Common misconfigurations in how the Domain Name System (DNS) is implemented in an enterprise environment can put air-gapped networks, and the high-value assets they are designed to protect, at risk from external attackers, researchers have found.
Organizations using air-gapped networks that connect to DNS servers can inadvertently expose those assets to threat actors, resulting in high-impact data breaches, researchers from security firm Pentera revealed in a blog post published Dec. 8.
Attackers can use DNS as a command-and-control (C2) channel to communicate with these networks via DNS servers connected to the Internet, and thus breach them even when an organization believes the network is successfully isolated, the researchers said.
Air-gapped networks are segregated, without access to the Internet, from the general user network in a business or enterprise IT environment. They are designed this way to protect an organization’s “crown jewels,” the researchers wrote, with access gained via VPN, SSL VPN, or from the users’ network through a jump box.
However, these networks still require DNS services, which assign names to systems for network discoverability. This represents a vulnerability if DNS is not configured carefully by network administrators.
“Our analysis showcases how DNS misconfigurations can inadvertently affect the integrity of air-gapped networks,” Uriel Gabay, cyberattack researcher at Pentera, tells Dark Reading.
What this means for the enterprise is that by abusing DNS, hackers have a continuous communication line into an air-gapped network, allowing them to exfiltrate sensitive data while their activity appears completely legitimate to an organization’s security controls, Gabay says.
DNS as a Highly Misconfigurable Protocol
The most common mistake companies make when setting up an air-gapped network is to assume they are creating an effective air gap when they chain it to their local DNS servers, Gabay says. In many cases, those servers may be connected to public DNS servers, which means “they have unintentionally broken their own air gap.”
It is important to understand how DNS works in order to understand how attackers can navigate its complexities to break into an air gap, the researchers explained in their post.
Sending information over DNS can be done by requesting a record type that the protocol handles, such as TXT (a text record) or NS (a name server record), and putting the information into the leading part of the record’s name, the researchers explained. Receiving information over DNS can be done by requesting a TXT record and getting a text response back for that record.
While the DNS protocol can run over TCP, it is mostly based on UDP, which has no built-in security mechanism, one of two key factors that come into play for an attacker looking to take advantage of DNS, the researchers said. There is also no control over the flow or sequence of data transmission in UDP.
Because of this lack of error detection in UDP, attackers can compress a payload prior to sending it and immediately decompress it after it arrives, which can also be done with any other type of encoding, such as base64, the researchers explained.
Using DNS to Break an Air Gap
That said, there are challenges for threat actors looking to communicate successfully over DNS to break an air gap. DNS has restrictions on the kinds of characters it accepts, so not all characters can be sent; those that cannot are known as “bad characters,” the researchers said. There is also a limit on the length of what can be sent.
To overcome the lack of control over data flow in DNS, threat actors can notify the server which packet should be buffered, as well as what is expected as the last packet, the researchers said. A packet also should not be sent until an attacker knows that the previous one successfully arrived, they said.
To avoid bad characters, attackers apply base64 to data right before sending it, while they can slice data into pieces to be sent one after another to avoid the DNS character-length limit, they said.
To get around a defender blocking a DNS request by blocking access to the server it is being sent from, an attacker can generate domains based on variables that both sides know and expect, the researchers explained.
“While the executable is not necessarily difficult, an attacker or group would need the infrastructure to continue to buy root domains,” they noted.
Attackers can also configure malware to generate a domain in DNS based on a date, which allows them to constantly send new requests over DNS using a new, known root domain, the researchers said. Defending against this kind of configuration “will prove challenging to organizations using static methods and even with basic anomaly detection to detect and prevent,” they said.
Mitigating DNS Attacks on Air-Gapped Networks
With DNS attacks occurring more frequently than ever, with 88% of organizations reporting some type of DNS attack in 2022, according to the latest IDC Global DNS Threat Report, it is important for organizations to know how to mitigate and defend against DNS abuse, the researchers said.
One approach is to create a dedicated DNS server for the air-gapped network, Gabay tells Dark Reading. However, organizations must take care to ensure that this server is not chained to any other DNS servers that may exist in the organization, as this “will ultimately chain it to DNS servers on the Internet,” he says.
Companies should also build anomaly-based detection in the network using an IDS/IPS tool to monitor for and identify unusual DNS activity, Gabay says. Given that every enterprise environment is unique, this kind of solution also will be unique to an organization, he says.
However, there are some common examples of the abnormal types of DNS behavior that should be monitored, including DNS requests to malicious domains, large numbers of DNS requests in a very short time frame, and DNS requests made at unusual hours. Gabay adds that organizations also should implement a Snort rule to monitor the length of requested DNS records.
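As an added example (not code from Pentera’s post or from the article), the Python sketch below applies the monitoring points just listed, blocklisted domains, request bursts, off-hours queries, and oversized or encoded-looking record names, to a constructed DNS query log. The thresholds, the log format, the working-hours range and the `c2-stage.invalid` blocklist entry are all assumptions chosen for the example.

```python
import math
from collections import Counter, defaultdict, deque
from datetime import datetime

# Tunable thresholds; these are assumptions for this example, not values from the article.
MAX_LABEL_LEN = 40        # hostnames are rarely this long, encoded data chunks usually are
MIN_ENTROPY = 3.5         # bits per character; base64-like labels score well above this
BURST_WINDOW_S = 60       # sliding window for the per-source query-rate rule
BURST_LIMIT = 5           # more than this many queries per window from one host is a burst
WORK_HOURS = range(7, 19) # 07:00-18:59 treated as normal hours for this network
KNOWN_BAD = {"c2-stage.invalid"}  # constructed blocklist standing in for a threat-intel feed

def shannon_entropy(s):
    """Bits per character of the non-empty string s."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def analyze(log_text):
    """Return {line_no: [rules tripped]}; lines are 'ISO-timestamp source-ip queried-name'."""
    findings = defaultdict(list)
    recent = defaultdict(deque)  # source IP -> query timestamps inside the burst window
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        ts_str, src, qname = line.split()
        ts = datetime.fromisoformat(ts_str)
        labels = qname.rstrip(".").split(".")
        if ".".join(labels[-2:]) in KNOWN_BAD:        # crude registrable-domain match
            findings[n].append("blocklisted domain")
        if max(map(len, labels)) > MAX_LABEL_LEN:      # payload chunk stuffed into a label
            findings[n].append("oversized label")
        if len(labels[0]) >= 16 and shannon_entropy(labels[0]) > MIN_ENTROPY:
            findings[n].append("high-entropy label")  # looks encoded rather than named
        if ts.hour not in WORK_HOURS:
            findings[n].append("outside working hours")
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()
        if len(window) > BURST_LIMIT:
            findings[n].append("query burst")
    return dict(findings)

# Constructed sample log: benign lookups, an encoded-looking night query to a blocklisted domain, then a burst.
SAMPLE_LOG = (
    "2023-12-08T09:00:00 10.20.0.5 updates.example.com\n"
    "2023-12-08T09:00:05 10.20.0.5 mail.example.com\n"
    "2023-12-08T02:10:00 10.20.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3QgY2h1bms.s0.c2-stage.invalid\n"
    + "".join(f"2023-12-08T09:30:{i:02d} 10.20.0.7 node{i}.example.com\n" for i in range(6))
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))  # expected: lines 3 and 9 flagged
```

The entropy and label-length rules are the scriptable counterpart of the record-length Snort rule Gabay recommends; the burst and hours rules need the per-network baselines he notes will differ between organizations.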