As previously detailed on the Exoprise blog, the ICMP (Internet Control Message Protocol) is crucial…
DNS, the Domain Name System, is the Internet service that translates hostnames into IP addresses, and vice versa. It enables you to type www.exoprise.com in a browser, or send an email to someone at that domain, and have your request actually go to 184.108.40.206. Because DNS is a vital part of the Internet infrastructure, DNS attacks can have a serious impact on your online operations, including access to your website and email.
Here are several types of DNS attacks that you may face and what you can do to recognize and mitigate them.
Yes, your domain can actually be stolen, at least as far as visiting your site is concerned. There are several possible ways of doing this, such as submitting fake changes to Internet routing tables. Domain hijacking results in any traffic to your domain name being routed to another site. This is often accompanied by a fake web site that attempts to collect either money or personal information from visitors.
If traffic to your site drops dramatically, that could be an indication of a domain hijack, which makes it important to monitor traffic going to your domain. If you see traffic to your domain going to an unknown location, that is a clear indication of a hijack. Once your site has been hijacked, you need to work with your registration service to return the domain name to your control.
Exoprise CloudReady DNS sensors, run from a public or private site, can detect domain hijacking and are cheap insurance against your domain being hijacked. You can test that your DNS service is returning the right set of IP addresses all the way up to the root DNS server via the domain's Start of Authority (SOA) record.
DNS flood attack
This is one of the most basic types of DNS attack. In this Distributed Denial of Service (DDoS) attack, the attacker will hit your DNS servers. The goal is to overwhelm the servers so that they cannot service legitimate requests. In many cases the attacks are coming from multiple systems on the Internet. When that happens, it can be extremely difficult to clear the DNS so that it is open to normal traffic.
Enterprises can maintain a secondary DNS service hosted by an alternative registrar, and switch DNS service over once an attack is detected. Otherwise, combating a DNS flood can be a long and difficult battle, as you try to identify attack requests and exclude their source IP addresses.
Another type of DNS flood is the phantom DNS. Phantom DNS systems will send requests to legitimate DNS servers but will not respond to requests for resolution. That ties up resources on the local DNS servers and could lead to a flood attack.
CloudReady DNS sensors, in addition to most web-based and API sensors, continuously detect DNS slowdowns and can alert network administrators to a DNS flood attack instantly. DNS performance is critical to the successful delivery and satisfactory end-user experience when accessing and using cloud services. A DNS sensor can monitor up to 5 DNS servers from a single vantage point.
Another type of DNS attack is DNS spoofing, also known as cache poisoning. This occurs when corrupt DNS data is injected into the DNS resolver’s cache. This can cause the name server to return an incorrect IP address. Often the data injected into the cache will route users to a fake site in an attempt to extract money or personal information.
Often these types of attacks are the result of vulnerabilities being exploited, such as a user opening a malicious email or a similar compromise. Both keeping operating system and application patches up to date and educating users can help mitigate DNS spoofing in enterprises.
Related to DNS spoofing, DNS hijacking involves inserting malware on the DNS server that brings about a similar outcome – redirecting a system to a fake site. This is one of the easiest ways to perform a DNS attack, because it is a relatively simple technique. Having up-to-date antivirus protection will help catch malware on DNS servers.
Many of these types of DNS attacks can be found through continuous DNS monitoring as well as synthetic application tests. Monitoring, especially of commercial SaaS applications that tend to use a lot of DNS resources, can help enterprises identify and diagnose DNS attacks and slowdowns before they cause significant harm and impact an organization’s business. Look for unusual behaviors in your DNS activity, such as unexplained spikes in response time. Also, make sure that all DNS servers are fully patched and are audited regularly.
Exoprise supports two different types of DNS monitoring: active and passive. Both types are required for good coverage and detection of issues.
- Active DNS Monitoring
Through DNS sensors, you can watch 5 different DNS domain names which may be served from different DNS registrants. The DNS sensors bypass the local machine cache and perform lookup tests against the network DNS server and cache, recording the server response time and Network Path to the DNS server. In addition, the SOA record for each domain will be queried from the root DNS server.
- Passive DNS Monitoring
Browser and API tests are fully instrumented for monitoring and collecting DNS lookup timings for every session and sensor run. Correlating end-user experience, DNS lookup times and crowd-based benchmarks across applications like SharePoint, Exchange Online or other Office 365 services enables deep insight into the end-to-end health of your DNS capacity. Finally, ServiceWatch, Real User Monitoring (RUM) for SaaS services, provides another way to collect DNS lookup performance in real-time.
All of the metrics, regardless of generation or collection, are analyzed for proactive anomaly detection and escalation of DNS slowdowns.
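The two checks described above, comparing a resolver's answers with the expected (authoritative) set and escalating response-time spikes against a rolling baseline, as an added example that is not Exoprise code. The sensor results, the expected addresses (from the 203.0.113.0/24 documentation range) and the thresholds are all constructed for the illustration.

```python
from collections import deque
from statistics import median

# Expected A records for the monitored name, as confirmed against the zone's
# authoritative servers (hypothetical addresses from the documentation range).
EXPECTED_ANSWERS = {"203.0.113.10", "203.0.113.11"}

# Constructed sensor results: (resolver, response time in ms, set of A answers).
SAMPLES = [
    ("resolver-a", 21, {"203.0.113.10", "203.0.113.11"}),
    ("resolver-a", 24, {"203.0.113.10", "203.0.113.11"}),
    ("resolver-a", 19, {"203.0.113.10", "203.0.113.11"}),
    ("resolver-a", 23, {"203.0.113.10", "203.0.113.11"}),
    ("resolver-a", 20, {"203.0.113.10", "203.0.113.11"}),
    ("resolver-a", 25, {"203.0.113.10", "203.0.113.11"}),
    ("resolver-a", 480, {"203.0.113.10", "203.0.113.11"}),  # resolver struggling
    ("resolver-a", 950, {"203.0.113.10", "203.0.113.11"}),  # still struggling
    ("resolver-a", 22, {"203.0.113.10", "198.51.100.7"}),   # one answer swapped
]

def check_answers(answers, expected=EXPECTED_ANSWERS):
    """Compare a resolver's answer set with the authoritative set.
    Any deviation is a hijack / cache-poisoning indicator worth escalating."""
    if answers == expected:
        return None
    return {"type": "answer_mismatch",
            "unexpected": sorted(answers - expected),
            "missing": sorted(expected - answers)}

def analyze(samples, window=5, factor=3.0, floor_ms=100):
    """Walk sensor results in order, flagging answer mismatches and response
    times above factor x the rolling median of the last `window` healthy samples
    (an absolute floor keeps normal jitter from being escalated)."""
    findings, baseline = [], deque(maxlen=window)
    for idx, (resolver, rtt, answers) in enumerate(samples):
        mismatch = check_answers(answers)
        if mismatch:
            findings.append((idx, resolver, mismatch))
        if len(baseline) == window:
            base = median(baseline)
            if rtt > max(floor_ms, factor * base):
                findings.append((idx, resolver,
                                 {"type": "slowdown", "rtt_ms": rtt, "baseline_ms": base}))
                continue  # keep slow samples out of the baseline so a sustained flood keeps alerting
        baseline.append(rtt)
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLES):
        print(finding)
```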