Types of DNS Attacks and How Application Monitoring Can Help

DNS, the Domain Name Service, is the Internet service that translates IP addresses into hostnames, and visa versa. It enables you to type www.exoprise.com in a browser, or send an email to someone at that domain, and have your request actually go to 35.172.52.247. As a vital part of the Internet infrastructure, DNS attacks can have a serious impact on your online operations, including access to your website and email.

Here are several types of DNS attacks that you may face and what you can do to recognize and mitigate them.

Domain hijacking

Yes, your domain can actually be stolen, at least as far as visiting your site is concerned. There are several possible ways of doing this, such as submitting fake changes to Internet routing tables. Domain hijacking will result in any traffic to your domain name to be routed to another site. This is often accompanied by a fake web site that attempts to collect either money or personal information from visitors.

If traffic to your site dramatically drops, that could be an indication of a domain hijack. That makes it important to monitor traffic going to your domain. If you see traffic to your domain going to an unknown location, that is a clear indication of a hijack. Once your site has been highjacked, you need to work with your registration service to return the domain name to your control.

DNS flood attack

This is one of the most basic types of DNS attack. In this Distributed Denial of Service (DDoS) attack, the attacker will hit your DNS servers. The goal is to overwhelm the servers so that they cannot service legitimate requests. In many cases the attacks are coming from multiple systems on the Internet. When that happens, it can be extremely difficult to clear the DNS so that it is open to normal traffic.

Enterprises can utilize a secondary DNS by an alternative registrar, and switch the DNS service once an attack is detected. Otherwise, combating a DNS flood can be a long and difficult battle, as you try to identify attack requests and exclude those IP addresses.

Another type of DNS flood is the phantom DNS. Phantom DNS systems will send requests to legitimate DNS servers but will not respond to requests for resolution. That ties up resources on the local DNS servers and could lead to a flood attack.

DNS spoofing

Another type of DNS attack is DNS spoofing, also known as cache poisoning. This occurs when corrupt DNS data is injected into the DNS resolver’s cache. This can cause the name server to return an incorrect IP address. Often the data injected into the cache will route users to a fake site in an attempt to extract money or personal information.

Often these types of attacks are the result of vulnerabilities, such as opening malicious emails or similar hack. Both keeping operating system and application patches up to date and educating users can help alleviate DNS spoofing in enterprises.

DNS hijacking

Related to DNS spoofing, DNS hijacking involves inserting malware on the DNS server that brings about a similar outcome – redirecting a system to a fake site. This is one of the easiest ways to perform a DNS attack, because it is a relatively simple technique. Having up-to-date antivirus protection will help catch malware on DNS servers.

Many of these types of DNS attacks can be found through continuous DNS monitoring as well as synthetic application tests. Monitoring, especially of commercial SaaS applications that tend to use a lot of DNS resources, can help enterprises identify and diagnose DNS attacks and slowdown before they cause significant harm and impact an organization’s business. Look for unusual behaviors in your DNS activity, such as unexplained spikes in performance. Also, make sure that all DNS servers are fully patched, and are audited regularly.