The domain name system (DNS) is basically a directory of addresses for the internet. Your browser uses DNS to find the IP for a specific service. For example, when you enter esecurityplanet.com, the browser queries a DNS service to reach the matching servers, but it’s also used when you send an email.
It is handy for users, as they don’t have to remember the IP address for each service, but it does not come without security risks and vulnerabilities. Attackers will likely enumerate DNS to try common attacks.
It’s often the first step to perform further actions such as data thefts, defacing, or even ransomware attacks that have caused severe damages to many organizations in recent years. Besides, such attacks are loved by hackers, as it’s usually hard to detect by security tools, and it allows targeting thousands of victims in one operation.
Also read: How to Prevent DNS Attacks
DNS: Five Critical Concepts
In order to understand DNS attacks and how they can affect you, you must first understand what DNS is and how it works:
- Each device connected has a unique IP to allow other machines to find and recognize them.
- DNS removes the hassle of memorizing barely human-readable addresses for each device and service.
- Every time you browse a web page, multiple DNS servers are called before you can actually see the content.
- The operation that consists of translating domain names into IP addresses is called DNS lookup and is handled by DNS resolvers.
- DNS cache, also known as DNS resolver cache, is a database filled with recent DNS lookups. Because there are multiple caches at different levels, oftentimes you have to wait for the DNS propagation when creating or updating DNS entries.
Common DNS Attacks Explained
It’s not an exhaustive list, but the following techniques are the most common attacks used by threat actors to compromise DNS.
DNS spoofing or poisoning
The term spoofing means the attacker tries to impersonate a legitimate service, for example, by faking the IP associated with a domain.
While DNS spoofing is a pretty popular approach, it’s a generic term that covers various situations. DNS cache poisoning is probably more accurate to describe the most common scenario: In this situation, the attacker manages to fill the DNS cache with false information, so the DNS query will redirect users to a rogue IP.
It’s technically not possible for DNS resolvers to check the data in the cache. That’s why the false information remains in the cache until the expiration, also known as TTL or time to live. Even if this attack is only temporary by definition, it’s often enough to inject malware successfully.
Most of the time, the hackers redirect users to a copy of the legitimate website to steal credentials or banking data. While there is some evidence of counterfeit websites users can spot, it’s sometimes pretty hard to detect, for example, when it’s an exact clone of the original app.
Also read: New DNS Spoofing Threat Puts Millions of Devices at Risk
This attack relies on a client-server architecture and consists of using other protocols such as TCP or SSH to tunnel malware through DNS requests. The attacker will typically register a domain name and point it to his server that hosts malware.
Hackers have been using this technique for a long time, as it is particularly efficient to connect a command-and-control server to an infected machine. There is no firewall that can block these DNS requests.
In this case, the attacker redirects all queries to another domain name server, for example, after gaining unauthorized access to modify DNS records. Unlike with DNS poisoning attacks, the DNS cache is not involved.
There are different approaches and techniques for DNS hijacking. For example, the hacker can modify the local DNS settings or compromise the router.
The idea is to amplify the traffic of vulnerable DNS servers to hide the exact origin of an attack. The attacker forges the destination to be the victim’s addresses, which can take down an entire infrastructure with minimum resources.
Flooding attacks take advantage of devices that work with a high bandwidth to bomb DNS servers. The targeted servers cannot handle the gigantic volume of queries. Such attacks are often associated with super-charged botnets (e.g. Mirai), which can take down even the largest organizations.
DNS Encryption: DoH vs. DoT
To combat DNS attacks, major companies such as Google have pushed forward DNS encryption over TLS (DoT) or HTTPS (DoH). This is because most DNS requests have been unencrypted for years, which means DNS is prone to MITM (man-in-the-middle attacks). For example, anyone who manages to get into a Wi-Fi or a corporate network can mess with DNS queries and responses.
Using free software such as Wireshark, it’s relatively easy to capture data, including sensitive operations and all internet traffic.
The big problem is the blind trust between devices and DNS resolvers. Fortunately, encryption can harden access to DNS messages. While it’s not the exact same concept, it’s a bit like migrating from HTTP to HTTPS for a website.
DNS encryption over TLS has been introduced to embed messages in secure channels. TLS handshake messages are exchanged between the client and the server before sending the encrypted DNS messages.
It relies on a new port (e.g. port 53) that can be blocked by some firewalls and conflicts with existing architectures, which could ultimately force users to go back to unencrypted DNS requests. That’s why DoH has been created to fix the problem and allow web applications to use existing APIs.
DoH allows executing DNS queries through the HTTPS protocol. Without proper authorization, it’s theoretically impossible to gain access to queries and responses.
Protecting DNS with DNSCrypt
DNSCrypt is a protocol that encrypts, authenticates, and optionally anonymizes communications between a DNS client and a DNS resolver.
In other words, DNSCrypt encrypts all DNS traffic. The cryptography involved is called elliptic-curve cryptography.
It allows filtering the traffic that passes through UDP and TCP, for example, in the browser, which is an effective security measure in corporate networks. It can prevent DNS spoofing with authentication.
DNSCrypt can be installed as a client on most operating systems such as Windows, macOS, and Linux as well as Android, iOS, and open router firmwares. The most popular client is dnscrypt-proxy.
- Allows reviewing the generated traffic from the network
- Can block ads, malware, and spam
- Uses port 443
- Can reduce latency (e.g. in IPv4-only networks)
- Can be deployed on cloud servers
- Security prevails over availability, which is usually a good thing but can be a drawback
- Can become a single point of failure if other layers are unsecured
Also read: How to Secure DNS with DNSCrypt & DNSSEC
How to Secure DNS With DNSSEC
The DNS Security Extension (DNSSEC) uses digital signatures based on public keys to strengthen DNS. Instead of encrypting DNS queries and responses, it secures DNS data with public and private key pairs.
The private key is used to sign DNS data in a specific zone and generate a digital signature. And the public key is published in the zone. Any resolver that looks up data in the zone can retrieve the public key to validate the authenticity of the DNS data before returning to the user.
If the signature is incorrect or missing, the resolver will consider it as an attack and cancel the data transfer.
Moreover, DNSSEC will typically add new DNS records such as RRSIG (cryptographic signature) and DNSKEY.
- Effective to mitigate DNS poisoning
- Easy to deploy and activate
- Great industry support
- Uses validation instead of encryption
Going Further: DNS Pentesting
Regular DNS pentests (penetration tests) are probably one of the best security measures you can take to secure DNS for your organization, as it will emulate real-world attacks.
Pentesters will likely start by enumerating services with Nmap, and then, they might use dig to explore your DNS. For example, you can perform an authoritative search for mozilla.org with the following on Kali Linux:
dig authority mozilla.org
The ultimate goal of dig commands is to retrieve information such as the list of authoritative DNS servers, mail servers, or name servers. In addition, there are specific modules in Metasploit to enumerate DNS like auxiliary/gather/enum_dns.
Read next: Best Penetration Testing Tools