Domain Name System (DNS) attacks are common, and every year many websites and online services fall victim to them, losing availability or having their visitors redirected.

To defend a network against this category of attack, it is important to understand the main types of DNS attacks and the mitigations that work against each of them.

What Is DNS?

The Domain Name System (DNS) is the hierarchical naming system that internet devices use to locate online resources. Every host reachable on the internet has an Internet Protocol (IP) address, but IP addresses are strings of numbers (or, for IPv6, hexadecimal groups) that people find hard to remember, so DNS translates a human-readable name into the address behind it.

DNS infrastructure has two main components: authoritative servers, which hold the zone data (the records that map names to addresses and other information), and recursive resolvers, which look up answers on behalf of clients by querying authoritative servers and caching what they return.

DNS attacks can be leveraged against either one.

Types of DNS Attacks

Attackers typically use a variety of techniques to disrupt DNS functionality. The following is an outline of some of the most common methods.

1. DNS Floods


A DNS flood is a Distributed Denial of Service (DDoS) attack aimed at DNS servers; its goal is to make the domains those servers handle unreachable.

Attackers use DNS floods to inundate recursive or authoritative servers with a high volume of illegitimate queries, exhausting the capacity they have left for legitimate ones.

The traffic typically comes from many locations, devices and IP addresses, which makes it difficult to distinguish normal queries from generated ones.

Botnets of thousands of compromised IoT devices and computers are usually harnessed for this, and the source IP addresses of their queries may be spoofed as well.


Mitigation Measures

There are several ways to mitigate a DNS flood. The first is filtering at the network edge: validate source addresses on ingress and deploy anomaly-based detection (increasingly machine-learning based) that can recognize abnormal query patterns and block the sources producing them.

If the attack is severe and such filtering is not in place, disabling recursion on servers that do not need to provide it (authoritative-only servers in particular) stops them from relaying the attacker's queries any further.

Restricting recursive service to authorized clients, for example with an allow-recursion access list, is another control. On authoritative servers, a conservatively tuned Response Rate Limiting (RRL) configuration (a low responses-per-second ceiling) caps how many identical responses are sent toward the same client network each second.

2. DNS Cache Poisoning


DNS cache poisoning (also called DNS spoofing) is the insertion of forged records into a resolver's cache so that clients are redirected away from legitimate servers. The forgery happens between servers: a response that appears to come from the authoritative server is accepted and cached by the resolver.

An attacker could, for example, poison the cached record for Instagram's domain so that it resolves to Twitter's IP address. In most cases, though, the redirects lead visitors to sites controlled by the attacker, where credentials are phished, malware is served, or browser-side attacks such as XSS are launched.

The attack scales when a large shared resolver is poisoned, such as one operated by an Internet Service Provider: every customer using that resolver receives the forged answer for as long as it stays cached, up to the record's TTL. Home routers that forward to the poisoned resolver pass the bad answers on to every device behind them.

Mitigation Measures

To prevent these attacks, resolvers should accept only responses that match an outstanding query (same transaction ID, source port and question) and should discard records that fall outside the bailiwick of the server that sent them. Recursion should be offered only to the network's own clients, so that an outside attacker cannot trigger lookups at will and race them with forged answers.

Running a current BIND release also helps. Modern resolvers randomize the UDP source port of every query in addition to the 16-bit transaction ID, which makes forged responses far harder to guess, and they support DNSSEC validation and TSIG-signed transactions, which let the resolver verify answers cryptographically and reject forgeries regardless of how many guesses the attacker sends.

Lastly, minimize what a server discloses per query: return only the records needed to answer the question, and give minimal answers to ANY queries (RFC 8482 describes the standard minimal ANY response; in BIND this is the minimal-any option). A full ANY answer returns every record type at the queried name, MX, A, AAAA, TXT and more, which costs resources to assemble and, when the query's source address is spoofed, makes each response far larger than the query that triggered it.
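The port-randomization point above is easier to appreciate with numbers. The following is an added example (it is not code from the original article or from any resolver): a toy caching resolver that accepts the first response matching its outstanding query, raced by an off-path attacker who floods forged answers with guessed transaction IDs and, when the port is randomized, guessed source ports too. The names, addresses, port range and counts are assumptions for the demo; real resolvers also check the question section and bailiwick, which are left out so the race itself is visible.

```python
"""Why transaction-ID plus source-port randomization blunts cache poisoning.

Added example, not from the original article or any resolver's code. It
models an off-path poisoning race: a resolver sends a query upstream and an
attacker floods forged responses, hoping to match the 16-bit transaction ID
(and, when randomized, the UDP source port) before the genuine answer arrives.
Names and addresses are assumed for the demo.
"""
import random

TXID_SPACE = 1 << 16                 # 16-bit DNS transaction ID
PORT_LOW, PORT_HIGH = 1024, 65536    # assumed ephemeral port range
PORT_SPACE = PORT_HIGH - PORT_LOW
FIXED_PORT = 53                      # a legacy resolver queries from one well-known port


def forgery_success_probability(forgeries, randomize_port):
    """Chance that one race is won if the attacker sends `forgeries` distinct guesses."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return min(forgeries, space) / space


class Resolver:
    """Minimal caching resolver: the first response that matches the outstanding
    (txid, port) for a name is accepted and cached. Question-section and
    bailiwick checks of real resolvers are deliberately omitted."""

    def __init__(self, randomize_port, rng):
        self.randomize_port = randomize_port
        self.rng = rng
        self.cache = {}
        self.outstanding = {}

    def send_query(self, qname):
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else FIXED_PORT
        self.outstanding[qname] = (txid, port)

    def receive_response(self, qname, txid, port, rdata):
        if self.outstanding.get(qname) != (txid, port):
            return False             # no matching query: silently discarded
        del self.outstanding[qname]
        self.cache[qname] = rdata
        return True


def run_race(resolver, attacker_rng, forgeries, qname,
             genuine="192.0.2.10", forged="198.51.100.66"):
    """One poisoning attempt. Returns True if the forged answer ended up cached."""
    resolver.send_query(qname)
    for _ in range(forgeries):
        txid = attacker_rng.randrange(TXID_SPACE)
        # With a fixed source port the attacker simply knows it; otherwise it must be guessed too.
        port = attacker_rng.randrange(PORT_LOW, PORT_HIGH) if resolver.randomize_port else FIXED_PORT
        if resolver.receive_response(qname, txid, port, forged):
            return True
    txid, port = resolver.outstanding[qname]     # the genuine answer arrives last
    resolver.receive_response(qname, txid, port, genuine)
    return resolver.cache[qname] == forged


def poisoned_races(randomize_port, races=2000, forgeries=500, seed=1):
    """Count how many of `races` independent lookups end up with the forged record."""
    resolver = Resolver(randomize_port, random.Random(seed))
    attacker = random.Random(seed + 1)
    return sum(run_race(resolver, attacker, forgeries, f"host{i}.example.test")
               for i in range(races))


if __name__ == "__main__":
    for randomize in (False, True):
        print(f"port randomization={randomize}: poisoned {poisoned_races(randomize)} of 2000 races; "
              f"per-race probability {forgery_success_probability(500, randomize):.2e}")
```

With 500 forgeries per lookup, a fixed-port resolver loses roughly one race in 130, so a few thousand lookups reliably yield a poisoned cache; adding a random port from a range of about 64,000 divides that probability by the size of the range, which is why the simulation with randomization typically records no poisoned race at all. DNSSEC validation removes the guessing game entirely rather than just enlarging it.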

3. Distributed Reflection Denial of Service (DRDoS) Attacks


Distributed reflective denial of service (DRDoS) attacks use DNS servers as reflectors: the attacker sends a huge volume of User Datagram Protocol (UDP) queries whose source address is forged to be the victim's, so that the servers' responses flood the victim instead of the attacker.

The queries are usually sent from compromised endpoints. UDP is favored because it is connectionless: there is no handshake that would prove the source address is genuine, so spoofing it is trivial, and the same query can be repeated as fast as the link allows. Choosing queries with large answers (ANY queries, or names in DNSSEC-signed zones) makes each small request produce a much larger response, which amplifies the attack.

The reflecting resolvers answer what look like legitimate queries, so the victim receives a stream of unsolicited responses many times larger than the traffic the attacker generated. Open resolvers that answer anyone also carry a heavy load themselves while they are being abused.

Mitigation Measures

DRDoS attacks are a form of DDoS, and the first defense is ingress filtering at the network edge (BCP 38) so that packets with spoofed source addresses never leave the networks they originate from. Because the reflection goes through resolvers, configuring them to answer recursive queries only from the networks they serve removes most of the reflectors an attacker could use.

In practice this means disabling open recursion. An open resolver accepts recursive queries from any IP address, which makes it usable as a reflector by anyone on the internet.

Response Rate Limiting (RRL) on authoritative servers also reduces DRDoS. The server counts identical responses sent toward the same client network and, above a configured per-second ceiling, drops some of them or replies with a small truncated (TC=1) response; a genuine client retries over TCP, while a spoofed victim simply ignores the tiny reply, so the amplification disappears.
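The RRL mechanism referred to here and in the DNS flood section above, as an added example that is not code from the original article or from any DNS server: responses are bucketed per client /24, name, type and rcode in one-second windows, the first ten per window are sent, and the excess is dropped except that every second withheld response "slips" into a truncated reply. The limiter and the constructed traffic sample (a spoofed victim address receiving 60 identical ANY responses alongside two real clients) are assumptions for the demo.

```python
"""Simplified Response Rate Limiting (RRL) for an authoritative server.

Added example, not from the original article or from any DNS server's
source. Responses are counted per (client network, name, type, rcode) in
one-second windows; beyond the configured limit the server drops the
response or, on every `slip`-th occasion, sends a small truncated (TC=1)
reply that a genuine client retries over TCP and a spoofed victim ignores.
Addresses and names are constructed for the demo.
"""
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=10, slip=2, prefix_len=24, window=1):
        self.responses_per_second = responses_per_second
        self.slip = slip                 # 0 disables slipping (pure drop)
        self.prefix_len = prefix_len     # IPv4 clients are accounted per /24
        self.window = window             # seconds per accounting window
        self._sent = defaultdict(int)    # responses already sent for a key in its window
        self._excess = defaultdict(int)  # responses withheld for a key in its window

    def _key(self, client_ip, qname, qtype, rcode, now):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        # The window number is part of the key, so old buckets simply stop being
        # used; a real implementation would expire them rather than keep them.
        return (str(net), qname.lower(), qtype.upper(), rcode, int(now) // self.window)

    def decide(self, client_ip, qname, qtype, rcode, now):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        key = self._key(client_ip, qname, qtype, rcode, now)
        if self._sent[key] < self.responses_per_second:
            self._sent[key] += 1
            return "send"
        self._excess[key] += 1
        if self.slip and self._excess[key] % self.slip == 0:
            return "slip"
        return "drop"


def simulate_reflection_second(rrl):
    """Constructed one-second sample: a spoofed victim address 'asks' 60 times for
    the same large ANY answer while two real clients make a few normal queries."""
    stream = [("203.0.113.9", "example.test", "ANY", "NOERROR", i * 0.015) for i in range(60)]
    stream += [("192.0.2.10", "www.example.test", "A", "NOERROR", 0.2 + i * 0.1) for i in range(3)]
    stream += [("192.0.2.77", "mail.example.test", "MX", "NOERROR", 0.5 + i * 0.1) for i in range(2)]
    outcome = defaultdict(lambda: {"send": 0, "slip": 0, "drop": 0})
    for client, qname, qtype, rcode, t in sorted(stream, key=lambda r: r[4]):
        outcome[client][rrl.decide(client, qname, qtype, rcode, t)] += 1
    return dict(outcome)


if __name__ == "__main__":
    for client, counts in simulate_reflection_second(ResponseRateLimiter()).items():
        print(client, counts)
```

The victim's address gets 10 full responses, 25 truncated ones and 25 nothing, while the real clients are untouched because their (network, name, type) buckets never fill. The per-/24 accounting is what lets RRL work against a spoofed source without any knowledge of which addresses are real; its weakness is that a real client sharing a /24 with a spoofed victim can be slowed too, which is why the slip-to-TCP path exists.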

4. NXDOMAIN Attacks


In an NXDOMAIN attack, the targeted server is flooded with queries for names that do not exist. Recursive resolvers (sometimes called DNS proxies) are the usual target; their job is to query the authoritative servers for whatever name a client asks about.

Each invalid query occupies the resolver and the authoritative servers until an NXDOMAIN (non-existent domain) response comes back, and because the attacker typically generates random subdomains, none of those answers can be served from cache. The backlog raises latency and eventually degrades the whole DNS service.

Mitigation Measures

NXDOMAIN attacks are mitigated by making better use of the resolver's cache: retaining valid answers longer and honoring negative caching (RFC 2308), so that repeated queries for the same existing or non-existent names are answered from cache without another round trip to the authoritative server. Legitimate queries for known names are then still served during an attack, even while the resolver's upstream capacity is being consumed.

Source addresses and target domains suspected of taking part in the attack can also be blocked or rate-limited per client, which frees up resources.
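Blocking suspect sources presupposes spotting them. The following added example (not from the original article) covers both this section and the DNS flood section above: it reads a constructed, simplified resolver log ("<unix time> <client> <qname> <qtype> <rcode>", an assumed format rather than any product's native one), builds a per-client profile, and flags clients whose query rate is abnormal or whose answers are mostly NXDOMAIN for mostly unique names, the signature of a random-subdomain attack. The sample lines, thresholds and addresses (documentation ranges) are constructed for the demo.

```python
"""Spotting DNS floods and NXDOMAIN (random-subdomain) sources in resolver logs.

Added example, not from the original article. The log format
"<unix time> <client> <qname> <qtype> <rcode>" is an assumed simplification,
and the sample lines are constructed: one random-subdomain attacker, one plain
flood source and one normal client.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)


def parse_line(line):
    """Return (ts, client, qname, qtype, rcode), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (float(m["ts"]), m["client"], m["qname"].lower(), m["qtype"], m["rcode"])


def profile_clients(lines):
    """Aggregate the per-client counters the two checks need."""
    prof = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set(),
                                "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _qtype, rcode = rec
        p = prof[client]
        p["queries"] += 1
        if rcode == "NXDOMAIN":
            p["nxdomain"] += 1
        p["names"].add(qname)
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
    return prof


def flag_clients(lines, min_queries=20, max_qps=25.0, nx_ratio=0.8, unique_ratio=0.9):
    """Return {client: [reasons]} for clients that look like flood or NXDOMAIN sources."""
    flagged = {}
    for client, p in profile_clients(lines).items():
        if p["queries"] < min_queries:
            continue                      # too little data to judge; spares normal clients
        reasons = []
        span = max(p["last"] - p["first"], 1.0)   # never divide by a sub-second span
        if p["queries"] / span > max_qps:
            reasons.append("query_rate")
        # Random-subdomain attacks produce NXDOMAIN for names that are almost never repeated.
        if (p["nxdomain"] / p["queries"] >= nx_ratio
                and len(p["names"]) >= unique_ratio * p["queries"]):
            reasons.append("nxdomain_ratio")
        if reasons:
            flagged[client] = reasons
    return flagged


def constructed_sample_log():
    """Constructed sample log (not real traffic)."""
    lines = []
    base = 1700000100.0
    for i in range(40):            # 40 unique bogus labels in under a second
        label = f"{(i * 7919) % 0xFFFFFF:06x}"
        lines.append(f"{base + i * 0.025:.3f} 198.51.100.23 {label}.example.test A NXDOMAIN")
    for i in range(60):            # 60 identical queries in under a second
        lines.append(f"{base + i * 0.016:.3f} 203.0.113.5 www.example.test A NOERROR")
    normal = ["www.example.test A NOERROR", "mail.example.test MX NOERROR",
              "wwww.example.test A NXDOMAIN", "example.test AAAA NOERROR",
              "ns1.example.test A NOERROR"]
    for i, q in enumerate(normal):  # a real user, one typo, spread over half a minute
        lines.append(f"{base - 30 + i * 7:.3f} 192.0.2.10 {q}")
    return lines


if __name__ == "__main__":
    for client, reasons in flag_clients(constructed_sample_log()).items():
        print(client, reasons)
```

The two checks are deliberately independent: a flood of valid names trips only the rate check, a slow trickle of random names would trip only the NXDOMAIN check once enough queries accumulate, and the normal client with a single typo is never scored at all because it stays under the minimum sample size. In production the per-client profile would be kept over a sliding window and fed to the resolver's per-client rate limits or an edge block list.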

5. Phantom Domain Attacks


In a phantom domain attack, the attacker first sets up a number of domains whose authoritative servers either never answer or answer very slowly. Recursive resolvers are the target.

The resolver is then sent a high volume of queries for names in these phantom domains. Each query holds resources while the resolver waits for the slow or absent answer, and the backlog of pending lookups consumes sockets, memory and worker capacity. Eventually legitimate queries are delayed or time out, and users cannot reach real domains.

Mitigation Measures

To mitigate phantom domain attacks, limit the number of recursive fetches the resolver keeps in flight at any time, both in total and per authoritative server, and further per zone (in BIND these are the recursive-clients, fetches-per-server and fetches-per-zone settings).

Enabling a holddown for servers that have stopped responding also keeps the resolver from being overwhelmed: once the number of consecutive failed attempts to a server reaches a threshold, the resolver stops sending it queries for a period instead of continuing to tie up resources waiting on it.

Adding recursive servers also helps by spreading the load, although it buys headroom rather than removing the attack's leverage.
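How the fetch limit and the holddown interact is easiest to see in a simulation. This is an added example, not code from the original article or from any resolver: time is simulated in milliseconds, an upstream server is modelled only by its answer latency (None for a phantom server that never answers), and the resolver keeps a global in-flight budget, an optional per-server budget and an optional holddown. The scenario, names and limit values are assumptions; the knobs correspond in spirit to BIND's recursive-clients, fetches-per-server and server holddown, not to their exact semantics.

```python
"""Resolver-side limits that defeat phantom-domain attacks: per-server fetch
limits plus a holddown for servers that stop answering.

Added example, not from the original article or any resolver's source.
Time is simulated in milliseconds; an upstream is modelled by its answer
latency, with None meaning a phantom server that never answers. Names and
limit values are assumed for the demo.
"""


class Upstream:
    def __init__(self, name, latency_ms):
        self.name = name
        self.latency_ms = latency_ms    # None = never answers


class Resolver:
    def __init__(self, recursive_clients=20, fetches_per_server=None,
                 timeout_ms=2000, holddown_after=None, holddown_ms=30000):
        self.recursive_clients = recursive_clients    # total in-flight budget
        self.fetches_per_server = fetches_per_server  # per-upstream budget (None = unlimited)
        self.timeout_ms = timeout_ms
        self.holddown_after = holddown_after          # consecutive timeouts before holddown (None = off)
        self.holddown_ms = holddown_ms
        self.inflight = []         # (finish_ms, server_name, answered)
        self.failures = {}         # consecutive timeouts per server
        self.held_until = {}       # server_name -> ms until which it is skipped

    def _retire(self, now):
        """Complete fetches whose answer or timeout is due at `now`."""
        keep = []
        for finish, server, answered in self.inflight:
            if finish > now:
                keep.append((finish, server, answered))
            elif answered:
                self.failures[server] = 0
            else:
                self.failures[server] = self.failures.get(server, 0) + 1
                if self.holddown_after and self.failures[server] >= self.holddown_after:
                    self.held_until[server] = finish + self.holddown_ms
        self.inflight = keep

    def query(self, now, server):
        """Handle one client query that needs a fetch from `server`; return the outcome."""
        self._retire(now)
        name = server.name
        if self.held_until.get(name, -1) > now:
            return "refused-holddown"        # instant SERVFAIL, no fetch slot consumed
        if len(self.inflight) >= self.recursive_clients:
            return "dropped-overload"        # the exhaustion a phantom attack aims for
        per_server = sum(1 for _, s, _ in self.inflight if s == name)
        if self.fetches_per_server is not None and per_server >= self.fetches_per_server:
            return "refused-fetch-limit"
        if server.latency_ms is None or server.latency_ms > self.timeout_ms:
            # The simulation knows the outcome now, but the slot stays busy until the timeout.
            self.inflight.append((now + self.timeout_ms, name, False))
            return "timeout"
        self.inflight.append((now + server.latency_ms, name, True))
        return "answered"


def run_scenario(resolver, steps=300, step_ms=10):
    """Three simulated seconds: a phantom-domain query every 10 ms, a genuine one every 100 ms."""
    phantom = Upstream("ns.phantom.test", None)
    real = Upstream("ns.real.test", 50)
    counts = {"legit": {}, "attack": {}}
    for i in range(steps):
        now = i * step_ms
        if i % 10 == 0:
            o = resolver.query(now, real)
            counts["legit"][o] = counts["legit"].get(o, 0) + 1
        o = resolver.query(now, phantom)
        counts["attack"][o] = counts["attack"].get(o, 0) + 1
    return counts


if __name__ == "__main__":
    print("no limits:", run_scenario(Resolver()))
    print("fetch limit + holddown:", run_scenario(Resolver(fetches_per_server=5, holddown_after=3)))
```

Without limits the phantom queries fill all twenty in-flight slots within 200 ms and legitimate lookups start being dropped until the first timeouts expire two seconds later. With a per-server budget of five the attacker can never hold more than five slots, every genuine query is answered, and once three consecutive timeouts have been observed the holddown makes the resolver refuse phantom lookups outright for thirty seconds instead of waiting on them.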

Stay Safe from DNS Dangers

Every year, attackers find new ways to use DNS to take down critical online infrastructure, and the damage can be enormous.

For individuals and enterprises that depend on their online domains, following best-practice guidance and keeping DNS software current, with the protections described above enabled, will go a long way toward preventing these attacks.