Report: Air-gapped networks vulnerable to DNS attacks
Common misconfigurations in how Domain Name System (DNS) is implemented in an enterprise environment can put air-gapped networks and the high-value assets they are aimed at protecting at risk from external attackers, researchers have found.
Organizations using air-gapped networks that connect to DNS servers can inadvertently expose the assets to threat actors, resulting in high-impact data breaches, researchers from security firm Pentera revealed in a blog post published Dec. 8.
Attackers can use DNS as a command-and-control (C2) channel to communicate with these networks through DNS servers connected to the Internet, and thus breach them even when an organization believes the network is successfully isolated, the researchers revealed.
Air-gapped networks are segregated from the common user network in a business or enterprise IT environment and have no access to the Internet. They are designed this way to protect an organization’s “crown jewels,” the researchers wrote; access to them is granted through a VPN, an SSL VPN, or from the users’ network via a jump box.
However, these networks still require DNS services, which are used to assign names to systems for network discoverability. This becomes a vulnerability if network administrators do not configure DNS carefully.
“Our research showcases how DNS misconfigurations can inadvertently impact the integrity of air-gapped networks,” Uriel Gabay, cyberattack researcher at Pentera, tells Dark Reading.
What this means for the enterprise is that by abusing DNS, hackers have a stable communication line into an air-gapped network, allowing them to exfiltrate sensitive data while their activity appears completely legitimate to an organization’s security protocols, Gabay says.
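As an added example (not code from Pentera or the Dark Reading article), the detection-side check a defender would run over the logs of the resolver that an air-gapped segment is chained to: it groups queries in a constructed resolver log by registrable domain and flags domains whose subdomain labels are consistently long and high-entropy, the trace a DNS C2 or exfiltration channel leaves even though each individual query looks like a legitimate lookup. The log format, the `cdn-upd.test` domain and the thresholds are assumptions.

```python
"""Flag DNS query patterns consistent with a tunnelled C2/exfil channel.
Added example, not code from Pentera or Dark Reading. Assumes a resolver
query log in the constructed format: <time> <client-ip> <qtype> <qname>.
SAMPLE_LOG is constructed: ordinary lookups plus a burst of long, high-entropy
subdomains under one domain, the shape a DNS exfil channel leaves behind."""
import math
from collections import defaultdict

SAMPLE_LOG = """\
10:00:01 10.50.1.20 A www.example.com
10:00:02 10.50.1.20 A update.example.com
10:00:03 10.50.1.21 TXT 4a6f686e20446f65a1b2c3d4e5f60718.cdn-upd.test
10:00:03 10.50.1.21 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.cdn-upd.test
10:00:04 10.50.1.21 TXT 0c1d2e3f4a5b6c7d8e9fa0b1c2d3e4f5.cdn-upd.test
10:00:04 10.50.1.21 TXT deadbeef00112233445566778899aabb.cdn-upd.test
10:00:05 10.50.1.22 A mail.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: hex/base32 payload labels score ~3.5-4, words ~2-3."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname: str) -> str:
    """Crude grouping by the last two labels; use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text, min_queries=3, min_label_len=24, min_entropy=3.0):
    """Group queries by registrable domain and flag domains whose leftmost
    labels are consistently long and high-entropy. Returns {domain: set(clients)}."""
    per_domain = defaultdict(list)          # domain -> [(client, leftmost label)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                        # skip malformed lines
        _time, client, _qtype, qname = parts
        per_domain[registrable_domain(qname)].append((client, qname.split(".")[0]))
    flagged = {}
    for domain, entries in per_domain.items():
        labels = [lbl for _, lbl in entries]
        if len(labels) < min_queries:
            continue
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[domain] = {client for client, _ in entries}
    return flagged
```

Tune `min_label_len` and `min_entropy` against a baseline of the segment's normal traffic before alerting on them; CDNs and some software updaters also produce long labels.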
DNS as a Highly Misconfigurable Protocol
The most common mistake companies make when setting up an air-gapped network is to believe they are creating an effective air gap when they chain it to their local DNS servers, Gabay says. In many cases, these servers can be linked to public DNS servers, which means “they have unintentionally broken their own air gap.”
To read the complete article, visit Dark Reading.