Last month, on January 22nd, the US Department of Homeland Security took the unusual step of issuing Emergency Directive 19-01 to all federal agencies. The directive specified steps those agencies had to take to mitigate potential DNS infrastructure tampering.
The directive was issued in direct response to a series of real incidents in which attackers compromised DNS infrastructure and used it to redirect traffic intended for a legitimate service to an external device under their control. This then escalated to the attackers obtaining valid encryption certificates under the compromised organization's domain name, giving them the ability to expose data that users submitted to agency systems.
While private and other non-federal public agencies didn’t fall under this directive, all organizations can certainly adopt many of these same practices to help improve the security of their DNS environments.
The DHS-required actions (paraphrased here), which federal agencies were given 10 days to complete and which for the rest of us are simply recommended, are:
1 – Audit all public DNS records on all authoritative and secondary DNS servers to verify they resolve to the intended location.
This is simply a recommendation to verify that what you think you are pointing at is really what you are pointing at, and that it has not been tampered with. It is probably a good idea to make this a regularly scheduled, periodic DNS health-check item for your team.
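One way to turn that health check into something repeatable, as an added example that is not part of the original post: keep a baseline of the records you expect, collect what each authoritative and secondary server actually answers, and diff the two per server. The baseline, the server names and the answers below are constructed for the example (example.org, ns1/ns2 and the 203.0.113.x/198.51.100.x addresses describe no real infrastructure), and the live-lookup helper uses only the system resolver; querying each authoritative server directly would need a DNS library such as dnspython.

```python
"""Audit of public DNS records against an expected baseline (added example).

The baseline and the per-server answers below are constructed for this example;
they describe no real infrastructure.
"""
import socket
from dataclasses import dataclass

# Expected records: owner name -> set of (record type, value). Constructed.
EXPECTED = {
    "example.org.": {
        ("NS", "ns1.example.org."),
        ("NS", "ns2.example.org."),
        ("MX", "10 mail.example.org."),
    },
    "www.example.org.": {("A", "203.0.113.10")},
    "mail.example.org.": {("A", "203.0.113.25")},
}

# What each authoritative/secondary server answered when queried. Constructed:
# ns1 matches the baseline; on ns2 the www record has changed and a new name exists.
SAMPLE_ANSWERS = {
    "ns1.example.org.": {
        "example.org.": {("NS", "ns1.example.org."), ("NS", "ns2.example.org."), ("MX", "10 mail.example.org.")},
        "www.example.org.": {("A", "203.0.113.10")},
        "mail.example.org.": {("A", "203.0.113.25")},
    },
    "ns2.example.org.": {
        "example.org.": {("NS", "ns1.example.org."), ("NS", "ns2.example.org."), ("MX", "10 mail.example.org.")},
        "www.example.org.": {("A", "198.51.100.7")},
        "mail.example.org.": {("A", "203.0.113.25")},
        "vpn.example.org.": {("A", "198.51.100.99")},
    },
}

@dataclass(frozen=True)
class Finding:
    server: str
    name: str
    rtype: str
    problem: str  # "missing", "unexpected" or "extra-name"
    value: str

def audit_server(server, expected, observed):
    """Compare one server's answers with the baseline.

    A record that should exist but was not answered is "missing"; an answer for a
    known name that is not in the baseline is "unexpected" (the classic hijack
    signature: the A record now points somewhere else); a name the baseline does
    not know at all is "extra-name".
    """
    findings = []
    for name, want in expected.items():
        got = observed.get(name, set())
        for rtype, value in sorted(want - got):
            findings.append(Finding(server, name, rtype, "missing", value))
        for rtype, value in sorted(got - want):
            findings.append(Finding(server, name, rtype, "unexpected", value))
    for name in sorted(set(observed) - set(expected)):
        for rtype, value in sorted(observed[name]):
            findings.append(Finding(server, name, rtype, "extra-name", value))
    return findings

def audit_all(expected, answers_by_server):
    """Audit every server separately, so a secondary that has drifted from the
    primary is reported on its own."""
    return {srv: audit_server(srv, expected, obs) for srv, obs in answers_by_server.items()}

def observed_a_records(names):
    """Gather live A records through the system resolver, in the shape audit_all
    expects. This shows only what resolvers see, not each authoritative server's
    answer; querying servers directly needs a DNS library such as dnspython."""
    observed = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name.rstrip("."), None, socket.AF_INET)
        except socket.gaierror:
            infos = []
        observed[name] = {("A", info[4][0]) for info in infos}
    return observed

if __name__ == "__main__":
    for server, findings in audit_all(EXPECTED, SAMPLE_ANSWERS).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{server}: {status}")
        for f in findings:
            print(f"  {f.problem:<11} {f.name} {f.rtype} {f.value}")
```

Running the sample reports ns1 as clean and three findings on ns2: the expected www address missing, an unexpected www address, and an extra name. Auditing each server separately matters because a tampered secondary answers for the zone just as authoritatively as the primary.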
2 – Update the passwords for all accounts on systems that can make changes to your organization's DNS records.
This came with an obvious recommendation to use strong passwords and password managers. The accounts involved here are not only those on the servers themselves but also those used to maintain your master domain registration records.
3 – Implement multi-factor authentication (MFA) for all accounts on systems that can make changes to your organization’s DNS records.
This one is a bit trickier to handle, depending on the DNS server platform. One other way of handling it is to restrict remote login access to the DNS server platform and then apply other controls to access to the console of that system.
Adding MFA to domain registration accounts and/or cloud DNS providers can be a fairly simple thing to do depending on your provider.
4 – Monitor all actively issued encryption certificates for the existence of unauthorized certificate issuance.
This item referred to a fairly extensive internal DHS process that tracks certificate issuance for federal agencies.
For the rest of us, certificates are generally issued through the same account and provider that handles our domain registration. This highlights the importance of recommendations 2 and 3 above for that account, if at all possible. It also means that an ideal practice would be periodic monitoring of that account and the certificates issued under it.
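What that periodic monitoring can look like in practice, as an added example that is not part of the original post or of any DHS process: take the list of certificates issued for your domains (from your provider's account or a Certificate Transparency search), and flag any that came from a CA you do not use, cover a name nobody requested, or are wildcards when policy forbids them. The record shape (name_value with one name per line, issuer_name, not_before, serial_number), the approved issuer, the requested-name inventory and the sample records are all constructed for this example.

```python
"""Review of issued certificates for an organisation's domains (added example).

Records are constructed here in the shape a Certificate Transparency search tool
commonly returns (name_value with one name per line, issuer_name, not_before,
serial_number); the issuers, names and serials describe nothing real.
"""

ORG_DOMAINS = ("example.org",)                                           # constructed
APPROVED_ISSUERS = {"C=US, O=Example Trust CA, CN=Example Trust CA R1"}  # constructed
# Names the team actually requested certificates for: the inventory to compare against.
REQUESTED_NAMES = {"www.example.org", "mail.example.org"}

SAMPLE_RECORDS = [  # constructed
    {"serial_number": "01", "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust CA R1",
     "name_value": "www.example.org", "not_before": "2019-01-10"},
    {"serial_number": "02", "issuer_name": "C=XX, O=Other CA, CN=Other CA G2",
     "name_value": "mail.example.org", "not_before": "2019-01-15"},
    {"serial_number": "03", "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust CA R1",
     "name_value": "*.example.org", "not_before": "2019-01-20"},
    {"serial_number": "04", "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust CA R1",
     "name_value": "unrelated.test", "not_before": "2019-01-21"},
    {"serial_number": "05", "issuer_name": "C=US, O=Example Trust CA, CN=Example Trust CA R1",
     "name_value": "login.example.org\nwww.example.org", "not_before": "2019-01-22"},
]

def in_org_domain(name):
    """True if name (possibly a wildcard) is the org domain or a subdomain of it."""
    bare = name.lower().lstrip("*.")
    return any(bare == d or bare.endswith("." + d) for d in ORG_DOMAINS)

def review_certificate(rec, approved_issuers=APPROVED_ISSUERS,
                       requested=REQUESTED_NAMES, allow_wildcards=False):
    """Return the list of problems for one certificate record (empty if clean)."""
    names = [n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()]
    org_names = [n for n in names if in_org_domain(n)]
    if not org_names:
        return []  # certificate does not cover our domains; out of scope
    problems = []
    if rec["issuer_name"] not in approved_issuers:
        problems.append("unapproved-issuer")
    for n in org_names:
        if n.startswith("*."):
            if not allow_wildcards:
                problems.append("wildcard:" + n)
        elif n not in requested:
            problems.append("unrequested-name:" + n)
    return problems

def review_all(records, **policy):
    """Map serial number -> problems for every record that has at least one."""
    flagged = {}
    for rec in records:
        problems = review_certificate(rec, **policy)
        if problems:
            flagged[rec["serial_number"]] = problems
    return flagged

if __name__ == "__main__":
    for serial, problems in review_all(SAMPLE_RECORDS).items():
        print(f"serial {serial}: {', '.join(problems)}")
```

On the sample, serial 02 is flagged for its issuer, 03 for being a wildcard, and 05 for covering login.example.org, which nobody requested; 01 is clean and 04 is ignored because it is not under the organisation's domain. The requested-name inventory is the piece that needs maintaining: it is what lets the review tell a routine renewal from a certificate nobody on the team asked for.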
This directive is just one of a long list of reminders that monitoring all parts of our networks that touch the Internet is no longer optional. As network defenders we must always maintain our vigilance, as attackers will use any and all footholds open to them to attempt to gain access to our networks.
You can read more about the directive and its FAQs here:
If you need assistance or would like to discuss implementing any of the controls recommended in this post please reach out to our office.