DNS Explanation
The Domain Name System (DNS) converts hostnames and internet domain names to IP addresses and vice versa.
DNS works in a client-server model. The client sends requests to, and receives responses from, a DNS server.
The following are the two types of requests:
Forward DNS lookup: Request containing a name and resulting in an IP address.
Reverse DNS lookup: Request containing an IP address and resulting in a name.
How DNS works
DNS consists of a distributed database held on many computers. This database contains information relating domains, host names, and IP addresses. The client, for example your web browser, sends a request to look up a name such as www.google.com. The DNS resolver then determines the destination IP address by querying a DNS server. If the resolver does not obtain the desired mapping from the server it asked, it forwards the request to other DNS servers.
Top DNS attacks used by malicious actors
Domain Hijacking/Redirection
Local DNS Hijacking.
Router DNS Hijacking.
Man-in-the-Middle DNS attacks.
Rogue DNS Server.
Distributed Reflection Denial of Service (DRDoS)
Threat actors spoof the source IP address of their queries so that a massive number of responses is directed at the target of the attack.
DNS Tunneling
Used to exfiltrate data from organizations by encoding it inside DNS queries and responses.
DNS Flood Attack
Threat actors target one or more DNS servers, sending numerous requests in order to disrupt the DNS service.
Cache Poisoning
Attackers poison DNS caches by impersonating a DNS name server and supplying false records.
DNS Spoofing Attack
Can be achieved by DNS redirection.
Can be achieved by Cache Poisoning.
Phantom Domain Attack
Threat actor sets up a "Phantom" domain that does not respond to DNS queries.
Causes the resolving server to recursively spend resources waiting for query answers that never arrive.
Why Should you worry?
DNS servers are always open to the internet, meaning they are vulnerable to attacks and possible exploits.
Organizations can be impacted by several types of DNS attacks.
Valuable data can be stolen by the use of DNS tunneling.
What can you do?
Several mitigations can be applied depending on the case or vulnerability that needs to be mitigated.
Rate limit DNS requests.
Block known threat actors' proxy IPs.
Compare DNS requests against a blacklist of identified malicious domains.
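As an added example that is not part of the original page, the following Python shows how a defender might apply the rate-limit and domain-blacklist mitigations listed above, and detect the long, high-entropy query labels that are typical of DNS tunneling, over a resolver log. The log lines, blocklist and thresholds are constructed for illustration; real values would come from the organization's own resolver logs and threat intelligence.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the page): (second, client_ip, qname).
SAMPLE_LOG = [
    (0, "10.0.0.5", "www.example.com"),
    (0, "10.0.0.5", "mail.example.com"),
    (1, "10.0.0.7", "login.evil-blocklisted.test"),
    (2, "10.0.0.9", "a8f3k2x9q1zz7p0lm4b6v2c8n5r1t3y9.exfil.test"),
    (2, "10.0.0.9", "q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6.exfil.test"),
    (2, "10.0.0.9", "z9x8c7v6b5n4m3l2k1j0h9g8f7d6s5a4.exfil.test"),
] + [(3, "10.0.0.42", f"host{i}.example.com") for i in range(12)]

BLOCKLIST = {"evil-blocklisted.test"}  # constructed list of known-malicious domains


def registered_domain(qname):
    """Collapse a query name to its last two labels (assumes no multi-label TLDs)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(label):
    """Bits per character; encoded tunnel payloads score far higher than real hostnames."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def blocklisted(log, blocklist):
    """Mitigation: queries whose registered domain is on the blacklist."""
    return sorted({q for _, _, q in log if registered_domain(q) in blocklist})


def rate_limit_offenders(log, limit=10):
    """Mitigation: clients sending more than `limit` queries in any one-second bucket."""
    per_bucket = Counter((sec, ip) for sec, ip, _ in log)
    return sorted({ip for (_, ip), n in per_bucket.items() if n > limit})


def tunneling_suspects(log, min_len=24, min_entropy=3.5, min_unique=3):
    """Detection: domains receiving many distinct, long, high-entropy leftmost labels."""
    suspicious = defaultdict(set)
    for _, _, q in log:
        left = q.split(".")[0]
        if len(left) >= min_len and shannon_entropy(left) >= min_entropy:
            suspicious[registered_domain(q)].add(left)
    return sorted(d for d, labels in suspicious.items() if len(labels) >= min_unique)
```

Run against the constructed log, the three functions flag the blacklisted lookup, the client that burst 12 queries in one second, and the domain receiving encoded-looking labels; tune the thresholds to your own traffic before alerting on them.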