FIRST DNS Abuse Techniques Matrix
The Domain Name System (DNS) is a critical part of the Internet; among other functions, it maps domain names to IP addresses. Malicious threat actors use domain names, their corresponding technical resources, and other parts of the DNS infrastructure, including its protocols, for their malicious cyber operations. CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies. Understanding the international customary norms applicable to detecting and mitigating DNS abuse, from the perspective of the global incident response community, is critical for the open Internet's stability, security and resiliency. See also https://www.first.org/global/sigs/dns/ for more information.
Authors
| Authors and/or Contributors |
|---|
| FIRST.org |
| Andrey Meshkov (AdGuard) |
| Ángel González (INCIBE-CERT) |
| Angela Matlapeng (bwCSIRT) |
| Benedict Addis (Shadowserver) |
| Brett Carr (Nominet) |
| Carlos Alvarez (ICANN; founding member) |
| David Ruefenacht (Infoguard) |
| Gabriel Andrews (FBI) |
| John Todd (Quad9; current co-chair of DNS Abuse SIG) |
| Jonathan Matkowsky (RiskIQ / Microsoft; former co-chair) |
| Jonathan Spring (CISA; current co-chair of DNS Abuse SIG) |
| Mark Henderson (IRS) |
| Mark Svancarek (Microsoft) |
| Merike Kaeo (Double Shot Security) |
| Michael Hausding (SWITCH-CERT; former co-chair, current FIRST board member) |
| Peter Lowe (DNSFilter; current co-chair of DNS Abuse SIG) |
| Shoko Nakai (JPCERT/CC) |
| Swapneel Patnekar (Shreshta IT) |
| Trey Darley (FIRST board; founding member) |
DGAs
DGAs - Domain Generation Algorithms
Internal MISP references
UUID bbb63c10-548a-5ddc-8c6d-c5d8712df26d, which can be used as a unique global reference for DGAs in MISP communities and other software using the MISP galaxy.
Domain name compromise
Wrongfully taking control of a domain name from the rightful name holder. Compromised domains can be used for different kinds of malicious activity, such as sending spam or phishing, distributing malware, or serving as botnet command and control.
Internal MISP references
UUID 1c46402d-ca07-5cd7-a49c-477a4e868d12, which can be used as a unique global reference for Domain name compromise in MISP communities and other software using the MISP galaxy.
Lame delegations
Lame delegations occur when a nameserver's domain name expires; an attacker can then take control of the delegated domain's resolution by re-registering the expired nameserver domain.
Internal MISP references
UUID 8f013ccd-6697-566d-8b83-9cbfdc802342, which can be used as a unique global reference for Lame delegations in MISP communities and other software using the MISP galaxy.
DNS cache poisoning
DNS cache poisoning, also known as DNS spoofing, is a type of cyber attack in which an attacker corrupts a DNS resolver's cache by injecting false DNS records, causing the resolver to return records controlled by the attacker.
Internal MISP references
UUID 3b236fe5-83c2-563b-8744-bf11e414a6ad, which can be used as a unique global reference for DNS cache poisoning in MISP communities and other software using the MISP galaxy.
DNS rebinding
DNS rebinding is a type of attack in which a malicious website directs a client to a local network address, allowing the attacker to bypass the same-origin policy and gain access to the victim's local resources.
Internal MISP references
UUID 8c30074b-e718-5262-86fe-b7a6493cf731, which can be used as a unique global reference for DNS rebinding in MISP communities and other software using the MISP galaxy.
DNS server compromise
An attacker gains administrative privileges on an open recursive DNS server, an authoritative DNS server, an organizational recursive DNS server, or an ISP-operated recursive DNS server.
Internal MISP references
UUID 094f218e-51fe-5f3b-a202-1cc9b016dedc, which can be used as a unique global reference for DNS server compromise in MISP communities and other software using the MISP galaxy.
Stub resolver hijacking
The attacker compromises the operating system of a computer or phone with malicious code that intercepts DNS queries and answers them with rogue or malicious responses.
Internal MISP references
UUID 9bbd1e65-d11b-5e29-adf2-f0a997c51547, which can be used as a unique global reference for Stub resolver hijacking in MISP communities and other software using the MISP galaxy.
Local recursive resolver hijacking
Customer Premises Equipment (CPE), such as home routers, often provides DNS recursion on the local network. If the CPE device is compromised, the attacker can change the recursive resolver's behavior, for example by altering responses.
Internal MISP references
UUID ec27edc4-7908-5100-9fc7-4159c283691d, which can be used as a unique global reference for Local recursive resolver hijacking in MISP communities and other software using the MISP galaxy.
On-path DNS attack
Attackers intercept communication between a user and a DNS server and provide different destination IP addresses pointing to malicious sites.
Internal MISP references
UUID dea01e07-c348-56ef-b22f-312a64717431, which can be used as a unique global reference for On-path DNS attack in MISP communities and other software using the MISP galaxy.
DoS against the DNS
Multiple systems sending malicious traffic to a target at the same time.
Internal MISP references
UUID 7cbb69c3-1cf1-5219-97e8-c908cdbedde6, which can be used as a unique global reference for DoS against the DNS in MISP communities and other software using the MISP galaxy.
DNS as a vector for DoS
Adversaries may attempt to cause a denial of service by reflecting a high volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Two prominent protocols that have enabled Reflection Amplification Floods are DNS and NTP, though the use of several others in the wild has been documented. These Reflection and Amplification Floods can be directed against components of the DNS, like authoritative nameservers, rendering them unresponsive.
Internal MISP references
UUID 735b95e1-bd17-5375-a318-f5bf5ee014e6, which can be used as a unique global reference for DNS as a vector for DoS in MISP communities and other software using the MISP galaxy.
Dynamic DNS resolution
Dynamic DNS resolution (as an obfuscation technique) - Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.
Internal MISP references
UUID 3664fb70-5179-5004-828a-1d090b78fa7a, which can be used as a unique global reference for Dynamic DNS resolution in MISP communities and other software using the MISP galaxy.
Dynamic DNS resolution: Fast flux
Dynamic DNS resolution: Fast flux (as an obfuscation technique) - Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name with multiple IP addresses assigned to it, which are swapped with high frequency using a combination of round-robin IP addressing and a short Time-To-Live (TTL) for the DNS resource record.
Internal MISP references
UUID 5a99f82a-48c8-5f89-836f-78901e764677, which can be used as a unique global reference for Dynamic DNS resolution: Fast flux in MISP communities and other software using the MISP galaxy.
Infiltration and exfiltration via the DNS
Exfiltration via the DNS requires a delegated domain or, if the domain does not exist in the public DNS, the operation of a resolver preloaded with that domain's zone file information and configured to receive and respond to the queries sent by the compromised devices.
Internal MISP references
UUID 9e98500e-4a22-578a-9839-69c169079a68, which can be used as a unique global reference for Infiltration and exfiltration via the DNS in MISP communities and other software using the MISP galaxy.
Malicious registration of (effective) second level domains
Before attacking a victim, adversaries purchase or register domains from an ICANN-accredited registrar that can be used during targeting. See also CAPEC-630.
Internal MISP references
UUID a53e05a5-0931-5975-b16a-2434a0f2356a, which can be used as a unique global reference for Malicious registration of (effective) second level domains in MISP communities and other software using the MISP galaxy.
Creation of malicious subdomains under dynamic DNS providers
Before attacking a victim, adversaries purchase or create domains from an entity other than a registrar or registry that provides subdomains under domains they own and control. S
Internal MISP references
UUID ed6477e2-426f-5c55-a740-0b6ba4547b77, which can be used as a unique global reference for Creation of malicious subdomains under dynamic DNS providers in MISP communities and other software using the MISP galaxy.
Compromise of a non-DNS server to conduct abuse
Internet attack infrastructure is a broad category, and this covers any non-DNS server. Many compromised servers, such as web servers or mail servers, interact with the DNS or may be instrumental in conducting DNS abuse. For example, compromised mail servers are one technique that may be used to send phishing emails.
Internal MISP references
UUID e4115a11-6975-57f9-aa27-89351e18a402, which can be used as a unique global reference for Compromise of a non-DNS server to conduct abuse in MISP communities and other software using the MISP galaxy.
Spoofing or otherwise using unregistered domain names
In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is not controlled by or registered to a legitimate registrant.
Internal MISP references
UUID bc197790-2b89-56e7-b019-871bdc36323a, which can be used as a unique global reference for Spoofing or otherwise using unregistered domain names in MISP communities and other software using the MISP galaxy.
Spoofing of a registered domain
In a context where a domain name is expected (such as the From header in mail or a URL in a web page or message body), supplying a domain name not controlled by the attacker and that is in fact controlled by or registered to a legitimate registrant.
Internal MISP references
UUID 88d804bc-f3e0-5b33-9c07-d05dfb1806df, which can be used as a unique global reference for Spoofing of a registered domain in MISP communities and other software using the MISP galaxy.
DNS tunneling
DNS tunneling - tunneling another protocol over DNS - The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal expected traffic.
Internal MISP references
UUID b1b60f03-a603-506f-870b-7ea4da0cbeaa, which can be used as a unique global reference for DNS tunneling in MISP communities and other software using the MISP galaxy.
DNS beacons - C2 communication
DNS beacons - C2 communication - Successive or periodic DNS queries to a command & control server, either to exfiltrate data or await further commands from the C2.
Internal MISP references
UUID 23f785fa-902f-563a-959f-67d2053cb25a, which can be used as a unique global reference for DNS beacons - C2 communication in MISP communities and other software using the MISP galaxy.