Domain Name System (DNS) is a critical Internet service. DNS simplifies the process of finding Internet resources by resolving user-friendly domain names, such as splunk.com, into machine-readable IP addresses like 192.168.1.1.
Many sophisticated cyberattacks rely on DNS activities. Let’s review the risks DNS services face and what organizations can do to guard against DNS attacks. We’ll cover the following critical DNS security topics:
DNS security issues come in three categories: vulnerabilities, threats, and risks.
Vulnerabilities are flaws and weaknesses in DNS systems that can be exploited by attackers. DNS vulnerabilities include misconfigurations, outdated software, failure to apply recent security patches, and susceptibility to attacks from other sources. DNS attacks stem from these vulnerabilities. The more vulnerabilities you have, the higher your risk.
DNS vulnerabilities include:
Threats are human and automated attackers that exploit vulnerabilities in your DNS systems. We’ll examine common DNS attacks in the next section.
Risks are the potential losses and damage that occur when DNS attacks happen, including:
It’s estimated that 90% of business organizations suffer DNS attacks each year, and the average organization faces 7.5 DNS attacks annually. Each attack can incur significant financial costs — estimated at $1.1 million per attack or more — and may lead to other attacks as shown above.
Attack vectors are methods used by cybercriminals to target DNS systems. Some common DNS threats and attack vectors include:
| DNS Threat | Threat Description | Attack Vectors |
| --- | --- | --- |
| DNS Tunneling | Cybercriminals encode non-DNS data, such as executable commands, into a DNS query. The hidden code may issue malicious commands to the server to enable unauthorized access and data extraction to third-party servers. | Malware infection: Attacker infects organizational devices with malware, which establishes a tunneling connection between the DNS resolver server and the attacker. |
| | DNS records are manipulated, allowing threat actors to route traffic from a legitimate website to a malicious one. | Man-in-the-Middle (MITM) attack: Attacker inserts themselves between a Web browser and the DNS server. The attacker then alters the information in the user’s cache (poisons cached DNS results) and on the DNS server to redirect requests to a malicious location. |
| DNS Hijacking | Attackers manipulate how DNS queries are resolved so that users are redirected to malicious websites. DNS hijacking is frequently used for pharming and phishing attacks. | Client or infrastructure attack: Hackers install malware on user PCs, seize control of routers, or hack DNS connections to conduct attacks. |
| DNS Denial of Service (DoS) | Attacker bots send numerous requests through a DNS resolver, which then transmits amplified responses to the targeted DNS server, disrupting the service for legitimate users. Denial-of-service (DoS) attacks flood a server using a single device, making a website or resource unavailable. Distributed denial-of-service (DDoS) attacks use multiple devices to overwhelm the targeted resource. Attackers frequently combine ransomware with DDoS attacks, demanding a ransom to stop the attack or to prevent further disruption if their demands are not met. | DNS flood attacks: Infecting and using high-bandwidth Internet of Things (IoT) devices (video, industrial devices, virtual reality, etc.) to overwhelm DNS servers with numerous requests. DNS amplification attacks: Infecting and using devices with smaller bandwidth connections to send many small requests for very large DNS records. Attackers designate the return address of the requests to be the intended victim, allowing the attacker to disrupt DNS services using fewer attacking devices. |
| DNS Fast Flux | Cyberattackers utilize fast flux techniques to evade detection and prevent search services and organizations from denylisting (blacklisting) malicious IP addresses. Fast flux techniques rapidly associate a single malicious domain name with numerous, frequently changing IP addresses (sometimes thousands of IPs) that obscure the true origin of malicious content. | DNS amplification attacks: Sets of botnet servers or compromised host servers are used as proxy servers to route Web traffic to the original malicious Web server. Proxy IP addresses: Proxy IPs assigned to botnets or compromised servers obscure communication between the end-user and the original server hosting malicious content. |
Security strategies to protect DNS processes from manipulation, interception, redirection, and disruption include:
Implement strong server security practices, including role-based access, the principle of least privilege, and granular access to DNS resources and data. Organizations can implement strong passwords and user verification techniques, including multi-factor authentication, for DNS server access.
Regular monitoring of DNS logs can help detect unusual traffic patterns. Monitoring can also be performed in conjunction with Security Information and Event Management (SIEM) software for an enterprise-wide monitoring solution.
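The log monitoring described here, applied to the tunneling and fast-flux rows of the table above, as an added example that is not Splunk or Cisco code. It runs two simple heuristics over a constructed resolver log (the log format, domains and addresses are all made up for the example): a long, high-entropy leftmost label is the shape encoded data takes when smuggled through DNS queries, and a name that resolves to many distinct addresses within a short window is the churn a fast-flux network leaves behind. The registered-domain helper is deliberately simplified (last two labels); a real deployment would use a public-suffix list.

```python
"""Heuristic DNS log triage for tunneling and fast-flux indicators.

Added example (not Splunk or Cisco code). The log format below is a
constructed, hypothetical resolver log:
    <epoch> <client_ip> <qname> <qtype> <rcode> [answer ...]
"""
import math
from collections import defaultdict

# Constructed sample log lines; all domains and addresses are made up.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A NOERROR 93.184.216.34
1700000001 10.0.0.5 static-assets-static-assets-static-assets.cdn.example.net A NOERROR 198.51.100.20
1700000002 10.0.0.7 x7mz3qk9w2pv5yn4tb8rh6jgcfdsaleu.c2-tunnel.test TXT NOERROR
1700000003 10.0.0.7 q2w9e4r6t8y3u5i7o1p0asdfghjklzxc.c2-tunnel.test TXT NOERROR
1700000004 10.0.0.9 flux.test A NOERROR 203.0.113.10
1700000005 10.0.0.9 flux.test A NOERROR 203.0.113.77
1700000006 10.0.0.9 flux.test A NOERROR 198.51.100.5
1700000007 10.0.0.9 flux.test A NOERROR 192.0.2.200
1700000008 10.0.0.5 www.example.com A NOERROR 93.184.216.34
"""


def shannon_entropy(text):
    """Bits of entropy per character (at most log2 of the alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        records.append({
            "ts": int(parts[0]), "client": parts[1], "qname": parts[2].lower(),
            "qtype": parts[3], "rcode": parts[4], "answers": parts[5:],
        })
    return records


def registered_domain(qname):
    """Simplified: the last two labels. A real deployment should consult a
    public-suffix list so that names like example.co.uk are grouped correctly."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def tunneling_suspects(records, min_label_len=30, min_entropy=3.5):
    """Count queries per registered domain whose leftmost label is both long
    and high-entropy. Length alone is a poor signal: CDN hostnames are long
    but repetitive, so the entropy check keeps them out of the result."""
    hits = defaultdict(int)
    for r in records:
        label = r["qname"].split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits[registered_domain(r["qname"])] += 1
    return dict(hits)


def fast_flux_suspects(records, min_ips=3):
    """Names whose successful A answers pointed at >= min_ips distinct
    addresses within the log window."""
    ips = defaultdict(set)
    for r in records:
        if r["qtype"] == "A" and r["rcode"] == "NOERROR":
            ips[r["qname"]].update(r["answers"])
    return {name: len(s) for name, s in ips.items() if len(s) >= min_ips}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tunneling suspects:", tunneling_suspects(recs))
    print("fast flux suspects:", fast_flux_suspects(recs))
```

Thresholds are the assumption to tune: base32-encoded payload labels sit near 5 bits per character, while the repetitive CDN label in the sample scores around 2.6 and is ignored despite being 41 characters long. In a SIEM these two functions map naturally onto a scheduled search that groups by registered domain and by queried name respectively.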
Keep up to date with security patches.
Global Cyber Alliance research found that DNS firewalls can prevent more than 33% of cybersecurity breaches. Cloud and hardware-based firewalls are available from several vendors.
DNS requests are usually transmitted in plain text, which can be easily intercepted and modified. DNS encryption protects DNS queries and responses from outside interference. Encryption techniques include DNS over HTTPS (DoH), DNS over TLS (DoT), and DNSCrypt.
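To make concrete what "plain text" means here, and what a resolver relies on to reject the forged answers used in the cache-poisoning row of the table above, the following added example (not code from the page or its vendors; standard library only, nothing is sent on the network) builds a DNS query in wire format, checks that a response actually belongs to that query, and then wraps the same bytes in the RFC 8484 DNS over HTTPS GET form. The resolver endpoint URL is a placeholder.

```python
"""A DNS query on the wire, the response checks a resolver must make, and
the DNS over HTTPS (RFC 8484) GET encoding of the same message.

Added example, not code from the page or its vendors. Packets are built in
memory only; nothing is transmitted. The DoH endpoint is a placeholder.
"""
import base64
import os
import struct

QTYPES = {"A": 1, "NS": 2, "TXT": 16, "AAAA": 28}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=None):
    """Plain DNS query. Everything here is readable on the wire; the 16-bit
    transaction ID (random by default) plus a random UDP source port are
    all a classic resolver has to tell a genuine answer from a forged one."""
    if txid is None:
        txid = struct.unpack("!H", os.urandom(2))[0]
    # flags 0x0100 = recursion desired; one question, no other sections
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    return header + question


def parse_header(msg):
    """Decode the 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def response_matches_query(query, response):
    """Checks before trusting an answer: same transaction ID, QR bit set,
    and the question section echoed back verbatim. Source address and
    port checks happen at the socket layer and are not modelled here."""
    if len(response) < 12:
        return False
    q, r = parse_header(query), parse_header(response)
    if q["id"] != r["id"] or not (r["flags"] & 0x8000):
        return False
    qlen = len(query) - 12
    return response[12:12 + qlen] == query[12:]


def doh_get_url(query, endpoint="https://dns.example/dns-query"):
    """RFC 8484 GET form: the raw message, base64url without padding, in the
    'dns' parameter. RFC 8484 recommends transaction ID 0 for DoH so that
    identical queries can share HTTP cache entries; the TLS session, not
    the ID, is what protects the query from interception and alteration."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


if __name__ == "__main__":
    q = build_query("example.com", "A", txid=0)
    print(q.hex())
    print(doh_get_url(q))
```

The contrast the encryption paragraph draws is visible in the two outputs: the hex dump is the query exactly as an on-path observer sees it over UDP port 53, while the DoH URL carries the same bytes inside an HTTPS request, so only the client and the resolver can read or modify them.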
Solutions like Cisco Umbrella can help block access to known malicious domains and IP addresses.
Use DNSSEC (Domain Name System Security Extensions) to prevent hijacking, cache poisoning, and other threats. DNSSEC protocols help verify the authenticity and integrity of DNS data.
Utilize threat intelligence feeds to ensure that lists of malicious servers are continuously updated.
Network segmentation and dynamic management can reduce exposure and limit the impact in the event of a DDoS attack.
Configure and use a load balancer or content delivery network (CDN) to decentralize DNS processing:
Intrusion detection systems (IDS) monitor network traffic for anomalous behavior that may indicate a cyberattack. An IDS can alert administrators when an attack occurs, or it can trigger an automated response through an integrated SIEM monitoring tool such as Splunk Enterprise Security.
Ensure that all DNS-connected devices use advanced protection solutions that can detect and block malware.