Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
6/1/2017
11:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

DNS Is Still the Achilles’ Heel of the Internet

Domain Name Services is too important to do without, so we better make sure it's reliable and incorruptible

Domain Name Services (DNS) is too important to do without, but it’s difficult to defend. This makes DNS services an excellent target for attack. Taking out an organization’s DNS service renders it unreachable to the rest of the world except by IP address. If  "f5.com" failed to be published online, every single Internet site and service we ran would be invisible. This means web servers, VPNs, mail services—everything.

Even worse, if hackers could change the DNS records, they could then redirect everyone to sites they controlled. Since DNS is built upon cooperation between millions of servers and clients over insecure and unreliable protocols, it is uniquely vulnerable to disruption, subversion, and hijacking. Here’s a quick rundown of the known major DNS attacks.

Denial of Service
Denial-of-service attacks are not limited to DNS, but taking out DNS decapitates an organization. Why bother flooding thousands of web sites when killing a single service does it all for you? The most famous DoS attack against DNS are the recent Dyn DDoS attacks which exceeded 40 gigabytes of noise blared at their DNS services. Dyn was running DNS services for many major organizations, so when they were drowned by a flood of illegitmate packets, so were companies like Amazon, Reddit, FiveThirtyEight, and Visa.

DNS can also be subverted for use as a denial-of-service weapon against other sites by way of DNS Amplification/Reflection. This works because DNS almost always returns a larger set of data than what it was queried. Since DNS runs over UDP, it’s a simple matter for attackers to craft fake packets spoofing a query source, so if they can fake thousands of queries from the victim’s IP address whose amplified responses will overwhelm the victim.

A DNS amplification attack floods the victim's server with a tsunami of fake requests. 
Image Source: F5
A DNS amplification attack floods the victim’s server with a tsunami of fake requests.
Image Source: F5

DNS Hijacking
Who owns what domain name, and what DNS servers are designated to answer queries are both managed by Domain Registrars. These are commercial services, such as GoDaddy, eNom, and Network Solutions Inc., where there are registered accounts controlling pointers to DNS servers. If attackers can hack those accounts, they can repoint a domain to a DNS server they control. This is how a Brazilian Internet banking site was completely taken over for hours.

DNS Server Vulnerabilities
Because DNS services are software, they can contain bugs that attackers can exploit. Luckily, DNS is old (so we’ve had time to find most of the bugs) and simple (so bugs are easy to spot), but problems have cropped up. In 2015, there was a rather significant hole found in BIND, an open-source DNS server running much of the Internet. Called CVE-2015-5477 (no cute name, thank you), BIND allowed an attacker to crash a DNS server with a single crafted query.

Another software vulnerability in DNS servers is the recursive DNS spoof cache poisoning technique, which means that an attacker can temporarily change DNS database entries by issuing specifically crafted queries.

Unauthorized DNS Changes
If you’ve got a server, someone must manage it. That means that you are dependent on how strongly you are authenticating the admins to that server, as well as ensuring the trustworthiness and competence of those admins. Because of the nature of DNS records, changes to DNS are cached by query clients; bad entries can sometimes take hours or days to unwind across the Internet.

DNS Data Leakage
You can’t run an unauthenticated Internet database full of important information without the occasional risk of leaking out something important. Attackers will query DNS servers looking for interesting Internet services that may not be widely known. DNS records can also aid phishing expeditions by using known server names in their phony baloney emails.

Many organizations run DNS on the inside of the network, advertising local resources for workstations. Some smaller organizations run split-horizon DNS servers that both DNS services to the world, as well as the inside network. A wrong configuration on that DNS server can lead to some devastating DNS data leakages as internal names and addresses are shared with attackers.

DNS Man-in-the-Middle
The easily spoofed protocol UDP that DNS uses is a weak link. An attacker inline between the victim and the DNS server they’re querying can intercept and monkey with DNS queries. It’s a pretty easy attack to pull off if you’re on the same wire or wireless as the victim or DNS server. An F5 researcher found a way to use it to steal Microsoft Outlook credentials. So, it’s an attack that shouldn’t be taken lightly.

Bottom line: We are stuck with DNS, so better make sure it’s reliable and incorruptible. The future of the Internet depends on it.

Get the latest application threat intelligence from F5 Labs.

 

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Google Lets iPhone Users Turn Device into Security Key
Kelly Sheridan, Staff Editor, Dark Reading,  1/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-16270
PUBLISHED: 2020-01-22
Samsung Galaxy Gear series before build RE2 includes the hcidump utility with no privilege or permission restriction. This allows an unprivileged process to dump Bluetooth HCI packets to an arbitrary file path.
CVE-2018-16271
PUBLISHED: 2020-01-22
The wemail_consumer_service (from the built-in application wemail) in Samsung Galaxy Gear series allows an unprivileged process to manipulate a user's mailbox, due to improper D-Bus security policy configurations. An arbitrary email can also be sent from the mailbox via the paired smartphone. This a...
CVE-2018-16272
PUBLISHED: 2020-01-22
The wpa_supplicant system service in Samsung Galaxy Gear series allows an unprivileged process to fully control the Wi-Fi interface, due to the lack of its D-Bus security policy configurations. This affects Tizen-based firmwares including Samsung Galaxy Gear series before build RE2.
CVE-2019-10780
PUBLISHED: 2020-01-22
BibTeX-ruby before 5.1.0 allows shell command injection due to unsanitized user input being passed directly to the built-in Ruby Kernel.open method through BibTeX.open.
CVE-2019-10781
PUBLISHED: 2020-01-22
In schema-inspector before 1.6.9, a maliciously crafted JavaScript object can bypass the `sanitize()` and the `validate()` function used within schema-inspector.