
Top 5 DNS attacks. How do you reduce its effects?

Zero Trust Network Access (ZTNA) and tight access controls can help organizations defend themselves against DNS attacks

Attacks against the Domain Name System (DNS), in which malicious actors exploit weaknesses in the DNS protocol and in how it is deployed, are very common and costly.

The Domain Name System (DNS) is under constant attack, and there seems to be no end to these attacks as the threats become more sophisticated. DNS is, in effect, the Internet's phone book: it is the part of the global Internet infrastructure that translates familiar names into the numeric addresses that computers need to reach a website or send email. While DNS has long been the target of attacks designed to steal all kinds of corporate and private information, the threats that have emerged over the past year indicate a worsening situation.

The job of DNS is to translate a name a user can type into a browser's address bar (a human-readable name) into the corresponding string of numbers (an IP address) that the device needs to reach a website or send email. Attacks on these essential systems can be extremely damaging.

A 2021 IDC survey of more than 1,100 organizations in North America, Europe, and the Asia-Pacific region found that 87% of them had experienced DNS attacks. The average cost of each attack was about $950,000 for all regions and about $1 million for North American organizations.

The report also noted that organizations across all industries experienced an average of 7.6 attacks over the past year.

The shift to remote work during COVID-19, and companies' move of resources into the cloud to increase their availability, have created new targets for attackers, according to the report.

The study also found a sharp increase in data theft via DNS: 26% of organizations reported theft of confidential customer information, up from 16% in 2020.

We present the most common types of DNS attacks.

DNS amplification triggers DDoS attacks

A DNS amplification attack is a common form of Distributed Denial of Service (DDoS) that uses open, publicly reachable DNS resolvers to overwhelm a target system with DNS response traffic.

According to the Cybersecurity and Infrastructure Security Agency (CISA), which leads US efforts to increase the resilience of the country's physical and electronic infrastructure, an attacker sends a lookup request for a DNS name to an open DNS server with the packet's source address spoofed to the target's address.

When the DNS server sends its response for that record, the response goes to the target rather than to the attacker. CISA said attackers typically request as much zone information as possible to maximize the amplification effect. In most attacks of this type observed by US-CERT, the queries sent by the attackers are of type "ANY", which returns all known information about a DNS zone in a single query.

Because the response is much larger than the request, the attacker multiplies the volume of traffic directed at the target. According to CISA, by using botnets to generate large numbers of such crafted DNS queries, an attacker can produce enormous network traffic with little effort.

Since the responses are legitimate data coming from valid servers, the agency said, these attacks are very difficult to prevent. The most common form observed by US-CERT involves DNS servers configured to allow unrestricted recursive resolution for any client on the Internet. CISA notes that attacks can also target authoritative name servers that do not provide recursive resolution.
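As an added illustration (this is not code from the Network World article or from CISA's guidance), the following Python scores resolver log lines for the pattern described above: many queries from one "client" with responses far larger than the requests, especially ANY queries. The log format, the addresses and the byte counts are constructed for the example; real resolver logs use different fields.

```python
# Added example (not from the article): score resolver log lines for
# amplification/reflection abuse. Log format and all values are constructed:
#   "<time> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>"
from collections import defaultdict

SAMPLE_LOG = """\
12:00:01 203.0.113.7 example.com ANY 64 3240
12:00:01 203.0.113.7 example.com ANY 64 3240
12:00:01 203.0.113.7 example.com ANY 64 3240
12:00:02 198.51.100.4 www.example.com A 60 76
12:00:02 198.51.100.4 mail.example.com MX 63 120
12:00:03 203.0.113.7 example.com TXT 64 1800
"""

def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, qname, qtype, qbytes, rbytes = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype,
            "query_bytes": int(qbytes), "response_bytes": int(rbytes)}

def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the target per byte the attacker had to send."""
    return response_bytes / query_bytes

def find_amplification_abuse(log_text, min_factor=10.0, min_queries=3):
    """Return {client: stats} for clients whose traffic looks like reflection.

    In a reflection attack the logged 'client' is the spoofed victim address,
    so the right response is to rate-limit responses toward it (response rate
    limiting) and to close open recursion, not to treat it as an attacker.
    ANY queries are flagged outright: RFC 8482 lets servers answer them
    minimally, so legitimate clients rarely need them.
    """
    stats = defaultdict(lambda: {"queries": 0, "bytes_in": 0, "bytes_out": 0, "any": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        s = stats[rec["client"]]
        s["queries"] += 1
        s["bytes_in"] += rec["query_bytes"]
        s["bytes_out"] += rec["response_bytes"]
        if rec["qtype"] == "ANY":
            s["any"] += 1

    flagged = {}
    for client, s in stats.items():
        factor = amplification_factor(s["bytes_in"], s["bytes_out"])
        if s["queries"] >= min_queries and (factor >= min_factor or s["any"] > 0):
            flagged[client] = {"queries": s["queries"], "any_queries": s["any"],
                               "factor": round(factor, 1)}
    return flagged

if __name__ == "__main__":
    for client, info in find_amplification_abuse(SAMPLE_LOG).items():
        print(client, info)
```

On the constructed sample the spoofed address 203.0.113.7 receives 45 bytes of response for every byte of request. The practical fix on the server side is to disable recursion for clients outside your own networks and enable response rate limiting; the detection above only tells you which address is being reflected onto.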

DNS spoofing / cache poisoning

In DNS spoofing, also known as cache poisoning, attackers exploit weaknesses in DNS resolvers to inject forged records into the resolver's cache, so that users are redirected to sites the attackers control. From there the attackers can steal personal data or intercept other information.

Once attackers can write to a resolver's cache, they can modify the answers it hands out (this is DNS poisoning). URLs that lead users to the poisoned destinations are often delivered in spam or phishing emails. These messages claim that some event requires immediate attention and push the user to click a link the attackers provide.

Resolvers forward queries to other DNS servers and cache the answers they receive, so a poisoned entry on one server can propagate to others; this is how the attack spreads far and wide. The main risk of DNS poisoning is data theft. Another big risk: if the domain of your security vendor is redirected, your computer may be exposed to additional threats such as viruses or Trojans because legitimate security updates will no longer be downloaded.
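To make the weakness concrete, here is an added example (not from the article) of the checks a caching resolver applies before it accepts an answer into its cache, and of why a random transaction ID alone is not enough: an off-path attacker who only has to guess a 16-bit ID can flood forged replies, so modern resolvers also randomize the source port and reject records outside the answering server's zone (the bailiwick rule). Messages are simplified Python dicts rather than wire-format packets, and all names, addresses and ports are constructed.

```python
# Added example (not from the article): the acceptance checks a caching
# resolver applies to an incoming answer, and the size of the space an
# off-path attacker must guess to forge one. Messages are simplified dicts,
# not wire-format DNS packets; names and addresses are constructed.
import secrets

def new_query(qname, qtype):
    """State kept for an outstanding query: random 16-bit ID and source port."""
    return {"txid": secrets.randbelow(1 << 16),
            "sport": 1024 + secrets.randbelow(65536 - 1024),
            "qname": qname.lower(), "qtype": qtype}

def in_bailiwick(name, zone):
    """True if name is the zone itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept_response(query, response, zone):
    """Return (accepted, reason). Every check must pass before caching.

    response: dict with txid, dport, qname, qtype, answers, additional,
    where each record is a (name, type, value) tuple and `zone` is the
    zone served by the server we sent the query to.
    """
    if response["txid"] != query["txid"]:
        return False, "transaction ID mismatch"
    if response["dport"] != query["sport"]:
        return False, "destination port does not match our source port"
    if (response["qname"].lower(), response["qtype"]) != (query["qname"], query["qtype"]):
        return False, "question section mismatch"
    # Bailiwick rule: a server for `zone` may not tell us about names outside
    # that zone; without it, extra "glue" records can poison unrelated names.
    for name, _, _ in response.get("answers", []) + response.get("additional", []):
        if not in_bailiwick(name, zone):
            return False, f"out-of-bailiwick record for {name}"
    return True, "accepted"

def forgery_search_space(port_randomized):
    """Number of (ID, port) combinations an off-path attacker must cover."""
    ids = 1 << 16
    ports = 65536 - 1024 if port_randomized else 1
    return ids * ports

# Constructed legitimate and forged responses for a query we "sent".
QUERY = {"txid": 0x1234, "sport": 40000, "qname": "www.example.com", "qtype": "A"}
GOOD = {"txid": 0x1234, "dport": 40000, "qname": "www.example.com", "qtype": "A",
        "answers": [("www.example.com", "A", "192.0.2.10")], "additional": []}
FORGED_ID = dict(GOOD, txid=0x1235)
POISONED_GLUE = dict(GOOD, additional=[("ns1.example.net", "A", "203.0.113.9")])

if __name__ == "__main__":
    for label, resp in [("good", GOOD), ("wrong id", FORGED_ID), ("bad glue", POISONED_GLUE)]:
        print(label, accept_response(QUERY, resp, "example.com"))
    print("guesses without port randomization:", forgery_search_space(False))
    print("guesses with port randomization:   ", forgery_search_space(True))
```

The last two lines of output show the point: 65,536 possibilities versus roughly 4.2 billion. DNSSEC validation, which the article does not cover, closes the gap entirely by letting the resolver verify signatures on the records rather than trusting the packet's envelope.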

DNS tunneling

Another common way to attack DNS, and one of the oldest, is DNS tunneling. These attacks encode malware, commands and other data inside DNS queries and responses in a client-server model. The payloads can give attackers control of the compromised system and let them manage it and its applications remotely.

Tunneling creates a covert connection between the attacker and the target, via a DNS resolver, that can bypass the firewall because DNS traffic is almost always allowed out. Cybercriminals use the tunnel for malicious activities such as data theft.

DNS tunneling usually depends on the compromised system being able to reach the internal DNS server, which in turn forwards the queries out to the attacker's name server on the Internet.
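Because the tunnel must push its data through query names, the labels look nothing like ordinary hostnames. The following added example (not from the article) groups queries by registered domain and flags domains whose subdomain labels are long and high-entropy, which is the usual first-pass detector for tunneling. The query names are constructed, and the registered-domain split uses the last two labels for simplicity; a real deployment would use a public suffix list so that domains like example.co.uk are grouped correctly.

```python
# Added example (not from the article): flag domains whose subdomain labels
# look like encoded data, the signature of DNS tunneling. Query names are
# constructed; the registered-domain split is a simplification (no public
# suffix list), so "co.uk"-style domains would need extra handling.
import math
from collections import Counter, defaultdict

SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.example.com",
    # hex-looking payload chunks, one per query, as a tunnel client would send
    "0123456789abcdef0123456789abcdef.evil-tunnel.test",
    "fedcba9876543210fedcba9876543210.evil-tunnel.test",
    "0f1e2d3c4b5a69780f1e2d3c4b5a6978.evil-tunnel.test",
]

def split_name(qname):
    """Return (subdomain_part, registered_domain) using the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def shannon_entropy(s):
    """Bits per character; random-looking base16/base32/base64 text scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def find_tunnel_candidates(qnames, min_entropy=3.5, min_length=20):
    """Group queries by registered domain and flag long, high-entropy subdomains.

    Returns {domain: {"queries", "mean_entropy", "mean_length"}} for hits.
    Averaging over all queries to a domain keeps a single odd-looking CDN
    hostname from tripping the rule on its own.
    """
    subs = defaultdict(list)
    for q in qnames:
        sub, domain = split_name(q)
        subs[domain].append(sub)
    flagged = {}
    for domain, parts in subs.items():
        mean_entropy = sum(shannon_entropy(p) for p in parts) / len(parts)
        mean_length = sum(len(p) for p in parts) / len(parts)
        if mean_entropy >= min_entropy and mean_length >= min_length:
            flagged[domain] = {"queries": len(parts),
                               "mean_entropy": round(mean_entropy, 2),
                               "mean_length": round(mean_length, 1)}
    return flagged

if __name__ == "__main__":
    for domain, info in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(domain, info)
```

In production the per-domain query rate and the volume of TXT or NULL responses are worth adding as signals, since a tunnel needs both directions; entropy alone will also flag legitimate services that embed hashes in hostnames, so treat hits as leads to investigate rather than verdicts.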

Fast flux evades security checks

Fast flux is a DNS evasion technique in which attackers use botnets to hide their phishing and malware infrastructure from security scanners: the constantly changing IP addresses of compromised hosts act as reverse proxies in front of the botnet's real back-end server.

The term "fast flux" also refers to the combination of peer-to-peer networking, distributed command and control, network load balancing and proxy redirection that is used to make a malware network resilient to detection and takedown.

The main idea behind fast flux is to have a large number of IP addresses associated with a single domain name, with the addresses swapped in and out at high frequency by rewriting the DNS resource records (typically with very short TTLs). The authoritative name servers for fast flux domains are usually hosted by the cybercriminals themselves.
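The short-TTL, large-address-set pattern is visible in passive DNS data. The following added example (not from the article) summarizes a series of observed answers per name and flags names that combine low TTLs with a large and changing set of addresses. The observations use documentation address ranges and are constructed for the example.

```python
# Added example (not from the article): detect fast-flux behaviour from a
# series of observed answers. Observations are constructed (documentation
# IP ranges); real data would come from passive DNS or resolver logs.
from collections import defaultdict

# (observed_at_seconds, qname, ttl, [A record addresses])
OBSERVATIONS = [
    (0,   "login.flux-example.test", 180, ["198.51.100.10", "203.0.113.22", "192.0.2.45"]),
    (300, "login.flux-example.test", 180, ["198.51.100.77", "203.0.113.5", "192.0.2.9"]),
    (600, "login.flux-example.test", 180, ["192.0.2.200", "198.51.100.31", "203.0.113.140"]),
    (0,   "www.example.com", 3600, ["192.0.2.1"]),
    (300, "www.example.com", 3600, ["192.0.2.1"]),
    (600, "www.example.com", 3600, ["192.0.2.1"]),
]

def summarize(observations):
    """Per name: distinct addresses seen, lowest TTL, and how many later
    observations introduced addresses never seen before (the churn a flux
    network shows as bots come and go)."""
    seen = defaultdict(set)
    summary = defaultdict(lambda: {"distinct_ips": 0, "min_ttl": None,
                                   "observations": 0, "churn_events": 0})
    for _, name, ttl, ips in sorted(observations):
        s = summary[name]
        s["observations"] += 1
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        new = set(ips) - seen[name]
        if new and s["observations"] > 1:
            s["churn_events"] += 1
        seen[name] |= set(ips)
        s["distinct_ips"] = len(seen[name])
    return dict(summary)

def find_fast_flux(observations, max_ttl=300, min_distinct_ips=6):
    """Flag names that combine short TTLs with a large, changing address set."""
    return {name: s for name, s in summarize(observations).items()
            if s["min_ttl"] <= max_ttl and s["distinct_ips"] >= min_distinct_ips
            and s["churn_events"] > 0}

if __name__ == "__main__":
    for name, info in find_fast_flux(OBSERVATIONS).items():
        print(name, info)
```

One caveat: content delivery networks also answer with short TTLs and many addresses. What separates a flux network in practice is that its addresses sit in consumer broadband ranges across many unrelated networks, so an ASN or geolocation lookup on the flagged addresses (not shown here) is the usual second step before acting on a hit.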

DNS hijacking/redirection

DNS hijacking (or DNS redirection) is the practice of subverting the way DNS queries are resolved. Cybercriminals do this with malware that overwrites a system's TCP/IP configuration to point at a rogue DNS server under the attacker's control, or by modifying the behavior of a trusted DNS server so that it no longer follows Internet standards. Bad actors use these modifications for malicious purposes such as phishing.

There are three main versions of DNS hijacking:

Attackers breach the account at the domain registrar and change the domain's name server (NS) records to servers they control.

Attackers change the domain's IP address (A) record so that it points to an address they control.

Attackers compromise the enterprise's router and change the DNS server address it hands out (typically via DHCP) to every machine that joins the network.

How to prevent DNS attacks

Organizations can adopt a number of practices to help reduce the risk of DNS attacks.

Here are some suggested practices:

Implement stronger access control

Companies need to take steps to better control who can access the network. One way is to require multi-factor (or two-factor) authentication to access online accounts and systems, so that users must present more than one kind of proof, such as a password plus a second factor like a one-time code or hardware token.

Companies should ensure that multi-factor authentication is enabled on all login accounts, and that passwords are hard to guess, stored securely and not reused across services.

CISA recommends that organizations immediately update the passwords for all accounts on systems that can change DNS records, including accounts in the organization's own DNS server software, the systems that manage that software, the management panels of external DNS operators, and DNS registrar accounts.

Use the zero trust principle

The zero trust approach to security is gaining momentum, thanks in part to increased support from the US federal government, as well as the hybrid and remote work models that many companies have adopted. Zero trust can play an important role in reducing DNS threats.

Research firm Gartner recommends that security and risk leaders implement two major zero trust networking projects to reduce risk. The first is Zero Trust Network Access (ZTNA), which abstracts and centralizes access mechanisms so that security engineers and staff are responsible for them.

ZTNA grants appropriate access based on the identity of users and their devices, as well as factors such as time and date, geographic location, historical usage patterns and device health. The result, Gartner says, is a safer and more resilient environment with greater flexibility and better monitoring.

The second project is identity-based network segmentation, which Gartner regards as an effective way to limit attackers' ability to move through the network once they are inside it.

The firm says identity-based segmentation reduces excessive implicit trust by letting organizations move individual workloads to a "default deny" model instead of "implicit allow". It uses dynamic rules that evaluate workload and application identity when deciding whether to allow network access.

Review and verify DNS records

CISA recommends that for all domains your organization owns and manages, you review the public records at the domain registrar to verify that the associated name server (NS) records delegate to the correct DNS servers. You should also review all DNS records on all authoritative (primary and secondary) DNS servers to verify that they resolve to their intended destinations.

Organizations should immediately investigate any discrepancy they find and treat it as a potential security incident. These steps help detect an active DNS hijack.
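This review is easy to script once a known-good baseline exists. The following added example (not from the article or from CISA) compares the NS set the registrar publishes and the records each authoritative server answers with against that baseline, and reports each discrepancy; it covers the registrar and A-record variants of hijacking described earlier. All data below is constructed; in practice the observed sets would be collected by querying the registrar's WHOIS/RDAP data and each authoritative server directly.

```python
# Added example (not from the article or CISA): compare the NS records the
# registrar publishes and the records each authoritative server answers with
# against a known-good baseline. All data below is constructed; in practice
# the observed sets would be collected by querying each server directly.

EXPECTED = {
    "ns": {"ns1.example.com", "ns2.example.com"},
    "records": {
        ("www.example.com", "A"): {"192.0.2.10"},
        ("mail.example.com", "MX"): {"10 mx.example.com"},
    },
}

# What the registrar currently lists (a rogue NS has been added, one removed).
REGISTRAR_NS = {"ns1.example.com", "ns-rogue.attacker.test"}

# What each authoritative server returned when asked directly; the secondary
# has been tampered with and points www at an attacker-controlled address.
SERVER_VIEWS = {
    "ns1.example.com": {
        ("www.example.com", "A"): {"192.0.2.10"},
        ("mail.example.com", "MX"): {"10 mx.example.com"},
    },
    "ns2.example.com": {
        ("www.example.com", "A"): {"198.51.100.66"},
        ("mail.example.com", "MX"): {"10 mx.example.com"},
    },
}

def audit_domain(expected, registrar_ns, server_views):
    """Return a list of findings; an empty list means everything matches."""
    findings = []
    for ns in sorted(registrar_ns - expected["ns"]):
        findings.append(f"registrar lists unexpected NS {ns}")
    for ns in sorted(expected["ns"] - registrar_ns):
        findings.append(f"registrar is missing expected NS {ns}")
    for (name, rtype), want in sorted(expected["records"].items()):
        for server, view in sorted(server_views.items()):
            got = view.get((name, rtype), set())
            if got != want:
                findings.append(f"{server}: {name} {rtype} is {sorted(got)}, "
                                f"expected {sorted(want)}")
        # Primary and secondary must agree even if the baseline itself is stale.
        answers = {frozenset(view.get((name, rtype), set())) for view in server_views.values()}
        if len(answers) > 1:
            findings.append(f"authoritative servers disagree on {name} {rtype}")
    return findings

if __name__ == "__main__":
    for finding in audit_domain(EXPECTED, REGISTRAR_NS, SERVER_VIEWS):
        print("FINDING:", finding)
```

Run on a schedule, each non-empty result is the "inconsistency" CISA says to treat as a potential incident. Querying every authoritative server separately, rather than only your usual recursive resolver, is what catches a tampered secondary that the primary still masks.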

Source: Network World

