IT pros must not overlook DNS threats created by IoT security risks when they introduce IoT devices into their organization.
IoT achieves value primarily through connectivity, including data gathering and actions linked to analysis and decision-making. IoT device connections rely heavily on the DNS, a 1980s-vintage decentralized naming system. However, DNS may not be ready for the scale, traffic and security expectations of today’s connected devices.
Some high-profile attacks have taken advantage of DNS, such as a sophisticated cyberespionage campaign known as DNSpionage that Cisco Talos security researchers discovered in 2018. The U.S. Department of Homeland Security put out a notification to government agencies in early 2019 advising them to ensure DNS security across their domains. That kind of action has raised awareness of DNS threats, said Enterprise Strategy Group analyst John Grady.
IT pros must consider the different types of attacks that use DNS, including availability attacks such as distributed denial of service (DDoS), malicious redirects that introduce malware, and exfiltration of data via DNS tunneling. All those concerns have driven new attention to DNS.
“Basically, if you don’t secure DNS, you’re open to a number of different threat vectors,” Grady said.
DNS flag day and DNSSEC aim to remedy DNS threats
DNS vendors and operators have begun one initiative to address these concerns, DNS Flag Day, which focuses on implementing Extension Mechanisms for DNS (EDNS) to enhance security. DNS Flag Day 2020 will focus on DNS over TCP, especially IP packet fragmentation. Additionally, IT pros have shown increased interest in encrypted DNS and in adopting DNSSEC, Grady said.
DNSSEC uses digital signatures based on public key infrastructure to ensure DNS data is accurate and unmodified and has originated from the domain owners. Encrypted DNS compares with traditional DNS in a similar way to how HTTPS compares to HTTP.
“As [DNSSEC] relates to IoT devices, for one example, it would help ensure that when a connected device reaches to the web for a software update, it’s being sent to the correct location and not being maliciously redirected,” Grady said.
Likewise, DNSSEC could ensure that IoT devices are not compromised for use in a botnet, which is a well-established attack pattern.
What can organizations do to mitigate DNS threats?
The Internet Corporation for Assigned Names and Numbers (ICANN) published a report in 2019 addressing IoT and DNS threats and recommended that vendors try to address the risks. Users must also have good protection on their devices, because experience has shown that malicious actors can load malware onto them and launch further attacks, said Merritt Maxim, an analyst at Forrester Research. DNS is not necessarily the weakest point; most often the devices themselves are the problem, he said.
Manali De Bhaumik, assistant manager of IoT at analyst firm Information Services Group, agreed and said that businesses must recognize that IoT is rapidly becoming a significant threat conduit to DNS through ever-larger botnets. That implies that organizations must upgrade their industrial IoT (IIoT) protocol standards, such as Message Queue Telemetry Transport (MQTT) and Open Platform Communications Unified Architecture (OPC UA).
“This enables a smooth convergence of IT and [operational technology] interoperability, and security standards need to be raised with upgraded DNS services capable of handling DDoS traffic,” De Bhaumik said. Having multiple DNS services can also ensure continuity of key services, and an additional DNS security layer for customer-premises equipment could detect various cyberattack patterns, she said.
Organizations must ensure the compatibility of their entire network with protocol upgrades. “[Upgrades] have IoT use cases, but for the most part, I don’t think deployment will be use-case specific, but rather all or nothing,” De Bhaumik said.
Another danger with IoT is that continuous software updates have an adverse side effect: they place additional load on the DNS.
“Even with proper security you could have a device that allows software updates and patches remotely, and if that isn’t written efficiently, similar devices could all be pinging at the same [time],” Maxim said. “When you’re talking millions or tens of millions of devices, that could create a DDoS effect because DNS can’t take the load.”
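To make Maxim's point concrete, the following Python model (added here as an illustration, not code from the article or any of the firms quoted) compares a fleet of devices whose firmware checks for updates at the same instant with one that spreads the checks over a window, with and without shared resolver caching. The device counts, window sizes, TTL and the grouping of devices behind resolvers are all assumed values chosen for illustration.

```python
# Added example, not from the article: a small model of the DNS load problem
# that arises when many IoT devices check for updates at the same moment.
# All device counts, windows, TTLs and resolver groupings are assumptions.
import random
from collections import Counter


def schedule_checks(device_count, base_time, jitter_window, seed=1):
    """Second at which each device runs its update check.

    jitter_window == 0 models naive firmware that fires at exactly base_time;
    a positive window spreads the checks uniformly over that many seconds.
    """
    rng = random.Random(seed)
    return [base_time + (rng.randrange(jitter_window) if jitter_window else 0)
            for _ in range(device_count)]


def authoritative_queries(check_times, devices_per_resolver, ttl):
    """Count queries that reach the authoritative DNS server, per second.

    Devices are grouped behind shared recursive resolvers; a resolver forwards
    the first lookup upstream and answers from cache until the TTL expires.
    devices_per_resolver == 1 models devices that each resolve on their own.
    """
    by_resolver = {}
    for idx, t in enumerate(check_times):
        by_resolver.setdefault(idx // devices_per_resolver, []).append(t)
    load = Counter()
    for times in by_resolver.values():
        expires = None  # second at which the cached answer becomes stale
        for t in sorted(times):
            if expires is None or t >= expires:
                load[t] += 1
                expires = t + ttl
    return load


def peak_qps(load):
    """Highest number of upstream queries observed in any single second."""
    return max(load.values()) if load else 0


if __name__ == "__main__":
    devices = 200_000
    burst = authoritative_queries(schedule_checks(devices, 0, 0), 1, 300)
    spread = authoritative_queries(schedule_checks(devices, 0, 3600), 1, 300)
    cached = authoritative_queries(schedule_checks(devices, 0, 3600), 500, 300)
    print("synchronised, no shared cache:", peak_qps(burst), "qps")
    print("jittered over 1 h, no cache:  ", peak_qps(spread), "qps")
    print("jittered + resolver caching:  ", peak_qps(cached), "qps")
```

The same model can be used to size a maintenance window or TTL for a real fleet by substituting the organization's own device counts.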
Because IoT devices are IP-enabled, DNS not only continues to play a crucial role in traditional IoT applications but could also present a significant threat, De Bhaumik said.
“Enterprises need to evaluate their existing on-premises DNS infrastructure efficiency,” she said.
“I think we’ll have chunks of the industry that will not address this and remain vulnerable relative to their IIoT deployments,” Grady said. On the other hand, the proposed changes to DNS that are designed to enhance security will take a long time to implement. “It will be a while before fundamental changes to the DNS infrastructure would render an IoT device useless,” he said.
Forrester analyst Greg Siegfried agreed.
“DNS has remained relatively compatible, and the idea that any changes like this would not eliminate the more traditional way of resolving names is unlikely. We are talking about a period of maybe 10 to 20 years; it won’t be switched overnight,” he said.