Slashdot Mirror


Network Attacks Via DNS

Iphtashu Fitz writes "Without DNS the internet wouldn't be all that useful. Despite being a ubiquitous part of the internet, it is overlooked by many as a potential security hole. At this weekend's Defcon 12 conference in Las Vegas, security researcher Dan Kaminsky warned that DNS can open up seemingly secure networks to attack. Because most firewalls and other security devices treat DNS requests as harmless, it provides an excellent conduit for transferring covert data in and out of otherwise protected systems. At Defcon, Kaminsky demonstrated some software that allows a server to act as a communications hub using DNS. This let him transmit instant messages and even audio streams over an encrypted connection carried by spoofed DNS requests."

"Because the data looked like typical DNS traffic, it wouldn't be detected or logged by firewalls or intrusion detection systems. He also pointed out that monitoring DNS could help in other unrelated ways: because the recent MSBlast worm did lookups on windowsupdate.com, infected machines could have been detected by simply monitoring DNS server logs."

10 of 147 comments

  1. This is why.... by Cylix · · Score: 2, Insightful

    I've set control lists for DNS for a long long time.

    After the IP over DNS tunnel came out... it was actually a bit necessary. Our staff would do anything to get out of doing work...

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
  2. Suspicious? by timgoh0 · · Score: 3, Insightful

    Wouldn't large amounts of DNS traffic look suspicious? Especially if they originated from one machine.

  3. Irrelevant^2 by warrax_666 · · Score: 4, Insightful

    The $500 security guarantee is utterly irrelevant. (Btw: Who gets to judge what is a security problem? That's right, DJB himself. If that doesn't tell you something, then you're not the sharpest tool in the shed).

    The $500 corresponds to less than 50 hours at $10 an hour (being extremely generous with the hourly wages here, in favour of the "guarantee"). Do you think anyone can audit the djbdns source code -- even ignoring the fact that it's largely uncommented and messy (#define, what's that?) -- in 50 hours? No, I didn't think so.

    BIND is open source, but that doesn't make it safe and secure. It's probably more insecure just because of that.

    BIND may be Open Source (note capitalization) while djbdns isn't. That doesn't mean you can't get source for djbdns. In fact it's probably easier to get source than binaries for djbdns because of the unbelievably stupid djbdns license.

    So they are both equally "insecure" from that perspective.
    --
    HAND.
  4. Cheating Wireless networks by technothrasher · · Score: 5, Insightful

    I've noticed in the past that many of the public wireless networks that want you to pay to use allow DNS traffic to flow even before you've paid. I've often thought that you could use that to build a tunnel and not have to pay for service.

    Mind you, I've never done it because it would be kind of rotten, but it did cross my mind.

  5. AGH Colour by Anonymous Coward · · Score: 0, Insightful

    This colour hurts my eyes.

  6. Re:90% of the internet is vulnerable ... by Korth · · Score: 2, Insightful

    Take a look at PowerDNS
    http://www.powerdns.com/products/powerdns/

  7. Re:90% of the internet is vulnerable ... by johnnyb · · Score: 3, Insightful

    "Now, if he doesn't like your patch, you can post the patch on the internet. You can even put it alongside the source. You can even make an autopatch program that will patch djbdns during make so that dumb users can handle the process"

    Can you make binaries of your new program and distribute them? If not, I can't see how you call this open-source. It cuts off all of the distributors from carrying patched versions that work with their own distribution, instead of whatever way that djb wants.

  8. Harmless? by jjeffrey · · Score: 5, Insightful

    I don't think that networks allow DNS because it is harmless, but because it is necessary, that's an important distinction.

  9. Covert communication over DNS tunnels by Timbo · · Score: 2, Insightful

    There was an old Slashdot story eons ago about people using DNS tunnels to abuse the free dial-up lines used for setting up a dial-up ISP account. Covert comms over DNS is nothing new, but oddly it doesn't seem to have ever caught on.

  10. Doesn't work that way by Fished · · Score: 2, Insightful

    The packets in question are (or at least could be) well formed.

    Imagine that I own ISpy.com, and a user does a lookup on "user.jsmith.passwd.12345.ispy.com". Your server, in the middle, will forward that request to the NS for ispy.com more or less unchanged. And it doesn't have to be this obvious - it would certainly be easy enough to come up with some form of steganography appropriate to use in DNS.

    Not that proxies are a bad idea, but in this case proxies will not prevent the attack. Mostly, they'll just give you the ability to log the attack easily.

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1