Skip to main content
Build the future with Agentforce at TDX in San Francisco or on Salesforce+ on March 5–6. Register now.

Identify Threats Targeting Domain Name System Technology

Learning Objectives

After completing this unit, you’ll be able to:

  • Identify common Domain Name System (DNS) security issues.
  • Describe how a DNS firewall can mitigate common security issues.

Domain Name System Security Threats

Despite the Domain Name System’s (DNS) central role in the functionality of the internet and your organization’s network infrastructure, the technology may be implemented in a way that’s poorly secured or improperly configured. Cybercriminals often take advantage of security loopholes or unpatched flaws in DNS to launch a variety of attacks. According to the 2021 Global DNS Threat Report, nearly 90% of organizations suffered an attack on their DNS the previous year, with over 26% of organizations reporting that sensitive customer information was stolen. 

So, what can you do to minimize the chance of this happening to you? The good news is that a DNS firewall can protect against DNS hijacking and other common attacks against the technology. Let’s take a look at these various attacks and how implementing a DNS firewall can mitigate them.

Typosquatting

Typosquatting or uniform resource locator (URL) hijacking is a type of social engineering attack that takes advantage of people who incorrectly type a web address into their browser. Malicious actors use typosquatting to lure unsuspecting individuals to a fake version of a legitimate website. Let’s look at an example.

The website “examplebank.com” belongs to an online banking company where customers can log in with their username and password to view and perform transactions on their bank accounts. Because the attacker knows these users are prone to mistyping the domain name, the malicious actor registers a bunch of domains with incorrect spellings imitating the valid domain name, such as “xamplebank.com” and “exxamplebank.com”.

These fake domains redirect the user to a website the attacker has designed to mimic, with convincing detail, the actual “examplebank.com” website. The attacker waits for the user to browse the fake site and enter sensitive information, like their account username and password. The attacker then uses these login details to access a user’s legitimate account and make transactions on behalf of the user.

Mitigation against typosquatting requires network administrators at your organization to monitor your registered domain names against similar names. Without tools and automation, this becomes a tedious task which may not scale depending on how many domains your organization has registered. By having a DNS firewall in place within your network architecture, your organization can receive threat intelligence feeds to perform domain registration monitoring. This allows the DNS firewall to constantly and automatically identify names that are similar to your domains and prevent routing to them.

Distributed Denial of Service and Amplification Attacks

Distributed Denial of Service (DDoS) is not a threat specific to DNS. However, DNS is particularly vulnerable to such attacks because it represents a logical choke point on the network and is often overlooked by organizations during capacity-planning design of their network infrastructure. If your organization's DNS infrastructure cannot handle the number of incoming requests it receives, your network will have degraded performance, resulting in even legitimate traffic to the site to be denied. 

A DNS amplification attack is a DDoS attack in which the attacker exploits vulnerabilities in DNS servers to turn initially small queries into much larger ones. The goal is to flood a website with so many fake DNS lookup requests that they consume network bandwidth to the point that the site fails to load. 

When a user types “example.com” into their browser, DNS finds the internet protocol (IP) address assigned to that domain name, and sends it back to the browser so the client can connect to that website. Internally, a corporate network typically only resolves DNS requests for its own employees. However, the internet is full of publicly accessible DNS resolvers that will resolve requests for anyone—including attackers. Using these open resolvers, attackers can send many fake requests without raising any red flags. These fake requests can overwhelm a website, preventing legitimate users from accessing it. 

Most DNS firewalls now include DDoS protection services. These include protection against amplification attacks by using Response Rate Limiting (RRL). RRL allows your organization to limit the maximum number of responses per second being sent from the domain name server. This limitation prevents high volumes of malicious queries at any given moment so the server is not overwhelmed.

An adversary sitting behind a laptop, with lines connecting the laptop to many other laptops connected to a server, symbolizing a DDoS attack

DNS Cache Poisoning

DNS cache poisoning uses security gaps in the DNS protocol to redirect internet traffic to malicious websites. DNS cache poisoning happens when a malicious actor intervenes in the DNS resolution process and supplies incorrect query responses. This type of man-in-the-middle attack is also called DNS spoofing. A malicious actor tricks the DNS server into thinking it has found the authoritative DNS name server when it hasn’t. Once the browser or application is tricked into thinking it received the right answer to its query, the malicious actor can divert traffic. To mitigate this, DNS firewalls have cache poisoning detection tools and filtering capabilities to check against malicious sites.

Hacking — URL Redirector Abuse

URL redirectors forward an incoming browser request to an alternate web page. DNS firewalls provide allowlisting capabilities—a mechanism that explicitly allows some identified entities to access a particular privilege, service, or application while denying access to entities not on the list. This allows DNS firewalls to check whether a website is non-malicious and allowed for user access. If the website is not part of the allow list, DNS firewalls can further protect a user by redirecting the requesting application to a non-malicious site.

Sum It Up

You’re all set up with your DNS firewall ready to go! You can now use your firewall to mitigate common threats to DNS.

Interested in learning more about cybersecurity careers and best practices? Head on over to the Cybersecurity Learning Hub to explore cybersecurity roles and hear from real security practitioners.

Resources

Compartilhe seu feedback do Trailhead usando a Ajuda do Salesforce.

Queremos saber sobre sua experiência com o Trailhead. Agora você pode acessar o novo formulário de feedback, a qualquer momento, no site Ajuda do Salesforce.

Saiba mais Continue compartilhando feedback