Pattern Drive Private Limited


DNS Attacks: Dangerous Cyber Security Attacks & How To Prevent Now?

Updated on: 14/02/2023


Domain Name System (DNS) attacks are quite common these days. A DNS attack is a cyber-attack in which a hacker exploits vulnerabilities in the DNS. The internet cannot function without the Domain Name System; it is a vital part of the internet. In this article, we will discuss the common attacks that DNS suffers from and the most important ways in which you can safeguard yourself against them.

Essential Points To Note:

  • DNS Attacks target the victim’s DNS or Domain Name System vulnerabilities.
  • Phishing and Spoofing are common methods used in the procedure. 
  • DNS Attacks are getting stronger and so are the security measures.
  • Companies and individuals need to adopt these security measures and fix any vulnerabilities in the DNS as soon as possible. 
  • Additionally, they should check DNS vulnerabilities from time to time and upgrade themselves.

A user might think that the internet works quite simply. However, a lot goes on in the background that they usually cannot see, and the Domain Name System (DNS) is a huge part of it. Every device on the Internet is reachable via a unique IP address. For example, your cell phone has a different IP address from your laptop or desktop computer, and the laptop and desktop have different addresses from each other. So if your laptop wants to reach another device, say the server where the website you searched for is hosted, it must first find that server's IP address.

IP addresses come in two variants, numerical (IPv4) and alphanumeric (IPv6). The following are examples of IPv4 and IPv6 addresses:

  • 192.0.2.146 (IPv4)
  • 2001:db8:3333:4444:5555:6666:7777:8888 (IPv6)

As the examples show, such addresses do not convey much information to a user, which is a problem. This is where DNS comes into action. You do not need to remember the IP addresses of individual websites, which would be tedious; instead, you use their hostnames, such as “Google” or “YouTube”. The computer does not understand hostnames, only 0s and 1s (bits and bytes), so DNS translates the hostname you enter into an IP address the computer can use to communicate.

What Are DNS Attacks? What Are The Different Types Of DNS Attacks?

As already mentioned, DNS links hostnames to their numeric or alphanumeric IP addresses. DNS is not perfect, and security vulnerabilities in it surface from time to time. Hackers find these vulnerabilities and try to exploit them to mount cyber security attacks. This is called a DNS attack.

[Figure: How Does DNS Work?]

There are various kinds of DNS attacks that you need to be aware of. These include the following:

  • DDoS (Distributed Denial of Service)
  • DNS Flood Attack
  • Domain Hijacking
  • DNS Tunneling Attack
  • Cache Poisoning
  • NXDOMAIN Attack
  • Random Subdomain Attack
  • Phantom Domain Attack… and more.

However, this article will focus on two of the most common and dangerous DNS attacks: DNS Spoofing and DNS Poisoning. Both of these cyber security attacks are DNS DDoS attacks that come under the DNS amplification attack.

So what is a DDoS attack? In computing, Distributed Denial of Service refers to the malpractice of flooding a server with internet traffic in order to prevent users from accessing connected online services and websites. In short, DDoS is an important consideration in cyber security: after a successful DDoS attack, the server becomes unusable and people cannot open your website.

[Figure: How Do DDoS Attacks Work?]

The following are two important types of DNS DDoS attack among the many types of attacks in cyber security:

1. DNS Amplification Attack

The idea of a DNS amplification attack is that a small query triggers a huge response, hence the term “amplification”. The threat behind this kind of DNS attack is that the hacker does not need a particularly powerful machine: an ordinary computer is able to flood the DNS by sending short requests that require long answers from the DNS resolver.

2. DNS Reflection Attack

DNS reflection attacks, on the contrary, are even more malicious. In this kind of cyber security attack, the hackers send queries that appear to come from the victim. The responses are then delivered to the victim, who never asked for them in the first place. The traffic is enough to flood their network.

DNS Spoofing Attack & DNS Poisoning Attack: The Most Dangerous Ones

DNS Spoofing attacks and DNS poisoning attacks are very similar, which is why they are often confused. People usually overlook how they work, and that is what makes them different.

DNS Spoofing / DNS Poisoning

DNS spoofing is an attack method in which DNS records are altered and used to redirect online traffic to a fraudulent website resembling the original one. Once users are directed to the fake website, they are usually asked to log in to their account. The users believe they are on the actual site, but it is just a fake website created by the hackers to look like the real one.

As soon as the users enter their login credentials, they are tricked and the perpetrators steal the credentials. In some cases, the malicious website is also used to infect the user’s device with worms or viruses, which gives the hackers long-term access to the device and the data it stores.

[Figure: DNS Spoofing]

Two methods are used to execute DNS Spoofing or DNS poisoning attacks:

  • Man in the Middle Attack (MITM): the interception of communications between the users and a DNS server in order to route the users to a different, malicious IP address.
  • DNS Server Compromise: the direct hijacking of a DNS server (DNS hijacking), which is then configured to return a malicious IP address.

DNS Cache Poisoning

DNS cache poisoning is the act of entering fake information into the DNS cache. This makes DNS queries return incorrect responses, and users are directed to the wrong websites. It is a method of phishing in cyber security, and spoofing of this kind is common. While DNS Spoofing directly involves attacking the Domain Name System, DNS cache poisoning, as the name states, attacks the cached IP address of a website.

What is the DNS cache? It is the temporary storage of a website’s IP address on a local server, so that a user's domain request does not need to be sent to the DNS server again. The resulting website is therefore returned in less time.

[Figure: DNS Cache Poisoning Attacks]

The following is how a cached response is different from that of the uncached response:

[Figures: DNS Uncached Response; DNS Cached Response; DNS Cache Poisoned]

DNS resolver caches play a major role in DNS cache poisoning once they store faulty information: traffic goes to the wrong place until the cached information is corrected. DNS resolvers cannot verify the data in their caches, so the faulty information remains in the cache until its TTL (Time to Live) expires or it is removed manually. Note that this process does not disconnect the real websites from their real IP addresses; it is a form of IP spoofing in cyber security.
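To make the cache behaviour above concrete, here is a toy resolver cache written for this article (an added example, not code from the original page). It models a resolver that can only sanity-check a reply against its outstanding query (matching transaction ID and question, records inside the queried zone) and then serves whatever it cached until the TTL runs out or the entry is flushed by hand; the names, addresses and the "parent of the query name" bailiwick rule are constructed simplifications.

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed, simplified DNS reply: txid/qname echoed from the query, one A record per name.
Response = namedtuple("Response", "txid qname answers ttl")   # ttl in seconds

@dataclass
class ResolverCache:
    now: int = 0                                 # simulated clock, seconds
    entries: dict = field(default_factory=dict)  # name -> (ip, expires_at)
    def lookup(self, name):
        # Serve whatever was cached until its TTL runs out, wrong or not.
        hit = self.entries.get(name)
        if hit is None or self.now >= hit[1]:
            self.entries.pop(name, None)         # expired: evict
            return None
        return hit[0]
    def accept(self, txid, qname, resp):
        # The resolver cannot verify the data itself; it can only check that the reply
        # matches its outstanding query and keep records inside the queried zone.
        if resp.txid != txid or resp.qname != qname:
            return []                            # mismatched reply: dropped
        zone = qname.split(".", 1)[1]            # assumed bailiwick: parent of qname
        stored = []
        for name, ip in resp.answers.items():
            if name != zone and not name.endswith("." + zone):
                continue                         # out of bailiwick: dropped
            if self.lookup(name) is None:        # a live entry is never replaced
                self.entries[name] = (ip, self.now + resp.ttl)
                stored.append(name)
        return stored

    def flush(self, name):
        self.entries.pop(name, None)             # manual rectification

def poisoning_timeline():
    # Constructed scenario: a forged reply with a correctly guessed transaction ID
    # arrives before the genuine one and is cached for 3600 s.
    cache = ResolverCache()
    forged = Response(0x1234, "www.example.com", {
        "www.example.com": "203.0.113.5",            # attacker-controlled address
        "login.bank.example": "203.0.113.5"}, 3600)  # out of bailiwick: dropped
    genuine = Response(0x1234, "www.example.com", {"www.example.com": "192.0.2.10"}, 300)
    stored = cache.accept(0x1234, "www.example.com", forged)
    cache.accept(0x1234, "www.example.com", genuine)   # too late: entry is live
    seen = {"stored": stored, 0: cache.lookup("www.example.com")}
    cache.now += 3599
    seen[3599] = cache.lookup("www.example.com")       # still poisoned
    cache.now += 1
    seen[3600] = cache.lookup("www.example.com")       # TTL expired: gone
    return seen
```

Shortening the TTL does not help a resolver that has already been poisoned; only expiry or a manual flush clears the entry, which is why the prevention steps below concentrate on the resolver and server configuration instead.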

How To Prevent DNS Attacks?

Below are some useful tips that help to prevent DNS attacks and phishing in cyber security:

1. Ensure Your DNS Servers Are Updated 

You must always keep your DNS servers updated. This applies to all DNS servers, for example BIND, Microsoft DNS, or any other DNS software. It is essential because the latest software carries the newest security patches; without them, your servers will certainly be vulnerable to exploits.

2. Disable DNS Recursion

You can prevent DNS poisoning attacks by disabling DNS recursion. On BIND servers, recursion is usually enabled by default. If DNS recursion remains enabled, the DNS server permits recursive queries for other domains on the same name server, which lets third-party hosts query those name servers. You therefore need to disable recursion to prevent DNS amplification attacks.

3. Utilize A DDoS Mitigation Provider

You can certainly run your own DNS servers. However, if you are ever hit by a DNS attack, you will suffer heavy downtime. In such a situation, services such as Cloudflare will mitigate some, if not all, of the DDoS attacks, so your servers keep working as they did before the attack.

4. Restrict Zonal Transfers

Hackers sometimes perform a DNS zone transfer to gain a better knowledge of your network topology. It is therefore necessary to restrict which servers can perform a zone transfer, and also which IP addresses are allowed to make the request. IP spoofing deserves special mention when it comes to cyber-attacks, and this step helps prevent it as well.

5. Conceal Your BIND Version

An attacker can very easily check which BIND version your server is running with the following query:

dig @ns1.server.com -c CH -t txt version.bind

Hiding your BIND version will not do much by itself, but it is a positive step towards preventing hackers from auditing your server.

So, how will you do this? Here are the steps:

  • Edit the named.conf file.
  • Locate the options { … } config block.
  • You will find the “BIND” version setting at the end of this block.
  • Change it to version “Hidden”.
  • Save, close, and restart BIND.
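Steps 2, 4 and 5 expressed as a named.conf fragment, added here as an example rather than taken from the article; the ACL name, the network ranges, the file paths and the secondary server address are assumptions:

```conf
// Added example: names, paths and addresses are placeholders, not from the article.
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };        // assumed: your own clients only

options {
    directory "/var/named";                         // assumed path
    version "Hidden";                               // step 5: version.bind now answers "Hidden"
    recursion yes;                                  // use "recursion no;" on a purely authoritative server
    allow-recursion { "trusted"; };                 // step 2: third-party hosts get no recursion
    allow-transfer { none; };                       // step 4: no zone transfers unless a zone allows them
};

zone "example.com" {
    type primary;                                   // "master" on older BIND releases
    file "example.com.zone";                        // assumed path
    allow-transfer { 198.51.100.2; };               // assumed secondary: only it may pull the zone
};
```

Run named-checkconf before restarting to catch syntax errors; after the restart, the version.bind query shown above returns the string Hidden instead of the real version.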

Final Thoughts

DNS attacks are not new, but they are becoming much more prevalent because hackers are abusing DNS servers to fulfil malicious goals. On the 4th of October 2021, social media platforms such as Instagram, Facebook, and WhatsApp were down for a couple of hours. This was due to a DNS attack: the domains were not resolving. It is one of the most famous cyberattacks and the latest one. It is therefore necessary to understand what must be done to protect against such attacks.

Keep in mind that DNS attacks of all kinds are constantly evolving, and DNS security is getting stricter in step. You should always be learning about what you can do to prevent hackers from misusing DNS against you.
