The Domain Name System (DNS) is a distributed directory that resolves human-readable hostnames, such as www.dyn.com, into machine-readable IP addresses like 220.127.116.11. It is also a directory of other crucial information about domain names, such as mail servers (MX records), email-sending verification records (SPF, DKIM, DMARC), SSH host key fingerprints (SSHFP records), and TXT records used to verify domain ownership.
DNS is thus like a phone book for the internet. If you know a person's name but not their telephone number, you can look it up in a phone book; DNS provides the same service for the internet. If you can ping a site and it is live, but you cannot connect to it with your browser, you may be experiencing a DNS problem. Take the following steps if you suspect a DNS problem:
Check your DNS settings
Ensure that your DNS settings are correct for your network or ISP. If you entered them incorrectly, find out from your ISP or network administrator exactly what the settings should be, or use the server addresses published by another DNS service. Afterwards, verify that you have entered the DNS settings correctly.
Examine if your ISP is having DNS problems
Your ISP could be the source of the DNS problem. One possibility is that one of its DNS servers is down and your machine is querying that server. If you know the addresses of the DNS servers, ping each of your ISP's DNS servers, and remove any that do not respond from your DNS list. If you do not know the addresses because you use the "Obtain DNS server address automatically" setting, call your ISP to ask whether its DNS servers are having problems. Alternatively, you can use the OpenDNS servers instead of your ISP's DNS servers.
Flush your DNS cache
The problem could be caused by stale entries in your DNS cache, so flush it. On Windows, type ipconfig /flushdns at a command prompt to flush the cache.
Check your HOSTS file
If your HOSTS file contains an outdated or incorrect entry, you will not be able to connect. Even if you don't recall adding entries to the HOSTS file, it may still contain some, because some Internet accelerator utilities edit it without your knowledge. Open your HOSTS file with Notepad and check whether the site you cannot reach is listed there. If it is, delete the entry, after which you should be able to connect.
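As an added example (not code from the original article), the following Python script automates two of the checks above: it lists any HOSTS-file entries that pin a hostname to an address, and it probes a resolver with a single raw DNS query so that a server that does not answer (or answers with the wrong transaction ID) can be identified and removed from your list. The HOSTS content and the 192.0.2.53 resolver address are constructed placeholders.

```python
import random
import socket
import struct

# Constructed sample HOSTS file; the last entry mimics one an "accelerator" utility added.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.example.com example.com
"""

def hosts_overrides(hosts_text, hostname):
    """Return the addresses the HOSTS file pins for hostname (case-insensitive)."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if hostname.lower() in (n.lower() for n in names):
            hits.append(addr)
    return hits

def build_query(hostname, txid):
    """Build a minimal DNS A-record query in RFC 1035 wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe_resolver(server, hostname="www.example.com", timeout=2.0):
    """Send one query to server:53 and return (answered, rcode). A server that never
    answers, or answers with the wrong transaction ID, counts as not responding."""
    txid = random.randrange(0, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(hostname, txid), (server, 53))
            data, _ = sock.recvfrom(512)
        except OSError:                  # timeout or network unreachable
            return False, None
    reply_id, flags = struct.unpack(">HH", data[:4])
    if reply_id != txid:
        return False, None
    return True, flags & 0x000F          # RCODE: 0 = NOERROR, 3 = NXDOMAIN

if __name__ == "__main__":
    print("HOSTS overrides:", hosts_overrides(SAMPLE_HOSTS, "www.example.com"))
    print("192.0.2.53 (placeholder resolver):", probe_resolver("192.0.2.53"))
```

Run it against your real HOSTS file contents and each configured resolver address; a resolver that returns (False, None) is a candidate for removal.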
Why is DNS Security Important?
Standard DNS queries, which precede almost all web traffic, create opportunities for DNS exploits such as man-in-the-middle attacks and DNS hijacking. These attacks can redirect a website's inbound traffic to a fake copy of the site, harvesting sensitive user information and exposing businesses to major liability.
Some common attacks involving DNS include:
Random subdomain attack: The attacker sends DNS queries for many random, non-existent subdomains of one legitimate site. The goal is a denial of service against the domain's authoritative nameserver, making it impossible to look up the website through that nameserver. As a side effect, the ISP serving the attacker can also be affected, because its recursive resolver's cache fills with these malicious requests.
DNS spoofing/cache poisoning: In this type of attack, fake DNS data is introduced into a DNS resolver's cache, causing the resolver to return an incorrect IP address for a domain. Instead of reaching the genuine website, traffic is diverted to a malicious machine or anywhere else the attacker chooses. This is often a replica of the original site used for malicious purposes such as harvesting login credentials or distributing malware.
DNS hijacking: The attacker redirects queries to a different domain name server, either by modifying a DNS server without authorization or by using malware. Although the outcome is similar to that of DNS spoofing, it is considered a different type of attack because it targets the website's DNS record on the nameserver rather than a resolver's cache.
DNS tunneling: This attack uses DNS queries and responses as a carrier for other protocols. Attackers can encapsulate TCP, SSH, or HTTP traffic in DNS queries to pass stolen information or malware, unnoticed by most firewalls.
Phantom domain attack: The attacker sets up a number of 'phantom' domain servers that respond to requests very slowly or not at all. The resolver is then hit with large volumes of requests for these domains and ties up its resources waiting for responses, resulting in slow performance and denial of service.
Domain lock-up attack: Attackers set up special domains and resolvers that establish TCP connections with legitimate resolvers. When the targeted resolvers send requests, these domains respond with slow streams of random packets, tying up the resolver's resources.
Botnet-based CPE attack: This attack uses Customer Premises Equipment (CPE), the hardware that service providers supply to their customers, such as routers, cable boxes and modems. Attackers compromise the CPE devices, which then become part of a botnet used to execute random subdomain attacks against one domain or site.
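As an added example (not part of the original article or of cWatch), the following Python script applies two simple detection heuristics drawn from the descriptions above to constructed resolver log lines: a burst of distinct NXDOMAIN answers under one zone from one client (random subdomain attack) and an unusually long or high-entropy subdomain label (DNS tunneling). The log format, the "last two labels" notion of a zone, and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log lines "client qname qtype rcode"; not real traffic.
SAMPLE_LOG = """\
198.51.100.7 www.example.com A NOERROR
198.51.100.7 mail.example.com MX NOERROR
203.0.113.9 k3j9x2.example.com A NXDOMAIN
203.0.113.9 q8zp1r.example.com A NXDOMAIN
203.0.113.9 mm2c7v.example.com A NXDOMAIN
203.0.113.9 z0a1bq.example.com A NXDOMAIN
203.0.113.9 w5nn8d.example.com A NXDOMAIN
198.51.100.7 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.c2VjcmV0.tunnel.example.net TXT NOERROR
"""

def shannon_entropy(s):
    """Bits per character of s; random or base64-like labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parse(log_text):
    """Yield (client, qname, labels, zone, rcode); zone is crudely the last two labels."""
    for line in log_text.splitlines():
        client, qname, _qtype, rcode = line.split()
        labels = qname.rstrip(".").split(".")
        zone = ".".join(l.lower() for l in labels[-2:])
        yield client, qname, labels, zone, rcode

def find_alerts(log_text, nx_threshold=5, long_label=40, entropy_min=3.5):
    """Return (kind, client, subject) alerts for the two patterns described above."""
    alerts = []
    nxdomains = defaultdict(set)                  # (client, zone) -> distinct NXDOMAIN names
    for client, qname, labels, zone, rcode in parse(log_text):
        if rcode == "NXDOMAIN":
            nxdomains[(client, zone)].add(qname)
        # Tunneling heuristic: a subdomain label that is very long, or long and high-entropy
        longest = max(labels[:-2], key=len, default="")
        if len(longest) >= long_label or (len(longest) >= 12 and shannon_entropy(longest) >= entropy_min):
            alerts.append(("possible_tunneling", client, qname))
    for (client, zone), names in nxdomains.items():
        if len(names) >= nx_threshold:            # many distinct non-existent subdomains
            alerts.append(("random_subdomain_flood", client, zone))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

In production the thresholds need tuning per resolver, since CDNs and some legitimate services also use long, random-looking labels.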
Why Is cWatch Web the Best Way to Protect Against DNS-Based Attacks?
cWatch Web is a Managed Security Service (MSS) developed by Comodo to provide website owners with comprehensive web security services. Comodo's centrally managed Security Information and Event Management (SIEM) system is hosted inside both the Content Delivery Network (CDN) and the Authoritative DNS in order to observe traffic and provide complete visibility. The SIEM delivers early detection of threats and breaches, compliance reporting, log management, and rapid incident response. It draws on threat intelligence data from Comodo's 85 million global endpoints and over 100 million validated domains to detect risks before they materialize. The SIEM is thus considered the brain of the cWatch web security stack, as it also sends alerts to the Cyber Security Operations Center (CSOC) team so they can detect and mitigate threats for a customer before they occur and respond faster to attacks.
Comodo cWatch Web is thus the only solution available that offers a complete web security stack, going beyond a managed CDN and DNS. This web security tool combines the following features in a single solution:
- Secure Content Delivery Network (CDN): A global system of distributed servers to boost the performance of web applications and websites.
- Security Information and Event Management (SIEM): Advanced intelligence that can leverage existing events and data from 85M+ endpoints and 100M+ domains.
- Web Application Firewall (WAF): Powerful, real-time edge protection for websites and web applications providing advanced security, filtering, and intrusion protection.
- PCI Scanning: This scanning process allows merchants and service providers to stay compliant with the Payment Card Industry Data Security Standard (PCI DSS).
- Malware Monitoring and Remediation: Detects malware, provides the methods and tools to remove it, and prevents future malware attacks.
- Cyber Security Operations Center (CSOC): A team of always-on certified cybersecurity professionals providing round-the-clock surveillance and remediation services.