Top 10 DNS attacks likely to infiltrate your network

DNS-based attacks are on the rise because many organizations don’t realize DNS is a threat vector and therefore don’t protect it.


DNS based attacks are on the rise

The problem with traditional firewalls is that they leave port 53, the DNS port, open. They are therefore not always effective against DNS-based DDoS attacks such as amplification and reflection. Accurately detecting DNS-based attacks requires extremely high compute performance, which makes deep inspection impractical in terms of cost and the number of distribution points needed. Hence traditional protection is ineffective.

DNS cannot be allowed to go down: if a DNS service fails, network-attached devices stop working. The company loses connectivity to the Internet and can no longer conduct business online, which leads to lost revenue, customer defection and negative brand impact. Here are the top DNS attacks to look out for:


Distributed Reflection DoS attack

•Combines reflection and amplification

•Uses third-party open resolvers on the Internet (unwitting accomplices)

•Attacker sends spoofed queries to the open recursive servers

•Queries are specially crafted to result in a very large response

•Causes DDoS on the victim’s server


Cache poisoning

Corruption of the DNS cache data

1. Attacker queries a recursive name server for the IP address of a malicious site

2. The recursive server does not have the IP address and queries a malicious DNS resolver

3. The malicious resolver provides the requested rogue IP address and also maps the rogue IP address to additional legitimate sites (e.g.

4. The recursive name server caches the rogue IP address as the address for

5. User queries the recursive server for the IP address of

6. The recursive server replies to the user with the cached rogue IP address

7. Client connects to a site controlled by the attacker, thinking it is

Impact: Logins, passwords, credit card numbers of the user can be captured


TCP SYN floods

•Uses the 3-way handshake that begins a TCP connection

•Attacker sends SYN packets with spoofed source IP addresses belonging to bogus hosts

•The server sends SYN-ACKs to these bogus hosts

•It never receives an acknowledgement back from them, so the connections are never completed

•These half-open connections exhaust memory on the server

•Server stops responding to new connection requests coming from legitimate users


DNS tunneling

•Uses DNS as a covert communication channel to bypass the firewall

•Attacker tunnels other protocols like SSH, TCP or Web within DNS

•Enables attackers to easily pass stolen data or tunnel IP traffic without detection

•A DNS tunnel can be used as a full remote-control channel for a compromised internal host

•Also used to bypass captive portals to avoid paying for Wi-Fi service

•Data exfiltration can happen through the tunnel


DNS hijacking

•Modifies DNS record settings (most often at the domain registrar) to point to a rogue DNS server or domain

•User tries to access a legitimate website

•User gets redirected to a bogus site controlled by hackers that looks a lot like the real thing

•Hackers acquire user names, passwords and credit card information


Basic NXDOMAIN attack

•The attacker sends a flood of queries to a DNS server to resolve a non-existent domain name

•The recursive server tries to locate this non-existent domain by carrying out multiple domain name queries but does not find it

•In the process, its cache fills up with NXDOMAIN results

•DNS server response time for legitimate requests becomes slower

•The DNS server also spends valuable resources as it keeps repeating the recursive query to get a resolution result


Phantom Domain attack

•“Phantom” domains are set up as part of the attack

•The DNS resolver tries to resolve multiple domains that are phantom domains

•These phantom domains may not send responses, or they respond slowly

•The server consumes resources while waiting for responses, eventually leading to degraded performance or failure

•Too many outstanding queries accumulate


Random subdomain attack

•Infected clients create queries by prepending randomly generated subdomain strings to the victim’s domain. E.g.

•Each client may send only a small volume of these queries to the DNS recursive server

•Harder to detect

•Many such infected clients send these requests

•Responses may never come back for these non-existent subdomains

•The DNS recursive server waits for responses until its outstanding-query limit is exhausted

•The target domain’s authoritative server experiences DDoS
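As an added example (not from the article), the three query-pattern attacks above, DNS tunneling, NXDOMAIN flooding and random-subdomain flooding, can be spotted in resolver query logs with per-client and per-domain heuristics, the random-subdomain case being counted per victim domain precisely because each bot sends only a few queries. The log format, sample lines and thresholds are constructed assumptions, and the last-two-labels base-domain rule ignores public suffixes.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log in an assumed "client qname qtype rcode" format (not the article's).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.9 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071.t.exfil.test TXT NOERROR
10.0.0.9 8293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9.t.exfil.test TXT NOERROR
10.0.0.9 c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d.t.exfil.test TXT NOERROR
10.0.0.21 x9f2kq1z.victim.test A NXDOMAIN
10.0.0.22 q7mz3pw0.victim.test A NXDOMAIN
10.0.0.23 lk28vd5c.victim.test A SERVFAIL
10.0.0.40 nosuchhost.example.com A NXDOMAIN
10.0.0.40 badname.example.com A NXDOMAIN
10.0.0.40 typoo.example.com A NXDOMAIN
10.0.0.40 www.example.com A NOERROR
"""

def entropy(s):
    """Shannon entropy in bits per character; machine-generated labels score high."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values()) if s else 0.0

def base_domain(qname):
    # Assumption: the last two labels are the zone owner (no public-suffix list).
    return ".".join(qname.lower().strip(".").split(".")[-2:])

def analyse(log, min_hits=3, nx_ratio=0.6, rand_entropy=2.5, tunnel_len=40):
    """Return sorted (kind, subject, detail) findings for the three query-abuse patterns."""
    failed = defaultdict(lambda: [0, 0])  # client -> [failed lookups, total queries]
    random_labels = defaultdict(set)      # base domain -> high-entropy labels that never resolved
    tunnel = defaultdict(int)             # (client, base domain) -> payload-sized queries
    for client, qname, qtype, rcode in (line.split() for line in log.splitlines() if line.strip()):
        base = base_domain(qname)
        prefix = qname[:-len(base) - 1] if qname.lower() != base else ""
        first = prefix.split(".")[0]
        nx_fail = rcode in ("NXDOMAIN", "SERVFAIL")
        failed[client][1] += 1
        failed[client][0] += nx_fail
        # Random subdomain: counted per victim domain, since each bot sends only a few queries.
        if nx_fail and first and entropy(first) >= rand_entropy and any(c.isdigit() for c in first):
            random_labels[base].add(first)
        # Tunneling: oversized names, or high-entropy TXT/NULL names, carrying payload per client.
        if len(prefix) >= tunnel_len or (qtype in ("TXT", "NULL") and entropy(first) >= rand_entropy):
            tunnel[(client, base)] += 1
    findings = []
    for client, (bad, total) in failed.items():
        if total >= min_hits and bad / total >= nx_ratio:
            findings.append(("nxdomain-flood", client, f"{bad}/{total} failed lookups"))
    for base, labels in random_labels.items():
        if len(labels) >= min_hits:
            findings.append(("random-subdomain", base, f"{len(labels)} random-looking labels"))
    for (client, base), n in tunnel.items():
        if n >= min_hits:
            findings.append(("tunneling", client, f"{n} payload-sized queries to {base}"))
    return sorted(findings)
```

Running `analyse(SAMPLE_LOG)` flags the noisy client 10.0.0.40, the victim domain victim.test hit from three low-volume clients, and the TXT tunnel from 10.0.0.9; tune the thresholds against a baseline of your own resolver's traffic before alerting on them.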


Domain lock-up attack

•Attackers set up resolvers and domains that establish TCP-based connections with DNS resolvers

•When the DNS resolver requests a response, these domains send “junk” or random packets to keep it engaged

•They are also deliberately slow to respond to requests, keeping the resolver engaged. This effectively locks up the DNS server’s resources.

•The DNS resolver, maintaining these connections with the misbehaving domains, exhausts its resources


Botnet-based attacks from CPE devices

•Random subdomain attacks that use botnets to target all traffic at one site or domain

•The attack involves compromised devices such as CPE switches and routers

•Supplied by ISPs

•Supplied by the customer

•These malware-infected CPE devices form a botnet to send multiple DDoS traffic to say

•Victim domain experiences DDoS

•DNS resolver resources are exhausted

•When CPE devices are compromised, this can lead to other adverse effects:

•SSL proxy: theft of login credentials, etc.

•Launch point for attacks against customer PCs and environments (expanding the compromise)

Fulton is executive vice president of product at Infoblox.

Copyright © 2015 IDG Communications, Inc.