Pinpoint the Source of Compromise with DNS Lookup API and DNS Database Download

In the aftermath of every cyberattack, digital entrepreneurs often scramble to get to the bottom of how it occurred. That’s not surprising since only 36% of organizations can respond to a breach. Worse, they sometimes don’t have any inkling as to what caused it.

Yet while no one expects every website owner to tinker with penetration-testing tools and source code, it helps to have at least a basic understanding of one’s cybersecurity posture.

By knowing the extent of your network’s attack surface, you can fend off devastating breaches before they even occur.

This guide aims to show how to identify indicators of compromise (IoCs) with DNS Lookup API and DNS Database Download following—but hopefully before—an attack.

But first, let’s take a look at why attackers target Domain Name System (DNS) servers and how they do so.

Why Attack DNS Servers and How Do DNS-Based Attacks Work?

The primary reason for going after an organization’s DNS server is simple: Successfully taking it down disrupts operations.

A DNS-based attack thus inflicts maximum strain on any company as it loses its means of communicating with clients, thus negatively affecting its bottom line.

To instigate DNS-based attacks, threat actors typically send a massive amount of randomized subdomain queries to overload a target’s servers while bypassing caching servers found on the way.

In the normal course of things, a user’s browser query passes through a recursive server and then an authoritative server to get a result. Any disruption to this resolution process constitutes a DNS-based attack.

A DNS-based attack can affect an organization in two ways because DNS servers mainly do two things—host answers (authoritative servers) and find answers (recursive servers).

Attacks Against Authoritative Servers

Authoritative servers maintain a company’s DNS zone and related records, much like a database. The records all need to point to the business’s DNS zone. Otherwise, website visitors won’t get directed to the business’ website.

Authoritative servers can suffer from a subdomain attack—a type of denial-of-service (DoS) attack that overwhelms them so they can no longer respond to legitimate queries.

In such an attack, the hacker sends a lot of queries to subdomains that don’t even exist, consuming the authoritative server’s resources.

Attacks Against Recursive Servers

Recursive servers take the domain names users request (for example, a website name typed into a browser or taken from a uniform resource locator (URL)), fetch the corresponding records from authoritative servers, and return the right IP address.

This is necessary to access the resource, e.g. the website. In short, they point users to the correct pages.

Recursive servers can suffer from cache poisoning attacks where threat actors corrupt answers stored in a cache.

That prevents users from getting the right results and also risks sending users who typed the correct URL to malicious websites. These name servers can also be affected by phantom domain attacks, which are very similar to subdomain attacks.

The only difference is that the attackers direct the resolver to nonexistent servers, so it uses up resources only to find out they don’t exist, filling its cache with useless answers until it ceases to function.

What Can Companies Do to Mitigate Attacks?

To prevent DNS-based attacks, organizations need to protect all their DNS servers. They can do so by:

  • Restricting recursive server management to internal users: That would prevent cache poisoning by hackers and other attacks against recursive servers.
  • Managing authoritative servers in-house: A tool like DNS Lookup API can list all the records associated with their DNS zones. They can then make sure all of these have the correct settings.

These mitigation practices should help companies prevent DNS-based attacks. But are there also ways for them to thwart attacks in progress? Read on to find out.

How to Track Down the Source of Attacks with DNS Record Lookups

Triaging a cyber incident involves a thorough assessment of an attack. In the event of a DoS attack, for instance, an incident responder would immediately work on diagnosing the problem, for example, by checking if an application vulnerability or network misconfiguration caused it.

However, that is only possible if the company has proper on-premises tools that provide traffic visibility.

Hunting for IoCs and indicators of attacks (IoAs) is a critical step after that. Here are some common red flags to look for:

Sudden Surge in Request Sizes

DNS lookups are also crucial for analyzing a web server’s traffic. Before an attack, it is common for websites to experience a spike in traffic. Query sizes far above the usual baseline for the protocol, even at peak times, may come from unwanted sources.

Among other actions, users can employ DNS Lookup API to check if any changes were recently made to their zone files and authoritative name servers to cause such anomalies.

Entering a domain into the API returns a list of all the DNS records associated with it for investigation.
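One way to put the zone-file check into practice, as an added example that is not the author’s or the DNS Lookup API vendor’s code: snapshot a domain’s records, keep a baseline, and diff the two so that swapped name servers or a loosened SPF policy stand out. The example.com records are constructed, and the API’s output format is assumed rather than modelled.

```python
"""Diff a fresh DNS record snapshot against a stored baseline to spot zone drift.

Snapshots are dicts of record type -> set of record values; build them from DNS
Lookup API output (format assumed, not modelled here) or from dig. The zones below
are constructed sample data, not real records.
"""
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Set[str]]

# Constructed baseline captured before the incident (example.com is a placeholder)
BASELINE: Snapshot = {
    "NS": {"ns1.example.net.", "ns2.example.net."},
    "A": {"203.0.113.10"},
    "MX": {"10 mail.example.com."},
    "TXT": {"v=spf1 ip4:203.0.113.0/24 -all"},
}

# Constructed current snapshot: one name server swapped, an extra A record, and
# the SPF policy loosened from -all to +all
CURRENT: Snapshot = {
    "NS": {"ns1.example.net.", "ns-rogue.example.org."},
    "A": {"203.0.113.10", "198.51.100.7"},
    "MX": {"10 mail.example.com."},
    "TXT": {"v=spf1 ip4:203.0.113.0/24 +all"},
}

# Changes to these types redirect resolution or mail and deserve triage first
HIGH_RISK_TYPES = {"NS", "MX", "TXT"}


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str, str]]:
    """Return (rtype, "added"|"removed", value) for each changed record; a type
    missing on one side counts as an empty set, so vanished records show too."""
    findings = []
    for rtype in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rtype, set()), current.get(rtype, set())
        findings += [(rtype, "added", v) for v in sorted(new - old)]
        findings += [(rtype, "removed", v) for v in sorted(old - new)]
    return findings


def high_risk_changes(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Subset of findings touching NS, MX or TXT records."""
    return [f for f in findings if f[0] in HIGH_RISK_TYPES]


if __name__ == "__main__":
    for rtype, change, value in diff_snapshots(BASELINE, CURRENT):
        print(f"{rtype:4} {change:8} {value}")
```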

Queries Coming from Unusual Domain Names

With a packet analyzer, users can see all the domain names their network is attempting to contact and vice versa.

If, for instance, one of these looks like a mix of random numbers, strings, and letters, it could belong to a command-and-control (C&C) server designed to exfiltrate data from a network.

Note, though, that many domain generation algorithms (DGAs) nowadays also produce human-readable domain names.

Run unusual or suspicious domains from logs through the API to retrieve their records for further inspection. Better yet, users can do this for all domains accessing their corporate network by integrating DNS Lookup API into network filtering solutions.

By examining hostnames and other resource records linked to a domain, they can deduce if requests are legitimate or not.
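An added example, not from the original post, of the first-pass filter described above: it scans constructed resolver log lines (the log format and the thresholds are assumptions) and flags second-level labels that look machine-generated, so their records can then be pulled with a lookup.

```python
"""Flag queried names in resolver logs that look machine-generated (DGA-like).

This is triage only: as noted above, newer DGAs emit readable names, so a hit
is a reason to pull the domain's records, not proof of a C&C server.
The log lines are constructed sample data.
"""
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed resolver log format: "<timestamp> <client ip> <queried name>"
LOG_LINES = [
    "2024-05-01T10:00:01Z 10.0.0.21 www.example.com",
    "2024-05-01T10:00:02Z 10.0.0.21 cdn.example.net",
    "2024-05-01T10:00:05Z 10.0.0.33 x7k9q2mz4p1v.info",
    "2024-05-01T10:00:06Z 10.0.0.33 a1b2c3d4e5f6g7h8.biz",
    "2024-05-01T10:00:09Z 10.0.0.40 mail.example.com",
]
LOG_RE = re.compile(r"^\S+\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for empty input or a single repeated character."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def second_level_label(qname: str) -> str:
    """Label left of the TLD; assumes a one-label suffix (no public suffix list)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname: str, entropy_min: float = 3.3, digit_ratio_min: float = 0.3) -> bool:
    """True when the second-level label is long and high-entropy or digit-heavy."""
    label = second_level_label(qname)
    if len(label) < 10:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_min or digit_ratio >= digit_ratio_min


def suspicious_queries(lines: List[str]) -> List[Tuple[str, str]]:
    """(client, qname) pairs worth a record lookup, parsed from raw log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and looks_generated(m["qname"]):
            hits.append((m["client"], m["qname"]))
    return hits
```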

Domain Look-Alikes or Redirects

Hackers employ multiple tactics to compromise a website successfully. One method is by setting up a domain look-alike to mislead unsuspecting users to web pages under their control.

Users may mistype a domain name and end up on the hackers’ site. That can lead to the download of a malicious program onto their computers. Some may also land on copycat websites via fake ads.

Bear in mind, however, that attackers don’t have to use copycat domains or websites to capture a target’s customers. They can also hijack domains and redirect visitors to wherever they please if these have dangling pointers (forgotten and insufficiently secured records).

To prevent nefarious actors from taking over servers, users can employ DNS Database Download to scan their domain for unused subdomains they may have neglected. The database lets users know when a domain was last updated and this can serve as a clue in investigations.
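The dangling-record check, as an added example that is not the page’s or DNS Database Download’s code: it walks a constructed zone export and reports CNAMEs whose target no longer resolves. The resolver function is injected so the demo runs offline; the system resolver is provided for a live run.

```python
"""Find dangling CNAME records: aliases whose target no longer resolves and could
be registered or claimed by someone else, then used to redirect visitors.

The zone export is constructed sample data. `resolves` is injectable so the check
runs offline here; `system_resolves` uses the OS resolver for a real zone, and a
subdomain list from DNS Database Download can be fed in the same shape.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed zone export: owner name -> (record type, target or address)
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com.": ("CNAME", "web-prod.example.com."),
    "web-prod.example.com.": ("A", "203.0.113.10"),
    "old-shop.example.com.": ("CNAME", "retired-store.cloudhost.invalid."),
    "blog.example.com.": ("CNAME", "example-blog.saas-host.invalid."),
}

# Constructed stand-in for live DNS: names that still answer with an address
STILL_ANSWERS = {"web-prod.example.com.", "example-blog.saas-host.invalid."}


def system_resolves(name: str) -> bool:
    """True if the OS resolver returns any address for `name` (needs network access)."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def dangling_cnames(zone: Dict[str, Tuple[str, str]],
                    resolves: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """(owner, target) pairs for CNAMEs whose target does not resolve."""
    return sorted(
        (owner, target)
        for owner, (rtype, target) in zone.items()
        if rtype == "CNAME" and not resolves(target)
    )


if __name__ == "__main__":
    # Offline demo with the constructed answer set; pass system_resolves for a live check
    for owner, target in dangling_cnames(ZONE, lambda n: n in STILL_ANSWERS):
        print(f"dangling: {owner} -> {target}")
```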

Email-Related Issues

Email remains a primary attack vector used to deliver a payload or malicious program that executes the attack.

Company employees may have clicked a link or downloaded an attachment from a phishing email, enabling the hacker to take over their accounts and, consequently, the domain.

Use DNS Lookup API to check the TXT record that carries the Sender Policy Framework (SPF) policy. The TXT record should list the correct IP addresses and mail servers and have the expected time to live (TTL) value. Any inconsistencies may indicate a compromise.
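As an added example of the SPF check (not the page’s own code), a parser for the SPF TXT record that compares it with the expected sender list and flags a weakened "all" qualifier. The records, the expected senders and the API output format are assumptions.

```python
"""Parse a domain's SPF TXT record and report deviations from the expected policy.

TXT answers below are constructed; in practice they come from DNS Lookup API
(output format assumed) or `dig TXT example.com`. Modifiers such as redirect=
are reported, not followed, and the mechanism syntax check is deliberately simple.
"""
from typing import Dict, List, Set

# Constructed expected sender mechanisms for example.com
EXPECTED: Set[str] = {"ip4:203.0.113.0/24", "include:_spf.mailprovider.invalid", "mx"}

# Constructed TXT answer sets: a healthy record and a tampered-looking one
TXT_OK = ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.invalid mx -all"]
TXT_BAD = ["v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 "
           "include:_spf.mailprovider.invalid ~all"]


def parse_spf(txt_records: List[str]) -> Dict[str, object]:
    """Pick out the SPF record and split it into mechanisms, modifiers and the 'all' qualifier."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    result: Dict[str, object] = {"count": len(spf), "mechanisms": [], "modifiers": [], "all": None}
    if len(spf) != 1:          # RFC 7208 requires exactly one SPF record per name
        return result
    for term in spf[0].split()[1:]:
        qual, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if body.lower() == "all":
            result["all"] = qual
        elif "=" in body:       # modifier, e.g. redirect= or exp=
            result["modifiers"].append(body)
        else:
            result["mechanisms"].append(body.lower())
    return result


def spf_findings(txt_records: List[str], expected: Set[str] = EXPECTED) -> List[str]:
    """Anomalies an analyst should check: record count, unexpected or missing senders, weak 'all'."""
    p = parse_spf(txt_records)
    if p["count"] != 1:
        return [f"expected exactly one SPF record, found {p['count']}"]
    findings = [f"unexpected sender mechanism: {m}" for m in p["mechanisms"] if m not in expected]
    findings += [f"expected mechanism missing: {m}" for m in sorted(expected - set(p["mechanisms"]))]
    findings += [f"modifier present, not evaluated: {m}" for m in p["modifiers"]]
    if p["all"] != "-":
        findings.append(f"'all' qualifier is {p['all']!r}, expected '-' (hard fail)")
    return findings
```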

A report revealed that 60% of “progressive” organizations (those with a high level of cybersecurity preparedness) had leaders who prioritized their cybersecurity plans.

If this doesn’t sound like your company, it’s high time you consider implementing a more robust security strategy.

Additionally, the above examples only show a few IoCs to look for in the event of an attack—more work has to be done if you want to beef up your cyber resilience.

Tools such as DNS Lookup API and DNS Database Download can start you off on the right track.

About the Author

Jonathan Zhang is the founder and CEO of Threat Intelligence Platform (TIP)—a data, tool, and API provider that specializes in automated threat detection, security analysis, and threat intelligence solutions for Fortune 1000 and cybersecurity companies. TIP is part of the WhoisXML API family, a trusted intelligence vendor by over 50,000 clients.