Network Attacks Via DNS
Iphtashu Fitz writes "Without DNS the internet wouldn't be all that useful. Despite being a ubiquitous part of the internet it is overlooked by many as a potential security hole. At this weekend's Defcon 12 conference in Las Vegas, security researcher Dan Kaminsky warned that DNS can open up seemingly secure networks to attack. Because most firewalls and other security devices treat DNS requests as harmless it provides an excellent conduit for transferring covert data in and out of otherwise protected systems. At Defcon, Kaminsky demonstrated some software that allows a server to act as a communications hub using DNS. This let him transmit instant messages and even audio streams over an encrypted connection carried by spoofed DNS requests."
"Because the data looked like typical DNS traffic it wouldn't be detected or logged by firewalls or intrusion detection systems. He also pointed out that monitoring DNS could help in other unrelated ways: because the recent MSBlast worm did lookups on windowsupdate.com infected machines could have been detected by simply monitoring DNS server logs."
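Added example, not part of the original story or any comment: a minimal sketch of the DNS log monitoring the summary mentions, covering both a watchlist hit (the story's windowsupdate.com case) and tunnel-like query patterns. The log format (`<client> <queried-name>`), the thresholds, and the sample data are assumptions constructed for illustration.

```python
import base64, hashlib, math
from collections import Counter, defaultdict

WATCHLIST = {"windowsupdate.com"}  # name taken from the story's MSBlast example
MIN_LABEL_LEN = 24   # assumed: encoded payload labels tend to be long
MIN_ENTROPY = 3.5    # assumed: bits per character for encoded-looking labels
MIN_UNIQUE = 20      # assumed: distinct such names per client and parent domain

def entropy(s):
    """Shannon entropy of a string, in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_domain(name):
    # Naive: last two labels. Production use needs the Public Suffix List.
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def analyze(lines):
    """Return {client: set of findings} from '<client> <qname>' log lines."""
    findings = defaultdict(set)
    suspicious = defaultdict(set)  # (client, parent) -> encoded-looking names
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts[0], parts[1].rstrip(".").lower()
        parent = parent_domain(qname)
        if parent in WATCHLIST:
            findings[client].add(f"watchlist:{parent}")
        first = qname.split(".")[0]
        if len(first) >= MIN_LABEL_LEN and entropy(first) >= MIN_ENTROPY:
            suspicious[(client, parent)].add(qname)
    # Many distinct long, high-entropy names under one domain suggest tunneling.
    for (client, parent), names in suspicious.items():
        if len(names) >= MIN_UNIQUE:
            findings[client].add(f"tunnel-like:{parent}")
    return dict(findings)

def sample_log():
    """Constructed sample data: two ordinary clients and one tunnel-like client."""
    lines = ["10.0.0.5 www.example.com", "10.0.0.5 mail.example.com",
             "10.0.0.7 windowsupdate.com"]
    for i in range(30):
        chunk = base64.b32encode(hashlib.sha256(str(i).encode()).digest()[:20])
        lines.append(f"10.0.0.9 {chunk.decode().lower()}.t.example.net")
    return lines

if __name__ == "__main__":
    for client, why in sorted(analyze(sample_log()).items()):
        print(client, sorted(why))
```

The per-domain count matters more than any single name: one long random-looking label is common for CDNs, while a steady stream of distinct ones under a single domain is not.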
to something called DNS poison. Why? Because system administrators are anal and fail to realize that software like BIND is not written to be secure. Hell, DNS was not even designed for such a large internet. The original DNS implementors were bad programmers and designers.
BIND9... don't get your hopes up. The BIND company sells patches for their software. Meaning that if you don't pay them money then you're going to be running an erroneous DNS server.
Still most people use BIND for two reasons: 1) no one wants to learn the crusty details of DNS and 2) Linux comes with BIND as its default name library.
Alternatives like djbdns should be used.
They may have used spoofed DNS packets just to bypass a firewall, but information can also be tunneled in real DNS packets, so even if you only allow DNS to/from certain servers, you're still not safe from this leak.
Yup, and that's not the half of it. With the extensions being duct-taped onto the existing spec it makes it easier and easier to do this. I've seen some hacks to allow all sorts of arbitrary information to live on the servers, some relayed automatically because of the extensions, some used to modify how mail servers respond, some even for routing. It's nothing new (remember transferring data via ICMP ECHO?) but it's on a new level now.
KL
You are right, I know people who do that when they travel through international airports. It doesn't work that fast (something like a 36k modem), but it is free. AFAIK you do need a domain and a DNS server you control yourself.
This is one lame signature, please read the message above instead.
Note that LDAP is fully capable of doing host name resolution, there's even an RFC for it (AFAIK the one that specifies how to store POSIX user info also specifies how to store host names).
And in fact, DNS can be used for user details via Hesiod.
Both LDAP and DNS are hierarchical federated database systems. Personally, I find current LDAP implementations to be more manageable, better designed, and generally nicer (can set very fine grained permissions) than current DNS implementations. A name system based on LDAP rather than DNS would be fully feasible and IMHO as or more globally scalable.
But we must distinguish between DNS-the-protocol and DNS-the-implementations - It would be possible to have the same piece of software answer both DNS and LDAP queries from the same database. Hey, hello Microsoft Active Directory! But MAD is nasty for other reasons - so where are the Open Source projects to provide a slapd plugin for DNS protocol lookup to openldap databases? It should actually be pretty simple, maybe it's so simple no-one is interested in hacking on it....
Thought of this almost two years ago. Run OpenVPN over UDP port 53. I figure a fair number of firewalls may not analyse UDP DNS traffic to see if it actually is UDP DNS traffic. Haven't had a chance to try it out though.
Thinking big picture, you realise that once opportunistic IPsec becomes available, and with IPv6 it will be, any device in the network trying to interpret traffic, such as firewalls and proxy servers, will become just about useless.
The Internet's nature is peer to peer - 20050301_cs_profs.pdf