
Techniques

DGAs (Domain Generation Algorithms)

https://attack.mitre.org/techniques/T1568/002/


Domain name compromise

Wrongfully taking control of a domain name from its rightful registrant (the name holder). Compromised domains can be used for many kinds of malicious activity, such as sending spam or phishing, distributing malware, or serving as botnet command and control - https://www.icann.org/groups/ssac/documents/sac-007-en.


Lame delegation

A lame delegation exists when a zone's NS records point at a nameserver that does not actually serve the zone. One common cause is an expired nameserver domain: an attacker who re-registers that expired domain gains control of name resolution for every zone still delegated to it - https://blog.apnic.net/2021/03/16/the-prevalence-persistence-perils-of-lame-nameservers/.


DNS cache poisoning

Also known as DNS spoofing: an attack in which the attacker corrupts a DNS resolver's cache by injecting forged DNS records, causing the resolver to return attacker-controlled records to its clients until the forged entries expire - https://capec.mitre.org/data/definitions/142.html
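
The checks a caching resolver applies to a UDP response, and why they bound cache poisoning, as an added example (not code from the page or from CAPEC). A forged response is only used if it matches the pending query's 16-bit transaction ID, its UDP source port and its question; even then, only records inside the bailiwick of the nameserver that was asked are cached (the RFC 2181 trust-ranking rule), so an accepted forgery cannot also plant records for unrelated domains. All names, ports and addresses are constructed for illustration.

```python
"""Toy resolver-cache acceptance logic for inbound UDP responses (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port; random on a hardened resolver
    qname: str
    qtype: str
    bailiwick: str   # zone served by the nameserver this query was sent to


@dataclass
class Response:
    txid: int
    dst_port: int    # must equal the query's source port to be delivered at all
    qname: str
    qtype: str
    records: list    # (owner, type, ttl, rdata) from answer/authority/additional


def in_bailiwick(owner: str, zone: str) -> bool:
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def accept(pending: dict, resp: Response, cache: dict) -> bool:
    """Process one inbound response; True if it matched an outstanding query.

    Records outside the queried server's bailiwick are dropped, not cached:
    a response for www.example.com cannot smuggle an A record for another
    domain through its additional section.
    """
    key = (resp.txid, resp.dst_port)
    q = pending.get(key)
    if q is None or q.qname.lower() != resp.qname.lower() or q.qtype != resp.qtype:
        return False  # wrong TXID, port or question: the spoofer's guess failed
    for owner, rtype, ttl, rdata in resp.records:
        if in_bailiwick(owner, q.bailiwick):
            cache[(owner.lower().rstrip("."), rtype)] = (ttl, rdata)
    del pending[key]
    return True


def spoof_guess_space(port_randomized: bool) -> int:
    """(TXID, port) combinations an off-path attacker must guess blindly.

    With a fixed source port only the 16-bit TXID protects the query; with
    source-port randomization roughly 64k ephemeral ports multiply that space
    (64512 = 65536 minus the 1024 low ports; an approximation).
    """
    return 65536 * (64512 if port_randomized else 1)


def demo() -> dict:
    cache, pending = {}, {}
    q = Query(0x1A2B, 40001, "www.example.com", "A", "example.com")
    pending[(q.txid, q.src_port)] = q

    # 1. Off-path forgery with the wrong TXID: never matched, nothing cached.
    forged = Response(0x0000, 40001, "www.example.com", "A",
                      [("www.example.com", "A", 300, "198.51.100.66")])
    wrong_txid_accepted = accept(pending, forged, cache)

    # 2. Forgery that guessed TXID and port correctly. The queried name itself
    #    is now poisoned (this is why TXID/port entropy matters), but the
    #    out-of-bailiwick record for another domain is discarded.
    forged = Response(0x1A2B, 40001, "www.example.com", "A", [
        ("www.example.com", "A", 300, "198.51.100.66"),
        ("login.bank.example", "A", 86400, "198.51.100.66"),  # poison attempt
    ])
    matched = accept(pending, forged, cache)
    return {
        "wrong_txid_accepted": wrong_txid_accepted,
        "matched": matched,
        "bank_poisoned": ("login.bank.example", "A") in cache,
        "cached": dict(cache),
    }
```

The second case is the honest outcome of a successful guess: the bailiwick rule limits the blast radius to the name that was being looked up, while the size of the guess space (and DNSSEC validation, where deployed) is what makes the guess itself impractical.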


DNS rebinding

An attack in which a malicious website has the victim's browser resolve the attacker's hostname first to the attacker's server and then, after a very short TTL expires, to an address on the victim's local network. Because the origin (hostname) never changes, the same-origin policy allows the page's scripts to reach the local resource - https://capec.mitre.org/data/definitions/275.html
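
A resolver-side guard against rebinding, in the spirit of the `--stop-dns-rebind` option of dnsmasq, as an added example (not code from the page or from any resolver). External names are not allowed to resolve into private, loopback, link-local or other non-public address space unless they belong to a zone that is expected to. The attacker hostname, the internal zone list and the addresses are constructed for illustration.

```python
"""Drop non-public answers for names outside an allowlisted set of internal zones (added example)."""
import ipaddress

# Hypothetical internal zones that legitimately resolve to RFC 1918 space.
INTERNAL_ZONES = ("corp.example", "home.arpa")


def is_internal_name(qname: str) -> bool:
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in INTERNAL_ZONES)


def is_public(addr: str) -> bool:
    # is_global is False for private, loopback, link-local, CGNAT (100.64/10),
    # unspecified, multicast and reserved/documentation ranges.
    return ipaddress.ip_address(addr).is_global


def filter_answers(qname: str, addrs: list) -> tuple:
    """Return (kept, dropped); non-public answers for external names are dropped."""
    if is_internal_name(qname):
        return list(addrs), []
    kept = [a for a in addrs if is_public(a)]
    dropped = [a for a in addrs if not is_public(a)]
    return kept, dropped


def simulate_rebind(resolver_filter: bool = True) -> list:
    """Replay the attack timeline for a constructed attacker name.

    First answer: the attacker's public web host (any public address; the one
    below is only a constructed choice). Second answer, once the TTL-0 record
    has expired: the victim's LAN gateway.
    """
    attacker = "rebind.attacker.example"
    timeline = [
        (attacker, 0, ["93.184.216.34"]),
        (attacker, 0, ["192.168.1.1"]),
    ]
    seen = []
    for name, _ttl, answers in timeline:
        kept = filter_answers(name, answers)[0] if resolver_filter else list(answers)
        seen.append(kept)
    return seen
```

The filter is a network-level mitigation; services on the LAN should additionally validate the HTTP `Host` header against the names they expect to be reached by, since the rebound request arrives with the attacker's hostname in it.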


DNS server compromise

The attacker gains administrative privileges on an open recursive DNS server, an authoritative DNS server, an organizational recursive DNS server, or an ISP-operated recursive DNS server.


Stub resolver hijacking

The attacker compromises the operating system of a computer or phone with malicious code that intercepts DNS queries and answers them with rogue or malicious responses.


Local recursive resolver hijacking

Customer Premises Equipment (CPE), such as home routers, often provides DNS recursion on the local network. If the CPE device is compromised, the attacker can change the recursive resolver's behaviour, for example by altering responses.


On-path DNS attack

“Attackers intercept communication between a user and a DNS server and provide different destination IP addresses pointing to malicious sites.” (https://www.imperva.com/learn/application-security/dns-hijacking-redirection/)


DoS against the DNS

Multiple systems sending malicious traffic to a target at the same time (a distributed denial of service), where the target is a DNS component such as an authoritative nameserver or a recursive resolver.


DNS as a vector for DoS

"Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Two prominent protocols that have enabled Reflection Amplification Floods are DNS and NTP, though the use of several others in the wild have been documented." These Reflection and Amplification Floods can be directed against components of the DNS, like authoritative nameservers, rendering them unresponsive. (https://attack.mitre.org/techniques/T1498/002/)


Dynamic DNS resolution (as obfuscation technique)

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. (https://attack.mitre.org/techniques/T1568/)
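
The shared-algorithm idea above, run from both ends, as an added example (not code from the page, from MITRE, or from any real malware family): a minimal date-seeded domain generation algorithm. Malware and operator hold the same seed and algorithm, so no domain is hard-coded; the operator registers one of the day's candidates and the malware walks the candidate list until a name resolves. The seed, TLD list, stub registry and dates are constructed.

```python
"""Minimal date-seeded DGA with the operator and malware sides (added example)."""
import hashlib
from typing import Optional, Tuple

TLDS = ("com", "net", "org", "info")  # constructed choice


def generate(seed: str, day: str, count: int = 20) -> list:
    """Deterministic candidate list for ISO date `day`; identical on both sides.

    Real malware would use datetime.date.today().isoformat() for `day`.
    """
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 letters
        tld = TLDS[digest[-1] % len(TLDS)]
        out.append(f"{label}.{tld}")
    return out


def operator_register(seed: str, day: str, index: int, registry: dict, ip: str) -> str:
    """Operator side: pick candidate `index` for `day` and 'register' it."""
    name = generate(seed, day)[index]
    registry[name] = ip
    return name


def malware_locate(seed: str, day: str, resolve) -> Optional[Tuple[str, str]]:
    """Malware side: try the day's candidates in order until one resolves."""
    for name in generate(seed, day):
        ip = resolve(name)
        if ip is not None:
            return name, ip
    return None


def demo() -> Tuple[str, Optional[Tuple[str, str]]]:
    registry = {}  # stands in for the public DNS (constructed)
    seed, day = "s3cr3t-campaign-seed", "2024-03-01"
    registered = operator_register(seed, day, index=7, registry=registry, ip="198.51.100.23")
    found = malware_locate(seed, day, registry.get)  # unregistered names return None
    return registered, found
```

Defensively, the same property cuts both ways: anyone who recovers the seed and algorithm (for instance from a sample) can precompute every future candidate and sinkhole or block it ahead of time.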


Dynamic DNS resolution: Fast flux (as obfuscation technique)

“Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name with multiple IP addresses assigned to it which are swapped with high frequency using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.” (https://attack.mitre.org/techniques/T1568/001/)
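
The mechanism quoted above and the heuristic that catches it, as an added example (not code from the page or from MITRE): a toy authoritative server that rotates a pool of addresses through one FQDN with a short TTL, observed repeatedly as a passive-DNS collector would, and scored on address and prefix diversity. The name, pool and thresholds are constructed; distinct /24 prefixes stand in for the cross-network diversity a real detector would measure per ASN.

```python
"""Toy fast-flux authority and a diversity-based assessment of what a resolver sees (added example)."""


class FluxAuthority:
    """Rotates a pool of (typically compromised) hosts through a single name."""

    def __init__(self, name: str, pool, ttl: int = 60, per_answer: int = 3):
        self.name, self.pool, self.ttl, self.per_answer = name, list(pool), ttl, per_answer
        self._cursor = 0

    def answer(self):
        """Round-robin: each answer carries the next `per_answer` pool entries."""
        n = len(self.pool)
        ips = [self.pool[(self._cursor + i) % n] for i in range(self.per_answer)]
        self._cursor = (self._cursor + self.per_answer) % n
        return self.ttl, ips


def observe(resolve, queries: int) -> list:
    """Passive-DNS style collection: resolve the same name `queries` times."""
    return [resolve() for _ in range(queries)]


def flux_assessment(observations, max_ttl: int = 300, min_ips: int = 8, min_prefixes: int = 3) -> dict:
    ips = {ip for _, addrs in observations for ip in addrs}
    prefixes = {".".join(ip.split(".")[:3]) for ip in ips}  # distinct /24s (approximation)
    ttl = max(ttl for ttl, _ in observations)
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "max_ttl": ttl,
        "fast_flux": ttl <= max_ttl and len(ips) >= min_ips and len(prefixes) >= min_prefixes,
    }


def demo():
    # Constructed pool of 15 hosts spread over three /24s.
    pool = ([f"198.51.100.{i}" for i in range(1, 6)]
            + [f"203.0.113.{i}" for i in range(1, 6)]
            + [f"192.0.2.{i}" for i in range(1, 6)])
    flux = FluxAuthority("update.evil.example", pool, ttl=60)

    def static():  # benign comparison: stable answer, long TTL
        return 86400, ["192.0.2.10", "192.0.2.11"]

    return flux_assessment(observe(flux.answer, 6)), flux_assessment(observe(static, 6))
```

Six lookups are enough here because each answer reveals three pool members; in practice the collector aggregates answers across many clients and hours, which is why the TTL is the cheapest signal to check first.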


Infiltration and exfiltration via the DNS

Exfiltration via the DNS requires either a domain delegated to attacker-controlled nameservers or, if the domain does not exist in the public DNS, a resolver under the attacker's control that is preloaded with that domain's zone data and configured to receive and answer the queries sent by the compromised devices.
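
How the data actually travels in the queries, as an added example (not code from the page): the compromised device packs bytes into query names under the attacker's delegated zone, and the attacker's authoritative server reassembles them from its query log. base32 is used because DNS names are case-insensitive; labels are capped at 63 octets and whole names at 253, so the encoder splits the payload across numbered queries. The zone `exfil.example`, the session tag and the payload are constructed.

```python
"""Pack bytes into DNS query names and reassemble them on the authoritative side (added example)."""
import base64

MAX_LABEL = 63
MAX_NAME = 253


def encode(data: bytes, zone: str, session: str) -> list:
    """Split `data` into names of the form <session>-<seq>.<b32 labels>.<zone>."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names, seq, cur = [], 0, []
    for lab in labels:
        trial = ".".join([f"{session}-{seq}", *cur, lab, zone])
        if len(trial) > MAX_NAME and cur:
            # Adding this label would exceed 253 octets: emit the current name.
            names.append(".".join([f"{session}-{seq}", *cur, zone]))
            seq += 1
            cur = [lab]
        else:
            cur.append(lab)
    if cur:
        names.append(".".join([f"{session}-{seq}", *cur, zone]))
    return names


def decode(names: list, zone: str) -> bytes:
    """Attacker's nameserver side: order by sequence number and decode.

    Queries may arrive out of order (resolvers retry and parallelise), hence
    the explicit sequence number rather than arrival order.
    """
    zone_labels = zone.split(".")
    chunks = {}
    for name in names:
        parts = name.split(".")
        seq = int(parts[0].rsplit("-", 1)[1])
        chunks[seq] = "".join(parts[1:len(parts) - len(zone_labels)])
    b32 = "".join(chunks[k] for k in sorted(chunks)).upper()
    b32 += "=" * (-len(b32) % 8)  # restore the padding stripped by encode()
    return base64.b32decode(b32)


def demo():
    secret = b"constructed sample: " + bytes(range(256))  # 276 bytes of payload
    names = encode(secret, "exfil.example", "s1")
    return names, decode(names, "exfil.example")
```

For the resolver operator the giveaway is the shape this produces: long, never-repeating, high-entropy labels under one domain, which the detection example later on this page looks for.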


Malicious registration of (effective) second level domains

For example, before attacking a victim, adversaries purchase or register domains from an ICANN-accredited registrar for use during targeting. See also CAPEC-630.


Creation of malicious subdomains under dynamic DNS providers

Before attacking a victim, adversaries purchase or create subdomains from an entity other than a registrar or registry (for example a dynamic DNS provider) that offers subdomains under domains it owns and controls. See also https://en.wikipedia.org/wiki/Dynamic_DNS


Compromise of a non-DNS server to conduct abuse

Internet attack infrastructure is a broad category, and this covers any non-DNS server. Many compromised servers, such as web servers or mail servers, interact with the DNS or may be instrumental in conducting DNS abuse. For example, compromised mail servers may be used to send phishing emails.


Spoofing or otherwise using unregistered domain names

In a context where a domain name is expected (such as the From header in mail, or a URL in a web page or message body), supplying a domain name that the attacker does not control and that is also not registered to, or controlled by, any legitimate registrant.


Spoofing of a registered domain

In a context where a domain name is expected (such as the From header in mail, or a URL in a web page or message body), supplying a domain name that the attacker does not control and that is in fact registered to, or controlled by, a legitimate registrant.


DNS tunneling - tunneling another protocol over DNS

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal expected traffic. (https://attack.mitre.org/techniques/T1071/004/)


DNS beacons - C2 communication

Successive or periodic DNS queries to a command and control server, either to exfiltrate data or to poll for further commands from the C2.
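
Detection logic for both the tunnelling entry and the beaconing entry above, as an added example (not code from the page or from MITRE), run over a constructed resolver query log. Tunnelling shows up as long, high-entropy, never-repeating labels under one registrable domain; beaconing shows up as queries for the same name at suspiciously regular intervals. The hosts, domains, timestamps and thresholds are all synthetic, and the registrable-domain split is a naive last-two-labels cut rather than a Public Suffix List lookup.

```python
"""Tunnel and beacon heuristics over constructed resolver query logs (added example)."""
import base64
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed start time


def _lines(src, names, gaps_seconds, qtype):
    """Build log lines '<ts> <client> <qname> <qtype>' with the given inter-query gaps."""
    t, out = T0, []
    for name, gap in zip(names, [0] + gaps_seconds):
        t += timedelta(seconds=gap)
        out.append(f"{t.strftime('%Y-%m-%dT%H:%M:%S')} {src} {name} {qtype}")
    return out


def _chunk_label(i: int) -> str:
    """base32 of a digest: the shape an encoded exfil chunk has (52 chars)."""
    return base64.b32encode(hashlib.sha256(f"chunk{i}".encode()).digest()).decode().lower().rstrip("=")


SAMPLE_LOG = "\n".join(
    _lines("10.0.0.5", [f"{_chunk_label(i)}.tun.example" for i in range(8)], [1, 3, 2, 7, 1, 4, 2], "TXT")
    + _lines("10.0.0.7", ["ping.c2.example"] * 6, [300] * 5, "A")
    + _lines("10.0.0.9", [f"{h}.example.org" for h in ("www", "mail", "cdn", "api", "static", "login")],
             [45, 130, 20, 400, 75], "A")
)


def entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registrable(qname: str) -> str:
    """Naive: last two labels (use the Public Suffix List in a real detector)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse(log: str):
    for line in log.splitlines():
        ts, src, qname, qtype = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, qname, qtype


def analyze(log: str, min_queries: int = 5) -> dict:
    """Per (client, registrable domain): label stats, timing regularity and flags."""
    groups = defaultdict(list)
    for ts, src, qname, _ in parse(log):
        groups[(src, registrable(qname))].append((ts, qname))
    findings = {}
    for key, rows in groups.items():
        if len(rows) < min_queries:
            continue
        names = [q for _, q in rows]
        times = sorted(t for t, _ in rows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats = {
            "queries": len(rows),
            "unique_ratio": len(set(names)) / len(names),
            "avg_len": mean(len(q) for q in names),
            "avg_entropy": mean(entropy(q.split(".")[0]) for q in names),
            # coefficient of variation of the inter-query gaps; ~0 means clockwork
            "jitter": pstdev(gaps) / mean(gaps) if gaps and mean(gaps) > 0 else None,
        }
        flags = []
        if stats["avg_len"] > 60 and stats["avg_entropy"] > 3.5 and stats["unique_ratio"] > 0.9:
            flags.append("tunnel-like")
        if stats["jitter"] is not None and stats["jitter"] < 0.1 and len(gaps) >= 4:
            flags.append("beacon-like")
        stats["flags"] = flags
        findings[key] = stats
    return findings
```

The thresholds are deliberately crude; in production they are tuned per environment and paired with an allowlist, since legitimate services (CDNs, some anti-malware products) also emit long encoded labels and scheduled jobs also beacon.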