Should companies use white hat hackers to break their DNS? This is an interesting question worthy of attention and exploration. My immediate answer is yes, absolutely, and I am certain you will agree. To fully understand the rationale behind this stance and why DNS should be given such attention and scrutiny, we must first have at least a basic understanding of DNS and its importance to your infrastructure as well as define what a “white hat” hacker is.
“White hat” hackers are ethical hackers or IT security professionals who specialize in penetration testing and related assessments to uncover weaknesses in an organization’s IT infrastructure. They must think like a “black hat,” or malicious, hacker, but they work with authorization and in the organization’s interest rather than to exploit it. White hat hackers typically hold industry certifications such as Certified Ethical Hacker (CEH) or one of the Global Information Assurance Certification (GIAC) credentials.
DNS: An Overview
For most companies and users, DNS can be broken down into three basic categories: Internal Authoritative DNS, External Authoritative DNS, and Recursive DNS. As a whole, DNS (the Domain Name System) is a distributed system that maps domain names to IP addresses (and other record types) so that users and applications can rely on a structured naming convention to remember and connect to distributed services rather than the individual IP addresses of those services. It is much like remembering the name of a friend or associate in your contacts list rather than their actual phone number.
Internal Authoritative DNS is responsible for answering queries for your internal zones from your internal users, applications, servers, and network infrastructure as they connect with and interact with your networks and services. For Active Directory, for example, an end-user system must perform DNS lookups (SRV records) to locate Domain Controllers and their services. Tiered applications perform DNS lookups to locate web servers, database servers, storage, and so forth. Internal Authoritative DNS provides all of these answers as quickly as possible, often handling thousands of queries per second, so there are no noticeable delays in common functions such as email retrieval and the loading of web pages in a browser. Internal Authoritative DNS should therefore contain the name to IP mappings for all of the company’s infrastructure, which is exactly why it is so valuable to an attacker.
External Authoritative DNS provides the same type of lookup service for the DNS domains and records that are publicly visible on the Internet. For a customer to reach a company’s public-facing website or send an email to that company, the company’s external authoritative DNS servers must be queried (directly or via the customer’s recursive resolver). The responses provide the IP addresses and mail exchanger names that the customer’s workstation or mobile device uses to establish the connection.
Recursive DNS is responsible for processing queries, on behalf of clients or other DNS servers, for domains and records for which it is not authoritative. For example, when you ask your Internal DNS server for a record it is not authoritative for (such as www.google.com), it can be configured either to recurse itself, starting at the Internet root servers and following referrals down through the TLD and authoritative servers, or to forward the query to a third-party Recursive DNS service that provides the answer for you.
Why DNS is at The Core of Your Network Security
So why is DNS important? If your Internal DNS is performing poorly or is unavailable, all your applications will perform poorly or will effectively be down. If your Internal DNS is compromised, the adversaries gain an excellent map of what is on your network and where to reach it. An attacker who can control and update DNS records can also redirect your internal traffic to their own malicious destinations.

If your External DNS is performing poorly or is unavailable, customers may not be able to reach your website or send email to your organization, and if the web experience is poor, they may take their business elsewhere. External DNS represents your brand and availability to the Internet, and disruptions there can have a significant impact on your brand and revenue depending on the nature of your business. Compromised External DNS could stealthily lead your customers to malicious sites spoofing your own in an effort to steal customer information or intercept email.

If your Recursive DNS is performing poorly or is unavailable, your access to the Internet becomes effectively down or severely degraded, because you can no longer quickly resolve the IP addresses of external websites and resources. Compromised Recursive DNS can lead you to malicious or compromised destinations without your knowledge. Unsecured recursive DNS is also an excellent channel for malware Command & Control (C2) and data exfiltration via DNS, and a recursive resolver left open to the Internet can be abused as a reflector in amplification attacks against third parties.
How White Hat Hackers Can Help You Identify DNS Vulnerabilities
Now that we have a basic understanding of the criticality of DNS and the ramifications if these services are impacted, let’s get back to the question of “should companies use white hat hackers to break their DNS?” If you do not include DNS in penetration testing and other white hat activities, how do you know your infrastructure is secure, resilient, and not easily compromised? Numerous freely available tools exist to launch volumetric DDoS attacks against DNS infrastructure, search for available exploits, exfiltrate data, create tunnels, and abuse DNS for C2 and other malware activity. The black hats of the web are already leveraging these tools, mobile applications, and compromised IoT (Internet of Things) devices to compromise and abuse infrastructure on a global scale. You absolutely should use white hat hackers to break your DNS and identify the vulnerabilities that you can then remediate with the proper measures to ensure the uptime and integrity of your infrastructure. No one wants their organization to be part of the next news headline about stolen customer data or a business-impacting infrastructure outage caused by unchecked DNS.
Questions To Ask A White Hat Hacker Before You Hire Them
You may want to know how to pick a white hat hacker who will thoroughly test and attempt to break your DNS infrastructure. Here are five questions you can ask the prospective hacker to ensure they are up to speed and have a plan of attack:
- How will you test my DNS for data exfiltration and DNS tunneling?
- How will you test my DNS to determine whether it resolves domains associated with malware and nefarious activities, such as common C2 (Command & Control) servers?
- How will you attempt to gain control of my DNS and/or retrieve data from all of my DNS zones (for example, via unauthorized zone transfers or DNS enumeration)?
- How will you test my DNS for further known exploits and vulnerabilities?
- How will you test my DNS against volumetric attacks?
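The first question above, and the earlier point that unsecured recursive DNS is a channel for C2 and exfiltration, both come down to one question: what does tunneling look like in your resolver logs, and can you spot it? The following is an added example written for this article, not code from the original page or from any vendor. It assumes a simplified query-log format of `<epoch> <client_ip> <qname> <qtype>`, uses a constructed sample log, and applies illustrative thresholds (unique-subdomain count, mean label length, character entropy, and TXT/NULL ratio) that a real deployment would tune; the registered-domain extraction is deliberately naive and should use the Public Suffix List in production.

```python
"""Heuristic DNS tunneling / exfiltration detector over resolver query logs.

Added example for this article, not code from the original page or any
vendor. Assumes a simplified log format '<epoch> <client_ip> <qname> <qtype>',
one query per line, and illustrative thresholds that a deployment would tune.
"""
import math
from collections import defaultdict

# Constructed sample log: routine lookups from two clients plus a burst of
# long, high-entropy, never-repeating subdomains under one domain, queried as
# TXT, which is the classic shape of a DNS tunnel or staged exfiltration.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.7 login.microsoftonline.com A
1700000003 10.0.0.9 a9f3k2l0q8z7x1c4v6b5n3m2p0o9i8u7.exfil-test.net TXT
1700000004 10.0.0.9 z1x9c8v7b6n5m4l3k2j1h0g9f8d7s6a5.exfil-test.net TXT
1700000005 10.0.0.9 q2w3e4r5t6y7u8i9o0p1a2s3d4f5g6h7.exfil-test.net TXT
1700000006 10.0.0.9 m9n8b7v6c5x4z3l2k1j0h9g8f7d6s5a4.exfil-test.net TXT
1700000007 10.0.0.5 cdn.example.com A
1700000008 10.0.0.9 p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h7.exfil-test.net TXT
"""

# Illustrative thresholds (assumptions for this example, not vendor guidance).
MIN_UNIQUE_SUBDOMAINS = 4      # tunnels encode data in ever-changing labels
MIN_MEAN_PREFIX_LEN = 20       # encoded payloads make unusually long labels
MIN_MEAN_ENTROPY = 3.5         # bits/char; natural hostnames score far lower
BULK_QTYPES = {"TXT", "NULL"}  # record types that carry large downstream data
MIN_SCORE = 3                  # number of signals required to flag a domain


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registered-domain extraction: the last two labels.
    Production code should consult the Public Suffix List (co.uk, etc.)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the assumed '<epoch> <client> <qname> <qtype>' format."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the run
        ts, client, qname, qtype = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.rstrip(".").lower(),
                        "qtype": qtype.upper()})
    return records


def analyze(records: list) -> dict:
    """Aggregate per registered domain and score tunneling indicators.

    Returns {domain: {"queries", "unique_subdomains", "mean_prefix_len",
                      "mean_entropy", "bulk_ratio", "score", "flagged"}}.
    """
    agg = defaultdict(lambda: {"queries": 0, "subs": set(),
                               "prefix_len": 0, "entropy": 0.0, "bulk": 0})
    for r in records:
        dom = registered_domain(r["qname"])
        # Everything left of the registered domain is where a tunnel puts data.
        prefix = r["qname"][:-len(dom)].rstrip(".") if r["qname"] != dom else ""
        a = agg[dom]
        a["queries"] += 1
        if prefix:
            payload = prefix.replace(".", "")  # measure the labels, not the dots
            a["subs"].add(prefix)
            a["prefix_len"] += len(payload)
            a["entropy"] += shannon_entropy(payload)
        if r["qtype"] in BULK_QTYPES:
            a["bulk"] += 1

    report = {}
    for dom, a in agg.items():
        n = a["queries"]
        mean_len = a["prefix_len"] / n
        mean_ent = a["entropy"] / n
        bulk_ratio = a["bulk"] / n
        score = sum([
            len(a["subs"]) >= MIN_UNIQUE_SUBDOMAINS,
            mean_len >= MIN_MEAN_PREFIX_LEN,
            mean_ent >= MIN_MEAN_ENTROPY,
            bulk_ratio >= 0.5,
        ])
        report[dom] = {"queries": n, "unique_subdomains": len(a["subs"]),
                       "mean_prefix_len": round(mean_len, 2),
                       "mean_entropy": round(mean_ent, 3),
                       "bulk_ratio": round(bulk_ratio, 2),
                       "score": score, "flagged": score >= MIN_SCORE}
    return report


if __name__ == "__main__":
    for dom, m in analyze(parse_log(SAMPLE_LOG)).items():
        print(("FLAG " if m["flagged"] else "ok   ") + dom, m)
```

Run against the constructed log, `exfil-test.net` trips all four signals while `example.com` and `microsoftonline.com` trip none. A tester who has set up a DNS tunnel against your resolver should be able to tell you whether your logging and detection would have produced that flag; if nothing in your environment would, you have found the gap before an attacker did. Note that scoring on several independent signals, rather than on entropy alone, matters in practice because CDN and cloud hostnames are also long and random-looking but rarely combine high label churn with TXT-heavy traffic.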
Left unchecked, any of the above vulnerabilities can result in significant downtime, compromised networks, and lost or stolen data, all of which can cause financial loss and damage your organization’s reputation. Yes, you should absolutely use a white hat hacker to break your DNS before a black hat hacker gets there first.