Analyze Potential Indicators Associated With : Domain Name Systems (DNS) Attacks – Part 1 |

Analyze Potential Indicators Associated With : Domain Name Systems (DNS) Attacks – Part 1

Domain Name Server (DNS) is a standard protocol that helps Internet users discover websites using human readable addresses. Like a phonebook which lets you look up the name of a person and discover their number, DNS lets you type the address of a website and automatically discover the Internet Protocol (IP) address for that website.

Without DNS, the Internet would collapse – it would be impossible for people and machines to access Internet servers via the friendly URLs they have come to know.

Uses of DNS

The classic use of DNS is to translate the domain name in a URL into a corresponding IP address. But DNS has many more uses – it underlies many other forms of Internet communication.

What is DNS Used For?

  • • Resolving names of World Wide Web (WWW) sites
  • • Routing messages to email servers and webmail services
  • • Connecting app servers, databases and middleware within a web application
  • • Virtual Private Networks (VPN)
  • • Peer-to-peer sharing programs
  • • Multiplayer games
  • • Instant messaging and online meeting services
  • • Communication between IoT devices, gateways and servers

If you use any of the above services, you will probably use DNS to communicate with it.

If you own or manage any of the above – for example if you own a website or allow VPN access to your company’s network – you will need to setup DNS in order to allow users to access to your service.

Next-Generation Uses of DNS

DNS has evolved over the past 20 years. Next-generation DNS services such as NS1, which provide advanced traffic routing capabilities, have created new uses for DNS:

Global server load balancing (GSLB) – fast routing of connections between globally distributed data centers

    Multi CDN – routing users to the CDN that will provide the best experience

    Geographical routing – identifying the physical location of each user and ensuring they are routed to the nearest possible resource

    Data center and cloud migration – moving traffic in a controlled manner from on-premise resources to cloud resources

    Internet traffic management – reducing network congestion and ensuring traffic flows to the appropriate resource in an optimal manner

What is Domain Hijacking?

Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems.  

Domain name hijacking is devastating to the original domain name owner’s business with wide ranging effects including:

  • Financial damages: Companies who rely on their website for business, such as ecommerce companies and SaaS companies, can lose millions of dollars when they lose control of the domain, their domain is one of their most valuable assets. Domain hijacking is one of the largest cybersecurity risks online businesses have.
  • Reputational damages: Domain hijackers can take control of a hijacked domain’s email accounts and use the domain name to facilitate additional cyber attacks such as installing malware or social engineering attacks.
  • Regulatory damages: By gaining access to a domain name, hijackers can replace the real web page with an identical web page designed to capture sensitive data or personally identifiable information (PII), this is known as phishing. Account information, contact information (email addresses and phone numbers), social media accounts, personal information, IP addresses or any other information that could be used in identity theft or gaining unauthorized access to customer accounts is the target. 

Note many countries (and/or customers) will hold your organization responsible for data breaches or data leaks, regardless of whether they result from a cyber attack like domain hijacking or misconfiguration. Domain hijacking is a real cyber threat, preventing it must be part of your cybersecurity efforts. 

Before we dive into the details of domain hijacking, it’s helpful to understand how the domain name system (DNS) works and its limitations.

How Does the Domain Name System (DNS) Work?

Each top-level domain (TLD) is managed by an organization called a domain name registry, which is appointed by the Internet Corporation for Assigned Names and Numbers (ICANN).

The most popular TLDs are managed by large organizations such as Verisign (.com and .net) or Public Interest Registry (.org).

National domains like .io or are managed by organizations in their respective countries. 

One important thing to understand is registries do not always manage domain name registration. Companies that handle domain registration are called domain name registrars (versus domain name registries) and are usually accredited by registries.

Accredited registrars may then subcontract to non-accredited registrars, increasing third-party risks and fourth-party risks and lengthening the time to resolve potential domain name disputes.

This is because each registrar has its own rules and requirements for proving domain ownership and approving domain transfers.

That said, most TLDS allow anyone to register the domain on one registrar and transfer control of the domain to another registrar (such as from Namecheap to Google domains) for any reason, such as better pricing, better security measures or a better customer experience. 

This has its benefits but also makes domain hijacking possible.

Domain hijacking is a risk to your business even if it’s not your domain that is hijacked. Any third-party vendor you regularly communicate with or that handles your or your customer’s data could have its domain hijacked.  

Domain hijacking must be part of your vendor risk management and third-party risk management programs.

While transferring domains is a little more complicated than registering a new domain, in practice it is a very simple process.

How Does Domain HiJacking Work?

Generally domain hijacking occurs from unauthorized access to, or exploitation of a vulnerability in a domain name registrar, through social engineering, or by gaining access to the domain name owner’s email address and then resetting the password to their domain name registrar. 

Another common tactic is to gather personal information about the actual domain name owner to impersonate them and persuade the domain registrar to modify registration information or transfer the domain to another registrar they control. 

Other methods include email vulnerability, vulnerability at the domain-registration level, keyloggers to steal login credentials and phishing attacks. 

What is DNS Poisoning (DNS Spoofing)

During a DNS poisoning attack, a hacker substitutes the address for a valid website for an imposter. Once completed, that hacker can steal valuable information, like passwords and account numbers. Or the hacker can simply refuse to load the spoofed site.

Someone browsing the web may never know that DNS spoofing is happening. The person may visit a site that looks perfectly normal, and even functions somewhat normally, so everything seems safe.

Or that person may find that a beloved site just won’t load. That person may try again for a time or two, but anger could be directed at the company for hosting a site that doesn’t work. 

Preventing DNS poisoning starts by blocking DNS spoofing. We’ll tell you all about how to do just that.

How Does a DNS Work?

Web developers are encouraged to use short, user-friendly web addresses as they develop their sites. Doing so could help them perform better in search queries, and their addresses help consumers know what pages contain before they click on them. But other computers don’t understand the addresses humans use. A DNS helps. 

Every time you type an address into your browser:

  • • A DNS server is contacted. Your computer must reach out to the DNS server for more information. 
  • • The DNS looks up a numerical address. Computers understand server addresses made up of numbers and dots only. If you’ve never searched for this site before, your computer will ask another server for help. 
  • • A DNS resolver completes the query. Your human-optimized address is switched to a numerical version. 
  • • You’re sent to your site. With the correct numerical address, you head to the proper server that hosts your website.  
  • Data is stored. The internet server you use has a DNS server that stores translations from human addresses to numeric versions. The results of your search are stored here. 

This work happens in seconds, and you may not notice the delay. But behind your screen, your computer is reaching out to others to understand where you should go next and what should happen. 

The DNS system was developed in 1983, when the internet contained far fewer websites and servers. The developers never dreamed that anyone would want to play with the system or defraud users, so no security measures were built in.

What Does DNS Cache Poisoning Look Like?

You ask to visit a site, and your server picks up a hacker’s response. That falsified data is stored, and DNS cache poisoning is complete. 

A hacker could do this by:

  • Impersonating a server. Your DNS server submits a query for a translation, and the hacker responds very quickly with the wrong answer, long before the correct server can do so.
  • Tying up the server. In 2008, researchers discovered that hackers could send thousands of queries to a caching server. Hackers then send thousands of false responses, and in time, they gain control of the root domain and the entire site.
  • Exploiting open ports. In 2020, researchers discovered that hackers could send thousands of queries to DNS resolver ports. In time, with this attack, they discover which port is open. Future attacks will focus only on this port. 

DNS poising attacks occur because the system is insecure. Your computer holds conversations with servers via the user datagram protocol (UDP). This allows for quick, efficient communication. But no security measures are built in. Your computer doesn’t verify the identity of the server it talks to, and it doesn’t validate the data that comes back. 

Forgery in this environment is relatively easy. If you’re not required to prove your identity, and the server you talk to could be owned by anyone at all, you could get falsified information and never know it.

Product categories

Sources:  Networkworld , Ns1, Okta

Are you getting ready to take your A+ exam? Did our tips help? Be sure to comment in on ways we can improve our guide process as well as share your own success stories! We are grateful to help you succeed with the A+ and hope to see you as a certified A+ member soon!  Learn more