DNS Attacks Detection
Created by : Muhammed Dardir
LinkedIn : Muhammed-Dardir
Contents
Introduction
DNS Server and Client Types
  DNS Server
  DNS Client
  DNS Records
What is the process for collecting DNS logs?
DNS Attacks & Detection
  Unauthorized DNS server use
  Malicious sites on shared hosting
  Modifying your DNS records
  DNS Tunneling
  Blockchain DNS
  Internationalized Domain Names (IDNs)
Domain Name Attacks & Detection
  Fast Flux
  Squatting domain
Questions to answer
General
Introduction
The Domain Name System (DNS) is the backbone of the internet: a hierarchical,
distributed directory that translates human-readable domain names into the IP
addresses machines use. Almost every connection begins with a DNS lookup, so DNS
supports not only user accessibility and load balancing but also security controls
such as DNSSEC (authenticated answers) and DNS filtering, and its logs are one of the
richest data sources for detecting attacks. Understanding its basic components is a
prerequisite for the detections described below.
DNS Server and Client Types :
DNS Server :
- Authoritative DNS Servers : Hold the zone data for a domain and give final answers
about it; the NS records of a zone point to them, and every recursive lookup ends at one.
- Recursive DNS Servers : Resolve queries on behalf of clients by walking the hierarchy
(root, TLD, then authoritative servers) until they have an answer, then return it to
the client.
- Caching DNS Servers : Store (cache) answers for the TTL set by the authoritative
server so repeated queries are served locally. In practice recursive resolvers are also
caches: the ISP resolver, OpenDNS, Google 8.8.8.8, Cloudflare 1.1.1.1, a local Pi-hole, etc.
- Forwarding DNS Servers : Do not resolve on their own; they pass queries to an
upstream recursive resolver (often the ISP's, or a public service such as Google Public
DNS or OpenDNS) and cache the replies. A forwarder gives an organisation one choke point
for caching, logging and filtering, which is why clients talking to any other resolver
(see "Usage of unauthorized DNS servers" below) are worth alerting on.
DNS Client :
- Stub Resolver : The basic DNS client built into the host OS (the resolver library
behind gethostbyname/getaddrinfo). It does not walk the hierarchy itself: it sends the
query to the recursive resolver it is configured with (/etc/resolv.conf, or the adapter
settings on Windows) and returns whatever answer comes back. Because the stub trusts
that configured resolver completely, the resolver setting of each host is itself
something to monitor.
DNS Records :
- A (Address) Record: Maps a domain name to an IPv4 address.
- AAAA (IPv6 Address) Record: Maps a domain name to an IPv6 address.
- CNAME (Canonical Name) Record: Makes one name an alias of another (the canonical
name); resolution continues at the target name.
- MX (Mail Exchange) Record: Lists the mail servers that receive email for the domain,
each with a preference value; a sending mail server looks up the MX records of the
recipient's domain to find the host to deliver to.
- NS (Name Server) Record: Names the authoritative DNS servers for a zone, i.e. where
its records can be found.
- PTR (Pointer) Record: Used for reverse DNS lookups (under in-addr.arpa / ip6.arpa),
mapping an IP address back to a name.
- TXT (Text) Record: Holds free-form text. Used for domain ownership verification and
for email authentication (SPF policies, DKIM public keys, DMARC); because the payload is
arbitrary, it is also the record type that tunnels and C2 channels abuse most.
- SRV (Service) Record: Advertises the host and port for a service (for example
_ldap._tcp.example.com), with priority and weight values.
What is the process for collecting DNS logs?
- Network extraction : passive capture on the resolver's segment or at the internet
edge with a sensor such as Zeek, whose dns.log records every query and answer (name,
type, response code, answers, TTLs) regardless of which resolver the client used.
- Source host : endpoint telemetry, for example Sysmon Event ID 22 (DNS query) on
Windows, which also records the process that issued the lookup.
- Directly from the DNS server : the resolver's own query logs, e.g. BIND query logging
or Windows DNS Server analytic (ETW) logging.
DNS Tunneling
Detection : Monitor DNS traffic for patterns that normal name resolution does not
produce: a high rate of requests, very long query names, or encoded data carried in the
query labels or in the answers (the query name is the upstream channel, TXT/NULL/CNAME
answers the downstream one).
- Excessive queries for one domain with many distinct subdomains (each chunk of data
needs a new, never-cached name)
- Excessive DNS queries from one source
- Excessive amount of unusual query types : TXT, CNAME, MX, NULL
- Long or random-looking subdomains (high character entropy, hex- or base32-looking
labels that approach the 63-character label limit)
- Encoded data in TXT responses
- Usage of unauthorized DNS servers (clients resolving against anything but the
corporate resolver)
- False positives : CDNs, antivirus and reputation services that encode hashes in
subdomains, DNS hijacking tests
Prevent : Deep Packet Inspection (DPI), DNS filtering, DNSSEC, threat intelligence
feeds, behavioural analysis of query patterns. DNSSEC authenticates answers but does not
stop a tunnel to a domain the attacker controls, so filtering and restricting egress to
approved resolvers carry most of the weight.
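The indicators above, turned into a small detector that runs over constructed sample records in a simplified Zeek dns.log layout (timestamp, source IP, query name, query type). This is an added example written for this page, not code from the original document; the allowlist, the thresholds and the "last two labels" registered-domain rule are assumptions made for the illustration.

```python
import math
from collections import defaultdict

# Query types that rarely dominate normal client traffic; tunnels favour them
# because their answers carry large free-form payloads.
ODD_QTYPES = {"TXT", "NULL", "CNAME", "MX"}

# Assumed allowlist: domains that legitimately produce many random-looking
# subdomains (CDN edge names, AV/reputation lookups) and must not be flagged.
DEFAULT_ALLOWLIST = {"cloudfront.net", "akamaiedge.net"}

# Constructed sample in a simplified Zeek dns.log layout: ts, id.orig_h, query, qtype_name.
SAMPLE_LOG = """\
#fields\tts\tid.orig_h\tquery\tqtype_name
1700000001.0\t10.0.0.7\twww.example.com\tA
1700000002.0\t10.0.0.7\tmail.example.com\tA
1700000003.0\t10.0.0.7\texample.com\tMX
1700000004.0\t10.0.0.5\tk3j9q2w7x1z5p8m4.badtunnel.net\tTXT
1700000005.0\t10.0.0.5\tv6r0t2y8u1i5o3n7.badtunnel.net\tTXT
1700000006.0\t10.0.0.5\tb4d7f1h9l2s6c3e8.badtunnel.net\tTXT
1700000007.0\t10.0.0.5\tg5a0q9w2e7r4t1y6.badtunnel.net\tTXT
1700000008.0\t10.0.0.5\tm8n3x5z0c2v7b1k9.badtunnel.net\tNULL
1700000009.0\t10.0.0.5\tp1o4i7u2y5t8r3e6.badtunnel.net\tNULL
1700000010.0\t10.0.0.9\td1k9x2m7p4q8z3.cloudfront.net\tA
1700000011.0\t10.0.0.9\td3t5r8y1w6u2o9.cloudfront.net\tA
1700000012.0\t10.0.0.9\td7f2h6j0l4n9s1.cloudfront.net\tA
1700000013.0\t10.0.0.9\td2c8v5b1n6m3k0.cloudfront.net\tA
1700000014.0\t10.0.0.9\td9e4i1o7a3u5y8.cloudfront.net\tA
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score well above normal hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Last two labels (assumed rule). Production code should use the Public
    Suffix List so that 'example.co.uk' is not collapsed to 'co.uk'."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the tab-separated sample; '#' lines are Zeek-style headers."""
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        ts, src, query, qtype = line.split("\t")
        rows.append({"ts": float(ts), "src": src, "query": query, "qtype": qtype})
    return rows


def profile_domains(rows: list) -> dict:
    """Aggregate the tunneling signals per registered domain."""
    prof = defaultdict(lambda: {"queries": 0, "subdomains": set(), "odd": 0,
                                "sub_len": 0, "entropy": 0.0})
    for r in rows:
        q = r["query"].rstrip(".").lower()
        dom = registered_domain(q)
        sub = q[:-len(dom)].rstrip(".")          # everything left of the registered domain
        p = prof[dom]
        p["queries"] += 1
        p["subdomains"].add(sub)
        p["odd"] += r["qtype"] in ODD_QTYPES
        p["sub_len"] += len(sub)
        p["entropy"] += shannon_entropy(sub.replace(".", ""))
    return prof


def flag_tunneling(rows: list, allowlist=DEFAULT_ALLOWLIST, min_queries=5,
                   min_subdomains=5, min_entropy=3.5, min_odd_ratio=0.5) -> dict:
    """Return {domain: stats + reasons} for domains that look like tunnel endpoints."""
    flagged = {}
    for dom, p in profile_domains(rows).items():
        if dom in allowlist or p["queries"] < min_queries:
            continue
        n = p["queries"]
        stats = {"queries": n, "unique_subdomains": len(p["subdomains"]),
                 "avg_subdomain_len": p["sub_len"] / n, "avg_entropy": p["entropy"] / n,
                 "odd_qtype_ratio": p["odd"] / n}
        reasons = []
        if stats["unique_subdomains"] >= min_subdomains and stats["avg_entropy"] >= min_entropy:
            reasons.append("many high-entropy subdomains")
        if stats["odd_qtype_ratio"] >= min_odd_ratio:
            reasons.append("mostly TXT/NULL/CNAME/MX queries")
        if reasons:
            flagged[dom] = {**stats, "reasons": reasons}
    return flagged


def top_sources(rows: list) -> list:
    """Query count per source host, busiest first (the 'one noisy client' signal)."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["src"]] += 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for dom, info in flag_tunneling(rows).items():
        print(dom, info["reasons"], round(info["avg_entropy"], 2))
    print(top_sources(rows))
```

Running it flags only badtunnel.net; the five random-looking cloudfront.net names are skipped because of the allowlist, and calling `flag_tunneling(rows, allowlist=set())` shows that without it the CDN would be reported on the subdomain-entropy rule alone, which is the false positive the list above warns about.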
Blockchain DNS
Definition : A blockchain DNS (BDNS) system keeps name registrations on a blockchain
instead of in the ICANN registry hierarchy. If a company registers a domain (like
example.com) there, anyone can see and verify the registration, and every update or
transfer is recorded immediately and cannot be altered afterwards. Names under these
roots (Namecoin's .bit, EmerDNS's .emc, .coin, .lib and .bazar, for example) are not
visible to ordinary resolvers, so a user needs a browser extension, a local BDNS
resolver, or a resolver that peers with the blockchain. There is one important
exception, at least in the case of EmerDNS, which is currently a commonly used
blockchain DNS solution: the OpenNIC project maintains a peering agreement with
EmerDNS, so if a user is using OpenNIC's DNS resolvers to resolve DNS
Example : Attackers host phishing and C2 domains on BDNS because there is no registrar
or registry to act on an abuse report, so the domain cannot be taken down the way an
ICANN domain can.
Detection : Look in resolver and Zeek logs for queries whose names end in a blockchain
root zone (.bit, .emc, .coin, .lib, .bazar). A normal resolver answers NXDOMAIN for
them, so a successful resolution also means the client is using an OpenNIC or
BDNS-aware resolver rather than the corporate one.
Prevent : Block or sinkhole these root zones on the corporate resolver, restrict
outbound DNS (53/udp, 53/tcp, DoH and DoT) to approved resolvers, and audit resolver
configuration and DNS logs regularly.
Internationalized Domain Names (IDNs)
Definition : The only characters allowed in DNS hostnames are the letters a-z, the
digits 0-9 and the hyphen. To let someone register a domain name in Greek or Chinese
characters, IDNA encodes the Unicode name into that ASCII subset with Punycode; the
encoded label carries the prefix "xn--" and is what actually travels in DNS, while the
browser displays the Unicode form. Because many non-Latin characters look identical to
Latin ones, an IDN can be registered that displays as a well-known brand (a homograph
attack; see "Squatting domain").
Example : ᏚĖC450.com is encoded as xn--c450-uva139z.com
Fast Flux
Example : An attacker uses Fast Flux to host a phishing website. The domain's A records
point to a pool of compromised hosts (flux agents, typically bots on residential
connections) that proxy traffic to the real back-end, and the set of IP addresses
returned changes every few minutes, so blacklisting any one address does little.
Detection : Monitor DNS responses, not only queries, for domains whose answers change
rapidly. Count the distinct IP addresses (and the distinct ASNs or networks they belong
to) seen for a domain over time, the number of name server changes (double flux, where
the NS records rotate as well), and look for very short time-to-live (TTL) values, from
seconds to a few minutes. Content delivery networks also rotate answers with short
TTLs, but their addresses sit in a few provider networks rather than across many
unrelated residential ASNs.
Prevent : Rate limiting, IP geolocation and ASN analysis of the returned addresses,
blocking the domain at the resolver once identified.
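The response-side features above (distinct addresses, distinct networks, TTL, how often a fresh address appears) computed over a constructed set of logged answers, with a CDN and an ordinary site included so the thresholds can be seen to separate them. This is an added example for this page, not code from the original document; the /16 bucket standing in for an ASN lookup, the thresholds, and the sample domains and addresses (documentation ranges) are assumptions. It covers A-record flux only, not the NS rotation of double flux.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of DNS responses as a sensor would log them:
# (timestamp, domain, ttl_seconds, list of A-record answers).
SAMPLE_RESPONSES = [
    # Flux domain: every answer set is three fresh addresses in unrelated networks, TTL 180 s.
    (0,   "promo-login.example", 180, ["198.51.100.10", "203.0.113.7", "192.0.2.44"]),
    (300, "promo-login.example", 180, ["198.51.100.23", "203.0.113.99", "192.0.2.8"]),
    (600, "promo-login.example", 180, ["198.51.100.71", "203.0.113.5", "192.0.2.150"]),
    (900, "promo-login.example", 180, ["198.51.100.2", "203.0.113.61", "192.0.2.19"]),
    # CDN-fronted site: short TTL and rotating answers, but only four addresses in one network.
    (0,   "static.cdn-example.net", 60, ["192.0.2.10", "192.0.2.11"]),
    (300, "static.cdn-example.net", 60, ["192.0.2.12", "192.0.2.13"]),
    (600, "static.cdn-example.net", 60, ["192.0.2.10", "192.0.2.13"]),
    (900, "static.cdn-example.net", 60, ["192.0.2.11", "192.0.2.12"]),
    # Ordinary site: one address, long TTL.
    (0,   "www.example.org", 3600, ["203.0.113.200"]),
    (900, "www.example.org", 3600, ["203.0.113.200"]),
]


def network_of(ip: str) -> str:
    """Coarse /16 bucket, used here as an assumed stand-in for the ASN lookup
    (e.g. against a MaxMind or Team Cymru dataset) that real code would do."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def profile(responses: list) -> dict:
    """Per-domain address set, network set, TTL total and 'new address seen' count."""
    prof = defaultdict(lambda: {"responses": 0, "ips": set(), "networks": set(),
                                "ttl_total": 0, "new_ip_responses": 0})
    for _ts, domain, ttl, answers in sorted(responses, key=lambda r: r[0]):
        p = prof[domain]
        p["responses"] += 1
        p["ttl_total"] += ttl
        if any(ip not in p["ips"] for ip in answers):
            p["new_ip_responses"] += 1          # this answer introduced an unseen address
        p["ips"].update(answers)
        p["networks"].update(network_of(ip) for ip in answers)
    return prof


def flag_fast_flux(responses: list, max_ttl=300, min_ips=5, min_networks=3) -> dict:
    """Flag domains with short TTLs whose answers spread over many addresses in
    many networks. Thresholds are assumed values for the example."""
    flagged = {}
    for domain, p in profile(responses).items():
        stats = {
            "unique_ips": len(p["ips"]),
            "unique_networks": len(p["networks"]),
            "avg_ttl": p["ttl_total"] / p["responses"],
            "churn": p["new_ip_responses"] / p["responses"],
        }
        if (stats["avg_ttl"] <= max_ttl and stats["unique_ips"] >= min_ips
                and stats["unique_networks"] >= min_networks):
            flagged[domain] = stats
    return flagged


if __name__ == "__main__":
    for domain, stats in flag_fast_flux(SAMPLE_RESPONSES).items():
        print(domain, stats)
```

The CDN survives the check on network diversity alone: its TTL is even shorter than the flux domain's, which is why TTL by itself is a poor discriminator and the network (ideally ASN) count has to be part of the rule.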
Squatting domain
Definition : Domain squatting, also known as cybersquatting, is the registration of a
domain name with the intent to exploit or profit from the reputation of someone else's
trademark or brand. It usually means registering variations of a well-known domain name
to deceive users or to capture web traffic intended for the legitimate owner.
Example : An individual registers a domain such as "g00gle.com" to mislead users who
mistype or misread "google.com". The deceptive domain can host malicious content or be
used for phishing.
Types :
- Typosquatting : a misspelling a user is likely to type (omitted, doubled or
transposed letters, digits for letters)
- Homograph Attack : characters from another script that look identical to Latin ones,
delivered as an IDN (see above)
- Brandjacking : using the brand name itself to impersonate the company
- Combosquatting : the brand combined with another word (brand-login, brand-secure)
- New gTLD Squatting : the brand name registered under a TLD the owner did not register
Detection : Monitor domain registrations (newly registered domain feeds, certificate
transparency logs) and DNS queries for variations of known trademarks or brands.
Automated tools can generate the likely misspellings and confusable-character variants
of each brand and compare new domains against them. Sudden spikes in registrations
around popular events or brand launches are a further indicator.
Prevent : Defensive domain registrations, regular domain monitoring, trademark
registration.
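A classifier for the squatting types listed above and for the IDN homograph case from the "Internationalized Domain Names" section: it decodes "xn--" labels back to Unicode with Python's punycode codec, detects mixed-script labels, folds confusable glyphs to ASCII so a Cyrillic look-alike compares equal to the brand, and generates the typo variants a squatter would register. This is an added example for this page, not code from the original document or from any of the tools it names; the brand watchlist, the handful of confusable mappings (a tiny subset of the Unicode confusables table) and the digit-for-letter substitutions are assumptions.

```python
import unicodedata

# Assumed watchlist for the example: brands to protect and their real domains.
BRANDS = {"google", "paypal", "apple"}
KNOWN_GOOD = {"google.com", "paypal.com", "apple.com"}

# Tiny subset of the Unicode confusables table: non-Latin glyphs that render like
# ASCII letters. Production code should load the full confusables.txt from Unicode.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0443": "y", "\u03bf": "o", "\u03b1": "a", "\u0131": "i",
}
# Digit-for-letter swaps typosquatters use (o -> 0 as in g00gle). Assumed set.
DIGIT_SUBS = {"o": "0", "l": "1", "i": "1", "e": "3", "s": "5"}


def decode_label(label: str) -> str:
    """Turn an 'xn--' A-label back into its Unicode U-label; anything else passes through."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label


def scripts_in(label: str) -> set:
    """Script of every letter in the label, taken from the first word of its Unicode
    name (LATIN, CYRILLIC, GREEK, ...); digits and hyphens are ignored."""
    names = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label}
    return names - {"DIGIT", "HYPHEN-MINUS"}


def skeleton(label: str) -> str:
    """Collapse confusable glyphs to ASCII so that Cyrillic 'аррӏе' compares equal to 'apple'."""
    folded = unicodedata.normalize("NFKC", label.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def typo_variants(word: str) -> set:
    """Omissions, repetitions, transpositions and digit swaps of a brand name."""
    out = set()
    for i, ch in enumerate(word):
        out.add(word[:i] + word[i + 1:])                          # gogle
        out.add(word[:i] + ch + word[i:])                          # gooogle
        if i + 1 < len(word):
            out.add(word[:i] + word[i + 1] + ch + word[i + 2:])    # googel
        if ch in DIGIT_SUBS:
            out.add(word[:i] + DIGIT_SUBS[ch] + word[i + 1:])     # g0ogle
    for letter, digit in DIGIT_SUBS.items():
        out.add(word.replace(letter, digit))                      # g00gle
    out.discard(word)
    return out


def classify(domain: str):
    """Return the squatting type for a registered domain, 'legitimate', or None."""
    domain = domain.lower().rstrip(".")
    if domain in KNOWN_GOOD:
        return "legitimate"
    sld, _, _tld = domain.rpartition(".")
    label = decode_label(sld)
    skel = skeleton(label)
    if skel in BRANDS and label != skel:
        return "homograph"                 # looks like the brand, is not the brand
    if len(scripts_in(label)) > 1:
        return "homograph"                 # Latin mixed with another script
    if sld in BRANDS:
        return "new gtld squatting"        # the real brand name under another TLD
    if any(sld in typo_variants(b) for b in BRANDS):
        return "typosquatting"
    if any(b in sld and sld != b for b in BRANDS):
        return "combosquatting"
    return None


if __name__ == "__main__":
    for d in ["google.com", "g00gle.com", "googel.com", "xn--80ak6aa92e.com",
              "paypal-login.com", "google.xyz", "example.com"]:
        print(d, "->", decode_label(d.rpartition(".")[0]), classify(d))
```

The order of the checks matters: the skeleton comparison runs before the typo rules so that an IDN whose decoded form folds to the brand is reported as a homograph rather than falling through, and the "legitimate" allowlist is consulted first so the brand's own domain is never reported as gTLD squatting.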
General
- For every domain seen, check :
  o Domain reputation (threat intelligence feeds, blocklists)
  o Domain age (newly registered domains are far more likely to be malicious)
  o Domain randomness and length
- Jason Fossen
  o developed a PowerShell sinkhole script that takes a list of known-bad domains and
creates zones for them on a Windows DNS server, so that requests for those domains
resolve to 0.0.0.0 (or an IP of your choice) instead of the attacker's server
- To check for random-looking domains
  o use `freq.py` and `freq_server.py`, developed by Mark Baggett (SANS SEC573
instructor); `freq_server.py` exposes an HTTP API that Logstash can call to score how
natural the character sequence of each domain looks, and a low score indicates a
random (generated) name
- `domain_stats.py`
  o also by Mark Baggett, built for speed during log analysis; it returns `whois`
information (including the creation date, i.e. domain age) and whether the domain is
in a top-1-million list (works with the Alexa and Cisco Umbrella lists)