5 types of DNS attacks and how to detect them

The Domain Name System, or DNS, is used in computer networks to translate domain names to IP addresses which are used by computers to communicate with each other. DNS exists in almost every computer network; it communicates with external networks and is extremely difficult to lock down since it was designed to be an open protocol. An adversary may find that DNS is an attractive mechanism for performing malicious activities like network reconnaissance, malware downloads, or communication with their command and control servers, or data transfers out of a network. Consequently, it is critical that DNS traffic be monitored for threat protection.

Attack 1: Malware installation. This may be done by hijacking DNS queries and responding with malicious IP addresses. The goal of malware installation can also be achieved by directing requests to phishing domains.

Indicators of compromise: Forward DNS lookups of typo squatting, domain names that look or sound similar (gooqle.com for example); modifications to hosts file; DNS cache poisoning.
Attack 2: Credential theft. An adversary may create a malicious domain name that resembles a legitimate domain name and use it in phishing campaigns to steal credentials.

Indicators of compromise: Forward DNS lookups of typo squatting, domain names that look or sound similar (gooqle.com for example); modifications to hosts file; DNS cache poisoning.
Attack 3: Command & Control communication. As part of lateral movement, after an initial compromise, DNS communications is abused to communicate with a C2 server. This typically involves making periodic DNS queries from a computer in the target network for a domain controlled by the adversary. The responses contain encoded messages that may be used to perform unauthorized actions in the target network.

Indicators of compromise: DNS beaconing queries to anomalous domain, low time-to-live, orphan DNS requests.
Attack 4: Network footprinting. Adversaries use DNS queries to build a map of the network. Attackers live off the terrain so developing a map is important to them.

Indicators of compromise: Large number of PTR queries, SOA and AXFER queries, forward DNS lookups for non-existent subdomains in the root domain.
Attack 5: Data theft. Abuse of DNS to transfer data; this may be performed by tunneling other protocols like FTP, SSH through DNS queries and responses. Attackers make multiple DNS queries from a compromised computer to a domain owned by the adversary. DNS tunneling can also be used for executing commands and transferring malware into the target network.

Indicators of compromise: Large number of subdomain lookups or large lookup size; long subdomains; uncommon query types (TXT records).
Feeling overwhelmed? There is a ton of detail to absorb and process discipline to put it into practice for 24/7 threat detection and response. Allow us to do the heavy lifting with our co-managed SIEM, SIEMphonic. Whether you use on-premise DNS like Microsoft DNS server or Infoblox or cloud services from OpenDNS, we’ve got you covered. Check out our "Catch of the Day" to read true stories from our SOC in which we detected and thwarted cyber-attacks including DNS-based threats.