DNS is one of the oldest technologies in the modern realities of the Internet. In the era of the appearance of domain names, when people became too lazy to remember the IP addresses to log on to a particular computer, the very text tables with IP address aliases were created. You are asking the DNS server: who is domain.com? And he answered your IP address. But when the Internet began to spread around the world, there were a lot of domains and it turned out to be inconvenient to carry this table with you, a modern implementation of DNS servers appeared.
Modern DNS servers are distributed. They are located in every part of the world and cache data with different types of records. This entry is for mail and this entry is for SIP. The A record will return the IPv4 address familiar to everyone, AAAA – IPv6. Then DNSSEC pulled up. In general, that plate was overgrown with features, but the essence itself remained unchanged.
For example, there is such a request type – AXFR. This is a DNS zone transfer request. It is used to replicate the DNS server, and if the server is configured incorrectly, it can return all used records of a specific domain on that server. Firstly, this misconfigure allows you to find out technical information about the infrastructure of a site, what are the IP addresses and subdomains. This is how the HL2 sources were stolen (maybe that’s why there is no third: D for so long)? And since in the vast majority of cases, DNS works over UDP, it’s easy to spoof the sender.
This is what the virus makers did, requesting from thousands of servers all the data about a domain. As a result of such a request, a large and thick packet is returned in the response, containing detailed information about the network configuration, but it will not go to us, but the specified address. The result is obvious: by sending out a large list of “vulnerable” domains, using small network resources, and forging the return address, the attacker will ensure that responses from thousands of DNS servers will simply bomb the forged IP address.
DNS Rebinding / Anti DNS Pinning
But attacks on clients are not unusual either. One of the attacks allows an attacker to bypass SOP and thereby perform any action in the context of the user’s browser on his behalf. Well, not completely bypass, but use one feature to attack. The name is DNS Rebinding (aka Anti DNS Pinning).