5 types of DNS attacks and how to detect them
The Domain Name System, or DNS, translates domain names into the IP addresses that computers use to communicate with each other. DNS exists in almost every network, talks to external networks by design, and is difficult to lock down because it was built as an open protocol and is rarely blocked at the perimeter. That makes it attractive to an adversary for network reconnaissance, malware delivery, communication with command-and-control (C2) servers, and moving data out of a network. Consequently, DNS traffic must be logged and monitored as part of threat protection.
Attack 1: Malware installation. An adversary who can hijack DNS resolution answers queries for legitimate names with the IP addresses of servers they control, so that a download or update the victim expects from a trusted site is served from attacker infrastructure. The same goal can be reached without hijacking resolution at all, by luring users to phishing domains that host the malware.
Indicators of compromise: Forward DNS lookups for typosquatted or look-alike domain names (gooqle.com in place of google.com, for example); modifications to the hosts file; DNS cache poisoning, visible as a cached record for a well-known name that points to an unexpected address.
Attack 2: Credential theft. An adversary registers a malicious domain name that resembles a legitimate one and uses it in phishing campaigns to harvest credentials; the only difference between this and Attack 1 is the payload at the end of the lookup.
Indicators of compromise: Forward DNS lookups for typosquatted or look-alike domain names (gooqle.com, for example); modifications to the hosts file; DNS cache poisoning.
Attack 3: Command & Control communication. After an initial compromise, and throughout the lateral movement that follows it, DNS is abused as a channel to a C2 server. A computer in the target network makes periodic DNS queries for a domain the adversary controls; the responses carry encoded instructions that the implant decodes and acts on inside the network.
Indicators of compromise: Beaconing, that is, queries from one host to an anomalous domain at regular intervals; responses with unusually low time-to-live values, which let the adversary re-point the name frequently; orphan DNS requests, meaning lookups that are never followed by a connection to the resolved address because the response itself was the message.
Attack 4: Network footprinting. Adversaries use DNS queries to build a map of the network. Attackers live off the land, so a map of hosts, services, and naming conventions is valuable to them and DNS hands it over without any exploit.
Indicators of compromise: A large number of PTR (reverse lookup) queries from one host, especially sweeping consecutive addresses; SOA and AXFR (zone transfer) queries from clients that are not secondary name servers; forward DNS lookups for non-existent subdomains of the organization's domain, which show up as a burst of NXDOMAIN responses while the attacker guesses hostnames.
Attack 5: Data theft. Abuse of DNS to transfer data; this may be performed by tunneling other protocols such as FTP or SSH through DNS queries and responses. The compromised computer encodes outbound data into the subdomain labels of many queries to a domain owned by the adversary, whose authoritative server records them; the responses carry data in the other direction. DNS tunneling can also be used to execute commands and to transfer malware into the target network.
Indicators of compromise: A large number of unique subdomain lookups under one parent domain, or unusually large queries and responses; long, high-entropy subdomain labels; uncommon query types such as TXT records (note that SPF and DKIM lookups are legitimate TXT traffic, so weigh TXT volume and label content rather than the record type alone).
Feeling overwhelmed? There is a lot of detail to absorb, and sustained process discipline is needed to put it into practice for 24/7 threat detection and response. Allow us to do the heavy lifting with our co-managed SIEM. Whether you use on-premises DNS such as Microsoft DNS Server or Infoblox, or cloud services from OpenDNS, we've got you covered. Check out our "Catch of the Day" to read true stories from our SOC in which we detected and thwarted cyber-attacks, including DNS-based threats.