DNS Attack Type

Trevor Chandler

Well-known member
Jul 4, 2020
163
166
16,766
Hello CINners,

A little something for you DNS aficionados! Ever since I had my first read of "DNS and BIND",
almost 20 years ago, I've been intrigued about this service! Of course, when I had that first read,
security didn't have nearly the concern that it does today. Well, it's a new day!!! Okay, that's
enough reminiscing. On with the show -)

DNS (Domain Name System) attacks exploit vulnerabilities in the DNS infrastructure, which translates domain names (like example.com) into IP addresses. These attacks aim to disrupt, intercept, or redirect user traffic. Here are the main types of DNS attacks:

1. DNS Spoofing (Cache Poisoning)​

  • Description: Attacker injects false DNS records into a resolver's cache, redirecting users to malicious sites.
  • Impact: Users are tricked into visiting fraudulent websites, often leading to phishing or malware distribution.

2. DNS Amplification Attack​

  • Description: A type of DDoS (Distributed Denial of Service) attack that leverages open DNS resolvers to overwhelm a target with large amounts of traffic.
  • Impact: The target's servers are rendered unavailable due to excessive traffic.

3. DNS Tunneling​

  • Description: Encodes non-DNS traffic (e.g., HTTP) into DNS queries, often used for data exfiltration or command-and-control (C2) communication.
  • Impact: Sensitive data can be stolen or malicious actions executed covertly.

4. Domain Hijacking​

  • Description: An attacker gains unauthorized control over a domain by compromising its registrar account or exploiting vulnerabilities.
  • Impact: The domain can be redirected, defaced, or taken offline.

5. DNS Reflection Attack​

  • Description: Similar to amplification attacks, but it uses spoofed requests to make the DNS server send responses to the victim's IP address.
  • Impact: Overwhelms the victim's server, causing service disruptions.

6. NXDOMAIN Attack​

  • Description: Overwhelms DNS resolvers by sending a high volume of queries for non-existent domains.
  • Impact: Depletes server resources, causing legitimate requests to fail.

7. DNS Flood Attack​

  • Description: Inundates a DNS server with a high volume of queries to exhaust its resources.
  • Impact: Causes the DNS server to crash or become unresponsive.

8. Man-in-the-Middle (MitM) Attack​

  • Description: An attacker intercepts and manipulates DNS traffic between the user and the resolver.
  • Impact: Users are redirected to malicious sites, potentially leading to credential theft or malware infections.

9. Registrar Hijacking​

  • Description: Attackers compromise a domain registrar's system to alter DNS records or transfer domain ownership.
  • Impact: Entire domains can be taken over or redirected.

10. DNS Typosquatting​

  • Description: Registering domains that resemble legitimate ones (e.g., googgle.com instead of google.com) to exploit user typos.
  • Impact: Users can be redirected to phishing sites or exposed to ads/malware.

11. Fast Flux DNS​

  • Description: Frequently changing IP addresses in DNS records to avoid detection and takedown.
  • Impact: Used for botnets, phishing, and other malicious activities.

Mitigation Strategies:​

  • DNSSEC (Domain Name System Security Extensions): Adds cryptographic signatures to DNS records.
  • Rate Limiting: Limits the number of queries a DNS server can process per client.
  • Monitoring and Logging: Tracks DNS activity for anomalies.
  • Firewalls and Access Control: Blocks malicious traffic and restricts open resolvers.
  • Patch Management: Keeps DNS server software up-to-date. I know you CINners are on top of this one!!!!
 
Hello CINners,

A little something for you DNS aficionados! Ever since I had my first read of "DNS and BIND",
almost 20 years ago, I've been intrigued about this service! Of course, when I had that first read,
security didn't have nearly the concern that it does today. Well, it's a new day!!! Okay, that's
enough reminiscing. On with the show -)

DNS (Domain Name System) attacks exploit vulnerabilities in the DNS infrastructure, which translates domain names (like example.com) into IP addresses. These attacks aim to disrupt, intercept, or redirect user traffic. Here are the main types of DNS attacks:

1. DNS Spoofing (Cache Poisoning)​

  • Description: Attacker injects false DNS records into a resolver's cache, redirecting users to malicious sites.
  • Impact: Users are tricked into visiting fraudulent websites, often leading to phishing or malware distribution.

2. DNS Amplification Attack​

  • Description: A type of DDoS (Distributed Denial of Service) attack that leverages open DNS resolvers to overwhelm a target with large amounts of traffic.
  • Impact: The target's servers are rendered unavailable due to excessive traffic.

3. DNS Tunneling​

  • Description: Encodes non-DNS traffic (e.g., HTTP) into DNS queries, often used for data exfiltration or command-and-control (C2) communication.
  • Impact: Sensitive data can be stolen or malicious actions executed covertly.

4. Domain Hijacking​

  • Description: An attacker gains unauthorized control over a domain by compromising its registrar account or exploiting vulnerabilities.
  • Impact: The domain can be redirected, defaced, or taken offline.

5. DNS Reflection Attack​

  • Description: Similar to amplification attacks, but it uses spoofed requests to make the DNS server send responses to the victim's IP address.
  • Impact: Overwhelms the victim's server, causing service disruptions.

6. NXDOMAIN Attack​

  • Description: Overwhelms DNS resolvers by sending a high volume of queries for non-existent domains.
  • Impact: Depletes server resources, causing legitimate requests to fail.

7. DNS Flood Attack​

  • Description: Inundates a DNS server with a high volume of queries to exhaust its resources.
  • Impact: Causes the DNS server to crash or become unresponsive.

8. Man-in-the-Middle (MitM) Attack​

  • Description: An attacker intercepts and manipulates DNS traffic between the user and the resolver.
  • Impact: Users are redirected to malicious sites, potentially leading to credential theft or malware infections.

9. Registrar Hijacking​

  • Description: Attackers compromise a domain registrar's system to alter DNS records or transfer domain ownership.
  • Impact: Entire domains can be taken over or redirected.

10. DNS Typosquatting​

  • Description: Registering domains that resemble legitimate ones (e.g., googgle.com instead of google.com) to exploit user typos.
  • Impact: Users can be redirected to phishing sites or exposed to ads/malware.

11. Fast Flux DNS​

  • Description: Frequently changing IP addresses in DNS records to avoid detection and takedown.
  • Impact: Used for botnets, phishing, and other malicious activities.

Mitigation Strategies:​

  • DNSSEC (Domain Name System Security Extensions): Adds cryptographic signatures to DNS records.
  • Rate Limiting: Limits the number of queries a DNS server can process per client.
  • Monitoring and Logging: Tracks DNS activity for anomalies.
  • Firewalls and Access Control: Blocks malicious traffic and restricts open resolvers.
  • Patch Management: Keeps DNS server software up-to-date. I know you CINners are on top of this one!!!!
DNS: Where even a simple typo can lead you down a rabbit hole... or to a sketchy 'Googgle.com'!
 
So, just yesterday, I spent some time standing up a brand new domain for our school. Not something we do every day, but how many of you are still running with scissors and not putting in those very necessary DMARC, DKIM, and SPF entries into your DNS zone file?

It was funny though, I had only sent THREE emails on the freshly built domain and Spam Email Monkey already blacklisted my domain, just because it's new. Sheesh..a guy can't cut a break around here.

Anyway...that's my 2 cents.
 
  • Wow
Reactions: Trevor Chandler
A good one Trevor, thanks for putting this out here
Thanks Ethical for stopping by!
So, just yesterday, I spent some time standing up a brand new domain for our school. Not something we do every day, but how many of you are still running with scissors and not putting in those very necessary DMARC, DKIM, and SPF entries into your DNS zone file?

It was funny though, I had only sent THREE emails on the freshly built domain and Spam Email Monkey already blacklisted my domain, just because it's new. Sheesh..a guy can't cut a break around here.

Anyway...that's my 2 cents
So, just yesterday, I spent some time standing up a brand new domain for our school. Not something we do every day, but how many of you are still running with scissors and not putting in those very necessary DMARC, DKIM, and SPF entries into your DNS zone file?

It was funny though, I had only sent THREE emails on the freshly built domain and Spam Email Monkey already blacklisted my domain, just because it's new. Sheesh..a guy can't cut a break around here.

Anyway...that's my 2 cents.
So, you think it was just because your domain was new? Are you feeling that Spam Email Monkey was picking on you? For be it from me to question whether you setup things properly, but I'm going to run the risk of making that query: Did you setup things properly??????????????????????????????????????
 
So, you think it was just because your domain was new? Are you feeling that Spam Email Monkey was picking on you? For be it from me to question whether you setup things properly, but I'm going to run the risk of making that query: Did you setup things properly???
I did, and I do. SEM monitors for new domains with their FRESH, FRESH10/15/30 blocklists, as it is a tactic for spammers - as you well know. Those lists get auto-delisted after a few days. Some organizations are pretty aggressive with their anti-spam policies, even if you have SPF/DKIM/DMARC in place. Apple iCloud, for example, is a current subject of annoyance for me, as Apple generally is.
 
I did, and I do. SEM monitors for new domains with their FRESH, FRESH10/15/30 blocklists, as it is a tactic for spammers - as you well know. Those lists get auto-delisted after a few days. Some organizations are pretty aggressive with their anti-spam policies, even if you have SPF/DKIM/DMARC in place. Apple iCloud, for example, is a current subject of annoyance for me, as Apple generally is.
Mr. Butler, may I learn the name of the domain registrar that you used, please? Something about this episode ain't passing my smell test!!!