What Are DNS Attacks?


A DNS attack is any attack that targets the Domain Name System: its availability (flooding or abusing resolvers), the integrity of the answers clients depend on (forging, poisoning or hijacking records), or the protocol itself as a covert transport for malware traffic.


DNS Attacks Explained

The Domain Name System (DNS) is a critical component of the internet infrastructure, responsible for translating human-readable domain names into IP addresses that computers can then use to communicate with each other. The qualities that make DNS vital to the internet also make it a target for threat actors seeking to exploit vulnerabilities for malicious purposes.

DNS attacks aim to disrupt DNS servers (denial of service), to corrupt the resolution of domain names so that users are redirected to malicious websites or their traffic is intercepted, or to abuse the protocol itself as a channel for command and control and data theft.

On a global scale, 88% of organizations have suffered DNS attacks — with companies encountering an average of seven attacks per year at a cost of $942 thousand per attack, according to the IDC 2022 Global DNS Threat Report. In addition to financial losses, other serious consequences of DNS attacks include data theft, reputation damage, website downtime and malware infections.


How DNS Attacks Work

To understand how DNS attacks work, it’s important to first understand how DNS works.

DNS Mechanics

DNS is a hierarchical, distributed database of name servers holding records that map domain names to IP addresses and other data. When a user types a domain name into a browser, the operating system sends a query to its configured recursive resolver (at the ISP, on the corporate network or a public service). If the resolver has the record cached, it answers immediately. Otherwise it works down the hierarchy: it asks a root server, which refers it to the name servers for the top-level domain (for example .com); the TLD server refers it to the authoritative name servers for the domain; and the authoritative server returns the record. The resolver caches the answer for the time to live (TTL) carried in the record and returns it to the client. Every step of this chain, the unauthenticated UDP exchange, the referrals and the cache, is something an attacker can try to abuse.
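
The resolution chain described above, as an added example that is not code from the original page. It walks a constructed three-level hierarchy (root, a hypothetical .com TLD server named a.gtld.example., and ns1.example.com. as the authoritative server), records the referral at each hop, and shows the cache short-circuiting the second lookup. All names and addresses are made up (RFC 5737 documentation ranges); a real resolver additionally handles several name servers per delegation, glue records, timeouts and TTL expiry.

```python
"""Toy iterative resolver over a constructed root -> TLD -> authoritative hierarchy."""
from __future__ import annotations

# Each key is a name server; its value is what that server can answer with.
# The root knows only TLD delegations, the TLD server knows only the
# delegation for example.com, and ns1 holds the actual address records.
ZONES: dict[str, dict[str, dict[str, list[str]]]] = {
    "root": {
        "com.": {"NS": ["a.gtld.example."]},
    },
    "a.gtld.example.": {                     # hypothetical .com TLD server
        "example.com.": {"NS": ["ns1.example.com."]},
    },
    "ns1.example.com.": {                    # authoritative for example.com
        "example.com.": {"A": ["203.0.113.1"]},
        "www.example.com.": {"A": ["203.0.113.10"]},
    },
}

def ask(server: str, qname: str, qtype: str) -> tuple[str, list[str] | None]:
    """One query to one server: 'answer', 'referral' (the NS set of the
    closest enclosing delegation) or 'nxdomain'."""
    zone = ZONES[server]
    rrset = zone.get(qname, {})
    if qtype in rrset:
        return "answer", rrset[qtype]
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):             # walk up: www.example.com. -> example.com. -> com.
        cut = ".".join(labels[i:]) + "."
        if "NS" in zone.get(cut, {}):
            return "referral", zone[cut]["NS"]
    return "nxdomain", None

def resolve(qname: str, qtype: str = "A", cache: dict | None = None,
            trace: list | None = None) -> list[str] | None:
    """Resolve iteratively from the root, recording each hop in `trace`,
    answering from `cache` when an earlier lookup already stored the RRset."""
    qname = qname.lower().rstrip(".") + "."
    key = (qname, qtype)
    if cache is not None and key in cache:
        return cache[key]
    server = "root"
    for _ in range(8):                       # hop limit: a delegation loop must not spin forever
        kind, data = ask(server, qname, qtype)
        if trace is not None:
            trace.append((server, kind))
        if kind == "answer":
            if cache is not None:
                cache[key] = data
            return data
        if kind == "referral":
            server = data[0]                 # real resolvers choose among several NS
            continue
        return None                          # nxdomain
    raise RuntimeError("delegation loop")

if __name__ == "__main__":
    cache, trace = {}, []
    print(resolve("www.example.com", cache=cache, trace=trace), trace)
    trace.clear()
    print(resolve("www.example.com", cache=cache, trace=trace), trace)  # answered from cache, no hops
```

The first call produces three hops (root referral, TLD referral, authoritative answer); the second produces none, because the cache answers. That cache entry, and the fact that nothing in the exchange is authenticated, is exactly what the poisoning attacks in the next sections target.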

DNS Attacks 101

DNS attacks exploit weaknesses in the protocol or in the infrastructure that runs it. Classic DNS over UDP carries no authentication: a resolver accepts whichever response arrives first carrying the right transaction ID, destination port and question, so an attacker who can forge such a response ahead of the legitimate one can make the resolver cache a wrong IP address (DNS spoofing). Because UDP also does not verify the sender's address, an attacker can send small queries with a victim's address as the source and have open resolvers deliver their much larger responses to the victim (DNS amplification). Other attacks use the protocol as a transport (tunneling, DGA-based command and control) or go after the people and systems that administer a domain (hijacking). In every case the DNS system is manipulated to cause harm or wrongful gain, from denial of service to the theft of sensitive data.


Types of DNS Attacks

DNS Spoofing

DNS spoofing, also known as DNS cache poisoning, is an attack that manipulates a resolver's cache to redirect traffic from a legitimate website to an imposter site. The threat actor sends forged DNS responses to the resolver, tricking it into caching a wrong IP address for a genuine domain name. Every client that uses the poisoned resolver is then sent to the attacker's site for as long as the forged record's TTL lasts; the fake site mirrors the original, so the attacker can harvest personally identifiable information, login credentials and credit card numbers. Because the forged response has to match the outstanding query's 16-bit transaction ID and UDP source port, and may only supply records for names inside the zone being queried (the "bailiwick" rule), modern resolvers randomize both values, and DNSSEC validation rejects forged answers outright.
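
The checks a resolver applies before it caches a response, and the arithmetic behind why blind poisoning is a race against entropy, as an added example that is not code from the original page. The query, the forged responses and the zone names are constructed; the "Kaminsky-style" forgery is a response that matches every field but tries to slip in an extra record for a name outside the queried zone.

```python
"""What a resolver checks before caching, and the odds a blind attacker faces."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # resolver's ephemeral UDP source port
    qname: str       # e.g. "www.example.com."
    zone: str        # zone the queried server is authoritative for: "example.com."

@dataclass(frozen=True)
class Response:
    txid: int
    dst_port: int
    qname: str
    records: dict[str, str]   # name -> address: the answer plus any "additional" records

def in_bailiwick(name: str, zone: str) -> bool:
    """A server for example.com. may only tell us about names under example.com."""
    name, zone = name.lower(), zone.lower()
    return name == zone or name.endswith("." + zone)

def accept(query: Query, resp: Response) -> tuple[bool, str]:
    """Mirror the checks a cache makes; any failure means the packet is dropped,
    not cached. An off-path attacker must guess txid and port, and the bailiwick
    rule stops a 'bonus' record from poisoning an unrelated name."""
    if resp.txid != query.txid:
        return False, "txid mismatch"
    if resp.dst_port != query.src_port:
        return False, "port mismatch"
    if resp.qname.lower() != query.qname.lower():
        return False, "question mismatch"
    for name in resp.records:
        if not in_bailiwick(name, query.zone):
            return False, f"out-of-bailiwick record for {name}"
    return True, "cached"

def blind_success_probability(forged_packets: int, port_randomized: bool) -> float:
    """Chance that at least one of N forged replies matches before the real one
    arrives. With a fixed source port only the 16-bit txid must be guessed; with
    source-port randomization (ephemeral range 1024-65535 assumed) the space
    grows by a factor of about 64K."""
    space = 65536 * ((65535 - 1024 + 1) if port_randomized else 1)
    return 1.0 - (1.0 - 1.0 / space) ** forged_packets

if __name__ == "__main__":
    q = Query(txid=0x1A2B, src_port=40123, qname="www.example.com.", zone="example.com.")
    real = Response(0x1A2B, 40123, "www.example.com.", {"www.example.com.": "203.0.113.10"})
    kaminsky = Response(0x1A2B, 40123, "www.example.com.",
                        {"www.example.com.": "198.51.100.9", "www.bank.example.": "198.51.100.9"})
    print(accept(q, real))        # (True, 'cached')
    print(accept(q, kaminsky))    # rejected: bank.example is not under example.com
    print(blind_success_probability(65536, False), blind_success_probability(65536, True))
```

With a fixed source port, 65,536 forged packets give roughly a 63% chance of a hit; with port randomization the same flood succeeds about 0.002% of the time, which is why the 2008 fixes concentrated on randomizing ports and why DNSSEC, which removes the guessing game entirely, is the durable answer.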

DNS Amplification

DNS amplification is a type of distributed denial of service (DDoS) attack that exploits open DNS resolvers to flood a target with traffic. The attacker sends small queries, often for record types that produce large answers, to open resolvers with the source address spoofed to that of the victim. Each resolver sends its response, many times larger than the query, to the victim. With many open resolvers and a steady stream of spoofed queries the attacker can saturate the target's links and make it unavailable to legitimate users, while the true source of the traffic stays hidden behind the resolvers.

DNS Tunneling

DNS tunneling uses the DNS protocol itself as a transport for data that a firewall would otherwise block. Malware on a compromised host encodes data into the subdomain labels of queries for a domain the attacker controls (for example, a base32-encoded chunk of a file prefixed to attacker.example); the corporate resolver forwards the queries to the attacker's authoritative name server, which records the data and can return commands in its responses, often in TXT or CNAME records. Because most firewalls allow outbound DNS, the channel passes unnoticed unless someone inspects the queries themselves, where it leaves a telltale pattern: very many distinct, long, random-looking subdomains under one parent domain.
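
Both halves of the technique above, as an added example that is not code from the original page: an encoder that packs bytes into query names under a hypothetical attacker zone t.example.net while respecting the 63-octet label and 253-octet name limits, a decoder that reassembles them, and a detector that scores what such traffic looks like in a list of queried names. The payload and the benign queries are constructed; the "registered domain" heuristic (last two labels) is an assumption that a real deployment would replace with a public-suffix list.

```python
"""DNS tunneling: smuggling bytes in query names, and spotting it in resolver logs."""
from __future__ import annotations
import base64, hashlib, math
from collections import defaultdict

TUNNEL_ZONE = "t.example.net"   # hypothetical attacker-controlled zone

def encode_chunk(data: bytes, seq: int, zone: str = TUNNEL_ZONE) -> str:
    """<seq>.<base32 data split into 63-octet labels>.<zone>. Base32 is used because
    names are case-insensitive and only letters, digits and '-' are safe in labels."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + 63] for i in range(0, len(b32), 63)]
    name = ".".join([str(seq), *labels, zone])
    if len(name) > 253:
        raise ValueError("name exceeds the 253-octet limit; use smaller chunks")
    return name

def decode_chunk(name: str, zone: str = TUNNEL_ZONE) -> tuple[int, bytes]:
    seq, *labels = name[: -(len(zone) + 1)].split(".")
    b32 = "".join(labels).upper()
    b32 += "=" * (-len(b32) % 8)             # restore the padding we stripped
    return int(seq), base64.b32decode(b32)

def exfiltrate(payload: bytes, chunk: int = 90) -> list[str]:
    """90 bytes -> exactly 144 base32 chars, which spills across three labels."""
    return [encode_chunk(payload[i:i + chunk], n)
            for n, i in enumerate(range(0, len(payload), chunk))]

def reassemble(names: list[str]) -> bytes:
    chunks = sorted(decode_chunk(n) for n in names)   # order by sequence number
    return b"".join(data for _, data in chunks)

def entropy(s: str) -> float:
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))

def registered_domain(name: str) -> str:
    return ".".join(name.rstrip(".").split(".")[-2:])   # assumption: no public-suffix list

def tunnel_suspects(qnames, min_unique: int = 20, min_sub_len: int = 40,
                    min_entropy: float = 3.5) -> dict:
    """Per registered domain: many distinct, long, high-entropy subdomains is the
    signature of data leaving through queries (CDNs and mail use few, short ones)."""
    subs = defaultdict(set)
    for q in qnames:
        dom = registered_domain(q)
        subs[dom].add(q[: -(len(dom) + 1)] if q != dom else "")
    out = {}
    for dom, uniq in subs.items():
        if len(uniq) < min_unique:
            continue
        avg_len = sum(len(s) for s in uniq) / len(uniq)
        avg_ent = sum(entropy(s.replace(".", "")) for s in uniq) / len(uniq)
        if avg_len >= min_sub_len and avg_ent >= min_entropy:
            out[dom] = {"unique_subdomains": len(uniq),
                        "avg_subdomain_len": round(avg_len, 1),
                        "avg_entropy_bits": round(avg_ent, 2)}
    return out

# Constructed traffic: a pseudo-random 1920-byte payload leaving in 22 queries,
# mixed with ordinary repeated lookups.
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(60))
BENIGN = ["www.example.com", "mail.example.com", "cdn.example.com"] * 50
QUERIES = BENIGN + exfiltrate(PAYLOAD)

if __name__ == "__main__":
    print(exfiltrate(PAYLOAD)[0])
    print(tunnel_suspects(QUERIES))   # flags example.net only
```

The thresholds are deliberately crude; in production you would baseline per-domain subdomain counts over time, because the same features also describe some legitimate anti-virus and telemetry services that encode data in DNS labels.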

DNS Hijacking

DNS hijacking, also known as domain theft, is an attack that maliciously gains control of a domain name. The threat actor achieves this by stealing the owner's credentials for the registrar or DNS hosting provider, by social-engineering the registrar's support staff, or by exploiting a vulnerability in the registrar's systems. Once in control of the domain, the attacker can change its name servers or records to redirect traffic to a fake website, obtain TLS certificates for the domain, intercept its email, steal sensitive information or use the domain to launch other types of attacks.

DNS Reflection

DNS reflection is the mechanism that makes DNS amplification work rather than a separate attack. Because DNS normally runs over UDP, which does not verify the sender's address, the attacker sends queries with the victim's address as the source, and the open resolver "reflects" its response to the victim. Amplification describes the size gain: the response is many times larger than the query, so the attacker's own bandwidth is multiplied. The defenses are the same for both: do not run open resolvers, rate-limit responses, and have network operators filter packets with spoofed source addresses at their edge.
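
What the amplification and reflection attacks described in the two sections above look like from the victim's network, as an added example that is not code from the original page. It runs a detector over constructed NetFlow-style records (not captured traffic): an ordinary client talking to one resolver, and a victim that receives large port-53 responses from four resolvers it never queried, because its address was spoofed in the attacker's queries. The 64-byte "typical query" used to estimate the amplification factor is an assumption.

```python
"""Spotting a reflected DNS amplification flood in flow records."""
from __future__ import annotations
from collections import defaultdict

# (src_ip, src_port, dst_ip, dst_port, packets, bytes) for UDP flows, constructed.
# 10.0.0.5 is an ordinary client; 203.0.113.7 is the victim.
FLOWS = [
    ("10.0.0.5", 41234, "192.0.2.53", 53, 4, 280),
    ("192.0.2.53", 53, "10.0.0.5", 41234, 4, 900),
    ("198.51.100.10", 53, "203.0.113.7", 8080, 500, 1_600_000),
    ("198.51.100.11", 53, "203.0.113.7", 8080, 480, 1_530_000),
    ("198.51.100.12", 53, "203.0.113.7", 8080, 510, 1_640_000),
    ("198.51.100.13", 53, "203.0.113.7", 8080, 495, 1_580_000),
]

TYPICAL_QUERY_BYTES = 64   # assumed size of the small query that elicits each response

def amplification_factor(resp_bytes: int, resp_packets: int,
                         query_bytes: int = TYPICAL_QUERY_BYTES) -> float:
    """Average response size divided by the size of the query that triggered it."""
    return (resp_bytes / resp_packets) / query_bytes

def detect_reflection(flows, min_resolvers: int = 3, min_ratio: float = 10.0) -> dict:
    """Flag hosts that receive answers from many port-53 sources while having sent
    few or no queries to those sources. Returns {victim_ip: summary}."""
    inbound = defaultdict(dict)       # dst -> {resolver: (packets, bytes)}
    outbound = defaultdict(int)       # (client, resolver) -> bytes of queries sent
    for src, sport, dst, dport, pkts, nbytes in flows:
        if sport == 53:
            p, b = inbound[dst].get(src, (0, 0))
            inbound[dst][src] = (p + pkts, b + nbytes)
        elif dport == 53:
            outbound[(src, dst)] += nbytes
    victims = {}
    for dst, resolvers in inbound.items():
        if len(resolvers) < min_resolvers:
            continue
        in_pkts = sum(p for p, _ in resolvers.values())
        in_bytes = sum(b for _, b in resolvers.values())
        out_bytes = sum(outbound[(dst, r)] for r in resolvers)
        ratio = in_bytes / out_bytes if out_bytes else float("inf")
        if ratio >= min_ratio:
            victims[dst] = {
                "resolvers": len(resolvers),
                "inbound_bytes": in_bytes,
                "queries_sent_bytes": out_bytes,
                "est_amplification": round(amplification_factor(in_bytes, in_pkts), 1),
            }
    return victims

if __name__ == "__main__":
    print(detect_reflection(FLOWS))   # only 203.0.113.7 is flagged
```

The ratio of inbound response bytes to outbound query bytes is the key signal: a legitimate client's responses are a few times larger than its queries, while a reflection victim sees responses with no matching queries at all. The same data, viewed from the resolver operator's side, would show queries arriving from source addresses that never complete a handshake, which is the cue to stop answering recursive queries for the whole internet.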

DNS Attacks Using Domain Generation Algorithm (DGA)

A domain generation algorithm (DGA) produces a large, constantly changing list of domain names from a seed (often the current date) so that infected machines and their operators can find each other for command and control (C2). Both sides run the same algorithm; the operator registers only one or a few of the day's random-looking names (e.g., www..com), while the malware tries the whole list until one resolves. The sheer number of candidate rendezvous points makes the infrastructure resilient to takedowns and block lists. What's more, public-key cryptography built into the malware lets it verify that commands came from its controllers, so law enforcement cannot simply seize a predicted domain and forge updates; worms typically reject unsigned updates.

A computer infected with DGA malware may generate thousands of domain names a day and attempt to resolve them in search of an update or commands. Most of those lookups fail with NXDOMAIN, and that burst of failed resolutions for never-before-seen domains is the most visible trace the technique leaves in DNS logs.

To detect DGA activity, a cloud security posture management (CSPM) solution that ingests DNS query logs can apply machine learning to the query names and the pattern of failed resolutions, and alert security teams when a single resource in the cloud environment issues many DGA-looking lookups in a short period.

Cryptojacking

Cryptojacking is the unauthorized use of a victim's computational resources to mine cryptocurrency such as Bitcoin or Ethereum. Mining software planted on a compromised host (or a browser-based miner delivered by a compromised website) connects to a mining pool to fetch work and submit results, and to do so it first has to resolve the pool's domain name. Those lookups, followed by sustained CPU or GPU load and long-lived outbound connections, are the observable traces. Incidents of cryptojacking have increased 300% in recent years, tracking the rising value of cryptocurrencies and luring bad actors seeking financial gain.

Using audit event logs and network flow logs, some CSPM solutions are equipped to detect cryptomining activity traces left on DNS logs. With up-to-date threat intelligence, the CSPM will identify client hosts inside the cloud environment that initiate suspicious DNS queries to domain names associated with known cryptomining pools.

DNS Rebinding Attacks

DNS rebinding lets a threat actor reach services on a victim's internal network that are not reachable from the internet, by turning the victim's own browser into a proxy. It exploits the fact that the browser's same-origin policy identifies an origin by host name (plus scheme and port), not by the IP address the name currently resolves to.

In a DNS rebinding attack, the attacker controls both the authoritative name server for a domain and a website on it that serves a malicious script. When a user, or an automated headless browser, visits the attacker's site, the name first resolves to the attacker's public server, with a very short TTL. After the page loads, the script keeps issuing requests to the same host name; once the TTL has expired and the browser re-resolves it, the attacker's name server answers with an internal address such as a router, an internal web application or a cloud metadata endpoint. The browser treats the responses as coming from the same origin, so the script can read them and relay the contents back to the attacker.
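
The answer flip described above and the resolver-side filter that defeats it, as an added example that is not code from the original page. The attacker's zone evil.example, the internal zone corp.example and all addresses are constructed; the simulated authoritative server returns the attacker's public host on the first query and an internal address afterwards, and the filter refuses to hand a browser a private, loopback, link-local or similar address for any name outside zones that are expected to resolve internally (the same policy that dnsmasq's --stop-dns-rebind and Unbound's private-address option enforce).

```python
"""DNS rebinding: the attacker's answer flip, and the rebinding filter that blocks it."""
from __future__ import annotations
import ipaddress

# Address space a public hostname has no business resolving to. Includes the
# cloud metadata endpoint (169.254.169.254, link-local) and the CGNAT range.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

class RebindingServer:
    """Hypothetical authoritative server for evil.example. First answer: the attacker's
    web host with TTL 1. When the victim's browser re-resolves after the TTL expires,
    the same host name now points at an internal host, and script already running on
    the page can read http://evil.example:8080/ because the origin never changed."""
    def __init__(self, public_ip: str, internal_ip: str):
        self.public_ip, self.internal_ip, self.queries = public_ip, internal_ip, 0

    def answer(self, qname: str) -> dict:
        self.queries += 1
        ip = self.public_ip if self.queries == 1 else self.internal_ip
        return {"name": qname, "ttl": 1, "ip": ip}

def is_rebinding_answer(qname: str, ip: str,
                        internal_zones: tuple[str, ...] = ("corp.example.",)) -> bool:
    """True if this answer should be refused: an internal address for a name that is
    not in a zone expected to resolve internally."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:          # ::ffff:10.0.0.5 is still 10.0.0.5
        addr = addr.ipv4_mapped
    qname = qname.lower().rstrip(".") + "."
    if any(qname == z or qname.endswith("." + z) for z in internal_zones):
        return False
    return any(addr in net for net in INTERNAL_RANGES)

def browser_resolutions(server: RebindingServer, filtered: bool) -> list[str]:
    """Two lookups: the page load, then the re-resolution the attacker's script forces
    once the 1-second TTL has expired. Returns the address the browser would use each time."""
    seen = []
    for _ in range(2):
        a = server.answer("evil.example.")
        refused = filtered and is_rebinding_answer(a["name"], a["ip"])
        seen.append("REFUSED" if refused else a["ip"])
    return seen

if __name__ == "__main__":
    print(browser_resolutions(RebindingServer("203.0.113.10", "192.168.1.20"), filtered=False))
    print(browser_resolutions(RebindingServer("203.0.113.10", "192.168.1.20"), filtered=True))
```

The filter is a network-level mitigation and has a known gap: it cannot protect a service that is itself reachable on a public address. The complementary fix belongs in the internal services, which should check the HTTP Host header against the names they expect and require authentication rather than trusting any request that arrives from inside the network.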

With the rise in legitimate use of headless browsers for web scraping, web analytics and automated testing of web applications, detecting DNS rebinding attacks in cloud environments is now integral to cloud security.


DNS Security Best Practices

DNS attacks can have serious consequences for cloud environments, which rely on DNS to connect users with cloud services and applications. By understanding and implementing best practices for DNS security in the cloud, DevSecOps professionals can help protect their networks.

Best practices for securing cloud environments from DNS attacks include:

  • Use a DNS firewall: Enforce a response policy on your resolvers (block lists of known malicious and newly registered domains, sinkholing of DGA and cryptomining domains) so that compromised hosts cannot reach their infrastructure and users cannot be sent to phishing sites.
  • Implement DNSSEC: Sign your zones and run validating resolvers. DNSSEC lets a resolver verify that a response was signed by the zone owner, so a forged or poisoned answer is rejected; it authenticates data but does not encrypt queries, and it protects nothing if the resolver does not validate.
  • Require multifactor authentication and registry locks: Protect the registrar and DNS hosting accounts that can change NS, A and MX records; these are the accounts whose theft enables the domain hijacking described above.
  • Do not run open resolvers: Restrict recursion to your own clients and rate-limit responses so your servers cannot be used as reflectors in amplification attacks.
  • Monitor DNS traffic: Watch for spikes in volume, bursts of NXDOMAIN answers, long or high-entropy query names and public names resolving to private addresses. These are the traces of the DGA, tunneling, amplification and rebinding attacks above, and alerting on them lets security teams start mitigation before the damage spreads.
  • Segment networks: Limit the impact of a DNS attack by isolating critical systems from less critical ones, and make internal services require authentication rather than trusting any request that arrives from inside the network.
  • Regularly update and patch systems: Keep resolvers and authoritative servers patched, since many historical cache-poisoning attacks exploited implementation flaws rather than the protocol itself.


Learn More About DNS Security

Prisma Cloud ingests data from several sources such as cloud configurations, network flow logs, audit events and more — processing 1 trillion cloud events daily. Using this data, the context-driven platform wields Palo Alto Networks Unit 42® threat intelligence, third-party intelligence streams, machine learning (ML) and user and entity behavior analytics (UEBA) to identify threats lurking across cloud environments. With each threat detected, Prisma Cloud provides actionable remediation steps to help you respond and keep your organization safe.


DNS Security FAQs

A DNS server is any server that answers DNS queries; the two main kinds are resolvers, which look answers up on behalf of clients, and authoritative servers, which hold the records for a zone.
A DNS resolver (recursive resolver) receives queries from clients, walks the name-server hierarchy to find the answer, caches it and returns it to the client.
A root DNS server is one of the servers at the top of the hierarchy. It does not know individual domains; it refers the resolver to the name servers for the relevant top-level domain (.com, .org and so on), which in turn refer it to the domain's authoritative servers.
An authoritative DNS server holds the actual records for a zone and gives the final, definitive answer for names within it.
A DNS query is a request sent by a client to a DNS resolver or server asking for the records (most often the IP address) of a domain name.
A DNS response is the reply to a query; it carries the requested records, for an A query the IP address, or a response code such as NXDOMAIN when the name does not exist.
DNS cache is a local store of recently retrieved DNS records used to speed up resolution.
TTL (time to live) is a value in a DNS record that determines how long a resolver or server may cache the record; once it expires the resolver must ask again, which is the step DNS rebinding attacks rely on.
DNS-based Authentication of Named Entities (DANE) is a protocol that lets domain owners publish TLSA records stating which TLS certificate or public key a service must present; because the records are protected by DNSSEC, clients can detect a certificate that a CA was tricked into issuing. It depends entirely on the zone being DNSSEC-signed and the client validating.
A CNAME record is a DNS record that maps one domain name to another.
An MX record is a DNS record that specifies the mail servers responsible for a domain.
An NS record is a DNS record that specifies the authoritative name servers for a domain.
Public-key cryptography is a widely used cryptographic system that allows secure communication over the internet without a pre-shared secret key. It relies on a pair of mathematically related keys, a public key that can be shared freely and a private key that must be kept secret, and its security rests on problems believed to be computationally hard, such as factoring large integers or computing discrete logarithms. The public key is easily derived from the private key, but recovering the private key from the public key is infeasible, which is what lets DGA malware verify that a command was signed by its operators while nobody else can forge one.