A DNS is a cyberattack in which the vulnerabilities in the Domain Name System are exploited. DNS attacks are an important issue in cybersecurity because the DNS is a key part of the internet structure we know. Without DNS, the internet as we know it today would not be able to exist.
In this article, we’ll discuss what DNS is, what DNS cache is, which different types of DNS attacks there are and what you can do to prevent them.
What is DNS?
Let’s start with the basics. In short, DNS translates website domain names (such as www.example.com) into numbers, also known as IP addresses, to make them readable for devices. You can compare this to a massive phone book, in which you look up a name and then find the number.
It wouldn’t make sense to go through the whole phone book every time you want to call your parents. It works the same way with DNS: to prevent having to contact a DNS server each time you want to visit a website, your device stores the IP addresses in the DNS cache.
If your device doesn’t have the IP address stored in the DNS cache, it will ask a DNS server. If you want to know more about this process, check out our latest blog that tells you everything you need to know about DNS.
What is a DNS attack?
When hackers take advantage of DNS, this is called a DNS attack.
There are different kinds of DNS attacks. The most common ones are DoS & DDoS attacks, phantom domain attacks, NXDOMAIN attacks, random subdomain attacks, DNS domain lock-up attacks, DNS rebinding attacks, and DNS poisoning.
DoS & DDoS attacks
A Distributed Denial-of-Service (DDoS) attack is an attack focussed on interrupting regular traffic of a network or server by bombarding it with internet traffic. Even though a DDoS attack itself isn’t classified as a DNS attack, the DNS system is often a target.
If only one bot is used to attack a network or server, this is called a Denial of Service (DoS) attack. Generally, these have less impact than a DDoS attack. The reason for this is that DoS attacks are mostly localized.
To make it easier to understand, you can imagine a DDoS attack as a highway where everything is running smoothly until a huge traffic jam joins the highway. This traffic jam prevents normal traffic from moving.
Phantom domain attacks
A phantom domain attack is a variant of a DoS attack. It is aimed to disturb the performance of authoritative nameservers. This is done by setting up “phantom domains servers” that either don’t respond to DNS queries or do it super slowly.
This is problematic when a DNS server doesn’t know an IP address and contacts other servers to solve the queries. When a phantom domain attack happens, a DNS server will continuously query non-responsive servers. By doing this, a lot of resources are wasted. When all the resources are wasted, the DNS server will have serious performance issues.
An NXDOMAIN attack floods a DNS server with traffic from non-existent domain names. This is extremely problematic because it can clog a DNS server and makes it impossible for real users to visit a website.
DNS translates domain names as we know them into IP addresses that are readable by devices. In other words, DNS makes it possible for you to type www.example.com in a browser and get the website as a result. When an NXDOMAIN attack happens, you can type www.example.com in your browser, but won’t get to see the website. Instead of this, you’ll get an error message.
Random subdomain attacks
Random subdomain attacks are quite similar to NXDOMAIN attacks: they both flood a DNS server. However, with random subdomain attacks the DNS server is flooded with non-existed subdomains. What is meant by this is www.subdomain.example.com. If this link exists, DNS will find the IP address and the website will be shown.
However, if we change it for something random that doesn’t exist, such as www.azhd.example.com, the DNS server will be forced to look it up in the negative cache (where non-existent domains are stored). If the subdomain “azhd” is changed continuously, each query will make the DNS server turn to an authoritative server. This consumes resources.
DNS domain lock-up attack
DNS domain lock-up attacks also interrupt the connection between the server and the user. However, instead of sending a lot of SYN messages to the server, the tactic here is letting special domains or resolvers reply with random information. This keeps a DNS server busy and will eventually exhaust it.
DNS poisoning happens when you type in www.example.com in your browser, and the incorrect IP address is sent to your device. Instead of going to the right website, traffic will be diverted to wherever the attacker wants to send you. This is often a replica of the original site made to trick you. By doing this, the attacker might be able to distribute malware or even collect your login information.
DNS poisoning happens quite often because DNS servers rely on each other to find IP addresses and sometimes the wrong information is spread.
With DNS hijacking the attacker redirects a query to a different DNS server. This can be done through unauthorized modification of the server or with malware.
How can you prevent a DNS attack?
DNS attacks can be dangerous, however, they can be prevented. A few things you can do are:
- Always make sure that your DNS server and it’s operating system are up-to-date
- Make sure only users that are connected to your network can use your DNS server
- Use two-factor authentication
- Use DNSSEC to validate the integrity of DNS queries
Using the internet on a device starts with the DNS. Unfortunately, DNS is an easy to attack system. Therefore, managing DNS is an essential part of any business’s online security plan.