Why DNS Attacks Need More Attention
DNS attacks have been rising in 2022, and no two are exactly alike.
This month, the Iranian state-sponsored attack against the energy sector introduced a previously unseen piece of malware for DNS hijacking, delivered through “macro-laced Word documents.”
A threat report released this month by EfficientIP found that an astounding 88% of organizations surveyed had experienced a DNS attack within the last 12 months.
This post considers why these attacks are difficult to confront, which types of attack are most prevalent, and how organizations can protect themselves from being the next victim.
Here’s a quick review of how DNS works, to bring our less technical readers up to speed.
What is DNS?
DNS is a directory that matches names with their corresponding IP addresses. Your DNS server converts domain-name queries into IP addresses, determining which servers end users arrive at.
Here’s a look at how a DNS record request is processed:
What is a DNS Attack?
A DNS attack exploits weaknesses in this sequence to manipulate the responses given by DNS servers or to make them unavailable altogether. Often DNS attacks redirect the target to phishing sites that are difficult to tell apart from the real ones, but there are other ways attackers target DNS too.
Common DNS Attack Methods
DNS Tunneling
DNS uses a client-server model: devices send queries to servers to obtain the data stored there. An attacker takes advantage of this by establishing a command-and-control channel from a victim’s device, hiding information inside the DNS requests it sends for a domain whose nameserver the attacker controls.
The recursive resolver looks up the name and routes the query to the attacker’s authoritative nameserver, which hosts the tunneling malware’s server side; from there the attacker acts against the target over this channel, undetected by the firewall, because the exchange looks like ordinary DNS traffic.
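Tunneled traffic has a shape that ordinary lookups do not: many never-repeated subdomains under one registered domain, long high-entropy labels carrying encoded data, and a bias toward record types that can hold large payloads. The detector below, an added example that is not LiveAction’s or ThreatEye’s code, scores a query log on those indicators. The log format (`<timestamp> <client_ip> <qtype> <qname>`), the sample lines, the thresholds, and the two-label rule for the registered domain are all assumptions for the example; a deployment would parse its own resolver’s log format, baseline the thresholds, and use the Public Suffix List.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log (not real traffic). Format assumed:
# <timestamp> <client_ip> <qtype> <qname>
# The TXT lines imitate a tunnel: one client, one domain, every label a fresh hex blob.
SAMPLE_LOG = """\
2022-11-01T10:00:01 10.0.0.5 A www.example.com
2022-11-01T10:00:02 10.0.0.5 AAAA mail.example.com
2022-11-01T10:00:03 10.0.0.7 A cdn.example.net
2022-11-01T10:00:04 10.0.0.9 TXT 4a7f1c9e2b8d3f6a0c5e7b9d1f3a5c7e.t.tunnel-example.test
2022-11-01T10:00:04 10.0.0.9 TXT 9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a.t.tunnel-example.test
2022-11-01T10:00:05 10.0.0.9 TXT e3b0c44298fc1c149afbf4c8996fb924.t.tunnel-example.test
2022-11-01T10:00:05 10.0.0.9 TXT 27ae41e4649b934ca495991b7852b855.t.tunnel-example.test
2022-11-01T10:00:06 10.0.0.9 TXT 5e884898da28047151d0e56f8dc62927.t.tunnel-example.test
2022-11-01T10:00:06 10.0.0.9 TXT d4735e3a265e16eee03f59718b9b5d03.t.tunnel-example.test
"""

# Heuristic thresholds (assumptions for this example; tune against your own baseline).
MIN_QUERIES = 5                 # too few queries to judge a domain
UNIQUE_RATIO = 0.9              # nearly every query names a never-seen subdomain
MIN_ENTROPY = 3.2               # bits per character; hex encoding tops out at 4.0
MAX_LABEL = 30                  # single labels this long are rare in normal names
BULK_QTYPES = {"TXT", "NULL"}   # record types that carry large payloads
BULK_SHARE = 0.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Last two labels of a name (assumption; real code would use the Public Suffix List)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text: str):
    """Parse the constructed log format; names are normalised to lower case."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def profile_domain(recs):
    """Per-domain features that separate a tunnel from ordinary lookups."""
    domain = registered_domain(recs[0]["qname"])
    subs = [r["qname"][:-len(domain) - 1] for r in recs if r["qname"] != domain]
    labels = [lab for s in subs for lab in s.split(".") if lab]
    # Entropy is measured on the longest label of each name, where payload would sit.
    entropies = [shannon_entropy(max(s.split("."), key=len)) for s in subs]
    return {
        "domain": domain,
        "queries": len(recs),
        "unique_ratio": len(set(subs)) / len(recs),
        "mean_entropy": sum(entropies) / len(entropies) if entropies else 0.0,
        "max_label": max((len(lab) for lab in labels), default=0),
        "bulk_share": sum(r["qtype"] in BULK_QTYPES for r in recs) / len(recs),
    }


def detect_tunneling(log_text: str):
    """Return [(domain, [reasons])] for domains that match at least two indicators."""
    by_domain = defaultdict(list)
    for r in parse_log(log_text):
        by_domain[registered_domain(r["qname"])].append(r)
    flagged = []
    for domain, recs in sorted(by_domain.items()):
        p = profile_domain(recs)
        if p["queries"] < MIN_QUERIES:
            continue
        reasons = []
        if p["unique_ratio"] >= UNIQUE_RATIO:
            reasons.append("almost every query is a new subdomain")
        if p["mean_entropy"] >= MIN_ENTROPY:
            reasons.append(f"high-entropy labels ({p['mean_entropy']:.2f} bits/char)")
        if p["max_label"] >= MAX_LABEL:
            reasons.append(f"long label ({p['max_label']} chars)")
        if p["bulk_share"] >= BULK_SHARE:
            reasons.append("TXT/NULL queries dominate")
        if len(reasons) >= 2:
            flagged.append((domain, reasons))
    return flagged


if __name__ == "__main__":
    for domain, reasons in detect_tunneling(SAMPLE_LOG):
        print(f"{domain}: {'; '.join(reasons)}")
```

Requiring two indicators rather than one keeps a single CDN with long cache-busting hostnames, or a legitimate TXT-heavy domain, from being flagged on its own; the retained query log is also what lets you go back and see when the first query to a flagged domain appeared.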
DNS Flood
Using a botnet, the attacker floods the host’s ports with IP packets. The sheer volume of DNS requests consumes the network’s bandwidth, making the DNS servers unavailable and taking the service offline. The load can be further amplified as legitimate users retry over and over to reach the offline services.
DNS Hijacking
DNS hijacking can give attackers critical company information through intercepted email and web traffic. There are three main ways DNS hijacking occurs:
- The attacker compromises and modifies your authoritative nameserver so that it points to one they control.
- They change the A record for your domain, redirecting traffic to their illegitimate site.
- Finally, attackers target the router, changing the DNS server that devices are handed once they connect.
DNS Cache Poisoning
Unlike DNS hijacking, cache poisoning goes after the resolver’s cache rather than the website’s DNS record on the authoritative nameserver. Local DNS cache values are overwritten with forged values so that the target is redirected to the attacker’s website. Attackers also often spoof the source address of the forged responses, making the attack difficult to defend against. This is also called DNS spoofing.
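What a resolver checks before it trusts a response determines how hard its cache is to poison. The following is an added example, not LiveAction’s code and simplified from what a real resolver does: it models the checks a recursive resolver applies to an incoming response (source address, destination port, transaction ID, question section) and then discards any record that lies outside the bailiwick of the server that was queried, since caching such out-of-zone records is the classic poisoning vector. The message structures, the sample query and responses, and the addresses (all from documentation ranges) are constructed for the example. The random source ports and query IDs recommended under best practices below are what give the port and transaction-ID checks their strength against an off-path forger.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]   # (owner name, record type, rdata)


@dataclass
class Outstanding:
    """What the resolver remembers about a query it has sent and not yet answered."""
    txid: int         # 16-bit transaction ID the resolver chose
    src_port: int     # UDP source port the resolver chose
    server_ip: str    # authoritative server the query went to
    zone: str         # zone that server is authoritative for (its bailiwick)
    qname: str
    qtype: str


@dataclass
class Response:
    """Fields of an incoming response that matter for the checks below."""
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    qtype: str
    answers: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def vet_response(q: Outstanding, r: Response) -> Tuple[List[Record], str]:
    """Apply the checks in order; return (records safe to cache, reason)."""
    if r.src_ip != q.server_ip:
        return [], "source address is not the server that was queried"
    if r.dst_port != q.src_port:
        return [], "destination port does not match the query's source port"
    if r.txid != q.txid:
        return [], "transaction ID mismatch"
    if (r.qname.lower(), r.qtype) != (q.qname.lower(), q.qtype):
        return [], "question section does not match the query"
    # A matching response may still carry records for names this server has no
    # authority over; caching those is how a poisoned entry gets in, so drop them.
    keep = [rec for rec in r.answers + r.additional if in_bailiwick(rec[0], q.zone)]
    return keep, "accepted"


def process(cache: Dict[Tuple[str, str], str], q: Outstanding, r: Response) -> str:
    """Vet r against q and insert only the surviving records into the cache."""
    keep, reason = vet_response(q, r)
    for name, rtype, rdata in keep:
        cache[(name.lower(), rtype)] = rdata
    return reason


# Constructed scenario (documentation addresses, not real hosts).
OUTSTANDING = Outstanding(txid=0x1A2B, src_port=40123, server_ip="192.0.2.53",
                          zone="example.com", qname="www.example.com", qtype="A")

# Genuine answer with in-zone glue for the nameserver.
LEGIT = Response(0x1A2B, 40123, "192.0.2.53", "www.example.com", "A",
                 answers=[("www.example.com", "A", "203.0.113.10")],
                 additional=[("ns1.example.com", "A", "192.0.2.53")])

# Forged response whose transaction ID does not match: rejected outright.
WRONG_TXID = Response(0x1A2C, 40123, "192.0.2.53", "www.example.com", "A",
                      answers=[("www.example.com", "A", "198.51.100.7")])

# Matching response that smuggles a record for an unrelated zone in the
# additional section: the answer is kept, the out-of-bailiwick record is not.
OUT_OF_BAILIWICK = Response(0x1A2B, 40123, "192.0.2.53", "www.example.com", "A",
                            answers=[("www.example.com", "A", "203.0.113.10")],
                            additional=[("login.example.net", "A", "198.51.100.7")])


if __name__ == "__main__":
    cache: Dict[Tuple[str, str], str] = {}
    for label, resp in [("legit", LEGIT), ("wrong txid", WRONG_TXID),
                        ("out-of-bailiwick glue", OUT_OF_BAILIWICK)]:
        print(f"{label}: {process(cache, OUTSTANDING, resp)}")
    print("cache:", cache)
```

The order of the checks mirrors what makes the attack expensive: source address and port must both be right before the transaction ID is even compared, and even a fully matching response cannot place a record for another zone in the cache.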
Why DNS Attacks Are on the Rise
Organizations are missing opportunities to close the DNS gap in a few ways, but it is also important to note that DNS was built at a time when security was not a high concern.
DNS is an application, so rolling it out is often treated as an admin task that is not owned by the security side of the house. When the SecOps team does not take ownership of DNS, it sits in a kind of orphaned zone without adequate attention. Monitoring DNS is uncommon, and its traffic often goes unexamined for suspicious activity.
DNS came about when many of the original internet protocols were being designed without security in mind. Hackers did not exist yet, so security considerations were not part of the design.
Some protections have since been created. For example, switching your external DNS server to Cloudflare or Infoblox gives you some protection. However, these DNS controls can be bypassed relatively easily to exfiltrate data.
Firewalls perform no behavioral inspection and usually have no restrictions configured for DNS traffic. They may try to inspect the payload, but if the payload is encrypted, it is simply allowed through.
Is There a Way to Protect Yourself from DNS Attacks?
Although the technology trying to address this problem space is relatively new, there are options to consider.
Find a network monitoring and detection platform that includes DNS monitoring and data-exfiltration protection. A historical log of DNS queries and responses makes forensic investigation possible and helps prevent further attacks.
Follow Best Practices
- Limit access to the nameserver.
- Use a domain registrar lock that requires approval before DNS records can be changed.
- Block external access to your DNS resolver.
- Require multi-factor authentication (MFA) to log in to the domain registrar account.
- Use random source ports and randomize query IDs.
DNSSEC (DNS Security Extensions) lets DNS resolvers authenticate the origin of the data they receive using digital signatures, and it helps harden your recursive server. You can check whether DNSSEC is properly set up for your domain by entering your domain name in the free tool operated by Verisign Labs.
LiveAction’s threat detection and response product, ThreatEye, closes the DNS monitoring gaps left by inadequate firewalls and detection tools. Deployed in front of a DNS server, ThreatEye correlates DNS queries with threat-intelligence scans and inspects encrypted sessions for indicators of attack without decrypting them.