The domain name system (DNS) is basically a directory of addresses for the internet. Your browser uses DNS to find the IP for a specific service. For example, when you enter esecurityplanet.com, the browser queries a DNS service to reach the matching servers, but it\u2019s also used when you send an email.<\/p>\n\n\n\n
It is handy for users, as they don\u2019t have to remember the IP address for each service, but it does not come without security risks and vulnerabilities. Attackers will likely enumerate DNS to try common attacks.<\/p>\n\n\n\n
It\u2019s often the first step to perform further actions such as data thefts, defacing, or even ransomware<\/a> attacks that have caused severe damages to many organizations in recent years. Besides, such attacks are loved by hackers, as it\u2019s usually hard to detect by security tools, and it allows targeting thousands of victims in one operation.<\/p>\n\n\n\n Also read: How to Prevent DNS Attacks<\/a><\/p>\n\n\n\n In order to understand DNS attacks and how they can affect you, you must first understand what DNS is and how it works:<\/p>\n\n\n\n It\u2019s not an exhaustive list, but the following techniques are the most common attacks used by threat actors to compromise DNS.<\/p>\n\n\n\n The term spoofing<\/a> means the attacker tries to impersonate a legitimate service, for example, by faking the IP associated with a domain.<\/p>\n\n\n\n While DNS spoofing is a pretty popular approach, it\u2019s a generic term that covers various situations. DNS cache poisoning is probably more accurate to describe the most common scenario: In this situation, the attacker manages to fill the DNS cache with false information, so the DNS query will redirect users to a rogue IP.<\/p>\n\n\n\n It\u2019s technically not possible for DNS resolvers to check the data in the cache. That\u2019s why the false information remains in the cache until the expiration, also known as TTL or time to live. Even if this attack is only temporary by definition, it\u2019s often enough to inject malware<\/a> successfully.<\/p>\n\n\n\n Most of the time, the hackers redirect users to a copy of the legitimate website to steal credentials or banking data. While there is some evidence of counterfeit websites users can spot, it\u2019s sometimes pretty hard to detect, for example, when it\u2019s an exact clone of the original app.<\/p>\n\n\n\n Also read: New DNS Spoofing Threat Puts Millions of Devices at Risk<\/a><\/p>\n\n\n\n This attack relies on a client-server architecture and consists of using other protocols such as TCP or SSH to tunnel malware through DNS requests. The attacker will typically register a domain name and point it to his server that hosts malware.<\/p>\n\n\n\n Hackers have been using this technique for a long time, as it is particularly efficient to connect a command-and-control server to an infected machine. There is no firewall<\/a> that can block these DNS requests.<\/p>\n\n\n\n In this case, the attacker redirects all queries to another domain name server, for example, after gaining unauthorized access to modify DNS records. Unlike with DNS poisoning attacks, the DNS cache is not involved.<\/p>\n\n\n\n There are different approaches and techniques for DNS hijacking. For example, the hacker can modify the local DNS settings or compromise the router.<\/p>\n\n\n\n The idea is to amplify the traffic of vulnerable DNS servers to hide the exact origin of an attack. The attacker forges the destination to be the victim\u2019s addresses, which can take down an entire infrastructure with minimum resources.<\/p>\n\n\n\n Flooding attacks take advantage of devices that work with a high bandwidth to bomb DNS servers. The targeted servers cannot handle the gigantic volume of queries. Such attacks are often associated with super-charged botnets (e.g. Mirai<\/a>), which can take down even the largest organizations.<\/p>\n\n\n\n To combat DNS attacks, major companies such as Google have pushed forward DNS encryption<\/a> over TLS (DoT) or HTTPS (DoH). This is because most DNS requests have been unencrypted for years, which means DNS is prone to MITM (man-in-the-middle attacks). For example, anyone who manages to get into a Wi-Fi<\/a> or a corporate network can mess with DNS queries and responses.<\/p>\n\n\n\n Using free software such as Wireshark<\/a>, it\u2019s relatively easy to capture data, including sensitive operations and all internet traffic.<\/p>\n\n\n\n The big problem is the blind trust between devices and DNS resolvers. Fortunately, encryption can harden access to DNS messages. While it\u2019s not the exact same concept, it\u2019s a bit like migrating from HTTP to HTTPS for a website.<\/p>\n\n\n\n DNS encryption over TLS has been introduced to embed messages in secure channels. TLS handshake messages are exchanged between the client and the server before sending the encrypted DNS messages.<\/p>\n\n\n\n It relies on a new port (e.g. port 53) that can be blocked by some firewalls and conflicts with existing architectures, which could ultimately force users to go back to unencrypted DNS requests. That\u2019s why DoH has been created to fix the problem and allow web applications to use existing APIs.<\/p>\n\n\n\n DoH allows executing DNS queries through the HTTPS protocol. Without proper authorization, it\u2019s theoretically impossible to gain access to queries and responses.<\/p>\n\n\n\n DNSCrypt is a protocol that encrypts, authenticates, and optionally anonymizes communications between a DNS client and a DNS resolver.<\/p>\n\n\n\n In other words, DNSCrypt<\/a> encrypts all DNS traffic. The cryptography involved is called elliptic-curve cryptography<\/a>.<\/p>\n\n\n\n It allows filtering the traffic that passes through UDP and TCP, for example, in the browser, which is an effective security measure in corporate networks. It can prevent DNS spoofing with authentication.<\/p>\n\n\n\n DNSCrypt can be installed as a client on most operating systems such as Windows, macOS, and Linux as well as Android, iOS, and open router firmwares. The most popular client is dnscrypt-proxy<\/a>.<\/p>\n\n\n\n Also read: How to Secure DNS with DNSCrypt & DNSSEC<\/a><\/p>\n\n\n\n The DNS Security Extension (DNSSEC) uses digital signatures based on public keys to strengthen DNS. Instead of encrypting DNS queries and responses, it secures DNS data with public and private key pairs.<\/p>\n\n\n\n The private key is used to sign DNS data in a specific zone and generate a digital signature. And the public key is published in the zone. Any resolver that looks up data in the zone can retrieve the public key to validate the authenticity of the DNS data before returning to the user.<\/p>\n\n\n\n If the signature is incorrect or missing, the resolver will consider it as an attack and cancel the data transfer.<\/p>\n\n\n\n Moreover, DNSSEC will typically add new DNS records such as RRSIG (cryptographic signature) and DNSKEY.<\/p>\n\n\n\n Regular DNS pentests (penetration tests) are probably one of the best security measures you can take to secure DNS for your organization, as it will emulate real-world attacks.<\/p>\n\n\n\n Pentesters will likely start by enumerating services with Nmap<\/a>, and then, they might use dig to explore your DNS. For example, you can perform an authoritative search for mozilla.org with the following on Kali Linux<\/a>:<\/p>\n\n\n\n dig authority mozilla.org<\/em><\/p>\n\n\n\n The ultimate goal of dig commands is to retrieve information such as the list of authoritative DNS servers, mail servers, or name servers. In addition, there are specific modules in Metasploit<\/a> to enumerate DNS like auxiliary\/gather\/enum_dns<\/em>.<\/p>\n\n\n\nDNS: Five Critical Concepts<\/h2>\n\n\n\n
\n
Common DNS Attacks Explained<\/h2>\n\n\n\n
DNS spoofing or poisoning<\/h3>\n\n\n\n
DNS tunneling<\/h3>\n\n\n\n
DNS hijacking<\/h3>\n\n\n\n
DNS amplification<\/h3>\n\n\n\n
DNS flooding<\/h3>\n\n\n\n
DNS Encryption: DoH vs. DoT<\/h2>\n\n\n\n
Protecting DNS with DNSCrypt<\/h2>\n\n\n\n
\n
\n
\n
\n
How to Secure DNS With DNSSEC<\/h2>\n\n\n\n
\n
\n
\n
\n
Going Further: DNS Pentesting<\/h2>\n\n\n\n