What is a DNS Attack
A Domain Name System (DNS) attack is one in which cyber-criminals exploit weaknesses in the Domain Name System (DNS). The purpose of DNS is to translate user-friendly domain names into machine-readable IP addresses; that lookup is performed by a DNS resolver.
The DNS resolver first checks its own local cache for the domain name and its IP address. If it does not find the record there, it queries other DNS servers. Failing that, it looks for the DNS server that holds the canonical (authoritative) mapping for the domain.
Once the answer is found, the requesting application stores both the domain name and the IP address in the local cache. Because organizations cannot directly monitor the flow of traffic between remote clients and DNS servers, DNS attacks have become a relatively easy way for cyber-criminals to compromise networks and cause disruption.
Types of DNS Attack
There are many different types of DNS attack, each of which exploits weaknesses in one of the three types of DNS server: the DNS stub resolver, the DNS recursive resolver, and the DNS authoritative server.
Typically, attackers try to intercept and exploit the plaintext communication between clients and servers. Alternatively, they may use stolen credentials to log in to a DNS server and redirect its DNS records. Below are some of the most common DNS attacks seen today:
Zero-day attack: This is where the attacker exploits DNS software vulnerabilities that were previously unknown to the victims.
Cache poisoning: Cache poisoning is where the attacker tricks DNS resolvers into caching false information, such as IP addresses, in an attempt to redirect traffic to a malicious website.
Distributed Denial of Service (DDoS): This is where an attacker floods a DNS server with traffic in order to disrupt it and make it unavailable to its intended users. Unlike a simple Denial of Service (DoS) attack, which sends traffic from a single device, a DDoS attack uses a botnet: a set of compromised devices spread across many different networks, which together send large volumes of traffic to the target server.
DNS amplification: A DNS amplification attack is a type of DDoS attack in which the adversary sends DNS queries with a forged source IP address to an open DNS resolver, causing the resolver to send its responses (which are larger than the queries, hence "amplification") to the spoofed address rather than to the attacker; that address might itself be another open DNS resolver. By continuously sending such queries, the attacker can quickly overwhelm a network with traffic.
Fast-flux DNS: DNS fast fluxing associates multiple IP addresses with a single domain name and then rapidly swaps those IP addresses, making malicious domains harder to track and block.
DNS tunneling: While not directly an attack on DNS itself, DNS tunneling gives attackers who have infected a victim's system a way to establish a covert tunnel over DNS traffic, which can then be used to exfiltrate data or implant further malware on that system.
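To make the last two entries concrete from a defender's point of view, here is an added example (not code from the original article or from Lepide) that scans resolver query logs for the two patterns just described: tunneling, which shows up as long, high-entropy leftmost labels, and fast flux, which shows up as one name resolving to many different addresses within a short window. The log format, the sample lines, the thresholds and the function names are all assumptions made for this example.

```python
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed resolver-log format; this is not real traffic.
# Format assumed: "<timestamp> client <ip> query: <qname> IN <qtype> -> <answer>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 client 10.0.0.5 query: www.example.com IN A -> 93.184.216.34
2024-05-01T10:00:02 client 10.0.0.5 query: mail.example.com IN MX -> 93.184.216.35
2024-05-01T10:00:03 client 10.0.0.7 query: 3q2b5v7x9z1k4m6n8p0rstuvwx.t.example.net IN TXT -> 198.51.100.9
2024-05-01T10:00:04 client 10.0.0.7 query: a8f3k2j9d0s7h5g1q4w6e2r8tyuiop.t.example.net IN TXT -> 198.51.100.9
2024-05-01T10:00:05 client 10.0.0.9 query: cdn.flux.example.org IN A -> 203.0.113.11
2024-05-01T10:00:35 client 10.0.0.9 query: cdn.flux.example.org IN A -> 203.0.113.12
2024-05-01T10:01:05 client 10.0.0.9 query: cdn.flux.example.org IN A -> 203.0.113.13
2024-05-01T10:01:35 client 10.0.0.9 query: cdn.flux.example.org IN A -> 203.0.113.14
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+) -> (?P<answer>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunneling_suspects(records, min_label_len=20, min_entropy=3.5):
    """Return qnames whose leftmost label is long and random-looking, i.e. looks like encoded data.
    Thresholds are assumed starting points; tune them against your own baseline traffic."""
    out = []
    for rec in records:
        label = rec["qname"].split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            out.append(rec["qname"])
    return out


def fast_flux_suspects(records, min_distinct_ips=4, window_seconds=300):
    """Return names whose A answers changed across many distinct IPs within a short window.
    Large CDNs also rotate addresses, so treat a hit as a lead to investigate, not a verdict."""
    seen = defaultdict(list)
    for rec in records:
        if rec["qtype"] == "A":
            seen[rec["qname"]].append((rec["ts"], rec["answer"]))
    suspects = []
    for qname, hits in seen.items():
        hits.sort()
        ips = {ip for _, ip in hits}
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        if len(ips) >= min_distinct_ips and span <= window_seconds:
            suspects.append(qname)
    return suspects


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("possible tunneling:", tunneling_suspects(recs))
    print("possible fast flux:", fast_flux_suspects(recs))
```

Both checks are heuristics rather than proof: a long high-entropy label is also what some legitimate anti-spam and CDN lookups look like, and a fast-changing IP set is normal for large content networks, so in practice the flagged names are joined against threat intelligence and record TTLs before anyone acts on them.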
How to Prevent DNS Attacks
It is imperative that organizations harden their DNS security to prevent attackers from transferring DNS zones, modifying DNS resolvers, and so on. However, since organizations cannot easily monitor DNS activity for signs of compromise (although they should still try), they need to rely on other methods and practices, such as those detailed below.
Use the latest DNS software: Make sure that all DNS software has the latest patches installed.
Use multi-factor authentication (MFA): Implement MFA on all accounts that have access to DNS infrastructure.
Implement Domain Name System Security Extensions (DNSSEC): DNSSEC uses digital signatures based on public key cryptography to provide an additional layer of security to your DNS.
Isolate your DNS server: Regardless of whether you are using your own dedicated DNS server or a cloud-based DNS server, it should be 100% dedicated to DNS services only.
Audit your DNS zones: Carefully review DNS records, zones, and IP addresses, including your A, CNAME, and MX records, for signs of compromise.
Hide your BIND version: BIND is a DNS server used by many organizations. Since attackers can easily obtain your DNS server version by running a remote query, it is a good idea to hide your BIND version by setting the version string to "Forbidden", or to some other value that does not reveal the real version.
Restrict DNS zone transfers: A DNS zone transfer copies the entire contents of a DNS zone. Attackers sometimes attempt a zone transfer in order to gain a better understanding of your network topology.
Disable DNS recursion: This helps to prevent DNS poisoning attacks.
Use a DDoS mitigation provider: Take advantage of DDoS mitigation services such as Cloudflare, Incapsula, or Akamai.
Continuously monitor network traffic: This includes logs generated by firewalls, intrusion prevention systems, and SIEM solutions. You should also monitor logs generated by your DNS resolver, and any passive DNS replication software you use.
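The BIND-related items above (hide the version, restrict zone transfers, disable recursion, enable DNSSEC) translate into a handful of named.conf options. The following added example, which is not from the original article or from the BIND project, embeds a constructed weak options block beside a hardened one and audits each for those four settings. The config fragments, the check wording and the function names are assumptions made for this example; the BIND directives it looks for (version, recursion, allow-transfer, dnssec-validation) are real, but their defaults vary between BIND releases, so confirm them against the documentation for the version you run.

```python
import re

# Constructed named.conf "options" fragment with weak settings (not from any real server).
WEAK_OPTIONS = """\
options {
    directory "/var/named";
    recursion yes;
    allow-transfer { any; };
    dnssec-validation no;
};
"""

# Constructed hardened counterpart: version hidden, recursion off, transfers denied, DNSSEC on.
HARDENED_OPTIONS = """\
options {
    directory "/var/named";
    version "Forbidden";
    recursion no;
    allow-transfer { none; };
    dnssec-validation auto;
};
"""

# One single-line directive: name, then everything up to the terminating semicolon.
DIRECTIVE_RE = re.compile(r"^\s*([a-z-]+)\s+(.*?);\s*$", re.MULTILINE)


def parse_options(conf):
    """Return {directive: value} for the single-line directives inside the options block."""
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.DOTALL)
    body = m.group(1) if m else conf
    return {k: v.strip() for k, v in DIRECTIVE_RE.findall(body)}


def audit_options(conf):
    """Return a list of findings; an empty list means none of the four checks fired."""
    opts = parse_options(conf)
    findings = []
    if "version" not in opts:
        findings.append("version: unset, so a version.bind query returns the real BIND version")
    if opts.get("recursion", "yes") == "yes":  # BIND has historically defaulted to recursion yes
        findings.append("recursion: enabled; set 'recursion no' on authoritative servers "
                        "(on a resolver, limit allow-recursion to internal clients instead)")
    xfer = opts.get("allow-transfer")
    if xfer is None or "any" in xfer:
        findings.append("allow-transfer: zone transfers not restricted; use { none; } "
                        "or list only your secondary servers")
    if opts.get("dnssec-validation") == "no":
        findings.append("dnssec-validation: disabled; use 'auto' so answers are validated")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(f"{name}: {audit_options(conf) or 'no findings'}")
```

The parser only understands single-line directives inside the options block, which is enough for these four settings; a production audit would read the server's effective configuration (for example via named-checkconf -p) rather than a hand-copied fragment, and would also walk per-zone allow-transfer statements, which override the global one.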
If the security of Active Directory is a concern to your organization, it's worth checking out what Lepide can do to help. Lepide can detect and react to threats to Active Directory in real time, including external and internal security threats. If you'd like to see more, schedule a demo with one of our engineers.