DNS stands for Domain Name System.[^1] It translates human-readable hostnames like “google.com” into IP addresses.[^1] ICANN coordinates the global namespace; domain names themselves are registered through accredited registrars.[^1] In a hostname the “.com” or “.gov” part is the top-level domain (TLD).[^1] There are 13 root server identities globally (each anycast across many physical instances); they do not resolve TLDs themselves but refer resolvers to the nameservers for each TLD.[^1] Authoritative nameservers for the zones below that are distributed, each managing only its own portion of the namespace.[^1] A DNS server caches entries so that subsequent lookups are faster.[^1] DNS is connectionless: it normally runs over UDP (port 53), falling back to TCP for large responses and zone transfers.[^1] Because a small query elicits a much larger response and the source address of a UDP datagram is trivially spoofed, DNS can be used in amplification attacks.[^1] Most organizations have at least two DNS servers, but some have more.[^2] Cloudflare and Google operate public recursive resolvers/forwarders.[^1] With a long Time To Live (TTL) setting, a poisoned record can persist in, and be propagated by, the caches of large cloud providers for a long time.[^2]

When authorities take down a site, they point that domain’s DNS records at a server they control. DNS is the common addressing system used on the Internet. A protective DNS service can provide network security for remote workers.[^3] DNS translates human-readable domains into the IP addresses of the actual computers.[^4] A resolver obtains the IP addresses for domains that are not in its cache by querying other nameservers, ultimately the authoritative ones.[^5] DNS is involved in nearly every aspect of web activity, its requests are usually allowed through firewalls without inspection, and the base protocol has no built-in security measures.[^5] If an attacker can control a DNS server, or poison a resolver’s cache, they can redirect users to fraudulent websites. DNS usually communicates over UDP. OPSEC breaches in DNS Start of Authority (SOA) records can expose the e-mail addresses used to register network domains.[^6] Threat actors can hide malware, hex-encoded, in DNS records, which can later be recovered from DNS history logs.
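The points above about the wire format, UDP transport, caching TTLs, amplification and SOA records can be seen concretely by building and parsing a DNS message by hand. The following is an added example, not code from the cited sources: it encodes a query, parses a response (including name-compression pointers), extracts each record’s TTL, derives the registrant contact e-mail from an SOA RNAME, and computes the response/query size ratio that makes reflection attractive to attackers. The response bytes are constructed inline for offline use (the 192.0.2.0/24 addresses and example.com names are documentation values, not a real capture); `query_over_udp` is the live path and needs a real resolver address.

```python
import random
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "ANY": 255}


def encode_name(name: str) -> bytes:
    """Wire-encode a hostname as length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """12-byte header (RD=1, one question) followed by QNAME/QTYPE/QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg: bytes, off: int):
    """Decode a possibly-compressed name at `off`; return (name, offset after it).

    A 0xC0 pointer jumps elsewhere in the message; the hop limit stops a
    malformed packet with a pointer loop from hanging the parser."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2          # caller resumes after the first pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        if ln == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question, and decode A and SOA resource records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                       # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        rec = {"name": name, "type": rtype, "ttl": ttl}   # ttl = cache lifetime in seconds
        if rtype == QTYPE["A"]:
            rec["address"] = ".".join(str(b) for b in rdata)
        elif rtype == QTYPE["SOA"]:
            mname, p = decode_name(msg, off)
            rname, _ = decode_name(msg, p)
            rec["mname"] = mname
            # RNAME stores the contact mailbox with the '@' replaced by the first dot.
            rec["rname_email"] = rname.replace(".", "@", 1)
        off += rdlen
        records.append(rec)
    return {"txid": txid, "flags": flags, "records": records}


def build_sample_response(query: bytes) -> bytes:
    """Constructed reply: one A answer (TTL 1 day) plus an SOA authority record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]                              # echo the question section
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 1, 0)   # QR=1, RD, RA
    name_ptr = b"\xc0\x0c"                             # pointer to QNAME at offset 12
    answer = name_ptr + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes([192, 0, 2, 1])
    soa_rdata = (b"\x03ns1" + name_ptr + b"\x0ahostmaster" + name_ptr
                 + struct.pack("!IIIII", 2025010101, 7200, 900, 1209600, 300))
    authority = name_ptr + struct.pack("!HHIH", 6, 1, 3600, len(soa_rdata)) + soa_rdata
    return header + question + answer + authority


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes reflected per byte sent: the number a DDoS attacker cares about."""
    return round(len(response) / len(query), 2)


def query_over_udp(name: str, server: str, qtype: str = "A", timeout: float = 2.0) -> dict:
    """Live lookup: one datagram each way, no connection. Checking the transaction
    ID is the (weak) protection that cache poisoning attacks try to beat."""
    q = build_query(name, qtype, txid=random.randrange(0x10000))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction ID mismatch: spoofed or stray reply")
    return parse_response(resp)


if __name__ == "__main__":
    q = build_query("example.com", "A")
    r = build_sample_response(q)
    print(parse_response(r))
    print("amplification:", amplification_factor(q, r))
```

Even this small reply is more than three times the size of the query; an `ANY` query against a large zone, or a DNSSEC-signed response, pushes the ratio far higher, which is why open resolvers that answer spoofed queries are the reflectors used in amplification attacks. The SOA branch shows why `hostmaster.example.com` in an RNAME reads as `hostmaster@example.com` to anyone doing OSINT on the zone.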
[[Amplification Attacks]] – use DNS
[[DHCP]] – sets DNS servers
[[Internet Routers]] – provide DNS functionality
[[SMTP]] – a domain can have multiple MX records pointing at different mail servers
[[Mastercard DNS Vulnerability]] – misspelled domain
[[Cloudfare]] – acts as a DNS forwarder/resolver
[[Indicators of Compromise]] – could be an unusual DNS configuration
[[inetsim]] – can simulate a DNS server
[[Lumma Stealer]] – exfiltrates data about the user’s DNS configuration
[[Network Engineering Practices]] – you should place DNS servers in a network DMZ
[[Tor]] – Tor DNS queries include torproject.org as a suffix
[[Data Exfiltration]] – can use DNS protocols
[[114DNS]] – a Chinese DNS service
[[FastFlux]] – rapidly rotates DNS records
[[Moobot Botnet]] – creates OpenDNS server IP addresses
[[DNS Tunneling]] – used by DOGE in malicious activity
[[DNS Poisoning]]
[[Green Sky27]] – use Chinese Dynamic DNS Infrastructure Providers
[[DNS Rebind Attack]]
[[DNS Pinning]]
[[dig Command]] – DNS lookup tool
[[Iranian Cyber Army]] – social-engineered the DNS of their victim
[[APT34]] – used DNS exfiltration
[[MESSYFORK (COOKBOX)]] – the C2 domain resolves to Cloudflare
[[Turla (Venomous Bear)]] – C2 infrastructure uses dynamic DNS
[[Targeted Intrusion Methods]] – You should know how many devices are acting as a DNS server
[[DeltaCharlie]] – is capable of DNS attacks
[[Burp Suite Usage]] – DNS pingbacks can be used to de-anonymize Tor services
[[Silent Push]] – can be used to search DNS SOA records
[[DNS Data Exfiltration]]
[[GRID]] – this tool requires a custom DNS server
[[dnsexit.com]] – dynamic DNS company
[[Cybersecurity OPSEC]] – DNS for guaranteed egress
[[Expedition Cloud]] – includes DNS gateways
[[Tor Hidden Service]] – the Tor Browser locates an onion site through a lookup analogous to a DNS request
[[ipconfig Command]] – the /displaydns option shows the local DNS cache
[[IPFire]] – allows for dynamic DNS
[[pfSense]] – functions as a DNS server for local devices
[[OPNSense]] – dynamic DNS server and forwarder
[[DNS Zone Transfer]]
Backlinks
[[Application Layer]]
[[Cache Poisoning]]
[[Data Exfiltration]]
[[Google]]
[[Internet]]
[[IP Addresses]]
[[OSINT]]
[[UDP]]
[[Windows]]
Sources
[1] “networking102.” Accessed: Dec. 30, 2024. [Online]. Available: https://ubnetdef.org/slides/fall2017/networking102.pdf
[2] “MasterCard DNS Error Went Unnoticed for Years – Krebs on Security.” Accessed: Jan. 27, 2025. [Online]. Available: https://krebsonsecurity.com/2025/01/mastercard-dns-error-went-unnoticed-for-years/
[3] “#StopRansomware Guide,” CISA.
[4] brandondorsey_attackingPrivateNetworks (citation key only; full reference not given on this page)
[5] Akami_whatIsDNSRebinding (citation key only; full reference not given on this page)
[6] “Iranian IO Domains – Sneak Peek,” Memeticwarfare. [Online]. Available: https://www.memeticwarfare.io/p/iranian-io-domains-sneak-peek