
DNS

DNS Attacks and Detection

CREATED BY :
MUHAMMED DARDIR
LinkedIn : Muhammed-Dardir
Contents
- Introduction (page 2)
- DNS Server and Client Types (page 2)
  - DNS Server (page 2)
  - DNS Client (page 2)
  - DNS Records (page 2)
- What is the process for collecting DNS logs? (page 3)
- DNS Attacks & Detection (page 3)
  - Unauthorized DNS server use (page 3)
  - Malicious sites on shared hosting (page 3)
  - Modifying your DNS records (page 3)
  - DNS Tunneling (page 4)
  - Blockchain DNS (page 4)
  - Internationalized Domain Names (IDNs) (page 5)
  - Domain Name Attacks & Detection (page 5)
  - Fast Flux (page 6)
  - Domain Squatting (page 6)
- Questions that need to be answered (page 7)
- General (page 7)
Introduction
The Domain Name System (DNS) is the backbone of the internet, functioning
as a decentralized directory that translates user-friendly domain names into
machine-readable IP addresses. This vital system ensures seamless communication
between devices and servers globally. From user accessibility to load balancing
and security enhancements like DNSSEC, DNS plays a pivotal role in maintaining
a reliable and secure online environment. Understanding its fundamental functions
is key to navigating the digital landscape effectively.
DNS Server and Client Types :
DNS Server :
- Recursive DNS Servers : These servers resolve DNS queries on behalf of clients.
They interact with multiple DNS servers to find the requested information and
return it to the client.
- Caching DNS Servers : Designed to store (cache) DNS query results for a limited
time, e.g. an ISP DNS server, OpenDNS, 8.8.8.8, 1.1.1.1, Pi-hole, etc.
- Forwarding DNS Servers : Forwarding servers pass DNS queries on to other DNS
servers, often at the ISP level or to external DNS services like Google's Public DNS
or OpenDNS. They help improve performance and security.
DNS Client :
- Stub Resolver : A basic DNS client run by the host OS, used to look up a
hostname by forwarding DNS queries to a recursive DNS server. It relies on the
recursive server to obtain the answer instead of performing the full DNS
resolution itself.
DNS Records :
- A (Address) Record: Maps a domain name to an IPv4 address.
- AAAA (IPv6 Address) Record: Associates a domain name with an IPv6 address.
- CNAME (Canonical Name) Record: Creates an alias or nickname for a domain,
redirecting it to another domain's canonical name.
- MX (Mail Exchange) Record: Specifies the mail servers responsible for receiving
email on behalf of a domain, i.e. it determines the mail-handling host for a remote
domain.
- NS (Name Server) Record: Identifies the authoritative DNS servers for a domain,
indicating where to find its DNS information.
- PTR (Pointer) Record: Used for reverse DNS lookups, associating an IP address
with a domain name.
- TXT (Text) Record: Stores human-readable text, often used for domain
verification or comments; also commonly used for spam prevention (SPF, DKIM).
- SRV (Service) Record: Specifies information about available services, such as the
protocol, domain and server details.
What is the process for collecting DNS logs?
- Network extraction using tools like Zeek
- Source host
- Directly from the DNS server

DNS Attacks & Detection


Unauthorized DNS server use
Definition : A user or host sends its DNS queries to a DNS server that the organization
has not authorized.
Example : An employee sets up a personal DNS server within the corporate network to
bypass content filtering or monitoring mechanisms, potentially exposing the network to
security risks and policy violations.
Detection : Monitoring DNS traffic for anomalies, unauthorized server IP addresses, or
patterns indicative of non-compliance.
Prevent : Restrict connections to external DNS servers so that only the approved
resolvers can be reached.
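The log-collection questions above (network extraction with Zeek, finding the source host, keeping the responses) and the unauthorized-resolver detection can be worked through on a Zeek dns.log. The following Python is an added example, not part of this document or of the Zeek project; the log lines, hosts, addresses and the approved resolver 10.0.0.2 are constructed, and the parser takes its column names from the #fields header so it also works on a full dns.log.

```python
"""Parse Zeek dns.log records and flag queries that went to a resolver outside
the approved set. Added example (not from the document or the Zeek project);
the log lines, hosts and the approved resolver 10.0.0.2 are constructed."""
from collections import defaultdict

# Constructed dns.log excerpt in Zeek's tab-separated format. Real files carry
# more columns; the parser reads the column names from the #fields header.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery"
    "\tqtype_name\trcode_name\tanswers\tTTLs\n"
    "1700000000.100000\tCabc1\t10.0.0.15\t51000\t10.0.0.2\t53\tudp\tintranet.example.test"
    "\tA\tNOERROR\t10.0.0.40\t300.000000\n"
    "1700000001.200000\tCabc2\t10.0.0.15\t51001\t8.8.8.8\t53\tudp\twww.example.test"
    "\tA\tNOERROR\t203.0.113.10,203.0.113.11\t60.000000,60.000000\n"
    "1700000002.300000\tCabc3\t10.0.0.22\t51002\t10.0.0.2\t53\tudp\tnope.example.test"
    "\tA\tNXDOMAIN\t-\t-\n"
    "1700000003.400000\tCabc4\t10.0.0.22\t51003\t198.51.100.7\t53\ttcp\tupdates.example.test"
    "\tTXT\tNOERROR\t(empty)\t(empty)\n"
)

APPROVED_RESOLVERS = {"10.0.0.2"}  # assumption: the organisation's own resolver


def parse_zeek_dns(text):
    """Yield one dict per record, named by the #fields header.
    Zeek writes '-' for an unset field and '(empty)' for an empty vector;
    both are normalised here (None and [] respectively)."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line seen before the #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        record = {}
        for name, value in zip(fields, values):
            if value == "-":
                record[name] = None
            elif name in ("answers", "TTLs"):
                record[name] = [] if value == "(empty)" else value.split(",")
            else:
                record[name] = value
        yield record


def unauthorized_resolver_use(records, approved=APPROVED_RESOLVERS):
    """Map source host -> sorted (resolver, query) pairs for every query that
    was sent on port 53 to a resolver outside the approved set."""
    hits = defaultdict(list)
    for r in records:
        if r["id.resp_p"] == "53" and r["id.resp_h"] not in approved:
            hits[r["id.orig_h"]].append((r["id.resp_h"], r["query"]))
    return {host: sorted(pairs) for host, pairs in hits.items()}


def responses_by_query(records):
    """Map query -> set of answers: the raw material for a passive DNS database.
    Records without answers (NXDOMAIN, empty vectors) contribute nothing."""
    out = defaultdict(set)
    for r in records:
        if r["answers"]:
            out[r["query"]].update(r["answers"])
    return dict(out)


if __name__ == "__main__":
    recs = list(parse_zeek_dns(SAMPLE_DNS_LOG))
    for host, pairs in unauthorized_resolver_use(recs).items():
        print(f"{host} used unapproved resolvers: {pairs}")
    print(responses_by_query(recs))
```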
Malicious sites on shared hosting
Definition : Malicious sites on shared hosting are malicious websites hosted on a shared
hosting server, where many unrelated sites share the same server and IP address.
Example : A compromised website on a shared hosting server is used to host phishing
pages, distribute malware, or launch other malicious activities.
Detection : Monitoring server logs, network traffic, and employing security measures
such as intrusion detection systems (IDS) and antivirus software.
Prevent : Block the malicious domain (rather than the shared IP address, which would
also block the other sites hosted on that server).
Modifying your DNS records
Definition : This could involve changing records such as A (address), MX (mail
exchange), or CNAME (canonical name), leading to potential disruptions in services or
redirection of traffic.
Example : An attacker gains unauthorized access to DNS settings and alters the A record
for a legitimate website to redirect traffic to a malicious server.
Detection : Detection involves regularly monitoring DNS configurations and logs for
unexpected changes.
Prevent : Implement strong authentication measures for accessing DNS management
interfaces; regularly review and audit DNS configurations; enable DNS security features
like DNS Security Extensions (DNSSEC) to authenticate and verify the integrity of DNS
data.
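The detection step above ("regularly monitoring DNS configurations for unexpected changes") reduces to diffing a baseline snapshot of the zone against the current one and then looking at what changed. The Python below is an added example, not from the document; the zone snapshots, the simplified record syntax and the organisation's address range 192.0.2.0/24 are all constructed assumptions.

```python
"""Diff two zone snapshots and flag added A/AAAA records that point outside the
organisation's own address space. Added example, not from the document; the
snapshots, record syntax and the prefix 192.0.2.0/24 are constructed."""
import ipaddress
from collections import defaultdict

# Constructed snapshots in a simplified zone-file style:  owner TTL IN TYPE RDATA
BASELINE = """\
example.test.      3600  IN A     192.0.2.10
www.example.test.  3600  IN CNAME example.test.
example.test.      3600  IN MX    10 mail.example.test.
mail.example.test. 3600  IN A     192.0.2.25
example.test.      86400 IN NS    ns1.example.test.
"""

CURRENT = """\
example.test.      3600  IN A     203.0.113.66   ; A record now points elsewhere
www.example.test.  3600  IN CNAME example.test.
example.test.      3600  IN MX    10 mail.example.test.
example.test.      3600  IN MX    5 mx.unknown-third-party.test.  ; extra, higher-priority MX
mail.example.test. 3600  IN A     192.0.2.25
example.test.      86400 IN NS    ns1.example.test.
"""

OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]  # assumption: the org's address space


def parse_zone(text):
    """Return {(owner, type): {(ttl, rdata), ...}} so that round-robin A records
    and multiple MX records compare as sets rather than in file order."""
    records = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) != 5 or parts[2].upper() != "IN":
            raise ValueError(f"unparsable record: {line!r}")
        owner, ttl, _cls, rtype, rdata = parts
        records[(owner.lower(), rtype.upper())].add((int(ttl), " ".join(rdata.split())))
    return dict(records)


def diff_zone(baseline_text, current_text, watched=("A", "AAAA", "MX", "NS", "CNAME")):
    """Sorted list of (owner, type, 'added'|'removed', rdata) for watched types."""
    base, cur = parse_zone(baseline_text), parse_zone(current_text)
    changes = []
    for owner, rtype in sorted(set(base) | set(cur)):
        if rtype not in watched:
            continue
        before = base.get((owner, rtype), set())
        after = cur.get((owner, rtype), set())
        for _ttl, rdata in sorted(after - before):
            changes.append((owner, rtype, "added", rdata))
        for _ttl, rdata in sorted(before - after):
            changes.append((owner, rtype, "removed", rdata))
    return changes


def outside_own_space(changes, prefixes=OWN_PREFIXES):
    """Added A/AAAA records whose address lies outside the org's prefixes:
    the classic sign of a hijacked address record."""
    out = []
    for owner, rtype, change, rdata in changes:
        if change == "added" and rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)
            if not any(ip in p for p in prefixes):
                out.append((owner, str(ip)))
    return out


if __name__ == "__main__":
    changes = diff_zone(BASELINE, CURRENT)
    for c in changes:
        print(c)
    print("addresses outside our space:", outside_own_space(changes))
```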
DNS Tunneling
Definition : DNS tunneling is a technique that involves encapsulating non-DNS traffic
within DNS packets to bypass network security controls.
Example : CNAME tunneling and TXT record tunneling
- The DNS request is made by malware installed on the machine, not by normal
Windows programs.
- The malware encodes whatever data it is sending into the subdomain (29b90180…).
- Once the command is interpreted, a response can be returned that, although
encoded, makes sense to the malware on the far side (bc590180…).
- Commands can also be sent encoded (or encrypted) inside the subdomain.

Detection : Monitoring DNS traffic for unusual patterns, such as a high frequency of
requests, long domain names, or the presence of encoded data within DNS payloads.
- Excessive queries for one domain with many subdomains
- Excessive DNS queries from one source
- Excessive amount of odd query types : TXT, CNAME, MX, NULL
- LONG/random looking subdomains
- Encoded data in TXT responses
- Usage of unauthorized DNS servers
- False positives: CDNs, AV checks, DNS Hijacking tests
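The indicator list above can be turned into a scoring pass over a query log. The Python below is an added example, not from the document; the query records, the simulated tunnel domain exfil-example.test, the thresholds and the "last two labels" approximation of the registrable domain are assumptions (production code would use the public suffix list, and an allowlist for the CDN-style false positives the text mentions).

```python
"""Score DNS queries per registered domain for the tunneling indicators listed
in the text. Added example, not from the document; the sample queries, the
domain exfil-example.test and all thresholds are constructed assumptions."""
import hashlib
import math
from collections import Counter, defaultdict

ODD_QTYPES = {"TXT", "CNAME", "MX", "NULL"}


def shannon_entropy(s):
    """Bits per character; hex-encoded payloads sit near 4.0, words far below."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Split 'a.b.example.test' into ('example.test', 'a.b').
    Assumption: the registrable part is the last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def tunneling_indicators(queries, min_queries=20, max_unique_ratio=0.5,
                         max_avg_len=40, max_odd_ratio=0.3, min_entropy=3.5,
                         allowlist=()):
    """queries: iterable of (source_ip, qname, qtype). Returns {domain: [reasons]}."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "odd": 0, "ent": 0.0})
    for _src, qname, qtype in queries:
        dom, sub = registered_domain(qname)
        s = stats[dom]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["odd"] += qtype.upper() in ODD_QTYPES
    findings = {}
    for dom, s in stats.items():
        if dom in allowlist or s["n"] < min_queries:
            continue
        reasons = []
        if len(s["subs"]) / s["n"] > max_unique_ratio:
            reasons.append("many unique subdomains")
        if s["len"] / s["n"] > max_avg_len:
            reasons.append("long subdomains")
        if s["odd"] / s["n"] > max_odd_ratio:
            reasons.append("odd query types")
        if s["ent"] / s["n"] > min_entropy:
            reasons.append("high-entropy labels")
        if reasons:
            findings[dom] = reasons
    return findings


def heavy_sources(queries, threshold):
    """Sources that issued more than `threshold` queries (excessive queries from one host)."""
    counts = Counter(src for src, _q, _t in queries)
    return sorted(src for src, n in counts.items() if n > threshold)


def constructed_queries():
    """Constructed sample: ordinary lookups from three hosts plus one host that
    pushes 64 hex characters per query through TXT lookups under a single domain."""
    hosts = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    q = [(hosts[i % 3], "www.example.test", "A") for i in range(30)]
    q += [(h, "example.test", "MX") for h in hosts]
    for i in range(40):
        payload = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()
        q.append(("10.0.0.15", f"{payload[:32]}.{payload[32:]}.t.exfil-example.test", "TXT"))
    return q


if __name__ == "__main__":
    qs = constructed_queries()
    print(tunneling_indicators(qs))
    print("heavy sources:", heavy_sources(qs, threshold=35))
```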
Prevent : Implement Deep Packet Inspection (DPI), DNS Filtering, DNSSEC, Employ
Threat Intelligence, Implement Behavioral Analysis.
Blockchain DNS
Definition : In a blockchain DNS system, if a company registers a domain (like
example.com) on the blockchain, everyone can see and verify this registration. When a
domain is updated or transferred, the change is recorded instantly and securely. There is
one important exception, at least in the case of EmerDNS, which is currently a commonly
used blockchain DNS solution: the OpenNIC project maintains a peering agreement with
EmerDNS, so if a user is using OpenNIC's DNS resolvers to resolve DNS
Example : Attackers use blockchain DNS (BDNS) so that their domains cannot be taken
down when they are reported.
Detection : Look for DNS requests for blockchain DNS (BDNS) root zones.
Prevent : DNSSEC integration, regular audits and monitoring.
Internationalized Domain Names (IDNs)
Definition : The only characters supported in DNS hostnames are "a-z", "0-9" and the
dash. So how can someone buy a domain name with Greek or Chinese characters? Such
names are encoded into that character set using Punycode.
Example : ᏚĖC450.com is encoded as xn--c450-uva139z.com
Detection : Monitor DNS logs (Punycode-encoded labels start with xn--).
Prevent : DNSSEC, DNS whitelisting, educate users.
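The Punycode example above, worked through in Python as an added example that is not from the document. Python's built-in 'punycode' codec performs only the raw RFC 3492 transformation, without the IDNA case folding, so the Unicode side is given in the folded form (Cherokee Ꮪ, ė, c) that the A-label xn--c450-uva139z actually decodes to. The mixed-script check uses the first word of each character's Unicode name as a rough stand-in for the Script property; that heuristic and the sample names are assumptions.

```python
"""Convert between Unicode labels and xn-- A-labels with the raw Punycode codec,
and flag A-labels whose decoded form mixes scripts (homograph lookalikes).
Added example, not from the document; the sample names are constructed."""
import unicodedata


def to_alabel(domain):
    """Punycode-encode each non-ASCII label and prefix it with xn--.
    No case folding or normalisation is applied (that is IDNA's job), so pass
    the already folded form, e.g. 'Ꮪėc450' rather than 'ᏚĖC450'."""
    out = []
    for label in domain.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def from_alabel(domain):
    """Decode every xn-- label back to Unicode; other labels pass through."""
    out = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def scripts_of(label):
    """Set of script names used by the letters of a label, approximated by the
    first word of the Unicode character name ('CHEROKEE LETTER S' -> 'CHEROKEE').
    Digits and the hyphen are script-neutral and skipped."""
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def idn_findings(qnames):
    """For each queried name that carries an xn-- label, return
    (a-label form, unicode form, mixes_scripts) for an analyst to review."""
    findings = []
    for q in qnames:
        if "xn--" not in q.lower():
            continue
        unicode_form = from_alabel(q)
        mixed = any(len(scripts_of(lab)) > 1 for lab in unicode_form.split("."))
        findings.append((q, unicode_form, mixed))
    return findings


if __name__ == "__main__":
    print(to_alabel("\u13da\u0117c450.com"))       # the document's example, folded
    for alabel, uni, mixed in idn_findings(["xn--c450-uva139z.com", "www.example.test"]):
        print(alabel, "->", uni, "mixed scripts" if mixed else "single script")
```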
Domain Name Attacks & Detection
Domain Generation Algorithm (DGA)
Definition : A Domain Generation Algorithm (DGA) is a technique used by malware to
dynamically generate a large number of domain names to establish communication with
command and control servers. This helps evade detection and disrupts efforts to block
malicious domains.
Example : A malware variant with DGA may generate a unique set of domain names
daily. For instance, it might create domains like abcd1234.com, efgh5678.com, based on
a specific algorithm. This makes it challenging for security solutions to preemptively
block these domains.
Detection : Detection of DGA involves monitoring network traffic for patterns consistent
with algorithmically generated domain names. Unusual spikes in DNS queries or a high
frequency of requests for seemingly random domains can indicate potential DGA
activity. Behavioral analysis and anomaly detection tools are crucial for identifying such
patterns; also monitor NXDOMAIN responses per source IP.
Prevent : Threat Intelligence, Behavioral Analysis of Systems, Domain Name
Reputation Services, DNS Filtering and Blocking.
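The two DGA signals named above, a burst of NXDOMAIN responses from one source and random-looking names, combined into one detector. This Python is an added example, not from the document; the response records, the lexical scoring rules and their weights, and the thresholds are constructed assumptions that a real deployment would tune against its own traffic.

```python
"""Flag hosts that fail many lookups for random-looking names (DGA behaviour).
Added example, not from the document; sample data, scoring rules and
thresholds are constructed assumptions."""
import random
import re
from collections import defaultdict

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def randomness_score(label):
    """Crude lexical score in [0, 1]; higher means more DGA-like.
    Rules and weights are assumptions: few vowels, long consonant runs,
    many digits and long labels are all unusual in human-chosen names."""
    s = label.lower()
    letters = [c for c in s if c.isalpha()]
    if len(s) < 6 or not letters:
        return 0.0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    digit_ratio = sum(c.isdigit() for c in s) / len(s)
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(s)), default=0)
    score = 0.0
    if vowel_ratio < 0.25:
        score += 0.4
    if longest_run >= 4:
        score += 0.3
    if digit_ratio > 0.2:
        score += 0.2
    if len(s) >= 12:
        score += 0.1
    return round(min(score, 1.0), 2)


def dga_suspects(responses, min_nx=10, min_nx_ratio=0.5, min_score=0.5):
    """responses: iterable of (source_ip, qname, rcode_name).
    A source is suspect when it has at least `min_nx` NXDOMAIN answers, they
    make up at least `min_nx_ratio` of its queries, and the failed names'
    second-level labels score at least `min_score` on average."""
    per_src = defaultdict(lambda: {"total": 0, "nx": 0, "labels": set()})
    for src, qname, rcode in responses:
        s = per_src[src]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            labels = qname.rstrip(".").lower().split(".")
            s["labels"].add(labels[-2] if len(labels) >= 2 else labels[0])
    out = {}
    for src, s in per_src.items():
        if s["nx"] < min_nx or s["nx"] / s["total"] < min_nx_ratio:
            continue
        avg = sum(randomness_score(l) for l in s["labels"]) / len(s["labels"])
        if avg >= min_score:
            out[src] = {"nxdomain": s["nx"], "total": s["total"],
                        "distinct_failed_domains": len(s["labels"]),
                        "avg_randomness": round(avg, 2)}
    return out


def constructed_responses():
    """Constructed sample: a normal workstation with one typo, and a host
    that fails 25 lookups for names built from consonants and digits."""
    rng = random.Random(7)
    consonants, digits = "bcdfghjklmnpqrstvwxz", "0123456789"
    rows = [("10.0.0.15", "www.example.test", "NOERROR")] * 30
    rows.append(("10.0.0.15", "wwww.example.test", "NXDOMAIN"))
    for _ in range(25):
        label = "".join(rng.choice(consonants) for _ in range(8))
        label += "".join(rng.choice(digits) for _ in range(4))
        rows.append(("10.0.0.31", f"{label}.test", "NXDOMAIN"))
    rows += [("10.0.0.31", "www.example.test", "NOERROR")] * 5
    return rows


if __name__ == "__main__":
    for src, info in dga_suspects(constructed_responses()).items():
        print(src, info)
```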
Fast Flux
Definition : A technique for bypassing IP blocking through DNS: the attacker registers a
single domain whose associated IP addresses change constantly, and these IPs belong to
infected machines.

Example : An attacker might use Fast Flux to host a phishing website. The domain
associated with the phishing site rapidly switches between multiple IP addresses, making
it difficult for security measures to blacklist the malicious infrastructure effectively.
Detection : Detection of Fast Flux involves monitoring DNS responses for domains
associated with rapidly changing IP addresses. Analyzing the frequency of IP changes,
the number of name server changes, and the short time-to-live (TTL) values in DNS
responses can help identify domains employing Fast Flux.
Prevent : Rate Limiting, IP Geolocation Analysis.
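The detection described above (rapidly changing answers, short TTLs) applied to passive DNS observations, with the prefix-diversity check that separates a flux network of infected machines from a CDN that also rotates a handful of addresses with a short TTL. This Python is an added example, not from the document; the observations, the domain names, the thresholds and the use of /16 prefixes as a crude stand-in for AS diversity are constructed assumptions.

```python
"""Score domains for fast-flux behaviour from passive DNS observations.
Added example, not from the document; observations, names and thresholds are
constructed, and /16 prefix count stands in for AS diversity."""
import ipaddress
import statistics
from collections import defaultdict


def fast_flux_stats(observations):
    """observations: iterable of (timestamp, domain, answer_ip, ttl_seconds).
    Returns per-domain counters used by flag_fast_flux."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in observations:
        by_domain[domain.lower()].append((ts, ip, ttl))
    stats = {}
    for domain, obs in by_domain.items():
        obs.sort()
        ips = {ip for _ts, ip, _ttl in obs}
        prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        changes = sum(1 for a, b in zip(obs, obs[1:]) if a[1] != b[1])
        stats[domain] = {
            "observations": len(obs),
            "distinct_ips": len(ips),
            "prefixes": len(prefixes),
            "median_ttl": statistics.median(ttl for _ts, _ip, ttl in obs),
            "ip_changes": changes,
        }
    return stats


def flag_fast_flux(observations, min_ips=5, max_ttl=300, min_prefixes=3):
    """Domains with many distinct answers, a short TTL and addresses spread
    across several prefixes. A CDN rotating a few addresses inside one
    prefix fails the prefix test and is not flagged."""
    return sorted(
        d for d, s in fast_flux_stats(observations).items()
        if s["distinct_ips"] >= min_ips
        and s["median_ttl"] <= max_ttl
        and s["prefixes"] >= min_prefixes
    )


def constructed_observations():
    """Constructed sample: a flux domain answered by eight addresses in three
    prefixes, a CDN name rotating four addresses in one prefix, and a static site."""
    flux_ips = ["198.51.100.5", "198.51.100.77", "203.0.113.9", "203.0.113.140",
                "192.0.2.33", "192.0.2.201", "198.51.100.250", "203.0.113.61"]
    cdn_ips = ["192.0.2.100", "192.0.2.101", "192.0.2.102", "192.0.2.103"]
    obs = []
    for i in range(24):
        ts = 1700000000 + i * 120
        obs.append((ts, "flux-example.test", flux_ips[i % len(flux_ips)], 60))
        obs.append((ts, "cdn-example.test", cdn_ips[i % len(cdn_ips)], 60))
        obs.append((ts, "static-example.test", "192.0.2.10", 3600))
    return obs


if __name__ == "__main__":
    obs = constructed_observations()
    for domain, s in fast_flux_stats(obs).items():
        print(domain, s)
    print("fast flux:", flag_fast_flux(obs))
```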
Domain Squatting
Definition : Domain squatting, also known as cybersquatting, involves the registration of
a domain name with the intent to exploit or profit from the reputation of someone else's
trademark or brand. It often involves registering variations of well-known domain names
to deceive users or capitalize on web traffic intended for the legitimate owner.
Example : An individual registers a domain such as "g00gle.com" with the intention of
misleading users who might mistype "google.com." This deceptive domain could host
malicious content or be used for phishing attacks.
Types :
- Typosquatting
- Homograph Attack
- Brandjacking
- Combosquatting
- New gTLD Squatting
Detection : Detection of domain squatting involves monitoring domain registrations for
variations of known trademarks or brands. Automated tools can analyze newly registered
domains for patterns, such as misspellings or alterations, that may indicate squatting.
Additionally, monitoring for sudden spikes in registrations related to popular events or
brand launches can be an indicator.
Prevent : Defensive Domain Registrations, Regular Domain Monitoring, Trademark
Registration.
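The detection approach above (checking newly registered domains for variations of a brand) for the five squatting types listed, as an added Python example that is not from the document. The brand examplebank, the newly registered names, the small homoglyph table, the combosquatting words and the TLD list are all constructed assumptions; the check goes slightly beyond the text by classifying each hit by squatting type.

```python
"""Generate squatting variants of a brand and match them against a list of
newly registered domains. Added example, not from the document; the brand,
registrations, homoglyph table, words and TLDs are constructed assumptions."""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}  # ASCII lookalikes
COMBO_WORDS = ("login", "secure", "support", "mail")                   # common combosquat suffixes
TLDS = ("com", "net", "org", "co", "app", "xyz")                       # a few TLDs to expand over


def squat_candidates(brand, tlds=TLDS):
    """Map candidate domain -> squatting type. Earlier rules win when two
    rules produce the same string."""
    name = brand.lower()
    variants = {}
    for i in range(len(name)):                               # omission: exmplebank
        variants.setdefault(name[:i] + name[i + 1:], "typosquat-omission")
    for i in range(len(name) - 1):                           # transposition: exmaplebank
        swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
        variants.setdefault(swapped, "typosquat-transposition")
    for i in range(len(name)):                               # repetition: exaamplebank
        variants.setdefault(name[:i + 1] + name[i] + name[i + 1:], "typosquat-repetition")
    for ch, sub in HOMOGLYPHS.items():                       # homograph: examp1ebank, 3xampl3bank
        if ch in name:
            variants.setdefault(name.replace(ch, sub), "homograph")
            for i, c in enumerate(name):
                if c == ch:
                    variants.setdefault(name[:i] + sub + name[i + 1:], "homograph")
    for word in COMBO_WORDS:                                 # combosquat: examplebank-login
        variants.setdefault(f"{name}-{word}", "combosquat")
        variants.setdefault(f"{name}{word}", "combosquat")
    variants.pop(name, None)                                 # the brand itself is not a variant
    return {f"{v}.{tld}": kind for v, kind in variants.items() for tld in tlds}


def match_new_registrations(brand, new_domains, owned_tlds=("com",), tlds=TLDS):
    """Return (domain, type) for each new registration that is a known variant,
    or the exact brand under a TLD the brand owner has not registered
    (new gTLD squatting)."""
    candidates = squat_candidates(brand, tlds)
    hits = []
    for domain in new_domains:
        domain = domain.lower().rstrip(".")
        if domain in candidates:
            hits.append((domain, candidates[domain]))
        elif "." in domain:
            label, tld = domain.split(".", 1)
            if label == brand.lower() and tld not in owned_tlds:
                hits.append((domain, "new-gtld-squat"))
    return hits


# Constructed "newly registered" feed for the demonstration.
NEW_REGISTRATIONS = [
    "examp1ebank.com", "exmaplebank.net", "examplebank-login.xyz",
    "examplebank.xyz", "examplebank.com", "unrelated.org",
]

if __name__ == "__main__":
    for domain, kind in match_new_registrations("examplebank", NEW_REGISTRATIONS):
        print(f"{domain}: {kind}")
```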

Questions that need to be answered
- How/where are you monitoring? Log files or network extraction? Can you
find the source host?
- Are you recording responses? Without responses, you will not know the IP
resolution.
- Are you saving responses? Create your own passive DNS database!

General
- In a domain we need to check:
  - Domain reputation
  - Domain age
  - Domain randomness and length
- Jason Fossen
  - developed a PowerShell sinkhole script that takes known bad domains and uses
DNS to prevent access, resolving requests for bad domains to 0.0.0.0 or an IP of
your choice
- To check random domains
  - use `freq.py` and `freq_server.py`, developed by a SANS 573 instructor;
`freq_server.py` can be called from Logstash through its API to check the rank
of a domain and whether it looks random
- domain_stats.py
  - developed for speed and log analysis; provides `whois` information and
top-1-million lookup (works with Alexa and Cisco)
