What is DNS, DNS Attacks and How to Prevent Them?


There are millions of websites on the internet today, and thousands more are created every day. But these websites face many threats and vulnerabilities, and DNS attacks are among the most common and most damaging.

There are various ways to protect websites from DNS attacks, but first it is important to understand what DNS is and what the different types of DNS attacks are.

What is DNS?

The Domain Name System (DNS) is the naming system that internet-connected devices use to find online resources. Every website on the internet has a unique IP address (Internet Protocol address), but it would be impossible for people to memorise or recall every website by its IP address, since those addresses are alphanumeric strings. DNS converts simple, human-readable names into IP addresses so that users can reach online services and websites.

Two major components make up the DNS infrastructure: authoritative servers and recursive servers. Authoritative servers host the IP information (the DNS records), and recursive servers look that information up on behalf of clients.

Types of DNS Attacks:

We will cover the following types of DNS attacks along with the best mitigation methods for each.

  1. DNS Floods
  2. DNS Cache Poisoning
  3. Distributed Reflection Denial of Service (DRDoS) Attacks
  4. NXDOMAIN Attacks
  5. Phantom Domain Attacks

DNS Floods:

A DNS flood is a DDoS (Distributed Denial of Service) attack aimed at DNS servers. Its goal is to deny access to certain domains.

Attackers use a DNS flood to disrupt recursive servers with a stream of illegitimate requests, which prevents the recursive server from processing legitimate queries.

Attackers generate these illegitimate queries from numerous locations and devices, which makes it difficult to distinguish legitimate traffic from attack traffic.

There are several ways to prevent DNS floods. One is to deploy an IP verification protocol: an anomaly detection and blocking system that uses machine learning techniques, and is regarded as one of the most effective mitigations against DNS floods. DNS floods can also be limited by accepting requests only from authorised clients. Setting a low Response Rate Limiting (RRL) threshold on the authoritative servers also helps.

DNS Cache Poisoning: 

DNS cache poisoning is a server-to-server ploy: malicious actors manipulate the records held by DNS servers to redirect traffic away from legitimate servers.

For example, an attacker could change the information on a Google DNS server so that it redirects users to Facebook's IP address.

On some occasions, these attacks can be scaled up by targeting Internet Service Providers, particularly if several of them depend on the same servers to retrieve DNS information. Once those servers are compromised, the contamination becomes systematic and can affect the routers of clients connected to those networks.

To prevent these attacks, DNS servers should be configured so that there is less dependence on servers outside the network. This keeps an attacker's DNS servers from communicating with the targeted servers.

Finally, the attacks can be limited by restricting DNS responses to give only specific data about the queried domain and by simply ignoring 'ANY' requests. Answering an ANY request forces the DNS resolver to return far more data about the requested domain, including MX records, A records and more.

Distributed Reflection Denial of Service (DRDoS) Attacks

A DRDoS (Distributed Reflection Denial of Service) attack attempts to overwhelm DNS infrastructure by sending an enormous volume of User Datagram Protocol (UDP) requests.

Compromised endpoints are typically used. UDP runs on top of IP to send requests to a DNS resolver. Attackers favour it because UDP has no delivery confirmation: there is no handshake, so the source address can be spoofed and the request can simply be copied and sent again. This makes it easy to create DNS congestion.

In this situation, the targeted DNS resolvers try to answer the bogus requests but are forced to return a huge volume of error responses and end up overwhelmed.

DRDoS attacks are a type of DDoS attack, and to prevent them, ingress network filtering should be applied to stop spoofing. Since queries pass through DNS resolvers, configuring the resolvers to accept requests only from specific IP addresses helps mitigate the problem.

This generally involves disabling open recursion, which reduces the loopholes available for DNS attacks. Open recursion makes the server accept DNS requests from any IP address, which clears a path to the infrastructure for the attacker.

Setting up Response Rate Limiting (RRL) will also reduce the rate of DRDoS incidents. This is done by setting a rate-limit ceiling, which stops the authoritative server from handling excessive numbers of queries.

NXDOMAIN Attacks

In an NXDOMAIN attack, the targeted server is flooded with requests for records that do not exist. DNS proxy servers (resolvers) are usually the target here; their job is to query the DNS authoritative servers for domain information.

The invalid requests reach the DNS proxy and authoritative servers, trigger NXDOMAIN error responses and cause latency. Over time the surge of requests degrades the performance of the DNS system.

NXDOMAIN attacks can be mitigated by allowing the server to keep cached data for valid requests for a longer period. This ensures that, even during an attack, valid requests are still answered without additional lookups, so the requested data can be served promptly.

Phantom Domain Attacks

To carry out a phantom domain attack, the attacker begins by setting up a number of domains configured so that they either do not respond to DNS queries or respond very slowly. Recursive servers are the main target.

They are hit with a huge volume of repeated requests for the phantom domains. The long response delays produce a backlog of unresolved requests that clogs the network and consumes significant server resources. Eventually this prevents legitimate DNS requests from being handled and keeps clients from reaching the targeted domains.

To mitigate phantom domain attacks, limit the number of concurrent recursive requests on every server. They can additionally be limited per zone.

Enabling hold-down on the DNS server for requests sent to non-responsive servers will also keep the infrastructure from being overwhelmed. This feature limits the number of retries made to unresponsive servers once they pass a certain threshold.
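As an added example that is not part of the original article, the mitigations discussed above (RRL for DNS floods and DRDoS, ignoring ANY requests, closing open recursion, longer caching against NXDOMAIN floods, and per-server and per-zone limits against phantom domains) map onto BIND 9 options directives. The two options blocks are alternatives, one weak and one hardened; the directive names are real BIND 9 options, while the numeric values and the 192.0.2.0/24 client range are assumptions to tune per deployment.

```conf
// Added example, not from the original article. Use ONE of these two
// "options" blocks in named.conf; they are shown side by side for contrast.

// --- Weak: an open resolver with no rate limiting ---
options {
    recursion yes;
    allow-recursion { any; };   // open recursion: recursive queries from the whole internet
    allow-query { any; };
};

// --- Hardened: restricted recursion, RRL, minimal ANY, caching, fetch limits ---
options {
    recursion yes;
    // Only our own clients may use this server recursively (192.0.2.0/24 is an
    // assumed example range; replace with the real client networks).
    allow-recursion { localhost; localnets; 192.0.2.0/24; };
    allow-query-cache { localhost; localnets; 192.0.2.0/24; };

    // Response Rate Limiting: cap identical answers per client per second so
    // a flood of spoofed queries cannot turn this server into a reflector.
    rate-limit {
        responses-per-second 10;
        errors-per-second 5;    // also throttles bursts of NXDOMAIN/SERVFAIL replies
        window 5;
        slip 2;                 // every 2nd dropped reply is sent truncated (TC=1)
                                // so genuine clients retry over TCP
    };

    // Do not hand out a large answer for ANY; trim extra sections generally.
    minimal-any yes;
    minimal-responses yes;

    // Ceilings for how long positive and negative (NXDOMAIN) answers may be
    // cached; generous values let repeated lookups be served from cache.
    max-cache-ttl 86400;
    max-ncache-ttl 3600;

    // Phantom domains: bound outstanding recursive fetches per zone and per
    // upstream server, and the total number of concurrent recursive clients.
    fetches-per-zone 200;
    fetches-per-server 500;
    recursive-clients 1000;
};
```

Run named-checkconf after editing so a typo does not leave the server unable to start, and watch the rate-limit statistics in the server logs to confirm that legitimate clients are not being throttled.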

Be safe from DNS threats

Every year, DNS attackers devise new tricks to bring down critical online infrastructure, and the damage can be enormous.

Any individual or organisation that relies heavily on its online domain should follow best-practice guidelines and stay up to date with the latest DNS defence technologies in order to withstand DNS attacks.
