Light Roast 110: Understanding the Various DNS Attack Methods
Chapter 1: Introduction to DNS
When considering DNS attack types, the first thing that comes to mind may be a Denial of Service (DoS) attack. That is not wrong, but most DoS activity involving DNS uses the service as a tool rather than as the target: in a reflection or amplification attack, for example, small spoofed queries are bounced off open resolvers so that the much larger answers flood a third party. Floods aimed directly at a DNS server do exist, but they are not the focus of this article.
The Domain Name System (DNS) is a fundamental element of the internet, enabling users to navigate from one site to another almost instantaneously. This article delves into the common methods that can compromise this essential service, redirecting users to harmful sites or obstructing access to necessary resources.
Section 1.1: What is DNS?
To understand the various attacks, we first need to clarify what DNS is.
The Domain Name System simplifies web browsing for users. It is the intermediary that links domain names to their corresponding IP addresses, which is what allows users to type "google.com" instead of memorizing a numeric address.
Although people think in terms of domain names, computers route traffic by IP address, which is what is assigned to each host. Every connection therefore begins with a lookup that translates a name into an address (a forward lookup; the opposite direction, from an IP address back to a name, is a reverse lookup and uses a separate record type). The DNS service performs this translation, making it possible for us to access websites effortlessly.
Imagine if we had to remember a string of numbers instead of simple names. Instead of saying, “visit Google,” we would have to say, “go to 142.251.40.238,” which would be cumbersome.
Section 1.2: How Does DNS Function?
Having established what DNS is, let’s briefly explore its operational mechanism.
DNS stores its mapping data on servers: authoritative servers hold the records for the zones they are responsible for, and recursive resolvers query them on behalf of clients and cache the answers they receive. There are two main scopes of DNS: public and private. Public DNS is accessible to everyone, while private DNS is restricted to specific internal networks.
Public DNS servers manage records for publicly reachable systems and websites, while private DNS operates within an organization's network, allowing users to access internal systems via domain names rather than IPs.
But how do DNS servers process a request for a site like facebook.com?
DNS relies on records, and for name-to-address lookups the most important is the A record (Address record), which maps a domain name to an IPv4 address (its IPv6 counterpart is the AAAA record). When the server that is authoritative for a zone receives a query, it answers from the A records in that zone; a resolver that has recently seen the answer may instead serve it from its cache for as long as the record's TTL allows.
For this discussion, we'll refrain from diving deeper into DNS, but there is much more to learn. If you can grasp the diagram below, you are ready to explore the three types of DNS attacks we will discuss.
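To make the A-record lookup concrete, here is an added Python example (not code from the original article) that builds an A query for example.com the way a resolver puts it on the wire and parses a constructed reply carrying one A record. The transaction ID, TTL and address in the sample reply are placeholders, and the `resolve()` helper that actually sends the query over UDP is only there for readers who want to point it at a real server.

```python
import socket
import struct

def encode_name(name: str) -> bytes:
    """Wire-encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard recursive query: 12-byte header, one question (qtype 1 = A, class 1 = IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg: bytes, offset: int):
    """Decode a name at offset, following compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # 2-byte pointer into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg: bytes) -> dict:
    """Parse header, question and answer section; collect A records as (name, ttl, ip)."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    qname, offset = read_name(msg, offset)
    offset += 4                                      # skip qtype + qclass
    answers = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:               # A record: four raw address bytes
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "rcode": flags & 0xF, "qname": qname, "answers": answers}

def resolve(name: str, server: str = "127.0.0.1", txid: int = 0x1234, timeout: float = 2.0) -> dict:
    """Send the query over UDP/53 and parse the reply (network helper, not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    reply = parse_response(data)
    if reply["txid"] != txid:                        # mismatched ID: not an answer to our question
        raise ValueError("transaction ID mismatch")
    return reply

# Constructed sample: the reply an authoritative server could return for
# "example.com A".  TTL and address are placeholders, not live data.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1; 1 question, 1 answer
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"                                       # name = pointer to the question at offset 12
    + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(build_query("example.com", 0x1234).hex())
    print(parse_response(SAMPLE_RESPONSE))
```

The 16-bit transaction ID in the header is the only thing tying an answer to the question that caused it, which matters for the poisoning attacks later in this article: a resolver that does not check it will happily cache whatever arrives.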
Chapter 2: Types of DNS Attacks
As we've established, DNS is vital to the internet's infrastructure. Without it, reaching our favorite sites would require knowing their public IPs. Even basic tools such as ping accept a hostname and silently resolve it before doing anything else, and nslookup exists purely to query DNS.
The unavailability of DNS is one issue, and while DoS attacks can overload DNS servers, there are various other ways to exploit DNS for malicious purposes. The attacks we will cover focus on using DNS for harmful activities rather than merely disrupting service.
Section 2.1: DNS Hijacking
First, let’s examine DNS hijacking, which has several variations. As the term implies, DNS hijacking occurs when a malicious actor seizes control of an existing domain through one of three methods:
- An attacker breaches a domain registrar account and changes the domain's nameserver or contact records so that the domain resolves through servers they control.
- An attacker modifies an A record, redirecting it to an IP address they control.
- An attacker infiltrates a corporate environment and changes the DNS servers that its devices are configured to use.
Let's break these down. A domain registrar, like GoDaddy or BlueHost, registers domain names on behalf of users. To hijack a domain, an attacker gains access to a user's registrar account (often through phished or reused credentials on an account without multi-factor authentication) and alters the settings of the registered domains.
In the second method, the attacker obtains administrative access to the zone, either at the DNS hosting provider or on the authoritative server itself, and changes an existing A record so that the name resolves to an IP the attacker controls. The consequences can be severe: every visitor is sent to a malicious site that may host malware or harvest credentials, while the domain name they typed looks perfectly normal.
Finally, the third method targets the resolver settings inside a corporate network. Organizations run their own DNS servers for internal names, and clients are usually told which servers to use through DHCP or group policy. An attacker who changes those settings, whether on the DHCP server, on individual endpoints, or by standing up a rogue server, controls the network's address book: they can block access to vital internal resources or silently redirect it to hosts they control.
Section 2.2: DNS Tunneling
Next, we have DNS tunneling, a technique that has gained traction due to its ability to evade detection by firewalls and other security measures.
A normal DNS exchange carries only a name, a record type and the answer. DNS tunneling abuses those fields as a transport: the client encodes its data into the subdomain labels of queries for a domain the attacker controls, and the attacker's authoritative server for that domain sends data back inside the answers (TXT, CNAME, NULL and similar records). Because DNS is almost always allowed out of a network, even where direct outbound traffic is not, the channel passes through firewalls that only inspect other protocols.
While DNS tunneling can serve legitimate purposes, in practice it is most often seen as a command and control channel or as a low-and-slow exfiltration path, moving data in small pieces to stay under the thresholds security systems watch for.
Section 2.3: DNS Poisoning
Lastly, we'll discuss DNS poisoning, also known as DNS spoofing. This attack tricks a client or a recursive resolver into accepting a forged DNS response. When the victim is a resolver, the bogus record lands in its cache and is served to every client that asks afterwards (cache poisoning). The attack is frequently associated with man-in-the-middle (MITM) attacks, where an attacker on the path sees the query and answers it before the real server can.
For instance, when you type "twitter.com", your computer asks its DNS server for the corresponding IP address. In a MITM attack, rather than the legitimate A record, the attacker's forged answer arrives first and redirects you to a fraudulent site that may install malware or steal login credentials. An attacker who is not on the path has to guess what the outstanding query looks like (its transaction ID, source port and question) to have a forgery accepted, which is why modern resolvers randomize those values and discard answers that do not match.
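The added Python example below (not code from the original article) models the acceptance check a resolver performs on inbound responses, with a `strict` flag that toggles between an old-style resolver (sequential transaction IDs, fixed source port, no sanity checks) and one with the modern checks, and runs two constructed poisoning attempts against each. All names, addresses and the two-label zone assumption in `in_bailiwick` are hypothetical; the addresses come from the documentation ranges.

```python
import random
from dataclasses import dataclass

@dataclass
class Query:
    txid: int
    src_port: int
    qname: str
    upstream: str          # server the query was sent to

@dataclass
class Response:
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    answers: dict          # name -> IPv4 address

def in_bailiwick(name: str, qname: str) -> bool:
    """Accept a record only if it belongs to the zone the question was about.
    Assumption: the zone is the last two labels of the queried name."""
    zone = ".".join(qname.split(".")[-2:])
    return name == zone or name.endswith("." + zone)

class Resolver:
    """Toy recursive resolver cache.
    strict=False models an old resolver: sequential transaction IDs, a fixed source port,
    no check of who answered, what question the answer is for, or which records it caches.
    strict=True models the modern checks on every inbound response."""
    def __init__(self, strict: bool, seed: int = 0):
        self.strict = strict
        self.rng = random.Random(seed)
        self.cache = {}
        self.pending = {}          # (txid, src_port) -> outstanding Query
        self._next_txid = 0x0100

    def send_query(self, qname: str, upstream: str) -> Query:
        if self.strict:
            txid = self.rng.randrange(0, 1 << 16)
            port = self.rng.randrange(1024, 1 << 16)       # source-port randomization
        else:
            txid, port = self._next_txid, 53
            self._next_txid = (self._next_txid + 1) & 0xFFFF
        q = Query(txid, port, qname, upstream)
        self.pending[(txid, port)] = q
        return q

    def receive(self, resp: Response) -> bool:
        """Return True if the response was accepted into the cache."""
        key = (resp.txid, resp.dst_port)
        q = self.pending.get(key)
        if q is None:                                      # nothing outstanding matches
            return False
        if self.strict:
            if resp.src_ip != q.upstream or resp.qname != q.qname:
                return False                               # wrong sender or wrong question
            accepted = {n: ip for n, ip in resp.answers.items() if in_bailiwick(n, q.qname)}
        else:
            accepted = dict(resp.answers)
        self.cache.update(accepted)
        del self.pending[key]                              # first matching answer wins
        return True

# Addresses from the documentation ranges; all names and hosts are constructed.
UPSTREAM = "192.0.2.53"          # legitimate authoritative server for bank.example
LEGIT_IP = "192.0.2.10"
ATTACKER_NS = "203.0.113.9"      # attacker's own authoritative server
ATTACKER_IP = "198.51.100.66"    # where the forged record points
VICTIM_NAME = "www.bank.example"

def run_poisoning_attempt(strict: bool, guesses: int = 256) -> dict:
    """Off-path attack: the attacker learns a recent txid by making the resolver query the
    attacker's own nameserver, then floods forged replies for VICTIM_NAME before the real
    answer arrives. Returns the resolver's cache afterwards."""
    r = Resolver(strict)
    observed = r.send_query("probe.attacker.example", ATTACKER_NS).txid
    q = r.send_query(VICTIM_NAME, UPSTREAM)
    for i in range(1, guesses + 1):
        forged = Response((observed + i) & 0xFFFF, 53, UPSTREAM, VICTIM_NAME, {VICTIM_NAME: ATTACKER_IP})
        if r.receive(forged):
            break
    r.receive(Response(q.txid, q.src_port, UPSTREAM, VICTIM_NAME, {VICTIM_NAME: LEGIT_IP}))
    return dict(r.cache)

def run_out_of_bailiwick(strict: bool) -> dict:
    """A malicious authoritative server answers its own question truthfully but smuggles in
    an extra record for someone else's zone. Returns the resolver's cache afterwards."""
    r = Resolver(strict)
    q = r.send_query("cdn.attacker.example", ATTACKER_NS)
    r.receive(Response(q.txid, q.src_port, ATTACKER_NS, q.qname,
                       {"cdn.attacker.example": "203.0.113.10", VICTIM_NAME: ATTACKER_IP}))
    return dict(r.cache)

if __name__ == "__main__":
    for strict in (False, True):
        label = "strict" if strict else "legacy"
        print(label, run_poisoning_attempt(strict), run_out_of_bailiwick(strict))
```

Against the legacy resolver the very first guess lands, and the genuine answer that arrives afterwards is dropped as unsolicited, so the poisoned entry survives for its full TTL. Against the strict resolver the forgeries never match the randomized port, and the smuggled record for www.bank.example is discarded because it lies outside the zone that was asked about. Randomization only raises the attacker's cost; it does not authenticate the answer, which is what DNSSEC signatures are for.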
As we’ve seen, DNS is an indispensable service we rely on daily, yet its importance often goes unnoticed. When major outages occur due to DNS issues, such as with Facebook or Instagram, we are reminded of how crucial this service is.
While some DNS outages may be accidental, they can also result from deliberate cyberattacks like hijacking or poisoning. In this article, we’ve explored three prevalent types of DNS attacks and how they can be exploited for malicious purposes.
With this knowledge in hand, the next step is to learn how to safeguard DNS against these attacks. Stay tuned for our upcoming article, which will cover common strategies to protect against hijacking, tunneling, and poisoning attacks.