Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Attacks Via DNS

Posted by timothy on from the operator-please dept.

Iphtashu Fitz writes "Without DNS the internet wouldn't be all that useful. Despite being a ubiquitous part of the internet it is overlooked by many as a potential security hole. At this weekends Defcon 12 conference in Las Vegas, security researcher Dan Kaminsky warned that DNS can open up seemingly secure networks to attack. Because most firewalls and other security devices treat DNS requests as harmless it provides an excellent conduit for transferring covert data in and out of otherwise protected systems. At Defcon, Kaminsky demonstrated some software that allows a server to act as a communications hub using DNS. This let him transmit instant messages and even audio streams over an encrypted connection carried by spoofed DNS requests."

"Because the data looked like typical DNS traffic it wouldn't be detected or logged by firewalls or intrusion detection systems. He also pointed out that monitoring DNS could help in other unrelated ways: because the recent MSBlast worm did lookups on windowsupdate.com infected machines could have been detected by simply monitoring DNS server logs."

3 of 147 comments (clear)

  1. Old news by fred87 · · Score: 5, Informative

    nessus has been pointing this out as a security hole in it's scan results for at least 3 months now...

  2. Re:TCP or UDP by Anonymous Coward · · Score: 5, Informative

    An interesting property of DNS is that there are servers all over the net which will happily relay your message. Even if your only connection to the net is through application level proxies, you probably have a local DNS resolver. That's all you need. No packet has to traverse the firewall directly.

    They may have used spoofed DNS packets just to bypass a firewall, but information can also be tunneled in real DNS packets, so even if you only allow DNS to/from certain servers, you're still not safe from this leak.

  3. That's why you use proxies! by wowbagger · · Score: 5, Informative

    That is why any GOOD sysadmin will set up the system so that there is a single DNS server for the plant, and that server and that server alone is allowed to send and receive DNS packets to the greater Internet - all other machines are to use the local DNS server.

    Not only does this GREATLY reduce the amount of DNS traffic a shop produces (by caching all requests locally) it helps prevent this sort of foolishness by requiring all packets to be well formed DNS packets - else the server drops them.

    Then, you can block any client that makes more than a few requests a second.

    Yes, it is easier to set up a firewall to be very porous to outbound traffic, but it is more secure to deny all direct access, and force clients to run through proxies for the various services.

    --
    www.eFax.com are spammers