DNS Open Resolver Attacks
Many organizations use the services of publicly open DNS servers such as GoogleDNS (8.8.8.8) to
provide responses to queries. This type of DNS server is called an open resolver. A DNS open resolver
answers queries from clients outside of its administrative domain. DNS open resolvers are vulnerable
to multiple malicious activities described in the table.
DNS Resolver Vulnerabilities and Descriptions

DNS cache poisoning attacks: Threat actors send spoofed, falsified resource record (RR)
information to a DNS resolver to redirect users from legitimate sites to malicious sites. DNS
cache poisoning attacks can also be used to inform the DNS resolver to use a malicious name
server that is providing RR information for malicious activities.

DNS amplification and reflection attacks: Threat actors use DoS or DDoS attacks on DNS open
resolvers to increase the volume of attacks and to hide the true source of an attack. Threat
actors send DNS messages to the open resolvers using the IP address of a target host. These
attacks are possible because the open resolver will respond to queries from anyone asking a
question.

DNS resource utilization attacks: A DoS attack that consumes the resources of the DNS open
resolvers. This DoS attack consumes all the available resources to negatively affect the
operations of the DNS open resolver. The impact of this DoS attack may require the DNS open
resolver to be rebooted or services to be stopped and restarted.
DNS Stealth Attacks
To hide their identity, threat actors also use the DNS stealth techniques described in the table to
carry out their attacks.
DNS Stealth Techniques and Descriptions

Fast Flux: Threat actors use this technique to hide their phishing and malware delivery sites
behind a quickly-changing network of compromised DNS hosts. The DNS IP addresses are
continuously changed within minutes. Botnets often employ Fast Flux techniques to effectively
hide malicious servers from being detected.

Double IP Flux: Threat actors use this technique to rapidly change the hostname to IP address
mappings and to also change the authoritative name server. This increases the difficulty of
identifying the source of the attack.

Domain Generation Algorithms: Threat actors use this technique in malware to randomly generate
domain names that can then be used as rendezvous points to their command and control (C&C)
servers.
DNS Domain Shadowing Attacks
Domain shadowing involves the threat actor gathering domain account credentials in order to
silently create multiple sub-domains to be used during the attacks. These subdomains typically point
to malicious servers without alerting the actual owner of the parent domain.
DNS Tunneling
Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often
circumvents security solutions when a threat actor wishes to communicate with bots inside a protected
network, or exfiltrate data from the organization, such as a password database. When the threat actor
uses DNS tunneling, the different types of DNS records are altered. This is how DNS tunneling works
for CnC commands sent to a botnet:
1. The command data is split into multiple encoded chunks.
2. Each chunk is placed into a lower level domain name label of the DNS query.
3. Because there is no response from the local or networked DNS for the query, the request is sent to
the ISP’s recursive DNS servers.
4. The recursive DNS service will forward the query to the threat actor’s authoritative name server.
5. The process is repeated until all the queries containing the chunks are sent.
6. When the threat actor’s authoritative name server receives the DNS queries from the infected
devices, it sends responses for each DNS query, which contain the encapsulated, encoded CnC
commands.
7. The malware on the compromised host recombines the chunks and executes the commands hidden
within the DNS record.
To stop DNS tunneling, the network administrator must use a filter that inspects DNS traffic. Pay
close attention to DNS queries that are longer than average, or those that have a suspicious domain
name. DNS solutions, like Cisco OpenDNS, block much of the DNS tunneling traffic by identifying
suspicious domains.
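As an added illustration of the filtering advice above (not part of the original course text), the following Python script applies the two signals the text names, longer-than-average queries and suspicious names, to a constructed query log and groups hits by parent domain, so that the chunk-per-query pattern from the seven-step tunneling description shows up as many distinct subdomains under one domain. The log lines, the `bad-tunnel.test` domain and the thresholds are assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Constructed sample query log (client IP, queried name); not from any real capture.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 e3b0c44298fc1c149afbf4c8996fb92427ae41e4.x.bad-tunnel.test
10.0.0.7 649b934ca495991b7852b855e3fda6cb1f65e7d6.x.bad-tunnel.test
10.0.0.7 7e2f1c3a9b8d4e5f6a1b2c3d4e5f6a7b8c9d0e1f.x.bad-tunnel.test
10.0.0.9 cdn.example.net
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of one DNS label; encoded chunks score higher than words."""
    if not label:
        return 0.0
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def parent_domain(qname: str) -> str:
    """Approximate the registered domain as the last two labels (assumption)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def query_reasons(qname: str, max_len=52, max_labels=4, min_entropy=3.5) -> list:
    """Per-query heuristics: long name, many labels, high-entropy leftmost label."""
    labels = qname.rstrip(".").split(".")
    reasons = []
    if len(qname) > max_len:
        reasons.append("long_qname")
    if len(labels) > max_labels:
        reasons.append("many_labels")
    if shannon_entropy(labels[0]) >= min_entropy:
        reasons.append("high_entropy_label")
    return reasons

def detect_tunneling(log_text: str, min_chunks: int = 3) -> dict:
    """Map each parent domain to the number of distinct suspicious subdomains it
    received; domains at or above min_chunks look like chunked payload carriers."""
    chunks = defaultdict(set)
    for line in log_text.splitlines():
        _client, qname = line.split()
        if query_reasons(qname):
            chunks[parent_domain(qname)].add(qname.split(".")[0])
    return {dom: len(s) for dom, s in chunks.items() if len(s) >= min_chunks}

if __name__ == "__main__":
    print(detect_tunneling(SAMPLE_LOG))  # {'bad-tunnel.test': 3}
```

On real logs the thresholds need tuning against the organization's own baseline, and CDN or anti-spam lookups that legitimately use long hashed labels should be allow-listed by parent domain.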