What is a DNS Attack? What are the Most Dangerous DNS Attacks and How to Protect Against Them?

The Internet as we know it simply wouldn’t function without its vital part – DNS. Unfortunately, DNS has its vulnerabilities. An attack in which the hacker exploits DNS vulnerabilities is called a DNS attack and in this article we are going to explore some of the most common DNS attacks, why they happen and how to protect against them.

Domain Name System Explained

While for the user the Internet works very simply, there is in fact, a lot going on in the background that we can’t see.

A big part of this is the Domain Name System or just DNS. 

Every device on the Internet is reachable through a unique IP address. This IP address serves as a distinct identifier, much like a home address in the physical world. While we, as users, interact with domain names like “example.com,” in the background these domain names are mapped to specific IP addresses.

The process is seamless, thanks to DNS. Without DNS, we’d be required to remember the exact IP address of every website we wish to visit, which is not only impractical but also counterintuitive. Instead, DNS acts as the Internet’s phonebook, translating memorable domain names into their corresponding IP addresses.

So, when your computer seeks to access a website, it queries the DNS to find the website’s actual IP address, ensuring a smooth browsing experience.

If another device, let’s say your computer, wants to find another device, for example, a server where the website you are looking for is stored, it will search for its IP address.


The problem is that IPs are numerical (IPv4) or alphanumeric (IPv6) and look like this: 95.180.120.120.

That doesn’t tell anything to the user.

This is where DNS comes into the picture. Instead of remembering IP addresses for every website you want to visit, you can use their hostnames to search for them, like “YouTube”. However, as computers prefer bits and bytes and 0s and 1s to communicate, the DNS will translate the hostname you entered into an IP address.

Like I told you, you don’t have to think about it too much.

What is a DNS Attack?

DNS is not perfect and it has its vulnerabilities. From time to time (actually all the time) hackers will try to exploit those vulnerabilities. This is called a “DNS attack”.

There are many different types of DNS attacks that you should know about, like DDoS (Distributed Denial of Service), domain hijacking, DNS flood attack, cache poisoning, DNS tunneling, random subdomain attack, NXDOMAIN attack, phantom domain attack and more.

In this article, we’ll focus on the two most common kinds: DNS DDoS attacks (especially the DNS amplification attack) and the closely related DNS spoofing and DNS poisoning attacks.


DNS DDoS Attack

DDoS is probably the best-known DNS attack out there and one you might have heard about in the news. Basically, the goal of these attacks is to overwhelm the DNS server and make the DNS service unavailable.

In other words, when a DDoS attack is successfully executed, the server becomes unusable and people can’t open your website.

The two types of DNS DDoS attacks are:

  1. DNS Amplification Attack

In a DNS amplification attack, the idea is that a small query triggers a large response (hence “amplification”). The danger behind this type of attack is that a hacker doesn’t need a particularly powerful machine. Even a normal computer can flood the DNS by making short requests that require long answers from the DNS resolver.

  2. DNS Reflection Attack

On the other hand, DNS reflection attacks are perhaps even more sinister. In this attack, the hacker sends queries that look like they originate from the victim. The responses are then delivered to the victim (who never asked for them), and this traffic is usually enough to flood their network.
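Both amplification and reflection leave a characteristic trace on the resolver that is being abused: many small queries from one source address, each drawing a response many times larger than the question. The script below is an added example (not from the article) that reads a constructed query log in a simplified format, works out the response-to-request size ratio per query, and flags any source address that either exceeds an amplification ratio or sends a burst of queries inside a short window. The log format, the addresses and the thresholds are all assumptions made for the example; a real deployment would feed it BIND or Unbound query logs and tune the thresholds to its own baseline.

```python
"""Flag likely amplification/reflection traffic in a resolver query log.

Constructed log format for this example (NOT BIND's native query-log format):
    <epoch_seconds> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
"""
from collections import defaultdict

# Thresholds are assumptions for the example; tune them to your own traffic.
AMPLIFICATION_THRESHOLD = 20   # response/request size ratio that deserves a look
RATE_THRESHOLD = 50            # queries from one source inside the window
WINDOW_SECONDS = 10


def build_sample_log():
    """Constructed sample: one ordinary client and one source that hammers
    the resolver with large-answer queries. The flood's source address is the
    host that will receive the reflected responses."""
    lines = [
        "1700000000 203.0.113.5 example.com A 45 102",
        "1700000003 203.0.113.5 mail.example.com MX 50 160",
        "1700000009 203.0.113.5 www.example.com AAAA 49 110",
    ]
    # 60 identical queries in six seconds, each 42-byte question -> 3500-byte answer
    for i in range(60):
        lines.append(f"{1700000000 + i // 10} 198.51.100.77 example.org ANY 42 3500")
    return "\n".join(lines)


def parse_log(text):
    """Turn log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, qname, qtype, qbytes, rbytes = line.split()
        records.append({"ts": int(ts), "ip": ip, "qname": qname, "qtype": qtype,
                        "qbytes": int(qbytes), "rbytes": int(rbytes)})
    return records


def amplification_factor(rec):
    """Bytes sent back per byte received for one query."""
    return rec["rbytes"] / rec["qbytes"] if rec["qbytes"] else 0.0


def find_suspicious_sources(records, amp_threshold=AMPLIFICATION_THRESHOLD,
                            rate_threshold=RATE_THRESHOLD, window=WINDOW_SECONDS):
    """Return {source_ip: finding} for sources that look like amplification
    or reflection traffic. A source is reported if it sent queries with a
    high amplification factor, or a burst above rate_threshold queries in
    any `window`-second interval."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: highest number of queries from this source in `window` seconds.
        peak, start = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] >= window:
                start += 1
            peak = max(peak, end - start + 1)

        amplified = [r for r in recs if amplification_factor(r) >= amp_threshold]
        bytes_in = sum(r["qbytes"] for r in recs)
        bytes_out = sum(r["rbytes"] for r in recs)

        reasons = []
        if amplified:
            reasons.append(f"{len(amplified)} queries with amplification >= {amp_threshold}x")
        if peak >= rate_threshold:
            reasons.append(f"peak of {peak} queries within {window}s")
        if reasons:
            findings[ip] = {
                "queries": len(recs),
                "peak_rate": peak,
                "bytes_out_per_byte_in": round(bytes_out / bytes_in, 1),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in find_suspicious_sources(parse_log(build_sample_log())).items():
        print(ip, finding)
```

On the constructed sample the ordinary client is left alone, while 198.51.100.77 is reported with a 60-query burst and roughly 83 bytes sent out for every byte received. Whether that address is an attacker probing your resolver or a victim whose address is being forged, the response is the same on the defender's side: rate-limit or drop those answers and, as the prevention tips below explain, stop the server from recursing for hosts that are not your own clients.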

DNS Spoofing Attack and DNS Poisoning Attack

DNS spoofing attack and DNS poisoning attack are very similar and are sometimes confused. However, keep in mind that they work differently.

In a DNS spoofing attack the hacker redirects, or “spoofs,” the victim’s Internet traffic. This way, they can send the victim to a malicious or phishing website instead of the real website the user wanted to visit.

A DNS poisoning attack, or cache poisoning attack, doesn’t target the server and its traffic the way a spoofing attack does, but works on the user’s end. Namely, this DNS attack plants a fake IP address that is then stored in the local DNS cache, so the cache keeps returning the fraudulent site to the victim (even after the name has been resolved correctly on the server side).

How to Prevent DNS Attacks?

Here are some useful tips to prevent DNS attacks:

  1. Make sure your DNS servers are up-to-date

Always keep your DNS servers up-to-date, whether you are using Microsoft DNS, BIND or some other DNS software. You’ll want to do this because the latest software will always have the newest security patches, without which your servers will be vulnerable to exploits.

  2. Disable DNS recursion

Disabling DNS recursion helps prevent DNS poisoning attacks. If recursion is enabled (as it usually is by default on BIND servers), the DNS server will go and resolve queries for domains it is not authoritative for on behalf of whoever asks, which lets third-party hosts use your name servers as a resolver. Disable it (or restrict it to your own clients) so that your servers can’t be used in DNS amplification attacks.

  3. Use a DDoS mitigation provider

You might try to run your own DNS servers, but if you happen to come under a DNS attack, you’ll likely suffer a huge downtime. Although this won’t solve the problem entirely, using a service like Cloudflare will mitigate some of the DDoS and allow you to keep your servers working.

  4. Restrict zone transfers

As attackers might request a DNS zone transfer to learn more about your network topology, it’s a good idea to restrict which servers are actually allowed to perform a zone transfer, limiting the request to the IP addresses of your own secondary name servers.

  5. Hide your BIND version

By running a query like:

dig @ns1.server.com -c CH -t txt version.bind

an attacker will be able to see what BIND version you are running on your server. Although hiding the BIND version in itself will not do much, it’s a good thing to do to make it harder for hackers to audit your server.

To do this, you will need to edit the named.conf file. Find the options { … } config block. At the end of this block, you’ll find the version "BIND" setting. Change that to version "Hidden" or something like that.

Save and close and restart BIND.
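Tips 2, 4 and 5 all end up in the same options block of named.conf, so here is one example of what that block can look like with recursion, zone transfers and the version string all locked down. This is an added example, not a configuration from the article; the ACL names, directory and addresses are placeholders, and the commented-out lines show the weak settings the corrected ones replace.

```conf
// Example BIND named.conf excerpt (added example, placeholder values).
// ACL names and addresses are assumptions: replace them with your own.
acl "trusted"     { 127.0.0.1; ::1; 192.0.2.0/24; };   // your own client networks
acl "secondaries" { 198.51.100.10; 198.51.100.11; };   // your secondary name servers

options {
    directory "/var/named";

    // Tip 2: do not recurse for the whole Internet.
    // Weak (open resolver, usable for amplification and reflection):
    //   recursion yes;
    //   allow-recursion { any; };
    // Corrected for an authoritative-only server: turn recursion off entirely.
    recursion no;
    // Corrected for a resolver that must serve your own clients: keep recursion
    // on but limit who may use it and who may read the cache.
    //   recursion yes;
    //   allow-recursion   { "trusted"; };
    //   allow-query-cache { "trusted"; };

    // Tip 4: only your secondaries may pull a zone transfer.
    // Weak:      allow-transfer { any; };
    allow-transfer { "secondaries"; };

    // Tip 5: stop "dig -c CH -t txt version.bind" from revealing the version.
    version "Hidden";
};
```

Run named-checkconf on the edited file before restarting so a typo in the block doesn’t take the server down, and afterwards repeat the dig query from tip 5 against your own server: the TXT answer should now read "Hidden" rather than a version number, and a recursive query for a domain you don’t host should be refused from outside the trusted networks.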

That’s it. Hopefully, this article will give you some more tools in preventing DNS attacks in the future.