In our previous blog post on Domain Name System (DNS), we introduced you to the basics of DNS, including what it is, how it works, as well as concepts such as DNS caching and DNS record types. In this blog post, we continue exploring DNS further and discuss common DNS issues, troubleshooting steps, security risks, and security considerations for DNS.


This blog post will answer the following questions:

1. What Are Some Common DNS Issues?

2. How Can You Troubleshoot DNS Issues?

3. What Are The Common Security Risks For DNS?

4. How Can You Secure DNS?
   

There are a number of common DNS issues that can arise, the following are the most common ones:

1. DNS Resolution Failure

DNS resolution failure occurs when a DNS server is unable to resolve a domain name to an IP address. This is usually caused by unregistered domains, incorrect DNS configuration, or network connectivity issues.

2. DNS Server Not Responding

The “DNS server not responding” error commonly occurs when the DNS server is down or is not configured correctly. Another cause of this is network connectivity issues.

3. Incorrect DNS Configuration

DNS problems are very often caused by incorrectly configured DNS records. If there are any mistakes in the values and IP addresses of your records, then these will surely cause DNS resolution issues. Additionally, configuration errors in DNS records such as MX, SPF, and DKIM will also prevent the server from receiving and delivering emails.

4. High DNS Latency

DNS latency is a measure of the time taken by data to reach its destination across a network and then back to its source. Latency is measured in milliseconds (ms) and the lower the latency, the better. High DNS latency means high loading times, which means poor user experience.

Network congestion and under-scaling of DNS infrastructure negatively impact latency. The location of DNS servers is another important factor. The farther the server is from the user, the higher the latency.

5. High TTL Values

Time to Live (TTL) is the amount of time that a record cached in a DNS resolver should exist before requesting a new one. TTL is set within each record in the DNS configuration and is measured in seconds.

Typically, high TTL values are set for DNS records, such as MX or TXT, that rarely change. But resources that are frequently updated require a low TTL value. So lower TTL is essential for website and network changes. In such cases, improper TTL settings can lead to high propagation wait times as well as downtimes when moving traffic between servers. 

Understanding how to use TTL effectively is necessary for providing a better user experience as well as maximizing your DNS strategy.

A DNS error essentially means that your device or application is unable to connect to an IP address. As we learned in our previous blog on DNS, it is a network of servers with a hierarchical structure, starting with the recursive resolver and going all the way to the authoritative nameserver.

Troubleshooting a DNS error can be quite complex owing to the number of steps and different factors involved in the domain name resolution process. Nevertheless, like any other technical problem, DNS issues can also be resolved using the following troubleshooting steps:

1. Check for network connectivity

One of the first things in the troubleshooting process is to check if the device has a stable network connection that allows it to communicate with the DNS server. For a detailed step-by-step guide on network connectivity problems, check out our earlier blog: How to Troubleshoot Network Connectivity Problems.

2. Verify DNS settings

Check the DNS settings on the device and ensure that they are correctly configured. Verify that the DNS server IP addresses are correct and the DNS settings have not been changed.

3. Check the TCP/IP settings

The TCP/IP settings establish how your device communicates with other network-connected devices. Changes to these settings can cause DNS errors. To fix errors caused by changes to TCP/IP settings, do the following:

1. Go to Settings, then select Network & Internet 

2. Then click on the name of the network you are connected to

3. Scroll down to find “IP assignment” and “DNS assignment” and ensure that each is set to “Automatic”.

4. Flush your DNS cache

The DNS cache stores networking information of recent visits to web domains. While this is designed to speed up the domain name resolution, the cache can sometimes become corrupted and leads to DNS errors.

To fix this problem, you can clear or flush the cache using the “ipconfig /flushdns”. Entering ipconfig /flushdns in the command prompt forces the DNS cache to be renewed the next time you visit the website. So any inaccurate information in the cache will be cleared and replaced with the most recent and accurate information.

5. Verify DNS Records

You can use the “nslookup” command, which is a handy DNS diagnostics tool, to verify your DNS records. Be sure to check the following three records that are usually the cause of DNS errors:

• A record

You can use the nlookup command followed by the domain name to check the A record (Address record). For example, nslookup www.google.com to see the A record for google.com. From the output displayed on the command prompt, you can verify that the domain is pointing to the right IP address and vice versa.

• CNAME

CNAME (Canonical Name) record is used to point one domain name at another domain name, which will have an A record that points to an IP address. You verify that the domains are pointing to the right places, using the nlookup option for CNAME. For example, in the command prompt, you can type nslookup -type=cname www.google.com to see the record for google.com.

• MX

MX (Mail Exchanger) record specifies the mail servers that handle email for a domain. If users are facing problems sending emails to your domain, you can check the MX record to ensure that it maps to your domain. For example, in the command prompt, you can type nslookup -type=mx www.google.com to see the MX record for google.com.

For more information on nslookup options refer to nslookup syntax.

6. Check the DNS server logs

Sometimes DNS issues may be caused by server hardware or software malfunctions. To identify such issues you can check the server logs for errors.

7. Check with your internet provider or hosting company

If after exhausting all of the steps above, you can still experience DNS issues, reach out to your internet service provider (ISP) or hosting provider for assistance.

DNS is a critical infrastructure component, hence, it is a common target for cyber attacks. The following are some of the most common cyber attacks targeted at DNS:

DNS spoofing is a cyberattack in which DNS records are altered to redirect online traffic to a fake website that resembles the original website the user intended to visit. Once the user lands on the fake website, they are prompted to log in or enter sensitive information that is then stolen by the perpetrator. Often, such malicious websites are also used to install malware on the user’s device.

Although DNS cache poisoning and DNS spoofing are used interchangeably, they are not the same thing. DNS Poisoning is the technique hackers use to compromise and replace DNS data with a malicious redirect.

So, DNS poisoning is the process of inserting false information into a DNS cache, while DNS spoofing is the redirection of traffic to the malicious website via the poisoned cache. In other words, DNS cache poisoning is the process and DNS spoofing is the end goal.

DNS amplification attack is a distributed denial-of-service (DDoS) attack, which takes advantage of the functionality of open DNS resolvers to turn initially small queries into much larger payloads in order to overwhelm a target server or network, making them inaccessible to users. DNS amplification is a type of reflection attack that elicits a response from a DNS resolver to a spoofed IP address.


In this type of attack, the attacker sends out a DNS query (using a forged IP address) to an open DNS resolver. This prompts the resolver to respond back with a DNS response. The attacker’s goal is to overwhelm the victim’s network with the sheer number of DNS responses received in response to the large volume of such fake queries. Botnets can also be used to send and amplify the volume of DNS queries.

DNS tunneling is a technique that is often used to bypass security measures. It involves encoding data of other programs or protocols in DNS queries and responses.

DNS traffic is typically highly trusted and allowed to pass through firewalls. Attackers leverage this fact by using DNS requests to implement a command and control channel for their malware, which is usually implanted on a device within the targeted network.

The attackers use inbound DNS traffic to send commands to the malware and exfiltrate sensitive data or receive responses from the malware via the outbound DNS traffic. 

DNS hijacking or DNS redirection is a type of attack that sabotages the resolution of DNS queries to redirect users to malicious sites. Such attacks are usually achieved using malware that overrides a device's TCP/IP configuration, taking over routers, or intercepting DNS communications.

DNS hijacking is commonly used in sophisticated phishing attacks that take users to fake websites as well as in adware that displays unwanted ads to generate revenue.

The domain name system was not created with security in mind. Consequently, it has several limitations that can be exploited by hackers owing to the advances in technology since the creation of DNS. Moreover, DNS is an integral part of communication over the internet, hence, it is a prime target for cyberattacks.

To help you prevent and mitigate attacks on your DNS, here’s a list of tools and best practices that will get you well on the way to securing your infrastructure involving involve the DNS protocol:

1. Secure DNS With DNSSEC

DNS Security Extensions (DNSSEC) is a set of security extensions that ensures the security and confidentiality of DNS queries and responses. DNSSEC server responses are digitally signed, which can be checked by a DNSSEC resolver to verify if the data that came from a valid server and if it is identical to the data on the authoritative DNS server. DNSSEC is therefore useful in preventing attacks such as DNS cache poisoning.

2. DNS Filtering

DNS filtering is a security measure that blocks malicious websites from loading and filters out malicious content. This gives network administrators control over what the users can access while on the network and helps ensure that the network remains secure.

Since all DNS queries go through a DNS resolver, DNS resolvers can be configured to act as a filter and refuse to resolve queries for certain domains. This can be done by using a blocklist containing known malicious domains or an allow list containing known safe domains. In this way, the DNS resolver can prevent malicious websites used for phishing or malware delivery from loading.

3. DNS Activities Logging

DNS activities logs provide comprehensive details of DNS events. The logs can provide valuable insights into activities such as access or manipulation attempts. By monitoring these logs you can find if there have been any unauthorized access attempts and malicious traffic. So, you can prevent attacks such as cache poisoning and malicious redirects.

4. DNS Updates

Like any other piece of technology, DNS servers and software also need to be kept up-to-date to prevent known vulnerabilities from being exploited.


Implementing the above security measures will help secure your DNS to a large extent. However, DNS security is an ongoing process that needs constant monitoring and maintenance.

Conclusion

DNS is a critical infrastructure component that requires constant monitoring and maintenance for ensuring network performance and good user experience. But more importantly, it needs to be secured against the persistent threat of cyberattacks.

Is your DNS secure and performing efficiently? Is it geared to face the rising threats and changing threat landscape? Click the button below to reach out to us and learn how we can help secure your DNS and your entire network infrastructure.

If you liked the blog, please share it with your friends