Common DNS Security Issues
The Domain Name System (DNS) is a critical component of the Internet. Its role is to convert domain names into the IP addresses used to route network traffic to the intended destination. DNS’s vital role and lack of built-in security by default make it a common target for cybercriminals. Attackers can target DNS with denial-of-service (DoS) attacks to render sites unreachable or exploit DNS security gaps to further their own objectives.
Understanding DNS and Its Security Challenges
The IP addresses that computers use to identify one another are difficult to remember, which is why domain names exist. The role of DNS is to convert between a memorable domain name, like catonetworks.com, and an IP address, like 45.60.110.90.
DNS is one of the foundational protocols of the Internet, developed before security was a pressing concern. For this reason, DNS queries and responses lack encryption and authentication by default. DNS’s important role and lack of encryption and authentication make it a prime target for attackers. Since the entire Internet uses and trusts DNS, an attack exploiting it can have significant repercussions.
Common DNS Security Threats
Attacks on DNS are a common network security threat due to its vital role and weak security. Some of the most common security threats associated with DNS include the following:
DNS Cache Poisoning
DNS resolvers cache frequently accessed DNS records to improve speed and reduce load on authoritative DNS servers. In a DNS cache poisoning attack, the attacker takes advantage of the lack of DNS encryption and authentication to inject fake DNS entries into a resolver’s cache. As a result, users requesting these DNS records will receive an IP address specified by the attacker, redirecting them to a malicious site.
DNS Spoofing
DNS spoofing is a broad category of DNS attacks that includes DNS cache poisoning. In a DNS spoofing attack, the attacker impersonates a DNS server and changes DNS records with the intent of redirecting traffic.
DNS Hijacking
DNS hijacking is a general class of attacks that involves redirecting users to a malicious site by changing how DNS queries are resolved. Spoofing and cache poisoning are specific types of hijacking attacks, but an attacker can also manipulate DNS resolutions via malware, compromised routers, and other means.
DNS Amplification Attacks
DNS amplification attacks are a type of DoS attack that takes advantage of open DNS resolvers and the fact that DNS responses are (often significantly) larger than the associated query. In a DNS amplification attack, the attacker sends a DNS query to an open resolver with the source IP address set to that of the target. This causes the resolver to send the response to the intended target, who receives much more data than the attacker sent out. With many open resolvers and DNS records with much larger responses than requests, an attacker can launch a large-scale DoS attack while using only a fraction of the bandwidth of the target system.
Dangling DNS Records
Dangling DNS records exist when an organization creates a DNS record that points to a resource (such as a cloud-hosted service) and later decommissions that resource without removing the record. An attacker may be able to take over the associated IP address or fully qualified domain name (FQDN), potentially by claiming it with a cloud provider after the target releases it. If so, traffic to the subdomain listed in the DNS entry will be redirected to the attacker’s site.
Domain Shadowing
In domain shadowing, an attacker who has compromised a legitimate root domain creates malicious subdomains under it. By doing so, the attacker creates a hard-to-detect subdomain that takes advantage of the reputation of the legitimate root domain. This subdomain can then be used in phishing attacks or as malware command and control (C2) infrastructure with a reduced risk of detection or being blocked by an organization.
NXDOMAIN Attacks (Phantom Domain Attacks)
NXDOMAIN attacks are a type of DoS attack designed to bypass caching to overwhelm a DNS server. The attacker makes a series of requests for non-existent subdomains, which won’t exist in a resolver’s cache. As a result, each query is passed on to the origin (authoritative) server for resolution, consuming resources and degrading the server’s ability to respond to legitimate requests.
Malicious DNS Resolvers
DNS resolvers play a critical role in receiving user DNS queries, performing follow-up queries to DNS servers, and returning a result. A malicious DNS resolver may monitor a user’s DNS requests and provide incorrect information that sends users to phishing pages. Users may be sent to a malicious DNS resolver via DHCP poisoning or malware.
DNS Rebinding
In a DNS rebinding attack, an attacker-controlled DNS server initially responds to a DNS request with the IP address of a site serving malicious code but specifies a very short time-to-live (TTL) value. When the TTL expires, the user’s browser makes another request, which the malicious DNS server answers with the IP address of an internal resource. As a result, the domain may be considered part of the internal network, allowing the malicious code to bypass the same-origin policy (SOP) and access internal resources.
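One resolver-side mitigation for the rebinding pattern just described is to refuse answers that map an external name to an internal address and to enforce a minimum TTL so a browser cannot be re-pointed seconds later. The following Python is an added example, not code from the article or from Cato Networks; the internal zone name, the blocked ranges and the TTL floor are assumed policy values.

```python
import ipaddress
from dataclasses import dataclass, replace

# Assumed: the organization's own internal namespace, which legitimately
# resolves to private addresses. Everything else is treated as external.
INTERNAL_ZONES = ("corp.example.",)

# Address ranges an external name should never resolve to (loopback, RFC 1918,
# link-local, unique-local IPv6 and "this network").
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

MIN_TTL = 60  # assumed floor applied to kept answers, in seconds


@dataclass
class Answer:
    name: str    # owner name, fully qualified with trailing dot
    rtype: str   # "A" or "AAAA"
    ttl: int
    data: str    # address in text form


def _in_internal_zone(name):
    n = name.lower()
    return any(n == z or n.endswith("." + z) for z in INTERNAL_ZONES)


def is_rebind_attempt(answer):
    """True if an A/AAAA record maps an external name to an internal address."""
    if answer.rtype not in ("A", "AAAA") or _in_internal_zone(answer.name):
        return False
    addr = ipaddress.ip_address(answer.data)
    # IPv4-mapped IPv6 (::ffff:10.0.0.1) must be checked as the IPv4 it wraps.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def filter_answers(answers):
    """Drop rebinding answers and raise short TTLs; return (kept, dropped)."""
    kept, dropped = [], []
    for a in answers:
        if is_rebind_attempt(a):
            dropped.append(a)
        else:
            kept.append(replace(a, ttl=max(a.ttl, MIN_TTL)))
    return kept, dropped
```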
Typosquatting and Homograph Attacks
Typosquatting and homograph attacks involve creating malicious domains that closely resemble legitimate ones. If a user mistypes a URL or clicks on a link in a phishing email, they will be directed to an attacker-controlled website. Often, this is used for credential harvesting if the user enters their credentials into the phishing site.
Best Practices for DNS Security
Some network security best practices for protecting against common DNS threats include:
- Implement DNSSEC: DNS Security Extensions (DNSSEC) add cryptographic signatures to DNS records so that resolvers can verify responses are authentic and unmodified. Enabling it on an organization’s domain(s) helps to prevent them from being used in DNS attacks.
- Monitor DNS Traffic: Many DNS attacks involve unusual DNS queries and responses. Monitoring DNS traffic for anomalies can help detect potential attacks.
- Log DNS Requests: DNS requests provide a record of sites visited and domains contacted by a computer. Logging this can be invaluable for forensic investigation of a phishing attack, malware infection, or other security incident.
- Use Reputable DNS Services: Organizations can select the DNS provider used to resolve their requests. Choosing a well-known DNS server reduces the potential risk of malicious redirection or espionage.
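As an added example of what the "Monitor DNS Traffic" and "Log DNS Requests" practices make possible (this is not code from the article or from Cato Networks), the Python below applies a detection rule for the NXDOMAIN/phantom domain pattern described earlier: it reads resolver log lines and flags clients whose queries are mostly NXDOMAIN responses for many distinct names under a single zone. The log format, client addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log lines (not real traffic): timestamp, client IP,
# queried name, response code. 203.0.113.9 hammers random non-existent
# subdomains of one zone; 198.51.100.7 is ordinary traffic with one typo.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 q=www.example.com rcode=NOERROR
2024-05-01T10:00:02Z 198.51.100.7 q=mail.example.com rcode=NOERROR
2024-05-01T10:00:03Z 203.0.113.9 q=k3j2h4.example.com rcode=NXDOMAIN
2024-05-01T10:00:03Z 203.0.113.9 q=x9z1q0.example.com rcode=NXDOMAIN
2024-05-01T10:00:03Z 203.0.113.9 q=p0o9i8.example.com rcode=NXDOMAIN
2024-05-01T10:00:04Z 203.0.113.9 q=www.example.com rcode=NOERROR
2024-05-01T10:00:04Z 203.0.113.9 q=m5n4b3.example.com rcode=NXDOMAIN
2024-05-01T10:00:04Z 203.0.113.9 q=v7c6x5.example.com rcode=NXDOMAIN
2024-05-01T10:00:05Z 203.0.113.9 q=z2a1s0.example.com rcode=NXDOMAIN
2024-05-01T10:00:05Z 198.51.100.7 q=www.exmaple.com rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"^\S+ (?P<client>\S+) q=(?P<name>\S+) rcode=(?P<rcode>\S+)$")


def parent_zone(name, labels=2):
    """Collapse a query name to its last `labels` labels (assumed zone depth)."""
    return ".".join(name.rstrip(".").lower().split(".")[-labels:])


def summarize(log_text):
    """Per-client totals, NXDOMAIN counts and distinct NXDOMAIN names per zone."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": defaultdict(set)})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        s = stats[m["client"]]
        s["total"] += 1
        if m["rcode"] == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"][parent_zone(m["name"])].add(m["name"].lower())
    return stats


def find_phantom_domain_clients(log_text, min_nx=5, min_ratio=0.5, min_unique=5):
    """Return (client, zone, distinct_nx_names) for clients matching the pattern."""
    alerts = []
    for client, s in summarize(log_text).items():
        if s["nx"] < min_nx or s["nx"] / s["total"] < min_ratio:
            continue
        for zone, names in s["nx_names"].items():
            if len(names) >= min_unique:
                alerts.append((client, zone, len(names)))
    return alerts
```

The thresholds are deliberately conservative so a handful of typos from a normal client never trips the rule; tune them against your own baseline NXDOMAIN rate.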
Integrating DNS Security into a SASE Framework
A Secure Access Service Edge (SASE) framework integrates various security and networking features into a single solution. Using a SASE platform that offers DNS as a Service (DaaS) can help to protect an organization against various threats. With DNS built into the organization’s SASE platform, the company is protected against malicious DNS servers and can perform DNS filtering to identify and block traffic to known malicious domains.
FAQs about Common DNS Security Issues
What is DNS cache poisoning?
DNS cache poisoning introduces malicious DNS entries into a DNS resolver’s cache. As a result, users requesting that domain will be redirected to an attacker-controlled site for credential harvesting or malware distribution.
How does DNS tunneling pose a security risk?
DNS tunneling allows an attacker to conceal their communications within DNS queries and responses. This increases the difficulty for an organization to identify data exfiltration or malware command and control (C2) messages.
What are dangling DNS records?
Dangling DNS records exist when an organization has decommissioned a cloud asset but not the associated DNS record. An attacker who claims the IP address or fully qualified domain name (FQDN) associated with this record can have all traffic intended for that subdomain redirected to a malicious site.
How can integrating DNS security into a SASE framework benefit organizations?
Integrating DNS into a SASE framework protects against malicious DNS servers and provides visibility into DNS traffic. As a result, an organization can more easily block traffic to known-bad domains and enforce corporate security policies.
Why DNS Security Needs to Be Part of Your SASE Strategy
DNS is a vital part of the Internet, but it wasn’t designed to be secure. As a result, attackers exploit DNS in various ways to further their attack campaigns. Building DNS into a SASE architecture enables an organization to implement strong DNS security and policy enforcement as part of a holistic, converged security architecture. This enhances security visibility, simplifies policy enforcement, and improves threat detection and response.
See how Cato Networks delivers DNS-layer threat protection as part of a complete SASE strategy. Book a demo today to explore unified DNS visibility, policy enforcement, and threat prevention.