3 Types of DNS Vulnerabilities and How to Prevent Them

Subdomain takeovers occur when a bad actor takes control of a subdomain of a target domain and is effectively able to change the records to their liking. So how does this occur? It usually happens during the deprovisioning process in which the domain owner deprovisions (removes) a cloud service, but forgets to deprovision the DNS pointer. 

For example, let’s say you have the domain urlexample.com and you want to sell merchandise. So you create a subdomain merch.urlexample.com and you register that subdomain with a hosting provider that specializes in ecommerce platforms. You set up DNS records that direct browsers that want your merch to your virtual hosting provider, but a couple of years later you decide that you don’t need the ecommerce hosting service anymore, so you remove the virtual host from the hosting provider. 

The problem is you forgot to remove the DNS entry point to the virtual hosting provider, so now an attacker can create their own virtual host with the provider, get your subdomain and host their own content under merch.urlexample.com. 

How to prevent subdomain takeovers: A few things that can be done to prevent a subdomain takeover include defining a standard process for provisioning and deprovisioning hosts, creating a detailed inventory of all the domains and hosting providers within your organization and updating it to ensure there are no dangling DNS issues. Identity management tool Okta also has a great article that outlines more steps you can take to mitigate subdomain takeovers.

Email is a relatively open and insecure system that allows people to send messages back and forth with little friction. Spoofed messages are often used by bad actors to get users to install malicious software or give up sensitive information such as passwords, credit card data or wallet seed phrases. 

Also, spammers who send fake emails using your legitimate domain could cause users to mark authentic emails from your organization as spam as well. Not only can spoofing negatively impact your organization’s long term reputation, it also directly affects the trust users have in your service and technology. 

How to prevent anti-spoofing vulnerabilities: Train people in your organization on how to verify whether emails are genuine or not, as well as make use of SPF and DMARC syntax to specify hard fails for subdomains and domains that are not validated.

Although cloud security providers can protect your organization from DDoS attacks, bad actors can still find the IP address of your origin server. There are a few main ways a hacker can obtain information on your origin services including:

1. An application being used with your organization having a direct link to your origin server and that link being discovered
2. Paper trails from certificate transparency records
3. Inadvertently disclosing the DNS records on the system

How to avoid exposing your origin servers: As with other DNS vulnerability recommendations, implementing a system with best practices is a great way to start. Other suggestions include publishing public websites behind cloudflare, avoiding exposing test instances of applications to the internet, and generally supporting your developers as much as possible to make this whole process seamless.

The DNS vulnerabilities outlined so far have the power to compromise your organization’s security and sensitive data, however there are a number of ways to spot them whilst mitigating against any potential damage. 

For more information on how to protect your organization against DNS vulnerabilities, get in touch with Halborn’s cybersecurity experts at halborn@protonmail.com.