What Are DNS Attack Vectors?

DNS attack vectors are the methods used by threat actors to target the Domain Name System (DNS), the protocol that translates a domain name like example.com into an alphanumerical IP address. Because DNS has a wide span of control, interruptions impact many services at once. DNS attack vectors may target the availability or stability of a DNS service, or leverage DNS as part of an overall attack strategy. Common DNS attack vectors include tunneling, cache poisoning, rebinding, amplification, flood attacks, and DNS spoofing. Many threat actors use DNS as a vector for DoS and DDoS attacks.

The Domain Name System makes it easier for users to access websites without having to keep track of long and complicated IP addresses for every website they want to visit. DNS servers match the easy-to-remember names of websites that users type into a web browser with a corresponding IP address (like 2001:db8:3e8:2a3::b63) that enables the right website to load.

When a user types a domain name such as example.com into a browser, a DNS resolver searches for the numerical IP address that matches the domain name. This process may involve multiple steps:

• The DNS resolver first searches for the IP address in its local cache.
• If the address does not exist in the cache, the DNS resolver may query other DNS servers for the correct IP address or search for an authoritative DNS server that stores a canonical mapping of the domain name to its IP address.
• Once the IP address is found, the resolver communicates it to the requesting browser and stores the address in its local cache for future use.

DNS attack vectors are effective because the Domain Name System was not designed with security in mind, and any disruptions have a wide impact. DNS servers are built to accurately and efficiently respond to queries rather than to examine their intent. Consequently, DNS has weaknesses that make it an attractive target vector for cyberattacks. DNS is an essential part of the internet and is involved in most communication. Additionally, many security tools accept DNS with limited verification, opening the door to a variety of attacks.

• Volumetric denial of service (DoS) attacks overwhelm a DNS server by flooding it with a large number of requests from one or more sources, slowing the response time or making the DNS service unavailable.
• Exploits take advantage of flaws or vulnerabilities in DNS services, in DNS protocols, or in the operating systems that run DNS servers.
• Stealth or slow drip DoS attacks degrade or interrupt service by submitting a steady drip of specific DNS requests that exhaust the capacity of outgoing query processing.
• Protocol abuse attacks use DNS in unintended ways that enable attackers to exfiltrate data or conduct phishing campaigns.

• Zero-day attacks. Attackers exploit previously unknown vulnerabilities in the DNS server software or protocol stack. Because these security holes are previously undiscovered, security teams have “zero days” to prepare patches or defenses for them.
• DNS cache poisoning. Also known as DNS spoofing, this attack vector involves corrupting or “poisoning” a DNS cache by replacing a legitimate DNS record with an IP address for another website that may be malicious. Cache poisoning is often used to dupe users into revealing confidential information such as login credentials or account information.
• Denial of service (DoS). This type of flood attack uses one computer and one internet connection to inundate a DNS server with a large amount of traffic, intending to overwhelm the server and prevent it from responding to legitimate requests.
• Distributed denial of service (DDoS). DDoS DNS attacks are a type of flood attack designed to render DNS servers unavailable by overloading the server with traffic from many source locations. DDoS attacks are often carried out by a botnet, a network of machines or bots infected with malware that allows attackers to control them.
• DNS amplification. Amplification attacks are a type of DDoS attack that relies on open, publicly accessible DNS servers to flood a target system with DNS response traffic. By sending small queries that result in large responses, attackers can amplify the impact of their efforts against a target.
• DNS tunneling. This DNS attack vector uses DNS as a covert communication channel to evade detection by a firewall. Cybercriminals may use DNS tunneling to exfiltrate sensitive data or to control a compromised device within a protected IT environment.
• DNS hijacking. These attacks redirect traffic intended for a website to new destinations where threat actors can launch malicious activities or create a look-alike copy of the original site to collect sensitive personal information.
• NXDOMAIN attack. This flood attack overwhelms DNS servers by requesting invalid or nonexistent records to overload the target DNS servers and its infrastructure environment. Overwhelmed by bad requests, the DNS servers and its supporting infrastructure slow down and eventually stop working.
• Domain lockup. Hackers set up TCP-based connections with DNS resolvers that send junk or random packets, keeping the DNS resolvers constantly engaged or “locked up.” This exhausts legitimate DNS servers and prevents legitimate requests from receiving responses.
• DNS flood attacks. These attack vectors use the DNS protocol to conduct a User Datagram Protocol (UDP) flood. In a DNS flood attack, threat actors deploy valid but spoofed DNS request packets at a very high rate and from a large group of source IP addresses. Because the requests appear valid, targeted DNS servers will respond to all requests, eventually becoming overwhelmed and exhausting their capacity.
• Random subdomain attack. Also known as a pseudo random subdomain attack, this type of DDoS attack sends hundreds or thousands of real but malicious DNS requests. Because the requests are legitimate with valid higher-level domains (e.g., doesnotexist.example.com), they’re able to avoid many of the DDoS protections and automatic mitigations used by firewalls and other filters.

IT and security teams may use a variety of techniques and cybersecurity best practices to prevent DNS attack vectors.

• Restrict access. Restricting the use of DNS resolvers to only valid users can prevent external users from poisoning the cache.
• Log and monitor DNS queries. By logging and monitoring inbound and outbound queries, IT teams can detect anomalies and gather contextual information that enables forensic analysis.
• Replicate data. Keeping copies of DNS data in other servers makes it easier to replace data that has been corrupted or lost on one server.
• Block redundant queries. This can help to prevent spoofing.
• Keep DNS servers up to date. Organizations that run their own DNS servers must keep the servers patched and up to date to prevent attackers from exploiting bugs and vulnerabilities.
• Deploy dedicated DNS protection. For companies with thousands of domains to protect, a third-party DNS security service may be the most effective option to fortify DNS workflow.