[EN] List of different types of security errors in DNS

In an internal training, we discussed various threats to DNS. Below is a list that may be of use to someone:

Taking over access to the domain management panel

Taking over access to the domain management panel (at the registrar or the DNS hosting provider) can happen through bruteforce, credential stuffing or phishing of the account owner. Whoever controls the panel controls the NS records and the zone itself, so the whole domain, including its mail, follows. MFA on the account and a registrar lock on the domain are the basic protections.

Breaking into the registrar's infrastructure

Breaking into the registrar itself, through an APT-style intrusion or a vulnerability in its customer panel, gives the attacker sensitive data such as customers' login credentials, or direct access to the delegation data of many domains at once.

Hacking into the organization operating a TLD

Hacking into the organization that operates a top-level domain registry, such as NASK in Poland (.pl), can lead to a large-scale DNS attack affecting every domain under that TLD.

Taking over a non-renewed domain

Attackers exploit the fact that the domain owner failed to renew the registration and register the domain themselves once it drops. They then receive the domain's mail and traffic, and any records in other zones (NS, CNAME, MX) that still point to the old name follow them.

NS records pointing to outdated addresses

A zone can also be hijacked through a stale delegation: NS records pointing to a nameserver hostname whose domain has expired, or to an address that no longer belongs to the organization. Whoever registers that hostname's domain (or obtains the address) becomes authoritative for the zone and can answer queries with whatever records they like.

Server OS takeover

Command execution on the operating system of the server running the DNS software (through another service on the same host, a stolen admin credential or an unpatched OS) gives the attacker control of the DNS infrastructure: the zone files, the keys, and the ability to answer any query.

IP Spoofing/MitM

Plain DNS is unauthenticated UDP, so an attacker who can spoof the resolver's source address, or who sits on the path between a user and a DNS server, can intercept, read and modify queries and responses. DNSSEC validation (and DoT/DoH between client and resolver) are the countermeasures.

Denial of Service

Attacks that overwhelm authoritative or recursive DNS servers with traffic until they stop responding to legitimate queries. Because almost every other service depends on name resolution, the outage is felt far beyond DNS itself.

Zone transfer misconfiguration (access for everyone)

A server that allows zone transfers (AXFR) from any address lets anyone download the complete zone: every hostname, the internal naming scheme and often internal addresses. Transfers should be limited to the addresses of the secondary servers, or protected with TSIG.

Information leakage

DNS can expose sensitive information such as internal IP addresses, the software version (a TXT query for version.bind in the CHAOS class), hostnames in reverse DNS (PTR records that reveal virtual hosts) and data in TXT records (SPF, DKIM, domain-verification tokens that name the third-party services in use). This information is used to plan further attacks.

DDoS amplification

DNS amplification abuses the fact that a small spoofed query (e.g. for ANY, DNSKEY or a large TXT record, with a large EDNS0 buffer) produces a response many times larger, and that UDP lets the attacker put the victim's address as the source. Open resolvers and authoritative servers with large records are both used as reflectors. Response rate limiting (RRL) on the server and egress filtering of spoofed packets (BCP 38) are the usual mitigations.

TTL length

The TTL of DNS entries determines how long resolvers cache them and therefore how long a change takes to propagate. Long TTLs make it hard to respond quickly to an incident (a compromised or failed address stays cached), while very short TTLs increase the query load on the authoritative servers and make the service more sensitive to their outages. A common compromise is to lower the TTL before a planned change and raise it again afterwards.

Data exfiltration

Data can be exfiltrated by encoding it into the labels of DNS queries for a domain whose authoritative server the attacker controls: the internal resolver forwards the query even when the workstation has no direct internet access. Responses from that server can carry data the other way. Because DNS traffic is rarely inspected, this often goes unnoticed.

Phishing

Registering look-alike domains (typosquats, the same name under another TLD, the brand as a subdomain of an unrelated domain) and homoglyph attacks (IDN labels using characters that look like Latin letters) are used to trick users into visiting malicious sites or entering their credentials.
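A small classifier for the look-alike and homoglyph cases above, added here as an example (not code from the original post). It decodes punycode so that IDN look-alikes become visible, maps confusable characters to a Latin "skeleton" the way Unicode TR39 does, and then compares the candidate with the brand domain. The confusables table is a constructed, deliberately short sample; the brand and candidate domains are assumptions for the example.

```python
import unicodedata

# Constructed mapping of a few common confusable characters to their Latin
# look-alikes; a production tool would load the full Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",   # Cyrillic с х у ӏ
    "\u0131": "i", "\u0142": "l", "\u2113": "l",                  # ı ł ℓ
    "0": "o", "1": "l",                                           # digits used as letters
}

def decode_idn(domain):
    """Turn punycode labels (xn--...) into Unicode so look-alikes become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain            # already Unicode (or not valid punycode): use as-is

def skeleton(domain):
    """Map every character to its plain-Latin look-alike; two domains with the
    same skeleton look identical to a user."""
    text = unicodedata.normalize("NFKC", decode_idn(domain)).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def edit_distance(a, b):
    """Levenshtein distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate, brand):
    """Classify a domain seen in logs or CT feeds relative to the brand domain."""
    cand, ref = skeleton(candidate), skeleton(brand)
    if candidate.lower() == brand.lower():
        return "legitimate"
    if cand == ref:
        return "homoglyph"          # identical once confusables are mapped
    if edit_distance(cand, ref) <= 1:
        return "typosquat"          # one keystroke away, e.g. aple.com, apple.co
    if ref.split(".")[0] in cand.replace("-", ".").split("."):
        return "brand-in-name"      # e.g. apple.com.login-verify.net
    return "unrelated"

if __name__ == "__main__":
    for name in ["apple.com", "xn--pple-43d.com", "app1e.com", "aple.com",
                 "apple.com.login-verify.net", "example.org"]:
        print(f"{name:30} {classify(name, 'apple.com')}")
```

xn--pple-43d.com is the punycode form of "аpple.com" with a Cyrillic а; the skeleton makes it equal to apple.com, which is exactly what a user's eyes do.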

DNS search suffix (badWPAD)

Clients append the configured search suffix to unqualified names, and auto-discovery mechanisms such as WPAD look up wpad.<search suffix>. When that suffix is a public domain the organization does not control (the badWPAD research), whoever registers the matching name answers the lookup, serves a proxy configuration and intercepts the client's web traffic, credentials included.

Tunnel over DNS

DNS tunnelling (tools such as iodine or dnscat2) carries arbitrary traffic inside DNS queries and responses, so it bypasses firewalls and proxies that let DNS through unfiltered. It is also used as a command-and-control channel by malware.
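Both the exfiltration and the tunnelling case leave the same trace in resolver logs: many distinct, long, high-entropy labels under one domain, often as TXT or NULL queries. The detector below is an added example (not from the original post) that runs those heuristics over a few constructed log lines; the log format "client qname qtype" and the thresholds are assumptions to adjust for a real resolver.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs, not real traffic: "client qname qtype".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 3a7f9c2e1b4d8e6f0a1b2c3d4e5f6a7b.t.evil-c2.net TXT
10.0.0.7 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t.evil-c2.net TXT
10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.evil-c2.net TXT
10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.t.evil-c2.net TXT
10.0.0.9 cdn.example.com A
"""

def shannon_entropy(text):
    """Bits per character: words score around 2-3, hex/base32 payloads close to 4-5."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname):
    """Last two labels. Real tooling should use the Public Suffix List so that
    host.co.uk is not reduced to 'co.uk'."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def parse_log(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower(), parts[2].upper()

def find_tunnels(log_text, max_label_len=30, max_entropy=3.5,
                 max_unique_names=3, odd_types=("TXT", "NULL")):
    """Return {domain: [reasons]} for domains whose queries look like a tunnel
    or exfiltration channel. A domain is reported only when two or more
    heuristics fire, which keeps CDNs and mail domains out of the list."""
    names, long_labels, high_entropy, odd = (defaultdict(set), defaultdict(int),
                                              defaultdict(int), defaultdict(int))
    for _client, qname, qtype in parse_log(log_text):
        dom = registrable_domain(qname)
        names[dom].add(qname)
        longest = max(qname.split("."), key=len)
        if len(longest) > max_label_len:
            long_labels[dom] += 1
        if shannon_entropy(longest) > max_entropy:
            high_entropy[dom] += 1
        if qtype in odd_types:
            odd[dom] += 1
    findings = {}
    for dom, seen in names.items():
        reasons = []
        if long_labels[dom]:
            reasons.append(f"{long_labels[dom]} queries with a label longer than {max_label_len}")
        if high_entropy[dom]:
            reasons.append(f"{high_entropy[dom]} queries with high-entropy labels")
        if len(seen) > max_unique_names:
            reasons.append(f"{len(seen)} distinct names under the domain")
        if odd[dom]:
            reasons.append(f"{odd[dom]} {'/'.join(odd_types)} queries")
        if len(reasons) >= 2:
            findings[dom] = reasons
    return findings

if __name__ == "__main__":
    for dom, reasons in find_tunnels(SAMPLE_LOG).items():
        print(dom + ":", "; ".join(reasons))
```

Requiring two heuristics matters: content-hash CDN hostnames have high-entropy labels, and a large mail provider has many TXT lookups, but neither shows all four signs at once.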

Secondary DNS in the same network

Secondary DNS servers placed in the same network or location as the primary share its failure domain: one outage, DDoS attack or network problem takes the whole domain offline. Secondaries should be in a different network, ideally at a different provider, to ensure redundancy and availability.
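A delegation check covering both the stale NS record case (an NS hostname that no longer resolves, the takeover candidate described above) and the "all secondaries in one network" case, added here as an example (not code from the original post). Resolution is injected as a function so the check can run offline against the constructed answers below; with the default system resolver it checks real delegations. The zone names, nameserver names and addresses are assumptions.

```python
import ipaddress
import socket

def system_resolve(host):
    """Resolve with the OS resolver; [] means the name does not exist."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 53)})
    except socket.gaierror:
        return []

def check_delegation(zone, ns_hosts, resolve=system_resolve):
    """ns_hosts: the NS names delegated for the zone (as returned by the parent,
    e.g. `dig +norecurse NS zone @<tld server>`). Returns a list of findings."""
    findings = []
    if len(ns_hosts) < 2:
        findings.append(f"{zone}: only {len(ns_hosts)} nameserver(s) delegated")
    networks, resolved = {}, 0
    for host in ns_hosts:
        ips = resolve(host)
        if not ips:
            findings.append(f"{zone}: NS {host} does not resolve; if its domain has "
                            f"expired, whoever registers it becomes authoritative for {zone}")
            continue
        resolved += 1
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            prefix = 24 if addr.version == 4 else 48          # coarse "same network" test
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            networks.setdefault(net, set()).add(host)
    if resolved >= 2 and len(networks) == 1:
        net = next(iter(networks))
        findings.append(f"{zone}: all nameservers sit in {net}; one outage or DDoS "
                        "takes the whole zone offline")
    return findings

# Constructed answers for an offline run (not real data).
FAKE_DNS = {
    "ns1.example.net": ["192.0.2.10"],
    "ns2.example.net": ["192.0.2.11"],
    "ns1.provider-a.example": ["198.51.100.5", "2001:db8::5"],
    "ns2.provider-b.example": ["203.0.113.5"],
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    cases = [("example.com", ["ns1.example.net", "ns2.example.net", "ns.expired-host.example"]),
             ("example.org", ["ns1.provider-a.example", "ns2.provider-b.example"])]
    for zone, hosts in cases:
        for finding in check_delegation(zone, hosts, fake_resolve) or [f"{zone}: OK"]:
            print(finding)
```

A complete check would also send an SOA query to each nameserver and require an authoritative (AA) answer for the zone, which catches lame delegations where the host exists but does not serve the zone.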

Cache poisoning/DNS spoofing

These attacks inject forged records into a resolver's cache, for example by guessing the transaction ID and source port of an outstanding query (the Kaminsky attack) or by spoofing responses on the path. Every client of the poisoned resolver is then redirected to the attacker's addresses until the entry expires. Source port randomization and DNSSEC validation are the countermeasures.

DNS rebinding

In DNS rebinding the attacker's domain first resolves to the attacker's server and then, thanks to a short TTL, to an internal address such as 127.0.0.1 or the router. The browser's same-origin policy still treats it as the same origin, so script from the attacker's page can talk to internal services that trust the LAN. Resolvers can be configured to refuse answers with private addresses for external names.
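The resolver-side defence mentioned above, written out as an added example (not from the original post): drop any answer in which an external name maps to a loopback, link-local or private address, the behaviour of dnsmasq's --stop-dns-rebind and unbound's private-address option. The internal suffix and the domain names are assumptions for the example.

```python
import ipaddress

# Zones where internal addresses are legitimate (split-horizon DNS); assumed for
# this example, adjust to your own internal domain.
INTERNAL_SUFFIXES = (".corp.example",)

def is_rebinding_answer(qname, addresses):
    """True when an external name resolves to an address inside our network.
    A resolver applying this check drops the second-stage answer of a rebinding
    attack before the browser ever sees it."""
    qname = qname.rstrip(".").lower()
    if qname.endswith(INTERNAL_SUFFIXES):
        return False
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 hides a private IPv4 address
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            return True
    return False

def filter_answers(qname, addresses):
    """All-or-nothing: if any address is internal the whole answer is dropped,
    so mixing one public and one private address does not get around the check."""
    return [] if is_rebinding_answer(qname, addresses) else list(addresses)

if __name__ == "__main__":
    for name, answer in [("attacker.example", ["8.8.8.8"]),
                         ("attacker.example", ["8.8.8.8", "127.0.0.1"]),
                         ("attacker.example", ["::ffff:192.168.1.1"]),
                         ("printer.corp.example", ["10.1.2.3"])]:
        print(name, answer, "->", filter_answers(name, answer))
```

Note that Python's is_private also covers the RFC 5737 documentation ranges (192.0.2.0/24 etc.), which is fine for this purpose: they should never appear in a real answer either.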

AP/router takeover

Taking over an access point or router (default credentials, vulnerabilities in its firmware) lets the attacker change the DNS servers the device hands out through DHCP, so every client on the network resolves through the attacker and can be redirected to malicious sites.

Malware on workstation

Malware on a workstation can change the resolver settings, edit the hosts file or intercept queries locally in order to redirect traffic, steal sensitive information or deliver further attacks.

Open resolver

A recursive resolver that answers queries from the whole internet (an open resolver) is abused as a reflector in DDoS amplification attacks and is an easier target for cache poisoning. Recursion should be limited to the organization's own networks.

Zone update misconfiguration

Dynamic DNS updates accepted from the wrong addresses, i.e. an allow-update access list in the DNS software that is too broad, or updates not protected by a TSIG key, allow unintended (or malicious) changes to the entries in the zone.
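Zone transfers, dynamic updates and open recursion are all one access list each in BIND, so the three misconfigurations are shown together here in a named.conf fragment, weak settings beside the corrected ones. This is an added example and not configuration from the original post; the zone name, ACL addresses and key name are assumptions, and "type primary" is the BIND 9.16+ spelling of "type master".

```conf
// --- Weak (the three findings above in one file) ---
options {
    recursion yes;                    // recurses for anyone: open resolver
    allow-transfer { any; };          // AXFR for anyone: whole zone leaks
};
zone "example.com" {
    type primary;
    file "example.com.zone";
    allow-update { any; };            // anyone can rewrite records
};

// --- Corrected (authoritative server; recursion belongs on a separate resolver) ---
acl secondaries { 198.51.100.5; 203.0.113.5; };     // assumed secondary addresses
acl internal    { 10.0.0.0/8; 192.168.0.0/16; localhost; };
key "ddns-key" {                                    // assumed key name; generate with tsig-keygen
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};
options {
    recursion no;                     // or: recursion yes; allow-recursion { internal; };
    allow-transfer { none; };         // default for every zone, opened per zone below
    version "not available";          // hides the answer to version.bind CH TXT
    rate-limit { responses-per-second 10; };   // RRL against amplification abuse
};
zone "example.com" {
    type primary;
    file "example.com.zone";
    allow-transfer { secondaries; };
    update-policy { grant ddns-key zonesub ANY; };  // updates only with the TSIG key
};
```

After the change, `dig AXFR example.com @server` from an address outside the ACL must return "Transfer failed.", and `dig +short CH TXT version.bind @server` must return the replacement string rather than the real version.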

DNS blackholing on TLD level

If, by mistake or by attack, a real domain lands on a list of banned domains (for example, some countries have laws requiring access to unlicensed gambling sites to be blocked at the DNS level), it becomes unreachable for the users of every resolver that enforces the list.

DNS software vulnerability

Vulnerabilities in the DNS software itself (BIND, PowerDNS, Unbound, Windows DNS and others) can be exploited to crash the server (denial of service) or to execute code on it and gain unauthorized access to the DNS infrastructure.

DNS misconfiguration (SPF old IP address)

DNS misconfiguration, such as an SPF record that still lists an IP address, or an include: of a mail provider, that the organization no longer uses, means that whoever now controls that address or provider can send mail that passes SPF for the domain. Records should be reviewed whenever addresses or providers change.
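An SPF audit that catches the stale-address case above, plus the related mistakes (an include: of a provider no longer used, a "+all", and more than ten DNS-querying terms, which makes the record a permerror). This is an added example, not code from the original post; the owned networks, the provider list and the record are constructed, and in practice the record comes from `dig +short TXT example.com` and the inventory from IPAM.

```python
import ipaddress

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # each costs a DNS lookup

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, argument, is_modifier) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                                 # default qualifier is pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if "=" in term and ":" not in term:        # modifier: redirect=, exp=
            name, _, arg = term.partition("=")
            parsed.append((qual, name.lower(), arg, True))
        else:                                      # mechanism: ip4:, include:, mx, all ...
            name, _, arg = term.partition(":")
            parsed.append((qual, name.lower().split("/")[0], arg, False))
    return parsed

def audit_spf(domain, record, owned_networks, current_providers):
    """Flag addresses the organization no longer owns, includes of providers no
    longer used, '+all'/'?all', and the 10-lookup limit (permerror)."""
    owned = [ipaddress.ip_network(n) for n in owned_networks]
    findings, lookups = [], 0
    for qual, name, arg, _is_modifier in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if not any(net.subnet_of(o) for o in owned if o.version == net.version):
                findings.append(f"{name}:{arg} is not in a network {domain} currently owns")
        elif name == "include" and arg not in current_providers:
            findings.append(f"include:{arg} is not a mail provider currently in use")
        elif name == "ptr":
            findings.append("ptr mechanism is deprecated (slow and unreliable)")
        elif name == "all" and qual in ("+", "?"):
            findings.append(f"'{qual}all' lets any sender pass SPF")
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings

# Constructed inventory and record for an offline run (not real data).
OWNED = ["198.51.100.0/24", "2001:db8:1::/48"]
PROVIDERS = {"_spf.google.com"}
OLD_RECORD = ("v=spf1 ip4:198.51.100.10 ip4:203.0.113.0/24 ip6:2001:db8:1::/64 "
              "include:_spf.google.com include:spf.old-mailer.example ~all")

if __name__ == "__main__":
    for finding in audit_spf("example.com", OLD_RECORD, OWNED, PROVIDERS):
        print("-", finding)
```

The include: check is the one most often missed: the provider's own SPF record is fetched at verification time, so a forgotten include: hands control of "who may send as us" to a company the organization may not even have a contract with anymore.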

TLS/SSL certificate registration

Publicly trusted CAs log every certificate they issue in Certificate Transparency logs, so requesting a certificate for a new hostname publishes that name (a staging system, an unannounced product) before it goes live. Attackers monitor the logs for new names, the same way defenders monitor them for look-alike domains.

Cache snooping (privacy)

An information leak in which someone checks whether a given name is already in a resolver's cache, for example by sending a non-recursive query (RD bit cleared): an answer means a user of that resolver recently visited the domain.
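The CHAOS version query from the "Information leakage" section and the non-recursive cache-snooping probe above are the same packet with two fields changed, so one minimal DNS encoder/decoder serves both; it is added here as an example and is not code from the original post. It builds the 12-byte header and question by hand, parses answers including compression pointers, and checks the transaction ID of the reply. The network function needs a real server; the reply used offline is constructed in the block and labelled as such.

```python
import random
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
QCLASS = {"IN": 1, "CH": 3}              # class CH (CHAOS) carries version.bind

def encode_name(name):
    """Dotted name -> DNS wire labels: <len><bytes>...<0>."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype="A", qclass="IN", rd=True, txid=None):
    """12-byte header + one question. rd=False asks the server not to recurse."""
    txid = random.getrandbits(16) if txid is None else txid
    flags = 0x0100 if rd else 0x0000      # RD is the 0x0100 bit of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], QCLASS[qclass])

def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    for _ in range(128):                  # bounded so a pointer loop cannot hang us
        length = msg[offset]
        if length & 0xC0 == 0xC0:         # two-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    else:
        raise ValueError("malformed name")
    return ".".join(labels), (end if jumped else offset)

def parse_response(msg):
    """Flags and answer records of a DNS message as a dict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
           "ra": bool(flags & 0x0080), "answers": []}
    offset = 12
    for _ in range(qd):                   # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 16:                   # TXT: one or more <len><chars> strings
            value, i = "", 0
            while i < len(rdata):
                value += rdata[i + 1:i + 1 + rdata[i]].decode("ascii", "replace")
                i += 1 + rdata[i]
        elif rtype == 1 and rdlen == 4:   # A
            value = socket.inet_ntoa(rdata)
        elif rtype in (2, 5, 12):         # NS, CNAME, PTR: a (maybe compressed) name
            value, _ = read_name(msg, offset)
        else:
            value = rdata.hex()
        offset += rdlen
        out["answers"].append((name, rtype, ttl, value))
    return out

def query(server, name, qtype="A", qclass="IN", rd=True, timeout=3.0):
    """One UDP query to server:53, reply parsed (this one needs the network)."""
    q = build_query(name, qtype, qclass, rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction ID mismatch")   # spoofed or stray reply
    return resp

def version_leak(server):             # information leakage: TXT version.bind, class CH
    return [a[3] for a in query(server, "version.bind", "TXT", "CH")["answers"]]

def is_cached(server, name):          # cache snooping: RD=0 is answered only from cache
    r = query(server, name, "A", rd=False)
    return r["rcode"] == 0 and bool(r["answers"])

def constructed_version_response(txid=0x1234, version="9.18.24"):
    """Hand-built reply to 'version.bind TXT CH' so the parser can be exercised
    offline; constructed here, not captured from a real server."""
    q = build_query("version.bind", "TXT", "CH", txid=txid)
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)     # QR, AA, RD, RA set
    txt = version.encode("ascii")
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 16, 3, 0, len(txt) + 1) + bytes([len(txt)]) + txt
    return header + q[12:] + rr
```

The same parse_response also answers the open-resolver question from the "Open resolver" section: a reply to a foreign name with RA set and a NOERROR answer means the server recursed for an outside client. A cached answer in the snooping probe arrives without AA, while a real authoritative reply has it.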

Subdomain bruteforce

It is easy to use a brute force attack to check thousands of candidate subdomains from a wordlist per minute; names like vpn, dev, test or staging are found this way and often point at less protected systems.
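A wordlist brute-forcer with the one check that separates a useful run from a useless one: a wildcard record (*.example.com) answers every guess, so the tool first resolves a few random labels and ignores any address they return. This is an added example, not code from the original post; the fake zones are constructed so that it runs offline, and the wordlist and domain are assumptions.

```python
import random
import socket
import string
from concurrent.futures import ThreadPoolExecutor

def system_resolve(name):
    """Resolve with the OS resolver; [] means NXDOMAIN or no address."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def wildcard_addresses(domain, resolve, probes=3):
    """Resolve a few random labels first: if they get answers, the zone has a
    wildcard record and every guess would look like a hit."""
    found = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        found.update(resolve(f"{label}.{domain}"))
    return found

def brute_subdomains(domain, wordlist, resolve=system_resolve, workers=20):
    """Return {fqdn: [addresses]} for wordlist entries that exist, ignoring
    addresses that belong to a wildcard."""
    wild = wildcard_addresses(domain, resolve)
    def probe(word):
        name = f"{word}.{domain}"
        ips = [ip for ip in resolve(name) if ip not in wild]
        return (name, ips) if ips else None
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = [hit for hit in pool.map(probe, wordlist) if hit]
    return dict(hits)

# Constructed fake zone so the tool can be exercised offline (not real data).
FAKE_ZONE = {"www.example.com": ["192.0.2.1"], "vpn.example.com": ["192.0.2.7"],
             "dev.example.com": ["192.0.2.9"]}

def fake_resolve(name):
    return FAKE_ZONE.get(name, [])

def fake_wildcard_resolve(name):          # same zone, but with *.example.com -> 192.0.2.250
    return FAKE_ZONE.get(name, ["192.0.2.250"])

if __name__ == "__main__":
    import sys
    words = ["www", "mail", "vpn", "dev", "test", "staging", "admin", "api"]
    if len(sys.argv) > 1:                 # real run: python3 brute.py example.com
        found = brute_subdomains(sys.argv[1], words)
    else:                                 # offline demo against the constructed wildcard zone
        found = brute_subdomains("example.com", words, fake_wildcard_resolve)
    for name, ips in sorted(found.items()):
        print(name, ", ".join(ips))
```

Real wordlists have tens of thousands of entries; the thread pool keeps the run in minutes, and sending it through your own resolver (the default here) means the target's authoritative servers see a normal recursive resolver, not your workstation.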

Ownership problem

For example, a marketing agency building a customer's website registers the domain with its own data rather than the customer's. The customer then does not legally own its own domain, and when the relationship ends or the agency disappears, the domain goes with it.

Written on March 8, 2023 by Borys Łącki

LogicalTrust sp. z o.o. sp. k., al. Aleksandra Brücknera 25-43, 51-411 Wrocław, Poland, EU
NIP: 8952177980, KRS: 0000713515