How Do DNS Attacks Work?
The Domain Name System (DNS) is the address book of the entire internet. Your DNS knows the contact information, that is the IP address, for each device and infrastructure element on your network. When the domain is found at the root DNS server, the request is logged and a connection is created between your device and the server.
This process becomes dangerous when the root DNS server is controlled by a bad actor. Through an attack technique known as DNS tunneling, bad actors locate and exfiltrate data in a way that is very difficult to detect and mitigate. Malware is first installed on the device through an infected link, a malicious email attachment, or another method. The malware crawls the internal network for files and extracts personal data; this data is encrypted and prepended to the attacker's domain name as a run of random-looking characters, so that each chunk leaves the network as the leftmost labels of an ordinary DNS query. The stolen data thus reaches the malicious host domain through the normal DNS resolution path.
DNS tunneling is difficult to detect because the technique very closely mimics legitimate DNS communication. Detection models based on the common characteristics of tunneling attacks fall short. A detection model based on user behavior has a much higher success rate.
Infoblox Detection Methods for DNS Attacks & DGA Domains
Infoblox uses a DNS analytics detection model that applies behavioral analysis to classify the data carried in DNS queries. Its patented algorithm examines every DNS record: certain attributes raise a record's threat score, while other attributes lower it. When the threat score reaches a set threshold, the DNS record is categorized as an active threat and the queries are blocked.
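The two ideas above, behavior-based tunneling detection and a threat score that attributes push up or down until a threshold is crossed, can be illustrated with a small scorer run over resolver logs. The following is an added example written for this page; it is not Infoblox's algorithm or code. The log lines, the `exfil-test.invalid` domain, the attribute weights, the threshold of 5 and the allowlist are all constructed assumptions, and the "registered domain" is approximated as the last two labels (no public-suffix list).

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<client_ip> <queried_name>" per line. Not real traffic.
# Client 10.0.0.7 issues a burst of long, never-repeating hex labels under one domain,
# which is the shape DNS tunneling leaves behind; the other clients look ordinary.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 cdn.example.com
10.0.0.7 a9f3c2e1b7d4e6f0a1b2c3d4.exfil-test.invalid
10.0.0.7 0e4d5c6b7a8f9e0d1c2b3a4f.exfil-test.invalid
10.0.0.7 b1c2d3e4f5a6b7c8d9e0f1a2.exfil-test.invalid
10.0.0.7 c3d4e5f6a7b8c9d0e1f2a3b4.exfil-test.invalid
10.0.0.7 d5e6f7a8b9c0d1e2f3a4b5c6.exfil-test.invalid
10.0.0.9 www.example.com
"""

# Assumed allowlist of domains known to be benign (lowers the score).
ALLOWLIST = {"example.com"}


def shannon_entropy(s):
    """Bits per character; random-looking payload labels score high, names like 'www' score low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Assumption: the last two labels are the registered domain; everything before is the subdomain."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        client, name = line.split()
        records.append((client, name.lower()))
    return records


def score_flows(records):
    """Score each (client, registered domain) pair: attributes add to or subtract from the score."""
    flows = defaultdict(list)
    for client, name in records:
        domain, sub = registered_domain(name)
        flows[(client, domain)].append(sub)

    scores = {}
    for key, subs in flows.items():
        domain = key[1]
        score = 0
        # +1: many queries to a single domain in the window (constructed weight).
        if len(subs) >= 5:
            score += 1
            # +3: almost every query carries a subdomain never seen before (tunnel payload chunks).
            if len(set(subs)) / len(subs) > 0.8:
                score += 3
        # +2: leading label is unusually long; real hostnames are short.
        avg_len = sum(len(s.split(".")[0]) for s in subs) / len(subs)
        if avg_len > 20:
            score += 2
        # +2: leading labels are high-entropy (encoded data rather than words).
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_ent > 3.0:
            score += 2
        # -5: allowlisted domain lowers the score.
        if domain in ALLOWLIST:
            score -= 5
        scores[key] = score
    return scores


def flagged(records, threshold=5):
    """Flows whose score reaches the threshold would be categorized as active threats and blocked."""
    return sorted(key for key, s in score_flows(records).items() if s >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, s in sorted(score_flows(recs).items()):
        print(key, s)
    print("flagged:", flagged(recs))
```

The point of scoring per client and domain rather than per query is the behavioral one from the text: a single long label is not suspicious, but one client steadily sending unique, high-entropy labels to one domain is, and a negative attribute such as an allowlist keeps a busy legitimate domain from crossing the threshold.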
Infoblox can also determine whether a domain itself is malicious. Domain Generation Algorithms (DGAs) produce as many domain names as possible in order to cause confusion. Ordinary DGAs create strings of random characters; dictionary DGAs create strings of random words taken from a dictionary. Dictionary DGAs are more difficult to detect because they use real words and can look like legitimate domains.
Infoblox detects dictionary DGA domains with a method based on graph analysis. The connections between the words a DGA combines form a pattern on a graph; the words in benign domains are effectively random and show no such pattern. Once a domain is determined to have been created by a DGA, and is therefore malicious, no DNS connection is made to it, and tunneling attempts are stopped before they start.
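The graph idea can be made concrete with a word co-occurrence graph: each dictionary word is a node, and two words are joined when they appear together in one domain label. A dictionary DGA recombines a small vocabulary, so its words form one large, heavily reused component, while benign word-based names leave isolated pairs. The code below is an added illustration for this page, not Infoblox's method or code. The word list, the domains under `.test`, the component-size threshold of 4 and the vowel-ratio rule for random-character labels are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed vocabulary standing in for the word list a dictionary DGA is assumed to draw from.
WORDLIST = {"river", "stone", "cloud", "light", "green", "north",
            "bright", "path", "sun", "flower"}

# Constructed sample of queried names: seven from a toy dictionary DGA recombining six words,
# two benign word-based names, one random-character DGA name, and one plain name.
SAMPLE_DOMAINS = [
    "riverstone.test", "cloudlight.test", "stonecloud.test", "lightriver.test",
    "greenstone.test", "northcloud.test", "rivergreen.test",
    "brightpath.test", "sunflower.test",
    "xkq7zvbm3p.test", "example.test",
]


def second_level_label(domain):
    return domain.rstrip(".").split(".")[-2]


def tokenize(label, wordlist=WORDLIST):
    """Split a label into dictionary words (longest match first, with backtracking); None if impossible."""
    if label == "":
        return []
    for end in range(len(label), 0, -1):
        head = label[:end]
        if head in wordlist:
            rest = tokenize(label[end:], wordlist)
            if rest is not None:
                return [head] + rest
    return None


def vowel_ratio(label):
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in "aeiou" for c in letters) / len(letters)


def looks_random(label):
    """Heuristic for classic random-character DGA labels: long and nearly unpronounceable (assumed thresholds)."""
    return len(label) >= 10 and vowel_ratio(label) < 0.25


def build_word_graph(domains):
    """Nodes are words; an edge joins two words that co-occur in one label. Also tracks word -> domains."""
    adj = defaultdict(set)
    members = defaultdict(set)
    for d in domains:
        words = tokenize(second_level_label(d))
        if not words or len(words) < 2:
            continue
        for w in words:
            members[w].add(d)
            adj[w]  # make sure the node exists even if it gains no edge
        for i, a in enumerate(words):
            for b in words[i + 1:]:
                if a != b:
                    adj[a].add(b)
                    adj[b].add(a)
    return adj, members


def connected_components(adj):
    seen, comps = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            w = queue.popleft()
            comp.add(w)
            for n in adj[w]:
                if n not in seen:
                    seen.add(n)
                    queue.append(n)
        comps.append(comp)
    return comps


def classify(domains, min_domains=4):
    """Return {domain: verdict}. A word component spanning many labels, with words reused across
    labels, is the recombination pattern of a dictionary DGA; isolated pairs are treated as benign.
    Labels that do not split into words are checked with the random-character heuristic."""
    adj, members = build_word_graph(domains)
    verdict = {}
    for comp in connected_components(adj):
        comp_domains = set().union(*(members[w] for w in comp))
        reuse = sum(len(members[w]) for w in comp) / len(comp)  # average labels per word
        label = "dictionary-dga" if len(comp_domains) >= min_domains and reuse >= 2 else "benign"
        for d in comp_domains:
            verdict[d] = label
    for d in domains:
        if d not in verdict:
            verdict[d] = "random-dga" if looks_random(second_level_label(d)) else "benign"
    return verdict


if __name__ == "__main__":
    for d, v in classify(SAMPLE_DOMAINS).items():
        print(f"{d:20s} {v}")
```

The reuse measure is what separates the two cases the text describes: "brightpath" and "sunflower" each use words that occur nowhere else, so their components never grow, whereas the DGA's six words are reused across seven labels and collapse into a single connected cluster. In a real deployment a domain flagged this way would simply receive no resolution, which is the outcome the text describes.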