Understanding DNS attacks: Identifying and patching vulnerabilities
Nihad Hassan
October 26, 2022
The Domain Name System (DNS) translates domain names into IP addresses. Every device and website has an IP address that other devices, websites, and online services use to communicate with it. IP addresses are a string of numbers usually formatted as 000.000.000.000. However, we use domain names since people can’t easily remember these numbers. When we want to visit Google, we simply type the domain name into our browser’s address bar, and the DNS service translates the user-entered domain name “google.com” into the corresponding IP address that a computer uses.
DNS is a fundamental component of the internet infrastructure, as any communication must start with a DNS name resolution. If the DNS becomes unavailable, internet programs will no longer function.
DNS attacks refer to any attack that targets the stability and security of the DNS infrastructure. They commonly aim to render the DNS unavailable or intercept and alter the answers provided by the DNS, directing unsuspecting users to malicious websites. DNS infrastructure contains two components — authoritative and recursive DNS servers — and both are open to attack.
Below, we’ll explore the most common attacks against DNS and review mitigation strategies to avoid them.
Crash course in DNS attacks
There are several types of DNS attacks. Each functions differently, has unique impacts, and requires specific countermeasures.
Spoofing
DNS spoofing occurs when threat actors alter the legitimate DNS server records to redirect users to fraudulent websites instead of their intended destination.
When unsuspecting users reach the fraudulent website, the website prompts them to enter sensitive information, such as login details or credit card information. Threat actors use this technique to steal the victim’s sensitive data or plant malware — like ransomware or keyloggers — on their victim’s device.
Attackers execute DNS spoofing attacks using two methods:
Intercepting the communications between the target device and the DNS server and redirecting users’ requests to a malicious website
Directly attacking the legitimate DNS server and forcing it to return malicious IP addresses
To counter this attack, we should:
Update and patch the DNS server software regularly.
Check the website for the secure connection (padlock) symbol. This symbol appears next to the address bar of the web browser. If there’s no padlock, this may indicate threat actors have mirrored the website for malicious purposes.
Enable the Domain Name System Security Extensions (DNSSEC) on the domain. These extensions add a layer of security by attaching a digital certificate signature to DNS information.
Cache poisoning
In this attack, the threat actor injects false DNS information into the DNS cache to force it to return incorrect information and direct users to malicious websites. For example, when a user requests to visit google.com, the poisoned DNS server returns the IP address of another website that could contain an exploit kit or phishing page.
DNS cache poisoning and spoofing are often used interchangeably in cybersecurity. However, they are different in terms of their function and order of appearance. In DNS poisoning, threat actors replace the DNS records to redirect unsuspecting users to malicious destinations. Then, DNS spoofing redirects unsuspecting users to the malicious website using a poisoned cache.
To prevent a DNS poisoning attack, we should:
Use DNSSEC, which uses public key cryptography. This ensures that only a legitimate DNS nameserver answers a request with the correct DNS information.
Prevent local DNS servers from answering internet-based DNS queries — unless our DNS nameserver is registered with ICANN.
DoS/DDoS/flooding
DNS flooding is an attack by which malicious actors try to overwhelm DNS servers with false DNS requests to prevent them from serving legitimate requests. There are two types of DNS flood attacks: denial of service (DoS) flooding and distributed denial of service (DDoS) flooding.
DoS flood attack
In a DoS flood attack, the attacker uses one computer to flood a remote DNS server with false traffic. This technique is no longer effective because modern DNS servers have advanced technical specifications that one device cannot disrupt.
DDoS DNS flood attack
The DDoS DNS flood is the most effective attack mechanism wherein attackers use many devices to target one DNS server. This action consumes the target DNS memory and CPU resources, eventually taking the server offline.
In cybersecurity, a bot can refer to any computing device, for example, a laptop, workstation, or internet of things (IoT) device infected with malware and under a threat actor’s control. A collection of these bots is called a botnet.
Attackers commonly use botnets containing thousands or millions of compromised devices that run malicious scripts. The attacker orchestrates the attack by directing all devices to send traffic simultaneously to one server, creating a denial-of-service condition.
DNS floods are considered relatively modern, made widely possible by the increasing numbers of IoT devices worldwide. Many IoT devices have poor security configurations, making them easy targets for hackers to control.
To prevent DDoS and DoS flood attacks, we should:
Use a DDoS mitigation service to prevent outside attackers from overwhelming our DNS servers with false requests.
Use one dedicated server as the authoritative name server and another as the DNS resolver. This enables one component to remain operational if the second fails.
Use a dedicated DNS server. Small and medium-sized organizations often use one server for multiple purposes, such as hosting applications and running the DNS service. However, if the attacker accesses one application hosted on the server, they can compromise and alter the DNS settings.
NXDomain
Like a DNS flood attack, the NXDomain attack overwhelms the target DNS server with many requests for invalid records (nonexistent domain names). To execute this attack, attackers use a DNS proxy server that automatically sends a massive number of DNS requests to the targeted authoritative DNS server. The authoritative server consumes resources (fills the server cache) in resolving these invalid requests, making it respond slowly to legitimate requests — and eventually stop responding altogether.
To prevent the DNS NXD flood attack, we should:
Conduct regular DNS audits.
Blocklist suspicious domain names and servers.
Temporarily blocklist a client’s IP address if it sends too many NXDomain requests.
Increase the Time to Live (TTL) on current DNS records to ensure that they’ll remain for an extended time in external DNS caches. These records don’t need to be updated regularly.
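The temporary blocklisting rule above can be sketched as a sliding-window counter per client. This is an added example, not code from the original article; the log format, the addresses and the thresholds (more than 4 NXDOMAIN answers in 10 seconds, 30-second block) are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample resolver log: "<epoch seconds> <client IP> <qname> <rcode>".
SAMPLE_LOG = """\
100 198.51.100.7 a1.example.net NXDOMAIN
101 198.51.100.7 a2.example.net NXDOMAIN
102 198.51.100.7 a3.example.net NXDOMAIN
103 192.0.2.10 typo.example.com NXDOMAIN
103 198.51.100.7 a4.example.net NXDOMAIN
104 198.51.100.7 a5.example.net NXDOMAIN
105 198.51.100.7 www.example.com NOERROR
140 198.51.100.7 www.example.com NOERROR
"""

class NxdomainLimiter:
    """Temporarily blocklist clients that exceed an NXDOMAIN rate."""

    def __init__(self, max_nx=4, window=10, block_for=30):
        self.max_nx, self.window, self.block_for = max_nx, window, block_for
        self.nx_times = defaultdict(deque)   # client -> recent NXDOMAIN timestamps
        self.blocked_until = {}              # client -> time the block expires

    def is_blocked(self, client, now):
        return self.blocked_until.get(client, 0) > now

    def observe(self, ts, client, rcode):
        """Record one response; return True if the query should be dropped."""
        if self.is_blocked(client, ts):
            return True
        if rcode != "NXDOMAIN":
            return False
        times = self.nx_times[client]
        times.append(ts)
        while times and times[0] <= ts - self.window:   # slide the window
            times.popleft()
        if len(times) > self.max_nx:
            # The query that trips the limit was already answered; later ones drop.
            self.blocked_until[client] = ts + self.block_for
            times.clear()
        return False

def replay(log_text, limiter):
    """Replay log lines and return the (timestamp, client) pairs that were dropped."""
    dropped = []
    for line in log_text.splitlines():
        ts, client, _qname, rcode = line.split()
        if limiter.observe(int(ts), client, rcode):
            dropped.append((int(ts), client))
    return dropped
```

A client with a single mistyped name (192.0.2.10 in the sample) is never blocked, and the block on the noisy client expires on its own, which keeps the rule from permanently locking out a shared NAT address.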
Amplification attacks
This is another DDoS attack that aims to prevent the target DNS server from serving legitimate DNS queries. In this attack, threat actors exploit open DNS servers to send multiple responses to the target server.
Threat actors initiate this attack by sending numerous DNS requests to the open DNS server using the target IP address as the source address. The open DNS server returns the response to the requester (in this example, the target spoofed IP address). Sending many DNS responses eventually crashes the target server by consuming its network bandwidth and making it unresponsive to legitimate requests.
Attackers commonly leverage botnets, especially on IoT devices, to generate spoofed DNS requests to overwhelm the target servers or organization network with DNS responses.
To prevent this attack, we should:
Enforce source IP verifications on all network devices.
Prevent DNS authoritative name servers from functioning as recursive servers.
Enforce response rate limiting (RRL) settings on all DNS servers.
Configure open DNS resolvers to only respond to queries from a trusted source.
Hijacking
In this attack, threat actors manipulate the responses to DNS queries to direct unsuspecting users to fraudulent or malicious websites. This attack occurs by:
Installing malware, such as a trojan horse, on the victim’s computer to incorrectly resolve DNS queries and lead the unsuspecting user to malicious sites
Compromising the target router and changing its DNS settings. This affects all users connected to the router.
Intercepting the communications between the legitimate DNS server and user device — as in the case of a man-in-the-middle attack — and manipulating DNS responses to lead the unsuspecting user to malicious sites
Targeting the DNS server directly and then changing its DNS settings to lead unsuspecting users to different URLs
Although this attack is malicious, some internet service providers (ISPs) use this technique to direct users to other websites. For example, some ISPs use it to display advertisements based on a user’s browsing history.
Rebinding
In this attack, the threat actor infects the target router with malware to control it remotely. The attack begins by executing malicious JavaScript code on a user’s browser to infect the router. Many people don’t protect their router using a complex password — or just safeguard it using the default factory credentials. This leaves them vulnerable to rebinding attacks.
A good first step toward guarding against rebinding attacks is to protect the router with a strong password. We should also:
Change the default router username and password to something difficult to guess.
Keep the DNS server and all client operating systems and installed applications up to date.
Tunneling
This DNS attack routes unsuspecting user traffic to the attacker’s server. This attack is typical among ransomware operators for facilitating communication with the Command and Control Center (C&C) and exfiltrating data from the target device.
DNS tunneling evades detection by security tools like firewalls. Threat actors send stolen data from the target network in small chunks and deliver them as a series of DNS queries and responses to avoid detection.
A DNS tunneling attack works as follows:
The attacker has a server with a domain name pointing to it. This server runs tunneling malware.
The attacker infects a computer with malware. The infected computer might sit behind a company firewall but can use the DNS resolver.
Now, the DNS resolver can communicate with the remote attacker’s C&C server.
By doing this, each infected device and the remote attacker’s server have created a covert channel that can be used to exfiltrate data from the victim device or deliver more malware, such as ransomware, to the target device.
To prevent this attack, we should:
Use advanced security solutions, including next-generation firewalls on network perimeters and network detection and response (NDR), to monitor all interactions within our IT environment. This enables us to detect APT and ransomware operators and halt communications with attackers’ servers.
Configure all devices within an organization’s network to send all their DNS queries to an internal DNS server that blocks suspicious domain names.
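Because tunneled data travels as many long, random-looking subdomains of one domain, an internal resolver's query log can be scored for that pattern. The following is an added example, not code from the original article; the query names are constructed, the thresholds are illustrative assumptions, and treating the last two labels as the base domain is a simplification.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of query names seen by an internal resolver.
SAMPLE_QUERIES = [
    "www.corp.example", "mail.corp.example", "api.corp.example",
    "static.corp.example", "www.corp.example",
    "mzxw6ytboi2gk3tlmvzhi4tf.tunnel.example",
    "nb2hi4dthixs653xo4xgk6dh.tunnel.example",
    "onswg4tfoqqhazlsonxw4ylm.tunnel.example",
    "ebuxgidbebrw63tdmvzhi2lp.tunnel.example",
]

def shannon_entropy(text):
    """Bits per character of the string's empirical character distribution."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname):
    """Return (payload, base). Assumption: the base is the last two labels;
    production code should use the Public Suffix List instead."""
    labels = qname.lower().rstrip(".").split(".")
    return "".join(labels[:-2]), ".".join(labels[-2:])

def score_domains(queries):
    """Per base domain: unique subdomain count, mean payload length and entropy."""
    payloads = defaultdict(set)
    for qname in queries:
        payload, base = split_name(qname)
        if payload:
            payloads[base].add(payload)
    return {
        base: {
            "unique": len(subs),
            "mean_len": sum(map(len, subs)) / len(subs),
            "mean_entropy": sum(map(shannon_entropy, subs)) / len(subs),
        }
        for base, subs in payloads.items()
    }

def suspected_tunnels(queries, min_unique=3, min_len=16, min_entropy=3.5):
    """Base domains whose subdomains are numerous, long and high-entropy."""
    return sorted(
        base for base, s in score_domains(queries).items()
        if s["unique"] >= min_unique and s["mean_len"] >= min_len
        and s["mean_entropy"] >= min_entropy
    )
```

In the sample, corp.example has as many unique subdomains as tunnel.example but short, low-entropy labels, so only the combination of all three signals flags a domain.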
Phantom domain
In this attack, the threat actor sets up numerous phantom domain names and requests the target DNS server to resolve them. These domains (commonly a large number of sub-domain names) respond very slowly or not at all. After a while, the target DNS server consumes its server cache while waiting for the attacker domain’s responses and eventually becomes unresponsive.
To prevent this attack, we should:
Increase the number of recursive DNS servers.
Limit the number of successive recursive DNS requests on each DNS server.
Conclusion
The DNS service is a critical component of internet infrastructure. It’s responsible for translating users’ domain names into IP addresses that other servers can understand. However, it was not made for security. With the widespread use of the internet and the growing number of cyberattacks, cybercriminals have become increasingly interested in DNS attacks.
Any attack against the DNS service prevents all internet programs from functioning correctly. Cybercriminals know this and have developed many ways to attack DNS services for malicious purposes.
There are several different techniques to attack the DNS service, which we can group into two main categories:
Attacks that aim to make the DNS service unavailable
Attacks that aim to manipulate the DNS records to lead unaware users to malicious destinations
As this article has demonstrated, each type of DNS attack requires a different set of countermeasures to mitigate it. However, generally speaking, the keys to preventing DNS attacks include keeping the DNS server software up to date, using a dedicated DNS server to provide the DNS service, increasing the number of recursive DNS servers, and checking for vulnerabilities to mitigate DDoS attacks.