The most common DNS attack methods
Attempts to compromise the DNS are unfortunately more frequent than you might think. Attackers can manipulate the DNS in several ways and gain big payoffs. But there are ways of protecting yourself and your business.
Published by Simone Catania
The Domain Name System (DNS) is essential to today’s internet. It converts human-readable alphabetical names into IP addresses, allowing us to access websites and exchange emails using domain names instead of a long string of numbers. When it was designed, the focus was on usability, not on security.
Nowadays, malicious actors increasingly target DNS infrastructure to exploit its weaknesses. Although recent updates and security protocols have made it more secure, a certain level of risk persists. DNS attacks can cause data breaches and business downtime, resulting not only in financial loss but also in reputational damage. The worst part is that such an attack can go completely undetected.
Any organization concerned with the internet should take this issue seriously and include proper countermeasures in their security plan. This article discusses some of the most common DNS attack methods and explores best practices to mitigate them.
What is the DNS?
In the early ’80s, Paul Mockapetris developed the DNS, a naming system that enables the use of human-friendly domains instead of long numerical labels that are hard to remember. Today, when you type a domain name into the address bar of a web browser, the DNS finds the corresponding IP address and connects you to the server you are looking for.
For example, when you type “facebook.com” in your browser’s address bar, your device sends a DNS request to its configured DNS server asking for the IP address of “facebook.com”. Yet, like any other protocol on the internet, DNS can be manipulated and exploited. A malicious attacker can abuse domain name resolution by compromising a DNS server and altering its records so that it returns incorrect information, pointing domain names or websites at addresses other than their legitimate IP addresses.
These are the risks of the DNS
The DNS was designed back when the internet was only an academic project among a few people and before the majority of common cyberattacks were an issue. Its original design did not foresee any security or authentication measures.
Malicious actors can tamper with the communication between the server and its users in order to
- redirect users to a bogus website
- propose malicious content
- show unwanted pop-up ads
- spread scams or malware
- steal a domain name (in the worst cases).
Over the years, DNS and network experts have discovered several bugs. The flaw discovered by Dan Kaminsky in 2008, a critical vulnerability allowing cache poisoning attacks on most nameservers, is probably the most significant example. To close this gap, various security protocols such as DNSSEC, DoT (DNS over TLS) and DoH (DNS over HTTPS) have been implemented.
Seven cyberattack methods used against the DNS
Attacking DNS servers can be very profitable for hackers. It allows them to seize valuable information and to redirect users so that they perform a specific action, for example falling for phishing or installing malware on their devices. There are many different methods to launch DNS attacks, but here are the most common.
1. DoS, DDoS and DNS amplification attacks
In a denial-of-service (DoS) attack, the attacker attempts to prevent you from accessing the network or computer resources. To achieve this, a DNS server is flooded with traffic until the website or online resource is unavailable. The DDoS (distributed denial-of-service) is a more sophisticated version of the DoS.
The main difference lies in the number of systems involved. While a DoS is a single-system-to-single-system attack, a DDoS uses several systems to attack a single one. This makes a DDoS attack more difficult to detect, as it coordinates multiple zombies or bots. The DNS amplification attack falls into the same category as DDoS attacks. It exploits weaknesses in the DNS by sending numerous spoofed DNS queries whose much larger responses are directed at the target server in order to bring it down.
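Response rate limiting (RRL) is the standard countermeasure authoritative servers use against this abuse. The following Python sketch is an added illustration, not code from the article or from any DNS server, and models the core of how BIND-style RRL handles a burst of identical responses towards one /24; the thresholds, addresses and message sizes are constructed assumptions.

```python
import ipaddress
from collections import defaultdict


def amplification_factor(query_bytes, response_bytes):
    """Bytes the victim receives per byte the attacker spends on a spoofed query."""
    return response_bytes / query_bytes


def client_block(ip, prefix=24):
    """RRL keys on the client netblock, since a spoofer cycles addresses within one."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class ResponseRateLimiter:
    """Simplified model of DNS Response Rate Limiting (RRL).

    Identical responses towards one netblock are capped per second. Excess
    responses are mostly dropped, but every `slip`-th one is sent truncated
    (TC=1, no payload): a real client retries over TCP, while a spoofed victim
    never asked and ignores it, so the amplification disappears.
    """

    def __init__(self, responses_per_second=5, slip=2):
        self.limit = responses_per_second
        self.slip = slip
        self.sent = defaultdict(int)    # (second, block, qname, qtype) -> answers sent
        self.excess = defaultdict(int)  # same key -> responses beyond the limit

    def decide(self, now, client_ip, qname, qtype):
        key = (int(now), client_block(client_ip), qname.lower(), qtype)
        if self.sent[key] < self.limit:
            self.sent[key] += 1
            return "answer"
        self.excess[key] += 1
        return "truncate" if self.excess[key] % self.slip == 0 else "drop"


def simulate_burst(count, now=1000.0, victim="203.0.113.7", qname="example.com.", qtype="ANY"):
    """Constructed burst: `count` spoofed ANY queries within one second, all 'from' the victim."""
    rrl = ResponseRateLimiter(responses_per_second=5, slip=2)
    decisions = [rrl.decide(now, victim, qname, qtype) for _ in range(count)]
    return {d: decisions.count(d) for d in ("answer", "drop", "truncate")}


if __name__ == "__main__":
    # Constructed sizes: a 64-byte ANY query eliciting a 3000-byte response amplifies ~47x.
    print(f"amplification: {amplification_factor(64, 3000):.1f}x")
    print(simulate_burst(12))  # {'answer': 5, 'drop': 4, 'truncate': 3}
```

Real implementations also whitelist known clients and key on the whole response, but the drop/truncate split shown here is what removes the attacker's gain without cutting off legitimate resolvers.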
2. DNS hijacking
Attackers use DNS hijacking methods to make DNS queries resolve incorrectly and redirect users. This happens when the hacker gains control over the DNS server and can divert the traffic to a fake DNS server. As a result, users land on a bogus website, usually without even realizing it.
There are different ways of hijacking the DNS: poisoning the DNS cache with an incorrect IP address; infiltrating malware into the router that changes its DNS settings, gaining access to the network and rerouting DNS queries; or using man-in-the-middle attacks. The latter allows hackers to intercept the communication between you and the website and thus to manipulate the DNS reply by providing a different IP address. They can also modify a router’s DNS settings so that a so-called rogue DNS server redirects the traffic.
3. DNS tunneling
This attack is anything but new, as it has been around for over 20 years, but it still poses a severe threat. This malicious technique allows an attacker to establish a channel to your computer and tunnel malware and other malicious data through a client-server model. You won’t realize you are “conversing” with an infected server!
Queries carrying hidden data pass through the DNS resolver to a domain the attacker controls, so the resolver effectively becomes a tunnel between you and the attacker, and the responses carry back whatever is needed to perpetrate the attack on your system. Typical abuse cases related to DNS tunneling are not restricted to data exfiltration: DNS queries and responses can also carry other malicious programs or protocols.
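Because tunneled traffic has to pack its payload into query names, the resolver log is where defenders usually spot it. The Python below is an added example, not from the article, that scores constructed query-log entries on the usual tunneling heuristics (subdomain length, label length, character entropy, data-carrying record types); the sample log, thresholds and zone-splitting rule are assumptions.

```python
import math
from collections import Counter

# Constructed resolver query log (client, qtype, qname); not captured traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com."),
    ("10.0.0.5", "AAAA", "mail.example.com."),
    ("10.0.0.9", "A", "cdn.static.example.org."),
    ("10.0.0.7", "TXT", "3fa9c2e1b7d04a5f8e6c2b1d9a7f3e5c.4b8d1e7f2a9c.exfil.example-tunnel.net."),
    ("10.0.0.7", "TXT", "9e1d7c3b5a2f8e4d6c1b0a9f7e3d5c2b.1a2b3c4d5e6f.exfil.example-tunnel.net."),
]

def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than readable host names."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def split_name(qname):
    """Naive split into (zone, subdomain labels): the last two labels are taken as the
    zone an attacker would register. Production tooling should use the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]

def tunneling_score(qtype, qname):
    """Count the heuristics a query trips; each is weak alone, together they are telling."""
    _, sub_labels = split_name(qname)
    subdomain = ".".join(sub_labels)
    score = 0
    if len(subdomain) > 50:                            # lots of data packed in front of the zone
        score += 1
    if any(len(label) > 30 for label in sub_labels):   # labels near the 63-octet limit
        score += 1
    if shannon_entropy(subdomain) > 3.5:               # looks encoded rather than human-chosen
        score += 1
    if qtype in ("TXT", "NULL", "CNAME"):              # record types that carry arbitrary bytes back
        score += 1
    return score

def flag_tunneling(queries, threshold=3):
    """Return sorted (client, zone) pairs with at least one query at or above the threshold."""
    flagged = set()
    for client, qtype, qname in queries:
        if tunneling_score(qtype, qname) >= threshold:
            zone, _ = split_name(qname)
            flagged.add((client, zone))
    return sorted(flagged)
```

On the constructed log, `flag_tunneling(SAMPLE_QUERIES)` singles out client 10.0.0.7 and the zone example-tunnel.net while the ordinary lookups score zero; in production the per-client count of unique subdomains under one zone is a further strong signal.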
4. DNS spoofing
DNS spoofing is used to hijack a browser’s request for a website and redirect the domain’s traffic while appearing to route it to the legitimate server. This is achieved either by changing the addresses of the DNS servers a client uses or by changing the IP address recorded for the domain’s name server itself.
A DNS spoofing attack occurs when the attacker impersonates a DNS server and sends responses to DNS queries that differ from those the legitimate server would send. The attacker can answer the victim’s query with any content, including fake IP addresses for hosts or other kinds of false information.
5. DNS poisoning and DNS cache poisoning
You are sure to have heard of web caching, i.e. storing internet data locally so that it can be retrieved on the next visit. The DNS has a similar function.
When attackers poison the DNS, they inject fraudulent IP addresses into your local memory cache. When this happens, you will land on what looks like the typical website you were looking for. In reality, it is a fake version designed to steal your data.
To poison the DNS, attackers can use several methods, ranging from machine-in-the-middle attacks that poison both the DNS and the browser, to server hijacking that reconfigures how the DNS server handles requests, to spam and other cryptography-based attacks. This attack is particularly harmful because, for example, a login page looks authentic and users don’t realize that the malicious person who poisoned the DNS has stolen their login credentials.
Sometimes DNS poisoning does not aim to steal sensitive data but rather to compromise access to a portal in order to reduce its visibility.
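Both spoofing (section 4) and cache poisoning (section 5) come down to a resolver accepting a forged UDP response. As an added illustration that is not from the article, the Python below models the checks a caching resolver applies before trusting a response: matching source address and randomized source port, matching transaction ID and question, and the bailiwick rule for what may be cached. The dataclasses stand in for DNS wire format, and all names, addresses and ports are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Question:
    name: str
    qtype: str

@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    data: str

@dataclass
class Response:
    txid: int
    question: Question
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)

@dataclass
class Pending:
    """Per-query resolver state; the random source port is the hardening deployed after Kaminsky's 2008 disclosure."""
    txid: int
    src_port: int
    server: str      # authoritative server the query was sent to
    zone: str        # zone that server is authoritative for: its bailiwick
    question: Question

def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept_response(pending, resp, from_addr, to_port):
    """Return records safe to cache, or None if the response is rejected. A blind spoofer must hit
    source address, destination port and TXID at once; the bailiwick rule then drops smuggled records."""
    if (from_addr, to_port) != (pending.server, pending.src_port):
        return None
    if resp.txid != pending.txid or resp.question != pending.question:
        return None
    return [rr for rr in resp.answers + resp.additional if in_bailiwick(rr.name, pending.zone)]

def demo():
    """Constructed forgery: right TXID and port, but the additional section plants a record for another zone."""
    q = Question("www.example.com.", "A")
    pending = Pending(0x1A2B, 50417, "192.0.2.53", "example.com.", q)
    forged = Response(0x1A2B, q, [RR("www.example.com.", "A", "192.0.2.10")],
                      [RR("login.example-bank.net.", "A", "198.51.100.7")])
    return accept_response(pending, forged, "192.0.2.53", 50417)  # only the www record survives
```

DNSSEC goes one step further by letting the resolver verify a signature on the records themselves, so even a response that passes all of these checks is not trusted unless it validates.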
6. DNS tracking/logging
Whenever a domain name is resolved, a DNS server is queried for information. In doing so, information about the user is sent to the ISP operating that server, which records your IP address and thus your approximate location. TLS/SSL encrypts the communication with the website so that hackers are not able to read its content, but it doesn’t hide your IP address when you visit a domain name.
If someone is able to track an IP address, they can potentially relate it to other stored information like name, address, bank details and much more. Hackers can potentially collect and correlate this information to perpetrate their attacks. In the past, some ISPs have accumulated this information to resell it to third parties, often advertisers, enabling them to implement their strategies in a targeted manner.
Users in Europe enjoy greater protection due to the introduction of the GDPR. Although it is not yet clear whether the IP address is included in the scope of personal data, it may certainly not be associated with other information.
7. DNS rebinding
The DNS rebinding method allows an attacker to get around closed ports on the router. In this case, the attack starts from a web page that executes a malicious client-side script in the browser, which then attacks machines elsewhere on the local network. Domain name verification is one of the essential building blocks of the same-origin policy enforced by web browsers, which grants access to content exclusively to the host that created the script.
The DNS rebinding attack, however, overcomes this policy by abusing domain name resolution: the attacker’s domain first resolves to the attacker’s own server with a very short TTL and, once the page has loaded, is rebound to an internal IP address, so the browser still treats the internal device as the same origin. Simply put, the DNS rebinding attack allows a browser to start communicating with remote servers with which it should not actually exchange data.
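The usual network-side defence is rebind protection on the local resolver, as offered for instance by dnsmasq’s --stop-dns-rebind option: a public name is never allowed to resolve to a private address. The Python below is an added example, not from the article or any resolver’s code, that models this filter, including the IPv4-mapped IPv6 form that naive filters miss; the internal zone, blocklist and attack timeline are constructed assumptions.

```python
import ipaddress

# Address ranges a public, attacker-controlled name has no business resolving to
# (RFC 1918, loopback, link-local, "this host", IPv6 loopback/link-local/ULA).
REBIND_BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]

# Zones whose names legitimately point at internal addresses (assumption: site-specific).
INTERNAL_ZONES = ("corp.example.",)

def is_internal_name(qname):
    q = qname.lower().rstrip(".") + "."
    return any(q == z or q.endswith("." + z) for z in INTERNAL_ZONES)

def is_rebind_target(address):
    ip = ipaddress.ip_address(address)
    # ::ffff:192.168.1.1 is the same host as 192.168.1.1; unwrap it before matching,
    # otherwise the IPv4 ranges above are trivially bypassed.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in REBIND_BLOCKLIST)

def filter_answers(qname, addresses):
    """Return (kept, dropped): internal addresses pass only for names in internal zones."""
    if is_internal_name(qname):
        return list(addresses), []
    kept = [a for a in addresses if not is_rebind_target(a)]
    dropped = [a for a in addresses if is_rebind_target(a)]
    return kept, dropped

def replay_rebinding(qname, answers_over_time):
    """Constructed attack timeline: the attacker's name first answers with a public address
    (short TTL) and then 'rebinds' to a LAN address once the page is loaded; the filter
    lets the first answer through and drops the second."""
    return [filter_answers(qname, [addr]) for addr in answers_over_time]

if __name__ == "__main__":
    print(replay_rebinding("attacker.example.", ["203.0.113.10", "192.168.1.1"]))
```

On the device side, services on the LAN should additionally check the HTTP Host header against the names they expect, since a rebound request still carries the attacker's domain there.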
Five measures to mitigate DNS attacks
Once you understand the different types of attack and their targets, the next step is to gain an understanding of the available countermeasures. It is possible to harden your DNS infrastructure by implementing several best practices. Follow these recommendations to attain the highest DNS security.
1. Implement internet security
Implement all DNS protection systems and protocols, such as DNSSEC.
2. Restrict DNS resolver access
Keep your DNS resolver private and accessible only to your network users and never to third parties.
3. Apply safe configurations
Use the optimal DNS configuration to reduce possible vulnerabilities, e.g. limiting the number of queries or blocking redundant ones.
4. Opt for certified managed service
DNS management requires technical knowledge and skills. Rely on a reliable, professional and certified partner to ensure the highest security DNS standards, including ISO certification.
5. Use digital certificates and signatures
Implement a higher level of data privacy by authenticating and encrypting your data and communications. This also includes the use of two-factor authentication, where available.
Protecting the DNS infrastructure is a critical step in preserving internet security in general. An efficient DNS security strategy entails the application of all currently available security protocols, managing redundant DNS servers and knowing which methods hackers can exploit to their advantage.
Protecting DNS = safer business
There are many cyberattacks and network intrusions that can befall a company. As a critical element of the internet, the DNS is the target of different cyberattacks that may lead to downtime of critical websites and applications. By prioritizing safety and taking measures to alleviate specific threats, you can prevent downtime, mitigate losses and, most importantly, increase customer confidence in your organization.
DNS security may seem like a complicated topic, but there are services like ours to help businesses with expert strategies to improve DNS security and safeguard their domains. At InterNetX, we understand the complexities around DNS security and have engineered solutions to help you prevent and protect your business against DNS attacks.