The coronavirus pandemic has pushed businesses to focus on their online presence, with the website now the crucial ‘shop window’. It has also brought more DNS attacks and hijacks from malicious sources, with reports noting a 1000% increase over 2018 and the cost to targeted businesses growing with it.
If your business operates over a network, then you need to learn about DNS attacks and the threat they pose to your operations.
DNS attacks involve malicious access to, or manipulation of, your domain name system. If left unchecked, an attacker can quickly disrupt service or redirect traffic. As you can imagine, both scenarios are disastrous and will compromise the integrity of your network. Fortunately, you can prevent most DNS attacks if you know how they work and where your vulnerabilities are. This begins with understanding the different types of DNS attacks that you might be facing.
Four most common DNS attacks
We’ll explain four of the most common types of DNS attacks below to give you an idea of what to expect.
DNS tunneling
The first type of DNS attack is DNS tunneling. DNS tunneling is done with the primary aim of bypassing a firewall. A good firewall is a decent start against viruses and malware, but many capable attackers know how to get around one.
One of the ways they do this is by tunneling through the DNS. Almost every network has to let DNS traffic (port 53, UDP and TCP) out for anything else to work, so firewalls that inspect and block other protocols usually pass DNS through unexamined. An attacker who already has a foothold on an internal host encodes data in DNS queries, typically as long subdomain labels under a domain whose authoritative server the attacker controls; that server answers with more data encoded in the responses. The tunnel therefore carries stolen data out and command-and-control instructions in, without the firewall seeing anything but ordinary-looking lookups. This is a deceptive style of attack because it takes advantage of the natural openness of the DNS, and it usually shows up only as unusually long, random-looking subdomains, large numbers of unique names under one domain, and odd record types such as TXT or NULL.
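The signs just described can be checked for in resolver query logs. The following is an added example, not code from the original article: it scores each owner domain by the length and entropy of the leftmost label, by how rarely subdomains repeat, and by the share of TXT/NULL/CNAME queries, then flags the domains that look like a tunnel. The log lines, hosts and domains are constructed for the example; the "last two labels" rule for the owner domain is a simplification of what a real tool would do with the public-suffix list.

```python
import math
from collections import defaultdict

# Constructed sample resolver query log, one "<client> <qtype> <qname>" per line.
# Hosts, domains and the hex-looking labels are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 A login.example.com
10.0.0.7 A cdn.example.com
10.0.0.7 MX example.com
10.0.0.9 TXT a9f3c17e4b0d62f58a3c9e1d7b4f2068c5a1e39d4b7f.c2.badtunnel.test
10.0.0.9 TXT 0c6d2e81f4a79b35d1e8c4f602a9b7d3e5f18c0a6b2d.c2.badtunnel.test
10.0.0.9 TXT 7b1e9a4c3f0d58e26a9c1b7f4d3e0825c9a6f1b3d7e4.c2.badtunnel.test
10.0.0.9 TXT e4d8a2c60f1b3975ce0a4d8b2f6e1c73a9d5b0e8f241.c2.badtunnel.test
10.0.0.9 TXT 3f5a9c1e7d2b4068fa3c5e9b1d7f2a4c6e8b0d3f5a17.c2.badtunnel.test
10.0.0.9 TXT 91c4e7a2f5b8d30e6a1c9f4b7d2e5a83c0f6b1d9e4a7.c2.badtunnel.test
10.0.0.11 A 4b9e2c7a1d5f3e8b0c6a9d4f2e7b1c5a3d8e6f0b2c9a.updates.example.org
"""


def label_entropy(label):
    """Shannon entropy of a label in bits per character (0 for an empty label)."""
    n = len(label)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude owner domain: the last two labels. A real tool would consult the public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_log(text):
    """Parse the constructed log format into (client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            client, qtype, qname = line.split()
            records.append((client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def score_domains(records):
    """Aggregate, per owner domain, the features that separate tunnels from normal traffic."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for _client, qtype, qname in records:
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        first = sub.split(".")[0]  # leftmost label is where tunnel payload is carried
        s = acc[dom]
        s["queries"] += 1
        s["subs"].add(sub)
        s["len"] += len(first)
        s["ent"] += label_entropy(first)
        if qtype in ("TXT", "NULL", "CNAME"):
            s["txt"] += 1
    return {
        dom: {
            "queries": s["queries"],
            "unique_subdomains": len(s["subs"]),
            "avg_label_len": s["len"] / s["queries"],
            "avg_entropy": s["ent"] / s["queries"],
            "txt_ratio": s["txt"] / s["queries"],
        }
        for dom, s in acc.items()
    }


def suspicious_domains(scores, min_queries=5, min_len=25, min_entropy=3.0):
    """Flag domains with enough queries whose leftmost label is long, high-entropy and almost never repeated."""
    return sorted(
        dom
        for dom, r in scores.items()
        if r["queries"] >= min_queries
        and r["avg_label_len"] >= min_len
        and r["avg_entropy"] >= min_entropy
        and r["unique_subdomains"] / r["queries"] >= 0.9
    )


if __name__ == "__main__":
    scores = score_domains(parse_log(SAMPLE_LOG))
    for dom in suspicious_domains(scores):
        print("possible DNS tunnel:", dom, scores[dom])
```

The thresholds are starting points, not constants: a CDN or a DNS-based anti-spam service can also produce many unique, hash-like labels, so the `min_queries` floor and an allow-list of known domains keep the false-positive rate tolerable. Note the single long query to example.org is not flagged because one lookup proves nothing.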
DNS hijacking
DNS hijacking is another attack to watch for. Like DNS tunneling, DNS hijacking manipulates what the user experiences, but rather than carrying malware or stolen data, it redirects the user to a malicious website by answering their lookups with the attacker's addresses.
For example, if a user enters the domain of the most commonly used website on your network while its resolution is hijacked, they can be sent wherever the attacker chooses. Often that is a site that mirrors the one they were looking for. This is particularly dangerous because the user feels safe entering sensitive information such as login credentials, which the attacker then captures. DNS hijacking is very concerning and not always simple to detect. It can originate from malware that changes a device's resolver settings, from a compromised router or DHCP server handing out rogue resolvers, from a compromised registrar or DNS-provider account that lets the attacker edit your records, or from an attacker positioned on the path between the user and the resolver, so you need to cover all of these.
Cache poisoning
One of the most common approaches to DNS attacks is cache poisoning, also known as DNS spoofing. Cache poisoning has a similar outcome to DNS hijacking, but how it happens differs. Both attacks seek to redirect DNS queries.
What makes cache poisoning different is what the attacker targets. Rather than starting from a compromised device or account, cache poisoning sabotages the cache of a recursive resolver. When the resolver sends a query upstream, it will accept the first reply that arrives from the right server, on the right port, with the right 16-bit transaction ID and matching question. An attacker who cannot see that query floods the resolver with forged replies, each carrying a different guess at the transaction ID (and, where the resolver does not randomize it, the source port), hoping one matches before the genuine answer arrives. If a guess lands, the resolver caches the forged record and serves it to every client until its TTL expires. This type of attack is also hard to identify from the client side. Randomized source ports make guessing far harder, and DNSSEC, which lets the resolver verify that answers are signed by the zone owner, is your best solution for keeping the DNS cache clean.
DNS amplification
The last major DNS attack category to be aware of is DNS amplification, a form of distributed denial of service (DDoS). A DNS amplification attack is unlike the other three attacks mentioned above. It aims primarily to disrupt service rather than gaining access or stealing information. While it may seem less significant, its impact can be just as disruptive.
DNS amplification works by overwhelming the target's network with traffic it never asked for. The attacker sends small DNS queries that are known to produce much larger responses (an ANY query with a large EDNS0 buffer size, for example) to open resolvers on the internet, with the source IP address forged to be the victim's. The resolvers dutifully send their large responses to the victim, so every byte the attacker sends is multiplied many times over. The attack is then ramped up by sending these forged queries from many sources at once, and eventually the victim's bandwidth is consumed by the volume of large responses. Your network can be on either end of this: the target of the flood, or the open resolver being abused as a reflector.
When this happens, other network operations cannot continue. This makes the attack particularly effective at bringing a whole network down. It is nearly impossible to overlook a DNS amplification attack in progress. If network functions are slowed or unavailable for no obvious reason, and the inbound traffic is a stream of large DNS responses from port 53 that nothing on your network requested, a DDoS attack is the likely cause.
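To see why a few bytes of query turn into kilobytes of response, the following added example (not code from the original article) builds an ANY query with and without an EDNS0 OPT record and an authoritative reply for a constructed example.com zone, then measures the amplification factor, that is, the bytes a reflector sends to the spoofed source per byte the attacker sent. The zone contents and the DNSKEY-shaped record are placeholders made up for the example, and the code only measures; it sends nothing. It also shows the effect of the client's advertised UDP size: without EDNS0 the reply would not fit in 512 bytes, so the server truncates it and the amplification disappears.

```python
import struct

QTYPE_A, QTYPE_TXT, QTYPE_DNSKEY, QTYPE_ANY, OPT = 1, 16, 48, 255, 41


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, qname, qtype, edns_udp_size=None):
    """Query with, optionally, an EDNS0 OPT record advertising a large UDP buffer."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT pseudo-RR: root name, type 41, the CLASS field reused as UDP payload size, TTL 0, no rdata
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_udp_size, 0, 0)
    return msg


def advertised_udp_size(query):
    """Largest UDP reply the client says it can take; 512 bytes without EDNS0 (RFC 1035)."""
    arcount = struct.unpack("!H", query[10:12])[0]
    if arcount == 0:
        return 512
    rtype, size = struct.unpack("!HH", query[-10:-6])  # TYPE and CLASS of the trailing OPT record
    return size if rtype == OPT else 512


def build_response(txid, qname, qtype, records):
    """Authoritative answer with every (rtype, rdata) in records; owner name compressed to a pointer at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
        for rtype, rdata in records
    )
    return header + question + answers


def udp_reply(query, response):
    """What the server actually puts on the wire over UDP: the full response if it fits the client's
    advertised size, otherwise a truncated reply (TC bit set, question only) telling it to retry over TCP."""
    if len(response) <= advertised_udp_size(query):
        return response
    arcount = struct.unpack("!H", query[10:12])[0]
    question = query[12:len(query) - (11 if arcount else 0)]
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0) + question


def amplification_factor(query, response):
    """Bytes the reflector sends to the spoofed source per byte the attacker sent."""
    return len(udp_reply(query, response)) / len(query)


# Constructed zone contents for example.com: 20 A records, 4 padded TXT records and one
# DNSKEY-shaped record whose key bytes are a placeholder pattern, not a real key.
ZONE_RECORDS = (
    [(QTYPE_A, bytes([192, 0, 2, i])) for i in range(1, 21)]
    + [(QTYPE_TXT, bytes([200]) + b"padding-" * 25) for _ in range(4)]
    + [(QTYPE_DNSKEY, b"\x01\x01\x03\x08" + bytes(range(256)))]
)


if __name__ == "__main__":
    response = build_response(0x1234, "example.com", QTYPE_ANY, ZONE_RECORDS)
    for label, query in (
        ("plain ANY query", build_query(0x1234, "example.com", QTYPE_ANY)),
        ("ANY query + EDNS0 4096", build_query(0x1234, "example.com", QTYPE_ANY, 4096)),
    ):
        print(f"{label}: {len(query)} bytes in, {len(udp_reply(query, response))} bytes out, "
              f"x{amplification_factor(query, response):.1f}")
```

The 40-byte EDNS0 query draws a 1473-byte reply here, a factor of about 37, and a bigger zone with DNSSEC signatures does far better for the attacker. The practical defences follow directly from the measurement: do not run an open resolver, rate-limit responses, answer ANY queries minimally or over TCP only, and have your upstream provider filter packets with spoofed source addresses.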
How to protect against DNS attacks
The Domain Name System, DNS for short, is a hierarchical naming system that translates the domain names humans use into the numerical IP addresses computers use, looking up and returning the address for the name the user requested. DNS servers are at the heart of every network and need to be protected from malicious damage and from accidental damage done by users. Configuring firewalls, forwarders, zone transfers and resolvers are some of the ways to protect DNS servers.
DNS forwarders
A DNS forwarder is a DNS server that passes queries it cannot answer from its own cache or zones to another, upstream DNS server instead of resolving them itself from the root servers down. This takes load off the main DNS server, and because a forwarder can keep a much larger cache, repeated lookups are answered locally. It also means the primary DNS server never has to contact servers outside the internal network itself; only the forwarder is exposed, which is beneficial for both the DNS server and the internal network's security.
Firewalls
Firewalls are a security necessity that restrict unauthorized access to systems and networks, and they are one of the strongest lines of defense against attacks from outside users. Firewalls are installed as software or are built in by default to networking hardware such as routers. Firewalls can filter TCP/IP traffic by address, port and protocol, and can be configured to be permissive or strict about the inbound traffic they accept. For a DNS server that means allowing port 53 only from the clients and servers that legitimately need it.
Disable Zone Transfers
Zone transfers (AXFR) are how a primary DNS server copies its zone data to secondary servers: the primary creates and updates the zone file, and the secondaries pull a read-only copy. Left open to anyone, a zone transfer lets an attacker dump the entire zone from the primary, handing them every hostname and IP address in your infrastructure as a map for further attacks. Deny all zone transfers, or allow them only from the specific IP addresses of your secondary servers (and, ideally, authenticate them with TSIG keys), and this reconnaissance is stopped.
DNS Resolvers
A DNS resolver (a recursive server) is a DNS server that resolves domain names on behalf of clients without being authoritative for them; its only job is to look up hostnames for end users and cache the answers. A resolver can serve users within an internal network, external users, or both, and it decreases the load on the authoritative and primary servers. Limit recursion to the clients that actually need it: a resolver that answers recursive queries from the whole internet (an open resolver) is exactly what DNS amplification attacks abuse as a reflector.
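The forwarder, zone-transfer and resolver settings above come together in the server configuration. The following is an added example of BIND 9 named.conf fragments, not configuration from the original article: one for an internal resolver and one for a separate authoritative primary. The network ranges, upstream resolver and secondary addresses, file paths and zone name are placeholders to be replaced with your own.

```bind
// --- Internal resolver (forwarding, recursive) ---
options {
    directory "/var/cache/bind";

    // Only our own networks may use this server for recursion or read its cache;
    // anyone else gets REFUSED, so it cannot be used as an amplification reflector.
    allow-recursion   { 10.0.0.0/8; 192.168.0.0/16; };
    allow-query-cache { 10.0.0.0/8; 192.168.0.0/16; };

    // Hand external lookups to the upstream resolvers (placeholder addresses)
    // instead of recursing from the root servers ourselves.
    forwarders { 192.0.2.10; 192.0.2.11; };
    forward only;

    // Validate DNSSEC signatures on the answers we cache.
    dnssec-validation auto;
};

// --- Authoritative primary for our zone (a separate server) ---
options {
    directory "/var/cache/bind";

    // Authoritative only: never recurse for anyone.
    recursion no;

    // Default for every zone: no zone transfers at all.
    allow-transfer { none; };

    // Response-rate limiting blunts abuse of this server as a reflector.
    rate-limit { responses-per-second 10; };
};

zone "example.com" {
    type primary;                       // "type master" on BIND versions before 9.16
    file "/etc/bind/db.example.com";
    allow-transfer { 198.51.100.2; };   // our secondary only (placeholder address)
    also-notify    { 198.51.100.2; };
};
```

Keep the two roles on different hosts: an authoritative server that also recurses for the internet is both a reconnaissance target and a reflector. After changing named.conf, run named-checkconf before reloading, and confirm the restrictions from an outside address with a recursive query and an AXFR request, both of which should be refused.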
Conclusion
DNS attacks are among the most serious threats posed to your online systems. Attackers manipulate DNS queries to steal information, gain private access and stall operations. What makes DNS attacks difficult to manage is how many different types there are. The four main types that you should be watching for are DNS tunneling, DNS hijacking, cache poisoning and DNS amplification.
While addressing a DNS attack in progress may not be simple, protecting your DNS is largely a matter of configuration. Use DNS Security Extensions (DNSSEC) so that resolvers can verify that the answers they cache are authentic and unmodified, and pair it with the other controls above, because DNSSEC does not by itself stop tunneling, a hijacked resolver setting or an amplification flood.