Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

DHS Emergency Directive 19-01: How to Detect DNS Attacks

On January 22, 2019, the United State Department of Homeland Security (DHS) released a warning for a DNS infrastructure hijacking attack against US government agencies. Let’s dig into the specifics...
David Gibson
3 min read
Published March 29, 2020
Last updated August 4, 2022

On January 22, 2019, the United State Department of Homeland Security (DHS) released a warning for a DNS infrastructure hijacking attack against US government agencies.

Let’s dig into the specifics of the DHS warning and look at how you can better protect and monitor your DNS services.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

What is a DNS Infrastructure Hijacking Attack?

The Emergency Directive 19-01 calls this attack a DNS Infrastructure Hijacking attack. DHS says that the attackers stole user credentials powerful enough to alter DNS records, and then used those credentials to manipulate DNS records for key servers.

The result? Once attackers had control of DNS, they redirected user traffic so they could intercept and record some or all of it, acting as a “man in the middle.” By intercepting user traffic, attackers can intercept information, like user name and password pairs.

For example, when victims send an email (to their secure email server for handling), they will connect to the attacker’s server first. From the victim’s perspective, it looks like everything is fine because they send and receive emails as usual. Things are not fine, however, because the attackers can eavesdrop, even when the connection appears encrypted (more on that below).

It’s important to note that manipulating DNS records to hijack connections isn’t new, and it doesn’t even take a compromised admin account to do it. This is because DNS is a very old protocol, with many vulnerabilities (for more on DNS and how it works, check out this primer). Not only can attackers exploit DNS to hijack connections – they can use it for reconnaissance, as a command and control channel, and to covertly exfiltrate data.

This attack is more worrisome than some other DNS hijacking attacks for two reasons:

  1. The attackers appear to have compromised authoritative records (instead of just cached records) on DNS servers “upstream” of the victim’s local DNS servers. This means that even if a victim’s local DNS servers aren’t compromised, they can still be vulnerable. For example, if an attacker changed the authoritative record for www.google.com to route to their own server, we’d all be going for an interesting ride, even though nothing changed on our computers or local DNS servers.
  2. The attackers used their power over authoritative DNS records to set up fake certificates that appear valid to end users. This means that the victim’s computer negotiates an encrypted connection with the attacker’s servers, and the attacker’s servers decrypt and re-encrypt the traffic, relaying, or “proxying” it to the destination server. If the victims are using webmail, this setup can even give victims the comforting lock symbol in their browser:

What Do I Need To Do Right Now?

What Do I Need To Do Right Now?

Per Emergency Directive 19-01, government agencies have to:

  • Audit all public DNS records
  • Change all passwords that can access DNS records
  • Implement multi-factor authentication (MFA) for all accounts that have rights to change DNS records
  • Monitor Certificate Transparency logs for new certificates your agency did not request

The scope of this remediation depends on several factors:

  1. How many public facing DNS records need auditing?
  2. How many accounts can change DNS records?
  3. How many of those accounts have MFA already?

Verifying that every DNS record is correct will be a lot of work for organizations with a lot of records. It’s best to take steps to prevent further breaches and make sure things stay fixed.

How to reduce the risk of DNS tampering on your DNS servers

  • Restrict administrative access to DNS servers (on Windows for example, monitor changes and review members of the dnsadmin group, and other administrative groups)
  • Use static DNS records or DHCP reservations for key records, and monitor changes to those records
  • Monitor DNS servers for signs of cache poisoning, reconnaissance, command and control, or data exfiltration
  • If you’re running a windows environment, identify, remediate and monitor other Active Directory vulnerabilities

How to protect yourself from compromised DNS records on servers that aren’t yours:

  • Enforce multi-factor authentication for external services wherever possible
  • Monitor DNS queries and other perimeter devices (e.g. web proxies) for attempted connections to sites with poor reputation scores

How does Varonis help?

Varonis starts by monitoring the right ingredients: First, data — who can touch it, who does touch it and what’s important – on-premises and in the cloud. Second, Active Directory – who’s using which devices with which accounts and how. Third, DNS and Edge devices like web proxies and VPN concentrators– who is getting in, and who and what is going out, and are any of the destinations untrustworthy.

Next, Varonis combines the ingredients and builds context. What kinds of accounts are there and who do they belong to, who uses which devices and which data, when are they active and from where. Varonis automatically builds a baseline, or “peace-time profiles” over hours, days and weeks for every user and device, so when they behave strangely they get noticed.

Varonis customers quickly identify and analyze things like:

Want to learn more? Get a 1:1 demo to see how Varonis can detect DNS attacks – and prevent data breaches.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

what-is-dns-ttl-+-best-practices
What is DNS TTL + Best Practices
This article covers the topic of DNS TTL (time to live), best practices all aspects surrounding implementation. 
how-hackers-spoof-dns-requests-with-dns-cache-poisoning
How Hackers Spoof DNS Requests With DNS Cache Poisoning
An overview of what DNS spoofing and DNS cache poisoning really are and how to protect your organization against them, plus FAQs answers.
what-is-dns-tunneling?-a-detection-guide
What is DNS Tunneling? A Detection Guide
Domain Name System (DNS) tunneling is a prevalent hacking method — learn how it works, the types of threats and how to detect and combat them
what-is-dns,-how-it-works-+-vulnerabilities
What is DNS, How it Works + Vulnerabilities
What is DNS? It’s the address book of the internet. Read on to understand DNS, learn how you are vulnerable to attack through DNS, and how to protect your networks from DNS attacks.