Cybersecurity threats grow more complex every day, and DNS-based cyber-attacks are one of the types of attacks seen. DNS-based cyber-attacks come in a variety of forms, including DNS spoofing, DNS hijacking, and DNS cache poisoning. These attacks focus on redirecting a victim’s web traffic either to malicious webpages, such as phishing pages, or to fake web servers. They rely on Man in the Middle attacks, DNS server hijacking, and DNS cache poisoning, delivered via spam emails or other phishing methods, to carry out the DNS attack. To learn more about DNS-based attacks, we first need to understand DNS in general and how it works.
Domain Name System (DNS)
The Domain Name System, or DNS, translates a domain into its corresponding Internet Protocol (IP) address. A domain is a text version of an IP address, connecting you to a website’s web server. This text version is meant to make web addresses easier for humans to remember. An example of a domain is www.google.com. An IP address is a string of numbers that uniquely identifies a computer or web server. Working alongside IP addresses and domains are DNS servers. These servers come in four types: resolving name servers, root name servers, top-level domain name servers (TLD name servers), and authoritative name servers. Each type of DNS server has a different function, but the most important one is the resolving name server. The resolving name server takes the IP address and queries a number of different web servers until it connects the user to the web server they want.
The main process exploited by DNS-based attacks is DNS Lookup. DNS Lookup has several steps:
- The user’s web browser and Operating System (OS) work together to try and recall the IP address of the domain the user is attempting to reach. If the user has connected to the domain address previously, that IP address will most likely have been cached and allow the user to quickly connect to the domain address.
- If that IP address has not been previously cached, the next step is for the OS to query the DNS resolving server. The resolving server queries web servers until it reaches the IP address it is trying to find for the user.
- The resolver will then find the IP address, and send it back to the host OS, who then sends it to the user’s web browser.
DNS Lookup is the core of the Internet, providing everyone with access to the domains that they need to reach. This gives attackers a number of different methods to steal data, such as Man in the Middle Attacks, phishing attempts, and DNS server hijacking.
Methods of DNS-Based Attacks
DNS-based attacks, as I mentioned, can be carried out through a number of different methods, and the most common is a Man in the Middle attack. In a Man in the Middle attack, a threat actor intercepts messages between a victim and the server they are attempting to reach. Those messages, encrypted or not, are collected by the attacker, who reads them directly if they aren’t encrypted, or attempts to decrypt them first and then reads them. This attack is not that complicated to implement, which is one reason it is the most common.
Another method threat actors use for DNS-based attacks is phishing. Phishing via spam is used to trick victims into visiting illegitimate web pages through malicious URLs that the victims click. Once that malicious URL is clicked, a malware payload containing anything from spyware to DNS cache poisoning tools can be downloaded to the victim’s machine. Many different phishing methods exist, with spam emails containing malicious links being the one most often used for DNS cache poisoning. With DNS cache poisoning, which we will discuss in more detail later, your web browser’s attempts to access webpages are redirected to spoofed or false webpages that appear legitimate.
One other method used for DNS-based attacks is DNS server hijacking. DNS server hijacking involves the hijacker redirecting the targeted web server to spoofed or false webpages. This method injects a false DNS entry into the server, which then redirects victims to the attacker’s chosen false webpage. Now that we know how DNS-based cyber attacks occur, we can take a look at what those types of attacks are, how they work, and the types of data they target.
The first type of DNS attack we will discuss is DNS spoofing. Spoofing is the idea of faking a communication between two points. These two points are normally a client and a server, or a sender and a recipient. In DNS spoofing, a DNS entry, as I mentioned previously, is replaced with a false DNS entry. This means that when a client holds a spoofed DNS entry, any time it attempts to access that domain name it will be sent to a completely different, malicious web address. This then allows the threat actors to deliver malware payloads onto the victim devices.
The next type of DNS attack is a DNS cache poisoning attack. These attacks are similar to DNS spoofing, except that instead of targeting the DNS entry, the DNS cache is the target. A more directed attack is carried out in an attempt to replace the DNS cache responses with false DNS responses. Usually, DNS cache poisoning is done by sending a large number of fake DNS responses to the recursive server, changing the query on each message until the targeted value’s ID is guessed correctly. Protecting against these sorts of attacks is difficult, while the payoff for a successful attack is huge for threat actors. If a big-name DNS server for a commonly used domain name, like google.com, can be successfully poisoned, then thousands or even hundreds of thousands of victims could be infected.
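The following is an added example, not code from the original post or from Encryption Consulting, illustrating both the lookup steps above and the ID-guessing described in this paragraph from the resolver’s side: it builds a DNS A query with a random 16-bit transaction ID, parses a reply, and accepts the reply only when the ID and the question section match what was sent. The domain example.com and the addresses 192.0.2.1 and 198.51.100.66 are constructed sample values; no network traffic is sent.

```python
import secrets
import struct

def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    return b''.join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip('.').split('.')) + b'\x00'

def decode_name(pkt, off):
    """Read a name at `off`, following a compression pointer if one appears."""
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return '.'.join(labels), off + 1
        if n & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            target, _ = decode_name(pkt, struct.unpack('!H', pkt[off:off + 2])[0] & 0x3FFF)
            return '.'.join(labels + [target]), off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n

def build_query(name, txid=None):
    """Minimal A query (lookup step 2); the random 16-bit ID is what a forged reply must match."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return txid, header + encode_name(name) + struct.pack('!HH', 1, 1)  # QTYPE=A, QCLASS=IN

def build_response(txid, name, ip):
    """A-record reply in the wire format a resolver receives (used here to build test input)."""
    header = struct.pack('!HHHHHH', txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA; one answer
    rr = b'\xc0\x0c' + struct.pack('!HHIH', 1, 1, 300, 4)  # name ptr to offset 12, A, IN, TTL, len
    return header + encode_name(name) + struct.pack('!HH', 1, 1) + rr + bytes(map(int, ip.split('.')))

def validate_response(sent_txid, sent_name, pkt):
    """Return the answered IP only if ID and question match what we sent, else None (lookup step 3)."""
    txid, flags, qd, an, _, _ = struct.unpack('!HHHHHH', pkt[:12])
    if txid != sent_txid or not flags & 0x8000 or qd != 1 or an < 1:
        return None  # wrong ID, not a response, or malformed: drop it
    qname, off = decode_name(pkt, 12)
    if (qname, struct.unpack('!HH', pkt[off:off + 4])) != (sent_name, (1, 1)):
        return None  # answer to a question we never asked
    _, off = decode_name(pkt, off + 4)
    rtype, rclass, _ttl, rdlen = struct.unpack('!HHIH', pkt[off:off + 10])
    return '.'.join(str(b) for b in pkt[off + 10:off + 14]) if (rtype, rclass, rdlen) == (1, 1, 4) else None

def demo():
    txid, _query = build_query('example.com')
    genuine = build_response(txid, 'example.com', '192.0.2.1')  # TEST-NET address, constructed
    forged = build_response((txid + 1) & 0xFFFF, 'example.com', '198.51.100.66')  # ID guessed wrong
    return validate_response(txid, 'example.com', genuine), validate_response(txid, 'example.com', forged)
```

Real resolvers add further checks on top of the ID, such as source-port randomisation and (with DNSSEC) signature validation, because a 16-bit ID alone leaves room for the brute-force guessing the paragraph describes.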
As you can see, DNS-based attacks are common, can be carried out with relative ease, and can lead to a big payoff for threat actors if they are successful. A number of different methods can be used to protect against DNS-based attacks, but none of them is a perfect defense. DNSSEC is a tool that can guard against these types of attacks, especially DNS cache poisoning. Another is having an organization like Encryption Consulting perform encryption, PKI, or HSM assessments to check for any gaps in your IT infrastructure. To learn more about Encryption Consulting’s assessments, training, or implementation, visit our website at www.encryptionconsulting.com.