Slashdot Mirror


Network Attacks Via DNS

Iphtashu Fitz writes "Without DNS the internet wouldn't be all that useful. Despite being a ubiquitous part of the internet it is overlooked by many as a potential security hole. At this weekend's Defcon 12 conference in Las Vegas, security researcher Dan Kaminsky warned that DNS can open up seemingly secure networks to attack. Because most firewalls and other security devices treat DNS requests as harmless it provides an excellent conduit for transferring covert data in and out of otherwise protected systems. At Defcon, Kaminsky demonstrated some software that allows a server to act as a communications hub using DNS. This let him transmit instant messages and even audio streams over an encrypted connection carried by spoofed DNS requests."

"Because the data looked like typical DNS traffic it wouldn't be detected or logged by firewalls or intrusion detection systems. He also pointed out that monitoring DNS could help in other unrelated ways: because the recent MSBlast worm did lookups on windowsupdate.com infected machines could have been detected by simply monitoring DNS server logs."

39 of 147 comments

  1. TCP or UDP by rf0 · · Score: 2, Interesting

    I have to wonder what protocol they used as DNS does allow for both UDP and TCP (TCP when the message is over 512 bytes IIRC)

    Rus

    1. Re:TCP or UDP by Anonymous Coward · · Score: 5, Informative

      An interesting property of DNS is that there are servers all over the net which will happily relay your message. Even if your only connection to the net is through application level proxies, you probably have a local DNS resolver. That's all you need. No packet has to traverse the firewall directly.

      They may have used spoofed DNS packets just to bypass a firewall, but information can also be tunneled in real DNS packets, so even if you only allow DNS to/from certain servers, you're still not safe from this leak.

    2. Re:TCP or UDP by digitalhermit · · Score: 5, Interesting

      > They may have used spoofed DNS packets just to bypass a firewall, but information can also be tunneled in real DNS packets, so even if you only allow DNS to/from certain servers, you're still not safe from this leak.

      Yup, and that's not the half of it. With the extensions being duct-taped onto the existing spec it makes it easier and easier to do this. I've seen some hacks to allow all sorts of arbitrary information to live on the servers, some relayed automatically because of the extensions, some used to modify how mail servers respond, some even for routing. It's nothing new (remember transferring data via ICMP ECHO?) but it's on a new level now.

      KL

  2. Old news by fred87 · · Score: 5, Informative

    nessus has been pointing this out as a security hole in its scan results for at least 3 months now...

  3. This is supposed to be 'news'? by fw3 · · Score: 4, Informative

    Layering services over dns has been a discussed topic in books / seminars for at least a decade already.

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD

  4. So does this mean by foidulus · · Score: 3, Funny

    That I should change my bookmark to http://66.35.250.150 now?

  5. In other news... by Zorilla · · Score: 3, Funny

    ...Microsoft plans to release a security update to Windows XP which will secure the DNS hack. For all future internet usage, please enter in http://216.239.57.99. It's not a bug, it's a feature.

    --

    It would be cool if it didn't suck.

  6. 90% of the internet is vulnerable ... by after · · Score: 4, Interesting

    to something called DNS poison. Why? Because system administrators are anal and fail to realize that software like BIND is not written to be secure. Hell, DNS was not even designed for such a large internet. The original DNS implementors were bad programmers and designers.

    BIND9... don't get your hopes up. The BIND company sells patches for their software. Meaning that if you don't pay them money then you're going to be running an erroneous DNS server.

    Still most people use BIND for two reasons: 1) no one wants to learn the crusty details of DNS and 2) Linux comes with BIND as its default name library.

    Alternatives like djbdns should be used.

    1. Re:90% of the internet is vulnerable ... by Anonymous Coward · · Score: 3, Interesting

      unfortunately, djbdns is not open-source. Until a true open source alternative to BIND appears, we're stuck with it.

    2. Re:90% of the internet is vulnerable ... by Tony+Hoyle · · Score: 2, Informative

      Bind9 isn't vulnerable to that. Heck, I doubt even bind8 was.. sounds like a pretty lame attack.

    3. Re:90% of the internet is vulnerable ... by shepd · · Score: 4, Informative

      >unfortunately, djbdns is not open-source.

      Incorrect, it is open source.

      It isn't GPL.

      There's a big difference.

      >Until a true open source alternative to BIND appears, we're stuck with it.

      By "true alternative" do you mean it has to be GPLable?

      Get real. djbdns' source is 100% available for you to look at and patch to your heart's content. If you find an error, send a fix to DJB and he'll add it after review. He'll even give you $500 as a reward for your hard work. Find me a GPL program that makes an offer like that.

      Now, if he doesn't like your patch, you can post the patch on the internet. You can even put it alongside the source. You can even make an autopatch program that will patch djbdns during make so that dumb users can handle the process.

      For the disbelievers, here's the source code.

      Here's bernstein's statement about the freedom of his software. Feel free to print it out and sign it if you're insane on the idea he can revoke your license.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC

    4. Re:90% of the internet is vulnerable ... by Dionysus · · Score: 2, Interesting

      > Bind9 isn't vulnerable to that. Heck, I doubt even bind8 was.

      That's not what this securityfocus article says.

      --
      Je ne parle pas francais.

    5. Re:90% of the internet is vulnerable ... by Anonymous Coward · · Score: 2, Informative

      That's what people call "shared source". Open Source requires that you can distribute modifications of the source. Bernstein doesn't allow that, so consequentially djbdns is not Open Source. This may or may not make it less valuable to you, but don't lie about the facts to lure others into misevaluating the situation.

    6. Re:90% of the internet is vulnerable ... by Korth · · Score: 2, Insightful

      Take a look at PowerDNS
      http://www.powerdns.com/products/powerdns/

    7. Re:90% of the internet is vulnerable ... by Anonymous Coward · · Score: 3, Informative

      No doubt you'll be on +5 informative soon for this 15 year old information.

      BIND hasn't been vulnerable to DNS Poisoning since about version 4.8 unless you set it up allowing external updates from 0.0.0.0 (have to be specified as they're not allowed by default).

      And djbdns is about as useful as a condom machine in the vatican for anyone needing more than a dns cache for a LAN.

    8. Re:90% of the internet is vulnerable ... by johnnyb · · Score: 3, Insightful

      "Now, if he doesn't like your patch, you can post the patch on the internet. You can even put it alongside the source. You can even make an autopatch program that will patch djbdns during make so that dumb users can handle the process"

      Can you make binaries of your new program and distribute them? If not, I can't see how you call this open-source. It cuts off all of the distributors from carrying patched versions that work with their own distribution, instead of whatever way that djb wants.

  7. Re:Old news by fred87 · · Score: 3, Informative

    Here's a link:

    http://cgi.nessus.org/plugins/dump.php3?id=11580

  8. helpful by Scythr0x0rs · · Score: 5, Funny

    some good people could break into the nameservers of a large ISP such as AOL and send out spoofed NS records for update.windowsupdate.com or whatever it is and deploy linux to all windows users.

    Warning: this update may require a reboot.

  9. This is why.... by Cylix · · Score: 2, Insightful

    I've set control lists for DNS for a long long time.

    After the IP over DNS tunnel came out... it was actually a bit necessary. Our staff would do anything to get out of doing work...

    --
    "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra

  10. Suspicious? by timgoh0 · · Score: 3, Insightful

    Wouldn't large amounts of DNS traffic look suspicious? Especially if they originated from one machine.

    1. Re:Suspicious? by Anonymous Coward · · Score: 2, Interesting

      I don't think so. I would assume a normal user browsing the net (especially sites with lots of ads) and sending 4-5 emails (without using a relaying proxy) generates quite a bit of DNS traffic.

      I think it may be worth the firewall's while to check if the DNS packets are in the right format - for example if the domain name in the request is ghjj!!&^ then one should frown! I don't know what kind of load this would mean for the firewall, though.

      (I type this even as I recover from the nausea, vomiting and sickness caused by the new colour scheme).

  11. Irrelevant^2 by warrax_666 · · Score: 4, Insightful

    The $500 security guarantee is utterly irrelevant. (Btw: Who gets to judge what is a security problem? That's right, DJB himself. If that doesn't tell you something, then you're not the sharpest tool in the shed).

    The $500 corresponds to less than 50 hours at $10 an hour (being extremely generous with the hourly wages here, in favour of the "guarantee"). Do you think anyone can audit the djbdns source code -- even ignoring the fact that it's largely uncommented and messy (#define, what's that?) -- in 50 hours? No, I didn't think so.

    > BIND is open source, but that doesn't make it safe and secure. It's probably more insecure just because of that.

    BIND may be Open Source (note capitalization) while djbdns isn't. That doesn't mean you can't get source for djbdns. In fact it's probably easier to get source than binaries for djbdns because of the unbelievably stupid djbdns license.

    So they are both equally "insecure" from that perspective.
    --
    HAND.

  12. Cheating Wireless networks by technothrasher · · Score: 5, Insightful

    I've noticed in the past that many of the public wireless networks that want you to pay to use allow DNS traffic to flow even before you've paid. I've often thought that you could use that to build a tunnel and not have to pay for service.

    Mind you, I've never done it because it would be kind of rotten, but it did cross my mind.

    1. Re:Cheating Wireless networks by Neduz · · Score: 3, Interesting

      You are right, I know people who do that when they travel through international airports. It doesn't work that fast (something like a 36k modem), but it is free. AFAIK you do need a domain and a DNS server you control yourself.

      --
      This is one lame signature, please read the message above instead.

  13. Re:Old news by Anonymous Coward · · Score: 3, Informative

    Here's a link:

    http://cgi.nessus.org/plugins/dump.php3?id=11580

    And here's a clickable hyperlink (you may have seen these before):
    http://cgi.nessus.org/plugins/dump.php3?id=11580

    Seriously, it's not that hard! In Slashdot all you have to do is put <URL: at the start and > at the end.

  14. Harmless? by jjeffrey · · Score: 5, Insightful

    I don't think that networks allow DNS because it is harmless, but because it is necessary, that's an important distinction.

  15. That's why you use proxies! by wowbagger · · Score: 5, Informative

    That is why any GOOD sysadmin will set up the system so that there is a single DNS server for the plant, and that server and that server alone is allowed to send and receive DNS packets to the greater Internet - all other machines are to use the local DNS server.

    Not only does this GREATLY reduce the amount of DNS traffic a shop produces (by caching all requests locally) it helps prevent this sort of foolishness by requiring all packets to be well formed DNS packets - else the server drops them.

    Then, you can block any client that makes more than a few requests a second.

    Yes, it is easier to set up a firewall to be very porous to outbound traffic, but it is more secure to deny all direct access, and force clients to run through proxies for the various services.

    1. Re:That's why you use proxies! by Effugas · · Score: 2, Informative

      Yeah, check out the slides. I rather obsessively follow the spec (limit to Base32 my upstream queries, Base64 my downstream TXT records, though I could just as easily use Base32'd CNAME's or MX's).

      The whole point is that DNS is equivalent to every web server proxying, and that this proxy service does have security implications.

      But please, cache stuff locally :-) It makes my radio hack work much much better.

      --Dan
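
A defender-side check along the lines suggested in this thread (frowning at query names that look like encoded payload rather than hostnames, and wowbagger's rule of blocking a client that makes more than a few requests a second), written as an added example that is not code from the thread or from Kaminsky's tool. The log line format, the tunnel.example zone, the client addresses and all thresholds are constructed assumptions:

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines: "<epoch> <client> <qtype> <qname>". The long Base32-looking
# labels under tunnel.example (an assumed zone) mimic encoded upstream queries; the rest is browsing.
SAMPLE_LOG = """\
1091900000.01 10.0.1.11 A www.slashdot.org
1091900001.00 10.0.1.23 TXT mfrggzdfmztwq2lknnwg23tpobyxe43u.tunnel.example
1091900001.10 10.0.1.23 TXT nbswy3dpebxw64tmmqqhizlbmn4dcny.tunnel.example
1091900001.20 10.0.1.23 TXT ovzwk4tqmfrww3dfebxxe2lbmn3gc3ds.tunnel.example
1091900001.30 10.0.1.23 TXT orsxg5bamvxgg33emvsca3dbmjswyic.tunnel.example
1091900001.40 10.0.1.23 TXT mvxgs3tuebxwy2lomrsxe4tsebqws3tbmzqxkzlz.tunnel.example
1091900002.00 10.0.1.11 A mail.google.com
"""
BASE32_LABEL = re.compile(r"^[a-z2-7]+$")  # RFC 4648 base32 alphabet, lowercased

def shannon_entropy(s):
    """Bits per character; encoded payload scores far higher than real hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_log(text):
    out = []  # (timestamp, client, qtype, qname) tuples
    for line in text.splitlines():
        ts, client, qtype, qname = line.split()
        out.append((float(ts), client, qtype, qname.lower().rstrip(".")))
    return out

def suspicious_label(qname, min_len=30, min_entropy=3.5):
    """True when the leftmost label is long, base32-only and high-entropy."""
    label = qname.split(".")[0]
    return (len(label) >= min_len and BASE32_LABEL.match(label) is not None
            and shannon_entropy(label) >= min_entropy)

def per_client_peak_rate(records, window=1.0):
    """Highest number of queries one client sent inside any `window` seconds."""
    times = defaultdict(list)
    for ts, client, _, _ in records:
        times[client].append(ts)
    peak = {}
    for client, ts_list in times.items():
        ts_list.sort()
        best = start = 0
        for end, t in enumerate(ts_list):
            while t - ts_list[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        peak[client] = best
    return peak

def analyse(text, rate_threshold=4, encoded_threshold=3):
    """Map each suspicious client to the reasons it was flagged (thresholds are assumptions)."""
    records = parse_log(text)
    encoded = Counter(c for _, c, _, q in records if suspicious_label(q))
    findings = {}
    for client, peak in per_client_peak_rate(records).items():
        reasons = []
        if peak > rate_threshold:
            reasons.append("burst:%d/s" % peak)
        if encoded[client] >= encoded_threshold:
            reasons.append("encoded-labels:%d" % encoded[client])
        if reasons:
            findings[client] = reasons
    return findings
```

Running this on the constructed log flags only 10.0.1.23, the client bursting high-entropy base32 labels; a real deployment would tune the thresholds against the site's own baseline, since ad-heavy browsing also produces plenty of lookups.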

  16. Covert communication over DNS tunnels by Timbo · · Score: 2, Insightful

    There was an old slashdot story eons ago about people using DNS tunnels to abuse the free dial up lines used for setting up a dial up ISP account. Covert comms over DNS is nothing new, but oddly it doesn't seem to have ever caught on.

  17. Duh... by blixel · · Score: 4, Funny

    > That flaw in most firms' network security leaves a vulnerability that can be used by hackers to sneak intellectual property outside a company, communicate with a compromised server inside the company,

    In other security news alerts, there was a major hole discovered in SSH. It turns out if a hacker installs a rogue SSH daemon on the server, he can do nefarious things with it.

    1. Re:Duh... by Effugas · · Score: 3, Informative

      Most trojans need to poll the outside world periodically, to determine whether they have a new set of operations to execute. With this approach, no polling is necessary -- there's an open pipe _into_ the organization, and the trojan can remain perfectly silent.

      --Dan

  18. "without DNS" = LDAP by Anonymous Coward · · Score: 4, Interesting

    Note that LDAP is fully capable of doing host name resolution, there's even an RFC for it (AFAIK the one that specifies how to store POSIX user info also specifies how to store host names).
    And in fact, DNS can be used for user details via Hesiod.

    Both LDAP and DNS are hierarchical federated database systems. Personally, I find current LDAP implementations to be more manageable, better designed, and generally nicer (can set very fine grained permissions) than current DNS implementations. A name system based on LDAP rather than DNS would be fully feasible and IMHO as or more globally scalable.

    But we must distinguish between DNS-the-protocol and DNS-the-implementations - It would be possible to have the same piece of software answer both DNS and LDAP queries from the same database. Hey, hello Microsoft Active Directory! But MAD is nasty for other reasons - so where are the Open Source projects to provide a slapd plugin for DNS protocol lookup to openldap databases? It should actually be pretty simple, maybe it's so simple no-one is interested in hacking on it....

  19. How about this : OpenVPN over UDP port 53 ie. DNS by anti-NAT · · Score: 5, Interesting

    Thought of this almost two years ago. Run OpenVPN over UDP port 53. I figure a fair number of firewalls may not analyse UDP DNS traffic to see if it actually is UDP DNS traffic. Haven't had a chance to try it out though.

    Thinking big picture, you realise that once opportunistic IPsec becomes available, and with IPv6 it will be, any device in the network trying to interpret traffic, such as firewalls and proxy servers, will become just about useless.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf

  20. Re:Old news by Xoder · · Score: 2, Informative

    Really? Last I checked X copy works in all web browsers (even graphical links!)

    Mozilla: Select the url, middle click into a new tab. Bam.
    Konqueror: Ibid.
    Links (graphical): Select the url, hit g, middle click

    --
    The previous sig has been removed due to /. protecting your best interests

  21. Doesn't work that way by Fished · · Score: 2, Insightful

    The packets in question are (or at least could be) well formed.

    Imagine that I own ISpy.com, and a user does a lookup on "user.jsmith.passwd.12345.ispy.com". Your server, in the middle, will forward that request to the NS for ispy.com more or less unchanged. And it doesn't have to be this obvious - it would certainly be easy enough to come up with some form of steganography appropriate to use in DNS.

    Not that proxies are a bad idea, but in this case proxies will not prevent the attack. Mostly, they'll just give you the ability to log the attack easily.

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1

  22. Re:Old news by lysander · · Score: 2

    Dan is literally *using* DNS to hide his traffic, not just using udp:53.

    Even so, this still isn't that interesting. So you mime encode it (or whatever), tack on a domain, and talk to a rogue dns server. Anyone dealing with secure networks should know that having any opening to the internet is a security risk and take that into account when designing one's network.

    --
    GET YOUR WEAPONS READY! --DR.LIGHT

  23. Quick Summary: What's New by Effugas · · Score: 3, Informative

    OK, let me repeat.

    Throwing arbitrary data in DNS -- NOT a big deal.

    Even doing network tunneling over DNS -- ALSO not that big a deal; NSTX has been doing this for a while.

    DNS radio is new. By segmenting audio into small chunks, we actually get universal caching of the streaming signal -- a functionality we've never really had before. Generally, audio broadcast over the Internet falls apart after a few thousand users. Based on this ring-buffer-into-BIND architecture, combined with the utterly minimal bandwidth load of Speex, we should be able to host audio for a much greater number of listeners.

    The entire suite of incoming attacks to firewalls are also new. DNS trusts the hierarchy to tell it the next hop to its target name; since I can acquire second level domains in the hierarchy for minimal cost, it's trivial for me to insert arbitrary destinations along the DNS route path. In technical terms, whenever a recursing resolver comes to my name server to resolve a name, rather than providing an answer, I can redirect that request to another, supposedly authoritative server. That server can be at any address -- even one I cannot IP route to -- but if the resolver communicating with me can route to that address (say 10.0.1.11) my communication will reach that host. If there's an SSH over DNS daemon running on 10.0.1.11, I've now achieved incoming connectivity to the network of my choice, completely bypassing firewalls and a trojan's need to poll.

    Recursion on dual hosted interfaces is not even necessary. There are large numbers of applications that, upon receiving untrusted traffic, execute DNS name lookups. Most commonly, they are reverse PTR lookups, but occasionally there are other types (MX from mail servers, most notably) that can be easily induced. When they are induced, the hierarchy is followed. When the hierarchy is followed, the attacks previously discussed start working. In practice, this means an IDS triggers the DNS server to start proxying traffic between an external attacker host and an internal trojaned machine. Nasty.

    There's some other stuff -- check out the slides and the code -- but long story short, there's some new stuff out :-)

    --Dan

  24. Re:Old news by Effugas · · Score: 2, Informative

    Recursive lookup support isn't required to achieve incoming connectivity (see induced lookups), and being able to do lookups against the outside world isn't identified by anyone as a risk.

    --Dan

  25. Re:nstx by nutznboltz · · Score: 2, Informative

    I was poking around the FTP site that has nstx and I noticed migr. It's a hack to migrate processes between systems. The migration is not completely transparent to the migrated process since it will lose filepoint locations at least. It appears to reload the migrated process by installing it as a SEGV handler with signal stack and then unmapping most of the loader causing a segfault which starts the migrated process.