This is part of our High-Tech Online Magazine.
So, let’s talk about DNS Spoofing, DNS Cache Poisoning, DNS Hijacking… wow, new words but not so new threats. These are some examples of DNS attacks. DNS Security Step By Step. This protocol, the DNS, is the great forgetfulness: we use it daily in almost all our web queries, however, we do not pay any attention. But let’s start at the beginning of everything.
What is DNS?
Well, the acronym is clear, Domain Name Server, and it allows us to map the name of a web page by its IP address. Raise your hand who knows that www.google.es has 22.214.171.124 as its IP address; I’m pretty sure very few can say it. Nevertheless, when we use a web browser, we can access that web, by typing its friendly name in the search engine. Is it magic? No way, we are using the DNS protocol to be able to translate its name. And more and more, it is very important because mostly, IP address are dynamic and with the adoption of IPv6, it will be much more complex and difficult to remember. The DNS protocol is like having the phone’s address book, but about Internet.
The last IDC’s research in 2019 about Global DNS Threat Report, affirms that the average cost of DNS attacks has increased almost 50%, with an increase of about 35% of attack using this protocol. This is something to keep in mind.
And when we talk about DNS security, what threats occur most? Let’s see the most famous DNS attacks and how could we protect ourselves.
DNSCache Poisoning Attack.
This issue is one of the many ways to get a DNS Spoofing attack, since the goal is to modify the DNS cache, which we use in many cases, like getting faster a DNS resolution. With this attack, the attacker attempts to modify the records that are stored on a DNS server, for which the attacker decides, or even worst, the DNS server’s IP address is supplanted. In any case, a user will be redirected to a fraudulent website, where theirs credentials or other information will be stolen.
A good mitigation plan could be to restrict DNS searches to internal or external DNS servers, with known good reputation.
Distributed Reflection Denial of Service (DRDoS).
The attack here is pretty clear, attempt against the availability of DNS serves. It is caused by flooding of packets that cannot be processed, by amplifying packages (if you send one, the reflectors send two or more). Here there is one more step than in a classic DDoS, since the victims are not the ones who execute the flood, it is done by systems that are not compromised:
The way to do it is using UDP communication and using acknowledgments. A few years ago, one of the most important DNS providers was attacked by a packet flood, making it impossible to connect to webs like Twitter, Spotify, Amazon or Paypal. Thousands of IoT devices, infected by Mirai botnet, were used to do the attack. Those webs did not suffer any direct attack and worked properly, but no user could reach them, due to the failure of translating the name. Look how important is the DNS.
To have a geographically scattered and not located in a particular data center should be a good mitigation plan.
Another classic attack, tunneling one protocol over another, in this case, DNS, and thus skipping the protection like firewalls systems when browsing.
To carry it out, it will be necessary to have an internally compromised system and have access to a DNS server. Encapsulating the communication, it will be possible to execute remote commands, or also to exfiltrate confidential information.
The best way to prevent such attacks is to apply Access rules, not focusing only on protocols, but also on applications, to allow appropriate ones in DNS communications.
Of course, there are many more types of DNS-related attacks, like TCP SYN or DNS floods, random and phantom subdomain attacks, etc. So, it is clear that the protection of DNS communications is a key factor in cybersecurity.
About Article’s Author: Daniel Vaquero
Willing of learning something new. I have played roles in different areas, following a progressive and professional growth upstroke. Focused in IT Security, I provide critical technical support combined with a passionate and in-depth ‘product expert’ level of technical knowledge.