that the targets are DNS servers. I have no doubt that the majority of the breaches have been made on accounts for managed DNS services. Managed DNS services have become increasingly popular over the past years (if you have a problem, outsource it and the problem goes away, right?), and why not? I can relate to why using a managed DNS service is a good idea for many organisations. They don't require skilled and expensive staff to manage, and features like DNSSEC are readily available.

DNSSEC is great for detecting man-in-the-middle attacks, so why is it so obviously ineffective against this kind of attack? The answer is simple. Man-in-the-middle attacks like the cache poisoning attacks that were popular some years ago intercept DNS traffic between resolvers and authoritative servers and inject forged IP addresses into the resolver cache, redirecting traffic through attacker-controlled sites. DNSSEC catches that: the forged answer carries no valid signature from the zone's key. The attacks described in these articles look similar but differ in one decisive way: they inject the forged IP addresses at the source, in the zone itself, before the resource record is signed. The zone's normal signing process then signs the attacker's data, so when a validating resolver checks the record it validates as legitimate, and end users never notice that their traffic is routed through the attacker's servers. DNSSEC proves that a record is what the zone operator published; it cannot tell whether the zone operator's account was used by its rightful owner. With that in mind these attacks are quite devious in the way they hide in plain sight. At a quick glance you will not notice that an IP address has been changed, especially if you are not looking for it.
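To make the distinction concrete, here is an added example (not code from DNSmonitor or from FireEye) that models a zone signer and a validating resolver. It uses Ed25519, which is a real DNSSEC algorithm (number 15), but a simplified canonical form instead of DNS wire format, and the host name and addresses are constructed. It shows that a record altered in flight fails validation, while the same alteration made in the zone before signing validates cleanly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// RRset is a simplified resource record set: owner name, type and rdata.
// In DNSSEC the RRSIG covers the whole set in canonical form; here the
// canonical form is a plain string so the example stays self-contained.
type RRset struct {
	Name string
	Type string
	Data []string
}

// canonical is the byte string the signature covers in this model. Real
// DNSSEC signs the canonical wire format plus RRSIG header fields, but the
// principle is the same: whatever is in the zone at signing time gets signed.
func canonical(rr RRset) []byte {
	return []byte(strings.ToLower(rr.Name) + "|" + rr.Type + "|" + strings.Join(rr.Data, ","))
}

// Zone holds the zone signing key. Whoever can edit zone data and let the
// normal signing pipeline run effectively controls what this key signs,
// which is exactly what an attacker with the zone-management account gets.
type Zone struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewZone() (*Zone, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Zone{pub: pub, priv: priv}, nil
}

// Sign plays the role of the zone's signer producing an RRSIG for the RRset.
func (z *Zone) Sign(rr RRset) []byte { return ed25519.Sign(z.priv, canonical(rr)) }

// Validate plays the role of a validating resolver that trusts z.pub (the
// zone's DNSKEY, reached through the chain of trust).
func (z *Zone) Validate(rr RRset, sig []byte) bool {
	return ed25519.Verify(z.pub, canonical(rr), sig)
}

// Scenarios reports whether validation catches (a) on-path tampering after
// signing and (b) an at-source change that the signing pipeline re-signs.
func Scenarios(z *Zone) (onPathDetected, atSourceDetected bool) {
	legit := RRset{"www.example.com.", "A", []string{"203.0.113.10"}} // constructed
	sig := z.Sign(legit)

	// (a) Cache poisoning: the attacker swaps the rdata in flight but cannot
	// produce a signature from the zone key, so the old RRSIG no longer fits.
	poisoned := RRset{legit.Name, legit.Type, []string{"198.51.100.7"}}
	onPathDetected = !z.Validate(poisoned, sig)

	// (b) Hijack via the zone-management account: the attacker edits the
	// record at the source and the zone is re-signed as part of normal
	// operation, so the forged record carries a perfectly valid RRSIG.
	hijacked := RRset{legit.Name, legit.Type, []string{"198.51.100.7"}}
	hijackSig := z.Sign(hijacked)
	atSourceDetected = !z.Validate(hijacked, hijackSig)
	return onPathDetected, atSourceDetected
}

func main() {
	z, err := NewZone()
	if err != nil {
		panic(err)
	}
	onPath, atSource := Scenarios(z)
	fmt.Printf("on-path tampering caught by DNSSEC: %v\n", onPath)   // true
	fmt.Printf("at-source hijack caught by DNSSEC:  %v\n", atSource) // false
}
```

The second scenario is the one the campaign exploited: nothing in the validation path is broken, the signer simply signed what it found in the zone. Detecting it requires comparing the published data with a reference that the attacker does not control, which is what the record monitoring described below provides.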

FireEye found that three record types are the most likely targets for carrying out the different traffic redirections: NS, MX and A (AAAA). NS records identify which name servers are authoritative for a domain/zone; by altering them an attacker redirects all DNS queries for the zone through his own DNS infrastructure, and can then answer every subsequent query as he pleases. MX records tell a sending MTA where email for the domain should be delivered; by altering them, all incoming mail is redirected to the attacker, who can read it and forward it on to the originally intended mail servers. Finally, A and AAAA records direct traffic for a host name to IP addresses the attacker controls.

In practice, the way to detect these attacks is to continuously monitor key DNS records against a known-good baseline.

DNSmonitor can do this for you. Our current version monitors and alerts when NS, MX and the name servers' A and AAAA records are changed. We record and store these values as you set up the monitoring of your domain. Find out more here...

In our next release (in Q 2020) you will be able to set up individual checks for any A, AAAA and CNAME records inside the zone you monitor!
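The Host name integrity check described in the post above and the NS/MX/A monitoring described here come down to the same logic: store a baseline at setup, query every authoritative server separately, and alert on any deviation. The following is an added example of that logic (not DNSmonitor's own code), run over constructed answers rather than live queries; the domain, name servers and addresses are assumptions. It also treats a server that stops answering as a finding, since a name server going silent can itself be the first visible sign of an NS record change.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Record identifies one monitored RRset by owner name and type.
type Record struct {
	Name string
	Type string
}

func (r Record) String() string { return r.Name + " " + r.Type }

// Observation is what one authoritative name server answered for a record.
// Err is non-empty when the query failed (timeout, REFUSED, SERVFAIL, ...).
type Observation struct {
	Server string
	Values []string
	Err    string
}

// Alert is one deviation from the baseline, attributed to the server that showed it.
type Alert struct {
	Record Record
	Server string
	Reason string
}

// normalize makes rdata comparable: case-insensitive, trimmed and order-independent,
// so round-robin ordering differences do not raise false alarms.
func normalize(values []string) string {
	c := make([]string, len(values))
	for i, v := range values {
		c[i] = strings.ToLower(strings.TrimSpace(v))
	}
	sort.Strings(c)
	return strings.Join(c, ",")
}

// CheckIntegrity compares the baseline recorded when monitoring was set up with
// the answers from every authoritative server and returns one alert per deviation.
// Each server is judged on its own because a hijack may be visible on only one of them.
func CheckIntegrity(baseline map[Record][]string, observed map[Record][]Observation) []Alert {
	var alerts []Alert
	keys := make([]Record, 0, len(baseline))
	for r := range baseline {
		keys = append(keys, r)
	}
	sort.Slice(keys, func(i, j int) bool { return keys[i].String() < keys[j].String() })
	for _, r := range keys {
		want := normalize(baseline[r])
		obs := observed[r]
		if len(obs) == 0 {
			alerts = append(alerts, Alert{r, "", "no authoritative server answered"})
			continue
		}
		for _, o := range obs {
			switch {
			case o.Err != "":
				// A server that stops answering is itself suspicious after an NS change.
				alerts = append(alerts, Alert{r, o.Server, "query failed: " + o.Err})
			case normalize(o.Values) != want:
				alerts = append(alerts, Alert{r, o.Server,
					fmt.Sprintf("record changed: baseline [%s], observed [%s]", want, normalize(o.Values))})
			}
		}
	}
	return alerts
}

// SampleRun feeds constructed data (not real DNS answers) through the check:
// the baseline as stored at setup, and a later poll of both name servers.
func SampleRun() []Alert {
	ns1, ns2 := "ns1.example.com.", "ns2.example.com." // assumed name servers
	baseline := map[Record][]string{
		{"example.com.", "NS"}:    {ns1, ns2},
		{"example.com.", "MX"}:    {"10 mail.example.com."},
		{ns1, "A"}:                {"203.0.113.1"},
		{ns2, "A"}:                {"203.0.113.2"},
		{"www.example.com.", "A"}: {"203.0.113.10"},
	}
	observed := map[Record][]Observation{
		{"example.com.", "NS"}: {{Server: ns1, Values: []string{ns2, ns1}}, {Server: ns2, Values: []string{ns1, ns2}}},
		{"example.com.", "MX"}: {{Server: ns1, Values: []string{"10 mail.example.com."}}, {Server: ns2, Err: "timeout"}},
		{ns1, "A"}:             {{Server: ns1, Values: []string{"203.0.113.1"}}, {Server: ns2, Values: []string{"203.0.113.1"}}},
		{ns2, "A"}:             {{Server: ns1, Values: []string{"203.0.113.2"}}, {Server: ns2, Values: []string{"203.0.113.2"}}},
		// The web host's address was altered, but only the copy served by ns2 shows it.
		{"www.example.com.", "A"}: {{Server: ns1, Values: []string{"203.0.113.10"}}, {Server: ns2, Values: []string{"198.51.100.7"}}},
	}
	return CheckIntegrity(baseline, observed)
}

func main() {
	for _, a := range SampleRun() {
		fmt.Printf("ALERT %s via %s: %s\n", a.Record, a.Server, a.Reason)
	}
}
```

In a real deployment the Observation values would come from direct queries to each server in the baseline NS set rather than through a recursive resolver, whose cache could already be serving the attacker's answers, and the baseline must be captured while the zone is known to be clean; a baseline taken after a hijack would silently bless the forged records.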

 

Posted by Henrik Dahlberg in Cyber Crime