What is a DNS attack and how can I defend against it?
What is DNS?
The easiest way to explain the Domain Name System (DNS) is to think of DNS as a phone book. Computers query a DNS server to look up a domain name and get back the IP address associated with it, much as you would use a phone book to look up someone's telephone number. Once your computer has the IP address from DNS, it sends a request to that IP address to get the information required to display the website or service. DNS is required if you host a website or other services for your own employees or customers.
DNS is also used inside a network, especially in an Active Directory domain environment, to locate resources on the internal network. In that environment, DNS is typically installed on a domain controller.
Why attack DNS?
Attackers either want information or want to damage systems. The methods they use can stop DNS from responding or, worse, direct you to a malicious site that then compromises your system with malware or ransomware. There are several ways to attack DNS; we cover some of the most common forms below.
Zero Day Exploits
Zero-day exploits are exploits that have just been released into the wild, either by individuals with malicious intent or by researchers trying to bring the flaw to light so that the developer of the DNS server fixes it. These exploits are dangerous because, most often, they have not yet been patched. If the exploit is severe enough, developers may release a patch outside of their normal patch cycle. This is why it is important to have a patch management process in place to update servers and workstations on a regular basis.
DNS poisoning and hijacking
DNS poisoning is a method by which an attacker gains access to a DNS server and then "poisons", or changes, records in the DNS cache, causing users to be redirected to a site other than the one they are trying to reach. DNS hijacking is similar, except that instead of changing records in the DNS cache, the records in DNS itself are changed. Hijacking is typically seen where weak passwords protect the accounts that can access and change DNS. In both poisoning and hijacking the goal is to trick users into divulging information, typically account passwords, or into installing ransomware on their machines.
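To make the lookup described under "What is DNS?" and the poisoning and hijacking scenario above concrete, here is an added Python example (not code from the original article) that parses a DNS answer packet the way a client does and compares the returned address against a baseline of records the defender knows to be correct; an answer that disagrees with the baseline is exactly the kind of evidence that a cache has been poisoned or a record hijacked. The zone names, the addresses and the EXPECTED_A_RECORDS baseline are constructed for the example, and the packets are built in code rather than captured from a network.

```python
import ipaddress
import struct

# Baseline of expected A records for a hypothetical zone (constructed for
# this example; a defender would export these from the zone file or the
# registrar/provider control panel).
EXPECTED_A_RECORDS = {
    "www.example.com.": {"192.0.2.10"},
    "mail.example.com.": {"192.0.2.25"},
}


def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. 3www7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_a_response(txid, name, ips, ttl=300):
    """Build a minimal DNS answer packet (constructed test data, not captured)."""
    # Flags 0x8180: this is a response, recursion desired and available, no error.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        # 0xC00C is a compression pointer to the name at offset 12 (the question).
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)
        answers += ipaddress.IPv4Address(ip).packed
    return header + question + answers


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels = []
    end = None
    hops = 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name ends right after the first pointer
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_a_answers(msg):
    """Return [(name, ip, ttl)] for every A record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return answers


def check_answers(answers, expected=EXPECTED_A_RECORDS):
    """Flag any answer whose address is not in the baseline for that name."""
    alerts = []
    for name, ip, ttl in answers:
        if name in expected and ip not in expected[name]:
            alerts.append(
                f"{name} -> {ip} (ttl {ttl}) does not match baseline "
                f"{sorted(expected[name])}: possible poisoning or hijacking"
            )
    return alerts


def demo():
    """Check one clean and one tampered (constructed) response against the baseline."""
    clean = build_a_response(0x1234, "www.example.com.", ["192.0.2.10"])
    tampered = build_a_response(0x1234, "www.example.com.", ["198.51.100.66"])
    return check_answers(parse_a_answers(clean)), check_answers(parse_a_answers(tampered))


if __name__ == "__main__":
    for alert in demo()[1]:
        print(alert)
```

In practice the same check is run on answers obtained from your own resolvers on a schedule, and any mismatch is raised with the people who can inspect the resolver cache and the provider's record set.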
Denial of Service
Denial of service attacks have one goal: to disrupt a service enough to make the server fail. An attacker uses an infected machine to flood the DNS server with queries in the hope of making it fail. A distributed denial of service attack is similar but uses many infected machines at once. These attacks typically target DNS servers on the internet but are also seen on internal networks.
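As an added example (not from the original article), the following Python script runs a simple flood detector over constructed DNS query-log lines. It keeps a sliding-window count per client, which catches the single infected machine described above, and a server-wide count, which catches the distributed case where each source stays under the per-client limit but the total still overwhelms the server. The log line format, the thresholds and all addresses are assumptions made for the example; adapt LINE_RE to your resolver's query-log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Log line format assumed for this example (constructed; adapt the regex to
# your resolver's query-log format):
#   2024-05-01T10:00:00.000+00:00 client=203.0.113.5 query=www.example.com type=A
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) query=(?P<qname>\S+) type=(?P<qtype>\w+)$"
)


def parse_line(line):
    """Return (datetime, client, qname, qtype), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["client"], m["qname"], m["qtype"]


def detect_query_floods(lines, window=10.0, per_client_limit=50, total_limit=200):
    """Sliding-window counters over time-ordered log lines.

    Emits one alert per client whose query count inside `window` seconds
    exceeds per_client_limit (single-source flood) and one alert when the
    server-wide count exceeds total_limit (distributed flood, where each
    source may individually stay under the per-client limit).
    """
    per_client = defaultdict(deque)
    overall = deque()
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, _qname, _qtype = rec
        t = ts.timestamp()
        q = per_client[client]
        q.append(t)
        while t - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        overall.append(t)
        while t - overall[0] > window:
            overall.popleft()
        if len(q) > per_client_limit and client not in flagged:
            flagged.add(client)
            alerts.append(("client_flood", client, len(q)))
        if len(overall) > total_limit and "*" not in flagged:
            flagged.add("*")
            alerts.append(("aggregate_flood", "*", len(overall)))
    return alerts


def sample_log():
    """Constructed query log: three normal clients plus one flooding source."""
    base = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i, client in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        for j in range(2):
            events.append((base + timedelta(seconds=3 * i + j), client, "www.example.com"))
    # One source sends 80 queries for distinct names within four seconds.
    for k in range(80):
        events.append((base + timedelta(milliseconds=50 * k), "203.0.113.5", f"q{k}.example.com"))
    events.sort()  # the detector expects time-ordered input
    return [
        f"{ts.isoformat(timespec='milliseconds')} client={c} query={n} type=A"
        for ts, c, n in events
    ]


if __name__ == "__main__":
    for alert in detect_query_floods(sample_log()):
        print(alert)
```

The thresholds here are deliberately low so the constructed log trips them; on a real resolver they are set from a few days of normal traffic, and the alert is the trigger for rate limiting or upstream filtering rather than a verdict on its own.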
How to protect DNS?
First, if your DNS servers are hosted on your internal network, it is important that they are patched regularly. Patch management helps here because it is automated and reports any issues that require manual intervention. If you use an external DNS service, choose a reputable provider that has security measures in place to protect DNS and to help prevent denial of service attacks and poisoning. Also, use a strong password so that your DNS cannot be hijacked.
One technology that is coming down the pipe is DNS over HTTPS, which secures DNS end to end and prevents man-in-the-middle attacks on DNS. It is not yet supported by the major operating systems but should be within the next few years as more and more providers move to it.
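To show what DNS over HTTPS actually is, here is an added Python example (not code from the article or from any DNS provider) that builds a DoH request as specified in RFC 8484 without sending it: the DNS message itself is the ordinary wire format, and it is carried either in the `dns` query parameter of a GET (base64url, no padding) or as the body of a POST with the `application/dns-message` media type. What an eavesdropper on the path loses is the ability to read or alter the message, because it travels inside the HTTPS connection between the client and the resolver. The resolver URL is a placeholder and the queried name is constructed.

```python
import base64
import struct

# Placeholder resolver endpoint for the example (not a real service).
RESOLVER_URL = "https://doh.example.net/dns-query"


def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. 3www7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1):
    """Wire-format DNS query (RFC 1035); ID 0 as RFC 8484 recommends so HTTP caches can match it."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags 0x0100: recursion desired
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN


def doh_get_url(wire, resolver=RESOLVER_URL):
    """GET form: the wire message goes in the `dns` parameter, base64url without padding."""
    token = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={token}"


def doh_post_request(wire, resolver=RESOLVER_URL):
    """POST form: the raw wire message is the body, with the DoH media type."""
    return {
        "method": "POST",
        "url": resolver,
        "headers": {
            "Content-Type": "application/dns-message",
            "Accept": "application/dns-message",
        },
        "body": wire,
    }


def decode_dns_param(token):
    """Recover the wire-format message from a `dns=` parameter (padding re-added)."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def parse_question(wire):
    """Return (qname, qtype) from the question section of a wire-format query."""
    offset = 12  # the question follows the 12-byte header
    labels = []
    while wire[offset] != 0:
        length = wire[offset]
        labels.append(wire[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    qtype = struct.unpack("!H", wire[offset + 1:offset + 3])[0]
    return ".".join(labels) + ".", qtype


if __name__ == "__main__":
    wire = build_query("www.example.com")
    print(doh_get_url(wire))
    print(doh_post_request(wire)["headers"])
```

The round trip through decode_dns_param shows that nothing about the DNS message changes with DoH; the protection is the TLS session, which is why the resolver you point DoH at still has to be one you trust, just as the previous paragraph says about choosing a reputable provider.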
If you have any questions about DNS or DNS attacks, contact your on-demand IT partner, SandStorm IT, at (901) 475-0275.