Large-scale domain name system hijackings — usually in the form of DNS spoofing or DDoS attacks — have been on a steady rise for years. But the unprecedented number of DNS hijackings in 2019 has prompted the U.K.’s National Cyber Security Centre to alert and advise organizations on the threat. Learn how to protect your domain name system from hijacking.

The DNS operates like the switchboard of the internet, connecting alphabetical characters typed into web browsers with correct numeric-based IP addresses on servers where the content resides. If a DNS connection is hijacked, unsuspecting user traffic can be redirected to dangerous websites.

Securing the Foundations of the Internet

DNS attacks, more so than others, damage the primary trust users have on the internet. With consequences ranging from data theft to financial fraud, anyone victimized by a DNS attack will be wary of the internet generally — and especially suspicious of the domain where the attack originated. Customers who have been hurt by DNS hijacking have been known to abandon the affected service in droves, damaging revenue and brand reputation simultaneously.

By hijacking a domain, hackers can effectively weaponize a company’s online presence.

DNS hijacking can have catastrophic consequences for an organization and its brand image. When a company falls victim to DNS hijacking, its customers are exposed to fraud, data theft, breach of privacy, and financial loss. The company’s brand reputation suffers, which leads to lost customers and revenue. Also, the company may be fined or otherwise penalized by regulatory authorities.

Individuals and enterprises can both fall prey to attack, but website owners face the worst consequences.

Internet users trust the websites they visit to be safe, secure, and encrypted to protect their online data.

Penalties from regulatory bodies like the General Data Protection Regulations also take their toll. British Airways was recently fined $230 million over a data breach involving a DNS hijack that redirected traffic to a fraudulent website. More than 400,000 customers were affected when they entered credit card data into what they thought was a legitimate British Airways website.

The loss of revenue, customers, and brand reputation that result from DNS hijacking go directly to a company’s bottom line and capital value.

Why the DNS Is Vulnerable

Given the scale of most organizations’ online presence and operations, it’s not surprising the DNS is a vast network filled with potential vulnerabilities. Abandoned domains, weak password controls, and burdensome management processes compound these weaknesses.

Hackers will often exploit expired or forgotten domains that companies neglect to manage.

A forgotten domain caused a compromise to Dell when it relinquished control over a domain that enabled users to back up their computers to an online service with one click. After hackers discovered the oversight, they appropriated the domain, redirecting Dell computer users worldwide to a website full of explicit content and dangerous downloads. The damage to Dell’s brand reputation was significant.

Unused, or “orphaned,” domains are another issue: When companies manage hundreds — even thousands — of domains, it’s easy to overlook a compromised domain.

In an attack known as “Spammy Bear,” hackers exploited GoDaddy’s DNS system to steal 4,000 orphaned domains from 600 owners, including ING Bank, Hilton, McDonald’s, and Mastercard. The domains were particularly vulnerable because they resided outside the respective owner’s primary DNS services, where they were forgotten and not actively managed.

Correctly operating domains and the DNS depends upon rules and settings such as “zone files,” also known as resource records.

Access to DNS control systems should be restricted to authorized personnel, yet they are often left vulnerable from poor password management. Unauthorized parties frequently gain access to corporate DNS control systems, hijack domains and the DNS, and even cover their tracks to evade detection. Because DNS controls can involve both the DNS owners’ and the DNS service providers’ operations, both systems require secure password control such as two-factor authentication.

Inefficient, ineffective change management processes also weaken DNS security. Small changes can put domains at risk, so administrators must diligently track when, where, why, and how changes are being made. This work is typically done manually, raising the risk of errors and oversights that compromise DNS security.

Inefficient change management can result in omitted or invalid DNS security settings.

Widely considered to be mandatory and essential security measures are settings such as Domain Name System Security Extensions for authenticating users and destinations, and Domain-based Message Authentication, Reporting & Conformance, and Sender Policy Framework to vet email users. Ongoing surveys of Fortune 1,000 companies show that these protections are either missing entirely or they have been deployed incorrectly, exposing the affected organizations’ DNS networks and customers to serious compromise.

Businesses have a responsibility to their customers and their bottom lines to manage the DNS far more effectively.

To protect everyone’s interests, companies must tighten up DNS security by managing the DNS comprehensively and efficiently.

Defending the DNS from All Angles

Preventing DNS attacks is mainly about managing the ever-increasing scale of DNS network operations. Hackers exploit confusion and complexity to their advantage. Simplification is the antidote. Avoid hijacking and secure the DNS using with these strategies:

1. Consolidate to one platform 

Consolidate all domain registrars and DNS service providers to a single enterprise-grade registrar and DNS service. Working on one platform makes it easier to control access, implement stronger password protections, and manage all processes using the same best practices. Single platforms also enable users to activate “auto-renew” and “registrar lock” features to reduce the chance of failed domain renewals and unauthorized DNS changes.

2. Eliminate unwanted domains

All domains, including unused domains, should be managed with the same care and attention as premium domains. Become proactive about eliminating orphaned domains and managing DNS settings that could be vulnerable to misuse, such as unused IP addresses and domains that lack the start of authority (SoA).

3. Integrate change management

Implement a systems-based change management platform that relies on automation rather than manual inputs. Automation will block unauthorized changes, notify administrators of authorized changes, and create a tamper-proof audit of all activity within the system. Ideally, the platform integrates all DNS-related management tasks, including TLS certificates for encryption and security settings like DNSSEC.

4. Automate DNS security

Overcome the complexity of important DNS security features by automating processes. DNSSEC, DMARC, and SPF are challenging to manage and costly to administer, making them economically unsustainable for many companies. Automating DNS security makes it financially viable and administratively easy while ensuring full compliance.

Customers and users will avoid websites they consider unsafe.

Every organization with an online presence needs to treat DNS security as an existential priority. The safety of the internet depends on it.

Peter LaMantia

CEO of Authentic Web

Peter LaMantia is the CEO of Authentic Web, a corporate domain service and management system that equips IT and digital teams to secure and optimize their domain and DNS assets.