Network Security

DNS Security For Individuals and Small Businesses

What Is DNS?

DNS, or Domain Name System, is an Internet system that is completely decentralized and provides the capability to translate a Domain Name (example: roguesecurity.ca) to an IP Address (example: 172.217.12.163). DNS is the reason that we don’t have to type in the IP address of the website that we wish to visit, and can instead type in a friendly domain name that is more representative of the website. Whether I enter the domain name in my address bar, or the IP address for google.ca, I’ll be taken to the same website.

Many medium and large businesses operate their own DNS servers on their own network, but most small businesses and individuals rely on downstream DNS servers that may be owned by their Internet Service Provider (ISP) or perhaps they are using one of the many open DNS providers such as Google Public DNS.

How Does DNS Work?

Without going into too much detail, a DNS request is fairly simple.

  1. You enter a domain name, roguesecurity.ca, into the address bar of your web browser, and hit Enter.
  2. A request is sent to your designated DNS server with the domain, asking for details on the IP address.
  3. The DNS server receives the request and looks up the domain name in its table of information.
  4. If the DNS server finds a matching domain name, it sends the IP address of the domain back to your browser, which your browser uses to actually connect to the website.
    4a. If the DNS server is unable to find a matching domain name, or isn’t able to find an IP address, it will respond with an error.

DNS Cache: Our devices keep a history of the DNS requests that we make in order to save some work when we revisit a website that we’ve previously visited. The DNS cache updates once in a while to make sure that you have the latest information, and can be emptied manually.

How Is DNS Attacked?

DNS, like most software, has vulnerabilities and exploits, and can cause issues when used inappropriately. DNS itself has existed since the 1980s, and even though it’s received numerous updates over the years, the underlying concepts really haven’t changed much. This has given people more time to understand the Domain Name System, and because it is an important aspect of how the Internet operates, it is a very commonly attacked protocol.

The most direct of DNS attacks is when a cyber criminal gains access to your DNS server directly. However, it’s quite common to see host-based attacks on your local devices that include Cache Poisoning (aka Cache Spoofing). This is one of the most common types of DNS attacks and involves an attacker injecting malicious data into your device’s DNS cache. If an attacker replaces the IP address of roguesecurity.ca in my local DNS cache with an IP address that connects to a malicious website, then every time I go to roguesecurity.ca I’ll be taken to the malicious website instead.

The Domain Name System can also be used to steal data. Let me explain. We know that we send a domain name each time that we send a request to a DNS server. DNS queries are simply strings, and strings can include data, including encoded data. DNS Tunneling is where an attacker includes data, either plain-text or encoded, in what appear to be normal-looking DNS requests. The attacker needs to get these queries, so this may also involve gaining access to an internal DNS server or modifying local DNS.
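As an added example (not from the original article), the sketch below shows how a defender could spot the pattern described above in a resolver's query log: one client sending many unique, long, high-entropy subdomain labels under a single parent domain. The log format, the sample lines and both thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log lines, "<client_ip> <queried_name>" (not real traffic).
SAMPLE_LOG = """\
192.168.2.10 www.roguesecurity.ca
192.168.2.10 mail.google.com
192.168.2.23 nbswy3dpeb3w64tmmqqho2lumvzxi4tf.t.example.net
192.168.2.23 mfrggzdfmztwq2lknnwg23tpobyxe43u.t.example.net
192.168.2.23 ovzxizlsnfxgoidjoqqgc3ramjswy3dp.t.example.net
192.168.2.23 orugs4zanfzsaylomrqxgzlsebxw4idu.t.example.net
192.168.2.11 cdn.example.org
"""

MIN_LABEL_LEN = 24   # assumed threshold: ordinary hostname labels are rarely this long
MIN_ENTROPY = 3.5    # assumed threshold, in bits per character

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than word-like names."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def suspicious_label(label):
    """A label is suspicious only if it is both long and random-looking."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY

def parent_domain(name):
    """Last two labels; a simplification that ignores suffixes such as co.uk."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def find_tunnel_candidates(log_text, min_hits=3):
    """Return (client, parent_domain, unique_suspicious_names), highest count first."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        client, name = parts
        labels = name.rstrip(".").lower().split(".")
        if any(suspicious_label(label) for label in labels[:-2]):
            seen[(client, parent_domain(name))].add(name.lower())
    hits = [(c, d, len(names)) for (c, d), names in seen.items() if len(names) >= min_hits]
    return sorted(hits, key=lambda hit: -hit[2])

if __name__ == "__main__":
    for client, domain, count in find_tunnel_candidates(SAMPLE_LOG):
        print(f"{client} sent {count} long, high-entropy names under {domain}")
```

Requiring several unique names per client and parent domain keeps a single long CDN or tracking hostname from raising an alert on its own.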

DNS servers are also perfect for generating DDoS attacks via DNS Flooding or NXDOMAIN attacks. In these instances an attacker floods a DNS server with requests, or generates a large number of invalid requests, in order to overwhelm the server with the goal of bringing it offline.

DNS Security

Use a Trusted Provider

The best protection from DNS-based attacks is to use a secure DNS provider that you trust. Google and Cloudflare are two companies that offer free DNS services to the general public, and are quite reliable.

Pi-hole

Most home users can’t afford and don’t need their own DNS server, but perhaps you have children and you like the idea of some extra security. That’s where Pi-hole comes in. Pi-hole is software that acts as a DNS sinkhole and can be used to protect devices on your network from unwanted content, block ads, and even manage network device access.

Pi-hole originated on the Raspberry Pi, but can be installed on most Linux distributions.

The Working From Home Guide to Securing Your Home Internet Connection


As more and more employees are working from home, and may continue working from home even after Covid-19 restrictions let up, your home Internet as well as your home wireless internet access is going to be used more frequently by you and everyone else in your home. That is why it is more important today than ever before for you to ensure that your home’s access to the internet is secure and functional. This guide provides you with some background, resources, and best practices on getting that done. This isn’t going to be a technically detailed post, but will almost certainly have something for both the technical user and the beginner. Let’s dive in.

Your Home Internet Network – An Overview

Simply put, your internet connection first comes into your home via a router or a modem. This is often referred to simply as the gateway: it’s the gateway between your home’s network and the rest of the Internet. A router is used to distribute the connection to devices that are connected to it. A Wireless Access Point (WAP) is a device that allows devices to connect to your home network wirelessly. You may have a router and wireless access point all-in-one. That type of device may also be known as a wireless router, or a wireless modem.

Risks of Inappropriate Security on your Home Internet

A malicious actor’s objective is simple: gain access to a victim’s home network so as to be able to connect to that network as any other user. Once the malicious actor has gained access to your home internet, there are a variety of tactics and techniques that can be used to either attack the devices on your network, or use your network/devices to commit a cyber crime. Here are some of the risks of a malicious actor having access to your home’s internet connection:

  • Your internet connection can be used to perpetrate a crime. Since your Internet Service Provider (ISP) has your name and address associated with the internet connection to your home, you could be held liable.
  • A malicious actor who has access to your home’s internal network has the ability to “sniff” or record network traffic being sent between devices. This may include passwords and banking information that you are entering into the web browser of your laptop.
  • A malicious actor may gain access to other devices on your network and steal information and files.
  • Your home devices are also at risk of being infected with ransomware or other types of malware. Ransomware is the most common risk with a malicious actor gaining access to your network. Once they’ve taken whatever data they want to take, they can infect your device(s) with ransomware and demand a ransom for safely unlocking your files.

How do Malicious Actors Gain Access to Home Networks?

  • Network devices that are still using default usernames and passwords are a common entry point.
  • Wireless networks that are set up with a weak authentication method, such as WEP, rather than a strong one are susceptible to man-in-the-middle attacks.
  • Outdated software on your home devices, and on your network devices can introduce unpatched vulnerabilities. This allows attackers with means and know-how to gain entry to your network through various avenues.
  • Stolen credentials. Password reuse is a major problem today. Passwords that have been stolen can be reused by attackers who use brute-forcing and password stuffing attacks to find insecure accounts online.
  • Man-in-the-middle attacks are easy to perform with a rogue access point. A malicious actor creates an identical wireless network to your own. When a guest or resident of your home accidentally logs in to the rogue access point instead of your own, the malicious actor records the password that was entered by the unsuspecting victim.
  • Stolen/lost mobile devices often contain a copy of the wireless connection information including password.

So, What Can I Do?

Don’t worry. You’ve taken the first step; learning more. Now, let’s discuss several points that will help you work towards a more secure home internet connection.

  1. Knowing Your Attack Surface
  2. Security For Network Devices
  3. Security For Personal Devices

1. Knowing Your Attack Surface

Knowing your attack surface means knowing the different parts of your home’s network that could be attacked by a malicious actor. Create a simple list of your home’s attack surface using the categories below. Here is an example to show you that it doesn’t need to be complicated. I’m simply recording a device name that I choose, the device location, and whether it is wired or wireless.

| Device Name | Device Location | WIRED/WIRELESS |
| --- | --- | --- |
| Bell Aliant Modem | Basement Storage Room | WIRED |
| Mom’s iPhone 11 | Roaming | WIRELESS |
| Dad’s Android Tablet | Roaming | WIRELESS |
| Sisters’ Laptop | Roaming | WIRELESS |
| Alexa | Kitchen | WIRELESS |

Here are some device categories to get you started:

  • The individual devices on your network including laptops, desktop computers, phones, and tablets.
  • Network devices, including the modem or router, that make up your home network.
  • Your Wireless Access Points (WAPs).
  • Smart devices and other Internet of Things (IOT) devices.

2. Security For Network Devices

Every Internet Service Provider (ISP) has a slightly different setup and uses different network devices. Unfortunately, it’s infeasible to provide a standard A-Z process for securing your network that is going to work for everyone. Instead, we’re going to give a list of recommendations, and details around those recommendations. At the end of the day it will be your responsibility to research and understand these recommendations to ensure that you are applying appropriate configurations for your individual situation.

Recommendations for home network security:

  • Change the default name of your wireless network, known as the SSID, and ensure that it doesn’t contain anything that would associate it with you, anyone in your family, or your home.
    • Really Bad: JacksonFamilyat9902WhistlerSt
    • Bad:  JacksonFamilyWifi
    • Better:  WhistlerStWifi
    • Best:  SomeoneIsAlwaysHome
  • Change the default login on your network devices, such as the router provided by your Internet Service Provider (ISP). This should include changing the default administrator username, if able.
  • Disable logging into your internet router from remote internet computers. It can still be accessed by you from inside of your network.
  • Use WPA2-PSK or WPA2-Personal as the authentication method and AES as the type of encryption when setting up your home’s wireless access. TKIP encryption can be used if, for some unlikely reason, AES gives you issues or isn’t available. There is no reason to use any authentication method other than WPA2-PSK.
  • Disable SSH/Telnet access on your modem/router. These protocols allow for remote command line access to your device and are not required for the average home internet user.
  • Disable Wi-Fi Protected Setup (WPS). This technology provides a simpler method for connecting devices wirelessly, but is also rarely ever used.
  • MAC address filtering can be used to explicitly restrict access to your network to devices whose MAC address is contained on the access list that you define.
  • Enable the built-in firewall on your router.
  • Set up a separate guest wireless network for house guests. They can access the Internet, but can’t access anything inside of your network.
  • Set up access schedules for devices on your network that don’t require 24/7 Internet access.
  • Modify the Domain Name Servers that your router is using to translate Domain Names (e.g. roguesecurity.ca) to IP Addresses (e.g. 123.234.233.12).

Advanced:

  • Using a Virtual Private Network (VPN) encrypts your internet communications and makes things difficult for a malicious actor who may be “sniffing” your Internet communications for passwords and other information. Many routers allow easy configuration of many mainstream VPN providers.
  • Change the default local network subnet address on your network router. Instead of your local network being 192.168.2.1/24, change the third number group to anything between 0 and 254. For example, your local network IP address range might be 192.168.200.1/24.
  • Place Internet of Things devices on a separate subnet than personal devices.
  • Adjust the transmit (Tx) power of your wireless connection. Limiting the distance that your wireless signal travels will also limit how far away a malicious actor can be and still interact with your wireless internet.

3. Security For Personal Devices

  • Ensure that devices on your network have anti-virus (AV) software. Focus on your Windows computers first, and simply use the built-in Windows Defender and Windows Firewall options.*
  • Software firewalls should be enabled on devices that have them. Windows Firewall is a perfect option for Windows users.*
  • Devices should have separate Administrator and Non-Administrator accounts, and the Administrator account should only be used to perform administrative actions.
  • Virtual Private Network (VPN) software is also available for most operating systems and can be used on individual devices if whole-home VPN isn’t desired.
  • Set up devices with automatic updates enabled.

***Note: Mobile phone AV and firewall software is often bloated and bogs down older devices. Mobile malware is far less advanced and less common than Personal Computer (PC) malware. Our recommendation is to avoid both AV and Firewall software on mobile phones, unless it’s built into the phone’s operating system.***

Congratulations! You’ve successfully done something that so many people do not; you’ve taken steps to make it more difficult for a malicious actor to gain access to your home network. You rock!

Stay tuned for a really, REALLY, big update on this. If you’re continuing to have cybersecurity issues, or are unable to apply some or many of the recommendations above, and would like further information on how Rogue Security can help, please contact help@roguesecurity.ca.