The 5 big DNS attacks and how to mitigate them

Domain name system (DNS) attacks, in which bad actors take advantage of vulnerabilities in the DNS Internet protocol, are extremely prolific—and costly.

The role of DNS is to translate the term that you might enter in a search box (known as the human-readable name) into the corresponding string of numbers (IP address) that your device needs to access a website or send an email. Attacks against these indispensible systems can be quite damaging.

A 2021 IDC survey of more than 1,100 organizations in North America, Europe and Asia Pacific, showed that 87% had experienced DNS attacks. The average cost of each attack was around $950,000 for all regions, and about $1 million for organizations in North America.

The report also noted that organizations across all industries suffered an average 7.6 attacks during the previous year.

The COVID-related shift to off-premises working and the response that companies made to move resources to the cloud in order to make them more accessible have provided new targets for attackers, the report said.

The research also found a sharp rise in data theft via DNS, with 26% of the organizations reporting sensitive customer information stolen, compared with 16% in 2020.

Here are the five most common types of DNS attacks.

DNS amplification triggers DDOS attacks

A DNS amplification attack is a popular form of distributed denial of service (DDoS) that takes advantage of publicly accessible, open DNS servers to overwhelm a target system with DNS response traffic.

The primary technique involves an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address, according to the Cybersecurity and Infrastructure Security Agency (CISA), which leads U.S. efforts to enhance the resilience of the nation’s physical and cyber infrastructure.

When the DNS server sends the DNS record response, it’s sent to the target instead. Attackers typically submit a request for as much zone information as possible so they can maximize the amplification effect, CISA says. In most attacks of this type observed by US-CERT, the spoofed queries sent by attackers are of the type “ANY,” which returns all known information about a DNS zone in a single request.

Because the size of the response is much larger than the request, the attacker can increase the amount of traffic directed at the target’s systems. By leveraging a botnet to produce a large number of spoofed DNS queries, CISA says, an attacker can create an immense amount of traffic without much effort.

And because responses are legitimate data coming from valid servers, it’s extremely difficult to prevent these types of attacks, the agency says. The most common form of this attack US-CERT has seen involves DNS servers configured to allow unrestricted recursive resolution for any client on the Internet. But attacks can also involve authoritative name servers that don’t provide recursive resolution, CISA notes.

DNS spoofing/cache poisoning

With DNS spoofing, also called cache poisoning, bad actors exploit vulnerabilities on DNS servers in order to take them over. Using cache poisoning, attackers inject malicious data into a DNS resolver’s cache systems to try to redirect users to the attacker’s sites. The attackers can then steal personal information or capture other information.

When attackers gain control of a DNS server, they can modify the cache information (this is DNS poisoning). The code for DNS cache poisoning is frequently found in URLs sent through spam or phishing emails. The emails try to alert users to an event that requires immediate attention, which requires clicking on a URL provided by the attackers.

DNS servers can access the caches of other DNS servers, and this is the  way the attack spreads on a potentially large scale. The key risk with DNS poisoning is the theft of data. Another significant risk: if an Internet security provider’s site is spoofed, a user’s computer might be exposed to additional threats such as viruses or Trojans, because legitimate security updates will not be performed.

DNS tunneling

Yet another popular DNS attack mode, and one of the older ones still around, is DNS tunnelling. These attacks exploit the DNS protocol to tunnel malware and other data through a client-server model. These data payloads can take over a DNS server and allow attackers to manage the server and its applications.

The tunnelling creates a hidden connection between the attacker and the target—through the DNS resolver—that can bypass a firewall. Cyber criminals can use the tunnel for malicious activities such as exfiltrating data.

DNS tunneling in many cases relies on the external network connectivity of a compromised system, which provides access into an internal DNS server with network access.

Fast flux evades security scans

Fast flux is a DNS evasion technique in which attackers use botnets to hide their phishing and malware activities from security scans, by leveraging constantly changing IP addresses of compromised hosts acting as reverse proxies to the backend botnet master.

Fast flux can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection that’s used to make malware networks more resistant to discovery.

The main idea behind fast flux is to have a large number of IP addresses

associated with a single, legitimate domain name, where the IP addresses are frequently swapped in and out, through changing DNS resource records. The authoritative name servers of the fast-fluxing domain name are in most instances hosted by the cyber criminal.

DNS hijacking/redirection

DNS hijacking (or DNS redirection) is the practice of subverting the resolution of DNS queries. Cyber criminals do this by using malware that overrides a system’s TCP/IP configuration to point at a rogue DNS server that is under the control of the attacker, or by modifying the behavior of a trusted DNS server so that it doesn’t comply with internet standards. Bad actors use these modifications for malicious purposes such as phishing.

There are three main versions of DNS hijacking:

• Attackers compromise a domain-registrar account and modify the DNS nameserver to one they controlChanging the record for a domain’s IP address to point to the attacker’s address instead
• Attackers compromise an organization’s router and change the DNS server that automatically gets pushed to each device when users sign on to the organization’s network.

How to prevent DNS attacks

Organizations can adopt a number of practices to help mitigate the risk of DNS attacks. Here are some suggested practices:

Implement stronger access controls

Enterprises need to ensure that they are taking steps to better control who has access to networks. One of the ways to do this is to deploy multi-factor or two-factor authentication as a way to establish access to an online account or system. This requires users to provide more than one type of information, for example a password and some proof of identity, in order to gain access.

Companies should make sure multi-factor authentication is enabled in all registrar or registry accounts, that passwords are not easy to guess and are stored securely and not re-used across services.

CISA advises that organizations immediately update passwords for all accounts on systems that can make changes to their DNS records, including accounts on organization-managed DNS server software, systems that manage that software, third-party DNS operators’ administration panels, and DNS registrar accounts.

Employ zero trust

The zero trust approach to security continues to gain momentum, due in part to growing support from the U.S. federal government, and the hybrid and remote work models that have taken hold at many companies. Zero trust can play a role in DNS threat mitigation.

Research firm Garner recommends that security and risk leaders implement two key, network-related zero trust projects to reduce risk. One is to deploy zero trust network access (ZTNA), which abstracts and centralizes access mechanisms so that security engineers and staff can be responsible for them.

It grants appropriate access based on the identity of users and their devices, in addition to other context such as time and date, geolocation, historical usage patterns and device posture. The result, Gartner says, is a more secure and resilient environment, with improved flexibility and better monitoring.

The other project is identity-based network segmentation, which Gartner says is an effective way to limit the ability of attackers to move laterally in a network once they have gotten in.

Identity-based segmentation reduces excessive implicit trust by allowing organizations to move individual workloads to a “default deny” rather than an “implicit allow” model, the firm says. It uses dynamic rules that assess workload and application identity as part of determining whether to permit network access.

Review and verify DNS records

CISA recommends that for all the domains an organization owns and manages, it should review all public domain records with domain registrars to verify the associated name server (NS) records are delegated to intended DNS servers. It should review all DNS records on all authoritative and secondary DNS servers to verify they resolve to their intended destination.

Organizations should immediately investigate any discovered discrepancies, and treated them as a potential security incident. These actions will help spot any active DNS hijacks.