6 types of DNS attacks and how to prevent them

What is DNS?

DNS is often referred to as the "phone book of the internet." In a nutshell, it is the system that translates website domain names into their respective IP addresses. Once a user enters a domain name, a DNS server looks up the IP address the name is attached to and sends a request to the web server hosting the site.

DNS servers underpin the ability of the internet to deliver resources and information. So, unsurprisingly, they are prime targets for attackers. If a DNS server goes down as a result of a successful attack, it could have a cascading effect upon the entire internet, worldwide.

6 types of DNS attacks

Let's examine six methods attackers use to disrupt the operation of DNS servers.

1. DoS and DDoS attacks

DoS attacks flood servers with rogue and undecipherable data packets, slowing network traffic to the point where it can take minutes, if not longer, to access a website. One device is typically used to target a specific DNS server in a DoS attack. DDoS attacks rely on multiple devices launching attacks on multiple DNS servers.

2. DNS amplification attacks

Similar to DDoS attacks, DNS amplification attacks involve a malicious actor sending multiple requests to DNS servers in a short period of time. These requests -- known as trigger packets -- are further amplified, making them too much for the DNS servers to handle. In turn, a large amount of rogue data packets are sent to end users, rendering both their devices and the targeted DNS server useless. These outbreaks are also known as reflective amplification attacks.

3. DNS tunneling

In DNS tunneling, the attacker routes legitimate DNS requests back to their own server, which acts as a command and control (C&C) device. A malicious payload is deployed that can be used to either infect the DNS server or the device of a targeted victim.

DNS tunneling involves the following steps:

• The attacker registers a legitimate domain name.
• The name server is pointed back to the attacker's C&C server.
• A victim device is targeted, and the malware gets deployed onto it, bypassing any firewalls or network intrusion detection tools.
• A request is sent from the victim device to a DNS server, and this is sent back to the attacker's C&C server.
• A tunneling protocol is established, creating a direct connection to the victim, making use of the DNS server.
• Limited data exfiltration attacks typically occur, but any threat variant can be launched.

This type of attack is usually difficult to detect because of the tunneling procedure.

4. DNS hijacking

In DNS hijacking, an attacker gains control over a domain name registered to a different entity. This happens when end users' login credentials are known -- typically gained through phishing attacks -- or by exploiting a vulnerability or gap discovered in the IT infrastructure of the registrar in question. From a hijacked DNS, the end user might be redirected to a phony website and tricked into submitting confidential information and data, such as credit card or bank account numbers.

5. DNS spoofing

DNS servers are equipped with a cache memory, which stores the IP addresses of frequently requested domains. This feature enables servers to respond more quickly to user requests and reduces the amount of processing resources required. But it also makes it possible for attackers to redirect legitimate requests to fraudulent websites and then, ultimately, to their C&C servers.

6. Fast flux

In DNS fast fluxing, attackers register multiple IP addresses with one domain and swap between them quickly, making it difficult for law enforcement agencies and enterprise security teams to block and track them. Each IP address is live for a short amount of time before getting swapped to another. Attackers register new IP addresses as needed.

How to mitigate DNS attacks

Every organization is vulnerable to DNS attacks; there is no 100% foolproof protection against them. But organizations can take the following measures to reduce the chances a DNS server attack is successful:

• Use DNS encryption. Use the DNSCrypt, DNS over TLS or DNS over HTTPS protocols. Install agents on both the servers and endpoints that receive and send DNS requests, respectively.
• Use a DNS authenticator. Use DNS Security Extensions, which relies on a public key to confirm and validate any requests made to the DNS server.
• Deploy DNS traffic inspection. Use a next-generation firewall to block rogue data packets and associated illegitimate requests. An NGFW can be easily implemented into a zero-trust framework.
• Keep a DNS access control list. Create a list that specifies who is authorized to access DNS servers. Follow the principle of least privilege when assigning which rights and permissions each person receives. Use automation to provide real-time alerts in the event of unusual activity or multiple login attempts. Rely on privileged access management and MFA as well.
• Use DNS filtering. DNS filtering screens domain names -- and any other URLs -- to ensure they are not blocklisted and notifies admins in the event a blocklisted resource is found. DNS filtering can also automatically blocklist and allowlist domain names.
• Scan for vulnerabilities. Conduct a vulnerability scan, penetration test or both to ensure web applications are free from DNS security issues. Remediate any discovered vulnerabilities.
• Deploy rate limiting. Rate limiting restricts the number of requests that can be made to a DNS server over a predetermined time. This helps prevent malicious flooding and DoS and DDoS attacks.
• Monitor network traffic. Use network monitoring tools to keep a constant eye on any patterns of unusual activity made to a DNS server and sudden spikes in network traffic. Use these tools to filter through network log files and drill down further into the granular level of the data.
• Reduce the attack surface. Restrict traffic to a specific DNS server, use a load balancer to manage any sudden increases and check for unused or open ports. If any are found, close them immediately.
• Audit continuously. Confirm the DNS server zones requests are made from. Check for any signs of compromise in address, mail exchange or canonical name records.

Ravi Das is a cybersecurity consultant and business specialist who specializes in penetration testing and vulnerability management content.