How to use DNS to Prevent Security Issues

Weaknesses and Vulnerabilities in the Domain Name System (DNS)

  1. DNS Servers are Blabber Mouths
    The truth is, DNS servers aren’t good at keeping secrets. They function as a digital phonebook of sorts and their purpose is to convert domain names into IP addresses. They’ll “talk” to any device and freely exchange information. You can think of DNS servers as gossips — they love to spill the beans. But that’s what they were designed to do. In fact, it’s their “gossipy” nature that allows the internet to work in the way we’ve grown accustomed to today.
  2. Recursive DNS Servers Can’t Resist a Poisoned Apple
    Just like Snow White, DNS servers aren’t able to resist beautiful red apples. They’re going to take a bite. Without special security precautions, they aren’t able to distinguish between a legitimate request and a fraudulent one. A server that eats a “poisoned apple” won’t fall into a coma, though. Instead, it will be flooded with fraudulent DNS records, which will trick it into sending innocent users to very bad places. In case it’s not clear, the server doesn’t really eat an apple… but servers can be poisoned by a hacker (more on this below).
  3. DNS Isn’t a Natural Defensive Tackle
    In its basic state, the domain name system isn’t equipped to “hold the line.” In other words, it wasn’t created to block or recognize potential threats; it was only designed to answer queries. In fact, DNS is commonly exploited by hackers to circumvent firewalls, hijack websites, and tunnel malicious traffic in a variety of ways. DNS is also vulnerable to DoS and DDoS attacks, which are notorious for causing widespread outages for domains.

Common DNS Attacks that Exploit DNS Security

  1. Distributed Denial-of-Service (DDoS) Attacks
    As the name suggests, this type of threat is designed to deny access to a server or network. DDoS attacks are carried out by cybercriminals either with a botnet (typically a large group of hacked “zombie” devices) assembled to attack a specific target, or through an amplification attack, which uses publicly accessible DNS servers to flood a target with lookup requests. When faced with such a large barrage of unexpected traffic, systems can easily and quickly be overwhelmed, and the domains relying on them go dark.
  2. NXDOMAIN Attack
    This DNS threat is a close relative of the DDoS attack. Its goal is also to deny service to legitimate traffic, but instead of instructing hacked devices to hit a specified target, it bombards nameservers with requests for subdomains or DNS records that don’t exist or are invalid. An NXDOMAIN attack is usually accomplished by (but not limited to) programs that allow bad actors to auto-generate subdomains randomly. This causes the authoritative nameserver to essentially chase its tail because it’s too busy answering a flood of bad requests. Like DDoS attacks, these threats can exhaust a server or network to the point of failure.
  3. DNS Hijacking
    You can think of DNS hijacking as sleight of hand. These types of attacks redirect traffic to a fake, malicious version of a website. This can be achieved via Trojan malware unknowingly installed on end-user devices, hacked routers, or intercepted DNS communication. The purpose of DNS hijacking is typically to collect sensitive details, such as passwords and payment information (phishing), or for ad revenue from spam ads (pharming).
  4. DNS Tunneling
    This type of attack exploits DNS by using the protocol to sneak malicious traffic past a network’s firewalls and defenses. When DNS tunneling is successful, the attacker can infect internal devices on the network and exfiltrate data without the end user’s knowledge. Tunneling takes advantage of the domain name system’s “trusting” nature and can-do attitude, and it is notoriously hard to detect.
  5. DNS Poisoning/DNS spoofing
    DNS poisoning or DNS spoofing is when an attacker impersonates an authoritative nameserver. Think of it like how the witch disguised herself as an old woman to fool Snow White into eating the poisoned apple. Once established, the “imposter” will attempt to forge replies when the recursive server makes a request. Oblivious to the threat, the recursive server accepts the wrong answer without question and runs with it. In its defense, this isn’t an easy task. A hacker only has milliseconds to pull this off before the real authoritative nameserver answers the request. Unfortunately, if the bad actor is successful, this can lead to threat #6, which can be an even bigger problem.
  6. DNS Cache Poisoning
    Cache poisoning is often a byproduct of DNS poisoning. The reason is that once a recursive server is tricked into thinking a malicious actor’s device is an authoritative nameserver, it doesn’t just answer the original query with the information it receives. It also stores the fraudulent details in its cache. Anytime a user queries the resolver for the same website, the recursive resolver will send the end user to the “bad place” until the records in its cache have expired.
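
An added example (not from the original article) of how a defender might look for the tunneling described in item 4: tunneled data tends to show up as many unique, long, high-entropy subdomains queried by one client under one zone. The thresholds, the last-two-labels zone split and the sample queries are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict
from hashlib import sha256

def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_zone(qname, zone_labels=2):
    """Split a query name into (subdomain part, zone). Treating the last two
    labels as the zone is a simplification; production code should consult
    the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def find_tunnel_candidates(queries, min_unique=5, min_len=30, min_entropy=3.0):
    """Return (client, zone) pairs whose subdomains are numerous, long and
    high-entropy. All three thresholds are illustrative assumptions."""
    seen = defaultdict(set)
    for client, qname in queries:
        sub, zone = split_zone(qname)
        if sub:
            seen[(client, zone)].add(sub)
    flagged = []
    for key, subs in sorted(seen.items()):
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged.append(key)
    return flagged

# Constructed sample: ordinary lookups from one client, and one client sending
# many long pseudo-random labels (stand-ins for encoded data) under a single zone.
SAMPLE = [("10.0.0.7", name) for name in
          ("www.shop.example", "mail.shop.example", "api.shop.example", "www.shop.example")]
SAMPLE += [("10.0.0.5", sha256(b"chunk%d" % i).hexdigest()[:40] + ".cdn-sync.example")
           for i in range(8)]

if __name__ == "__main__":
    for client, zone in find_tunnel_candidates(SAMPLE):
        print(f"possible DNS tunnel: client={client} zone={zone}")
```

Legitimate services such as CDNs and telemetry endpoints can also produce long, random-looking names, so results like these are leads for review rather than verdicts.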

How DNS Made Easy Can Protect Your Domain

DNSSEC: Validate and Secure Your DNS

Enable DNSSEC in DNS Made Easy

Full DNS Audit Log History: Query Logging and Advanced Analytics

Advanced DNS Monitoring and Protection: Real-time Anomaly Detection (RTTAD)

DNS Made Easy Counter Measures for DNS Threats

1. Anomaly Detection prevents: DDoS Attack and NXDOMAIN Attack

2. DNSSEC prevents: DNS Hijacking, DNS Tunneling, DNS Poisoning, DNS Cache Poisoning
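
The kind of check that anomaly detection for NXDOMAIN floods (item 1) relies on, as an added example that is not DNS Made Easy's implementation: it flags a zone when, within one time window, most answers are NXDOMAIN and the missing names are nearly all distinct. The log format, thresholds and sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

def parse_line(line):
    """Constructed format, not any vendor's:
    '<ISO time> <client> <qname> <qtype> <rcode>'."""
    ts, client, qname, qtype, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.rstrip(".").lower(), qtype, rcode

def nxdomain_floods(lines, window_s=60, min_nx=20, min_ratio=0.8, min_unique=0.9):
    """Flag (zone, time window) buckets where most answers are NXDOMAIN and the
    missing names are nearly all distinct, as with auto-generated subdomains."""
    buckets = defaultdict(lambda: {"total": 0, "nx": 0, "names": set()})
    for line in lines:
        ts, _client, qname, _qtype, rcode = parse_line(line)
        zone = ".".join(qname.split(".")[-2:])  # simplification: last two labels
        b = buckets[(zone, int(ts.timestamp()) // window_s)]
        b["total"] += 1
        if rcode == "NXDOMAIN":
            b["nx"] += 1
            b["names"].add(qname)
    alerts = []
    for (zone, _window), b in sorted(buckets.items()):
        if (b["nx"] >= min_nx and b["nx"] / b["total"] >= min_ratio
                and len(b["names"]) / b["nx"] >= min_unique):
            alerts.append({"zone": zone, "total": b["total"], "nx": b["nx"],
                           "unique_names": len(b["names"])})
    return alerts

# Constructed sample: 30 lookups of distinct non-existent subdomains of one zone
# within a minute, a few normal lookups, and a quiet zone with a single typo.
SAMPLE = [f"2024-05-01T12:00:{i:02d}+00:00 203.0.113.{i % 5 + 1} "
          f"{i * 2654435761 % 2**32:08x}.shop.example A NXDOMAIN" for i in range(30)]
SAMPLE += [f"2024-05-01T12:00:{s:02d}+00:00 198.51.100.9 www.shop.example A NOERROR"
           for s in (5, 15, 25)]
SAMPLE += [f"2024-05-01T12:00:{s:02d}+00:00 198.51.100.9 {name}.blog.example A {rcode}"
           for s, (name, rcode) in enumerate([("www", "NOERROR"), ("www", "NOERROR"),
                                              ("feed", "NOERROR"), ("wwww", "NXDOMAIN")])]

if __name__ == "__main__":
    for alert in nxdomain_floods(SAMPLE):
        print("NXDOMAIN flood suspected:", alert)
```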

Industries Most Vulnerable to Security Holes in the Domain Name System

  • Finance
      • Banks
      • Investment groups
      • Payment processing
  • E-commerce
      • Retail sites
      • Dropshipping
      • Subscription-based platforms
      • Hotels and online booking services
  • Technology
      • SaaS, Internet Service Providers, etc.
      • Gaming
      • Mission-critical systems
  • Education
      • Primary schools
      • Secondary schools
      • Colleges and universities
  • Healthcare
      • Online medical charts
      • Insurance
      • Critical online systems

DNS Made Easy: A Step Above the Rest in Fast, Reliable, and Secure DNS

Learn more about the Domain Name System (it’s not as hard as you may think), we post new blogs and educational infographics every week.
