Skip to content

Techniques

DGAs (Domain Generation Algorithms)

Domain Generation Algorithms (DGAs) allow threat actors to construct and register unique domains very quickly for malicious purposes such as phishing campaigns or malware command and control (C2) that evades filtering. Because DGA domains are generated semi-randomly, they have proven difficult to block using blocklists of known “bad” domains. DGA domains for the most part are limited only by the DGA operator’s ability to generate domains and register them through registrars.

Note: The term “DGA” technically means the algorithm itself, but is also commonly used to refer to a domain that is generated by a DGA. This document mixes both uses.

DGA domains can serve as infrastructure for various types of other abuse and misuse. For example, in a SMS/text messaging campaign, they can be used as the initial link in the message, as part of a redirect farm, or as the endpoint holding the phishing content.

A DGA domain may or may not consist of random letters or numbers. For example, a DGA could append letters or numbers to a string, a word list, etc. DGAs can also potentially evade detection by using dictionary words in English or words from other languages instead using random mix of letters and numbers (for example, carhorsebatterystaplehousewindow.example could be a generated domain).

DGAs are listed as a technique for C2 traffic in MITRE ATT&CK T1568.002:

“Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions…

“Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control”

https://attack.mitre.org/techniques/T1568/002/


Domain name compromise

The wrongfully taking control of a domain name from the rightful name holder. Compromised domains can be used for different kinds of malicious activity like sending spam or phishing, for distributing malware or as botnet command and control.

https://www.icann.org/groups/ssac/documents/sac-007-en


Lame delegation

Lame delegations occur as a result of expired nameserver domains allowing attackers to take control of the domain resolution by re-registering this expired nameserver domain.

https://blog.apnic.net/2021/03/16/the-prevalence-persistence-perils-of-lame-nameservers/

https://kb.isc.org/docs/lame-servers-what-are-they-and-how-does-bind-deal-with-them

Note: these are also known as “dangling delegations”, which is the most common form of attack involving lame delegations. It’s also possible that lame delegations might help to enable DoS attacks or compromises, which are covered elsewhere.


DNS cache poisoning

DNS cache poisoning – also known as DNS spoofing – is a type of cyber attack in which an attacker corrupts a DNS resolver's cache by injecting false DNS records, causing the resolver to return incorrect responses that are controlled by the attacker - usually for redirecting users or machines to malicious resources like phishing pages or attacker-controlled proxies.

CAPEC entry: https://capec.mitre.org/data/definitions/142.html

Some examples of how this can be achieved by the attacker are through on-path modification of network traffic, sending false updates to improperly secured caching DNS servers, or exploiting vulnerabilities in implementations or protocols.


DNS rebinding

DNS rebinding is a type of attack where a malicious website directs a client to a local network address, allowing the attacker to bypass the same-origin policy and gain access to the victim's local resources. - https://capec.mitre.org/data/definitions/275.html


DNS server compromise

DNS server compromise involves unauthorized control over, or access to, a legitimate DNS server or its records, enabling adversaries to redirect traffic, manipulate queries, force the server to return malicious IP addresses, and possibly launch several other cyberattacks.


Stub resolver hijacking

A stub resolver converts queries from applications on a device into DNS requests that are sent to a DNS server.

Stub resolver hijacking is where the attacker compromises the Operating System of a computer or other device with malicious code that intercepts and responds to DNS queries with rogue or malicious responses.

Note: For the purposes of this document, this includes modifications of the hosts file, even though this technically bypasses actual DNS lookups.


Local recursive resolver hijacking

Consumer Premise Equipment (CPE), such as home routers, often provide DNS recursion on the local network. If the CPE device is compromised, the attacker can change the recursive resolver behavior; for example, by changing responses.

In a corporate environment, this may be a DNS resolver configured on a local network.


On-path DNS attack

From https://www.imperva.com/learn/application-security/dns-hijacking-redirection/:

“Attackers intercept communication between a user and a DNS server and manipulates the content of the reply to the client”

From https://www.cloudflare.com/en-gb/learning/security/threats/on-path-attack/:

“On-path attackers place themselves between two devices (often a web browser and a web server) and intercept or modify communications between the two. The attackers can then collect information as well as impersonate either of the two agents. In addition to websites, these attacks can target email communications, DNS lookups, and public WiFi networks. Typical targets of on-path attackers include SaaS businesses, ecommerce businesses, and users of financial apps.”

On-path DNS attacks cover both manipulation of DNS queries and listening in on DNS traffic.


DoS against the DNS

DoS stands for Denial of Service. A DoS attack against the DNS aims to ultimately result in the DNS service becoming inaccessible or severely degraded. DoS attacks may be crashing a DNS server via some form of vulnerability in the DNS server software or cutting off access through a network interruption.

In Distributed Denial of Service (DDoS) attacks, attackers deploy multiple devices to attack a single DNS server, depleting its network, memory, and CPU resources.


DNS as a vector for DoS

DNS is used as a vector for Denial of Service (DoS) attacks in a number of ways.

A common situation is using DNS for reflection amplification attacks by sending queries to open recursive (resolver) servers and spoofing the IP address of the victim. The spoofed IPs would be the target of the DoS attack and can include web servers, mail servers, or any network resource.

DNS can also be used as the protocol through which a straight query flood attack can take place using a botnet or compromised servers.

In some cases, DNSSEC queries can cause increased usage of DNS server resources.

This is part of the definition from MITRE ATT&CK for Network Denial of Service: Reflection Amplification:

"Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Two prominent protocols that have enabled Reflection Amplification Floods are DNS and NTP through the use of several others in the wild have been documented."

These Reflection and Amplification Floods can be directed against components of the DNS, like authoritative nameservers, rendering them unresponsive.”


Obfuscation via Dynamic DNS

Dynamic DNS (DDNS) works by keeping the DNS updated with the correct IP address for a domain.

Many online resources, such as file servers, APIs, or web servers, run on internet connections that have their IP addresses changed frequently. This creates a problem if the operators of those endpoints want to give a hosted resource a specific domain name.

For example, if a web administrator is operating a website with a domain name of www.example.com and an IP address of 192.0.2.0, any time a user enters www.example.com into their browser, the DNS will direct them to the server at 192.0.2.0. If the server changes its IP address (e.g. if it was updated by the ISP), a dynamic DNS service can automatically update the DNS record to reflect this change.

Dynamic DNS (DDNS) is a legitimate online service for many end users. However, because the IP addresses are dynamic and the DDNS services are free or relatively cheap, DDNS services are commonly used to enable other attacks such as phishing, fast-flux, or malware command and control.

This can be used as an obfuscation technique to allow malicious actors to avoid detection by regularly changing their IP addresses. It differs from fast-flux in speed and aggressiveness - where fast-flux is constant, rapidly changing addresses, using Dynamic DNS updates less frequently.

(Adapted from: https://www.cloudflare.com/en-gb/learning/dns/glossary/dynamic-dns/)


Fast flux

DNS fast flux is a technique where the resource records of a domain are rapidly updated to avoid detection and takedown. "Double fast flux" is where both A/AAAA and NS records are updated to further hide malicious activity. Fast flux is used by botnets, command and control servers, to hide phishing sites, and generally to provide resilience to malicious resources.

Note: there are sometimes legitimate reasons for the use of fast flux, for example with CDNs or load balancers, but here we assume that the intent is malicious.

IP reputation can be affected by fast flux. As an example, when a fully qualified domain name (FQDN) using fast flux resolves to IP addresses of well-known service providers, the domain gains a positive reputation score and is less likely to be blocked by DNS firewalls or other filtering techniques. The malware controllers can then temporarily resolve the FQDN to the IP address they use for their attack.

Fast flux is commonly used with other techniques such as CNAME chaining to create a malware distribution network or as a backup command and control (C2) server to regain control of their malware. Fast flux has some technical characteristics similar to valid DNS uses such as content distribution networks (CDNs) and other types of load balancing. However, there are certain technical features that are almost exclusively used in fast flux as opposed to similar benign use cases.

For example, fast flux networks use IP addresses on a variety of autonomous systems (AS) and effective second level domains whereas CDNs tend to own all the IP addresses they use, and therefore the IP addresses are in a small number of AS’s. Similarly, CDNs use a relatively small number of effective second level domains. Furthermore, the IP addresses in a CDN or load balancing setup are usually all active and not parked, whereas a fast flux network tends to use a large number of parked IP addresses. A parked domain is one on which no services are actually available on the target of the resource record.


Infiltration and exfiltration via the DNS

Infiltration means getting information into an organization when that is against organization policy. Exfiltration means getting information out of an organization when that is against organization policy. Therefore, detection of exfiltration generally means examining DNS queries whereas detection of infiltration generally means examining DNS response (both errors and response content).

There are a few techniques for embedding other protocols within the DNS. These are generally called “tunneling” and are handled under the “DNS Tunneling” technique. This section describes situations where data is encoded in the DNS protocol without using some other protocol. Tunneling has distinct detection and mitigation opportunities and therefore is handled separately.

Infiltration via DNS traffic, without being encoded into another protocol, is used for control (as in malware command and control).


Malicious registration of (effective) second level domains

Malicious registration of domains is the creation of new domains by threat actors online.

This technique is when someone who is going to do a bad thing registers a domain themselves. It is distinguished from an actor stealing, compromising, taking over, or otherwise hijacking DNS resources. See also CAPEC-630.


Creation of malicious subdomains under dynamic DNS providers

Dynamic DNS (DDNS) works by keeping the DNS updated with the correct IP address for a domain. Dynamic DNS providers typically also provide the ability to create subdomains under existing domains.

Before attacking a victim, adversaries purchase or create domains from an entity other than a registrar or registry a Dynamic DNS provider that provides these subdomains.

Dynamic DNS enables the threat actors to launch phishing, malware etc campaigns without registering for a domain name with an entity covered by, for example, the ICANN terms of use.

Dynamic DNS providers are one source of domains for threat actors. Like some registrars, dynamic DNS providers often have an API to programmatically generate subdomains to make it easy and efficient to create many domains. Threat actors use this capability to launch campaigns with highly scalable numbers of fully qualified domains.


Compromise of a non-DNS server to conduct abuse

Internet attack infrastructure is a broad category, and this covers any non-DNS server. Many compromised servers, such as web servers or mail servers, interact with the DNS or may be instrumental in conducting DNS abuse. For example, compromised mail servers are one technique that may be used to send phishing emails.


Use of an unregistered domain

This is the use of a domain in a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), and providing an unregistered domain name.

An unregistered domain in this context is any domain which does not exist in the DNS. Registrars can “register” a domain, but still not publish it in the parent registry, however it is effectively the same.

It should be noted that use of an unregistered domain is not always technically “DNS Abuse”. However, due to this technique’s relation to and interaction with the DNS, it is considered useful to include advice as a category to aid incident responders and security teams in their work.

Abuse of this type also includes deliberately invalid queries to a DNS server to generate NXDOMAIN responses. This is also known as a “water torture attack”, where resources are expended as part of an attack. NSEC3 exacerbates this due to the increased resources needed for generating hashes.

Another use of unregistered domains is with DGA, where a piece of malware may generate a list of thousands of domains which are potentially their Command and Control server, but only one or a few are actually registered. See also: Domain Generation Algorithms.


Spoofing of a registered domain

In contexts where a domain name is expected, such as in the "From" header of an email or in a URL within a webpage or message body, spoofing involves using a domain name that the attacker does not control, but which is actually owned or registered by a legitimate party.

This type of DNS abuse is related to, but distinct from, an on-path attack where a legitimate domain is being used but impersonated by modifying or spoofing DNS records.


DNS tunneling

DNS tunneling is the use of the DNS network protocols to encapsulate other protocols. Tunneling is a process in which the client encodes and sends requests and responses to a server that accepts DNS requests, which will translate or decode the DNS traffic and convert it to the target protocol. DNS tunneling can be used for command and control (“C2” or” C&C”) communication and as a functional equivalent of a Virtual Private Network.

DNS tunneling could be used for exfiltration and infiltration. Exfiltration and infiltration of information via the DNS has been separated into another section in order to address the different approaches in detection and prevention.


DNS beacons - C2 communication

Some kinds of malware send periodic DNS queries to command and control (C2) servers. These periodic communications are known as beacons. DNS beacons can be used to re-establish control over malware, as a form of keepalive for infected hosts, or a low-bandwidth form of C2 communication.