SonicALERT

Sonicwall Signatures


Category: DNS

DNS Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to DNS attacks. DNS (Domain Name System) servers operate by serving clients with information about a particular domain or subdomain, and are a critical part of internet and e-mail communication. For example, web browsers like Firefox or Internet Explorer require a URL such as "http://www.sonicwall.com". Once it is entered, the client system sends a DNS request to a DNS server. The server maps the domain name to an IP address (a number assigned and used much like a phone number) that the browser can use to request web pages. DNS servers also point to other servers, for example mail servers or lower-level DNS servers. SMTP servers, the servers that deliver e-mail, rely heavily on DNS to deliver mail to the proper destination. However, because DNS servers provide a large amount of information about networks, and because they are central to processing inbound and outbound network traffic, they are an attractive point of attack for hackers.

DNS attacks come in four main varieties. Data mining attacks simply seek information for future attacks through zone transfers. Zone transfers are usually requested by remote DNS servers attempting to serve their own users' requests for an IP address in the local domain. These transfers hand the remote DNS server a database of IP address mappings, timestamps, and occasionally other information such as the version numbers of software running on local servers. Attackers often pretend to be remote servers requesting a zone transfer in order to gather information about a network and locate vulnerabilities that they can exploit to break into the network later.

DNS spoofing attacks take advantage of DNS servers' routing function to misroute traffic. One way attackers can achieve this is through cache poisoning. Cache poisoning exploits the fact that DNS servers often perform zone transfers to cache name-to-IP mappings locally so that they can route traffic more quickly. An attacker can trick a DNS server into accepting a corrupted zone transfer that maps domain names to different IP addresses, rerouting users to unexpected, often malicious, content while denying them access to the sites they requested.

Denial of service attacks target DNS servers to all but shut down inbound and outbound traffic for a specific domain. Such attacks can take many forms. Attackers can, for example, try to tie up all available connections on a DNS server by making a large number of TCP requests that require the server to keep connections open; one way to do so is to make a large number of zone transfer requests. Attackers can also deny service to the back end of a server by "locking" the database so that administrators cannot update it. Zone transfers can be used for this type of attack as well, since a server performing a zone transfer usually prevents an administrator from changing the contents of the database while it is being transferred. Although these two types of attack can be a nuisance, they are not crippling, because they rely mostly on TCP connections while most of the traffic that DNS servers serve is over UDP.

Finally, buffer overflow attacks exploit vulnerabilities in the software that usually runs on DNS servers. To handle requests, the vast majority of DNS servers run BIND (Berkeley Internet Name Domain) software, which has a large number of known vulnerabilities. Attackers can send unpatched servers carefully malformed requests that cause the server to execute arbitrary code, giving the attackers control over the machine, or cause it to crash. In the first case, attackers can use the compromised server for data mining, for rerouting inbound and outbound traffic by changing entries on the server, or for targeting attacks at computers inside the network. In the second case, a crashed DNS server can shut down most inbound and outbound traffic for a domain, since end users will not be served the proper IP addresses for content or mail servers when they request them. Unless users have memorized the correct IP addresses, online communication becomes largely impossible.

SonicWALL DNS signatures are classified from low to high priority. Because many of the lower-priority signatures identify traffic that is most often legitimate but occasionally abused by attackers, they are set to detect rather than prevent, so that administrators can identify suspicious activity if it arises. The medium- and high-priority signatures, when enabled for prevention, can keep malicious DNS traffic from reaching the servers at all. It should be noted, however, that patches and updates are available for DNS servers that support the DNS security extensions (DNSSEC). Administrators should install these updates and implement DNSSEC in conjunction with SonicWALL signatures to ensure maximum security for their DNS servers.
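To make the categories above concrete, here is an added example in Python; it is not SonicWALL's code and does not reproduce any listed signature's actual logic. It parses the question section of a raw DNS message, flags zone-transfer (AXFR/IXFR) requests, the kind of mostly-legitimate traffic a low-priority signature would log rather than block, and rejects malformed names such as looping or forward compression pointers, the kind of input a "Malformed DNS Request/Response" or "Compressed Pointer DoS" signature targets. All function names are my own, and build_query only constructs sample input.

```python
import struct

QTYPE_NAMES = {1: "A", 15: "MX", 251: "IXFR", 252: "AXFR"}

def parse_name(msg, off):
    # Decode a DNS name at `off`; return (name, offset just past it). Rejects
    # truncated labels and compression pointers that do not point to a prior name.
    labels, start = [], off
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= start:               # must point before this name, else loops
                raise ValueError("bad compression pointer")
            target, _ = parse_name(msg, ptr)
            return ".".join(labels + ([target] if target else [])), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        if length > 63 or off + length > len(msg):   # also rejects reserved 0x40/0x80
            raise ValueError("label too long or truncated")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def parse_question(msg):
    # Parse the 12-byte header and the first question of a DNS message.
    ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = parse_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": ident, "response": bool(flags & 0x8000),
            "qname": qname, "qtype": QTYPE_NAMES.get(qtype, str(qtype))}

def classify(msg):
    # 'malformed' if unsafe to parse, 'zone-transfer' for AXFR/IXFR requests, else 'ok'.
    try:
        q = parse_question(msg)
    except (ValueError, struct.error):     # struct.error: a truncated fixed field
        return "malformed"
    if not q["response"] and q["qtype"] in ("AXFR", "IXFR"):
        return "zone-transfer"
    return "ok"

def build_query(name, qtype, ident=0x1234):
    # Build a minimal standard query (constructed sample input, not captured traffic).
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + wire + struct.pack("!HH", qtype, 1)
```

A pointer is accepted only if it refers to a name that starts earlier in the message, so every pointer hop strictly moves backwards and the parser cannot be sent into a loop.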

  Malformed DNS Response 1
  Windows DNS Server NAPTR Query Remote Code Execution (MS11-058) 1
  Windows DNS Server NAPTR Query Remote Code Execution (MS11-058) 2
  Windows DNS Server NAPTR Query Remote Code Execution (MS11-058) 3
  Malformed DNS Request 1
  Squid DNS Replies Memory Corruption 1
  Squid DNS Replies Memory Corruption 2
  DNS Query ym.rctrhash.com
  Squid DNS Lookup DoS 1
  Squid DNS Lookup DoS 2
  DeleGate DNS Message Decompression DoS
  Windows NAT Helper Components DNS DoS 1
  ISC BIND EDNS Option Processing DoS
  ISC BIND Dynamic Update Request DoS
  Symantec Enterprise Firewall DNS Proxy Cache Poisoning 2
  ISC BIND RDATA DoS
  PHP php_parserr Function Heap Buffer Overflow
  Windows NAT Helper Components DNS DoS 2
  Windows SMTP Component DNS MX Record DoS (MS10-024) 1
  Exim DKIM Heap Buffer Overflow
  libspf2 DNS TXT Record Handling Heap Buffer Overflow
  Windows DNS Server WPAD Registration Spoofing (MS09-008) 1
  Windows DNS Server WPAD Registration Spoofing (MS09-008) 2
  PowerDNS Recursor DoS 1
  ISC BIND Delegation Chaining DoS
  ISC BIND RRSIG Query DoS
  ISC BIND RRSIG RRsets DoS
  ISC BIND CNAME RRSIG Query DoS
  Windows DNS Server NAPTR Query Remote Code Execution (MS11-058) 4
  Malformed DNS Request 2
  ISC BIND Information Disclosure 2
  ISC BIND Information Disclosure 3
  ISC BIND Information Disclosure 1
  ISC BIND TSIG Buffer Overflow
  Malformed DNS Response 2
  ISC BIND RegEx DoS 2
  ISC BIND AUTHORS Request (TCP)
  ISC BIND AUTHORS Request (UDP)
  DNS Tunneling Traffic 1
  DNS Tunneling Traffic 2
  Windows SMTP Component DNS MX Record DoS (MS10-024) 2
  ISC BIND TSIG DoS 1
  libevent DNS Response DoS 1
  libevent DNS Response DoS 2
  libevent DNS Response DoS 3
  libevent DNS Response DoS 4
  libevent DNS Response DoS 5
  libevent DNS Response DoS 6
  ISC BIND TSIG DoS 2
  ISC BIND RegEx DoS 1
  Malformed DNS Response 3
  PowerDNS Nameserver DoS 1
  PowerDNS Nameserver DoS 2
  DNS Tunneling Traffic 3
  ISC BIND TKEY Query DoS 1
  ISC BIND TKEY Query DoS 2
  ISC BIND TKEY Query DoS 3
  ISC BIND TKEY Query DoS 4
  ISC BIND TKEY Query DoS 5
  PowerDNS Authoritative Server DoS
  ISC BIND db.c DoS
  ISC BIND db.c DoS 1
  ISC BIND apl_42.c DoS
  ISC BIND buffer.c DoS 1
  Nginx DNS DoS
  glibc getaddrinfo Function Buffer Overflow 1
  glibc getaddrinfo Function Buffer Overflow 2
  glibc getaddrinfo Function Buffer Overflow 3
  glibc getaddrinfo Function Buffer Overflow 4
  glibc getaddrinfo Function Buffer Overflow 5
  ISC BIND DNAME DoS
  ISC BIND Cookie Option DoS
  ISC BIND rndc DoS
  ISC BIND lwresd DoS
  ISC BIND buffer.c DoS 2
  ISC BIND DNAME Response Processing DoS
  ISC BIND RTYPE ANY DoS
  ISC BIND RRSIG RRsets DoS 2
  ISC BIND DNS64/RPZ DoS
  ISC BIND rndc Control Channel DoS
  ISC BIND Referral DoS
  Windows DNS Server DoS (MAY 17)
  systemd resolved dns_packet_new Heap Buffer Overflow
  Malformed DNS Response 4
  Cesanta Mongoose DNS Request DoS
  systemd DNS NSEC Resource Record DoS 1
  systemd DNS NSEC Resource Record DoS 2
  Windows DNSAPI Remote Code Execution (JUN 18)
  DNS Tunneling Traffic 4
  DNS Tunneling Traffic 5
  Malformed DNS Response 5
  PowerDNS Recursor DoS 2
  HAProxy dns.c Compressed Pointer DoS
  ISC BIND EDNS0 DoS
  PHP dns_get_record Memory Corruption 1
  PHP dns_get_record Memory Corruption 2
  Unbound NOTIFY Query DoS
