[EN] List of different types of security errors in DNS
In an internal training, we discussed various threats to DNS. Below is a list that may be of use to someone:
Taking over access to the domain management panel
Taking over access to the domain management panel can occur through various means such as bruteforce or phishing. These attacks aim to gain unauthorized access to the management panel, allowing the attacker to control the domain settings.
Breaking into a DNS registrar infrastructure
Breaking into a DNS registrar using advanced persistent threats (APT) or exploiting panel vulnerabilities can result in the attacker gaining access to sensitive information such as domain login credentials.
Hacking into the organization supervising TLD domains
Hacking into the organization supervising TLD domains, such as NASK in Poland, can lead to a large-scale DNS attack affecting multiple domains.
Taking over a non-renewed domain
It involves attackers exploiting the fact that the domain owner failed to renew their registration, allowing the attacker to register the domain themselves.
Addresses pointing to NS out of date
Can also occur through outdated addresses pointing to name servers addresses. Attackers can exploit this weakness by hijacking the NS records and redirecting traffic to their own malicious sites.
OS server takeover
Operation System - command execution can result in attackers gaining control of the DNS infrastructure.
Attack can allow attackers to intercept and modify traffic between a user and a DNS server.
Denial of Service
Disruptions to online services. These attacks aim to overwhelm DNS servers with traffic, rendering them unable to respond to legitimate requests.
Zone export misconfiguration (access for everyone)
Can result in unintended access to DNS information. This can occur when DNS zone configuration allows access to everyone, potentially exposing sensitive information.
Can expose sensitive information such as: internal IP addresses, software version (CHAOS), revDNS vhost and data from TXT records. This information can be used to launch further attacks.
Amplify the amount of traffic directed at a target, causing a denial of service (DoS) attack. Attackers can exploit vulnerable DNS servers using techniques such as DNS reflection or DNS amplification.
TTL length in DNS entries can affect the time it takes for DNS changes to propagate. Longer TTLs can make it harder to respond quickly to incidents, while shorter TTLs can result in increased traffic and potential availability issues.
Data exfiltration can occur through DNS queries or by manipulating DNS responses to send sensitive information to attackers. This can allow attackers to steal data without being detected.
Buying similar domains, and homoglyph attacks can be used to trick users into visiting malicious sites or providing sensitive information.
Autocomplete search like badWPAD vulnerability
Autocomplete search vulnerabilities like badWPAD can allow attackers to intercept traffic and redirect users to malicious sites. This can occur through DNS resolution, allowing attackers to steal sensitive information.
Tunnel over DNS
Tunnel over DNS attacks can be used to bypass network security controls by using DNS queries to transmit data.
Secondary DNS in the same network
Secondary DNS servers located in the same place can lead to availability issues in the event of an attack or outage. It is recommended to have secondary DNS servers in different locations to ensure redundancy and availability.
Cache poisoning/DNS snooping
This attacks can exploit vulnerabilities in DNS caching to manipulate DNS responses and redirect users to malicious sites.
DNS rebinding attacks can exploit vulnerabilities in web browsers to bypass security controls and access sensitive information.
AP/router takeover attacks can allow attackers to reconfigure DNS settings and redirect traffic to malicious sites. This can occur through vulnerabilities in network devices, such as routers or access points.
Malware on workstation
Malware on workstations can be used to manipulate DNS settings or intercept traffic to steal sensitive information or deliver further attacks.
Open resolver vulnerabilities can allow attackers to exploit DNS servers to launch DDoS amplification attacks.
Zone update misconfiguration
DNS zone update misconfiguration can lead to unintended changes to DNS entries. It depends on wrong access list configuration in DNS software.
DNS blackholing on TLD level
If, by chance or attack, the real domain gets on the list of banned domains (e.g. there may be a law at the country level that prohibits access to gambling sites), this may cause an accessibility problem.
DNS software vulnerability
DNS software vulnerabilities can be exploited by attackers to gain unauthorized access to DNS servers.
DNS misconfiguration (SPF old IP address)
DNS misconfiguration, such as using old IP addresses in SPF records, can lead to unintended consequences and potential security vulnerabilities.
TLS/SSL certificate registration
Information leak in process of registering TLS/SSL certificate.
Cache - privacy
Information leakage consisting in obtaining knowledge whether a given domain is in the cache of the DNS server.
It is easy to use a brute force attack to check thousands of subdomains.
For example - marketing agency is creating websites and they registers domain for their data (not the customers data).