What is a DNS attack?

A DNS attack is a cyberattack in which the attacker exploits vulnerabilities in the Domain Name System. This is a grave issue in cybersecurity because DNS is a crucial part of the internet infrastructure and, at the same time, has many security holes.

There are many different ways in which DNS can be attacked. DNS reflection attacks, DoS, DDoS, and DNS poisoning are just some of the attack types DNS is susceptible to.

In this article, we'll be discussing DNS attacks and how we can respond to them.

What is DNS?

Before we get into the nuts and bolts of how the attacks happen, let's go through some of the basics of how the DNS or domain name system works.

[Figure: how DNS works]

For the sake of simplicity, think of DNS as a massive phone book that maps domain names to their assigned IP addresses. Your browser doesn't "understand" domain names – to retrieve a website, it needs the IP address of the server where it is hosted. So, when you enter a domain name, this DNS phone book finds the IP to connect to.

DNS cache

The lookup process wouldn't be very efficient if you had to go through the whole phone book each time you call your mom and dad. Likewise, your computer doesn't have to contact a remote DNS server each time it needs an IP address – for that, it relies on the DNS cache, which is historical DNS lookup information stored in your browser, OS, and router, and at other steps of the DNS lookup process.

If you're trying to visit a site whose assigned IP address your closest DNS resolver doesn't know, it will ask other DNS servers until it finds the IP. The DNS server then learns of this new site and adds the assigned IP address to the domain name, which is further shared across other DNS servers.

DNS attack

When hackers take advantage of vulnerabilities in the Domain Name System (DNS), we call this a DNS attack.

Some of the most common types of DNS attacks are the DDoS attack, DNS rebinding attack, cache poisoning, Distributed Reflection DoS attack, DNS Tunneling, DNS hijacking, basic NXDOMAIN attack, Phantom domain attack, Random subdomain attack, TCP SYN Floods, and Domain lock-up attack. We'll look at each of them in this article.

DoS and DDoS attacks

A Distributed Denial-of-Service (DDoS) attack is a hostile attempt to interrupt the regular traffic of a targeted network or server by bombarding the network or its surrounding infrastructure with internet traffic. Although DDoS isn't necessarily a DNS attack, the DNS system is a popular target.

[Figure: how a DNS attack works]

DDoS attacks achieve effectiveness by using multiple compromised computer systems as sources of attack traffic. Usually, attackers deploy bots to bombard the target with traffic. A case in which only one bot is used is known as a Denial-of-Service (DoS) attack and is mostly localized or has minimal effect. DDoS, on the other hand, has a broader impact and requires more resources.

Exploited machines may include computers and other networked resources, such as Internet of Things (IoT) devices. To better understand how a DDoS attack works, imagine a highway artificially clogged up with cars, thereby preventing regular traffic and causing a standstill traffic jam.

There are many types of DDoS attacks aimed at DNS, some of which we will discuss below.

One of the biggest DDoS attacks was the Dyn DNS attack. Dyn is an Internet Performance Management (IPM) company and a pioneering DNS service provider. The Dyn attack occurred on 21 October 2016. It affected a large portion of the internet in the US and Europe. The source of the attack was the Mirai botnet, consisting of IoT devices such as printers, Internet Protocol (IP) cameras, and digital video recorders.


NXDOMAIN attack

An NXDOMAIN attack is a DDoS variant in which the DNS server is flooded with queries for non-existent domain names, flooding the authoritative name server's cache and stopping legitimate DNS requests altogether.

[Figure: how a DNS NXDOMAIN attack works]

As you already know, your visits to websites are made possible by DNS converting domain names to IP addresses. Suppose you type asdasdasdasd.com into your address bar. DNS would not find a corresponding IP address, because it doesn't exist, and would return an error message. However, the resolver still tries to find the result, spending precious milliseconds looking through the cache, using CPU processing power, etc. In other words, before returning the error message, the request was processed along with other genuine requests.

Now, imagine that the attacker controls a botnet containing thousands of users. Each of them sends a request for a domain that doesn’t exist. This could clog the DNS server cache fairly quickly, denying service to users wanting to visit a legitimate site.

In recent times, some Internet Service Providers (ISPs) have started taking advantage of this situation in a harmful way. Instead of returning an error message, they direct these requests to servers with embedded ads, thus capitalizing on the invalid requests.

Phantom domain attack

A phantom domain attack is a type of DoS attack, directed towards an authoritative nameserver. It is done by setting up a bunch of DNS servers that don’t respond to DNS requests or do it very slowly, interrupting communications.

When a DNS server doesn’t know an IP address, it will look the address up on other connected DNS servers - this is known as recursive DNS. Phantom domain attacks are a method to intercept that lookup process. This wastes the server’s resources on non-functional or inefficient lookups.

When resources are fully consumed, the DNS recursive server may ignore legitimate queries and continue to focus on the non-responsive servers, causing severe performance issues.

Random subdomain attack

A random subdomain attack is very similar to an NXDOMAIN attack. The difference is that instead of asking the DNS for a non-existent domain, this attack asks for a non-existent subdomain.

Let us consider this scenario: imagine we want to access www.perfectacademy.org. Since this domain exists, we would definitely get a response to access the Perfect Academy website. If we then remove the "www" part and replace it with a random string, say dhutz.perfectacademy.org, the recursive DNS server will be forced to open a recursive context looking for that "dhutz" string from Perfect Academy's authoritative servers.

This will result in an NXDOMAIN response, which would be stored in the DNS server's negative cache (a store for non-existent domains). If the "dhutz" label were changed continuously, each query would trigger a recursive query to Perfect Academy's authoritative servers, consuming recursive contexts and populating the negative cache.

In effect, NXDOMAIN is much broader in scope and scale. Meanwhile, the random subdomain attack targets the domain’s authoritative nameservers in particular.
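To make the difference between the two patterns concrete from the defender's side, here is an added example (not part of the original article) that scans resolver query logs for both. The log format, the thresholds, and the "last two labels" rule for finding the parent zone are assumptions made for illustration, and the sample log is constructed.

```python
from collections import defaultdict

def build_sample():
    """Constructed resolver log: '<epoch> <client> <qname> <rcode>' (hypothetical format)."""
    log = [f"{1000+i} 10.0.0.5 www.example.org NOERROR" for i in range(5)]
    log.append("1005 10.0.0.5 exmaple.org NXDOMAIN")            # ordinary typo
    # One client asking for many non-existent domains (NXDOMAIN flood pattern).
    log += [f"{1010+i} 10.0.0.66 nodom{i}.example NXDOMAIN" for i in range(30)]
    # Many clients, each with a fresh label under one real zone (random subdomain pattern).
    log += [f"{1050+i} 10.0.1.{i} r{i:04x}.example.org NXDOMAIN" for i in range(25)]
    return log

def parent_zone(qname):
    # Assumption: registered domain = last two labels (no public-suffix list).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyze(lines, min_queries=20, nx_ratio=0.8, min_unique_nx=20):
    totals = defaultdict(int)        # client -> all queries seen
    nx = defaultdict(int)            # client -> queries answered NXDOMAIN
    nx_children = defaultdict(set)   # zone -> distinct non-existent subdomains
    for line in lines:
        _ts, client, qname, rcode = line.split()
        totals[client] += 1
        if rcode != "NXDOMAIN":
            continue
        nx[client] += 1
        name = qname.rstrip(".").lower()
        zone = parent_zone(name)
        if name != zone:             # only count names below the zone itself
            nx_children[zone].add(name)
    # Clients whose traffic is almost entirely lookups for names that do not exist.
    noisy_clients = sorted(c for c, n in totals.items()
                           if n >= min_queries and nx[c] / n >= nx_ratio)
    # Zones receiving many distinct missing subdomains, whoever asked for them.
    targeted_zones = {z: len(s) for z, s in nx_children.items()
                      if len(s) >= min_unique_nx}
    return noisy_clients, targeted_zones

if __name__ == "__main__":
    clients, zones = analyze(build_sample())
    print("clients with NXDOMAIN-heavy traffic:", clients)
    print("zones hit by many unique missing subdomains:", zones)
```

The per-client ratio catches a single noisy source, while the per-zone count catches a distributed random subdomain attack in which no individual client stands out.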

TCP SYN floods

Transmission Control Protocol Synchronize (TCP SYN) flood attack is a form of DDoS attack that interrupts the handshake between the server and client by flooding it with arbitrary requests.

[Figure: how a SYN flood attack works]

Rather than exhausting the server's processing power, this attack aims to exhaust the reserve of available open connections. It achieves this by sending bursts of synchronize (SYN) messages to the server faster than it can respond to them. A typical three-way handshake involves the client sending a synchronize (SYN) message to the server, the server responding with a synchronize-acknowledge (SYN-ACK) message, and the client answering with an acknowledge (ACK) message. While the server is preparing a SYN-ACK message as a reply, the attacker generates more and more requests, ending up with a bulk of half-open connections that eventually crashes the server.
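The following added example (not from the original article) is a toy model of a server's table of half-open connections, showing why a legitimate client is refused while the table is full and served again once stale entries time out. It sends no packets; the event list is constructed, and the backlog size and timeout values are assumptions chosen for illustration.

```python
def sample_events():
    """Constructed (time, source, kind) events; 'spoof-N' sources never send the final ACK."""
    events = [(0, f"spoof-{i}", "SYN") for i in range(6)]
    events += [(1, "client-A", "SYN"), (2, "client-A", "ACK"),
               (5, "client-B", "SYN"), (6, "client-B", "ACK")]
    return events

def simulate(events, backlog_size=4, half_open_timeout=3):
    """Replay events against a bounded half-open table.

    Returns (established, dropped): sources that completed the handshake,
    and sources whose SYN was ignored because no slot was free.
    """
    half_open = {}                   # source -> time the SYN-ACK was sent
    established, dropped = [], []
    for t, src, kind in events:
        # Expire entries whose final ACK never arrived in time.
        for s in [s for s, t0 in half_open.items() if t - t0 >= half_open_timeout]:
            del half_open[s]
        if kind == "SYN":
            if len(half_open) >= backlog_size:
                dropped.append(src)  # table full: the SYN goes unanswered
            else:
                half_open[src] = t   # server sends SYN-ACK and waits for the ACK
        elif kind == "ACK" and src in half_open:
            del half_open[src]       # handshake complete, slot is freed
            established.append(src)
    return established, dropped

if __name__ == "__main__":
    for size in (4, 8):
        ok, lost = simulate(sample_events(), backlog_size=size)
        print(f"backlog={size}: established={ok} dropped={lost}")
```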

DNS domain lock-up attack

The DNS domain lock-up attack is a form of DDoS attack that uses specially set up domains and resolvers. These also interrupt the handshake between the server and the client, not by withholding a response but by replying with random data packets. They keep the server engaged and waiting for a proper reply (which never comes), exhausting the reserve of available connections.

The main difference between this and the TCP SYN flood is that the DNS domain lock-up attack happens in the next phase of the three-way TCP handshake. To successfully establish a connection, the client sends out a SYN message, the server replies with a SYN-ACK message and waits for an ACK message back from the client. The DNS domain lock-up attack deliberately slows down the handshake, sending back ACK messages from the attacker's side. These false domains respond by sending random or useless packet data to keep the DNS resolver occupied and unable to complete the handshake. This completely shuts out all other legitimate connections for actual users.

DNS rebinding attack

DNS rebinding attacks use DNS vulnerabilities to bypass the web browser’s same-origin policy, allowing one domain to make requests to another - something that can have far-reaching consequences. For example, using DNS rebinding, an attacker may be able to gain control of your entire home network.

[Figure: how a DNS rebinding attack works]

Picture this: you're browsing a shady website, which happens to have a malicious script running:
