The Domain Name System (DNS) is essentially the address book of the Internet. Your browser uses DNS to find the IP address of a given service: when you enter esecurityplanet.com, the browser queries a DNS service to reach the corresponding servers. DNS is also used when you send an email, to locate the recipient's mail servers.
This is convenient for users, who don't have to remember each service's IP address, but it is not without security risks and vulnerabilities. Attackers will often enumerate DNS before attempting the common attacks described below.
DNS attacks are often the first step toward other actions such as data theft, defacement or even ransomware, which have caused serious damage to many organizations in recent years. These attacks are also popular with hackers because they are generally difficult for security tools to detect, and they allow thousands of victims to be targeted in a single operation.
DNS: five critical concepts
In order to understand DNS attacks and how they can affect you, you must first understand what DNS is and how it works:
- Each connected device has a unique IP address so that other machines can find and identify it.
- DNS takes the hassle out of remembering barely human-readable addresses for every device and service.
- Each time you browse a web page, several DNS servers are called before you can actually see the content.
- The operation of translating domain names into IP addresses is called DNS lookup and is handled by DNS resolvers.
- The DNS cache, also called the DNS resolver cache, is a database of recent DNS lookups. Because there are multiple caches at different levels, you often have to wait for DNS propagation after creating or updating DNS records.
Common DNS Attacks Explained
This is not an exhaustive list, but the following techniques are the most common attacks hackers use to compromise DNS.
DNS spoofing or poisoning
The term spoofing means that the attacker tries to impersonate a legitimate service, for example by falsifying the IP address associated with a domain.
Although DNS spoofing is a fairly popular approach, it is a generic term that covers a variety of situations. DNS cache poisoning is probably more accurate in describing the most common scenario: the attacker manages to fill the DNS cache with false information, so that DNS queries redirect users to a malicious IP address.
DNS resolvers have no way to verify the data sitting in their cache. This is why false information remains in the cache until it expires, as set by the record's time to live (TTL). Although the attack is temporary by definition, it is often enough to successfully deliver malware.
Most of the time, hackers redirect users to a copy of the legitimate website to steal credentials or banking data. Some fake websites show signs that users can spot, but they can be quite difficult to detect, for example when the site is an exact clone of the original application.
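To make the cache-poisoning discussion concrete, here is an added Python example (not code from the original article) of the checks a stub resolver applies before it trusts a response, and of a cached entry that lives only until its TTL runs out. All packets, names, addresses and transaction IDs are constructed for the demonstration; the fake clock exists only to make TTL expiry deterministic.

```python
import struct
import time


def encode_name(name):
    """Encode a dotted name in DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def decode_name(packet, offset):
    """Decode a wire-format name at offset, following compression pointers.
    Returns (dotted_name, offset just after the name in the original byte stream)."""
    labels = []
    end = None  # where parsing resumes once a pointer has been followed
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack(">H", packet[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode())
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_response(txid, name, ip, ttl):
    """Constructed DNS response with one A record; the answer name is a pointer to the question name."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 question, 1 answer
    question = encode_name(name) + struct.pack(">HH", 1, 1)      # type A, class IN
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4)   # pointer to offset 12, A, IN, TTL, rdlength
    answer += bytes(int(octet) for octet in ip.split("."))
    return header + question + answer


def parse_response(packet):
    """Parse the header, question and A-record answers of a DNS response."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack(">HHHHHH", packet[:12])
    qname, offset = decode_name(packet, 12)
    qtype, _qclass = struct.unpack(">HH", packet[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(ancount):
        rname, offset = decode_name(packet, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((rname, ".".join(str(b) for b in rdata), ttl))
    return {"txid": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}


class ResolverCache:
    """Minimal cache: accepts only responses matching an outstanding query, expires entries by TTL."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # txid -> (qname, qtype) for queries we actually sent
        self.entries = {}   # qname -> (ip, expiry timestamp)

    def send_query(self, txid, qname, qtype=1):
        self.pending[txid] = (qname, qtype)

    def accept(self, packet):
        """Return True if the response was cached, False if rejected as unsolicited or mismatched."""
        resp = parse_response(packet)
        expected = self.pending.get(resp["txid"])
        # A forged response has to guess the transaction ID *and* repeat the exact question.
        if expected is None or expected != (resp["qname"], resp["qtype"]):
            return False
        for rname, ip, ttl in resp["answers"]:
            if rname == resp["qname"]:  # only cache answers for the name we asked about
                self.entries[rname] = (ip, self.clock() + ttl)
        del self.pending[resp["txid"]]
        return True

    def lookup(self, qname):
        """Return the cached IP, or None once the record's TTL has elapsed."""
        entry = self.entries.get(qname)
        if entry is None:
            return None
        ip, expires_at = entry
        if self.clock() >= expires_at:
            del self.entries[qname]  # poisoned or not, the entry dies with its TTL
            return None
        return ip


def demo():
    """Walk a spoofing attempt through the cache; every packet here is constructed test data."""
    now = [1000.0]  # fake clock
    cache = ResolverCache(clock=lambda: now[0])
    cache.send_query(0x1234, "example.com")
    wrong_id = build_response(0x9999, "example.com", "203.0.113.66", 3600)  # ID guessed wrong
    wrong_q = build_response(0x1234, "evil.example", "203.0.113.66", 3600)  # right ID, other question
    genuine = build_response(0x1234, "example.com", "192.0.2.10", 60)
    results = {
        "wrong_id_accepted": cache.accept(wrong_id),
        "wrong_question_accepted": cache.accept(wrong_q),
        "genuine_accepted": cache.accept(genuine),
        "cached": cache.lookup("example.com"),
    }
    now[0] += 61  # advance past the 60-second TTL
    results["after_ttl"] = cache.lookup("example.com")
    return results


if __name__ == "__main__":
    print(demo())
```

The transaction-ID and question checks are exactly what an off-path attacker has to defeat when racing the real answer, and the TTL expiry is why the article calls the attack temporary: once the poisoned entry ages out, the next lookup goes back to the network.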
DNS tunneling
This attack relies on a client-server architecture and consists of encapsulating other protocols, such as TCP or SSH, inside DNS requests in order to tunnel malware and its traffic through DNS. The attacker will usually register a domain name and point it to a server they control, which hosts the malware.
Hackers have used this technique for a long time, as it is particularly effective at connecting an infected machine to its command and control server. No firewall can block these DNS requests, since DNS traffic has to be allowed through.
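Because the traffic itself cannot simply be blocked, defenders look for tunneling in query logs instead. The following Python detector is an added example (not code from the original article) that runs a few common heuristics over a constructed query log: long or high-entropy leftmost labels, record types that carry arbitrary data, and many distinct subdomains from one client under one domain. The log lines, thresholds and the name exfil-example.test are all made up for the example.

```python
import math
from collections import defaultdict

# Constructed query log (timestamp, client, query type, name); not from any real capture.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A mail.example.com
2024-01-01T10:00:03 10.0.0.7 TXT 3a7f9c2e1b4d8a6f0e5c7b9d2a4f6e8c.t.exfil-example.test
2024-01-01T10:00:03 10.0.0.7 TXT 9e1c4b7a2d5f8e0c3b6a9d1f4e7c0a2b.t.exfil-example.test
2024-01-01T10:00:04 10.0.0.7 TXT 5d8a1f4c7e0b3a6d9c2f5e8b1a4d7c0e.t.exfil-example.test
2024-01-01T10:00:04 10.0.0.7 A 2b5e8c1a4f7d0b3e6a9c2d5f8e1b4a7c.t.exfil-example.test
2024-01-01T10:00:05 10.0.0.9 A cdn.example.com
2024-01-01T10:00:06 10.0.0.7 TXT 7c0e3b6a9d2f5c8e1b4a7d0c3f6e9b2a.t.exfil-example.test
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads (hex, base32, base64) score high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Crude approximation (last two labels); a real deployment would use the public suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse 'timestamp client qtype name' lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, name = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(), "name": name.lower()})
    return records


def query_indicators(rec, max_label=30, min_entropy=3.5):
    """Per-query indicators; thresholds are assumptions to tune against your own baseline."""
    reasons = []
    first = rec["name"].split(".")[0]
    if len(first) >= max_label:
        reasons.append("long_label")
    if shannon_entropy(first) >= min_entropy:
        reasons.append("high_entropy_label")
    if rec["qtype"] in ("TXT", "NULL"):   # types that can carry arbitrary data downstream
        reasons.append("data_carrying_qtype")
    return reasons


def detect_tunneling(records, min_unique=4, min_avg_label=20):
    """Group by (client, registered domain); flag groups with many distinct, long subdomains."""
    groups = defaultdict(set)
    for rec in records:
        groups[(rec["client"], registered_domain(rec["name"]))].add(rec["name"])
    alerts = []
    for (client, domain), names in sorted(groups.items()):
        avg_label = sum(len(n.split(".")[0]) for n in names) / len(names)
        if len(names) >= min_unique and avg_label >= min_avg_label:
            alerts.append({"client": client, "domain": domain,
                           "unique_names": len(names), "avg_label_len": avg_label})
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        if query_indicators(rec):
            print(rec["client"], rec["name"], query_indicators(rec))
    print(detect_tunneling(recs))
```

The per-query indicators catch individual suspicious lookups; the grouping catches the pattern that matters, a single host generating a stream of unique, never-repeating subdomains under one domain, which is how a tunnel defeats caching.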
DNS hijacking
In this case, the attacker redirects all requests to another domain name server, for example after gaining unauthorized access to modify DNS records. Unlike DNS poisoning attacks, the DNS cache is not involved.
There are different DNS hijacking approaches and techniques. For example, the hacker can change the local DNS settings of a machine or compromise the router.
DNS amplification
The idea is to amplify traffic by bouncing it off vulnerable DNS servers, which also hides the exact origin of the attack. The attacker spoofs the source address of the queries so that the much larger responses are delivered to the victim's addresses, which can bring down an entire infrastructure with minimal resources.
DNS flood
Flood attacks take advantage of devices with high bandwidth to bombard DNS servers, which cannot handle the gigantic volume of requests. Such attacks are often driven by powerful botnets (e.g. Mirai), which can take down even the largest organizations.
DNS encryption: DoH versus DoT
To combat DNS attacks, major companies such as Google have pushed DNS encryption over TLS (DoT) or HTTPS (DoH). For years most DNS queries were not encrypted, which leaves DNS prone to man-in-the-middle (MITM) attacks: for example, anyone who gains access to a Wi-Fi or corporate network can intercept or tamper with DNS queries and responses.
With free software such as Wireshark, it is relatively easy to capture that data, including sensitive transactions and, more generally, all Internet traffic.
The root problem is the blind trust between devices and DNS resolvers. Fortunately, encryption can protect DNS messages in transit. Although it is not exactly the same concept, it is a bit like migrating a website from HTTP to HTTPS.
DNS over TLS wraps DNS messages in a secure channel: TLS handshake messages are exchanged between client and server before the encrypted DNS messages are sent.
It relies on a dedicated port (853), which some firewalls block and which can conflict with existing architectures, potentially forcing users to fall back to unencrypted DNS queries. DoH was created to solve that problem and to let web applications use existing HTTPS APIs.
DoH carries DNS queries over the HTTPS protocol, so without proper authorization it is theoretically impossible to read the requests and responses.
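To show what "DNS over HTTPS" means on the wire, here is an added Python example (not from the original article) that builds a DNS query in wire format and encodes it the way RFC 8484 specifies for the GET form (base64url, no padding, in the `dns` parameter) and the POST form (raw message with the `application/dns-message` media type), then decodes the GET parameter the way a DoH server would. The resolver URL https://dns.example/dns-query is a placeholder; no network request is made.

```python
import base64
import struct

DNS_MESSAGE = "application/dns-message"   # media type RFC 8484 defines for DoH requests and responses


def encode_name(name):
    """Dotted name to DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype=1, txid=0):
    """Wire-format DNS query; RFC 8484 recommends ID 0 so identical queries are cacheable by HTTP."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN


def doh_get_url(base_url, name, qtype=1):
    """GET form: the wire query travels in the 'dns' query parameter, base64url without '=' padding."""
    wire = build_query(name, qtype)
    param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={param}"


def doh_post_request(base_url, name, qtype=1):
    """POST form: the raw wire query is the body, with the dns-message content type on both sides."""
    return {
        "method": "POST",
        "url": base_url,
        "headers": {"Content-Type": DNS_MESSAGE, "Accept": DNS_MESSAGE},
        "body": build_query(name, qtype),
    }


def decode_dns_param(param):
    """Server side of the GET form: restore padding, decode, and read the question section."""
    wire = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    txid, flags, qdcount = struct.unpack(">HHH", wire[:6])
    labels, offset = [], 12
    while wire[offset] != 0:
        length = wire[offset]
        labels.append(wire[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    qtype = struct.unpack(">H", wire[offset + 1:offset + 3])[0]
    return {"txid": txid, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "name": ".".join(labels), "qtype": qtype}


if __name__ == "__main__":
    url = doh_get_url("https://dns.example/dns-query", "www.example.com")
    print(url)
    print(decode_dns_param(url.split("dns=", 1)[1]))
```

Everything after `?dns=` is an ordinary DNS packet; what protects it is the TLS session the HTTPS client already negotiated, which is why DoH needs no new port and passes through middleboxes that would block port 853.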
Protect DNS with DNSCrypt
DNSCrypt is a protocol that encrypts, authenticates, and optionally anonymizes communications between a DNS client and a DNS resolver.
It can filter traffic that goes over UDP and TCP, for example from the browser, which is an effective security measure in corporate networks, and its authentication can prevent DNS spoofing.
DNSCrypt can be installed as a client on most operating systems, including Windows, macOS and Linux, as well as Android, iOS and open router firmware. The most popular client is dnscrypt-proxy.
Pros
- Lets you inspect the traffic generated on the network
- Can block ads, malware and spam
- Uses port 443
- Can reduce latency (e.g. in IPv4-only networks)
- Can be deployed on cloud servers
Cons
- Security takes precedence over availability, which is usually a good thing but can be a drawback
- Can become a single point of failure if other layers are not secured
How to Secure DNS with DNSSEC
The DNS Security Extensions (DNSSEC) use public-key digital signatures to harden DNS. Instead of encrypting DNS queries and responses, DNSSEC secures DNS data with public and private key pairs.
The private key is used to sign the DNS data in a given zone and produce a digital signature, while the public key is published in the zone. Any resolver looking up data in the zone can retrieve the public key and validate the authenticity of the DNS data before returning it to the user.
If the signature is missing or incorrect, the resolver treats the answer as an attack and discards the data.
In addition, DNSSEC adds new DNS record types such as RRSIG (the cryptographic signature) and DNSKEY (the published public key).
Pros
- Effective in mitigating DNS poisoning
- Easy to deploy and activate
- Excellent industry support
Cons
- Uses validation rather than encryption, so it does not hide DNS traffic
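To make the "public key published in the zone" step concrete, here is an added Python example (not from the original article) that goes one step beyond the passage: it computes the key tag a validator uses to pick out a DNSKEY (RFC 4034 Appendix B) and the DS record a parent zone publishes to vouch for that key (RFC 4034 section 5.1.4, SHA-256 digest), then shows the validator rejecting a key that does not match. The zone name and the four-byte "public key" are constructed placeholders, far too short for real key material.

```python
import hashlib
import struct


def canonical_name(name):
    """Owner name in canonical wire form (RFC 4034 §6.2): lowercase, length-prefixed labels, zero byte."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA layout: flags (2 bytes), protocol (always 3), algorithm, then the raw public key."""
    return struct.pack(">HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest: hash(canonical owner name || DNSKEY RDATA); type 1 is SHA-1, type 2 is SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(canonical_name(owner) + rdata).hexdigest()


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """The DS record a parent zone publishes so resolvers can trust the child's key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def dnskey_matches_ds(ds, owner, flags, protocol, algorithm, public_key):
    """A validator's check: the DNSKEY fetched from the child must reproduce the parent's DS exactly."""
    candidate = ds_record(owner, flags, protocol, algorithm, public_key, ds["digest_type"])
    return (candidate["key_tag"], candidate["algorithm"], candidate["digest"]) == \
           (ds["key_tag"], ds["algorithm"], ds["digest"])


# Constructed key material: flags 257 marks a key-signing key, algorithm 8 is RSA/SHA-256.
ZONE = "example.com"
KSK = (257, 3, 8, b"\x01\x02\x03\x04")   # placeholder "public key" for the example only

if __name__ == "__main__":
    ds = ds_record(ZONE, *KSK)
    print(ds)
    print("genuine key accepted:", dnskey_matches_ds(ds, ZONE, *KSK))
    print("tampered key accepted:", dnskey_matches_ds(ds, ZONE, 257, 3, 8, b"\x01\x02\x03\x05"))
```

A single flipped byte in the published key changes both the tag and the digest, so a resolver walking the chain of trust from the parent refuses the substituted key; the same rejection applies further down when an RRSIG does not verify against a key the chain has accepted.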
Go further: DNS Pentesting
Regular DNS pentests (penetration tests) are probably one of the best security measures you can take to secure your organization's DNS, because they mimic real-world attacks.
Pentesters will typically start by enumerating services with Nmap, then use dig to explore your DNS. For example, you can look up the authoritative name servers for mozilla.org with the following command on Kali Linux:
```shell
# +nssearch asks each authoritative name server for the zone's SOA record
dig mozilla.org +nssearch
```
The ultimate goal of dig commands is to retrieve information such as the list of DNS servers, mail servers, or authoritative name servers. Metasploit also has dedicated modules for DNS enumeration, such as auxiliary/gather/enum_dns.