DNS Security and DNS Attack Types

This blog is about what DNS is used for, how it can be exploited and how to protect it against attacks.

What is DNS?

DNS (Domain Name System) achieves translation of domain names into IP addresses. Since it is inconvenient for users to memorize IP addresses of each website they visit, human-readable domain names are used (ex. securityforeveryone.com instead of some 32-bit number). When the user makes a request to visit a website, basically the domain name is sent to the DNS servers and its IP address equivalent is returned back to the machine that sent the request.

How DNS Works?

DNS has a layered structure. There are a lot of DNS servers that communicate with each other. Each server is responsible for inferior ones in the hierarchy and other than that, there are servers that make queries from other servers. DNS queries may take long and sending a DNS request to servers each time a user wants to visit a website results in a poor experience since it is slow. So a mechanism called cache is used. Devices with higher accessibility (faster-responding ones like routers) have a DNS cache and they save incoming requests into their caches with a TTL value (Time to Live, decides how long a record will be kept in the cache). So we don’t have to wait that much for each query, especially for websites we visit the most.

A DNS query works like this: When a user requests a website, the domain name is looked up from the DNS cache of the local machine or closest devices like routers. If not found, the request is sent to the recursive DNS servers (DNS resolver). This server is decided by the ISP (Internet Service Provider) of the user. Recursive servers can both receive DNS queries or make a request to other DNS servers. If the record is not found there, the recursive server makes a request to the root server. Root servers are at the top of the hierarchy. They contain addresses for top-level domain servers. Top-level domain servers are responsible for gTLD (Generic Top Level Domain, like .com, .edu, .org etc.) or ccTLD (Country Code Top Level Domain, like .us, .co, .uk) and they contain addresses of other DNS servers to look up for the next query. So, each server on top has a reference to the bottom that shows where to look next. This goes on until a record is found in a server’s cache or the IP is returned from the bottom-most servers in the hierarchy.

DNS Record Types

There might be different types of data that is stored for a domain. Some are listed below.

A: IP address record for IPv4

AAAA: IP address record for IPv6

CNAME (Canonical Name): CNAME records resolve to another domain name. Assume there is a website “example.com” and it has a subdomain “sub.example.com” and this subdomain has a CNAME record “alt.website.com”. To resolve the IP address, another query to “alt.website.com” will be made.

MX: MX records are used for mail servers. Like the example above, a domain may take a different MX name for mail communication.

NS (Nameserver): NS records are critical for determining which server to look up to find a record. It points to the server in which the address can be directly resolved. There might be multiple nameservers used for a domain to increase sustainability, in this case multiple nameservers are listed in NS records.

TXT: TXT records are fields where any text data can be stored inside. These records are more flexible in use. Sometimes they are used to verify domain ownerships. They may also be used to ensure email security by storing domain names which can send emails in the name of our domain. This is a security measure against phishing and spam.

There is a query type known as ANY. ANY query requests all DNS records at once. So we can get all of the above mentioned records with a single request.

How to Exploit DNS?

There are several ways to exploit DNS. Most popular ones are: DNS amplification, DNS hijacking, DNS poisoning and DNS zone transfer.

DNS Amplification

DNS amplification attack is a type of DDOS (Distributed Denial of Service) attack. Its main principle is to use DNS servers to amplify the data stream that is sent, so an “amplified attack” is achieved using fewer attacker machines or lower bandwidth. Working principle:

1. The victim’s IP is spoofed by the attacker. That means when a DNS lookup query is sent to DNS servers by the attacker, its response will be sent to the victim instead of the attacker's machine. 

2. A domain with a lot of subdomains is found. (i.e. Assume there is a website example.com that has subdomains sub1.example.com, sub2.example.com…) this is one of the main factors that “amplify the attack” since we will return a lot of data with a short query.

3. Attacker device(s) start sending queries that demand all of the subdomains of the “example.com” domain using the spoofed IP address. If possible, this may be done via multiple DNS servers to further amplify the attack.

4. A big data stream of DNS response data is sent to the victim’s device. And the victim (for example a website) becomes unusable since it will have to deal with a great amount of DNS data. The amount of amplification can differ and can reach up to 100 times bigger.

Mitigation ways:

1. You should reduce the total number of open DNS resolvers.

2. You can use source IP verification for spoofed packets.

3. You should disable recursion on Authoritative Name Servers.

DNS Hijacking

DNS hijacking and DNS poisoning are mainly done to direct the users into malicious sites to make them download apps with malware, steal their credentials with phishing. DNS hijacking is basically altering the responses of the DNS lookups to return a fake address to the victims. DNS hijacking can be done in several ways. A malware can alter the DNS addresses on a device, a DNS server or a router’s cache; a MitM (Man in the Middle) attack can achieve this by pretending to be a DNS server.

Mitigation ways:

1. Hardening DNS configuration interfaces. For example; 2 factor authentication, changing default login credentials (default passwords are still a big issue)

2. Using encrypted DNS protocols to prevent MitM attacks (i.e. DoT, DoH)

3. Using client lock to prevent DNS changes from someone other than 

DNS Poisoning (DNS Cache Poisoning)

Cache poisoning is basically injecting a malicious address into the DNS cache to return a fake address to the victims. On a DNS system with very low or no security (unlikely to see today) this attack can be better understood, for example, assume that there is a DNS system with no encryption. And there is a concept of qID’s (query ID’s). When a request is sent to the DNS server, it is enumerated with a qID and if the response also has the same qID, the server resolves that it is the response for that query. Also assume that for every query that is sent, next qID is previous qID +1.

Sample scenario:

1. Attacker finds the approximate qID value on the DNS server for the currently sent queries, i.e. ~1000.

2. A dummy domain name is sent to lookup for the target domain record that will be injected into the cache (for example, the attacker requests “test123.facebook.com” for the server to fetch a record for “facebook.com”)

3. Attacker sends a stream of responses of which qIDs increase, if the attacker’s response arrives to DNS server before the real response and its qID matches the real one’s, server keeps the malicious IP into its cache instead of the real one.

Mitigation ways:

1. The qIDs might be randomized to make it difficult to guess and match.

2. The ports of communication between DNS servers might be randomized to keep the communication obscure.

3. Encryption might be used in communication.

DNS Zone Transfer

A DNS zone transfer is a type of DNS query in which a DNS server provides a full or partial copy of its internal DNS database to another DNS server. Zone transfers are used to replicate the DNS database across multiple DNS servers.A zone transfer is initiated by a client when it sends a DNS request to a server for a zone transfer. A zone transfer can be a full transfer, which copies the entire zone database, or a partial transfer, which copies only part of the database.Zone transfers are a necessary part of the DNS infrastructure, but they can pose a security risk if they are not properly configured. A malicious attacker could use a zone transfer to obtain sensitive information such as hostnames and IP addresses.

Mitigation ways:

1. Restrict zone transfers to authorized DNS servers: Only allow zone transfers to DNS servers that are explicitly authorized.

2. Use access control lists (ACLs): Configure ACLs to allow only authorized DNS servers to perform zone transfers.

3. Disable zone transfers: If possible, disable zone transfers altogether. This will prevent attackers from being able to obtain any information about the DNS zone.