Cyber Attacks Explained: DNS Invasion
Scope of Article
We always read in the news about some website being defaced, its pages changed to show malicious content. It makes us wonder how exactly hackers do it, and how we can protect our infrastructure. Today we are going to learn about DNS (Domain Name System) and the ways hackers use to invade it. DNS invasion is a technically advanced technique and hence a harmful attack on a network or web infrastructure. Through this article, network administrators are encouraged to learn about it and devise ways to secure the network infrastructure under their management.
How DNS Works
As we all know, the DNS system was put in place because it is impossible for human beings to remember number-coded IP addresses, whereas it is easy to remember user-friendly character-based names. The DNS system was created in an era when the internet was a friendly place. As for the underlying technology, the domain name system uses UDP (User Datagram Protocol) to fetch the IP address for a given domain name.
When an application such as a browser wants to connect to a destination service, it queries the DNS server asking for the IP address. This query is sent over UDP port 53 as a single request, and receives a single-packet reply from the server. Since the classic DNS message over UDP is limited to 512 bytes, a reply that does not fit is flagged as truncated and the protocol stack automatically repeats the query and reply over TCP.
When the client machine receives a reply, it updates its own local cache with the received entry, which is useful for subsequent queries to the same domain. Entries in the local cache carry their own TTL (Time to Live), after which they are purged automatically.
The DNS system uses various record types such as A, CNAME, SOA, MX, etc. It is important for network administrators to know the usage of each record and to think from a security standpoint while implementing them.
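To make the mechanics above concrete, here is an added illustration (not code from the article) that builds a DNS query by hand, parses a reply, checks the truncation flag that triggers the TCP retry, and keeps a small cache that honours each record's TTL. The reply is constructed inline and the 192.0.2.0/24 address is a documentation range, so nothing here talks to a real server; the function and class names are my own.

```python
import struct
import time

# Added illustration (not code from the article): DNS wire format by hand.
# The reply is constructed inline; 192.0.2.10 is from a documentation range.
TYPE_A = 1
CLASS_IN = 1
UDP_MAX_PAYLOAD = 512      # classic DNS-over-UDP message limit (RFC 1035)
FLAG_QR = 0x8000           # set in responses
FLAG_TC = 0x0200           # truncated: client should retry over TCP
FLAG_RD = 0x0100           # recursion desired
FLAG_RA = 0x0080           # recursion available


def encode_name(name: str) -> bytes:
    """Encode a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes long")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = TYPE_A) -> bytes:
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following 0xC0xx compression pointers.
    Returns (name, offset just past the name as written in the message)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer sections. 'truncated' means the reply
    exceeded UDP_MAX_PAYLOAD and the same query must be repeated over TCP."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"txid": txid, "is_response": bool(flags & FLAG_QR),
              "truncated": bool(flags & FLAG_TC), "rcode": flags & 0x000F,
              "answers": []}
    offset = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _qname, offset = decode_name(msg, offset)
        offset += 4                            # QTYPE + QCLASS
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        result["answers"].append({"name": name, "type": rtype, "ttl": ttl, "data": rdata})
    return result


class DnsCache:
    """Minimal stub-resolver cache: an entry is served until its TTL elapses."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._entries = {}                     # name -> (expires_at, data)

    def store(self, name: str, ttl: int, data) -> None:
        self._entries[name.lower()] = (self._clock() + ttl, data)

    def lookup(self, name: str):
        entry = self._entries.get(name.lower())
        if entry is None:
            return None
        expires_at, data = entry
        if self._clock() >= expires_at:        # purge on expiry
            del self._entries[name.lower()]
            return None
        return data


def constructed_response(txid: int) -> bytes:
    """Constructed reply to build_query(txid, 'example.com'): one A record,
    TTL 300, address 192.0.2.10, owner name compressed to offset 12."""
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


if __name__ == "__main__":
    reply = parse_response(constructed_response(0x1234))
    cache = DnsCache()
    for rr in reply["answers"]:
        cache.store(rr["name"], rr["ttl"], rr["data"])
    print(reply, cache.lookup("example.com"))
```

The bytes returned by build_query are exactly what a stub resolver would send to UDP port 53; a real client would also check that the reply's transaction ID matches the one it sent before trusting the answer, which is the check the later section on spoofing relies on.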
Types of DNS Queries
Iterative DNS Query
When a client queries a DNS server asking whether it has the answer for a given domain name, the DNS server may or may not have the answer ready. If the DNS server doesn't have an answer, instead of dropping the request, it refers the client to an upstream DNS server that might have the answer. This process continues until the client either gets an IP address or a query-failed error message.
Recursive DNS Query
In this type, the client sends a single query and the queried DNS server traverses the chain of available DNS servers on the client's behalf until it either gets an IP address or an error message. Iterative queries are usually made by DNS servers, whereas recursive queries are made by client hosts, which relieves them of the burden of performing referral searches.
DNS Security Attacks
System administrators often spend a lot of time securing applications, servers and other infrastructure components, but tend to forget about hardening DNS servers. By design, DNS relies heavily on the UDP protocol and lacks built-in authentication, and is thus more susceptible to attack. Let's take a look at common DNS attacks.
1. DNS Cache Poisoning
A hacker alters local DNS cache entries so that they point to malicious IPs. This can happen on the client machine or on the DNS server itself. Users may unknowingly land on malicious websites hosting viruses or phishing content.
2. DNS Hijacking
Instead of altering local cache entries, hackers change the DNS server the client uses to one of their own. This lets them collect browsing statistics, redirect users to malicious websites, or use the data for social engineering.
3. DNS Spoofing
A man-in-the-middle attack in which hackers spoof DNS responses after poisoning ARP caches or otherwise intercepting traffic. DNS ID spoofing is another variant, in which attackers inject false IPs by mimicking the unique identifiers (transaction IDs) carried in requests.
4. DNS Rebinding
Also called DNS pinning, this is where attackers register domains with very low TTL values, preventing caching. When users visit these domains, malicious scripts delivered to their browsers install malware or redirect traffic.
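The defence against a very low TTL is to stop trusting it: a server-side component that fetches user-supplied hostnames should refuse answers that point at internal addresses and should hold on to the first accepted answer for a minimum period, so a one-second TTL cannot swap the address underneath it. The following is an added example (not code from the article, and not any particular product's implementation) of that guard. Resolution is injected as a callable so the code runs offline on constructed answers; in production it would wrap socket.getaddrinfo. The hostnames are made up, 8.8.8.8 stands in only for "some public address", and the class and function names are my own.

```python
import ipaddress
import time

# Added example (not from the article): a rebinding-resistant resolver wrapper.
# Names, addresses and the scripted answers below are constructed.
MIN_PIN_SECONDS = 60


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local or
                ip.is_multicast or ip.is_reserved or ip.is_unspecified)


class RebindingError(Exception):
    """Raised when a hostname resolves to an address the fetcher must not contact."""


class PinnedResolver:
    def __init__(self, resolve, clock=time.monotonic, pin_seconds=MIN_PIN_SECONDS):
        self._resolve = resolve           # callable: hostname -> (address, ttl_seconds)
        self._clock = clock
        self._pin_seconds = pin_seconds
        self._pins = {}                   # hostname -> (address, pinned_until)

    def resolve_pinned(self, host: str) -> str:
        host = host.lower().rstrip(".")
        now = self._clock()
        pinned = self._pins.get(host)
        if pinned is not None and now < pinned[1]:
            return pinned[0]              # reuse the pinned answer; ignore fresh DNS
        address, ttl = self._resolve(host)
        if not is_public_address(address):
            raise RebindingError(f"{host} resolved to non-public address {address}")
        # Honour a long TTL, but never pin for less than pin_seconds.
        self._pins[host] = (address, now + max(ttl, self._pin_seconds))
        return address


def scripted_resolver(answers):
    """Constructed resolver that returns the listed (address, ttl) answers in order
    and then repeats the last one. It models a rebinding domain that first answers
    with a public address and then with loopback."""
    calls = {"n": 0}

    def resolve(_host):
        answer = answers[min(calls["n"], len(answers) - 1)]
        calls["n"] += 1
        return answer
    return resolve


if __name__ == "__main__":
    resolver = PinnedResolver(scripted_resolver([("8.8.8.8", 1), ("127.0.0.1", 1)]))
    print(resolver.resolve_pinned("rebind.example"))   # public answer, now pinned
    print(resolver.resolve_pinned("rebind.example"))   # still pinned, not re-resolved
```

The important design choice is that the pin is keyed on the hostname and outlives the record's TTL, and that the non-public check runs on every fresh answer rather than only the first; both are needed, because an attacker controls both the TTL and the sequence of answers.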
5. DNS Denial of Service (DoS)
Attackers bombard DNS servers with excessive queries or SYN floods to overwhelm CPU and memory, eventually preventing the server from responding to legitimate queries.
6. DNS Amplification
Hackers exploit DNS servers to amplify traffic, overwhelming resources. Techniques include cache poisoning to redirect queries, or forcing the server to emit excessively large replies for a domain name, producing the effect of a DDoS attack.
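Both the query flood in the previous section and amplification leave a signature in the resolver's query log: a burst of queries from one address inside a short window, and a reply-to-query byte ratio far above normal for that address (in a reflection attack the "client" is the spoofed victim, which is exactly what response rate limiting throttles). The following added example (not code from the article) runs those two detection passes over constructed log lines. The log format is a simplified one of my own, not BIND's real querylog syntax, the addresses are documentation ranges, and the thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict

# Added example (not from the article). Constructed, simplified log format:
#   <epoch> <client_ip> <qname> <qtype> <query_bytes> <reply_bytes>
LOG_LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            ts, client, qname, qtype, qlen, rlen = m.groups()
            records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                            "qtype": qtype.upper(), "qlen": int(qlen), "rlen": int(rlen)})
    return records


def find_flood_sources(records, window_seconds=1, max_queries=50) -> set:
    """Clients exceeding max_queries in any window: the query-flood DoS pattern."""
    buckets = Counter((r["client"], r["ts"] // window_seconds) for r in records)
    return {client for (client, _bucket), n in buckets.items() if n > max_queries}


def amplification_factors(records) -> dict:
    """Per client: total reply bytes divided by total query bytes."""
    reply_bytes = defaultdict(int)
    query_bytes = defaultdict(int)
    for r in records:
        reply_bytes[r["client"]] += r["rlen"]
        query_bytes[r["client"]] += r["qlen"]
    return {c: reply_bytes[c] / query_bytes[c] for c in reply_bytes}


def find_amplification_candidates(records, min_factor=10.0, min_queries=20) -> set:
    """Clients receiving a large volume of heavily amplified replies; these are the
    addresses a response-rate-limiting policy would throttle."""
    counts = Counter(r["client"] for r in records)
    return {c for c, f in amplification_factors(records).items()
            if f >= min_factor and counts[c] >= min_queries}


def constructed_log() -> str:
    """Two ordinary lookups plus a burst of 80 ANY queries for one name from a
    single address inside one second. All addresses are documentation ranges."""
    lines = ["1700000000 203.0.113.5 example.com A 40 56",
             "1700000002 203.0.113.5 mail.example.com MX 45 90"]
    lines += ["1700000001 198.51.100.9 example.com ANY 40 3100"] * 80
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_log(constructed_log())
    print("flood sources:", find_flood_sources(recs))
    print("amplification candidates:", find_amplification_candidates(recs))
```

In practice the window and thresholds are tuned to the resolver's normal traffic, and the two signals are combined: a single client with both a high query rate and a high amplification factor is a much stronger indicator than either alone.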
7. DNS URL Phishing
Attackers register URLs similar to those of legitimate financial institutions, design lookalike login pages, and trick users into revealing their credentials through phishing emails.
Protecting FOSS Systems
Open-source DNS implementations such as BIND are widely used but vulnerable when left unhardened. Security measures include:
- Locking down DNS servers at the network level
- Running only DNS-related software on DNS servers
- Deploying firewalls, UTM devices, antivirus, and IDS
- Randomizing DNS identifiers and UDP ports to prevent spoofing
- Implementing DNSSEC to digitally sign DNS records and prevent cache poisoning
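The identifier and port randomisation measure above, and the DNS ID spoofing variant described earlier, come down to resolver-side bookkeeping: each pending query is remembered by its random transaction ID and random source port together with the server it went to and the question asked, and a reply is accepted only if every one of these matches, and only once. The following is an added example (not code from the article or from BIND) of that logic. It also includes the standard bailiwick rule of ignoring records whose owner name lies outside the zone the answering server was asked about, which is a common cache-poisoning defence not listed in the article. Names and addresses are constructed and the function names are my own.

```python
import secrets

# Added example (not from the article): pending-query table with random
# transaction IDs and source ports, plus a bailiwick check. Constructed data.
EPHEMERAL_MIN, EPHEMERAL_MAX = 1024, 65535


class PendingQueries:
    def __init__(self):
        self._pending = {}   # (txid, src_port) -> (server, qname, qtype)

    def register(self, server: str, qname: str, qtype: int):
        """Allocate a fresh random (txid, port) pair for a query sent to server."""
        while True:
            txid = secrets.randbelow(1 << 16)
            port = EPHEMERAL_MIN + secrets.randbelow(EPHEMERAL_MAX - EPHEMERAL_MIN + 1)
            if (txid, port) not in self._pending:
                break
        self._pending[(txid, port)] = (server, qname.lower().rstrip("."), qtype)
        return txid, port

    def accept(self, txid: int, dst_port: int, source: str, qname: str, qtype: int) -> bool:
        """True only if this reply matches an outstanding query in every field.
        The entry is consumed, so a second copy (late spoof or replay) is rejected."""
        expected = self._pending.get((txid, dst_port))
        if expected is None:
            return False
        if expected != (source, qname.lower().rstrip("."), qtype):
            return False
        del self._pending[(txid, dst_port)]
        return True

    def outstanding(self) -> int:
        return len(self._pending)


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is zone itself or a subdomain of it, compared label-wise so
    that 'notexample.com' is not treated as inside 'example.com'."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def spoof_search_space(randomize_port: bool) -> int:
    """Number of (txid, port) combinations an off-path forger must guess.
    With a fixed port only the 16-bit ID protects the resolver."""
    txids = 1 << 16
    ports = (EPHEMERAL_MAX - EPHEMERAL_MIN + 1) if randomize_port else 1
    return txids * ports


if __name__ == "__main__":
    table = PendingQueries()
    txid, port = table.register("192.0.2.53", "www.example.com", 1)
    print(table.accept(txid, port, "192.0.2.53", "www.example.com", 1))   # True
    print(table.accept(txid, port, "192.0.2.53", "www.example.com", 1))   # False: consumed
    print(spoof_search_space(False), spoof_search_space(True))
```

Two details matter operationally: the source port must come from the full ephemeral range rather than a single fixed port (otherwise spoof_search_space collapses to 65536), and a reply that fails any check should be dropped silently and counted, because a sudden rise in rejected replies is itself a useful detection signal.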
Summary
DNS invasion exploits design loopholes to gain access to IT infrastructure or to lure client machines into phishing traps. Network administrators must understand these attack techniques and protect their infrastructure against data theft and outages.
About the Author
The author has over 18 years of experience in IT hardware, networking, web technologies, and IT security. Prashant is MCSE, MCDBA certified and also an F5 load balancer expert. He runs his own firm, Valency Networks in India (www.valencynetworks.com), providing consultancy in IT security, security audit, infrastructure technology, and business process management. Contact: prashant@valencynetworks.com