Strengthen the security of your organization’s Domain Name System (DNS) to protect against data loss and insider threats

The importance of the Domain Name System (DNS) to your organization’s cybersecurity cannot be overstated. Communication between computers on the Internet depends on DNS to reach its intended destination. Network communications begin with a DNS query that resolves the human-readable domain name to the numeric Internet Protocol (IP) address computers need to route the transmission. A malicious party capable of exploiting a weakness in the DNS can redirect sensitive traffic, including Protected Health Information (PHI), Personally Identifiable Information (PII), and other valuable information, from the intended recipient to the malicious actor. Indeed, as the recent attacks against the DNS indicate, even encrypting the communication may not be an effective countermeasure because the transmission can be decrypted after interception. Malicious employees and other insiders can also abuse DNS as a secondary channel to secretly exfiltrate the organization’s most sensitive proprietary information, bypassing data loss prevention (DLP) countermeasures that operate at other layers of the communication process. Recent attacks reported by the Department of Homeland Security reinforce the need to protect DNS functionality as a fundamental component of your organization’s overall cybersecurity and compliance strategy.

Although there is no specific mention of DNS in HIPAA, the Gramm-Leach-Bliley Act, GDPR, or the cybersecurity laws or regulations of any state, including California, Massachusetts, or New York, an organization cannot comply with regulatory frameworks requiring reasonable network security safeguards while disregarding threats to DNS. Legal requirements generally do not prescribe the particular combination of cybersecurity controls required to protect DNS. Rather, they require organizations to implement formalized processes to anticipate and assess the risks associated with cyber threats, and then adopt reasonable safeguards.[i] Organizations can refer to NIST publications and other technical guidance for a catalog of controls to choose from based on risk assessment.[ii] In line with regulatory imperatives requiring vigilance and appropriate countermeasures to protect data as threats evolve, organizations must review their defenses in light of recent threats to the DNS.

Attackers seek to disrupt the normal functioning of the DNS servers and applications responsible for resolving domain names so that network communications between computers are routed properly. DNS looks up the IP address of the destination computer from its domain name and returns that address to the computer requesting the connection. For example, when a user types “www.anycompany.com” into their web browser or sends an email (for example, “[email protected]”), DNS resolves the domain name (“www.anycompany.com”) to a numeric IP address, such as 172.30.xxx.xxx. DNS informs the requesting computer of the IP address corresponding to the domain name, and the requesting computer directs traffic accordingly.

DNS is under constant attack because of its open and distributed nature. Organizations under persistent threat, especially healthcare, financial services and technology companies, should be concerned. DHS recently issued its first emergency alert to all of its agencies regarding attacks aimed at hijacking DNS resolutions and redirecting government traffic.[iii] Typically, the attacks began with the compromise of credentials through a phishing attack. DHS reported: “By using compromised credentials, an attacker can alter the location to which an organization’s domain name resources resolve. This allows the attacker to redirect user traffic to an infrastructure controlled by the attacker and obtain valid encryption certificates for an organization’s domain names, allowing man-in-the-middle attacks.” Additionally, “because the attacker can set DNS record values, he can also obtain valid encryption certificates for an organization’s domain names. This allows redirected traffic to be decrypted, exposing all data submitted by the user. Because the certificate is valid for the domain, end users do not receive any error warnings.” DHS emphasizes the criticality of the threat: “It is roughly equivalent to someone lying to the post office about your address, checking your mail, then hand-delivering it to your mailbox.” As DHS also noted, security researchers have identified a wave of other DNS hijackings that have affected dozens of government, telecommunications, and Internet infrastructure entities.[iv]

The risks associated with the exploitation of the DNS do not come exclusively from external hackers. Using DNS to exfiltrate information is also a technique well known to malicious insiders, because DNS must allow query resolution in order to perform its function. Malicious employees and other insiders will attempt to exploit this feature for illegal purposes, including the theft of trade secrets and protected data, and to conceal their activities. Hacking and tunneling attacks to compromise DNS are not new, but recent attacks highlight just how damaging they can be.[v] Additionally, recent case law suggests that employers can lose legal protection of their trade secrets if they do not make reasonable efforts to maintain their secrecy and protect them from insider threats.[vi]
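One way to look for the exfiltration channel described above in DNS query logs, as an added example that is not part of the original article. The log tuples, the thresholds and the zone `example.net` are constructed assumptions; the heuristic flags clients that send many distinct long, high-entropy subdomains to a single zone.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample (client IP, queried name) pairs; not real traffic.
# The 10.0.0.9 entries imitate encoded data carried in subdomain labels.
SAMPLE_LOG = [
    ("10.0.0.5", "www.anycompany.com"),
    ("10.0.0.5", "mail.anycompany.com"),
    ("10.0.0.7", "intranet.hr.anycompany.com"),
] + [
    ("10.0.0.9", hashlib.sha256(str(i).encode()).hexdigest()[:40] + ".t.example.net")
    for i in range(6)
]

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname):
    """Return (subdomain, zone). Assumption: the zone is the last two labels;
    production code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunnel_suspects(log, min_len=30, min_entropy=3.0, min_unique=5):
    """Map (client, zone) -> count of distinct long, high-entropy subdomains."""
    seen = defaultdict(set)
    for client, qname in log:
        sub, zone = split_name(qname)
        payload = sub.replace(".", "")
        if len(payload) >= min_len and shannon_entropy(payload) >= min_entropy:
            seen[(client, zone)].add(sub)
    return {key: len(subs) for key, subs in seen.items() if len(subs) >= min_unique}

if __name__ == "__main__":
    for (client, zone), n in find_tunnel_suspects(SAMPLE_LOG).items():
        print(f"{client} sent {n} distinct encoded-looking names under {zone}")
```

The thresholds are starting points to tune against your own baseline traffic; content delivery and anti-malware lookups can also produce long random-looking labels.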

Because cybersecurity needs to be a team effort, here are some steps IT, HR, and the legal department should consider to protect their organization’s DNS from hacking and tunneling attacks.

- Make sure the DNS servers are up to date on all patches and are running the latest version of name server software.
- Implement complex passwords and multi-factor authentication for DNS administrator credentials to prevent unauthorized changes.
- Implement a formalized system to monitor / proxy DNS traffic to ensure that DNS is used as intended.
- Implement a formalized system to audit DNS logs to verify that queries are resolved to the intended location.
- Monitor the encryption certificates for your organization’s domain.
- Consider implementing DNSSEC (which builds confidence in the DNS query and resolution process) if technically possible.[vii]
- Train your employees in phishing, social engineering, and protecting their credentials.
- Ask basic questions: for example, what processes are in place to prevent or discover an employee who exploits the DNS to exfiltrate sensitive information? What processes are in place to protect administrator credentials?
- Implement written policies and procedures regarding DNS protection, including configuration management, patches, passwords, monitoring, and auditing.

Ultimately, the right mix of DNS safeguards depends on the risks to your particular organization after performing a risk assessment.
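A sketch of the log-audit step above, as an added example that is not part of the original article: it compares observed DNS answers with an approved baseline so that an altered record of the kind DHS describes stands out. The log format, the baseline and every address and host name below are constructed assumptions.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "name rtype observed expected")

# Approved records (constructed values; addresses from documentation ranges).
BASELINE = {
    ("www.anycompany.com", "A"): {"192.0.2.10"},
    ("anycompany.com", "NS"): {"ns1.anycompany.com", "ns2.anycompany.com"},
}

# Constructed resolver log lines: "<timestamp> <name> <type> <answer>"
SAMPLE_LOG = """\
2020-01-10T09:00:01Z www.anycompany.com. A 192.0.2.10
2020-01-10T09:00:02Z anycompany.com. NS ns1.anycompany.com.
2020-01-10T09:05:44Z WWW.AnyCompany.com. A 203.0.113.66
2020-01-10T09:05:45Z anycompany.com. NS ns1.unexpected.example.
2020-01-10T09:06:00Z vpn.anycompany.com. A 192.0.2.20
"""

def norm(value):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return value.rstrip(".").lower()

def audit(log_text, baseline):
    """Return a Finding for every answer that deviates from the baseline.
    expected=None marks a record that has no approved baseline entry yet."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _, name, rtype, answer = parts
        key = (norm(name), rtype.upper())
        observed = norm(answer)
        expected = baseline.get(key)
        if expected is None:
            findings.append(Finding(key[0], key[1], observed, None))
        elif observed not in expected:
            findings.append(Finding(key[0], key[1], observed, tuple(sorted(expected))))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, BASELINE):
        status = "not in baseline" if f.expected is None else f"expected {f.expected}"
        print(f"{f.name} {f.rtype} -> {f.observed} ({status})")
```

Unexpected NS answers deserve the fastest response, since a changed delegation moves every record in the zone at once.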

___

This document has been provided for informational purposes only and is not intended and should not be construed as constituting legal advice. Please consult with your attorneys regarding any factual situation under federal law and applicable state or local laws that may impose additional obligations on you and your business. © 2020 Epstein Becker & Green, PC
