DNS, the Domain Name Service, is at the heart of how the Internet operates to locate the web site, server, or peer that is known to you by its name (e.g. apple.com), rather than its IP address (e.g. 22.214.171.124). This is a great help to humans as we tend to remember names, particularly those associated with things (e.g. stamps.com), rather than long numbers. The Internet itself operates using IP addresses which are composed of a unique number assigned to each computer interface that is attached to the Internet. But, remembering these unique numbers, and to which sites they correspond, is beyond the abilities of most people. The character names that humans use must be translated to the corresponding numerical IP values before the computer can send a message to the intended computer. DNS is the service that does exactly this, and is so ubiquitous that we would hardly conceive of a system that doesn’t use it. This is also why firewalls, that are used as the primary line of defense against cyber attack in an enterprise, lets DNS traffic pass unimpeded. If these firewalls were to suddenly block DNS, many of the systems and virtually all the web browsers behind the firewall would become unusable to their human operators, and the IT department would be flooded with calls from irate users.
Cyberattackers know this too. They also know that the DNS standard is highly flexible and allows for many opportunities to embed or attach data in unanticipated ways, as well as simply doing its intended job of converting names to IP addresses. Attackers routinely use the DNS service packets as the preferred method of running their command and control traffic into and out of your systems. This traffic generally appears to cybersecurity watch systems to be normal, benign traffic, which makes it so difficult to detect. Cyber security analysts have become wise to this trick and have built special detectors for these kinds of uses of the DNS traffic, but they tend to only catch the most egregious abusers of the DNS standard. The more cunning are still able to interact with your systems, and upload and exfiltrate data at will. The flexible nature of the DNS standard makes it almost impossible to prevent this kind of abuse.
Some systems, like controls, are not operated by human users, so the benefits of DNS for people are unnecessary for these systems. These kind of systems are typically engineered and configured by trained technology professionals who are comfortable with the low level details of IP such as the numerical addresses. Systems like this are typically embedded systems that lack a HMI, or have an HMI that is highly constrained as to what IP addresses with which it can communicate. Embedded system components like these are typically pre-configured to execute an intended purpose, and are routinely monitored and maintained. These include uses like: controls, robotics, automation, medical devices, avionics, automotive, etc. Instead of assigning a human readable name to each component in an embedded system, the system can be configured with the numeric IP address. The use of numeric IP address completely eliminates the threat of DNS conveyed attacks on your system as all DNS traffic can then be blocked within the system network, or preferably at each control system component. Thus, eliminating this major threat vector into your system.
Does your control system cyber security mechanism allow DNS attacks on your network? Here at Cognoscenti Systems we are dedicated to providing comprehensive network defense for control systems. See: www.cognoscentisystems.com