Types of DNS Attacks and How to Prevent Them

In the cybersecurity world, Distributed Denial of Service (DDoS), malware, and ransomware get more attention than domain name system (DNS) attacks, but DNS attacks are on the rise. 

The domain name system, otherwise known as DNS or DNS system, is the system used everyday to map website names to their associated IP addresses. If you've used the internet, you've used the DNS. It works using the DNS protocol and DNS lookups, which is similar to looking up a phone number in a phone book. As you can imagine, the system has many, many connected endpoints — which means cyber attacks targeting DNS servers continue to grow in volume, frequency, and cost. Awareness of DNS attacks and the need to guard against them is increasing, too. Unfortunately, cybercriminals and hackers are a persistent bunch. There are several kinds of DNS attacks to look out for — and, thankfully, some important cybersecurity steps you can take to protect your business.

How Does DNS Work?

DNS infrastructure consists of three components: client resolvers, local DNS (LDNS) servers, and authoritative DNS (ADNS) servers. Client resolvers perform lookups via a request to a configured LDNS server. The LDNS server then sends iterative queries required by the ADNS server to resolve the name-to-address mapping requested.

Good to Know: In any system with a distributed database, a particular name server may be presented with a query that can only be answered by another server. The two general approaches to dealing with this problem involve a recursive server or iterative server. When using a recursive the first server pursues the query for the client at another server. With an iterative approach the server refers the client to another server to let the client pursue the query. Both have advantages and disadvantages, but the iterative approach is preferred for the datagram access style. The domain system requires implementation of the iterative approach, but allows the recursive approach as an option.

What is a DNS Attack?

What exactly constitutes a DNS attack? The name refers to a category of cyber attacks in which hackers (the bad kind) target an organization’s DNS servers — servers which contain domain names that hackers want. Once they have those domain names, they can execute the types of attacks outlined below. Bad actors can also scan a system for vulnerabilities they can exploit. 

Good to Know: The Domain Name System Security Extensions (DNSSEC) is a feature of the Domain Name System (DNS) that authenticates responses to domain name lookups. It does not provide privacy protections for those lookups, but prevents attackers from manipulating or poisoning the responses to DNS requests.

Types of DNS Attacks

It’s hard to say how many types of DNS attacks exist — hackers are creative, and these attacks are always evolving. But there are some patterns, of course, and of those a few of the most common types of attacks stand out. 

• DNS Amplification Attack: Also known as a Reflection Attack, the Cybersecurity and Infrastructure Security Agency (CISA) defines this attack as a form of DDoS. “... attackers use publicly accessible open DNS servers to flood a target system with DNS response traffic.” Amplification attacks are not attacks on DNS name servers, but use DNS to attack others.
• DNS Flood Attack: The DNS flood attack is somewhat new, but is growing with the increased use of high bandwidth Internet of Things (IoT) botnets such as Mirai. Flood attacks use high bandwidth connections of IoT devices to directly overwhelm the DNS servers of major providers. The IoT devices’ request volume overwhelms the DNS provider’s services, preventing legitimate users from accessing the provider's DNS servers.
• Phantom Domain Attack: Also known as an NXDOMAIN Attack, this DoS attack hits authoritative name servers. Non-functional, clunky searches on DNS servers bog down service. 
• Random Subdomain Attack: These are DoS attacks, too. They send a large volume of DNS queries to a large group of fake subdomains, making the authoritative server unavailable to real traffic. Note: DNS queries consist of a single UDP request from the client, followed by a single UDP reply from the server. When the answer length exceeds 512 bytes, and both client and server support EDNS, larger UDP packets are used. Otherwise, the query is sent again using the Transmission Control Protocol (TCP).
• DNS Hijacking: This method redirects users to malicious domain systems. Types of DNS hijacking include:
  • Middleman Attacks: Middleman attacks are used to steal sensitive data or information from users on sites that require a login. IP spoofing and DNS spoofing (see below) are middleman attacks.
  • DNS Cache Poisoning: Also known as DNS spoofing, attackers send corrupt Domain Name System data into DNS resolver cache, causing the name server to return an incorrect result record (e.g. an IP address) and divert traffic to a computer specified by the attacker.
  • Rogue DNS Server: These attacks convert real site IP addresses to malicious sites to steal sensitive data.

• DNS Spoofing: Focused on public WiFi, DNS spoofing redirects users to an attacker-controlled website. This often leads to phishing or malware attacks.
• Fast Flux: This type of attack is favored by cybercriminals, often botnets, who want to keep their web sites operating while hiding their activity by blocking their IP address. Attackers rapidly cycle through a large number of IP addresses tied to a domain. This hides the malicious domain.
• Domain Lock-up Attack: As the name implies, these attacks lock up a DNS resolver. Attackers do this by creating TCP connections with the resolver, then having the domains send random, junk packets that occupy and overwhelm the resolver.

DNS Attack Statistics and Impact

According to the IDC 2020 Global DNS Threat Report, the recent shift to remote work has made DNS attacks more popular than ever because it increased attack surfaces. The numbers support that assertion:

• Of the organizations surveyed, 87% reported experiencing an attack in 2021 — up from 79% in 2020.
• In 2021 businesses faced 7.6 attacks annually.
• 54% of DDoS attacks were over 5Gb/s.
• The increase in attacks by type from 2020 to 2021 included:
  • DNS phishing up to 49% from 39%
  • DNS-based malware up to 38% from 34%
  • DDoS up to 29% from 27%
  • DNS hijacking up to 27% from 12%
  • DNS tunneling up to 24% from 17%
• The average cost of an attack in 2021: $950k — up from $924k in 2020
• 76% of companies surveyed reported suffering application downtime due to attacks

Industry Impact of DNS Attacks

The goal of a DNS attack is, more often than not, to steal information. That information can then be used for financial gain. Because some industries have more information than others, they tend to be targeted more often than others. The IDC 2020 Global DNS Threat Report highlighted the following industries and attack impact.

Telco

• Unfortunate distinction of being the most targeted industry.
• Average 8.6 attacks per company.
• Cited as having the highest customer information stolen via DNS at 29%.
• Of companies attacked, 31% suffered brand damage, which can lead to high customer churn.

Finance 

• Bad actors see finance organizations as high-value opportunities. 
• Highest average cost damage per attack at $1.08M.
• Cited has highest rate of cloud service downtime when attacked at 52%. 

Retail 

• Compromised websites are the most common effect at 41%. 
• Cloud misconfiguration abuse hit 29%, the highest of all industries. 
• Growth of online shopping makes guarding customer credentials critical. 

Government

• Attacks forced 44% of organizations to shut down network infrastructure for damage control.
• Shutdowns kept citizens and employees from accessing services and apps.

Healthcare

• Survey found industry suffered highest rate of downtime at 53%.
• Of industries attacked, 36% were forced to shut down infrastructure partially or entirely.
• Attacks have potential to impact quality of care and care provider decision-making.

Education 

• COVID-related remote learning increased attack opportunities in 2020.
• Attacks forced 49% of institutions to shut down DNS services or servers.
• Greatest impact was student and teacher inability to access apps and services.

DNS Attack Mitigation Using CloudConnexa and Cyber Shield

The numbers above make it clear that DNS security needs to be front of mind for IT professionals. We mentioned that remote work increased the attack surface available to cyber attackers. That attack surface will increase even more as more IoT (Internet of Things) devices connect to 5G networks. 

That means that now more than ever your business must protect data, apps, cloud services, and users. Fortunately Cyber Shield, a built-in feature of OpenVPN Cloud, protects all of them.

It protects you from DNS attacks while monitoring, detecting, and stopping you from accessing harmful content. Cyber Shield encrypts DNS traffic, securely tunneling it to OpenVPN DNS servers or your private DNS servers to prevent man-in-the-middle attacks. Its functionality enables:

• Filtering content accessible on your network to protect your VPN users from malicious and suspicious websites, even when internet traffic isn’t transported through the VPN. You can choose to simply monitor the number of domain name resolutions that fall into these content categories, or you can take security a step further and enable blocking. DNS-based filtering lets you block domain name resolutions for websites that fall into undesirable or unsafe categories. Specific domain names can be added to allow and block lists. 
• Giving admins the ability to block site domain name resolutions that fall into preset content categories. The Traffic Blocking feature helps users detect and block network threats by category or Threat Level (Levels 1 thru 3).
• Providing DNS Filter and Traffic Reporting and Dashboards with detailed statistics on traffic threats (malware, intrusion, DOS) as well as the device of origin. Plus, the detailed DNS Filter Reporting (exportable to CSV) provides insight into observed and blocked domain name queries from users.
• Protecting remote workers from middleman attacks with a killswitch on the OpenVPN Connect App.