What is a DNS attack?

You may not have heard about them, but DNS attacks are a serious issue. Learn all about them and the preventative measures you can take right here.

A Domain Name System attack, or DNS attack, is a very serious issue in cybersecurity. DNS has a lot of vulnerabilities and this makes it easy for attackers to gain access to its data. There are also many different ways in which DNS can be attacked. We have the DNS reflection attack, DoD, DDoS, and so on.

We’ll be discussing the aspects of DNS attacks and how we can respond to them in this article.

What is DNS?

DNS means Domain Name System. It’s the directory of domain names in which a user can gain access to internet resources. These domain names are then translated to IP addresses so browsers can load these resources.

The idea of domain names came to be so that people could easily memorize the names when accessing content on the net, but web browsers do not understand them, so they use IP addresses instead.

This is why there’s a need for translation. You can liken DNS to the phonebooks – we use names, while telco systems use numbers.

DNS attack

A DNS attack is when hackers or attackers take advantage of vulnerabilities in the domain name system (DNS).

When a user requests an IP address, there is a recursive query to identify the IP address. The queries are not in any way encrypted so they can be intercepted. There are different ways in which attackers can intercept queries.

Some of the most common types of DNS attacks are DDOS attack, DNS rebinding attack, cache poisoning, Distributed Reflection DoS attack, DNS Tunneling, DNS hijacking, basic NXDOMAIN attack, Phantom domain attack, Random subdomain attack, TCP SYN Floods, and Domain lock-up attack. We’ll look at each of them in this article.

DDoS attack

A Distributed Denial-of-Service (DDoS) attack is a hostile attempt to interrupt normal traffic of a targeted network or server by bombarding the network or its surrounding infrastructure with Internet traffic. There are different DNS attack map to visually in real time DDoS attacks around the world.

DDoS attacks achieve effectiveness by making use of several compromised computer systems as sources of attack traffic. Most times, attackers deploy bots to bombard the target with false traffic. A case whereby only one bot is used is referred to as Denial Of Service (DoS) and is mostly localised or has minimal effect. DDoS, on the other hand, has a more broad effect and will require several deployed bots.

Exploited machines can include computers and other networked resources such as the Internet of Things (IoT) devices. To better understand how the DDoS attack works, imagine a highway clogged up with spoilt cars, thereby preventing regular traffic and causing a standstill traffic jam.

One of the biggest DDoS attacks was the Dyn DNS attack. Dyn is an Internet Performance Management (IPM) company, who is believed to be a pioneer DNS service provider. The Dyn attack occurred on the 21st of October 2016. It affected a large portion of the internet in the United States and Europe. The source of the attack was the Mirai botnet, consisting of IoT devices such as printers, Internet Protocol (IP) cameras, and digital video recorders.

DNS rebinding attack

DNS rebinding works by making a malicious web page cause visitors to run a client-side script that attacks computers connected to the network. In theory, the same-origin policy prevents this from happening: client-side scripts are only allowed to access content on the same host that served the script.

Comparing domain names is an important part of imposing this policy, so DNS rebinding finds a way around this security by abusing the DNS. This attack can be used to breach a private network by causing the victim’s web browser to access computers at private IP addresses and return the results to the attacker.

This form of attack is closely related to how the DNS attack is carried out.

NXDOMAIN attack

NXDOMAIN simply means Non-existence domain. When a query for a domain is requested or when an internet browser tries to access a website, it sends a request to access the site through the domain name hoping to get the domain name converted to an IP address.

If this IP address is converted by the DNS server, the browser gets access to the website. In a case whereby the domain name is not registered with an IP address, an error message occurs instead. This case is referred to as NXDOMAIN. An NXDOMAIN attack is a form of DNS cyber attack that works by hijacking the error message and directing the query or the web browser to another page.

This is a unique type of what is a DNS attack, as attackers try to flood the DNS server with false queries to resolve a non-existent domain name. The DNS server looks for the domain that does not really exist, and hence never finds it.

As the server attempts to look for the pseudo domains sent to it, the cache gets clogged up with NXDOMAIN results and hence reduces the speed of the original requests’ response. Some Internet Service Providers (ISPs) in recent times started the bad practice of taking advantage of this situation. As they direct users to advert pages in a case of NXDOMAIN, which is against the standard practice.

Cache poisoning

A DNS cache or DNS resolver cache is a temporary database, maintained by a computer’s operating system, that contains records of all the recent visits and attempted visits to various websites and other internet domains.

Cache Poisoning, which is also known as a DNS spoofing attack, is a form of cyber attack and works by corrupting the DNS data being stored. This DNS data is then introduced into the DNS resolver cache, causing the DNS server to return an incorrect result record for queries made. This results in traffic being diverted to the attacker’s computer (or any other computer).

Most times, this occurs as the DNS servers take information passed to them by other DNS server without proper authentication.

Phantom domain attack and random subdomain attack

A phantom domain attack occurs when an attacker sets up fake domains that do not respond to DNS queries. Under normal circumstances, the DNS recursive server contacts DNS servers to resolve recursive queries. When phantom domain attacks occur, the recursive server continues to query non-responsive servers, which causes the recursive server to spend valuable resources waiting for responses.

When resources are fully consumed, the DNS recursive server may ignore legitimate queries and continue to focus on the non-responsive servers, causing serious performance issues.

The random subdomain attack works in an almost similar manner. In this case, the attacker queries a non-existent subdomain over and over again leading to an overpopulated negative cache.

Let us consider this scenario, imagine we want to access www.perfectacademy.org. Since this domain exists, we would definitely get a response to access the Perfect Academy website. If we then remove the “www” part and replace with a random string, say dhutz.perfectacademy.org, the recursive DNS server will be forced to open a recursive context looking for that “dhutz” string from Perfect Academy’s authoritative servers.

This will result in an NXDOMAIN response, that would be stored in the DNS server’s negative cache (which is more like a store for non-existent domains). If the “dhutz” label was changed continuously, then each query would trigger a recursive query to Perfect Academy’s authoritative servers, consuming recursive contexts and populating the negative cache.

TCP SYN floods and domain lock-up attack

Transmission Control Protocol Synchronize (TCP SYN) flood attack is a type of DNS attack that makes use of part of the traditional TCP handshake to use up resources on the targeted server and make it unresponsive. A typical three-way handshake simply involves the client sending a synchronize (SYN) message to the server, the server responds with a synchronize-acknowledge (SYN-ACK) message.

The client then responds back with an ACK message. After this is done, a connection is established. With this type of attack, the attacker sends TCP connection requests faster than the targeted server can process them. The server, however, tries to respond to all these messages resulting in “half-open” connections, which ultimately gives no room for legitimate connections.

Another form of attack is the DNS Domain lock-up attack. This form of attack involves the attackers setting up false resolvers and domains to establish a TCP-based connection with DNS resolvers. When the DNS resolver requests a response, these false domains respond by sending a random or useless packet data to keep the DNS resolver occupied.

In addition to this, these false domains will sluggishly respond to the DNS resolver requests. The DNS server, thinking the connection is legitimate, will keep the connection open, hoping to receive a response from the false domains. During this wait, resources become exhausted and legitimate requests are queued up or completely blocked.

DNSSEC tools

In order to successfully deploy DNSSEC on the client and server, you will need to install special software.

Some of the software tools needed are:

1. Windows 7 and Windows Server 2008 R2: it includes a “security-aware” stub resolver that can distinguish between secure and spam responses by a recursive name server.
2. Windows Server 2012 DNSSEC: it’s compatible with secure dynamic updates with Active Directory-integrated zones.
3. BIND: this incorporates the newer DNSSEC-bis (DS records) protocol as well as support for NSEC3 records.
4. Unbound: this is a DNS name server completely written from the scratch with DNSSEC concepts in mind. Other examples include mysqlBind, OpenDNSSEC, Knot DNS, PowerDNS.

What is DNSSEC?

Domain Name System Security Extensions creates a secure DNS by attaching cryptographic signatures to already available DNS records. These digital signatures are kept in DNS name servers with regular record types like Mail Exchanger (MX), Canonical Name (CNAME) and so on.

By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and was not altered while in transmission, as opposed to a fake record injected in a man-in-the-middle attack.

Since DNSSEC is an extension of DNS, it adds a few new DNS record types such as:

1. RRset Signature (RRSIG), which contains zones with a group of records of the same type
2. DNSKEY, which contains a public signing key.
3. Delegation Signer (DS) containing the hash (like a reference) of a DNSKEY record. This allows the transfer of trust from a parent zone to a child zone. DS helps resolvers ascertain that a child is authenticated
4. Next Secure (NSEC) and NSEC3 which is used by resolvers to ascertain the non-existence of a record name and type. Normally, an NXDOMAIN response occurs when a non-existent domain is requested but instead of this response, a “next secure” record is returned instead, which is provides a result (domain) close to the one queried or requested.

How to mitigate a DNS attack

Now we understand that attackers are not super hackers that cannot be stopped. All they do is just look for any vulnerabilities in a DNS and attack through that.

There are some few things we can do as users to mitigate attacks on DNS:

1. If you operate your own DNS resolver, restrict the usage to only users connected to your network. This will help to prevent attackers from poisoning your resolver’s cache.
2. If you run your own DNS server, then make sure you keep the DNS server and the OS they run patched and updated to prevent them from being exploited by known vulnerabilities.

If you use a domain name registrar, you can also protect yourself from DNS attacks:

1. DNSSEC allows DNS data to be digitally signed so that it becomes impossible for an attacker to forge it. So be sure to confirm if your provider has implemented DNSSEC.
2. Make use of two-factor authentication. If attackers gain access to one of your administrators account details, two-factor authentication will still make your DNS safe because access to the account will depend on a second authentication factor such as a one-time password sent to a mobile phone or email address.
3. You should enable modification locking. This feature requires a certain action to be performed before any change can be made

Final thoughts

The impact of a DNS attack can be drastic. We’ve seen from history how such an act has caused a cybersecurity panic in major cities. The Internet Engineering Task Force (IETF) and major internet security bodies in the world are constantly developing new technologies to help reduce or eradicate these attacks.

The introduction of DNSSEC is a major leap in cybersecurity. DNSSEC has different records set up to authenticate queries made to the DNS server, which ultimately filter out potential spam queries.

There are solutions now created to defend against DNS attacks, some of which are Cloudflare, Stackpath, Flowmon, and Incapsula.