Updated: Feb 3
A closer look at DNS and how it’s used in cyberattacks.
When you think of DNS attack types, the first thing that probably comes to mind is a Denial of Service, or DoS, attack. While that is a reasonable association, DoS attacks aren’t really attacks on DNS itself. More often than not, DNS is simply the vehicle used to carry out the DoS attack.
DNS is one of the backbones of the internet, allowing users to get from point A, their computer, to point B, a website, in seconds. This article will look at some of the common ways the crucial service can be attacked to redirect users to malicious sites, prevent them from accessing a website they need, and more.
What Is DNS?
Before we get into the types of attacks, let’s start with an explanation of what DNS is.
DNS, which stands for Domain Name System, essentially makes it easier for us all to browse the web. DNS is responsible for the mapping between an IP address and the domain assigned to it, enabling everyday users of the Internet to type in “google.com” and be directed to Google without having to know the IP address.
While you may think that domain names translate to IPs, it’s actually the other way around. Computers rely on IP addresses that are assigned to hosts, hosts are assigned names, and the DNS service is used to translate name requests into IP addresses.
Put simply, without DNS, we wouldn’t be able to browse to google.com or facebook.com. Instead, we would need to know the IP address(es) of Google’s webservers, and the same with Facebook and every other website that exists on the Internet.
Just imagine if we had to remember IP addresses instead of domain names. Instead of saying, “go to Google”, maybe we’d say, “go to the search engine at 18.104.22.168”.
How Does DNS Work?
Now that we know what DNS is and its purpose, let’s quickly look at how it works. DNS relies on DNS servers to store its name-to-IP mapping information. There are two primary DNS types: public and private. As one might guess, public DNS is publicly available, while private DNS is not.
Public DNS servers manage DNS records for systems and websites that are publicly reachable. By contrast, private DNS operates within an organization’s internal network, allowing users to access systems via domain names rather than IPs.
How exactly does it all work though? How do the DNS servers know what to look for when they receive a DNS request for facebook.com?
DNS is built on what are called records. There are various types of records, but the most important for a system to have is an A record, or Address Mapping record. This record maps a domain name to its IPv4 address on the DNS server, so when the server receives a request for that name, it can look the name up in its set of A records and respond with the corresponding IP address.
For the purposes of this article, I won’t be going any deeper into the topic of DNS, but there’s much more to it. At this point, if you understand the image below, you know enough to continue on learning about the four types of DNS attacks we’re going to cover.
As we’ve learned so far, DNS is a critical component of the Internet’s infrastructure. Without it, we’d be unable to get to our favorite websites without knowing the site's public IP. Even the ways we normally obtain public IPs (ping, nslookup, etc.) wouldn’t work because they require you to input the DNS name so a lookup can be performed.
The DNS service being unavailable is one thing, and DoS attacks can be performed to overload DNS servers, but there are other ways to perform attacks on DNS. The attacks we’re going to be looking at focus more on leveraging DNS to perform malicious activity rather than to impact availability.
First up is DNS hijacking, which has a few variations. As the name suggests, DNS hijacking involves a malicious actor taking over an existing domain name in one of three ways:
An attacker compromises a domain registrar account and modifies an existing domain’s settings so the domain points to infrastructure they control.
An attacker modifies an A record so the domain now maps to an IP address they control.
An attacker compromises a corporate environment and changes the DNS servers that are configured for all corporate computers.
Let’s drill down a bit into each of these. Looking at the first one, a domain registrar is a company that manages the reservation of domain names for consumers. Some popular ones you’ve likely heard of are GoDaddy, DreamHost, and BlueHost.
In order to register a domain with one of these vendors, you must create an account. In this method of hijacking, the attacker gains access to a user’s account on the domain registrar’s platform and makes changes to their registered domain(s).
In the second method, the attacker will have obtained some level of administrator access, giving them permission to modify an existing A record. As we covered earlier, the A record is the primary record used to map a domain name to an IP address, so unauthorized modifications can have severe consequences.
For example, an attacker might modify the A record of an organization’s public website to point to an IP address where they host malware. Instead of the website pointing to the organization’s public IP, the attacker would change it to the IP of the malicious site they are hosting. With this modification, when a user tries to browse to somecompany.com, they would be sent to the attacker’s webserver instead of the company’s webserver.
Lastly, if we look at the third method, we can see it’s more geared toward compromising DNS within a corporate environment. In a given environment, a company might have two DNS servers, or it might have five, 10, 15 or more.
Those servers are responsible for handling the mappings of domain names that exist in the company’s infrastructure, like laptop names, server names, and internal applications, and they are configured on each device within its DNS settings. By going into a computer’s network settings, you can view or change your DNS settings, but these configurations can also be controlled at the corporate network level, which is likely what would happen in the event of a hijacking attack.
Looking at my DNS settings on my laptop, I can see the DNS server is set to 192.168.1.1 by default, which means my home router’s DNS service is being used. If I wanted to, I could add more DNS servers here like 22.214.171.124, which is Google’s public DNS.
So, to bring this full circle, when the configured DNS servers on a corporate device are changed, it essentially leaves that computer without an address book, no longer having access to the A records that exist for the internal network.
The next type of DNS attack is called DNS tunneling. This attack has grown in popularity over the years because it evades detection by many firewalls and other types of perimeter security mechanisms.
Typically a DNS request will contain only the information needed for a client to talk to a server. DNS tunneling occurs when information other than what’s required is transmitted in the same packet via the DNS protocol.
DNS tunneling can have legitimate purposes, as it’s used to transmit additional data via DNS requests, but much tunneling activity is in fact malicious. Oftentimes, we see tunneling being used to establish connectivity with command and control servers or exfiltrate data in small chunks.
Attackers opt for tunneling to avoid being detected or blocked by a given company’s firewalls or tipping the security team off to something strange going on in their environment (i.e. exfiltration of large amounts of data).
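Because tunneled data has to be squeezed into query names, tunneling leaves measurable traces in resolver logs: unusually long names, high-entropy labels, bursts of never-repeated subdomains under one domain, and record types that carry free-form data. The script below, an added example that is not part of the original article, scores a constructed sample log with those heuristics; the thresholds and the assumption that the last two labels form the registered domain are illustrative choices, not tuned values.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log sample (client IP, queried name, query type); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.7", "cdn.static.example.org", "A"),
    ("10.0.0.9", "7a3f9c2e1b4d8e6f0a1c2d3e.exfil.example.net", "TXT"),
    ("10.0.0.9", "9e8d7c6b5a4f3e2d1c0b9a8f.exfil.example.net", "TXT"),
    ("10.0.0.9", "4c5d6e7f8a9b0c1d2e3f4a5b.exfil.example.net", "TXT"),
    ("10.0.0.9", "0f1e2d3c4b5a69788796a5b4.exfil.example.net", "TXT"),
]
ENTROPY_THRESHOLD = 3.5  # bits/char of the leftmost label; encoded payloads sit above normal hostnames
LENGTH_THRESHOLD = 40    # total characters in the query name
BURST_THRESHOLD = 3      # distinct subdomains per client per domain in the log window
RARE_QTYPES = {"TXT", "NULL", "MX"}  # types that carry free-form data and are unusual for end clients

def shannon_entropy(text):
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name):
    # Assumption: the last two labels are the registered domain (no public-suffix list used here).
    labels = name.rstrip(".").lower().split(".")
    return labels, ".".join(labels[-2:])

def score_log(entries):
    """Return {client: {domain: (score, sorted reasons)}} for every client/domain pair seen."""
    subs = defaultdict(lambda: defaultdict(set))     # client -> domain -> set of subdomains
    reasons = defaultdict(lambda: defaultdict(set))  # client -> domain -> set of triggered signals
    for client, name, qtype in entries:
        labels, domain = split_name(name)
        subs[client][domain].add(".".join(labels[:-2]))
        if len(name) > LENGTH_THRESHOLD:
            reasons[client][domain].add("long query name")
        if len(labels) > 2 and shannon_entropy(labels[0]) > ENTROPY_THRESHOLD:
            reasons[client][domain].add("high-entropy leftmost label")
        if qtype in RARE_QTYPES:
            reasons[client][domain].add("unusual qtype " + qtype)
    result = defaultdict(dict)
    for client, domains in subs.items():
        for domain, seen in domains.items():
            r = reasons[client][domain]
            if len(seen) >= BURST_THRESHOLD:
                r.add("many unique subdomains")
            result[client][domain] = (len(r), sorted(r))
    return dict(result)

def suspected_tunnels(entries, min_score=2):
    """(client, domain) pairs that trip at least min_score signals; a single signal alone is noisy."""
    return sorted((c, d) for c, doms in score_log(entries).items()
                  for d, (s, _) in doms.items() if s >= min_score)
```

Run against a real resolver log, the same function should be fed per-time-window slices so the burst count reflects a rate rather than an all-time total.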
The last type of attack we’re going to cover is DNS poisoning, also called DNS spoofing. This attack is the act of interfering with DNS requests to provide the wrong DNS response. Oftentimes, DNS poisoning is used in what are called man-in-the-middle (MITM) attacks, where an attacker intercepts traffic and redirects it elsewhere.
Say you want to browse to Twitter, so you type in “twitter.com” and press enter. When you do this, your computer reaches out to a DNS server to ask for directions to twitter.com. Under normal circumstances, the DNS server would retrieve its IP address mapping for Twitter and respond to the DNS request with that information.
During a MITM attack, the below is what happens:
As you can see, instead of the DNS server retrieving the legitimate A record for the website, an attacker injects a fake DNS entry which is then sent back to the client, or your computer in our scenario. This results in your computer being directed to a fake website that either installs malware or tricks consumers into providing login credentials.
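The A record lookup described in the “How Does DNS Work?” section and the forged reply in the poisoning scenario above are both just DNS messages on the wire. The code below is an added example, not part of the original article: it builds a query for twitter.com, parses RFC 1035 messages (including name-compression pointers), and applies the checks a resolver uses to discard a reply it did not ask for, namely matching transaction ID, the QR bit, an identical question section, and answers only for the queried name. The transaction ID and the 192.0.2.0/24 and 198.51.100.0/24 addresses are constructed documentation values.

```python
import struct

def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Read a name at msg[off], following RFC 1035 compression pointers; returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            return ".".join(labels), off
        if (n & 0xC0) == 0xC0:                    # two-byte pointer into an earlier name
            target = ((n & 0x3F) << 8) | msg[off]
            return ".".join(labels + [decode_name(msg, target)[0]]), off + 1
        labels.append(msg[off:off + n].decode()); off += n

def build_query(name, txid):
    # Header: ID, flags 0x0100 (RD set), QDCOUNT=1; question: QNAME, QTYPE=A (1), QCLASS=IN (1)
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_response(name, txid, ip, ttl=300):
    # Flags 0x8180: QR=1, RD=1, RA=1. The answer's name is a pointer (0xC00C) to the question at offset 12.
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + encode_name(name) + struct.pack("!HH", 1, 1) + rr

def parse(msg):
    """Parse header, question and answer sections into a dict; A-record RDATA is rendered as dotted quad."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        questions.append((qname.lower(),) + struct.unpack("!HH", msg[off:off + 4])); off += 4
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1 and rdlen == 4:             # A record
            rdata = ".".join(str(b) for b in rdata)
        answers.append((rname.lower(), rtype, rclass, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}

def accept_response(query, response):
    """Reject a reply unless its ID, QR bit and question match the outstanding query
    and every answer is for the name that was asked; a forged reply fails these checks."""
    q, r = parse(query), parse(response)
    if r["id"] != q["id"] or not r["flags"] & 0x8000 or r["questions"] != q["questions"]:
        return False
    return all(a[0] == q["questions"][0][0] for a in r["answers"])
```

These checks are why an attacker racing the real server has to guess the 16-bit ID (and, in practice, the source port); DNSSEC validation is the control that catches a forged answer even when the guess is right.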
As we’ve learned, DNS is a crucial service we all rely on each day, yet its importance to the day-to-day operation of the internet is often overlooked. It can be easy to forget how much depends on it, but when day-long outages of Facebook and Instagram occur because of a DNS issue, we quickly remember how reliant we are on this single service.
While outages resulting from DNS issues can be mere accidents, they can also be the result of cyberattacks like DNS hijacking or poisoning. In this article, we’ve covered the three common types of DNS attacks and how attackers may leverage those attacks to accomplish their malicious objectives.
With that knowledge, the next step is to learn how we can better protect DNS to prevent these types of attacks from occurring. Stay tuned for a subsequent article covering some of the common controls leveraged to protect DNS from hijacking, tunneling, and poisoning attacks.
Originally published at katlyngallo.medium.com on January 18, 2022.