DNS is a fundamental part of both the internet and your own IP network, so every network depends on it; that is one of the many reasons it is so appealing to attackers. The Domain Name System (DNS) is also complex, which leaves room for creative ways of compromising it that can go unnoticed.
The following is an overview of what to know about DNS attacks and the particular types that are most prevalent.
Denial-of-Service (DoS) Attacks
Denial of service is a general category of attack against DNS rather than a single technique.
The most common form is the distributed denial-of-service (DDoS) attack, in which the attacker’s traffic does not come from a single source.
Instead, the target is flooded with traffic from thousands of IP addresses, usually members of a botnet.
Attackers can find other ways to direct large volumes of traffic at DNS servers as well; either way, the service becomes unavailable to network users because it is saturated.
A DDoS attack differs from a plain DoS attack in that a DoS attack comes from a single source (one bot), so it tends to be more localized and does less damage.
Any website relying on that server during a DNS flood will likely see traffic interruptions, since legitimate requests cannot get through.
DNS Hijacking
In a DNS hijacking attack, changes are made at your DNS servers or domain registrar that direct traffic away from the original servers to new destinations.
It can happen when an attacker takes advantage of a vulnerability in the domain registrar’s system, but it can also happen at the DNS level, where control of your DNS records is taken over.
Once attackers have taken over your domain name, they can carry out a variety of activities, such as setting up a fake payment page.
The attacker creates a copy of your website that looks identical to visitors and records the personal information they enter.
DNS Cache Poisoning
DNS cache poisoning, also known as DNS spoofing, is the most common of these types of attacks.
An attacker inserts malicious data into your resolver’s cache, and users are then redirected to another server without knowing it.
During a live cache poisoning attack, the attacker receives legitimate traffic at their own servers and can use pages there to steal information through phishing techniques.
DNS Tunneling
In a DNS tunneling attack, data belonging to other programs is encoded inside DNS queries and responses. The ultimate goal is to let criminals carry malware or stolen information in DNS traffic, giving them a covert communication channel that goes undetected by firewalls.
For this to work, the compromised system usually needs external network connectivity.
The attacker also has to control a domain and a server that answers queries for it.
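Because tunneled data rides in the subdomain labels, a defender can look for long, high-entropy leading labels and many distinct subdomains under one domain in resolver logs. The following detector is an added example, not part of the original article; its log format (timestamp client qtype qname), the sample lines and the thresholds are constructed assumptions.

```python
"""Heuristic DNS tunneling detector run over constructed resolver log lines.
Tunneling encodes data in the subdomain labels of queries to an attacker-
controlled zone, so such flows show long, high-entropy labels and many unique
subdomains under one registered domain. Log format (constructed):
timestamp client qtype qname."""
import math
from collections import defaultdict

# Constructed sample log: ordinary lookups plus a burst of encoded names.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 AAAA mail.example.com
1700000002 10.0.0.7 TXT 3q4w7hk2x9dmzpq0a8vlc5n1ry6t.tun.example.net
1700000002 10.0.0.7 TXT 9zx1c4v7b2n5m8a3s6d0f2g5h8j1.tun.example.net
1700000003 10.0.0.7 TXT k2l5p8o1i4u7y0t3r6e9w2q5z8x1.tun.example.net
1700000003 10.0.0.5 A cdn.example.com
1700000004 10.0.0.7 TXT c7v0b3n6m9q2w5e8r1t4y7u0i3o6.tun.example.net
"""

def shannon_entropy(s):
    """Bits per character; base-32/64-style encoded payloads score high."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Assumption: registered domain is the last two labels (no public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_tunneling_suspects(log_text, min_label_len=20, min_entropy=3.5, min_unique=3):
    """Map registered domain -> count of distinct long, high-entropy leading
    labels, keeping only domains that reach min_unique (a threshold choice)."""
    unique_by_domain = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines rather than abort the scan
        qname = parts[3]
        leading = qname.split(".")[0]
        if len(leading) >= min_label_len and shannon_entropy(leading) >= min_entropy:
            unique_by_domain[registered_domain(qname)].add(leading)
    return {d: len(s) for d, s in unique_by_domain.items() if len(s) >= min_unique}

if __name__ == "__main__":
    for domain, count in find_tunneling_suspects(SAMPLE_LOG).items():
        print(f"possible tunneling: {domain} ({count} unique encoded labels)")
```

Legitimate services such as CDNs and anti-spam lookups also use long generated labels, so thresholds need tuning against your own baseline before alerting on the result.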
NXDOMAIN Attacks
An NXDOMAIN attack is a specific type of flood attack in which a high volume of queries for nonexistent domains is sent to a targeted DNS server. The server then queries the authoritative name server for those nonexistent names, which taxes the resources of both servers.
The attack, if it’s powerful, can mean both servers are overwhelmed.
The result of overwhelmed servers can be slow response times for actual requests or perhaps a stop to the DNS resolution services.
For an internet user, this means that a website served by an attacked server would be unreachable or slow to load, unless its IP address was already cached.
Phantom Domain Attacks
In a phantom domain attack, an attacker sets up a series of domains whose name servers either do not respond to requests or respond very slowly.
The attacker then sends a large number of requests for those domains to the targeted resolver.
The recursive server’s resources are tied up waiting on those responses, causing a slowdown or failure.
As a result, users are unable to reach sites through the affected resolver.
There are other types of attacks beyond these, which makes it important for businesses to understand DNS attacks and vulnerabilities and how to protect against them.