Dynamic DNS (DDNS) is a beneficial service for small businesses, home users, and hobbyist system administrators: it lets them reach their devices remotely by automatically mapping a changing IP address to a consistent domain name. However, DDNS also allows adversaries to dynamically establish connections to command-and-control infrastructure, making it a risk that most businesses need to understand and manage with controls. This blog post explores the intricacies of Dynamic DNS resolution, its implications for endpoint security, and how businesses can protect themselves against potential threats.
What is dynamic DNS resolution as an obfuscation technique?
Dynamic DNS is a service that automatically updates the DNS records of a domain name when the IP address changes. This is particularly useful for web properties with frequently changing IP addresses, such as small business websites and APIs. For instance, if a website’s IP address changes from 192.0.2.0 to 192.0.2.1, a dynamic DNS service will automatically update the DNS records. This ensures that users trying to access the website are directed to the correct IP address.
While this automation is beneficial for legitimate purposes, it can also be exploited by cybercriminals. By using the domains owned by the DDNS provider, or by constantly changing the IP addresses associated with their dynamic hostnames, adversaries make it difficult for defenders to track and block their activities. This lets them run more effective phishing and malware delivery campaigns.
How does dynamic DNS as an obfuscation technique happen?
DDNS providers own multiple domains and operate the authoritative nameservers for them. Some providers offer hundreds of domains on which their users can obtain a free Fully-Qualified Domain Name (FQDN). When a user creates an account, they choose one of the provider’s domains and then pick a hostname, producing a custom FQDN such as myhomedomain.ddnsprovider.com.
Once the FQDN is created, the DDNS provider handles all DNS queries for that domain. Their authoritative nameservers respond with the IP address associated with the dynamic hostname, allowing users to access their website or API through the FQDN.
DDNS providers also offer a client application, which runs on an endpoint and communicates with the DDNS provider’s servers. This client application sends the current IP address of the device to the DDNS provider’s server every time it changes. The server then updates the DNS records for that domain name, ensuring that it always points to the correct IP address.
Adversaries can exploit this process by registering as a user with a DDNS provider and using its client applications or API to update their IP addresses frequently across an endless supply of hostnames. This makes it difficult for defenders to detect and block their activity without also blocking legitimate sites that share the same parent domain. The constant change in hostnames and addresses acts as a moving target, complicating efforts to disrupt malicious operations. This helps cybercriminals run more effective phishing and malware delivery campaigns and hide their malware command-and-control servers.
Examples of dynamic DNS as an obfuscation technique
Dynamic DNS resolution is not just a theoretical concept but a real-world problem. Cybersecurity firms have observed threat actors using DDNS services to host phishing content and distribute malware. For instance, by using DDNS services like DuckDNS or ChangeIP, attackers can create subdomains that point to malicious servers, thereby spreading their attacks across the web.
DDNS has been used in several noteworthy incidents:
APT28 Targeting Government Institutions
In 2018, the notorious hacking group APT28, also known as Fancy Bear, leveraged DDNS services to disguise their phishing infrastructure. By constantly changing their IP addresses with dynamic DNS providers, they launched extensive spear-phishing campaigns targeting government institutions across Europe.
Emotet Malware Campaigns
Emotet, one of the most prevalent malware threats in recent years, was observed using DDNS services to rotate domains hosting its command-and-control servers. This tactic complicated efforts by security researchers to contain infected machines and disrupt communication with the malicious servers.
Mirai Botnet’s Use of ChangeIP
The Mirai botnet, infamous for orchestrating massive DDoS attacks, exploited DDNS services like ChangeIP to mask the IP addresses of the command centers managing the infected IoT devices. This enabled rapid shifts in infrastructure that hindered mitigation attempts by network security teams.
Locky Ransomware Distribution
During its 2016 campaign, Locky ransomware distributors used DDNS to conceal the distribution sites of their malicious payloads. The use of dynamic DNS services allowed them to maintain operational resilience even as defenders identified and took down known URLs associated with the attack.
Zeus Banking Trojan
Cybersecurity experts found the Zeus Trojan, which was designed to steal banking credentials, using DDNS for its command-and-control servers. The abuse of these services allowed attackers to evade detection by constantly moving their C2 infrastructure, prolonging their exploitation of compromised systems.
How dynamic DNS resolution as an obfuscation technique impacts your business
For businesses, Dynamic DNS (DDNS) used as an obfuscation technique significantly complicates the task of providing secure internet access for their users and IT assets, and it poses challenges for malware detection and prevention efforts. This concealment mechanism allows the true location of malicious servers to remain hidden, making it easier for cybercriminals to infect devices and launch follow-on attacks such as data breaches.
As the malware infection remains obscured, security teams face heightened difficulty in pinpointing and mitigating threats. The inability to effectively identify and respond to malicious activities due to DDNS usage can lead to severe consequences for organizations, including sensitive data theft, financial losses, and operational disruption. Such vulnerabilities underscore the importance of robust cybersecurity measures and advanced threat detection technologies to counteract the evolving tactics of cyber attackers.
Failure to adequately address the threats posed by Dynamic DNS in cyberattacks can expose businesses to regulatory fines. Many industries are bound by strict compliance standards that require rigorous cybersecurity measures. Non-compliance not only incurs financial penalties but also damages a company’s reputation. Additionally, affected customers facing data breaches may lose trust, leading to customer churn and a subsequent loss of revenue. Companies find themselves struggling to maintain profitability while managing the fallout from a compromised security posture. This highlights the critical need for implementing comprehensive security frameworks and continuous monitoring to safeguard assets and protect against potential financial and reputational damage.
Preventing dynamic DNS resolution as an obfuscation technique
Preventing the misuse of Dynamic DNS services requires a multi-faceted approach. Here are some effective strategies businesses can employ:
Use a Protective DNS Solution
One effective strategy for countering the misuse of Dynamic DNS is implementing a protective DNS solution. This approach involves using DNS security tools that can identify and block suspicious or malicious domains, FQDNs, and attacker infrastructure before users follow links to them. Protective DNS solutions monitor DNS traffic in real-time, helping organizations detect anomalies and potential threats early. By leveraging threat intelligence databases, these tools can quickly update and adapt to emerging threats, ensuring your network’s defenses are always current. Incorporating a protective DNS solution not only enhances overall security posture but also provides an additional layer of defense against sophisticated cyberattack tactics.
Block and monitor known DDNS domains
Maintaining a list of domains known to be owned by DDNS providers and monitoring DNS queries that match them can help detect suspicious activity. By keeping track of nameservers used by DDNS providers and hunting for domain names using those servers, businesses can identify and block potential threats early.
Analyze Passive DNS Data
Passive DNS data provides insights into DNS queries made by users, including attempts to access DDNS domains and subdomains. By analyzing this query data and the answers provided to these queries, businesses can detect and block connections to adversaries’ infrastructure, such as IP addresses and network blocks, preventing further exploitation.
Leverage Certificate Transparency Logs
Monitoring certificate transparency logs can reveal certificates issued for domains and subdomains. By keeping an eye on these logs, organizations can identify fraudulent sites hosted on a DDNS provider’s domains that may be used for phishing or malware distribution.
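The two strategies above of matching queries against known DDNS provider domains and analyzing passive DNS answers can be combined in one pass over query logs. The script below is an added example, not code from Vercara or any DDNS provider: the zone list, the log format, the sample records and the one-answer threshold for flagging a hostname as a moving target are all constructed assumptions. It only flags true subdomains of a provider zone, so a lookup of the provider’s own apex is not treated as a customer hostname.

```python
from collections import defaultdict

# Constructed placeholder list of apex zones operated by DDNS providers; a real
# deployment would load this from threat intelligence, not hard-code it.
DDNS_ZONES = {"ddnsprovider.com", "free-dyn.example"}

# Constructed passive DNS records: "<time> <client> <qname> <answer>".
SAMPLE_LOG = """\
2024-05-01T08:00:01 10.1.1.20 updates.vendor.example 198.51.100.10
2024-05-01T08:02:10 10.1.1.20 myhomedomain.ddnsprovider.com 203.0.113.5
2024-05-01T08:09:44 10.1.1.31 myhomedomain.ddnsprovider.com 203.0.113.77
2024-05-01T08:15:03 10.1.1.20 myhomedomain.ddnsprovider.com 192.0.2.200
2024-05-01T08:16:30 10.1.1.45 nas.free-dyn.example 203.0.113.9
2024-05-01T08:20:12 10.1.1.45 nas.free-dyn.example 203.0.113.9
2024-05-01T08:21:00 10.1.1.50 ddnsprovider.com 203.0.113.1
"""

def ddns_zone(qname, zones=DDNS_ZONES):
    """Return the DDNS apex zone qname is a *subdomain* of, else None.
    The apex itself (the provider's own site) is not a customer hostname."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in zones:
            return ".".join(labels[i:])
    return None

def analyze(log, zones=DDNS_ZONES, max_ips=1):
    """Per DDNS-hosted hostname: internal clients that resolved it (scoping),
    distinct answers in the order seen, and a 'rotating' flag when the answer
    changed more often than max_ips allows (the moving-target pattern)."""
    seen = defaultdict(lambda: {"zone": None, "clients": set(), "ips": []})
    for line in log.strip().splitlines():
        _ts, client, qname, answer = line.split()
        zone = ddns_zone(qname, zones)
        if zone is None:
            continue
        entry = seen[qname.lower()]
        entry["zone"] = zone
        entry["clients"].add(client)
        if answer not in entry["ips"]:
            entry["ips"].append(answer)
    for entry in seen.values():
        entry["rotating"] = len(entry["ips"]) > max_ips
    return dict(seen)

if __name__ == "__main__":
    for host, info in analyze(SAMPLE_LOG).items():
        state = "ROTATING" if info["rotating"] else "static"
        print(host, state, info["ips"], sorted(info["clients"]))
```

The rotating flag is a triage signal rather than a verdict: the answer IPs it collects are what you would then check against passive DNS and threat intelligence before blocking a network block.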
Dynamic domain name resolution is a double-edged sword.
Dynamic DNS resolution, when used as an obfuscation technique, presents a formidable challenge for Security Operations and Cyber Threat Intelligence staff. By understanding its mechanics and implications, businesses can better protect themselves against potential threats. Implementing monitoring strategies, analyzing passive DNS data, leveraging certificate transparency logs, using protective DNS, and maintaining blocklists of DDNS domains are crucial steps in safeguarding against DDNS exploitation.
How Vercara can help.
Vercara’s UltraDDR provides top-tier DNS protection by functioning as a filtering DNS recursive server, protecting endpoint devices from threats. It combines recursive and private DNS resolver technologies to prevent malicious queries to DDNS providers and to track adversary infrastructure.
For those interested in learning more, explore our advanced security solutions and connect with our cybersecurity experts to strengthen your defenses against DDNS and other evolving threats.