Man-in-the-middle attacks on the rise. Monitor your DNS

With a sudden increase in DNS hijacking and man-in-the-middle attacks, the United States Computer Emergency Readiness Team (US-CERT) issued the following warning on its Alerts and Tips page:

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization’s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization’s domain names, enabling man-in-the-middle attacks.

NCCIC encourages administrators to review the FireEye and Cisco Talos Intelligence blogs on global DNS infrastructure hijacking for more information. Additionally, NCCIC recommends the following best practices to help safeguard networks against this threat:

  • Implement multifactor authentication on domain registrar accounts, or on other systems used to modify DNS records.
  • Verify that DNS infrastructure (second-level domains, sub-domains, and related resource records) points to the correct Internet Protocol addresses or hostnames.
  • Search for encryption certificates related to domains and revoke any fraudulently requested certificates.

How do the DNS/SSL attacks work?

For our tech-minded readers, we strongly recommend reading the articles suggested in the US-CERT notification for detailed examples of how the hijacking takes place. For the rest of you, we’ve put together a summary of how these multifaceted attacks work.

Technique 1: Modified DNS A record

The A record in your DNS zone holds the IPv4 address of your server. Using phishing and other means, an attacker gains access to the DNS provider’s administration panel and changes that address to point to a proxy server. The proxy forwards user traffic on to the real site, using a certificate from Let’s Encrypt to terminate the connection. The attacker collects usernames, passwords, and domain credentials as users access the site.

Technique 2: Modified NS record

Your NS record holds the authoritative name server information for the domain. This technique works like technique 1, but it relies on a previously compromised registrar or ccTLD (country-code top-level domain) registry. The attacker alters the NS record to point to a compromised name server, which then feeds requests through a proxy server, allowing the attacker to collect login credentials.

Technique 3: DNS redirection

Using one of the two methods above, this technique redirects the request to attacker-controlled infrastructure.

Who needs to worry about DNS attacks?

Any business can become the victim of an attack like those described above. FireEye says that telecoms, ISPs, internet infrastructure providers, governments, and sensitive commercial entities make up the majority of the targets, a group broad enough to include most sites, and possibly yours.

The attacks begin with targeted spear-phishing, in which an unsuspecting user opens a Word document with malicious macros. The document uses several different methods to avoid detection by antivirus and anti-malware software, making it very difficult to identify on the front end.

Protecting your company from a DNS or SSL attack

As US-CERT recommends above, you need to:

  • Use multifactor authentication on registrar accounts.
  • Check your DNS records for proper information.
  • Search for any non-authorized SSL certificates and have them revoked.

We want to add another bullet:

  • Automate your DNS and SSL checks for 24/7 protection.

External monitoring with Uptrends

DNS and SSL certificate issues may affect your entire user base or just isolated regions. By using Uptrends’ global network of over 200 checkpoint locations, you can check your DNS records against DNS servers around the world. Instead of the random timing of manual testing, your checks run once a minute, 24/7. Uptrends’ advanced alerting lets you know the moment your monitor encounters any errors or discrepancies in your records.

Monitoring your DNS

It takes only moments to set up DNS monitoring. With DNS monitoring you can verify your:

  • A (IPv4 address)
  • AAAA (IPv6 address)
  • NS (Authoritative Name Server)
  • CNAME (aliases)
  • MX (mail server mapping)
  • SOA (Start of Authority)
  • SRV (Server)
  • TXT (text)
  • Root Server

You can set up a DNS monitor to watch any of the above record types for changes. We recommend watching your A and AAAA records. You can also monitor your SOA record: it carries a serial number that is incremented whenever your DNS zone is changed, so by watching that number you will know immediately when anyone, authorized or not, changes your records.
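The checks described in this section, and the two tampering patterns from techniques 1 and 2 above, can be expressed as a small comparison routine. The following is an added example written for this post; it is not Uptrends’ code. It compares the record sets seen from several vantage points against a recorded baseline and tracks the SOA serial using RFC 1982 serial arithmetic (32-bit, wrapping). The resolver answers, checkpoint names, addresses (RFC 5737/3849 documentation ranges) and name server names are constructed sample data; a real monitor would obtain the answers with a DNS client library.

```python
"""Compare DNS answers seen from several vantage points against a baseline.

Added example, not Uptrends' code. The resolver answers below are constructed
test data; a real monitor would obtain them with a DNS client library.
"""
from typing import Dict, List, Set, Tuple

SERIAL_MODULUS = 2 ** 32  # SOA serials are 32-bit and wrap (RFC 1982)

# Baseline the zone owner recorded when the records were last verified
# (constructed: documentation addresses and example.net name servers).
EXPECTED: Dict[str, Set[str]] = {
    "A": {"192.0.2.10"},
    "AAAA": {"2001:db8::10"},
    "NS": {"ns1.example.net.", "ns2.example.net."},
}
LAST_SERIAL = 2019012201

# Constructed answers from three checkpoints. "sao-paulo" sees an A record
# pointing at an unknown host (technique 1), "singapore" sees a name server
# that is not ours (technique 2); "amsterdam" sees the correct zone.
RESPONSES = {
    "amsterdam": {
        "records": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"],
                    "NS": ["ns1.example.net.", "ns2.example.net."]},
        "soa_serial": 2019012201,
    },
    "sao-paulo": {
        "records": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::10"],
                    "NS": ["ns1.example.net.", "ns2.example.net."]},
        "soa_serial": 2019012301,
    },
    "singapore": {
        "records": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"],
                    "NS": ["ns1.example.net.", "ns1.rogue.invalid."]},
        "soa_serial": 2019012201,
    },
}


def compare_records(expected: Dict[str, Set[str]],
                    observed: Dict[str, List[str]]) -> List[dict]:
    """Return one finding per record type whose observed set differs from baseline.

    Values are compared case-insensitively, as DNS names are."""
    findings = []
    for rtype, want in expected.items():
        want_n = {v.lower() for v in want}
        got_n = {v.lower() for v in observed.get(rtype, [])}
        if got_n != want_n:
            findings.append({
                "type": rtype,
                "unexpected": sorted(got_n - want_n),
                "missing": sorted(want_n - got_n),
            })
    return findings


def serial_delta(previous: int, current: int) -> int:
    """Signed distance from previous to current in RFC 1982 serial arithmetic.

    Positive: the serial advanced (zone republished). Negative: it went
    backwards (e.g. a rollback). Zero: unchanged."""
    d = (current - previous) % SERIAL_MODULUS
    return d if d < SERIAL_MODULUS // 2 else d - SERIAL_MODULUS


def evaluate_checkpoints(expected: Dict[str, Set[str]], responses: dict,
                         last_serial: int) -> List[Tuple[str, str]]:
    """Produce (checkpoint, message) alerts for every discrepancy at every checkpoint."""
    alerts: List[Tuple[str, str]] = []
    for checkpoint, answer in responses.items():
        for f in compare_records(expected, answer["records"]):
            alerts.append((checkpoint, f"{f['type']} mismatch: "
                           f"unexpected={f['unexpected']} missing={f['missing']}"))
        delta = serial_delta(last_serial, answer["soa_serial"])
        if delta != 0:
            direction = "advanced" if delta > 0 else "went backwards"
            alerts.append((checkpoint, f"SOA serial {direction} by {abs(delta)} "
                           f"({last_serial} -> {answer['soa_serial']})"))
    return alerts


if __name__ == "__main__":
    for where, msg in evaluate_checkpoints(EXPECTED, RESPONSES, LAST_SERIAL):
        print(f"[{where}] {msg}")
```

Comparing whole record sets rather than single values matters: an extra NS entry or a second A address is as much of a discrepancy as a replaced one, and a serial that moves while the record sets still match is the early signal that someone touched the zone.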

Monitoring your SSL certificate

Besides receiving reminders about impending expiration dates and alerts for certificate errors, you can monitor multiple fields on your SSL certificates:

  • Common name
  • Organization
  • Organizational unit
  • Serial number
  • Fingerprint
  • Issued by common name
  • Issued by organization
  • Issued by organization unit

A certificate the attacker obtained for your domain is valid, so on its own it won’t trigger a certificate error; but because its fields (issuer, serial number, fingerprint, and so on) will not match the values of your own certificate, your SSL monitor will trigger an alert.
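The field comparison behind that alert, as an added example written for this post (not Uptrends’ code). It uses only the Python standard library: `ssl.SSLSocket.getpeercert()` returns the subject and issuer as nested RDN tuples, and `getpeercert(binary_form=True)` returns the DER bytes from which the fingerprint is hashed. The two certificate dictionaries, their serial numbers and the “DER bytes” behind the fingerprints are constructed sample data in exactly that shape; `fetch_peer_cert` is the live path and is not called when the file runs offline.

```python
"""Compare the fields of a served TLS certificate against a recorded baseline.

Added example, not Uptrends' code; standard library only. The certificate
dictionaries below are constructed sample data in getpeercert() shape.
"""
import hashlib
import socket
import ssl
from typing import Dict, Optional, Tuple


def fetch_peer_cert(hostname: str, port: int = 443) -> Tuple[dict, str]:
    """Live fetch (needs network): return getpeercert() dict and SHA-256 fingerprint."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.getpeercert(), hashlib.sha256(der).hexdigest()


def flatten_name(rdns) -> Dict[str, str]:
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) structure into a dict."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def cert_profile(peercert: dict, fingerprint: str) -> Dict[str, Optional[str]]:
    """Extract the fields the post lists for SSL certificate monitoring."""
    subject = flatten_name(peercert.get("subject", ()))
    issuer = flatten_name(peercert.get("issuer", ()))
    return {
        "common_name": subject.get("commonName"),
        "organization": subject.get("organizationName"),
        "organizational_unit": subject.get("organizationalUnitName"),
        "serial_number": peercert.get("serialNumber"),
        "fingerprint": fingerprint,
        "issued_by_common_name": issuer.get("commonName"),
        "issued_by_organization": issuer.get("organizationName"),
        "issued_by_organizational_unit": issuer.get("organizationalUnitName"),
    }


def compare_profiles(baseline: Dict[str, Optional[str]],
                     observed: Dict[str, Optional[str]]
                     ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {field: (expected, observed)} for every monitored field that differs."""
    return {k: (baseline[k], observed.get(k))
            for k in baseline if baseline[k] != observed.get(k)}


# Constructed baseline: the organization's own certificate as recorded at setup.
BASELINE_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("organizationalUnitName", "IT"),), (("commonName", "www.example.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA Inc"),),
               (("commonName", "Example CA EV TLS"),)),
    "serialNumber": "0A1B2C3D4E5F60718293A4B5C6D7E8F9",
}
BASELINE_FP = hashlib.sha256(b"constructed-der-bytes-of-our-cert").hexdigest()

# Constructed certificate a hijacked A record could serve: browser-valid and
# with the same common name, but a different issuer, serial number and key.
OBSERVED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "serialNumber": "03F1E2D3C4B5A69788796A5B4C3D2E1F",
}
OBSERVED_FP = hashlib.sha256(b"constructed-der-bytes-of-attacker-cert").hexdigest()


def check_certificate(baseline_cert: dict, baseline_fp: str,
                      observed_cert: dict, observed_fp: str
                      ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Alert-worthy differences between the recorded and the served certificate."""
    return compare_profiles(cert_profile(baseline_cert, baseline_fp),
                            cert_profile(observed_cert, observed_fp))


if __name__ == "__main__":
    diffs = check_certificate(BASELINE_CERT, BASELINE_FP, OBSERVED_CERT, OBSERVED_FP)
    for field, (want, got) in diffs.items():
        print(f"ALERT {field}: expected {want!r}, got {got!r}")
```

The common name matches in both certificates, which is exactly why a browser raises no warning; the alert comes from the fields a validity check never compares. Pinning the fingerprint alone is the strictest option but also fires on every routine renewal, so most teams alert on issuer and organization fields and treat a fingerprint change as an expected event after a planned renewal.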


  1. DNS and certificate hijacking instances continue to go up.
  2. Protecting your users and brand from DNS attacks requires vigilance.
  3. Manually testing your DNS and SSL certificates will not capture localized issues your users may experience.
  4. Monitoring your DNS records and SSL certificate configuration proactively with Uptrends can alert you to an attack earlier than manual testing or waiting for user complaints.
