How to Protect Your Business from the Top 10 DNS Attacks?

Browsing the internet is an everyday activity. We barely think about it: we type what we are looking for into the browser and it does the rest of the work. This is possible because of the Domain Name System (DNS), which translates the names we type into the IP addresses that computers actually use.

Although the Domain Name System is powerful, it has many weaknesses, mainly due to configuration errors.

There are many types of DNS attacks, and they hit thousands of companies and systems around the world every day. Read on to learn more about the threats you may face and how to prevent them. Good reading!

1. Distributed Reflection DoS Attack (DRDoS)

Imagine many spoofed queries, crafted to elicit a very large response, being sent to several open recursive servers. This is how this attack works: it uses third-party resolvers or authoritative DNS servers, which become involuntary accomplices.

The attack is powerful and its havoc hits even massive servers: multiple machines are used at the same time to create hundreds or even thousands of gigabits of traffic per second against the target.

2. Cache Poisoning Attack (DNS Spoofing Attack)

In this attack, forged DNS data is planted in a resolver's cache so that user requests are intercepted and redirected to a page controlled by the criminal. There, the user is led to enter confidential information (document numbers, credit card numbers, logins and passwords, among others).

Although it is a simple attack, it can do a lot of damage: if the user is trying to reach their bank's website, for example, the poisoned entry may already be in the cache (the temporary memory that makes name resolution faster). Since the fake page looks the same as the real one, the trap is difficult to notice.

3. SYN Flood Attack (SYN Spoofing Attack)

The idea is to overload the transport layer directly and the application layer indirectly. To do this, the attacker sends a flood of SYN requests to the system. Normally, when a server receives a connection request from a client, the two exchange three messages (the three-way handshake).

In the attack the handshake is never completed: the final message never arrives, and instead the attacker keeps sending new, false SYN packets. Half-open connections accumulate until the connection queue is full. Because the server cannot process all these connections, it stops responding to new requests from legitimate users.

4. DNS Hijacking Attack

When attempting to access a legitimate site, the user is redirected to a false address, because the domain's registration information or the device's DNS settings have been changed to point to a fake or attacker-controlled DNS server.

Often carried out by malware on computers or, in home networks, directly on the routers, it presents a site very similar to the real one, but controlled by the attacker, in order to obtain logins, passwords and other data.

5. Basic NXDOMAIN Attack

In this type of attack, the main actors are nonexistent domain names (names that produce NXDOMAIN responses). The attacker sends multiple queries to the DNS server to resolve them, and while the recursive server tries to locate them (and cannot), the cache fills up with NXDOMAIN results.

When the cache becomes full, name resolution requires more machine resources, which increases the response time for legitimate requests to the DNS server.

6. Phantom Domain Attack

In this attack, several "phantom" domains are set up and the DNS server is forced to resolve them. Because they do not respond, or do so very slowly, the server consumes resources while waiting for responses, which inevitably leads to performance degradation or the failure of pending queries.

7. DNS Tunneling Attack

This technique uses DNS to hide communication and bypass the firewall in order to extract internal data from a network. The attacker can then exfiltrate information or deliver new code to existing malware. It is also used to bypass captive portals and thus avoid paying for Wi-Fi services.

8. Random Subdomain Attack

This attack causes extreme slowness on the authoritative server that is hit. The criminal sends many queries to the DNS for non-existent, randomly generated subdomains. The recursive DNS servers wait for the authoritative responses, and as these do not come, the limit on pending queries is exhausted.
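The NXDOMAIN, DNS tunneling and random subdomain attacks described above all leave traces in the recursive server's query log. The following Python script is an added example (not code from the original article): it runs over a constructed, simplified query log (one line per query: client, name, type, response code) and flags the three patterns with three separate heuristics: very long or high-entropy leftmost labels (tunneling), clients producing many NXDOMAIN answers (NXDOMAIN flood), and domains receiving many distinct non-existent subdomains (random subdomain attack). The log format, the thresholds and the sample addresses are all assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (made up for this example, not real traffic).
# Fields: client_ip qname qtype rcode
SAMPLE_LOG = """\
192.0.2.10 www.example.com A NOERROR
192.0.2.10 mail.example.com MX NOERROR
192.0.2.10 cdn.example.net A NOERROR
198.51.100.7 a8f3k2.example.org A NXDOMAIN
198.51.100.7 zq91lm.example.org A NXDOMAIN
198.51.100.7 p0o9i8.example.org A NXDOMAIN
198.51.100.7 r4e5w6.example.org A NXDOMAIN
198.51.100.7 x1c2v3.example.org A NXDOMAIN
203.0.113.5 cmvrvmvrrsrrq5vetuhsn5xuhofsswcmsqzvqr2hpu6dnmvstq.tun.example.com TXT NOERROR
203.0.113.5 6pyhv2kcqlx4k6nsa4ebsx2rzunyh3jx2r6tppdvtcayfejzva.tun.example.com TXT NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'registered domain': the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        client, qname, qtype, rcode = parts
        yield {"client": client, "qname": qname.lower(), "qtype": qtype, "rcode": rcode}


def analyse(text: str, nx_threshold: int = 4, min_label_len: int = 30,
            entropy_threshold: float = 3.5) -> dict:
    """Apply the three heuristics and return what each one flagged."""
    tunneling = []                          # names that look like encoded payloads
    nx_per_client = Counter()               # NXDOMAIN answers per client
    nx_names_per_domain = defaultdict(set)  # distinct non-existent names per domain
    for rec in parse_log(text):
        first_label = rec["qname"].split(".")[0]
        # Tunneling: a leftmost label that is unusually long or looks random.
        if len(first_label) >= min_label_len or shannon_entropy(first_label) > entropy_threshold:
            tunneling.append(rec["qname"])
        if rec["rcode"] == "NXDOMAIN":
            nx_per_client[rec["client"]] += 1
            nx_names_per_domain[registered_domain(rec["qname"])].add(rec["qname"])
    return {
        "tunneling": tunneling,
        "nxdomain_clients": {c: n for c, n in nx_per_client.items() if n >= nx_threshold},
        "random_subdomain": {d: len(s) for d, s in nx_names_per_domain.items()
                             if len(s) >= nx_threshold},
    }


if __name__ == "__main__":
    for category, hits in analyse(SAMPLE_LOG).items():
        print(f"{category}: {hits}")
```

On real logs the thresholds need tuning per environment: CDN and anti-spam services legitimately use long, random-looking labels, so the tunneling heuristic is best treated as a starting point for investigation rather than an automatic block.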

9. Domain Lock-up Attack

In this attack, domains set up by the attacker engage DNS resolvers in connections and send random packets to keep them busy. This is done deliberately slowly so that the resolvers stay tied up while waiting for answers. As a result, the resolver's resources are held and eventually depleted, because it keeps trying to maintain connections to these rogue domains.

10. DNS Amplification Attack

The attacker sends small requests to DNS servers using a forged source IP (the victim's IP), so that the much larger responses are delivered to the victim. It is a Distributed Denial of Service (DDoS) attack in which the servers respond directly to the spoofed client. On a large scale, such an attack can knock down servers.
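A common server-side mitigation for the amplification and reflection attacks described above (sections 1 and 10) is response rate limiting: an authoritative server counts identical responses per client network and, above a threshold, drops most of them and answers the rest with a truncated (TC=1) reply, which a genuine client retries over TCP where spoofing the source address is impractical. The Python script below is an added example, not code from the article; it models that behaviour on a constructed stream of responses and reports the amplification factor of the reflected replies. The per-second window, the /24 grouping and the "slip" behaviour are simplifications assumed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed stream of responses (not a real capture):
# (time_s, client_ip, qname, request_bytes, response_bytes)
# The first ten are reflected replies to spoofed queries "from" one address;
# the last two are ordinary queries from a legitimate client.
SAMPLE = [(i / 10, "198.51.100.9", "example.com", 64, 3200) for i in range(10)] + [
    (0.2, "192.0.2.30", "www.example.com", 60, 120),
    (0.5, "192.0.2.30", "mail.example.com", 60, 130),
]


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """How many bytes the victim receives per byte the attacker sends."""
    return response_bytes / request_bytes


def client_block(ip: str, prefix: int = 24) -> str:
    """Group clients by /24 so an attacker cannot dodge the limit by varying the last octet."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class ResponseRateLimiter:
    """Simplified response rate limiting (assumption: one-second windows, fixed slip)."""

    def __init__(self, responses_per_second: int = 5, slip: int = 2):
        self.limit = responses_per_second
        self.slip = slip                     # every slip-th dropped reply becomes a TC=1 reply
        self.sent = defaultdict(int)         # (second, block, qname) -> replies sent
        self.dropped = defaultdict(int)      # (block, qname) -> replies dropped so far

    def decide(self, t: float, client_ip: str, qname: str) -> str:
        key = (int(t), client_block(client_ip), qname)
        self.sent[key] += 1
        if self.sent[key] <= self.limit:
            return "send"
        slip_key = key[1:]
        self.dropped[slip_key] += 1
        if self.slip and self.dropped[slip_key] % self.slip == 0:
            return "truncate"                # tiny reply; a real client retries over TCP
        return "drop"


def run(stream, responses_per_second: int = 5, slip: int = 2) -> dict:
    """Apply the limiter to a response stream and summarise the decisions."""
    rrl = ResponseRateLimiter(responses_per_second, slip)
    summary = {"send": 0, "truncate": 0, "drop": 0, "max_amplification": 0.0}
    for t, ip, qname, req, resp in stream:
        summary[rrl.decide(t, ip, qname)] += 1
        summary["max_amplification"] = max(summary["max_amplification"],
                                           amplification_factor(req, resp))
    return summary


if __name__ == "__main__":
    print(run(SAMPLE))
```

With the sample stream the limiter lets the first five reflected replies through, then alternates drop and truncate for the rest, while the two legitimate queries from another network are unaffected. The truncated reply is the important part: it keeps a real client behind a shared address working while giving the spoofed victim almost nothing to absorb.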

How to Protect Your DNS?

Protecting DNS depends on a set of solutions and practices that vary from company to company. To begin with, it is important to review the default settings of the firewall and router and then harden them.

Learn about other actions that may help:

Updated Systems

It is essential that all software and operating systems related to the DNS service be kept up-to-date and have all security patches applied.

Domain account

It is important to enable two-factor authentication (a token or one-time security codes) on the account used to manage the domain. Some registrars also allow DNS changes to be locked and access to the administrative panel to be restricted to certain IP addresses.

DNSSEC

To add an extra layer of security to DNS, it is essential to enable DNSSEC. This reduces the risk of data being manipulated, as it ensures the authenticity and integrity of the records: resolvers verify the signatures on the records using the zone's public keys.
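DNSSEC validation rests on a chain of trust: a resolver only believes a zone's public key (its DNSKEY record) if that key matches the DS record the parent zone publishes for it. The Python script below is an added example, not code from the article: it implements that one link of the chain as specified in RFC 4034 (key tag, Appendix B) and RFC 4509 (SHA-256 DS digest), and shows that a tampered key no longer matches the parent's DS. The DNSKEY material is a constructed placeholder, not a real RSA key, so the example checks the linkage only and does not verify RRSIG signatures.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root as 0x00."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RDATA (RFC 4034 Appendix B): a 16-bit checksum used to pick the right key."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """SHA-256 DS digest over owner name + DNSKEY RDATA (RFC 4509), as hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def dnskey_matches_ds(owner: str, rdata: bytes, ds_tag: int, ds_algorithm: int,
                      ds_digest_hex: str) -> bool:
    """True if the child's DNSKEY is the one the parent's DS record vouches for."""
    return (key_tag(rdata) == ds_tag
            and rdata[3] == ds_algorithm            # byte 3 of the RDATA is the algorithm
            and ds_digest(owner, rdata) == ds_digest_hex.lower())


def trusted_keys(owner: str, candidate_rdatas: list, ds_records: list) -> list:
    """Return the key tags of candidate DNSKEYs that match any DS (tag, algorithm, digest) from the parent."""
    return [key_tag(r) for r in candidate_rdatas
            if any(dnskey_matches_ds(owner, r, *ds) for ds in ds_records)]


# Constructed placeholder key (flags 257 = KSK, protocol 3, algorithm 8); not a real key.
OWNER = "example.com."
KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
# What the parent zone would publish as the DS record for this key.
PARENT_DS = [(key_tag(KSK), 8, ds_digest(OWNER, KSK))]
# A key with one byte altered, as an attacker substituting their own key would produce.
TAMPERED = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")

if __name__ == "__main__":
    print("key tag:", key_tag(KSK))
    print("genuine key trusted:", trusted_keys(OWNER, [KSK], PARENT_DS))
    print("tampered key trusted:", trusted_keys(OWNER, [TAMPERED], PARENT_DS))
```

The same computation is what a registrar or parent operator runs when you submit a DS record: if the digest you upload does not match the DNSKEY actually served from your zone, validating resolvers will treat the zone as bogus, so rolling a key without updating the DS at the parent is a common self-inflicted outage.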

Access Control List (ACL)

Some DNS software allows you to use ACLs to block or limit access by IP address. If this setting is available, it is important to use it.

Infrastructure

One way to prevent the recursive server from being compromised is to separate the role of the recursive servers from that of the authoritative servers. It is also advisable to block outbound DNS on the firewall so that only the recursive server can connect externally.
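The ACL and infrastructure advice above amounts to three policy rules: recursion is served only to internal clients, the authoritative server answers only for its own zones and never recurses, and only the recursive server may send DNS traffic out through the firewall. The Python script below is an added example, not code from the article; it encodes those rules and evaluates them against constructed queries, including a BIND-style ACL where entries are matched first-match-first-wins and a `!` prefix denies a specific address. The network ranges, zone names and resolver address are assumptions for the example.

```python
import ipaddress

# Constructed policy (assumption: mirrors the semantics of BIND's allow-recursion/allow-query ACLs).
ACLS = {
    # First match wins: the single denied host is listed before the network that would allow it.
    "internal": ["!10.0.0.99", "10.0.0.0/8", "192.168.0.0/16", "127.0.0.1"],
}
OUR_ZONES = ["example.com"]      # zones the authoritative server is responsible for
RECURSIVE_RESOLVER = "10.0.0.53"  # the only host allowed to talk DNS to the internet


def acl_match(ip: str, acl: list) -> bool:
    """Evaluate a first-match ACL; anything unmatched is implicitly denied."""
    addr = ipaddress.ip_address(ip)
    for entry in acl:
        negate = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if addr in net:
            return not negate
    return False


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a name below it."""
    qn, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return qn == z or qn.endswith("." + z)


def decide(role: str, client_ip: str, qname: str) -> str:
    """Policy for a split setup: what a server of the given role should do with a query."""
    if role == "authoritative":
        # Answers only for its own data; it never recurses, so it cannot be used as an open resolver.
        return "answer" if any(in_zone(qname, z) for z in OUR_ZONES) else "REFUSED"
    if role == "recursive":
        # Resolves anything, but only for clients inside the internal ACL.
        return "recurse" if acl_match(client_ip, ACLS["internal"]) else "REFUSED"
    raise ValueError(f"unknown role: {role}")


def egress_dns_allowed(src_ip: str) -> bool:
    """Firewall rule: outbound port-53 traffic is permitted only from the recursive resolver."""
    return ipaddress.ip_address(src_ip) == ipaddress.ip_address(RECURSIVE_RESOLVER)


if __name__ == "__main__":
    # Constructed queries: (role, client, name)
    for case in [("recursive", "10.0.0.5", "www.example.net"),
                 ("recursive", "10.0.0.99", "www.example.net"),
                 ("recursive", "203.0.113.4", "www.example.net"),
                 ("authoritative", "203.0.113.4", "www.example.com"),
                 ("authoritative", "203.0.113.4", "www.example.net")]:
        print(case, "->", decide(*case))
    print("egress from workstation allowed:", egress_dns_allowed("10.0.0.5"))
```

The ordering subtlety in the ACL is the part worth checking in a real configuration: if the denied host were listed after `10.0.0.0/8`, the broader entry would match first and the exception would never apply.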

If you want to learn more about Information Technology and get valuable tips, follow us on LinkedIn, Twitter and Facebook.