DNS Remains a Critical Focus Area for Security Professionals

San Mateo, October 25 – NetSTAR has partnered with a leading, global cyber intelligence data firm to enhance its insights around DNS as a threat vector. Leveraging key internet traffic data collected by this company, NetSTAR has increased its visibility into DNS server logs and performance. Increased visibility into DNS traffic is a must in today’s security climate.

DNS is a common threat vector, and one sometimes ignored by internet and network security professionals. DNS-based attacks may include:

  • Cache poisoning (spoofing): the most common DNS attack, cache poisoning involves injecting malicious data into the DNS resolver cache to redirect users to impostor sites instead of desired sites, often as part of a phishing attack
  • Domain hijacking: an attack that modifies DNS servers and domain registrar data to direct traffic away from the domain to a phony site, often used to spoof payment pages and collect credit card or PayPal information
  • Distributed reflection DoS attacks: this attack type uses unwitting third-party resolvers and spoofed source addresses to drive a DoS attack, often involving botnets to amplify the attack effect
  • DNS tunneling: an attack that leverages DNS communication to bypass firewalls while tunneling protocols such as SSL and TCP, with the intent of data exfiltration, malicious data transfer, or remote control of a compromised host
  • DNS hijack/redirect attacks: in this attack, malware changes TCP/IP configuration settings to point to a rogue DNS server and redirect users to impostor sites
  • Random subdomain attacks: another type of DoS attack involving botnets, wherein hosts send DNS requests for non-existent subdomains to an authoritative DNS that hosts the main domain name in an attempt to exhaust DNS outstanding query limits
  • NXDOMAIN attacks: similar to a random subdomain attack, this type of attack involves a flood of queries from remote DNS clients to a DNS server for non-existent domains
  • Phantom domain attacks: an attack that saturates a DNS resolver with requests for multiple domains that will never respond to the DNS server or will respond very slowly
  • TCP SYN attacks: in this attack, the three-way handshake that initiates a TCP connection is exploited as spoofed SYN packets are sent, and the server wastes resources sending acknowledgments to bogus destinations which are never answered
  • Domain lockup attacks: in this attack type, attackers set up resolvers and domains to establish TCP connections with DNS resolvers, and upon receipt of requests from the DNS resolver these domains send delayed and random packets to the server to exhaust DNS server resources
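Several of the attack types above (random subdomain floods, NXDOMAIN floods, and DNS tunneling) leave recognisable traces in recursive resolver logs, which is the visibility the release is talking about. The following is an added example, not NetSTAR's code or anything from the original release: a small Python detector run over a constructed resolver log. The log format (`<epoch> <client_ip> <qname> <rcode>`), the thresholds, and the two-label "zone" heuristic are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, not real traffic. Assumed line format:
# "<epoch> <client_ip> <qname> <rcode>". It mixes ordinary lookups with
# (a) one client hammering a zone with random, non-existent labels and
# (b) one client sending long, high-entropy labels typical of DNS tunnelling.
SAMPLE_LOG = "\n".join(
    ["1700000000 10.0.0.5 www.example.com. NOERROR",
     "1700000001 10.0.0.5 mail.example.com. NOERROR",
     "1700000002 10.0.0.5 cdn.example.net. NOERROR",
     "1700000003 10.0.0.5 login.example.org. NXDOMAIN"]
    + [f"17000000{10 + i:02d} 10.0.0.9 x{i:04d}rnd.target.example. NXDOMAIN"
       for i in range(12)]
    + ["1700000030 10.0.0.23 MFRGGZDFMZTWQ2LKNNWG23TPOBSXE3DVMN3WS3BJ.t.example. NOERROR",
       "1700000031 10.0.0.23 PB4XG4DFOJUW2ZLOOQQHG5LNEBWXIIDSNFTWQ5BA.t.example. NOERROR"]
)


def parse_log(text):
    """Parse the assumed log format into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.rstrip(".").lower(), "rcode": rcode})
    return records


def zone_of(qname, labels=2):
    """Crude zone guess: the last `labels` labels (assumption; no public suffix list)."""
    return ".".join(qname.split(".")[-labels:])


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def nxdomain_flood_clients(records, min_queries=10, min_ratio=0.8):
    """Clients whose share of NXDOMAIN answers looks like an NXDOMAIN flood."""
    total, nx = Counter(), Counter()
    for r in records:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    return {c: nx[c] / total[c] for c in total
            if total[c] >= min_queries and nx[c] / total[c] >= min_ratio}


def random_subdomain_zones(records, min_distinct=10):
    """Zones receiving many distinct non-existent subdomains (random-subdomain pattern)."""
    distinct = defaultdict(set)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            distinct[zone_of(r["qname"])].add(r["qname"])
    return {z: len(names) for z, names in distinct.items() if len(names) >= min_distinct}


def tunnel_like_queries(records, max_label_len=30, min_entropy=3.5):
    """Queries whose leading label is both long and high-entropy (tunnel-like)."""
    hits = []
    for r in records:
        label = r["qname"].split(".")[0]
        if len(label) > max_label_len and shannon_entropy(label) >= min_entropy:
            hits.append((r["client"], r["qname"]))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("NXDOMAIN flood clients:", nxdomain_flood_clients(recs))
    print("Random-subdomain zones:", random_subdomain_zones(recs))
    print("Tunnel-like queries:", tunnel_like_queries(recs))
```

On the constructed log this flags 10.0.0.9 as an NXDOMAIN flood source, `target.example` as the zone receiving random subdomains, and 10.0.0.23's two long base32-looking labels as tunnel-like. The thresholds are deliberately conservative starting points; in production they should be tuned against a baseline of the resolver's normal NXDOMAIN rate and label lengths, since CDNs and some legitimate software also produce long or random-looking labels.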

Steve Earnshaw, NetSTAR Vice President of Product Management, explains: “The biggest challenge impacting internet security today is having visibility into the actual traffic flows of the internet. And with DNS-based attacks on the rise, nowhere is this more necessary than with DNS traffic. More and more organizations are relying on AI and machine learning, which does address security issues in part. But having people who can review DNS footprints from recursive to authoritative DNS logs and perform other tasks is critical, too.”

NetSTAR has human review teams in place around the globe, working 24/7 to continuously improve our visibility into the internet.