What is a DNS Attack?

Blog / What is a DNS Attack?

What is a DNS Attack?

A DNS attack is an attack centred on a network’s Domain Name System. There are many types of attack that could be considered a DNS attack, but this article will focus on several variants previously mentioned in last week’s piece on the large proportion of businesses who suffered DNS attacks in the past year. 

Therefore, DNS hijacking, flood, reflection and amplification, tunnelling and cache poisoning are the types of attack which will be covered. Ways to mitigate against DNS attacks will also be outlined. 

DNS explained

The Domain Name System (DNS) is a network protocol that translates domain names (e.g., Securiwiser.com) into an IP address to enable it to be recognised and searchable by computers. 

When domain names are searched for in browsers such as Google Chrome or Microsoft Edge, a program called a DNS resolver in the client’s operating system looks up the domain’s numerical IP address. 

As the associated IP address is searched for, the local DNS cache is first queried which holds IP addresses it already knows. If the cache does not have the address, the DNS resolver will ask other DNS servers until it finds the IP. DNS servers are recursive so they will query each other to find the correct server that holds the necessary IP. 

Once the IP address is located by the resolver, it returns this numerical value so the domain name can be accessed and will also cache the address for future use. 

Types of DNS attack

The Domain Name System has been an essential part of the Internet since 1985. However, it was designed for usability and not security. DNS attacks will often take advantage of the reciprocated communication between clients and servers. 

DNS hijacking 

Also called DNS redirection, this occurs when DNS queries are incorrectly resolved to redirect users to alternative, often malicious, sites. The domain name of the malicious site may appear very similar to the actual name, such as only one character being different to make it appear legitimate.  

Malware could be used to infect the client’s machine which changes the local DNS settings. In this situation, all DNS requests are sent to the attacker’s DNS server, such as with the DNSChanger worm

DNS flood 

A DNS flood is a type of distributed denial-of-service (DDoS) attack where the attacker floods the DNS servers of a particular domain in order to disrupt DNS resolution. If the address cannot be found for a website, API or web application as it can no longer respond to legitimate traffic, the service can be compromised and unable to function. 

DNS reflection & amplification 

Another form of DDoS attack, reflection and amplification attacks are volumetric and involve an attacker leveraging open DNS resolvers to overwhelm a target server or network with amplified traffic. This in-turn renders the server or network inaccessible. 

Malicious actors will send small queries with the aim of getting large responses. By utilising a botnet to have each bot make similar requests, the attacks both remains hidden and gets the benefit of greatly increased attack traffic. 

A request is made with a spoofed IP address (changed to the real IP address of the targeted victim) and then the DNS resolvers respond, having the ability for huge amounts of traffic to be sent to the target. 

DNS tunnelling  

DNS is widely used and trusted and is also not intended for data transfer. As a result, many organisations don’t monitor their DNS traffic for malicious activity. DNS tunnelling exploits the DNS protocol to tunnel malware and other data. 

How this type of DNS attack works is, firstly, a domain’s name server is pointed to an attacker’s server, where a tunnelling malware program is installed. A victim’s computer is then infected with malware. DNS requests are always allowed to move through the firewall, so the infected computer is able to send a query to the DNS resolver. 

A connection is established between the victim and attacker through the DNS resolver routing the query to the attacker’s command server. The tunnelling program can then be used to exfiltrate data or for other malicious purposes. 

Cache poisoning 

This type of attack involves storing incorrect IP addresses on the DNS cache. Since the cache is queried first in a DNS lookup, storing an incorrect (malicious) address means this is the address which will always be retrieved.  

The attackers will impersonate a DNS name server, make a request to a DNS resolver and then forge a reply to the resolver before the actual DNS name server can answer. Once this is done once the cache is ‘poisoned’ and will redirect to the malicious address each time. Only once the entry’s time to live (TTL) expires, or the DNS cache is cleared will clean up this issue.

How to mitigate DNS attacks 

There are different ways to help defend against DNS attacks. 

  • Update DNS server software whenever possible and ensure you are always using the latest version as this will include patches to vulnerabilities 
  • Consistently monitor DNS traffic 
  • Implement multifactor authentication when making changes to the DNS 
  • Utilise Domain Name System Security Extensions (DNSSEC) which provides DNS data with digital signatures using public key cryptography so it can’t be forged 

Securiwiser provides a cybersecurity vulnerability assessment for your domain which provides detailed information on your DNS health. Securiwiser can also consistently monitor your traffic which will alert you of any unusual activity, helping prevent DNS attacks and other attacks to your digital infrastructure.

How secure is

your business?

Security test

How secure is

your business?

Security test