DNS (Domain Name System) servers make it easier to browse the internet every day because they translate nominal addresses (ex.: websites) into IP addresses, which are much simpler for most users to remember. Picture having to save 15 different numeric combinations to access the web services you use most regularly. It’s no mission impossible, but it’s much easier to type www.google.com than http://192.168.5.5/, for example.

IP translation into domains makes our daily life much easier. But it can also hide great risks if you do not pay proper attention to security. Users have a hard time identifying DNS server attacks, which makes them even more effective for the attacker’s goals.

Direct to suspicious destinations

Most common DNS attack techniques aim to redirect users to incorrect destiny. For this, attackers use two main techniques: DNS Poisoning and DNS hijacking.

Poisoning

To reduce server overhead, DNS systems often save information on pages visited on a regular basis so that, in a future access, they can accelerate their loading with cache.

Nonetheless, this technique that aims to speed up domain redirection requests also poses a risk because an attacker may infiltrate the DNS server, in order to modify the information registered in the cache.

Whenever successful, the attacker can change the targeted IP number without effectively changing the address that the user browsed.

Hijacking

On the other hand, an attacker can use malware to hijack domain translation requests and redirect traffic to a malicious DNS server.

That is, instead of attacking the original DNS server, the criminal contaminates the local device or network with a malicious application capable of intercepting the traffic requests and directing them to a rogue server controlled by the criminal, who will finally send the user to a fake destination.

DNS Poisoning aims to attack the DNS server.

DNS Hijacking aims to attack local asset (device).

Malicious pages to which the user can be redirected are usually cloned (a phishing technique) for various purposes: disseminating loads of malware or unwanted applications, mining cryptocurrency, stealing information on spoofed access forms etc. And since the user typed the correct domain, they would hardly identify in (promptly) that he was a victim of this type of engineering.

Cause overload and unavailability of systems

However, DNS can be used in another type of malicious action, amplifying denial of service attacks. The DDoS technique aims to create overhead on a system until it is unable to sustain the volume of requests and becomes unavailable. When using a DNS server, the DDoS attack can result in two effects:

 

  • Instead of directing traffic from a botnet directly to the victim, the attacker sends requests to the DNS server. Botnet requests to the DNS server are configured to increase the response volume of each server. That is, with a relatively low volume of traffic requests, the attacker generates considerably larger response volumes, which are directed to the victim’s system;
  • Another way is to redirect the traffic requests to the DNS server in order to cause them to fail. The result is that without a system for translating names into IP numbers, targeting to the requested web pages will become unavailable *.

How to avoid a DNS attack?

As seen in the types of malicious strategy above, the final devices (either owned by a private user or a company) will have difficulty identifying that they are victim of this type of attack.

The first protection against this kind of scheme is to make sure that the DNS servers that your company uses, adopt advanced protection technologies and are updated frequently. Keeping servers under constant review is equally important (DNS services are often overlooked) to raise the visibility of your systems’ security. Clearing cache often on local networks and devices is also an important course of action.

Considering the two types of tampering of domain requisitions, it is worth considering as protection:

Poisoning

Protections for networks will be effective in identifying non-standard traffic. In this group, consider deploying the protection of a Firewall by controlling the data flow between your DNS server and the public network.

Hijacking

To identify malware involved in this type of attack, adoption of an ATP system is encouraged, for it is capable of protecting private networks against advanced threats, blocking IPs with a bad reputation. Likewise, Anti-Malware controls can be used to secure networks and email servers.

Since DNS servers are susceptible to DDoS attacks, it is important to adopt systems for monitoring and evaluating traffic requests within the enterprise. In this case, the adoption of products such as Next Generation Firewall and Intrusion Prevention System (IPS) is relevant.

Finally, considering your network security product, some best practices would be:

  • To restrict zone transfers, ensuring transfer only to specific IP addresses. This action avoids the exposure of information;
  • To use digital certificates to authenticate SSH sessions on the DNS server;
  • To review the use of ports. Close those that are not necessary or appropriate for DNS requests.

In addition to these best practices, consider following DNSSEC, which is a more secure name resolution standard, reduces the risk of manipulating data and information.

* Users who access a given page regularly may be able to access it through cache, but will not have access to page updates. Users who have no history would not be able to access whatsoever.