A DNS attack is any attack that exploits weaknesses in the Domain Name System (DNS). DNS is a critical piece of internet infrastructure, and the protocol was designed with very little built-in security, so attacks against it are a serious cybersecurity risk.
DNS attacks take many forms. DNS is susceptible to denial of service (DoS and DDoS), reflection and amplification attacks, cache poisoning, and more. In this post we’ll look at the most common DNS attacks and how to defend against them.
What exactly is DNS?
For simplicity, think of DNS as a giant phone book that maps domain names to IP addresses. Your browser doesn’t “understand” domain names; to fetch a website it needs the IP address of the server that hosts it. So when you type in a domain name, this DNS phone book is consulted to find the IP address to connect to.
Cache of DNS records
If you had to go through the entire phone book every time you called your parents, looking up the number would be very inefficient. Similarly, your computer doesn’t need to contact a distant DNS server every time it needs an IP address; it relies on a DNS cache, which holds the results of recent lookups and exists at several stages of the lookup path: in your browser, your operating system, your router and the recursive resolvers beyond it.
If you try to reach a site whose IP address your nearest DNS resolver does not have cached, the resolver queries other DNS servers on your behalf, following referrals from the root servers to the top-level domain servers to the domain’s own authoritative nameservers, until one of them answers. The resolver then caches that answer for the time-to-live (TTL) set by the domain’s owner, so later lookups for the same name are served locally until the record expires.
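To make the recursion-plus-cache behaviour concrete, here is an added example (not code from the original post) in Python: three constructed in-memory “servers” stand in for a root server, the .org TLD server and the domain’s authoritative nameserver, and a small resolver walks the referrals, caches the answer for its TTL, and also caches an NXDOMAIN for a non-existent name (negative caching, which matters for the random subdomain attack discussed later). The server names and the 203.0.113.10 address are made up for the example, and the clock is controllable so TTL expiry can be shown without waiting.

```python
import time
from dataclasses import dataclass, field


@dataclass
class Server:
    """A stand-in for one authoritative server (constructed for this example)."""
    name: str
    answers: dict                                   # qname -> (rrtype, rdata, ttl_seconds)
    referrals: dict = field(default_factory=dict)   # zone -> Server it delegates to
    queries_seen: int = 0                           # how often the resolver asked us

    def query(self, qname):
        self.queries_seen += 1
        if qname in self.answers:
            return "ANSWER", self.answers[qname]
        for zone, child in self.referrals.items():
            if qname == zone or qname.endswith("." + zone):
                return "REFERRAL", child
        return "NXDOMAIN", None


class CachingResolver:
    """Walks referrals from the root and caches both answers and NXDOMAINs."""
    NEGATIVE_TTL = 60   # seconds to remember that a name does not exist

    def __init__(self, root, clock=time.time):
        self.root = root
        self.clock = clock
        self.cache = {}     # qname -> (expires_at, rdata, or None for NXDOMAIN)

    def resolve(self, qname):
        now = self.clock()
        hit = self.cache.get(qname)
        if hit is not None and hit[0] > now:
            return hit[1], "cache"           # served locally, nothing sent upstream
        server = self.root
        while True:                          # root -> TLD -> authoritative
            kind, payload = server.query(qname)
            if kind == "REFERRAL":
                server = payload
                continue
            if kind == "ANSWER":
                _rrtype, rdata, ttl = payload
            else:
                rdata, ttl = None, self.NEGATIVE_TTL   # negative caching
            self.cache[qname] = (now + ttl, rdata)
            return rdata, "recursion"


def build_topology():
    """Three constructed servers; names and addresses are made up."""
    auth = Server("ns1.perfectacademy.org.",
                  {"www.perfectacademy.org.": ("A", "203.0.113.10", 300)})
    tld = Server("org-tld-server.example.", {}, {"perfectacademy.org.": auth})
    root = Server("root-server.example.", {}, {"org.": tld})
    return root, tld, auth


def demo():
    clock = [1_000.0]                       # controllable clock for the example
    root, tld, auth = build_topology()
    resolver = CachingResolver(root, clock=lambda: clock[0])

    first = resolver.resolve("www.perfectacademy.org.")     # full recursion
    second = resolver.resolve("www.perfectacademy.org.")    # cache hit
    clock[0] += 301                                         # the 300 s TTL has expired
    third = resolver.resolve("www.perfectacademy.org.")     # recursion again

    missing = resolver.resolve("dhutz.perfectacademy.org.")       # NXDOMAIN, negatively cached
    missing_again = resolver.resolve("dhutz.perfectacademy.org.")  # served from negative cache
    return {
        "first": first, "second": second, "third": third,
        "missing": missing, "missing_again": missing_again,
        "auth_queries": auth.queries_seen, "root_queries": root.queries_seen,
    }


if __name__ == "__main__":
    print(demo())
```

Only three of the six lookups ever reach the constructed root and authoritative servers; the other three are answered from the cache, which is exactly the load the attacks below try to defeat by asking for names that can never be cached usefully.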
DNS attack
A DNS attack occurs when attackers take advantage of weaknesses in the domain name system (DNS).
DDoS attacks, DNS rebinding, cache poisoning, distributed reflection DoS, DNS tunneling, DNS hijacking, NXDOMAIN attacks, phantom domain attacks, random subdomain attacks, TCP SYN floods and domain lock-up attacks are some of the most common forms of DNS attack. In this post we’ll look at the denial-of-service variants and DNS rebinding in more detail.
DDoS and DoS
A Distributed Denial-of-Service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server or network by flooding it, or the infrastructure around it, with traffic. A DDoS attack is not necessarily a DNS attack, but DNS infrastructure is a common target.
DDoS attacks are effective because they use many compromised systems as sources of attack traffic; typically the attacker controls them as a botnet. A plain Denial-of-Service (DoS) attack comes from a single source, so its effect is usually smaller and easier to block. A DDoS attack spreads the load across many sources, which makes it both larger and much harder to filter.
The compromised machines include ordinary computers as well as networked devices such as Internet of Things (IoT) equipment. Imagine a freeway deliberately jammed with cars so that regular traffic cannot get through; that is how a DDoS attack works.
There are several kinds of DDoS attack aimed at DNS, and we’ll go through a few of them below.
The attack on Dyn was one of the most significant DDoS attacks to date. Dyn is a major DNS service provider that described itself as an Internet Performance Management (IPM) company. The attack took place on October 21, 2016 and made a large part of the internet unreachable for users in the United States and Europe. It came from the Mirai botnet, made up of compromised IoT devices such as printers, IP cameras and digital video recorders.
NXDOMAIN attack
An NXDOMAIN attack is a DDoS variant in which a DNS server is flooded with queries for domain names that do not exist. The recursive resolver has to chase every one of them and the authoritative servers have to answer every one, so both get swamped and genuine queries are delayed or dropped.
As noted above, DNS converts domain names to IP addresses so that you can reach websites. Suppose you type asdasdasdasd.com into your browser’s address bar. DNS cannot find an IP address for it because the name does not exist, so it returns an error (the NXDOMAIN response code). Before it can do that, however, the resolver still has to do the work: check its cache, send the query upstream, wait for the reply and spend CPU time and memory on the whole process. In other words, the bogus request is processed alongside legitimate ones before the error comes back.
Now assume the attacker controls a botnet of tens of thousands of machines, each of which keeps asking for names that do not exist. This can quickly fill the resolver’s cache with negative entries and exhaust its capacity for outstanding queries, so that real users can no longer reach legitimate websites.
Some Internet Service Providers (ISPs) have turned this situation to their own advantage in an unwelcome way: rather than returning the error, they redirect such requests to servers that serve embedded advertisements, profiting from mistyped names. This NXDOMAIN redirection also breaks software that relies on receiving a genuine error.
Phantom domain attack
A phantom domain attack is a denial-of-service (DoS) attack on a recursive resolver. The attacker sets up a number of “phantom” domains whose nameservers either never respond to DNS queries or respond very slowly, and then floods the resolver with queries for names in those domains.
When a resolver doesn’t know an address, it recursively queries other DNS servers to find it. A phantom domain attack ties up that lookup: every query for a phantom domain forces the resolver to wait on a server that never answers properly, wasting resolver resources on lookups that can never succeed.
Once those resources are depleted, the recursive resolver ends up ignoring genuine queries while it waits on the non-responsive servers, and performance degrades sharply.
Random subdomain attack
A random subdomain attack differs from an NXDOMAIN attack in that, instead of querying for a non-existent domain, the attacker asks for non-existent subdomains of a real domain.
Consider the following scenario: we want to visit www.perfectacademy.org. We would almost certainly get a response if we accessed the Perfect Academy website using this name. If we delete the “www” and replace it with a random string, such as dhutz.perfectacademy.org, the recursive resolver has to open a recursion context to ask Perfect Academy’s authoritative servers about the “dhutz” label.
An NXDOMAIN answer comes back and is kept in the resolver’s negative cache (a cache of names known not to exist). If the “dhutz” label is changed on every query, each query triggers another recursive query to Perfect Academy’s authoritative servers, consuming recursion contexts on the resolver and filling its negative cache.
In practice an NXDOMAIN attack is broader in scope and volume, spread across many domains and aimed mostly at resolvers, whereas a random subdomain attack concentrates on one domain and so hits that domain’s authoritative nameservers hardest, while also burdening any resolver it passes through.
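Both floods leave a recognisable trace in resolver query logs, and the difference between them is visible too: an NXDOMAIN flood shows up as clients whose queries almost all fail, while a random subdomain attack shows up as many distinct non-existent names beneath one real zone. The following added example (not from the original post) runs two such checks over a constructed log in a simplified “timestamp client qname rcode” format; the addresses and names are invented, the thresholds are arbitrary starting points, and `zone_of` assumes two-label zones where a real deployment would consult the public suffix list.

```python
from collections import Counter, defaultdict

# Constructed resolver log (not from any real system). One query per line:
# "<epoch-seconds> <client-ip> <qname> <rcode>".
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.perfectacademy.org. NOERROR
1700000001 10.0.0.5 mail.perfectacademy.org. NOERROR
1700000002 10.0.0.5 wwww.perfectacademy.org. NXDOMAIN
1700000002 10.0.0.5 www.example.com. NOERROR
1700000003 10.0.0.5 cdn.example.net. NOERROR
1700000003 10.0.0.5 api.example.org. NOERROR
1700000004 10.0.0.5 www.perfectacademy.org. NOERROR
1700000002 10.0.0.12 asdasdasdasd.com. NXDOMAIN
1700000002 10.0.0.12 qwpoeiruqwpo.com. NXDOMAIN
1700000003 10.0.0.12 zxmncbvzxmnc.net. NXDOMAIN
1700000005 10.0.0.9 dhutz.perfectacademy.org. NXDOMAIN
1700000005 10.0.0.9 k3r9x.perfectacademy.org. NXDOMAIN
1700000005 10.0.0.9 pq0wl.perfectacademy.org. NXDOMAIN
1700000005 10.0.0.9 b7ttn.perfectacademy.org. NXDOMAIN
1700000006 10.0.0.9 zz91a.perfectacademy.org. NXDOMAIN
1700000006 10.0.0.9 m4vxe.perfectacademy.org. NXDOMAIN
1700000006 10.0.0.9 o8gqd.perfectacademy.org. NXDOMAIN
1700000006 10.0.0.9 r2yhc.perfectacademy.org. NXDOMAIN
1700000007 10.0.0.9 u5kfs.perfectacademy.org. NXDOMAIN
1700000007 10.0.0.9 w1ljp.perfectacademy.org. NXDOMAIN
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        rows.append((int(ts), client, qname.lower(), rcode))
    return rows


def zone_of(qname, depth=2):
    """Zone a query falls under, e.g. perfectacademy.org. (assumes two-label zones)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:]) + "."


def nxdomain_ratio_by_client(rows, min_queries=5):
    """Share of NXDOMAIN answers per client; flood sources converge on 1.0."""
    total, nx = Counter(), Counter()
    for _ts, client, _qname, rcode in rows:
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    return {c: nx[c] / total[c] for c in total if total[c] >= min_queries}


def random_subdomain_zones(rows, min_distinct=8):
    """Zones that received many distinct non-existent names *beneath* them.
    Whole bogus domains (an NXDOMAIN flood) are not counted against any zone."""
    distinct = defaultdict(set)
    for _ts, _client, qname, rcode in rows:
        if rcode != "NXDOMAIN":
            continue
        zone = zone_of(qname)
        if qname != zone:
            distinct[zone].add(qname)
    return {z: len(names) for z, names in distinct.items() if len(names) >= min_distinct}


def report(text=SAMPLE_LOG, ratio_threshold=0.8):
    rows = parse_log(text)
    ratios = nxdomain_ratio_by_client(rows)
    return {
        "flood_sources": sorted(c for c, r in ratios.items() if r >= ratio_threshold),
        "random_subdomain_targets": random_subdomain_zones(rows),
    }


if __name__ == "__main__":
    print(report())
```

On the constructed log the ordinary client (one typo in seven queries) stays well below the ratio threshold, the client hammering perfectacademy.org is flagged as a flood source, and perfectacademy.org itself is flagged as the target of a random subdomain attack; the three whole-domain NXDOMAINs from 10.0.0.12 count toward that client’s ratio but not toward any zone.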
TCP SYN floods
A Transmission Control Protocol Synchronize (TCP SYN) flood is a type of DDoS attack that swamps a server with connection requests that are never completed, abusing the TCP handshake.
Rather than using up the server’s processing capacity, this attack aims to use up its table of open connections. In a normal three-way handshake the client sends a synchronise (SYN) segment, the server replies with a synchronise-acknowledge (SYN-ACK) and records a half-open connection, and the client completes the handshake with an ACK. A SYN flood sends SYN segments, usually from spoofed source addresses, faster than the server can handle them and never sends the final ACK, so half-open connections pile up until the backlog is full and the server can no longer accept connections from real clients. Because DNS uses TCP as well as UDP (for large responses and zone transfers), a DNS server is as exposed to this as any other TCP service.
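The standard defence against exhausting the half-open table is SYN cookies: instead of storing state for every SYN, the server encodes the connection details into the sequence number it sends in the SYN-ACK, and only creates state when an ACK comes back that carries a valid cookie. The following is an added example in Python (not from the original post) of a simplified cookie in the spirit of the Linux layout (5 bits of time slot, 3 bits of MSS index, 24 bits of keyed hash), together with a toy listener that shows a three-slot backlog being filled by five bogus SYNs and a real client getting through once cookies are on. The secret, addresses and ports are constructed for the example; a real kernel rotates its secret and handles IPv6 too.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed secret for the example; a real implementation rotates it.
SECRET = b"example-syn-cookie-secret"
# Coarse MSS table, like the one Linux SYN cookies use, encoded in 3 bits.
MSS_TABLE = (536, 1300, 1440, 1460)


def _mac24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash over the IPv4 connection 4-tuple and the time slot."""
    msg = struct.pack("!4sH4sHI", ipaddress.ip_address(saddr).packed, sport,
                      ipaddress.ip_address(daddr).packed, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, peer_mss, t):
    """Initial sequence number for the SYN-ACK, sent instead of storing state.
    Layout: 5 bits time slot | 3 bits MSS index | 24 bits MAC."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= peer_mss:
            idx = i              # largest table entry not above what the peer offered
    return ((t & 0x1F) << 27) | (idx << 24) | _mac24(saddr, sport, daddr, dport, t)


def check_cookie(saddr, sport, daddr, dport, ack, now):
    """Validate the ACK of a handshake we kept no state for.
    Returns the negotiated MSS, or None if the cookie is forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the peer ACKs our ISN + 1
    slot, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    for t in (now, now - 1):                 # accept the current and the previous slot
        if (t & 0x1F) == slot and _mac24(saddr, sport, daddr, dport, t) == mac:
            return MSS_TABLE[idx]
    return None


class Listener:
    """Toy TCP listener: a bounded half-open backlog, or stateless SYN cookies."""

    def __init__(self, backlog=3, syncookies=False):
        self.backlog, self.syncookies = backlog, syncookies
        self.half_open = {}                  # 4-tuple -> ISN we sent
        self.established = 0
        self.dropped_syn = 0

    def on_syn(self, saddr, sport, daddr, dport, peer_mss, now):
        key = (saddr, sport, daddr, dport)
        if self.syncookies:
            return make_cookie(saddr, sport, daddr, dport, peer_mss, now)  # no state kept
        if len(self.half_open) >= self.backlog:
            self.dropped_syn += 1            # backlog full: this is where a SYN flood wins
            return None
        isn = hash(key) & 0xFFFFFFFF
        self.half_open[key] = isn
        return isn

    def on_ack(self, saddr, sport, daddr, dport, ack, now):
        key = (saddr, sport, daddr, dport)
        if self.syncookies:
            ok = check_cookie(saddr, sport, daddr, dport, ack, now) is not None
        else:
            ok = key in self.half_open and self.half_open.pop(key) + 1 == ack
        self.established += int(ok)
        return ok


def demo(syncookies):
    """Five SYNs that never complete, then one real client; True if it connects."""
    srv = Listener(backlog=3, syncookies=syncookies)
    for port in range(40000, 40005):
        srv.on_syn("198.51.100.7", port, "203.0.113.53", 53, 1460, now=10)
    isn = srv.on_syn("192.0.2.10", 50000, "203.0.113.53", 53, 1460, now=10)
    if isn is None:
        return False
    return srv.on_ack("192.0.2.10", 50000, "203.0.113.53", 53, isn + 1, now=10)
```

With cookies the server keeps no per-SYN state at all, so the flood cannot fill anything; the trade-off, as in real implementations, is that TCP options not encoded in the cookie are lost for cookie-validated connections.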
DNS domain lock-up attack
A DNS domain lock-up attack is a DDoS variant in which the attacker sets up specially configured domains and resolvers that never send a proper answer and instead reply with random data packets. They keep the victim resolver busy waiting for a valid response that never arrives, exhausting its connection pool.
The domain lock-up attack differs from the TCP SYN flood in where the damage is done. A SYN flood fills the server with half-open connections by withholding the final ACK of the three-way handshake (SYN, SYN-ACK, ACK); in a lock-up attack the attacker’s side does send the ACK and the handshake completes, but the bogus domains then answer with random or useless data instead of a DNS response, so the resolver keeps the connection open and keeps waiting. With enough of these, all of the resolver’s connections are tied up and legitimate connections from real users fail.
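Both the phantom domain attack and the domain lock-up attack work the same way from the resolver’s point of view: a fetch to an upstream that never produces a usable answer holds a slot until the resolver gives up, and enough of those slots starve everyone else. The usual mitigation is to cap how many concurrent fetches any one server or zone may hold, so that a misbehaving upstream can only ever take a bounded share of the pool. This added example (not from the original post) is a small Python replay of that: 30 attacker queries for a phantom zone whose server never answers arrive first, then 20 legitimate queries for a healthy zone; the resolver has a 10-slot pool and a 10-second timeout, and the second run adds a per-server quota of 4. All names, timings and sizes are constructed for the example.

```python
import heapq
from collections import Counter


def simulate(queries, pool_size, timeout, per_server_quota=None):
    """Replay queries through a resolver with `pool_size` outstanding-fetch slots.

    queries: (arrival_time, source, upstream, latency); latency None means the
    upstream never answers, so the slot is held until `timeout` expires.
    Returns (accepted, dropped) counters keyed by the query source.
    """
    in_flight = []                         # heap of (finish_time, upstream)
    outstanding = 0
    per_server = Counter()
    accepted, dropped = Counter(), Counter()
    for t, source, upstream, latency in sorted(queries, key=lambda q: q[0]):
        while in_flight and in_flight[0][0] <= t:          # free slots that finished
            _, srv = heapq.heappop(in_flight)
            outstanding -= 1
            per_server[srv] -= 1
        if outstanding >= pool_size:
            dropped[source] += 1                           # pool exhausted: SERVFAIL
            continue
        if per_server_quota is not None and per_server[upstream] >= per_server_quota:
            dropped[source] += 1                           # that server already has its share
            continue
        finish = t + (timeout if latency is None else latency)
        heapq.heappush(in_flight, (finish, upstream))
        outstanding += 1
        per_server[upstream] += 1
        accepted[source] += 1
    return accepted, dropped


def scenario():
    """Constructed workload: phantom-domain flood first, legitimate traffic after."""
    attack = [(i * 0.01, "attacker", "ns.phantom.example.", None) for i in range(30)]
    legit = [(1.0 + i * 0.1, "legit", "ns1.perfectacademy.org.", 0.05) for i in range(20)]
    return attack + legit


def compare(pool_size=10, timeout=10.0, quota=4):
    """Same workload without and with a per-server fetch quota."""
    without = simulate(scenario(), pool_size, timeout)
    with_quota = simulate(scenario(), pool_size, timeout, per_server_quota=quota)
    return {
        "no_quota": {"legit_accepted": without[0]["legit"],
                     "legit_dropped": without[1]["legit"]},
        "quota": {"legit_accepted": with_quota[0]["legit"],
                  "legit_dropped": with_quota[1]["legit"],
                  "attacker_accepted": with_quota[0]["attacker"]},
    }


if __name__ == "__main__":
    print(compare())
```

Without the quota the first ten phantom queries occupy every slot for the full timeout and all twenty legitimate queries are refused; with the quota the phantom server can never hold more than four slots, so every legitimate query is served. Production resolvers expose this knob directly (BIND’s fetches-per-server and fetches-per-zone, for instance), and a short timeout for servers that have already proven unresponsive helps further.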
DNS rebinding attack
DNS rebinding exploits use DNS to get around the web browser’s same-origin policy. The attacker’s domain first resolves to the attacker’s own server, which serves a malicious page, and the record carries a very short TTL; on the next lookup the same domain is “rebound” to an internal address such as your router’s. Because the browser judges origin by hostname, the page’s scripts are now allowed to send requests to the internal device as though it were the attacker’s own site, which can have serious repercussions. An attacker may, for example, use DNS rebinding to reconfigure a home router and take control of your whole home network.
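There are two places to break a rebinding attack, and the added Python example below (not from the original post) shows both. On the resolver, refuse answers that map a public name to a private, loopback or link-local address unless the name is in a zone you expect to have such addresses; this is what resolver options such as Unbound’s private-address do. On the device being targeted, check the HTTP Host header against the names the device actually answers to, so that a page from attacker.example cannot talk to the router even after the name has been rebound to the router’s IP. The allowlist, the attacker.example name, the corp.internal. zone and the addresses are all constructed for the example.

```python
import ipaddress

# Constructed allowlist for a home router's admin interface.
ALLOWED_HOSTS = {"router.local", "192.168.1.1", "::1", "localhost"}

# Ranges that must never appear in an answer for an external name.
# Deliberately explicit rather than ipaddress.is_private, which also treats the
# documentation ranges used in this example (203.0.113.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def reject_private_answers(qname, addresses, trusted_zones=()):
    """Resolver-side defence: drop internal addresses from answers for names
    outside the zones that are allowed to point at internal hosts."""
    qname = qname.lower()
    zones = [z.lower() for z in trusted_zones]
    if any(qname == z or qname.endswith("." + z) for z in zones):
        return list(addresses)
    kept = []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in INTERNAL_NETS):
            continue             # e.g. attacker.example -> 192.168.1.1 is a rebinding
        kept.append(a)
    return kept


def _normalise_host(host_header):
    """Strip the port, IPv6 brackets and trailing dot from a Host header value."""
    h = host_header.strip().lower()
    if h.startswith("["):                    # "[v6]:port"
        return h[1:h.index("]")]
    if h.count(":") == 1:                    # "name:port" or "v4:port"
        h = h.split(":", 1)[0]
    return h.rstrip(".")


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Application-side defence: serve only requests whose Host header names
    this device. A rebound attacker.example arrives with Host: attacker.example."""
    try:
        return _normalise_host(host_header) in allowed
    except ValueError:
        return False


def rebinding_sequence():
    """The two-step lookup an attacker stages (constructed): a public address
    with a tiny TTL first, then the victim's internal router address."""
    lookups = [("attacker.example.", ["203.0.113.66"]),
               ("attacker.example.", ["192.168.1.1"])]
    return [reject_private_answers(q, a) for q, a in lookups]


if __name__ == "__main__":
    print(rebinding_sequence(), host_header_allowed("attacker.example"))
```

The resolver filter is the more general protection because it covers every device on the network at once, but it needs an exception list for internal zones; the Host header check is what a well-written embedded web interface should do regardless, since it cannot assume anything about the resolver its users are behind.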
How can you protect yourself against a DNS attack?
Attackers aren’t unstoppable super-hackers: they look for weaknesses in DNS and exploit them, so closing the obvious ones goes a long way.
There are a few things we can do as users to protect ourselves from DNS attacks:
- If you run your own DNS resolver, only allow clients on your own network to use it. An open resolver can be abused for reflection attacks and is easier for an attacker to poison; restricting recursion to your own clients reduces both risks.
- If you operate your own DNS server, keep it and the operating system it runs on patched and up to date, so that it cannot be abused through known vulnerabilities.
You can also defend yourself against DNS attacks at your domain name registrar:
- DNSSEC lets DNS data be digitally signed, so that a validating resolver can detect forged answers and an attacker cannot easily spoof your records. Check whether your provider supports DNSSEC, and make sure it is actually enabled and your zone is signed.
- Use two-factor authentication wherever possible. Even if an attacker obtains one of your administrators’ passwords, two-factor authentication keeps your DNS protected, since a second factor, such as a one-time code from an authenticator app or delivered to a phone, is still required. Prefer app- or hardware-based codes over SMS or email, which can themselves be hijacked.
- It’s also a good idea to enable change locking (often called a registrar lock or domain lock). With it, a specific extra step must be completed before any change to the domain or its nameservers is accepted, which blocks unauthorised transfers and hijacking.
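For the resolver-side advice above, here is what the weak and the hardened settings look like as named.conf excerpts. This is an added example, not from the original post, and it assumes you run BIND 9; the option names are standard BIND options, but check each against the manual for the version you actually run, and adjust the network ranges and limits to your environment.

```conf
// Weak: an open resolver that answers recursive queries from anyone.
// Usable for reflection attacks and a soft target for cache poisoning.
options {
    recursion yes;
    allow-recursion { any; };
};

// Hardened: recursion only for local clients, response rate limiting against
// reflection, and caps on concurrent recursion so one slow or unresponsive
// zone (phantom domain, lock-up) cannot exhaust the resolver.
acl "internal" { 127.0.0.1; ::1; 10.0.0.0/8; 192.168.0.0/16; };

options {
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
    rate-limit { responses-per-second 10; window 5; };
    recursive-clients 1000;
    fetches-per-zone 200;
    fetches-per-server 200;
    dnssec-validation auto;
};
```

The two options blocks are alternatives, not meant to appear in one file. The fetches-per-zone and fetches-per-server limits are the configuration counterpart of the per-server quota discussed under phantom domain attacks, and dnssec-validation auto makes the resolver reject signed zones whose answers fail validation.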