What is a DNS Attack and How Can You Protect Against It?

Table of Contents:

1. What is a DNS?
2. What is a DNS Attack? 
3. How Do Hackers Use DNS?
4. Types of DNS Attack
5. What is DNSSEC?
6. How to Protect Against a DNS Attack
7. Final Thoughts: DNS Attack

What is a DNS? 

The Domain Name System, or DNS, is a protocol that translates human-friendly URLs into IP addresses. Think of it as a phone book for the Internet. 

DNS is made up of the following components: an authoritative name server, a recursive server, DNS root server, and a TLD name server. Attackers can use DNS to establish a command and control (C2), which would allow them to gain unauthorized access into a network and be able to exfiltrate data.

Image source here

What is a DNS Attack?

A DNS attack is when a hacker exploits vulnerabilities in the DNS service. The focus of the attack is on the DNS infrastructure itself with either attempting to make the DNS service unavailable or corrupt answers that are usually provided by the DNS server. 

There are two general types of attacks on DNS: 

1. Attacks with the goal of disabling DNS
2. Attacks affecting the DNS response 

In the upcoming section, I will go into detail about some of the most common types of DNS attacks.

How Do Hackers Use DNS?

A major issue with the DNS system is the fact that an attacker can replace the authorized IP address of a webpage with a malicious one, therefore, directing users to a rogue website. The users would not have any knowledge of this IP swap as well.

Types of DNS Attack

DoS and DDoS Attacks

A distributed denial of service (DDoS) attack attempts to disrupt the regular traffic of a network or server by bombarding it with unnecessary traffic to overwhelm it and make it unresponsive. A DDoS attack can crash the entire DNS server preventing users from being able to access the web.

DNS Hijacking/DNS Redirection

Hackers redirect queries to a malicious website and target the DNS record of a webpage on the name server. 

DNS Poisoning/DNS Spoofing

This type of attack occurs when incorrect IP addresses are stored on a DNS cache. For example, instead of directing the user to amazon.com, the invalid DNS cache entry may take users to a phishing site instead that looks a lot like the real Amazon webpage. 

Here are a few ways on how DNS poisoning attacks may typically begin: 

• Hackers impersonate the DNS name server 
• Hacker makes a request to the DNS resolver
• The hackers forge a reply to the DNS resolver before the actual DNS name server is able to provide a reply

DNS Tunneling

This attack utilizes other protocols to pass DNS queries and responses. Hackers may use TCP, HTTP, or SSH to pass malware or exfiltrated information into DNS queries. 

NXDOMAIN Attack

This type of attack is a variant of DDoS and occurs when the DNS server is flooded with queries to non-existent domains, making it impossible for the server to respond to legitimate DNS requests. 

Phantom Domain Attack

This is a type of DoS (denial of service) attack that targets the authoritative name server. When the DNS server does not know an IP address, it will look up the address on other connected DNS servers. The purpose of this attack is to intercept the lookup process and slow down the function of the DNS server.

What is DNSSEC?

The DNS protocol was not designed with security in mind - hence all of the attacks that were created to exploit vulnerabilities in the DNS system - which was why DNS Security Extensions (DNSSEC) was created. DNSSEC protects against DNS attacks by digitally signing data to ensure its authenticity and accuracy. It implements hierarchical digital signing across all layers of DNS.

How to Protect Against a DNS Attack

Now that you have an understanding of some of the different DNS attacks, here are a few things that you can do to protect against a DNS attack. Hackers never stop searching for new vulnerabilities to exploit, so it is important to know what you can do to protect yourself from a DNS attack. 

1. Keep your resolver private and protected. If you are using your own resolver, only users within your network should have access  
2. Harden recursive DNS servers. Protect your recursive DNS servers from unwanted access and tampering through access controls, DNSSEC, etc. 
3. Be familiar with your DNS architecture. Understand your DNS architecture in order to properly secure it
4. Logging and monitoring DNS queries and the response data. Logging and monitoring inbound and outbound queries are beneficial to detecting anomalies
5. Configure your DNS to be as secure as possible. This can be done by using a random port instead of the standard port for DNS (UDP port 53), randomizing the query ID, and randomizing the case letters of the domain names that need to be resolved. 

Final Thoughts: DNS Attack

DNS attacks are not new but are becoming more prevalent as hackers are abusing and using DNS servers to accomplish their goals. On October 4th, 2021, Facebook, Instagram, and WhatsApp were down for a couple of hours, and one of the reasons was because the DNS was not resolving. This is why it is important that you understand what can be done to protect against such attacks. Remember that as DNS attacks are constantly evolving, so does DNS security. You should always be learning about what you can do to stop attackers from using DNS against you.