Common DNS attacks

The Domain Name System (DNS) makes the Internet usable for humans. It is fundamental to the proper operation of virtually all Internet Protocol (IP) network applications, from web browsing to email, from messaging to multi-media applications and more. By its very nature, the global Internet DNS system serves as a distributed data repository containing domain names (e.g., web addresses) and corresponding IP address information. DNS has proven extremely effective and scalable in practice and most people take DNS for granted given its proven reliability. However, its essential function and decentralized architecture serve to attract attackers seeking to exploit its distributed structure and rich data store for sinister activities.

Every time you enter a web address or send an email, you use DNS. DNS translates human-preferred "www" names into computer-preferred binary addresses. This translation service is more commonly referred to as a name resolution process, whereby a web address is resolved to its IP address. A given web page may trigger several DNS lookups, since its hypertext reference (href), source (src) and other tags can each contain a distinct domain name. Each of these stimulates your browser to perform a DNS lookup to fetch the referenced image, video, file or script, and perhaps to pre-fetch links. And each time you click a link to navigate to a new page, the process repeats, with successive DNS lookups required to fully render the destination page.

Email relies on DNS for email delivery, enabling you to send email using the familiar user@destination syntax, where DNS identifies the destination’s IP address for transmission of the email. And DNS goes well beyond web or email address resolution. Virtually every application on your computer, tablet, smartphone, security cameras, thermostats and other “things” that access the Internet require DNS for proper operation. Without DNS, navigating and accessing Internet applications would be all but impossible.

This leads to our first motivator for attacking DNS: to wreak havoc! An outage or an attack that renders your DNS service unavailable, or that manipulates the integrity of the data contained within DNS, can effectively bring a network down from an end user perspective. Even if network connectivity exists, you won't be able to connect, unless of course you already know the IP address of the site to which you'd like to connect, which would mark you as unusually well prepared. Even then, while you could reach the site itself, you wouldn't see any linked images or content, which rely on DNS to be located and rendered.

Attacks that can bring down your DNS services include server attacks, attacks leveraging known vulnerabilities, and denial of service attacks. Domain hijacking is another form of attack whereby an attacker manipulates the domain structure to impersonate your domain. Man-in-the-middle attacks, where an attacker tricks a resolver into accepting a falsified query answer, can unwittingly steer users to impostor websites.

The second and potentially more menacing motivator is the use of DNS as an attack vehicle, particularly as covert transport. Just as DNS is the first step in allowing users to connect to websites, it is likewise usable by bad actors to connect to internal targets within your enterprise and external command and control (C&C) centers for updates and directives to perform nefarious tasks. Given the foundational necessity of DNS, DNS traffic is generally permitted to flow freely through networks, exposing networks to attacks that leverage this freedom of communications for name resolution or for tunneling of data out of the organization.

An attacker may attempt to install malware on one or more of your users' devices to enroll them under the control of the attacker, individually or as unwitting members of a botnet. A botnet is a collection of devices infected with the attacker's malware which can be summoned to perform nefarious tasks at the behest of the attacker. Such malware may be installed via several avenues, including phishing or spear phishing attacks that bait users into opening executable email attachments or installing software from an attacker website. Whether a device is attacked while inside the enterprise network or a user device is infected and then physically brought onto the network, if the device is trusted within the confines of an enterprise network it may have access to sensitive information. The malware may perform data collection, using DNS during reconnaissance to locate internal data sources and targets. DNS can then be used to identify the current IP address of the attacker's external destination for exfiltration of sensitive information.
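Added example (not the author's code) of the "DNS traffic and entropy analysis" that exposes tunnelling and exfiltration over DNS, run over a constructed resolver log. The log lines, the thresholds, and the assumption that the registrable domain is always the last two labels are all hypothetical choices for the illustration.

```python
import math
from collections import Counter

# Constructed resolver query log (not real traffic): time, client IP, qname, qtype
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com MX
10:00:03 10.0.0.5 cdn.static-assets.example.org A
10:00:04 10.0.0.9 j5hw2ylomnuwk4zanfxgm2lofvzxgzlt.t.example.net TXT
10:00:05 10.0.0.9 onxw2zlunbuw4zzanfzsa4tfmfwgs3th.t.example.net TXT
10:00:06 10.0.0.9 api.example.net A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_name(qname: str):
    """(subdomain, registrable domain); assumes two-label domains, no public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_query(qname: str, qtype: str,
                min_len: int = 30, min_entropy: float = 3.5) -> list:
    """Return the indicators that fire for one query (thresholds illustrative)."""
    sub, _ = split_name(qname)
    payload = sub.replace(".", "")
    reasons = []
    if len(payload) >= min_len:
        reasons.append("long subdomain")
    if shannon_entropy(payload) >= min_entropy:  # ordinary names sit near 3 bits
        reasons.append("high entropy")
    if qtype in ("TXT", "NULL"):  # answer types that carry bulky free-form data
        reasons.append("tunnel-friendly qtype")
    return reasons

def find_tunnel_candidates(log_text: str, min_indicators: int = 2) -> dict:
    """Group flagged queries by (client, registrable domain): a tunnel looks like
    one client sending one domain a stream of unique, odd-looking names."""
    hits = {}
    for line in log_text.splitlines():
        _, client, qname, qtype = line.split()
        reasons = score_query(qname, qtype)
        if len(reasons) >= min_indicators:
            _, domain = split_name(qname)
            hits.setdefault((client, domain), []).append(reasons)
    return hits
```

Entropy on its own is a weak signal for short names (cdn.static-assets scores just under 3 bits), which is why the example only reports a query when at least two indicators agree and then aggregates per client and domain.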

A reflection or amplification attack is another attack form that uses DNS as an attack instrument. DNS queries are sent to DNS servers using a spoofed source IP address. The spoofed address, which is the attack target, then receives the responses for these queries, and in large volumes those responses can deny service at the target.
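Added example (not the author's code and not BIND's or any vendor's implementation) of the DNS response rate limiting that blunts reflection: a token bucket per source network and response that drops repeated identical responses and lets every second suppressed one out truncated, so a genuine client retries over TCP while a spoofed source never does. The rate, burst, slip value and client addresses are assumed values for the scenario.

```python
import ipaddress
from collections import Counter, defaultdict

class ResponseRateLimiter:
    """Token bucket per (source network, response) in the spirit of DNS RRL.
    Added example, not BIND's or any vendor's implementation. Over the limit,
    responses are dropped, except every `slip`-th one, which goes out truncated
    (TC=1) so a real client can retry over TCP; a spoofed source never will."""

    def __init__(self, rate=5, burst=10, slip=2):
        self.rate, self.burst, self.slip = rate, burst, slip
        self._buckets = {}                   # key -> (credits, last_seen)
        self._over_limit = defaultdict(int)  # key -> count of suppressed responses

    @staticmethod
    def _key(client_ip, qname, rcode):
        addr = ipaddress.ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 56   # common RRL defaults
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."), rcode)

    def decide(self, client_ip, qname, rcode, now):
        """Return 'send', 'truncate' or 'drop' for one would-be response at time `now`."""
        key = self._key(client_ip, qname, rcode)
        credits, last = self._buckets.get(key, (self.burst, now))
        credits = min(self.burst, credits + (now - last) * self.rate)  # refill
        if credits >= 1:
            self._buckets[key] = (credits - 1, now)
            return "send"
        self._buckets[key] = (credits, now)
        self._over_limit[key] += 1
        if self.slip and self._over_limit[key] % self.slip == 0:
            return "truncate"
        return "drop"

def simulate_flood(limiter, spoofed_ip, count, qname="example.com", rcode="NOERROR", now=0.0):
    """Constructed scenario: `count` identical queries arriving at once with the
    victim's address as their spoofed source. Returns how each response was handled."""
    outcomes = Counter()
    for _ in range(count):
        outcomes[limiter.decide(spoofed_ip, qname, rcode, now)] += 1
    return outcomes

if __name__ == "__main__":
    rrl = ResponseRateLimiter(rate=5, burst=10, slip=2)
    print(simulate_flood(rrl, "203.0.113.7", 100))   # victim 203.0.113.7 (constructed)
    print(rrl.decide("198.51.100.20", "example.com", "NOERROR", 0.0))  # other client unaffected
```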

While DNS is the first step in IP communications, many enterprise security strategies trivialize or, startlingly, even ignore its role in communications, and therefore its susceptibility to attacks on this vital network service or on the network itself. Most security strategies and solutions focus on filtering "in-band" communications flows in order to detect and mitigate cyber-attacks. But DNS traffic provides an additional stream of information that can be used to help identify and troubleshoot attack incidents.

Consider adding a DNS layer to your defense in depth security approach. This DNS layer consists of several approaches that help identify and mitigate DNS attacks, as summarized below. I've linked some topics to videos that provide more details regarding the respective topics, while others will be addressed in future posts.

Attack type                             | DNS defense mechanism
----------------------------------------|------------------------------------------
DNS server attack                       | Role deployment, ACLs, server hardening
DNS, OS vulnerabilities                 | Apply patches, upgrades
DNS denial of service                   | Anycast and DNS rate limiting
DNS domain hijacking                    | Parent zone integrity checking
Man-in-the-middle data manipulation     | DNSSEC
Malware querying its C&C center         | DNS firewall
DNS tunneling                           | DNS traffic and entropy analysis
DNS reflection attack                   | DNS response rate limiting
Unencrypted DNS information in transit  | DNS over TLS, DNS over HTTPS, DNSCrypt
