The dark side of DNS, or the war of port 53

What is DNS and why is it used?

DNS stands for Domain Name System. It’s essentially like a directory but for the internet. When you type a website address into your browser, like “www.example.com”, your computer needs to find out the IP address associated with that domain name to connect to the correct server.

DNS servers are like the internet’s address book, mapping domain names to their respective IP addresses. They translate human-readable domain names into IP addresses that computers use to identify each other on the network.

DNS is used to make internet communication easier for humans by allowing us to use memorable domain names instead of having to remember long strings of numbers for every website we want to visit. Additionally, it plays a crucial role in the functioning of the internet by ensuring that internet traffic is directed efficiently to the appropriate servers.

Is DNS vulnerable?

The DNS protocol is considered vulnerable to various types of attacks and exploits. While DNS is fundamental to how the internet operates, its design and implementation have inherent vulnerabilities that can be exploited by malicious actors.

The consequences of a DNS attack can be serious and far-reaching, affecting not only the targeted organization but also its customers, partners, and stakeholders. It underscores the importance of implementing robust security measures to protect against DNS attacks and mitigate their impact if they occur.

Some of the potential impacts of a DNS attack include: disruption of services, data theft and breaches, damage to reputation, financial losses, and regulatory compliance violations.

What are the most sophisticated DNS attacks?

We are all familiar with classic DNS-based attacks such as DNS Cache Poisoning, DNS Reflection attacks, DNS Amplification attacks, DNS Pseudo Random SubDomain (PRSD) attacks, DNS NXDomain attacks, etc.

However, less is known about the techniques and algorithms behind these attacks. And since most modern malware uses DNS in at least one of the 7 stages of the Cyber Kill Chain, here’s a little insight into these techniques:

– DNS Sinkhole: This is a technique for protecting against malicious domains by redirecting traffic destined for these domains to a controlled domain, thus preventing the propagation of malicious programs such as viruses, ransomware, etc.

– DGA (Domain Generation Algorithm): These are algorithms used to generate a very large number of DNS domains, which are used as rendezvous points between the malware and Command and Control (C2 or C&C). The purpose of DGA is to evade detection and mitigation efforts by security tools and researchers, as traditional blacklisting approaches become less effective when dealing with constantly changing domain names. The DGA algorithm uses a seed input, such as a date, a unique identifier, or a combination of factors, to generate a pseudo-random sequence of characters. For example, the algorithm may generate domain names like “qwer1234abc.com” or “x1yx2yz3.com”. The large list of domain names makes it difficult to block botnet proliferation.

– DNS Fast-flux: This technique combines two ordinary DNS features. Several IP addresses are associated with the same server name, and the records carry very low TTLs, of the order of 5 seconds. Because the TTL is so low, cached responses expire rapidly, which generates new resolution requests; because of Round Robin, the DNS servers respond each time with a different IP address from the one sent previously. DNS Fast Flux is commonly used by botnets, malware, phishing campaigns, and other malicious actors to evade detection, hosting takedown efforts, and blacklisting. By constantly changing the IP addresses associated with a domain name, attackers can maintain resilient communication channels and infrastructure, making it difficult for defenders to disrupt their operations. This technique is very difficult to detect and block.

– DNS Double Fast-Flux: This is an even more twisted variant of DNS Fast-flux, with the same operating principle, except that the fast-flux technique is also applied to DNS servers. This technique is used by cybercriminals to further obfuscate and hide the true location of malicious infrastructure. In DNS Double Fast-Flux, not only are the IP addresses associated with a domain rapidly changed, but the DNS authoritative servers responsible for resolving the domain are also constantly rotated, adding an additional layer of complexity to the evasion technique. The target is even more mobile and therefore harder to stop.
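A detection-side illustration of the two flux variants above, added here as example code (not from the original article). It runs over a constructed, passive-DNS-style list of observed records and flags a domain as fast-flux when its A records are numerous and short-lived, and as double fast-flux when its NS records churn the same way; the domain names, addresses and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed observations in passive-DNS style: (qname, rrtype, rdata, ttl).
# Hypothetical names and documentation-range addresses; not real data.
OBSERVATIONS = [
    ("flux.example", "A", "198.51.100.10", 5),
    ("flux.example", "A", "198.51.100.77", 5),
    ("flux.example", "A", "203.0.113.8", 5),
    ("flux.example", "A", "203.0.113.91", 5),
    ("flux.example", "A", "192.0.2.44", 5),
    ("flux.example", "NS", "ns1.flux.example", 3600),
    ("doubleflux.example", "A", "198.51.100.20", 4),
    ("doubleflux.example", "A", "203.0.113.120", 4),
    ("doubleflux.example", "A", "192.0.2.99", 4),
    ("doubleflux.example", "A", "198.51.100.201", 4),
    ("doubleflux.example", "NS", "ns7.doubleflux.example", 10),
    ("doubleflux.example", "NS", "ns12.doubleflux.example", 10),
    ("doubleflux.example", "NS", "ns3.doubleflux.example", 10),
    ("doubleflux.example", "NS", "ns9.doubleflux.example", 10),
    ("static.example", "A", "192.0.2.1", 86400),
    ("static.example", "NS", "ns1.static.example", 86400),
]


def classify(observations, low_ttl=60, min_a=4, min_ns=3):
    """Return {domain: 'double-fast-flux' | 'fast-flux' | 'stable'}.

    Fast-flux: at least min_a distinct A records, all with TTL <= low_ttl.
    Double fast-flux: the same churn also seen on the NS record set (a real
    feed would show the nameserver hostnames' own A records rotating too).
    Thresholds are assumptions chosen for this example.
    """
    a_ips, ns_names = defaultdict(set), defaultdict(set)
    a_ttls, ns_ttls = defaultdict(list), defaultdict(list)
    for name, rrtype, rdata, ttl in observations:
        if rrtype == "A":
            a_ips[name].add(rdata)
            a_ttls[name].append(ttl)
        elif rrtype == "NS":
            ns_names[name].add(rdata)
            ns_ttls[name].append(ttl)
    verdict = {}
    for name in set(a_ips) | set(ns_names):
        a_flux = len(a_ips[name]) >= min_a and max(a_ttls[name], default=10**9) <= low_ttl
        ns_flux = len(ns_names[name]) >= min_ns and max(ns_ttls[name], default=10**9) <= low_ttl
        verdict[name] = "double-fast-flux" if a_flux and ns_flux else "fast-flux" if a_flux else "stable"
    return verdict
```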

– DNS-based Data Exfiltration Channel: This is a technique for exfiltrating data by encapsulating it in ordinary DNS queries sent to domains set up expressly for this purpose.

– DNS Tunneling (or Covert Channel VPNs): DNS tunnels are often used to surf the web anonymously, but also to exfiltrate sensitive data. This is achieved by encapsulating data within DNS queries and responses. Instead of opening direct connections over traditional protocols like TCP or UDP, DNS tunneling leverages the DNS protocol itself to create covert communication channels between a client and a remote server, allowing attackers to transmit data undetected. This is often done via DNS requests for A or TXT records.
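The DGA names above ("qwer1234abc.com", "x1yx2yz3.com") and the tunnelling and exfiltration queries just described leave different lexical traces in a query name: a registered label that looks machine-generated versus a subdomain part that carries a long, high-entropy payload. The following added example (not code from the article) scores both; the thresholds and the hex-looking exfiltration name are constructed, and the registered label is taken as the label before a one-label TLD, which is a simplification (no public-suffix list).

```python
import math
from collections import Counter


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(name):
    """Return (subdomain_labels, registered_label).
    Assumption: one-label TLD such as .com, so the registered label is labels[-2]."""
    labels = name.lower().rstrip(".").split(".")
    return labels[:-2], (labels[-2] if len(labels) >= 2 else labels[0])


def label_features(label):
    """Lexical features used by DGA classifiers: vowel ratio, digit ratio, entropy."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {"entropy": shannon_entropy(label), "vowel_ratio": vowel_ratio, "digit_ratio": digit_ratio}


def classify(name, payload_len=40, payload_entropy=3.5):
    """'tunnel-like' when the subdomain part looks like an encoded payload,
    'dga-like' when the registered label looks machine-generated, else 'benign-looking'.
    Thresholds are assumptions; a real deployment tunes them against its own traffic."""
    subs, reg = split_name(name)
    payload = "".join(subs)
    if len(payload) >= payload_len and shannon_entropy(payload) > payload_entropy:
        return "tunnel-like"
    f = label_features(reg)
    if f["digit_ratio"] >= 0.25 or (len(reg) >= 8 and f["vowel_ratio"] < 0.3):
        return "dga-like"
    return "benign-looking"


# Constructed exfiltration-style query: 48 hex characters spread over three labels.
EXFIL_QUERY = "3f9a0c7e1b5d2846.b84d1f6a03e9c725.e2c6f1a9d03b5748.exfil.example"
```

Short, pronounceable brand names pass, but any purely lexical rule has false positives, so in practice this score is combined with NXDOMAIN rates and query volume per client.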

– DNS Killswitch: New-generation malware contains “killswitches” that enable its creator to halt its proliferation. The principle is as follows: the malware regularly queries a very long domain name with no meaning. As long as that domain does not exist, the DNS response is negative and the malware continues to proliferate. If the domain does exist, the DNS response is positive, the killswitch takes effect and the malware stops. This happened with the WannaCry ransomware, which came to a screeching halt when a researcher accidentally registered the domain name after analyzing the malware’s code.

– DNS as Malware Control Plane: Over 91% of malware uses DNS both to contact its Command and Control (C&C) center and to exfiltrate data or redirect traffic. DNS is therefore considered the malware’s Control Plane.

– DNS beaconing (or malware beaconing): This refers to the malware contacting its command and control center at regular intervals to download its installation code or to receive instructions for data exfiltration. Instead of establishing persistent connections or sending large volumes of data, the malware periodically sends small, stealthy DNS queries to specific domain names controlled by the attackers. These DNS queries serve as “beacons” or signals indicating that the infected device is active and ready to receive instructions or updates from the C2 server. This can be done over HTTP requests, but increasingly over DNS requests such as A, AAAA or TXT record lookups.
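The regular interval is exactly what a resolver log makes visible. The following added example (not from the article) groups constructed query records by client and name, computes the inter-arrival gaps, and reports streams whose gaps are nearly constant; the log lines, domain names and the jitter threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed resolver log: (epoch_seconds, client_ip, qname). Not real data.
# The first stream fires about every 60 s; the second is ordinary browsing.
LOG = [
    (1000, "10.0.0.5", "update.c2-example.test"),
    (1060, "10.0.0.5", "update.c2-example.test"),
    (1121, "10.0.0.5", "update.c2-example.test"),
    (1180, "10.0.0.5", "update.c2-example.test"),
    (1241, "10.0.0.5", "update.c2-example.test"),
    (1300, "10.0.0.5", "update.c2-example.test"),
    (1003, "10.0.0.5", "www.example.com"),
    (1017, "10.0.0.5", "www.example.com"),
    (1098, "10.0.0.5", "www.example.com"),
    (1101, "10.0.0.5", "www.example.com"),
    (1290, "10.0.0.5", "www.example.com"),
    (1292, "10.0.0.5", "www.example.com"),
]


def find_beacons(log, min_queries=5, max_jitter=0.1):
    """Return {(client, qname): period_seconds} for query streams whose
    inter-arrival times are nearly constant, i.e. whose coefficient of
    variation (stdev / mean of the gaps) is at most max_jitter.
    min_queries and max_jitter are assumed thresholds for this example."""
    times = defaultdict(list)
    for ts, client, qname in log:
        times[(client, qname)].append(ts)
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_queries:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[key] = round(period, 1)
    return beacons
```

Real implants add random sleep jitter, so the threshold is a tuning knob; cached answers also hide beacons from the resolver when the TTL exceeds the beacon period, which is why low-TTL names deserve closer attention.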

As we have seen, the techniques for circumventing and abusing the DNS protocol are numerous and increasingly complex. APTs (Advanced Persistent Threats) use a combination of these techniques to gain a foothold and proliferate. DNS is the second most common attack vector on the Internet after HTTP. And DNS is involved in at least 4 of the 7 stages of the Cyber Kill Chain. The delay in deploying DNSSEC (Domain Name System Security Extensions) and the current DNS protocol evolutions with DoH (DNS over HTTP) and DoT (DNS over TLS) are likely to make things even more complex.

About DNSSEC, DoH and DoT

DNSSEC is a set of security extensions to the DNS protocol that adds cryptographic authentication and integrity checks to DNS data. Its primary goal is to address vulnerabilities in the traditional DNS infrastructure and provide mechanisms to ensure the authenticity and integrity of DNS information.

DNS over HTTP (DoH) is a protocol that allows DNS queries and responses to be transmitted over the HTTP protocol, typically using HTTPS (HTTP Secure) for encryption. Traditionally, DNS queries and responses have been transmitted over UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) without encryption, leaving them vulnerable to interception and manipulation. DoH represents a significant advancement in DNS privacy and security, providing a standardized approach for encrypting DNS traffic and protecting user privacy against surveillance and censorship. However, it’s important to note that DoH is not a panacea and may introduce new challenges and considerations, such as its interaction with DNS-based filtering and parental controls, that need to be addressed in deployment and configuration.

DNS over TLS (DoT) is a protocol that encrypts DNS queries and responses using the Transport Layer Security (TLS) protocol. Like DoH, DoT provides a secure and private method for transmitting DNS traffic over the internet, protecting it from interception and manipulation. DoT represents a significant advancement in DNS security and privacy, providing a standardized approach for encrypting DNS traffic and protecting user privacy against surveillance and interception. By leveraging the security features of TLS, DoT offers a robust solution for securing DNS communications over the internet.