How do attackers exploit vulnerabilities associated with DNS to launch powerful attacks?

The Internet works much like the postal service: it too is based on addresses. When systems wish to communicate over the Internet, they need to know an address to which they can forward packets, and an address from which packets or messages are coming. In the language of computers, these are known as Internet Protocol (IP) addresses.
 
IP addresses are seemingly random strings of numbers that are difficult to remember, whereas simple English words are relatively easy to remember; this is why DNS came into existence. In addition, a website's IP address can change over time, and some sites associate multiple IP addresses with a single domain name. The Domain Name System (DNS) is a protocol that translates a human-friendly domain name such as www.securitycommunity.tcs.com into a system-recognized IP address such as 54.208.57.153. It is akin to the Internet's own address book: it maintains a directory of domain names and translates them into Internet Protocol (IP) addresses.

A single DNS server cannot support the load of the whole Internet, so a whole hierarchy of DNS servers arose, with each organization also having its own internal DNS. The structure comprises root servers controlling top-level domains such as .com, .gov and .org; Top Level Domain (TLD) servers controlling regional domains such as .br, .fr and .uk; authoritative servers controlling specific domains such as tcs.com; and a very large group of recursive resolvers that end-user systems connect to. A query from a user for a domain name is sent to a recursive resolver, and that resolver works with the root, TLD and varying levels of authoritative servers to track down the authoritative DNS server responsible for the domain, from which it receives the DNS reply. Every time we browse a website or send emails or messages, our machine sends a DNS lookup request to help route the traffic.
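As an added illustration of the referral walk described above (example code written for this page, not code from the original article or from TCS): a recursive resolver modelled over a constructed, in-memory root/TLD/authoritative hierarchy. The server names and zone data are assumptions; only the example host name and IP address from the text are reused. The same walk also shows why a query for a name that does not exist still costs a full trip down to the authoritative server.

```python
"""Walk a DNS name down a constructed root -> TLD -> authoritative hierarchy.

Added example, not code from the original article. The server data below is
a constructed in-memory stand-in for the real DNS infrastructure; the server
names and zones are assumptions chosen only to illustrate the referral walk
a recursive resolver performs on behalf of a client.
"""

# Each server holds the zones it serves. A zone maps a name to either a final
# answer ("A", ip) or a referral ("NS", server) to the server that serves the
# next level down. (constructed sample data)
ROOT = "root-server.example"
SERVERS = {
    ROOT: {
        "com.": ("NS", "tld-server.example"),
    },
    "tld-server.example": {
        "tcs.com.": ("NS", "ns.tcs.example"),
    },
    "ns.tcs.example": {
        "www.securitycommunity.tcs.com.": ("A", "54.208.57.153"),
    },
}


def labels_from_right(name):
    """Yield progressively longer suffixes of a name: 'com.', 'tcs.com.', ..."""
    parts = name.rstrip(".").split(".")
    for i in range(len(parts) - 1, -1, -1):
        yield ".".join(parts[i:]) + "."


def ask(server, name):
    """Return the most specific record a server holds for the name, or None."""
    zone = SERVERS[server]
    best = None
    for suffix in labels_from_right(name):   # shortest suffix first
        if suffix in zone:
            best = zone[suffix]              # later (longer) matches win
    return best


def resolve(name, cache=None, max_hops=8):
    """Resolve name by following referrals from the root.

    Returns (ip, path) where path lists the servers contacted; a cached
    answer costs no server contact at all, an unknown name costs the full
    walk and still ends with no answer (NXDOMAIN).
    """
    cache = cache if cache is not None else {}
    fqdn = name if name.endswith(".") else name + "."
    if fqdn in cache:
        return cache[fqdn], []
    server, path = ROOT, []
    for _ in range(max_hops):
        path.append(server)
        record = ask(server, fqdn)
        if record is None:
            return None, path        # no server knows this name
        rtype, value = record
        if rtype == "A":
            cache[fqdn] = value      # remember the answer for next time
            return value, path
        server = value               # follow the referral down one level
    return None, path


if __name__ == "__main__":
    shared_cache = {}
    print(resolve("www.securitycommunity.tcs.com", shared_cache))
    print(resolve("www.securitycommunity.tcs.com", shared_cache))  # served from cache
    print(resolve("abc1234433.tcs.com", shared_cache))             # full walk, no answer
```

The cache is what makes a recursive resolver cheap for repeated names; the later sections on NXDOMAIN and random-subdomain floods exploit exactly the fact that a name which never resolves is never cached and so triggers the full walk every time.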
 
DNS was not designed with security in mind. The DNS attacks in use today are numerous and quite complex, and they take advantage of the communication back and forth between clients and servers. DNS can use either the User Datagram Protocol (UDP) or the Transmission Control Protocol (TCP), and it historically uses destination port 53, which is kept open for resolving DNS queries. DNS is a backbone of the Internet, so when DNS servers are under attack and become unreachable, every site they support becomes unreachable as well. A company's connectivity is compromised, which can further lead to loss of revenue, customer defection and a negative impact on the brand.
 
There is a whole range of attacks targeting DNS; broadly, they fall into two types: DNS-specific attacks and network-layer attacks.
 
DNS-specific attacks are the ones that target the DNS servers themselves. DNS servers are recursive, which simply means that they can query each other to either find another DNS server that knows the correct IP address or find the authoritative DNS server. Mitigating these attacks requires deep packet inspection of incoming traffic at the application layer. Popular ones include:
 
NXDOMAIN attack: The attack is accomplished by sending floods of queries for randomized subdomains in an attempt to overload the DNS servers and bypass any caching servers along the way. Caches fill up with NXDOMAIN results, slowing DNS server response times for legitimate requests. The DNS server also spends valuable resources as it keeps repeating the recursive query in an attempt to obtain a resolution result.
 
Phantom domain attack: The DNS resolver tries to resolve multiple "phantom" domains that do not exist. These phantom domains may not send responses, or the responses will be slow. The server consumes resources while waiting for responses, eventually leading to degraded performance or failure because of too many outstanding queries.

Random subdomain attack: Infected clients create queries by prepending randomly generated subdomain strings to the victim's domain, e.g. abc1234433.mybank.com. Each client may send only a small volume of these queries to the recursive DNS server. Responses may never come back for these nonexistent subdomains, so the recursive DNS server waits for them until its outstanding-query limit is exhausted.
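The three flood attacks above share a signature a resolver operator can look for in query logs: a high share of NXDOMAIN answers per client, and failing query labels that look random rather than like words. The following is added detection code, not part of the original article; the log format, the sample lines and the thresholds are constructed assumptions, so the parser must be adapted to the real resolver's log format.

```python
"""Flag random-subdomain / NXDOMAIN floods in recursive resolver query logs.

Added example, not code from the original article. The log line format, the
sample lines and the thresholds are constructed assumptions; adapt LINE_RE to
the real resolver's log format before use.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed log format: "<time> client=<ip> q=<name> rcode=<NOERROR|NXDOMAIN>"
LINE_RE = re.compile(r"client=(\S+)\s+q=(\S+)\s+rcode=(\S+)")

# Constructed sample: 10.0.0.5 is a normal client with one typo,
# 10.0.0.9 is sending the abc1234433.mybank.com style of query.
SAMPLE_LOG = """\
10:00:01 client=10.0.0.5 q=www.mybank.com rcode=NOERROR
10:00:01 client=10.0.0.9 q=abc1234433.mybank.com rcode=NXDOMAIN
10:00:02 client=10.0.0.9 q=zq9x7lk2p0.mybank.com rcode=NXDOMAIN
10:00:02 client=10.0.0.5 q=mail.mybank.com rcode=NOERROR
10:00:03 client=10.0.0.9 q=m83nd0qwe1.mybank.com rcode=NXDOMAIN
10:00:03 client=10.0.0.9 q=k2j4h6g8f0.mybank.com rcode=NXDOMAIN
10:00:04 client=10.0.0.5 q=typo.mybank.com rcode=NXDOMAIN
10:00:04 client=10.0.0.9 q=www.mybank.com rcode=NOERROR
"""


def shannon_entropy(label):
    """Bits per character; random alphanumeric labels score far higher than words."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(log_text):
    """Yield (client, qname, rcode) tuples, skipping lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower().rstrip("."), m.group(3)


def analyse(log_text, min_queries=4, max_nx_ratio=0.5, min_entropy=3.0):
    """Return (flagged_clients, targets).

    A client is flagged when it sent at least min_queries, more than
    max_nx_ratio of them failed, and the leftmost labels of its failing
    queries look random (mean entropy >= min_entropy). targets counts, per
    base domain, how many distinct nonexistent names were asked for, which
    shows which victim domain's authoritative servers absorb the load.
    """
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_entropy": []})
    targets = Counter()
    seen = set()
    for client, qname, rcode in parse(log_text):
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            parts = qname.split(".")
            s["nx_entropy"].append(shannon_entropy(parts[0]))
            base = ".".join(parts[-2:])      # assumption: two-label base domain
            if qname not in seen:
                seen.add(qname)
                targets[base] += 1
    flagged = {}
    for client, s in stats.items():
        if s["total"] < min_queries:
            continue                         # too little data to judge
        ratio = s["nx"] / s["total"]
        ents = s["nx_entropy"]
        mean_ent = sum(ents) / len(ents) if ents else 0.0
        if ratio > max_nx_ratio and mean_ent >= min_entropy:
            flagged[client] = {"nx_ratio": round(ratio, 2),
                               "label_entropy": round(mean_ent, 2)}
    return flagged, dict(targets)


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The entropy test is what separates a flood from ordinary typos: a user mistyping mail.mybank.com produces a low-entropy label and a low failure ratio, while generated labels like zq9x7lk2p0 score close to the maximum for their length. In practice the thresholds are tuned against a baseline of normal traffic, and the flagged client list feeds a rate limit or block on the resolver rather than an automatic alert alone.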
 
Cache poisoning: Corruption of the DNS cache data. A malicious resolver returns a rogue IP address for the requested name, and also maps the rogue IP address to additional legitimate sites (e.g. www.mybank.com). The client connects to a site controlled by the attacker, thinking it is www.mybank.com.
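A resolver's first line of defence against the record-planting step just described is the bailiwick rule: a record from a response is accepted into the cache only if its name lies within the zone the responding server was asked about, so a server answering for one domain cannot slip in an address for www.mybank.com. This is an added example, not code from the original article; the response structure and the names and addresses in it are constructed (a real resolver would parse them from the wire format).

```python
"""Accept DNS response records into a cache only when they are in bailiwick.

Added example, not code from the original article. The response layout and
the names/addresses below are constructed; a real resolver parses them from
the DNS wire format. The rule shown is the standard bailiwick check that
stops a server answering for one zone from planting records for another.
"""


def in_bailiwick(record_name, zone):
    """True if record_name is the zone itself or a subdomain of it."""
    rn = record_name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return rn == z or rn.endswith("." + z)


def accept_into_cache(cache, queried_zone, response):
    """Merge trusted records from response into cache; return rejected names.

    response: {"answer": [(name, type, value)], "additional": [(name, type, value)]}
    queried_zone: the zone the contacted server was asked about / serves.
    """
    rejected = []
    for section in ("answer", "additional"):
        for name, rtype, value in response.get(section, []):
            if not in_bailiwick(name, queried_zone):
                rejected.append(name)        # out of bailiwick: never trust it
                continue
            cache[(name.lower().rstrip("."), rtype)] = value
    return rejected


# Constructed response from a server that serves rogue.example but tries to
# ride along an address for www.mybank.com in the additional section.
POISON_ATTEMPT = {
    "answer": [("www.rogue.example", "A", "203.0.113.10")],
    "additional": [("www.mybank.com", "A", "203.0.113.10")],
}

# Constructed legitimate response: glue for a name server inside the zone.
LEGIT_RESPONSE = {
    "answer": [("www.mybank.com", "A", "198.51.100.20")],
    "additional": [("ns1.mybank.com", "A", "198.51.100.53")],
}


if __name__ == "__main__":
    cache = {}
    print("rejected:", accept_into_cache(cache, "rogue.example", POISON_ATTEMPT))
    print("rejected:", accept_into_cache(cache, "mybank.com", LEGIT_RESPONSE))
    print(cache)
```

The check is cheap and purely local to the resolver, which is why every modern resolver applies it; it does not by itself stop a spoofed answer for the zone actually being queried, so it is combined with source-port and transaction-ID randomization, and with DNSSEC validation where the zone is signed.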
 
DNS hijacking: Modifies DNS record settings to point to a rogue DNS server or domain. The user tries to access a legitimate website, www.mybank.com, and is redirected to a bogus site controlled by hackers that looks a lot like the real thing. The hackers acquire usernames, passwords and credit card information.
 
Attacks on DNS are an extremely popular choice for attackers owing to the inherent nature of DNS, which requires back-and-forth communication between clients and servers. In December 2015 there was a large DDoS attack against the DNS servers responsible for the Turkish domain ".tr", and the more recent DDoS attack in October 2016 on Dyn, one of the largest ever against a DNS provider, showed how crippled the Internet can become under such attacks. The Dyn DDoS attack is believed to have been a combination of the two types of attacks, DNS-specific and network-layer.
 
Authored By - Shefali Singh
TCS Enterprise Security and Risk Management