Number of Rogue DNS Servers Increasing

By robertm2 at 3:41 pm on February 15, 2008 | 1 Comment

Researchers from Google and the Georgia Institute of Technology have published a paper indicating the increasing number of attacks from the use of rogue DNS servers (the paper estimates that there are currently about 68,000 of these servers). For those that are unfamiliar with DNS, it is an important element to the workings of the Internet(s). DNS servers, short for Domain Name System servers, are used to look up the IP addresses of servers that correspond to the desired domain names (i.e. www.google.com). Although the actual details are a bit more complicated, essentially, when a user types a domain into his/her browser (and as long as the domain’s IP address wasn’t already cached), the user’s machine sends a request to the DNS server for the domain’s IP address so that it can then send requests to this IP address, which would then usually send back the contents of the webpage. So it’s essentially a huge table of domain names and their corresponding server IP addresses.

The addresses of the DNS servers are pre-configured on the users’ computers. So if a malicious hacker can gain access to this configuration, they can change it to point to their own fake DNS server. A rogue DNS server can then give out incorrect IP addresses that point to the hacker’s own malicious websites. The hackers can then use spoofed web pages (phishing) to try to steal personal information like usernames and passwords. An interesting note is that the rogue DNS servers sometimes work correctly and only send fake IP addresses some of the time, making it harder for users to determine if they are affected. Users can detect if their DNS server settings have been overwritten by running a virus scan, and unless the infrastructure of the Internet is changed, it seems like this is the only defense people have against this attack. Original article can be found here
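The two symptoms described above, a resolver address that was overwritten and answers that are only sometimes wrong, can both be checked from the client side. The script below is an added example, not code from the post or the paper it cites: it parses resolv.conf-style text for the configured nameservers, flags any that are not on an allowlist, and compares several lookups against answers from a trusted reference resolver so that an intermittently lying server is still caught. The allowlist, the resolv.conf text, and all DNS answers are constructed sample data; a real deployment would feed in the host's actual configuration and live lookups.

```python
"""Client-side checks for a tampered resolver configuration and for
spoofed answers. Added example; all sample data below is constructed."""
import ipaddress

# Hypothetical organisation allowlist of resolver addresses (constructed).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed sample of a tampered /etc/resolv.conf: one legitimate
# resolver plus an unknown one that an attacker added.
RESOLV_CONF_SAMPLE = """# generated by network manager
search corp.example
nameserver 10.0.0.53
nameserver 203.0.113.7
options timeout:2
"""

# Answers from a trusted reference resolver (constructed).
REFERENCE_ANSWERS = {
    "www.example": {"192.0.2.10"},
    "mail.example": {"192.0.2.25"},
}

# Three lookups of the same names through the configured resolver, taken
# at different times (constructed). Only the second sample is spoofed,
# mimicking a rogue server that answers honestly most of the time.
CONFIGURED_SAMPLES = [
    {"www.example": {"192.0.2.10"}, "mail.example": {"192.0.2.25"}},
    {"www.example": {"198.51.100.9"}, "mail.example": {"192.0.2.25"}},
    {"www.example": {"192.0.2.10"}, "mail.example": {"192.0.2.25"}},
]


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf-style text,
    ignoring comments, blank lines, other directives and malformed IPs."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not a valid address; skip rather than crash
    return servers


def untrusted_resolvers(servers, trusted=TRUSTED_RESOLVERS):
    """Resolvers present in the configuration but absent from the allowlist."""
    return [s for s in servers if s not in trusted]


def find_intermittent_spoofing(samples, reference):
    """Flag every name whose answer disagreed with the reference in ANY
    sample. Checking a single lookup is not enough, because a rogue
    resolver may return the correct address most of the time."""
    report = {}
    for name, ref_ips in reference.items():
        bad = [s.get(name, set()) for s in samples if s.get(name, set()) != ref_ips]
        if bad:
            unexpected = sorted(set().union(*bad) - ref_ips)
            report[name] = {
                "reference": sorted(ref_ips),
                "unexpected": unexpected,
                "bad_samples": len(bad),
                "total_samples": len(samples),
            }
    return report


if __name__ == "__main__":
    configured = parse_resolv_conf(RESOLV_CONF_SAMPLE)
    print("configured resolvers:", configured)
    print("not on allowlist:", untrusted_resolvers(configured))
    for name, info in find_intermittent_spoofing(CONFIGURED_SAMPLES, REFERENCE_ANSWERS).items():
        print(f"{name}: {info['bad_samples']}/{info['total_samples']} lookups "
              f"returned {info['unexpected']} instead of {info['reference']}")
```

Comparing against a reference resolver is only as good as the reference: it should be reached over a path the attacker cannot rewrite, and the sampling must be repeated over time, which is why the check above keeps a count of bad samples rather than a single yes/no answer.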

Filed under: Current Events

1 Comment


    Comment by Robert

    February 15, 2008 @ 11:22 pm

    There are many interesting DNS attacks that can be utilized by adversaries. Many companies fail to realize the importance of a properly secured DNS system. Since a lot of companies have their own DNS servers that serve their clients’ requests, an improperly secured system can allow an adversary to create a new root zone (.) on their DNS servers and then create nested zones like com, net, etc. Through this they can spoof addresses for every client behind that DNS server or simply just perform a DoS on client lookups.

    Adversaries can also request zone transfers from improperly secured servers and learn a lot about the internal setup of a corporate network including server names and IP addresses.

    It is important for ISPs and companies to secure their DNS systems because although DNS serves a simple purpose, it can be an easy target for adversaries. Simple solutions like secured zone transfers and split DNS configurations are easy to implement and can be very effective at stopping these kinds of attacks.
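The two controls named in the comment above, restricted zone transfers and split DNS, look like this in BIND 9's named.conf. This is an added illustration, not configuration from the post or its commenter: the network ranges, file names, zone name and secondary addresses are invented, and the TSIG secret is a placeholder to be replaced with a freshly generated key.

```conf
// Added example of a split-DNS named.conf (not from the original post).
// Transfers are refused by default and only allowed to the named
// secondaries when they sign the request with a shared TSIG key.

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, generate your own
};

acl "secondaries" { 192.0.2.2; 192.0.2.3; };   // constructed addresses
acl "internal-nets" { 10.0.0.0/8; 127.0.0.1; };

options {
    directory "/var/named";
    allow-transfer { none; };          // nobody may AXFR unless a zone says so
    allow-recursion { internal-nets; };  // only internal clients get recursion
};

// Internal clients see the full zone, including private hostnames.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;
    zone "corp.example" {
        type master;                   // "primary" in BIND 9.16 and later
        file "internal/corp.example.zone";
        allow-transfer { key "xfer-key"; };
    };
};

// Everyone else sees a separate, minimal zone and gets no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    zone "corp.example" {
        type master;
        file "external/corp.example.zone";
        allow-transfer { key "xfer-key"; };
    };
};
```

With `allow-transfer { none; }` set globally, an unauthenticated AXFR request against either view is refused, so the internal host list the comment mentions is never handed out; the external view's zone file should contain only the records that must be public.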
