Inside the Numerous Threats to DNS

Imagine if, instead of entering Amazon.com or Facebook.com into a web browser, you had to type from memory 186.221.622.203 or 212.823.293.204 to visit those websites. You don’t have to be a branding expert to know that these would be a bit tougher to remember. Yet this is exactly what happens behind the scenes when we visit those sites (albeit with different, real addresses; the strings above are made-up examples).

When you visit a website by typing in a web address like www.example.org, the Domain Name System (DNS) protocol translates your words instantly into machine-readable IP addresses. Think of DNS a bit like a phone book for the internet: linking names to numbers in order to connect you to the party you want to speak to.

As such, DNS is a crucial piece of internet infrastructure, created by a computer scientist named Paul Mockapetris back in 1983, long before the majority of people hopped online for the first time. Although the process of converting human-readable web addresses to machine-readable digits takes only milliseconds, it’s no exaggeration to say that — without it — websites would be inaccessible to users.

Unfortunately, when it comes to critical infrastructure, cyber attackers are always ready and willing to seize upon ways to disrupt it in order to wreak chaos. As it turns out, DNS is vulnerable to multiple attacks from threat actors who use it as a means by which to attack company networks. There are a number of different attacks that involve DNS. For those without the necessary DNSSEC protection, the impact of these attacks can be extremely damaging.

Attacks that target DNS

For example, in a DNS tunneling attack the DNS protocol is used to tunnel data, including malware, through a client-server model. Attackers can use these payloads to remotely control a server or applications, exfiltrate data, or carry out other malicious actions. DNS tunneling seizes upon the trusted status of DNS traffic, which is usually allowed through inbound and outbound firewalls, to carry commands to malware (in inbound DNS traffic) and to exfiltrate data or return responses to malware operators (in outbound DNS traffic). It’s a frighteningly straightforward type of attack to implement and allows bad actors to sneak past defences to cause damage.

Another attack involving DNS is the Domain Generation Algorithm (DGA) attack. DGAs are used in a variety of malware attacks to create large numbers of web domain names which, in turn, can be utilized as rendezvous points with command and control (C2) servers. Attackers build DGAs into malware so that it can generate a list of candidate domains and switch between them; because the domains change so quickly, security systems are unable to block and/or take down the domains in an expedient manner.
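The two techniques above leave different traces in a resolver's query log: tunneling shows up as many long, high-entropy leftmost labels under one zone, while DGA output shows up as random-looking second-level names. The following detector is an added example (not from the article or any vendor tool) that scores a constructed log with both heuristics; the registered-domain rule (last two labels) and all thresholds are assumptions for the demo, not a public-suffix-aware implementation.

```python
import math
from collections import defaultdict

# Constructed DNS query log, one "<client> <qtype> <qname>" per line (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 A www.example.org
10.0.0.5 A mail.example.org
10.0.0.7 TXT 4a6f686e2073656e74207468652066696c65.t.dnsdemo.example
10.0.0.7 TXT 3a2f2f6d61726b2073656e742074686520.t.dnsdemo.example
10.0.0.7 TXT 7361776f6e61206d65737361676520617420.t.dnsdemo.example
10.0.0.9 A xkqwzrtvbnplm.com
10.0.0.9 A qzvxbwrtnkpdl.net
10.0.0.5 A cdn.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyse(log_text: str, tunnel_len=30, tunnel_entropy=2.5,
            dga_entropy=3.0, max_vowel_ratio=0.25, min_hits=3):
    """Return (tunnel_suspects, dga_suspects): sorted lists of registered domains."""
    tunnel_hits = defaultdict(set)   # registered domain -> long random-looking labels seen
    dga_suspects = set()
    for line in log_text.splitlines():
        _client, _qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        # Assumption: registered domain = last two labels (no public-suffix list in this demo).
        registered = ".".join(labels[-2:])
        sld = labels[-2]
        # DGA heuristic: second-level label is high-entropy and almost vowel-free.
        vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
        if shannon_entropy(sld) >= dga_entropy and vowel_ratio < max_vowel_ratio:
            dga_suspects.add(registered)
        # Tunneling heuristic: encoded payload rides in the leftmost label, so one zone
        # receives many distinct, long, high-entropy labels.
        first = labels[0]
        if len(labels) > 2 and len(first) >= tunnel_len and shannon_entropy(first) >= tunnel_entropy:
            tunnel_hits[registered].add(first)
    tunnel_suspects = sorted(d for d, hits in tunnel_hits.items() if len(hits) >= min_hits)
    return tunnel_suspects, sorted(dga_suspects)

if __name__ == "__main__":
    tunnels, dgas = analyse(SAMPLE_LOG)
    print("possible DNS tunneling zones:", tunnels)
    print("possible DGA domains:", dgas)
```

Both heuristics are triage signals, not verdicts: legitimate services (anti-spam lookups, CDNs, software telemetry) also produce long or random-looking names, so flagged domains need review against allow-lists and query volume.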

More attacks to watch out for

Still another DNS-centered attack involves Malicious Newly Registered Domains (NRDs). These are newly registered domains that appear to be legitimate, often minor variations on legitimate domain names intended to trick users into visiting them accidentally. For instance, during the coronavirus pandemic, attackers created malicious NRDs that looked like authorized resources related to COVID-19. Such sites typically disappear quickly, with new ones appearing in their place. They can be used in a myriad of cyber attacks, including phishing, command and control (C2), and distributing malware such as Trojans, worms, and viruses.

One more DNS-related attack is referred to as Fast Flux. In this DNS technique, malicious actors establish multiple IP addresses for a malicious domain and rapidly switch between them as a way of sidestepping IP-based controls. This makes it tough to discover their locations and shut them down. The technique is frequently utilized by botnets as a means to obfuscate malicious activities that may include web proxying, malware communication and delivery, and phishing.
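Because fast flux rotates a name's A records under short TTLs, it can be spotted from passive DNS answer observations rather than from query names. This is an added example, not code from the article, that flags names resolving to many addresses spread across several /24 networks while the TTL stays low; the observation format, names and thresholds are constructed for the demo.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed passive-DNS observations: "<epoch> <name> <A record> <TTL>" (not real data).
OBSERVATIONS = """\
1000 www.example.org 192.0.2.10 3600
1600 www.example.org 192.0.2.10 3600
1000 update.fluxdemo.example 198.51.100.7 60
1060 update.fluxdemo.example 203.0.113.19 60
1120 update.fluxdemo.example 198.51.100.44 60
1180 update.fluxdemo.example 203.0.113.88 60
1240 update.fluxdemo.example 192.0.2.201 60
1300 update.fluxdemo.example 198.51.100.9 60
1000 cdn.example.org 192.0.2.20 60
1060 cdn.example.org 192.0.2.21 60
"""

def flux_candidates(observations: str, max_ttl=300, min_ips=5, min_nets=2):
    """Return {name: (distinct_ips, distinct_/24s, highest_ttl)} for fast-flux-looking names.

    A name is flagged when every observed TTL is at most max_ttl, it resolved to at least
    min_ips distinct addresses, and those addresses span at least min_nets different /24s
    (one hosting provider's pool usually stays inside a few adjacent networks).
    """
    addrs = defaultdict(set)
    highest_ttl = defaultdict(int)
    for line in observations.splitlines():
        _ts, name, addr, ttl = line.split()
        addrs[name].add(addr)
        highest_ttl[name] = max(highest_ttl[name], int(ttl))
    flagged = {}
    for name, ips in addrs.items():
        # /24 aggregation is for IPv4 only in this demo; strict=False keeps host bits.
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        if highest_ttl[name] <= max_ttl and len(ips) >= min_ips and len(nets) >= min_nets:
            flagged[name] = (len(ips), len(nets), highest_ttl[name])
    return flagged

if __name__ == "__main__":
    for name, (n_ips, n_nets, ttl) in flux_candidates(OBSERVATIONS).items():
        print(f"{name}: {n_ips} addresses across {n_nets} /24s, TTL {ttl}s")
```

Content delivery networks also answer with low TTLs and many addresses, so a hit here is a reason to look at the name's age, registrar and hosting ASNs, not a block decision on its own.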

Safeguard your DNS infrastructure

Protecting DNS infrastructure is vital. This is where DNSSEC enters the picture. DNSSEC is a suite of extensions designed to improve DNS security; it works by verifying that DNS results have not been altered in some way. It does this by checking the legitimacy of responses sent by name servers to clients using digital signatures. For example, in a DNS spoofing attack — in which forged DNS records are used to redirect traffic to a fraudulent site — DNSSEC provides an added layer of security that makes it harder for an attacker to impersonate a legitimate website.

Many organizations fail to put proper focus on DNS-layer security. Inspecting DNS traffic is crucial, as is investing in the right tools to help. Tools such as machine learning algorithms that can accurately detect, and even predict, DNS threats are getting better all the time. That’s important because DNS attacks are developing all the time as well. Making sure that you are properly protected against these fast-growing forms of cyber attack is a “must” in today’s complex cybersecurity landscape.