DNS (domain name system) is a decentralized, hierarchical naming system for computers, services, and other resources connected to a private network or the Internet. It maps domain names to the data (most commonly IP addresses) associated with the entities that register them. Because almost all web traffic begins with an ordinary DNS query, DNS is also an attractive place to attack; DNS hijacking is one example. Such an attack can redirect a website’s inbound traffic to a counterfeit copy of the site, harvesting confidential and sensitive user data along the way and exposing the affected business to serious consequences.
Common Attacks That Involve DNS
Like many Internet protocols, DNS was not designed with security as a primary goal, and it carries several design limitations. As the tooling available to attackers has advanced, abusing those limitations to hijack a DNS lookup has become comparatively easy. DNSSEC (DNS Security Extensions) is the security protocol devised to address this: it protects against such attacks by digitally signing DNS data so that a resolver can verify its authenticity. For a lookup to be secure end to end, signing must be in place at every level of the hierarchy traversed during the lookup.
DNSSEC is a robust security protocol, but it is not as widely adopted as it should be. That limited adoption, together with other likely weaknesses, leaves DNS an easy target for malicious attacks. Attackers have found many ways to target and manipulate DNS; DNS spoofing, DNS tunneling, DNS hijacking, and phantom domain attacks are examples.
DNS spoofing, also called cache poisoning, is the injection of forged DNS information into a DNS resolver’s cache. The resolver then returns the wrong IP addresses for the affected domains: traffic that should have reached the real website is directed instead to a replica site run by someone with malicious intent.
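To make the resolver-side defence concrete, here is an added example (written for this article, not code from the original or from any resolver project) that models the checks a caching resolver performs before it trusts a reply: the transaction id and destination port must match an outstanding query, the question must match, and records outside the answering server’s zone (out of bailiwick) are never cached. The Query, Response and Record classes are simplified stand-ins for DNS wire-format messages, and the names and addresses in demo() are constructed.

```python
"""Model of the checks a caching resolver applies before it trusts a response.
Added example; not code from the original article. The Query/Response/Record
classes are simplified stand-ins for DNS wire-format messages."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Record:
    name: str
    rtype: str
    value: str


@dataclass
class Query:
    txid: int        # 16-bit transaction id chosen by the resolver
    src_port: int    # resolver's UDP source port for this query
    qname: str


@dataclass
class Response:
    txid: int
    dst_port: int    # port the reply was sent to; must equal the query's source port
    qname: str
    answers: list
    additional: list = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it (case-insensitive)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self):
        self.cache = {}      # (name, rtype) -> value
        self.pending = {}    # (txid, src_port) -> Query awaiting a reply

    def send_query(self, qname: str) -> Query:
        # Random id *and* random source port: a forged reply must match both,
        # which is far harder than guessing a 16-bit id alone.
        q = Query(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512), qname)
        self.pending[(q.txid, q.src_port)] = q
        return q

    def receive(self, resp: Response, server_zone: str) -> str:
        """server_zone is the zone the answering server is authoritative for."""
        key = (resp.txid, resp.dst_port)
        q = self.pending.get(key)
        if q is None or q.qname.lower() != resp.qname.lower():
            return "rejected: no matching outstanding query"
        del self.pending[key]
        accepted = dropped = 0
        for rec in resp.answers + resp.additional:
            if not in_bailiwick(rec.name, server_zone):
                dropped += 1          # out-of-bailiwick data is never cached
                continue
            self.cache[(rec.name.lower(), rec.rtype)] = rec.value
            accepted += 1
        return f"accepted {accepted}, dropped {dropped}"


def demo():
    """Constructed scenario: one legitimate reply carrying an unrelated extra
    record, then a reply whose transaction id matches nothing outstanding."""
    r = Resolver()
    q = r.send_query("www.example.com")
    good = Response(q.txid, q.src_port, "www.example.com",
                    answers=[Record("www.example.com", "A", "192.0.2.10")],
                    additional=[Record("login.example.net", "A", "198.51.100.7")])
    first = r.receive(good, "example.com")
    q2 = r.send_query("mail.example.com")
    stray = Response(q2.txid ^ 1, q2.src_port, "mail.example.com",
                     answers=[Record("mail.example.com", "A", "203.0.113.5")])
    second = r.receive(stray, "example.com")
    return first, second, dict(r.cache)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running demo() caches only the in-bailiwick answer for www.example.com; the extra record for login.example.net is discarded and the mismatched reply is rejected outright, which is what makes poisoning a modern resolver far harder than the protocol’s original design allowed.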
DNS tunneling is a form of attack that encapsulates other protocols inside DNS queries and responses. Attackers can carry TCP, SSH, or HTTP traffic, stolen information, or malware within DNS queries, which most firewalls do not inspect.
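As an added illustration of how a defender can spot tunneling in resolver logs (example code written for this article, not a tool the article describes), the script below scores each client on four heuristics over a constructed query log: very long labels, high-entropy labels, a skewed query-type mix, and fan-out of many distinct names under one domain. The log format, the thresholds, and the tunnel-example.test domain are all assumptions chosen for illustration.

```python
"""Heuristic detector for DNS-tunneling indicators in resolver query logs.
Added example; not part of the original article. The log format (timestamp,
client, qtype, qname) and the thresholds are assumptions, not a known tool's."""
import math
from collections import Counter, defaultdict

# Constructed sample log: a normal client (10.0.0.5) and a client whose TXT
# lookups carry long, random-looking labels (10.0.0.9). All domains are
# placeholders in reserved example/test namespaces.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 AAAA cdn.example.net
2024-05-01T10:00:03Z 10.0.0.5 A login.example.org
2024-05-01T10:00:04Z 10.0.0.5 MX example.com
2024-05-01T10:00:05Z 10.0.0.5 A api.example.com
2024-05-01T10:00:06Z 10.0.0.5 A mail.example.org
2024-05-01T10:00:01Z 10.0.0.9 TXT mfrggzdfmztwq2lknnwg23tpobyxe43u.c2.tunnel-example.test
2024-05-01T10:00:02Z 10.0.0.9 TXT ge2dgnbvgy3tqojqmfrgcztemzthazbr.c2.tunnel-example.test
2024-05-01T10:00:03Z 10.0.0.9 TXT kjzw2llmnfwgk3dbn5uxazlonfzw43df.c2.tunnel-example.test
2024-05-01T10:00:04Z 10.0.0.9 TXT nbzxe2lomfxgi3lbmzzgk5lpn5zgk2lr.c2.tunnel-example.test
2024-05-01T10:00:05Z 10.0.0.9 TXT onzws3tuonvwi23jmv3gk5lmpeyw23tc.c2.tunnel-example.test
2024-05-01T10:00:06Z 10.0.0.9 TXT ovqw4zlmmnwgq3lenzwwc4lonbxhgzi.c2.tunnel-example.test
"""

THRESHOLDS = {
    "label_len": 30,         # longest single label, in characters
    "entropy": 3.5,          # bits per character of the longest label
    "odd_qtype_ratio": 0.5,  # share of TXT/NULL/CNAME queries
    "fanout": 5,             # distinct names under one registered domain
}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line: str) -> dict:
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower().rstrip(".")}


def registered_domain(qname: str) -> str:
    # Naive: last two labels. Production code should consult a public-suffix list.
    return ".".join(qname.split(".")[-2:])


def analyse(log_text: str, min_queries: int = 5) -> dict:
    """Return {client: [indicator, ...]} for clients that trip >= 2 indicators."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            q = parse_line(line)
            per_client[q["client"]].append(q)
    findings = {}
    for client, queries in per_client.items():
        if len(queries) < min_queries:
            continue  # too little data to judge
        indicators = []
        longest = max((lbl for q in queries for lbl in q["qname"].split(".")), key=len)
        if len(longest) > THRESHOLDS["label_len"]:
            indicators.append(f"long label ({len(longest)} chars)")
        ent = shannon_entropy(longest)
        if ent > THRESHOLDS["entropy"]:
            indicators.append(f"high-entropy label ({ent:.2f} bits/char)")
        odd = sum(q["qtype"] in ("TXT", "NULL", "CNAME") for q in queries) / len(queries)
        if odd > THRESHOLDS["odd_qtype_ratio"]:
            indicators.append(f"unusual qtype mix ({odd:.0%} TXT/NULL/CNAME)")
        names_per_domain = defaultdict(set)
        for q in queries:
            names_per_domain[registered_domain(q["qname"])].add(q["qname"])
        fanout = max(len(names) for names in names_per_domain.values())
        if fanout >= THRESHOLDS["fanout"]:
            indicators.append(f"subdomain fan-out ({fanout} distinct names)")
        if len(indicators) >= 2:
            findings[client] = indicators
    return findings


if __name__ == "__main__":
    for client, reasons in analyse(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

Requiring two indicators rather than one keeps single long CDN hostnames or one-off TXT lookups (SPF, DKIM) from raising alerts; on real logs the thresholds should be tuned against a baseline of known-good traffic, and the naive registered_domain() replaced with a public-suffix lookup so that names under shared hosting suffixes are not counted as fan-out.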
In DNS hijacking, queries are redirected to a different nameserver, either through malware or by altering DNS settings without authorization. Although the outcome is much like that of DNS spoofing, a DNS hijack is fundamentally different because it targets the website’s DNS record on the nameserver rather than the resolver’s cache.
Other DNS-related attacks include the NXDOMAIN attack, the random subdomain attack, the domain lock-up attack, and the botnet-based CPE attack.