SonicALERT
Search

Sonicwall Signatures

 

  All Categories


Category: DNS

DNS Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to DNS attacks. DNS or Domain Name System servers operate by serving clients with information about a particular domain or subdomain, and are a critical part of internet and e-mail communication. For example, web browsers like Firefox or Internet Explorer require a url like "http://www.sonicwall.com". Once entered, the client system sends a dns request to a dns server. The server maps the domain name to an ip address (a number assigned and used much like a phone number) that the browsers can use to request web pages. DNS servers also point to other servers, for example mail servers or lower level DNS servers. SMTP servers, or the servers that deliver email, rely heavily on DNS to deliver email to the proper destination. However, because DNS servers provide a large amount of information about networks, and because they are central to processing inbound and outbound network traffic, they are an attractive point of attack for hackers.

DNS attacks come in four main varieties. Data mining attacks simply seek information for future attacks through zone transfers. Zone transfers usually are requested by remote DNS servers attempting to serve their own user's request for an IP address in the local domain. These transfers hand the remote DNS server a database of IP address maps, timestamps, and occasionally other information like the version numbers of software running on local servers. Attackers often pretend to be remote servers requesting a zone transfer to gather information about a network and locate vulnerabilities that they can exploit to break into the network in the future.

DNS spoofing attacks take advantage of DNS servers' routing function to misroute traffic. One way attackers can achieve this is through cache poisoning. Cache poisoning exploits the fact that DNS servers often perform zone transfers to cache the name-to-IP maps locally so that they can route traffic more quickly. An attacker can trick a DNS server into accepting a corrupted zone transfer that maps domain names to different IP addresses, rerouting users to unexpected, often malicious content while denying them access to the sites that they have requested.

Denial of service attacks target DNS servers to all but shut down inbound and outbound traffic on a specific domain. Denial of service attacks can take many forms. Attackers can, for example, try to tie up all available connections on a DNS server by making a large number of TCP requests that require the server to maintain open connections. One way is to make a large number of zone transfer requests. Attackers can also deny service to the back end of a server by "locking" the database so that it cannot be updated by administrators. Zone transfers can also be used for this type of attack, since a server performing a zone transfer usually keeps an administrator from changing the content of the database while it is being transferred. While these two types of attacks can be a nuisance, because they rely mostly on TCP connections, and most traffic that DNS servers serve are over UDP, they are not crippling.

Finally, buffer overfly attacks exploit vulnerabilities in the software that usually runs on DNS servers. To handle requests, a vast majority of DNS servers run BIND software, or Berkeley Internet Name Domain software, which has a large number of known vulnerabilities. Attackers can send unpatched servers carefully malformed requests that cause the server to execute arbitrary code, giving attackers control over the machine, or cause it to crash. In the first instance, attackers can use the compromised server for data mining, for rerouting inbound and outbound traffic by changing entries in the server, or for targeting attacks at computers inside the network. In the second instance, a crashed DNS server can shut down most inbound and outbound traffic on a domain since end users will not be served the proper IP addresses for content or mail servers when they request them. Unless users have memorized the correct IP addresses, online communication will be largely impossible.

SonicWALL DNS signatures are classified from low- to high-priority. Because many of the lower priority signatures identify traffic that is most often legitimate but occasionally abused by attackers, they are set to detect so that administrators can identify suspicious activity if it arises. The medium and high priority signatures, when enabled for prevention, can keep malicious DNS traffic from reaching the servers at all. However, it should be noted that patches and updates are available for DNS server that support new security extensions for DNS (DNSSEC). Administrators should install these updates and implement DNSSEC in conjunction to using SonicWALL signatures to ensure maximum security for their DNS servers.

  Windows DNS Server Remote Code Execution (CVE-2020-1350) 1
  Windows DNS Server Remote Code Execution (CVE-2020-1350) 2
  Windows DNS Server Remote Code Execution (CVE-2020-1350) 3
  Windows DNS Server Remote Code Execution (CVE-2020-1350) 4
  Windows DNS Server Remote Code Execution (CVE-2020-1350) 5
  Windows DNS Server Remote Code Execution (CVE-2020-1350) 6
  ISC BIND GSS-TSIG Out-of-Bounds Write
  DNS Malformed Request 2
  ISC BIND SPNEGO DoS
  DNS Malformed Request 3
  DNS Malformed Request 1
  ISC BIND EDNS Option Processing DoS
  libspf2 Macro Integer Underflow
  ISC BIND RDATA DoS
  PowerDNS Recursor DoS 1
  ISC BIND Delegation Chaining DoS
  ISC BIND Information Disclosure 2
  ISC BIND Information Disclosure 3
  TippingPoint Reverse DNS Lookup XSS
  DNS Malformed Response 1
  ISC BIND AUTHORS Request (TCP)
  ISC BIND AUTHORS Request (UDP)
  DNS Tunneling 1
  DNS Tunneling 2
  ISC BIND TSIG DoS 1
  ISC BIND TSIG DoS 2
  ISC BIND RegEx DoS 1
  DNS Malformed Response 2
  PowerDNS Nameserver DoS 1
  PowerDNS Nameserver DoS 2
  DNS Tunneling 3
  ISC BIND TKEY Query DoS 1
  ISC BIND TKEY Query DoS 2
  ISC BIND TKEY Query DoS 3
  ISC BIND TKEY Query DoS 4
  ISC BIND TKEY Query DoS 5
  PowerDNS Authoritative Server DoS 1
  ISC BIND db.c DoS
  ISC BIND db.c DoS 1
  ISC BIND apl_42.c DoS
  ISC BIND buffer.c DoS 1
  NGINX DNS Resolver DoS
  GNU glibc getaddrinfo Function Buffer Overflow 1
  GNU glibc getaddrinfo Function Buffer Overflow 2
  GNU glibc getaddrinfo Function Buffer Overflow 3
  GNU glibc getaddrinfo Function Buffer Overflow 4
  ISC BIND DNAME DoS
  ISC BIND Cookie Option DoS
  ISC BIND rndc DoS
  ISC BIND lwresd DoS
  ISC BIND buffer.c DoS 2
  ISC BIND DNAME Response Processing DoS
  ISC BIND RTYPE ANY DoS
  ISC BIND RRSIG RRsets DoS 2
  ISC BIND DNS64/RPZ DoS
  ISC BIND rndc Control Channel DoS
  ISC BIND Referral DoS
  systemd resolved dns_packet_new Heap Buffer Overflow
  DNS Malformed Response 3
  Cesanta Mongoose DNS Request DoS
  systemd DNS NSEC Resource Record DoS 1
  systemd DNS NSEC Resource Record DoS 2
  Windows DNSAPI Remote Code Execution (JUN 18)
  ISC BIND deny-answer-aliases DoS
  PowerDNS Recursor DoS 2
  PowerDNS Authoritative Server DoS 2
  Windows DNS Server Remote Code Execution (CVE-2021-24078)
  dnsmasq DNSSEC Heap Buffer Overflow
  dnsmasq DNSSEC Heap Buffer Overflow 2
  dnsmasq DNSSEC Heap Buffer Overflow 3
  dnsmasq DNSSEC Buffer Overflow
  Windows DNS Server Remote Code Execution (CVE-2021-26877)
  Windows DNS Server Remote Code Execution (CVE-2021-26897)
  NGINX DNS Resolver Heap Buffer Overflow 1
  Windows DNS Server DoS (MS12-017)
  NGINX DNS Resolver Heap Buffer Overflow 2
  Windows DNS Server NAPTR Query Remote Code Execution (MS11-058) 1
  Windows DNS Server NAPTR Query Remote Code Execution (MS11-058) 2
  Windows DNS Server NAPTR Query Remote Code Execution (MS11-058) 3
  dnsmasq add_pseudoheader Integer Underflow
  systemd resolved dns_packet_new Heap Buffer Overflow 2
  Windows DNS Server WPAD Registration Spoofing (MS09-008)
  Squid DNS Replies Memory Corruption 1
  Squid DNS Replies Memory Corruption 2
  Tftpd32 DNS Server Buffer Overflow
  ISC BIND RRSIG Query DoS
  ISC BIND RRSIG RRsets DoS
  ISC BIND CNAME RRSIG Query DoS
  DNSSEC KeyTrap DoS 1
  DNSSEC KeyTrap DoS 2
  DNSSEC NSEC3 Response DoS
  Exim DKIM Heap Buffer Overflow
  HAProxy dns.c Compressed Pointer DoS
  ISC BIND EDNS0 DoS
  Unbound NOTIFY Query DoS


Relevant Information