A DNS attack is any attack that targets the availability or stability of a network's Domain Name System service.
The Domain Name System (DNS) is a critical component of the internet infrastructure, responsible for translating human-readable domain names into IP addresses that computers can then use to communicate with each other. The qualities that make DNS vital to the internet also make it a target for threat actors seeking to exploit vulnerabilities for malicious purposes.
DNS attacks attempt either to disrupt the operation of DNS servers or to manipulate the resolution of domain names to IP addresses, so that users are redirected to malicious websites or their internet traffic is intercepted to gain unauthorized access.
On a global scale, 88% of organizations have suffered DNS attacks — with companies encountering an average of seven attacks per year at a cost of $942 thousand per attack, according to the IDC 2022 Global DNS Threat Report. In addition to financial losses, other serious consequences of DNS attacks include data theft, reputation damage, website downtime and malware infections.
To understand how DNS attacks work, it’s important to first understand how DNS works.
DNS works by using a hierarchical system of name servers that store information about domain names and their corresponding IP addresses. When a user types a domain name into their browser, the browser sends a DNS query to a local DNS resolver, which then looks up the IP address associated with the domain name. If the DNS resolver doesn't have the IP address, it sends the query to a root DNS server, which directs it to the authoritative DNS server for the domain. The authoritative DNS server then responds to the query with the correct IP address.
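The walk described above, from the root through the TLD servers to the authoritative server, as an added example that is not part of the original article: a toy iterative resolver over a constructed hierarchy. Server names, zone contents and the TEST-NET-1 addresses are placeholders, and no network traffic is sent. The resolver cache at the end is the data structure that the cache-poisoning attack discussed later targets.

```python
# Added example, not from the original article: a toy iterative resolver that
# walks a constructed hierarchy (root -> TLD -> authoritative). Server names,
# zones and addresses are placeholders; nothing is sent over the network.

ROOT_SERVER = "a.root-servers.example"

# Each simulated server holds the records it is authoritative for. An "NS"
# entry is a delegation: the server refers the resolver to the next server down.
# (Glue records are ignored for simplicity; ns1.example.com. is reached by name.)
SERVERS = {
    ROOT_SERVER: {
        "com.": {"NS": "a.gtld-servers.example"},
    },
    "a.gtld-servers.example": {
        "example.com.": {"NS": "ns1.example.com."},
    },
    "ns1.example.com.": {
        "example.com.": {"A": "192.0.2.1"},
        "www.example.com.": {"A": "192.0.2.10"},
    },
}

CACHE = {}  # resolver cache, qname -> ip: the data a cache-poisoning attack aims to corrupt


def ask(server, qname):
    """Simulate one query to one server.

    Returns ("answer", ip) if the server holds an A record for qname,
    ("referral", next_server) if it holds a delegation for a parent zone,
    or ("nxdomain", None) if it knows nothing useful.
    """
    zone = SERVERS[server]
    if "A" in zone.get(qname, {}):
        return "answer", zone[qname]["A"]
    labels = qname.split(".")
    # Most specific delegation first: "example.com." before "com.".
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if "NS" in zone.get(suffix, {}):
            return "referral", zone[suffix]["NS"]
    return "nxdomain", None


def resolve(qname, max_hops=8):
    """Iterate from the root until an authoritative answer arrives.

    Returns (ip, servers_visited); ip is None when the name does not exist.
    """
    server, path = ROOT_SERVER, []
    for _ in range(max_hops):
        path.append(server)
        kind, value = ask(server, qname)
        if kind == "answer":
            return value, path
        if kind == "nxdomain":
            return None, path
        server = value  # follow the referral
    raise RuntimeError("too many referrals; possible delegation loop")


def resolve_cached(qname):
    """What the local resolver does: answer from cache when it can, otherwise
    perform the full walk and remember the result."""
    if qname not in CACHE:
        ip, _ = resolve(qname)
        if ip is not None:
            CACHE[qname] = ip
    return CACHE.get(qname)


if __name__ == "__main__":
    ip, path = resolve("www.example.com.")
    print(ip, "via", " -> ".join(path))
    print(resolve_cached("www.example.com."), "cached:", "www.example.com." in CACHE)
```

Running it prints the address of www.example.com. together with the three servers consulted; a second lookup is served from CACHE without touching any server, which is exactly why a corrupted cache entry affects every later client of that resolver.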
DNS attacks work by exploiting vulnerabilities in the DNS protocol or infrastructure. To carry out a successful DNS attack, the threat actor needs to intercept the DNS query and send a bogus response before the legitimate response arrives. DNS spoofing, for example, works by tricking the DNS server into caching the wrong IP address for a domain name. Similarly, DNS amplification works by exploiting open resolvers to flood a target server with traffic. In most cases, DNS attacks involve some form of manipulation or exploitation of the DNS system to perpetrate a form of harm or wrongful gain, such as launching a DDoS attack or stealing sensitive data.
DNS spoofing, also known as DNS cache poisoning, is a type of attack involving the manipulation of a DNS server's cache to redirect traffic from a legitimate website to an imposter site. The threat actor achieves a DNS spoofing attack by sending fake DNS responses to the DNS server, tricking it into caching the wrong IP address for an authentic domain name. When users try to access the authentic website, their traffic is directed to the attacker's fake site, which mirrors the original site. The attacker can then steal sensitive information from users, including personally identifiable information, login credentials and credit card numbers.
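The resolver-side defence against the spoofing described above, as an added example that is not part of the original article: the checks a caching resolver applies before it accepts a reply into its cache. A blind spoofer cannot see the outstanding query, so the randomized 16-bit transaction ID and randomized source port are what a forged reply must match, and the bailiwick check prevents a reply for one name from planting records for an unrelated domain. Messages are plain dicts constructed for illustration; all names and addresses are placeholders.

```python
# Added example, not from the original article: the checks a caching resolver
# makes before trusting a reply. Messages are dicts constructed for
# illustration; names and addresses are placeholders.
import secrets

CACHE = {}  # (name, type) -> rdata


def make_query(qname, qtype, bailiwick):
    """Build an outbound query. 'bailiwick' is the zone the server being asked
    is authoritative for; only records inside it may be cached from the reply."""
    return {
        "id": secrets.randbelow(1 << 16),                   # random 16-bit transaction ID
        "sport": 1024 + secrets.randbelow(65536 - 1024),    # random ephemeral source port
        "qname": qname.lower(),
        "qtype": qtype,
        "bailiwick": bailiwick.lower(),
    }


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(pending, response):
    """Return (accepted, reason). A reply that fails any check is discarded."""
    if response.get("id") != pending["id"]:
        return False, "transaction ID does not match the pending query"
    if response.get("dport") != pending["sport"]:
        return False, "destination port does not match the query's source port"
    question = (response.get("qname", "").lower(), response.get("qtype"))
    if question != (pending["qname"], pending["qtype"]):
        return False, "question section does not match"
    for rr in response.get("answers", []) + response.get("additional", []):
        if not in_bailiwick(rr["name"], pending["bailiwick"]):
            return False, f"out-of-bailiwick record for {rr['name']} rejected"
    return True, "ok"


def accept_response(pending, response):
    """Cache the records only when every check passes."""
    ok, reason = validate_response(pending, response)
    if ok:
        for rr in response.get("answers", []) + response.get("additional", []):
            CACHE[(rr["name"].lower(), rr["type"])] = rr["data"]
    return ok, reason


if __name__ == "__main__":
    q = make_query("www.example.com.", "A", "example.com.")
    genuine = {"id": q["id"], "dport": q["sport"], "qname": q["qname"], "qtype": "A",
               "answers": [{"name": "www.example.com.", "type": "A", "data": "192.0.2.10"}]}
    print(accept_response(q, genuine))
    wrong_id = dict(genuine, id=(q["id"] + 1) % 65536)  # a reply carrying the wrong ID
    print(accept_response(q, wrong_id))
```

Together the ID and port give roughly 32 bits of entropy that a forged reply must hit inside the window before the genuine answer arrives; the bailiwick rule is what stops an answer for one name from carrying an "additional" record that overwrites the cached address of another domain.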
DNS amplification is a type of distributed denial of service (DDoS) attack that involves exploiting open DNS resolvers to flood a target server with traffic. The attacker sends a DNS query to an open resolver using a spoofed IP address. The resolver then sends a response far larger than the original query. When the attacker uses multiple open resolvers and spoofed IP addresses, they can overwhelm the target server with traffic so that it becomes unavailable to legitimate users.
DNS tunneling is a type of attack that involves using the DNS protocol to bypass firewalls and exfiltrate data from a compromised network. The attacker sends data packets disguised as DNS queries to a remote server, which then sends the data back to the attacker in the form of DNS responses. This allows the attacker to bypass firewalls, which often allow DNS traffic through, and exfiltrate sensitive data from the compromised network.
DNS hijacking, also known as domain theft, is a type of attack that involves maliciously gaining control of a domain name. The threat actor achieves this by either stealing the owner's login credentials or exploiting a vulnerability in the domain registrar's system. Once the attacker gains control of the domain name, they can redirect traffic to a fake website, steal sensitive information or use the domain name to launch other types of attacks.
DNS reflection is a type of attack that involves exploiting the DNS protocol to amplify DDoS attacks. The attacker sends a DNS query to a server that has an open resolver, using a spoofed IP address as the source. The server then sends a response to the target server, which is much larger than the original query. By using a large number of open resolvers and spoofed IP addresses, the attacker can overwhelm the target server with traffic, making it unavailable to legitimate users.
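The two paragraphs on amplification and reflection describe the same abuse of open resolvers, so one added example covers both; it is not part of the original article. It simulates the two server-side controls that keep a DNS server from being usable as an amplifier: refusing recursion for clients outside the permitted networks (so the server is not an open resolver), and response rate limiting (RRL) per client /24, where a token bucket throttles bursts of responses toward any one address and every second over-limit query is answered with a truncated reply (TC=1) so a genuine client falls back to TCP while a spoofed victim receives almost nothing. The networks, addresses, limits and traffic below are constructed placeholders.

```python
# Added example, not from the original article: recursion restriction plus
# response rate limiting (RRL) simulated over constructed query records.
# Networks, addresses and limits are placeholders. IPv4 is assumed for the /24
# bucketing.
import ipaddress
from collections import Counter, defaultdict

ALLOWED_RECURSION = [ipaddress.ip_network("10.0.0.0/8")]  # internal clients only
RESPONSES_PER_SECOND = 5   # per client /24 (constructed; real deployments tune this)
SLIP = 2                   # every SLIP-th over-limit query gets a truncated reply


class DnsGuard:
    def __init__(self, limit=RESPONSES_PER_SECOND, slip=SLIP):
        self.limit = float(limit)
        self.slip = slip
        self.buckets = defaultdict(lambda: {"tokens": 0.0, "last": None, "over": 0})

    def recursion_allowed(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in ALLOWED_RECURSION)

    def decide(self, query, now):
        """Return (action, reason) for one query: refuse / send / truncate / drop."""
        if query["rd"] and not self.recursion_allowed(query["src"]):
            return "refuse", "recursion not permitted for external clients"
        prefix = ipaddress.ip_network(f"{query['src']}/24", strict=False)
        b = self.buckets[prefix]
        if b["last"] is None:
            b["tokens"] = self.limit                        # fresh bucket starts full
        else:
            b["tokens"] = min(self.limit, b["tokens"] + (now - b["last"]) * self.limit)
        b["last"] = now
        if b["tokens"] >= 1.0:
            b["tokens"] -= 1.0
            return "send", "within rate limit"
        b["over"] += 1
        if b["over"] % self.slip == 0:
            return "truncate", "over limit: TC=1 forces a real client onto TCP"
        return "drop", "over limit"


def simulate(queries):
    """Run (time, src, recursion_desired) tuples through a fresh guard; count actions."""
    guard = DnsGuard()
    counts = Counter()
    for t, src, rd in queries:
        counts[guard.decide({"src": src, "rd": rd}, t)[0]] += 1
    return dict(counts)


# Constructed traffic: 20 non-recursive queries in 0.2 s whose source address is
# a spoofed victim (203.0.113.7), two legitimate internal lookups, and one
# external client asking for recursion.
FLOOD = [(i * 0.01, "203.0.113.7", False) for i in range(20)]
NORMAL = [(1.0, "10.1.2.3", True), (1.5, "10.1.2.4", True), (2.0, "198.51.100.9", True)]

if __name__ == "__main__":
    print(simulate(FLOOD + NORMAL))
```

Of the 20-query burst only the first five are answered in full; the rest are dropped or truncated, so the bytes reflected toward the spoofed address stay small no matter how large the requested record is. The refusal of recursion for 198.51.100.9 is the change that takes a server off the list of open resolvers in the first place.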
A domain generation algorithm (DGA) generates domain names based on a dynamic seed and an algorithm for command and control (C2) purposes. Using this technique, attackers register random-looking domain names (e.g., www.
A computer infected with malware containing a DGA can create thousands of domain names and attempt to contact them every day with the intent to receive an update or commands.
To prevent DGA attacks, an effective cloud security posture management (CSPM) solution will monitor DNS queries and incorporate advanced machine learning techniques to detect suspicious DGA domain request activities. The CSPM will alert security teams when multiple potential DGA-looking domain name queries have been executed by one resource in the cloud environment.
Cryptomining domain request activity involves generating network traffic via software designed to mine cryptocurrency, such as Bitcoin or Ethereum. The mining software makes requests to a domain that hosts mining code and executes the code on the miner's machine, allowing it to contribute computational power to the cryptocurrency network. Incidents of illegally exploiting computational resources to mine cryptocurrencies, known as cryptojacking, have increased 300% in recent years, keeping pace with rising values of cryptocurrencies and luring bad actors seeking financial gains.
Using audit event logs and network flow logs, some CSPM solutions are equipped to detect cryptomining activity traces left on DNS logs. With up-to-date threat intelligence, the CSPM will identify client hosts inside the cloud environment that initiate suspicious DNS queries to domain names associated with known cryptomining pools.
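The DNS tunneling, DGA and cryptomining patterns described above all leave traces in DNS query logs, so one added example covers all three; it is not part of the original article and is not the detection logic of any product named on the page. It runs three heuristics over a constructed log: tunneling (long, high-entropy leftmost labels and many unique subdomains under one zone from a single client), DGA (one client producing a stream of NXDOMAIN answers for random-looking domains) and cryptomining (queries that name a domain on a threat-intelligence list). Every log line, client address, domain and the pool list are constructed placeholders, not real indicators.

```python
# Added example, not from the original article: three detection heuristics run
# over constructed DNS query logs. All hosts, domains and the "threat intel"
# list below are constructed placeholders.
import math
from collections import defaultdict

# Constructed stand-in for a threat-intelligence feed of mining-pool domains.
MINING_POOL_DOMAINS = {"pool.mining-placeholder.example", "xmr.pool-placeholder.example"}

# Constructed log, one query per line: "<unix time> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com. NOERROR
1700000001 10.0.0.5 mail.example.com. NOERROR
1700000002 10.0.0.5 wwww.example.com. NXDOMAIN
1700000003 10.0.0.9 a3f9c1e7b2d4.exfil-placeholder.example. NOERROR
1700000004 10.0.0.9 7e1d0c9b5a2f.exfil-placeholder.example. NOERROR
1700000005 10.0.0.9 c4b8d2e6f0a1.exfil-placeholder.example. NOERROR
1700000006 10.0.0.9 9d3e7a1c5b0f.exfil-placeholder.example. NOERROR
1700000007 10.0.0.9 2b6f0e4d8c3a.exfil-placeholder.example. NOERROR
1700000008 10.0.0.9 5a1c9e3b7d0f.exfil-placeholder.example. NOERROR
1700000010 10.0.0.12 kqzvxwpmrt.example. NXDOMAIN
1700000011 10.0.0.12 bdfghjlnps.example. NXDOMAIN
1700000012 10.0.0.12 cvmrxzqwkt.example. NXDOMAIN
1700000013 10.0.0.12 lpzkqmvtxw.example. NXDOMAIN
1700000014 10.0.0.12 gtrxvzqpnm.example. NXDOMAIN
1700000015 10.0.0.12 wqzxkmvbtr.example. NXDOMAIN
1700000020 10.0.0.20 pool.mining-placeholder.example. NOERROR
"""


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain_labels). Simplification: the last
    two labels are treated as the registered domain; production code would
    consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def parse_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        rows.append({"ts": int(ts), "client": client, "qname": qname, "rcode": rcode})
    return rows


def analyze(rows, min_hits=5, min_entropy=3.0):
    """Return a list of (finding, client, detail) tuples."""
    findings, mining_seen = [], set()
    tunnel = defaultdict(set)  # (client, zone) -> distinct random-looking subdomains
    dga = defaultdict(set)     # client -> distinct random-looking domains that did not resolve
    for r in rows:
        registered, sub = split_name(r["qname"])
        name = r["qname"].rstrip(".").lower()
        # Cryptomining: the query names a known pool (exact name or registered domain).
        if (name in MINING_POOL_DOMAINS or registered in MINING_POOL_DOMAINS) \
                and (r["client"], name) not in mining_seen:
            mining_seen.add((r["client"], name))
            findings.append(("cryptomining", r["client"], name))
        # Tunneling: data rides in long, high-entropy leftmost labels, and each
        # chunk needs a fresh name, so unique subdomains pile up under one zone.
        if sub and len(sub[0]) >= 12 and shannon_entropy(sub[0]) >= min_entropy:
            tunnel[(r["client"], registered)].add(sub[0])
        # DGA: most generated names are never registered, so the infected host
        # produces many NXDOMAIN answers for random-looking domains.
        sld = registered.split(".")[0]
        if r["rcode"] == "NXDOMAIN" and len(sld) >= 8 and shannon_entropy(sld) >= min_entropy:
            dga[r["client"]].add(registered)
    for (client, zone), subs in tunnel.items():
        if len(subs) >= min_hits:
            findings.append(("dns_tunneling", client, zone))
    for client, domains in dga.items():
        if len(domains) >= min_hits:
            findings.append(("dga", client, len(domains)))
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_log(SAMPLE_LOG)):
        print(*finding)
```

The thresholds (five hits, 3.0 bits of entropy, label lengths) are constructed starting points; in practice they are tuned against a baseline of the environment's normal traffic, since CDN hostnames and cache-busting labels can look random too, and the per-client grouping is what separates one infected resource from background noise.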
DNS rebinding attacks can allow a threat actor to bypass network security controls and gain access to sensitive — and otherwise inaccessible — resources. The attack works by exploiting the way web browsers handle the same-origin policy, which is designed to prevent scripts originating on one domain from accessing resources on another domain.
In a DNS rebinding attack, an attacker controls a domain's name server and a website on that domain hosting a malicious script. When a user or service visits the attacker's website with a browser capable of executing the script, the script keeps the page open until the browser's cached DNS entry for the attacker's domain expires. The attacker then changes the domain's DNS record to point to an address on the victim's local network, so the script's subsequent requests, which the browser still treats as same-origin, reach internal resources.
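Two defensive checks against the rebinding sequence described above, as an added example that is not part of the original article. The first mimics the rebind-protection filter that some resolvers offer: an answer mapping an external name to a private, loopback or link-local address is dropped unless the name belongs to a zone expected to resolve internally. The second is the Host-header check a local service applies itself, so that a script rebound to the service's address is still refused even where no resolver filter is in place. Zone names, hostnames and addresses are constructed placeholders.

```python
# Added example, not from the original article: resolver-side rebinding filter
# and service-side Host-header check. Zones, hostnames and addresses are
# constructed placeholders.
import ipaddress

# Zones allowed to resolve to internal address space (constructed).
INTERNAL_ZONES = {"corp.internal"}
# Names this local service accepts in the HTTP Host header (constructed).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "admin.corp.internal"}

# Address ranges that should never appear in answers for external names.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]


def is_internal_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def is_internal_name(name):
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def filter_rebinding(qname, addresses):
    """Resolver-side filter. Returns (kept, dropped) address lists: internal
    addresses are dropped from answers for names outside the internal zones."""
    if is_internal_name(qname):
        return list(addresses), []
    kept, dropped = [], []
    for a in addresses:
        (dropped if is_internal_address(a) else kept).append(a)
    return kept, dropped


def host_header_ok(host_header):
    """Service-side check: accept only the service's own names.
    Handles 'name:port', 'v4:port' and '[v6]:port' forms."""
    h = host_header.strip().lower()
    if h.startswith("["):                                  # bracketed IPv6 literal
        host = h[1:h.find("]")] if "]" in h else ""
    else:
        host = h.rsplit(":", 1)[0] if h.count(":") == 1 else h
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    # The rebinding step: an external name suddenly answers with an internal address.
    print(filter_rebinding("rebind-placeholder.example", ["192.0.2.44", "10.0.0.5"]))
    print(filter_rebinding("admin.corp.internal", ["10.0.0.5"]))
    print(host_header_ok("admin.corp.internal:8443"), host_header_ok("rebind-placeholder.example"))
```

Neither check depends on the record's TTL, which the attacker controls; the resolver filter removes the rebound address before the browser ever sees it, and the Host-header check means that a request arriving with the attacker's domain in the Host header is rejected by the service regardless of which address it was delivered to.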
With the rise in legitimate use of headless browsers for web scraping, web analytics and automated testing of web applications, detecting DNS rebinding attacks in cloud environments is now integral to cloud security.
DNS attacks can have serious consequences for cloud environments, which rely on DNS to connect users with cloud services and applications. By understanding and implementing best practices for DNS security in the cloud, DevSecOps professionals can help protect their networks.
Best practices for securing cloud environments from DNS attacks include:
Prisma Cloud ingests data from several sources such as cloud configurations, network flow logs, audit events and more — processing 1 trillion cloud events daily. Using this data, the context-driven platform wields Palo Alto Networks Unit 42® threat intelligence, third-party intelligence streams, machine learning (ML) and user and entity behavior analytics (UEBA) to identify threats lurking across cloud environments. With each threat detected, Prisma Cloud provides actionable remediation steps to help you respond and keep your organization safe.