In this lesson, we're going to focus on domain name system attacks. The domain name system, simply known as DNS, is a fundamental component of the internet that's responsible for translating human-friendly domain names into IP addresses that computers can understand. However, this critical role also makes it a prime target for cyber attacks. So let's explore some of the various types of DNS attacks, including DNS cache poisoning, DNS amplification attacks, DNS tunneling, domain hijacking, and DNS zone transfer attacks, and some of the mitigation strategies for each of these types.

First, we have DNS cache poisoning. DNS cache poisoning, also known as DNS spoofing, involves corrupting the DNS cache data of a DNS resolver with false information. This leads the resolver to direct traffic to an incorrect IP address that was set up by the attacker, which will often be a malicious website. For example, an attacker could poison the DNS cache entry for a popular online banking website, and then cause the bank's users to be redirected to a fake site where their login credentials could be stolen by the attackers.
To prevent DNS cache poisoning, you should utilize DNSSEC, or the Domain Name System Security Extensions, to add a digital signature to your organization's DNS data so that its authenticity and integrity are confirmed during any DNS lookups. Also, you should implement secure network configurations and firewalls to protect your DNS from unauthorized access, to prevent DNS cache poisoning from occurring on your systems.

Second, we have DNS amplification attacks. In a DNS amplification attack, the attacker exploits the DNS resolution process to overwhelm a target system with DNS response traffic. The attacker sends a DNS query with the spoofed IP address of their victim to an open DNS server, which will then send back a large response to the victim's IP address. For example, if an attacker sends a small query to an open DNS server and requests a large amount of data, like the entire list of hosts in a domain, this would then be sent to the victim's IP address, which in turn causes a flood of unwanted traffic that looks like a denial of service attack against that victimized system.
One way to mitigate DNS amplification attacks is to limit the size of DNS responses, or to rate limit any DNS response traffic, to reduce the impact of this kind of an attack.

Third, we have DNS tunneling. Now, DNS tunneling involves using the DNS protocol to encapsulate non-DNS traffic, such as HTTP or SSH, over port 53 in an attempt to bypass the organization's firewall rules so that an attacker can conduct command and control or data exfiltration. DNS tunneling is actually a legitimate technique, but it is often exploited by attackers for their own malicious purposes. For example, an attacker could use DNS tunneling to bypass a company's firewall and exfiltrate sensitive organizational data. Since DNS requests are usually allowed to pass through a firewall without inspection, DNS tunneling is quite effective for sneaking data out of a given network. For this reason, it's important that you regularly monitor and analyze your DNS logs for any signs of unusual patterns of behavior that could indicate DNS tunneling has been occurring.

Fourth, we have domain hijacking.
Now, domain hijacking, also known as domain theft, involves changing the registration of a domain name without the permission of the original domain's registrant. Domain hijacking can lead to a loss of control over a website and potential redirection to a malicious website in place of the organization's real website. For example, if an attacker could hijack a popular e-commerce website's domain like amazon.com, they could redirect all of Amazon's traffic to a fake site where a customer's payment information could be stolen. The best defense against domain hijacking is really to conduct regular updates and ensure your account registration information is secure. Additionally, you should use the domain registry lock services that are available to you to prevent any unauthorized changes to your domain registrations, in order to prevent domain hijacking from occurring in the first place.

Fifth and finally, we have DNS zone transfer attacks.
In a DNS zone transfer attack, the attacker is going to try to get a copy of the entire DNS zone data, which includes all the DNS records for a domain, by pretending to be an authorized system that is making that request. This type of attack can expose sensitive information about the network infrastructure of a domain, and it could be used as part of reconnaissance for a future attack that's being planned against a given organization.

So remember, DNS attacks are designed to exploit the domain name service's vulnerabilities in order to disrupt service, steal information, or redirect a website's traffic. DNS cache poisoning involves corrupting a DNS resolver's cache, and DNS amplification attacks are going to use DNS resolution processes to flood a target with traffic to create a denial of service type of condition. DNS tunneling is going to be used to bypass firewall rules and to conduct data exfiltration. Domain hijacking will involve unauthorized changes to the domain's registration. And a DNS zone transfer attack tries to get a copy of the domain's DNS zone data.
By understanding how these attacks are performed, you're going to be better able to put mechanisms in place to prevent and mitigate them from happening on your networks.
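The lesson's advice on DNS tunneling is to monitor and analyze DNS logs for unusual patterns. The following Python script is an added example of what such an analysis can look like; it is not part of the lesson or its author's material. It assumes a simple resolver log format of `<timestamp> <client_ip> <qtype> <qname>` (an assumption; real resolver logs differ), uses a constructed sample log in which one client issues a burst of TXT queries with long, high-entropy labels, and treats the last two labels of a name as the registered domain (a simplification; production code would consult a public-suffix list). The thresholds are illustrative starting points to be tuned against a baseline of your own traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not taken from the lesson). Assumed format:
#   <timestamp> <client_ip> <qtype> <qname>
# Client 10.0.0.7 sends many TXT queries whose leftmost label carries 32 hex
# characters, the shape tunnelling tools produce; the rest is ordinary lookups.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 A www.example.com
2024-05-01T10:00:02Z 10.0.0.5 A mail.example.com
2024-05-01T10:00:03Z 10.0.0.5 AAAA cdn.example.com
2024-05-01T10:00:04Z 10.0.0.9 A login.bank-example.org
2024-05-01T10:00:05Z 10.0.0.7 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.exfil-test.net
2024-05-01T10:00:05Z 10.0.0.7 TXT f1e2d3c4b5a69788796a5b4c3d2e1f00.t.exfil-test.net
2024-05-01T10:00:06Z 10.0.0.7 TXT 1e2d3c4b5a69788796a5b4c3d2e1f00f.t.exfil-test.net
2024-05-01T10:00:06Z 10.0.0.7 TXT e2d3c4b5a69788796a5b4c3d2e1f00f1.t.exfil-test.net
2024-05-01T10:00:07Z 10.0.0.7 TXT 2d3c4b5a69788796a5b4c3d2e1f00f1e.t.exfil-test.net
2024-05-01T10:00:07Z 10.0.0.7 TXT d3c4b5a69788796a5b4c3d2e1f00f1e2.t.exfil-test.net
"""

# Illustrative thresholds (assumptions); tune them against your own baseline traffic.
MAX_QNAME_LEN = 40          # legitimate names are rarely this long
ENTROPY_THRESHOLD = 3.5     # bits per character; hex/base32 payload labels score near 4
SUSPICIOUS_QTYPES = {"TXT", "NULL"}  # record types with room for a large payload
MIN_UNIQUE_SUBDOMAINS = 5   # many never-repeated names under one domain from one client

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped instead of aborting the job."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain_labels, registered_domain). Assumption: the registered domain
    is the last two labels, which is wrong for suffixes such as co.uk."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def query_indicators(qname, qtype):
    """Per-query signs of tunnelling; returns the names of the indicators that fired."""
    sub_labels, _ = split_name(qname)
    reasons = []
    if len(qname) > MAX_QNAME_LEN:
        reasons.append("long_qname")
    if sub_labels:
        longest = max(sub_labels, key=len)
        if shannon_entropy(longest) > ENTROPY_THRESHOLD:
            reasons.append("high_entropy_label")
    if qtype.upper() in SUSPICIOUS_QTYPES:
        reasons.append("payload_qtype")
    return reasons


def detect_tunneling(records, min_unique=MIN_UNIQUE_SUBDOMAINS):
    """Aggregate per (client, registered domain) and report pairs that combine a volume
    signal (many unique subdomains) with per-query indicators on at least half the queries.
    Returns {(client, domain): sorted list of indicator names}."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "flagged": 0, "reasons": set()})
    for r in records:
        sub_labels, domain = split_name(r["qname"])
        st = stats[(r["client"], domain)]
        st["queries"] += 1
        st["subs"].add(".".join(sub_labels))
        reasons = query_indicators(r["qname"], r["qtype"])
        if reasons:
            st["flagged"] += 1
            st["reasons"].update(reasons)
    findings = {}
    for key, st in stats.items():
        volume = len(st["subs"]) >= min_unique
        majority = st["flagged"] / st["queries"] >= 0.5
        if volume and majority:
            findings[key] = sorted(st["reasons"] | {"many_unique_subdomains"})
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in detect_tunneling(parse_log(SAMPLE_LOG)).items():
        print(f"possible DNS tunnelling: client={client} domain={domain} indicators={reasons}")
```

Run on the sample, the script reports only the `10.0.0.7` / `exfil-test.net` pair; the three distinct `example.com` lookups from `10.0.0.5` never reach the volume threshold and carry no per-query indicators. Requiring both a volume signal and per-query indicators keeps a single long CDN or anti-spam TXT lookup from raising an alert on its own; in practice you would also whitelist domains that legitimately generate such names (CDNs, telemetry, mail reputation services) after reviewing them.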