DNS Exfiltration Prevention

5 Best Practices for Preventing DNS Exfiltration

In today’s digital landscape, it is commonly accepted that the DNS (Domain Name System) service is one of the most critical IT services for any company in any industry. DNS is a mission-critical network service, as almost all applications and services, users, and customers must use the DNS service as a basic starting point for communication. Unfortunately, DNS is easy to exploit because it was originally designed to be an open service. As a consequence of their fundamental role in IT infrastructures, DNS servers must be accessible to everyone. These reasons begin to explain why DNS is an appealing target for cybercriminals.

What is DNS Exfiltration?

DNS exfiltration is one example of an attack that abuses DNS servers. It is a form of data exfiltration in which the attacker uses DNS to leak sensitive information from a targeted network. The data is broken down into small chunks (sometimes encrypted or encoded), and each chunk is embedded in DNS traffic, typically in the query name sent to a domain the attacker controls. Since DNS is a fundamental part of internet communication, this method allows attackers to bypass traditional security measures, making it much more difficult for organizations to detect. Cybercriminals benefit from the assumption that DNS isn’t associated with data delivery and are able to bypass most traditional security mechanisms for transporting sensitive data from inside to outside the enterprise.

Cybercriminals typically use either a tunneling protocol or a ‘file transfer’ protocol, both of which firewalls and data loss prevention (DLP) systems have a difficult time detecting. Most businesses are not able to detect the data exfiltration until it is far too late. To protect data confidentiality and meet compliance requirements, organizations must improve their security posture around DNS. This blog post will highlight some best practices to protect your data from DNS exfiltration.
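The pattern described above (data chunks carried in the leading label of queries to one attacker-controlled zone) is detectable in resolver query logs even when firewalls and DLP miss it. The following script is an added example, not code from the original post or its vendor: it scores each query's first label by length and Shannon entropy and reports zones that receive several such labels. The log format (timestamp, client, query name, query type) and the log lines are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (timestamp, client, qname, qtype); not a real capture.
SAMPLE_LOG = """\
10:00:01 10.1.1.5 www.example.com A
10:00:02 10.1.1.5 mail.example.com MX
10:00:03 10.1.1.9 3a7f9c1e2b4d6e8f0a1b2c3d4e5f6a7b.tunnel.example.net TXT
10:00:03 10.1.1.9 8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f.tunnel.example.net TXT
10:00:04 10.1.1.9 a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.net TXT
10:00:04 10.1.1.9 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net TXT
10:00:05 10.1.1.5 cdn.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded/random-looking labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname: str) -> str:
    """Naive 'last two labels' grouping; a production check should use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def find_suspicious(log_text, max_label_len=30, min_entropy=3.5, min_unique=3):
    """Return {zone: number of distinct long, high-entropy leading labels} for zones
    that exceed min_unique such labels. Thresholds are illustrative starting points."""
    per_zone = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines rather than crash on them
            continue
        qname = parts[2]
        first = qname.split(".")[0]  # the label an exfil tool would stuff data into
        if len(first) > max_label_len and shannon_entropy(first) >= min_entropy:
            per_zone[registrable_domain(qname)].add(first)
    return {zone: len(labels) for zone, labels in per_zone.items() if len(labels) >= min_unique}

if __name__ == "__main__":
    for zone, count in find_suspicious(SAMPLE_LOG).items():
        print(f"{zone}: {count} distinct high-entropy labels")
```

Tune the thresholds against a baseline of your own logs first; CDNs and some security products legitimately generate long encoded labels, so the count per zone and per client matters more than any single query.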

Keep Your Software Up-to-Date

The first best practice that applies not only to DNS, but to every part of cybersecurity is keeping software updated. DNS software happens to be an appealing target for cybercriminals. Whenever there is an update or corrective patch to software, companies should update their software within 24 hours. Additionally, keeping software, operating systems, and applications up to date with security patches can help minimize vulnerabilities that can be exploited by attackers. 

Separate Authoritative and Recursive DNS Servers

While recursive DNS servers are responsible for obtaining the IP address associated with a given domain name on behalf of a client or another DNS server, authoritative DNS servers are the final authority on a specific domain’s DNS information. They store the DNS records (such as the IP addresses associated with domain names) for a particular domain. The best practice is for organizations to run authoritative and recursive name servers on different machines, separating and isolating these roles according to a logical view of your network.

In addition, they should be configured so that the authoritative name servers accept DNS database updates only from other authoritative name servers (or administrators). Because authoritative name servers do not make use of cache, fraudulent or corrupted database entries in a recursive name server will not affect the authoritative name servers. If an organization only has an authoritative DNS service, the best practice is to install multiple servers (a primary and a secondary) in two different data centers to ensure availability.

Limit Access & Connections

Implementing strict access controls and user permissions helps limit who can access sensitive data. The best practice is to ensure that only authorized personnel can access and modify critical information. By monitoring and auditing user activities, especially those with access to sensitive data, it becomes much easier to detect and prevent insider threats.

As far as DNS exfiltration prevention goes, the only software running on name server computers should be the name server software and the operating system, with the name server computer dedicated to its role of supporting your network. Any other software running on a name server invites hacking attempts. It can also degrade the name server’s performance and even possibly crash the name server computer if bugs are encountered. Similarly, a name server’s only connections to the outside world should consist of the network links through which the name server gets updates and through which the name server answers DNS queries.  

Hide the Primary DNS Servers from Public View

Another best practice to prevent DNS attacks is to configure the publicly visible DNS servers as secondaries and designate the primary DNS server as a hidden primary name server. A hidden (or stealth) primary name server is one for which no NS records exist in any publicly accessible DNS database. Only the secondary name servers are known to the outside world. This architecture prevents public interrogation of your hidden primary name server (either by query or zone transfer). It also protects the integrity of the secondary name servers’ DNS databases, because only the hidden primary server can update the secondary servers. This makes it much more difficult for bad actors to target your DNS servers for DNS exfiltration.

Implement Physical Security

Insider threats are also a concern for DNS attacks. Attacks on your name servers might come from within your organization, not just from the outside world. A best practice is to set up a name server computing environment that prevents disgruntled or bribed employees from physically accessing the name server computers (not to mention, of course, other mission-critical servers). Different data centers use different methods to establish the physical security of their servers and other critical infrastructure components. Make sure there are effective measures in place to physically secure your name servers, such as security cameras and access-controlled locks. 

Wrapping Up

Preventing data exfiltration is an ongoing process that requires a combination of technical measures, employee awareness, and proactive security practices to safeguard your organization’s valuable information. It’s important to regularly review and update your security measures to adapt to evolving threats and vulnerabilities. For more best practices on DNS security, visit our partner, EfficientIP. To schedule a free DNS exfiltration test, contact us.
