DDoS attacks

Amplification attacks

$ dig any +norec +dnssec | grep -i size
;; MSG SIZE  rcvd: 3390

Reflection attacks

Combination attacks

Cache poisoning

  1. The attacker has prior knowledge of the target domain and sends a query to the recursive DNS server for a name that does not exist, such as
  2. Because this is a name that does not exist, the recursive DNS server must traverse the DNS namespace to find it.
  3. The attacker can beat the legitimate NXDOMAIN response from the authoritative name server by sending a lot of spoofed responses that look like they are coming from the legitimate authoritative name server. In the spoofed response, the attacker claims is the NS record of the domain, to trick the recursive name server into accepting and its IP address.
  4. By the laws of probability, the attacker’s spoofed response may be accepted by the recursive server, and the bad answer is now stored in its cache.
  5. Unsuspecting client queries for the name A record.
  6. The recursive server provides the answer from the now-poisoned cache with the forged answer from the attacker.

See Cloudflare’s article for more.

Data exfiltration via DNS tunneling

DNS tunneling allows for

In the last two cases, clients evade detection by breaking data down into query-sized chunks, disguising sensitive data as DNS queries, and sending them to malicious DNS servers on the far end who can unpack these queries and reconstruct the data.

Detection using DNS server logs

Source: Using Splunk to detect DNS tunneling

Payload analysis

FQDN entropy

$ shannon < /tmp/hostnames.txt

FQDN length

Unusual record types
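The three payload checks above (subdomain entropy, FQDN length, unusual record types) applied to a few constructed log lines, as an added example that is not from this page's source or from the Splunk app it cites; the thresholds, the "client qname qtype" log layout and the two-label registrable-domain rule are assumptions:

```python
import math
from collections import Counter
# Constructed sample log lines ("client qname qtype"); not real traffic or any server's native format.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 3a9f1c0e7b2d4f6a8c1e5b7d9f0a2c4e.tunnel.example.net TXT
10.0.0.7 6d2b8e4a0c1f3e5d7a9b2c4e6f8a0d1c.tunnel.example.net TXT
10.0.0.9 cdn.example.org AAAA
"""

# Assumed thresholds; calibrate them against a baseline of your own resolver logs.
ENTROPY_THRESHOLD = 3.5        # bits per character of the subdomain part
LENGTH_THRESHOLD = 50          # characters in the whole FQDN
RARE_QTYPES = {"TXT", "NULL"}  # record types that can carry arbitrary payloads

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def subdomain(fqdn: str) -> str:
    """Labels left of the registrable domain; assumes it is the last two labels
    (example.com). Production code should use the Public Suffix List instead."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""

def parse_log(text: str):
    """Yield (client, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].rstrip(".").lower(), parts[2].upper()

def analyze(text: str) -> dict:
    """Map each suspicious qname to the payload indicators it triggered."""
    flagged = {}
    for _client, qname, qtype in parse_log(text):
        hits = []
        if shannon_entropy(subdomain(qname)) > ENTROPY_THRESHOLD:
            hits.append("high-entropy subdomain")
        if len(qname) > LENGTH_THRESHOLD:
            hits.append("long FQDN")
        if qtype in RARE_QTYPES:
            hits.append("unusual record type " + qtype)
        if hits:
            flagged[qname] = hits
    return flagged
```

Entropy is measured on the subdomain rather than the whole name because short ordinary names like cdn.example.org already score above 3.5 bits per character when every label is included.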

Traffic analysis

Volumes of DNS requests

Geographic location