Interested in security? Follow along for content within Cybersecurity
Table of Contents:
The Domain Name System, or DNS, is a protocol that translates human-friendly URLs into IP addresses. Think of it as a phone book for the Internet.
DNS is made up of the following components: an authoritative name server, a recursive server, DNS root server, and a TLD name server. Attackers can use DNS to establish a command and control (C2), which would allow them to gain unauthorized access into a network and be able to exfiltrate data.
Image source here
A DNS attack is when a hacker exploits vulnerabilities in the DNS service. The focus of the attack is on the DNS infrastructure itself with either attempting to make the DNS service unavailable or corrupt answers that are usually provided by the DNS server.
There are two general types of attacks on DNS:
In the upcoming section, I will go into detail about some of the most common types of DNS attacks.
A major issue with the DNS system is the fact that an attacker can replace the authorized IP address of a webpage with a malicious one, therefore, directing users to a rogue website. The users would not have any knowledge of this IP swap as well.
DoS and DDoS Attacks
A distributed denial of service (DDoS) attack attempts to disrupt the regular traffic of a network or server by bombarding it with unnecessary traffic to overwhelm it and make it unresponsive. A DDoS attack can crash the entire DNS server preventing users from being able to access the web.
DNS Hijacking/DNS Redirection
Hackers redirect queries to a malicious website and target the DNS record of a webpage on the name server.
DNS Poisoning/DNS Spoofing
This type of attack occurs when incorrect IP addresses are stored on a DNS cache. For example, instead of directing the user to amazon.com, the invalid DNS cache entry may take users to a phishing site instead that looks a lot like the real Amazon webpage.
Here are a few ways on how DNS poisoning attacks may typically begin:
This attack utilizes other protocols to pass DNS queries and responses. Hackers may use TCP, HTTP, or SSH to pass malware or exfiltrated information into DNS queries.
This type of attack is a variant of DDoS and occurs when the DNS server is flooded with queries to non-existent domains, making it impossible for the server to respond to legitimate DNS requests.
Phantom Domain Attack
This is a type of DoS (denial of service) attack that targets the authoritative name server. When the DNS server does not know an IP address, it will look up the address on other connected DNS servers. The purpose of this attack is to intercept the lookup process and slow down the function of the DNS server.
The DNS protocol was not designed with security in mind - hence all of the attacks that were created to exploit vulnerabilities in the DNS system - which was why DNS Security Extensions (DNSSEC) was created. DNSSEC protects against DNS attacks by digitally signing data to ensure its authenticity and accuracy. It implements hierarchical digital signing across all layers of DNS.
Now that you have an understanding of some of the different DNS attacks, here are a few things that you can do to protect against a DNS attack. Hackers never stop searching for new vulnerabilities to exploit, so it is important to know what you can do to protect yourself from a DNS attack.
DNS attacks are not new but are becoming more prevalent as hackers are abusing and using DNS servers to accomplish their goals. On October 4th, 2021, Facebook, Instagram, and WhatsApp were down for a couple of hours, and one of the reasons was because the DNS was not resolving. This is why it is important that you understand what can be done to protect against such attacks. Remember that as DNS attacks are constantly evolving, so does DNS security. You should always be learning about what you can do to stop attackers from using DNS against you.