A DNS server is an integral part of an AD environment. Simple yet crucial activities are accomplished using DNS servers, such as authenticating, searching for computers, and identifying domain controllers.

But attackers know there are a lot of loopholes in DNS that they can exploit. And, they often already know about these vulnerabilities. In this blog, you will learn how attackers can abuse:

Attacking AD by abusing the DNS cache 

The DNS cache is the local repository of DNS queries utilized by a client. When a client requests a resource, say example.com, the DNS server resolves the requested domain name to its equivalent IP address with the help of name resolvers. DNS caches accelerate this process by storing the the resolved values in memory for quick retrievals. For repetitive queries, the DNS server will search for and return the IP address values stored in the cache, which reduces the turn around time.

Attackers often try to manipulate the DNS cache records to replace legitimate IP addresses with malicious IP addresses to gain access to sensitive information.

Cache poisoning attacks can be launched even by novice attackers within ten minutes. How? Check out this on-demand webinar where a website is spoofed and resolves to a malicious site within minutes.

 The attack vectors required to pull off this attack:

  1. Malicious site replicating the legitimate site

  2. Kali Linux and its toolbox to perform ARP cache poisoning to spoof DNS

If you’ve watched the webinar, you’ve seen that DNS spoofing has been around for a long time. But, we can proactively take actions. To thwart DNS attacks, detect malicious DNS activity, and to ensure the security of your AD infrastructure, a SIEM solution can help.

A SIEM tool can help track and monitor DNS changes. It can also notify you in real time about malicious activities taking place at the DNS level, and help you remediate these threats or at least contain the damage caused by the attacks.

The zone transfer vulnerability of DNS 

One of the simplest, yet dangerous, attacks against the DNS is the exploitation of the AXFR protocol. The zone transfer mechanism in DNS, which is used to replicate the records from one DNS server to another, uses the AXFR protocol. The reason behind replicating DNS zones is to ensure business continuity even if the primary DNS server malfunctions.

The AXFR protocol’s query for DNS record is a simple, single-line dig command:

$ dig axfr zonetransfer.me @<domain name>

The AXFR protocol requires no authentication. If your DNS server isn’t properly configured, the zone transfer protocol can be abused by any client and a copy of the entire zone can be created. To prevent this, it is critical to configure your DNS servers to only trust reputed IP addresses. You can list the IP addresses of the trusted name servers to allow DNS replication only for those IP addresses.

Here’s how you can feed the trusted name servers into the DNS server:

acl trusted-nameservers {
  <IP address 1>;

  <IP address 2>;

Here’s how you can allow DNS zone replication for trusted name servers:

 zone zonetransfer.me {
  type <master>;
  file “zones/zonetransfer.me”;
  allow-transfer { trusted-nameservers; };

If a client tampers with the zone transfer protocol, you can detect it with a SIEM solution. A SIEM tool can help track DNS zone changes and permission changes. Check out ManageEngine Log360, an all-inclusive SIEM solution that helps you monitor DNS activities and secure your infrastructure end-to-end.

Explore Log360 on your own by downloading a free, 30-day trial here. You can also schedule a free, personalized demo to receive answers to your product questions from one of our solution experts.

Shehnaaz N
Product Marketing Specialist