April 30, 2019
The Domain Name System (DNS) is the grey eminence of the Internet. That is why many online professionals may not be familiar with its potential even though they deal with it every day. DNS-related processes are crucial for interactions on the Web because every email, web page, or tweet relies on the domain name system to translate human-readable domain names into the numeric addresses machines use.
However, many digital experts underestimate or even overlook the capabilities of DNS. Unfortunately, the same is not true for cybercriminals, who often plague online professionals through DNS-based attacks. To avoid this, specialists need to understand how DNS works and how perpetrators can abuse it. We examined the subject closely in our Domain Name System Primer whitepaper and discuss the most important ideas in this article.
So How Does the DNS Work?
Which of the two is easier to remember: 188.8.131.52 or Google.com?
Most people would agree that the latter is far more convenient since it is something they can easily read. The former, by contrast, is the machine-readable address computers use to communicate with each other.
The DNS is an integral part of how the Internet works because it translates domain names into those series of numbers, allowing users to interact on the Web. Another important fact is that nearly all Internet traffic begins with a DNS lookup that directs each connection to its intended destination. Additionally, the DNS maintains records that include the name servers associated with a domain, its IP address, its mail exchange information, and more.
In What Ways Can the DNS Be Abused?
There are two broad ways data-hungry hackers can exploit DNS: by taking advantage of security gaps in the servers, or by modifying how the system works. Let's take a closer look at three common techniques:
- DNS cache poisoning – likewise known as DNS spoofing, it is a method carried out by exploiting vulnerabilities that allow attackers to introduce forged records into a DNS resolver's cache. In turn, this technique redirects traffic away from your website to unknown, malicious pages.
- DNS flood attack – a type of Distributed Denial of Service (DDoS) attack that renders DNS servers inoperable by overloading them with unnecessary traffic. For you, as an online professional, it means that your website or web application becomes too slow to respond to legitimate traffic, which, ultimately, may significantly disrupt operations.
- DNS tunneling – an approach in which an attacker carries another protocol's data inside DNS queries and responses, bypassing security controls that trust DNS traffic from authorized applications. Although not technically an attack on the DNS itself, tunneling is often used to spy on a network or to steal data through its DNS servers.
Tips to Stay Protected from DNS Attacks
Fortunately, DNS-based attacks can be mitigated in a variety of ways:
Remedies for the poison
DNS cache poisoning is hard to detect and can take some time to resolve even once an administrator is onto it. Best practices that help prevent it from happening again include configuring your DNS resolver to rely less on other servers, caching only the records that relate to the requested domain, and regularly clearing the DNS caches on local machines.
Stemming the tide
One way to recognize and halt DDoS attacks is to configure a UTM (Unified Threat Management) firewall that rejects the harmful payloads meant to flood a server. Once the malicious IP addresses have been identified, they can be blacklisted to stop them from sending any more unwanted traffic. Furthermore, studying data from a DNS database download service can help pinpoint additional sources of these threats.
Stop tunneling in its tracks
Blocking queries to flagged domains and hosts can be implemented to prevent DNS tunneling. Organizations can use a public DNS resolver, for instance, to add a layer of protection against would-be infiltrators. Another, more reactive approach is to analyze the traffic on your network. Knowing the normal volume of requests your DNS servers handle lets you recognize sudden increases in activity that could be caused by tunneling.
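As an added example (not code from the original article), here is a small Python detector for the baseline comparison just described: it computes each client's average DNS queries per minute from earlier log windows and flags any client whose count in the current minute jumps far above that baseline. The log format, the IP addresses, the domain names and the threshold factor are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample DNS query log (not real traffic), one entry per query:
# "<minute> <client-ip> <query-name>". Minutes 0-4 are normal activity for
# every client; in minute 5 client 10.0.0.9 issues a burst of queries under
# a single domain, the volume pattern the article associates with tunneling.
SAMPLE_LOG = []
for minute in range(6):
    for client in ("10.0.0.5", "10.0.0.7", "10.0.0.9"):
        for i in range(3):
            SAMPLE_LOG.append(f"{minute} {client} host{i}.example.com")
for i in range(40):  # constructed burst from one client in minute 5
    SAMPLE_LOG.append(f"5 10.0.0.9 c{i:03d}.data.tunnel.example.net")


def queries_per_minute(log_lines):
    """Count queries per client per minute: {client: {minute: count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        minute, client, _qname = line.split()
        counts[client][int(minute)] += 1
    return counts


def spike_clients(log_lines, current_minute, factor=5.0):
    """Flag clients whose query count in current_minute exceeds `factor`
    times their own average over all earlier minutes (the baseline).
    Returns {client: (current_count, baseline_average)}. Clients with no
    history have no baseline yet and are not flagged."""
    counts = queries_per_minute(log_lines)
    flagged = {}
    for client, per_minute in counts.items():
        history = [c for m, c in per_minute.items() if m < current_minute]
        baseline = mean(history) if history else 0
        now = per_minute.get(current_minute, 0)
        if baseline and now > factor * baseline:
            flagged[client] = (now, baseline)
    return flagged


if __name__ == "__main__":
    for client, (now, base) in spike_clients(SAMPLE_LOG, 5).items():
        print(f"{client}: {now} queries this minute vs. baseline {base}/min")
```

In production the same comparison would run over a resolver's query log per time window, and the threshold factor should be tuned against the network's own normal variation.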
The domain name system is an essential part of an online professional's daily life and should not be overlooked. By understanding how the DNS works, what exploits threat actors can perform, and how these can be prevented, digital experts can better protect their business.
Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP) — a data, tool, and API provider that specializes in automated threat detection, security analysis and threat intelligence solutions for Fortune 1000 and cyber-security companies. TIP is part of the Whois API Inc. family which is a trusted intelligence vendor by over 50,000 clients.