Slashdot Mirror


Number of Rogue DNS Servers on the Rise

bosoxsux writes "Rogue DNS servers are an increasingly popular tool for scam artists, according to a new report. Their numbers are on the rise, in part because they're difficult for antivirus software to deal with. 'There are now approximately 68,000 rogue DNS servers across the Internet. The authenticity of the sites such servers redirect to varies greatly, from near-perfect copies to laughably bad, but the problem they represent is quite serious. Once an end user's computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site the malware author feels like serving up.'"

154 comments

  1. if I were to own a rogue DNS server by JeanBaptiste · · Score: 0, Redundant

    How the heck would I ever get anyone to use it? Most are set by DHCP from your ISP, and they usually run their own DNS.... and I certainly wouldn't use one randomly....

    1. Re:if I were to own a rogue DNS server by apdyck · · Score: 1

      I don't know how this would happen, but there was a brief time (about 3 days, before the software warned me it needed to update) that my antivirus software update servers were pointed to localhost using my hosts file. This was a bit disconcerting for me, given that there is no way someone should have been able to pull off that hack without knowing exactly what AV software I use and having access to my hosts file. Funny thing is, it only affected one of the four computers on my network, all of which run the same AV software.

      --
      .sig
    2. Re:if I were to own a rogue DNS server by KublaiKhan · · Score: 5, Informative

      I'd do it at the router level, myself. Lots of routers out there with easy or default passwords, and if you know the interface for that particular model/company, then changing the DNS settings would be easy as pie.

      Get a lot of folks who have the money for a broadband connection that way--the folks with money and not much sense who are really ideal for identity theft.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    3. Re:if I were to own a rogue DNS server by KublaiKhan · · Score: 5, Interesting

      With all due respect, there aren't that many different kinds of AV software out there, and only a relatively limited number of configurations possible. The changes to hosts.txt would be relatively small and would be easy to insert on a compromised computer--you could rehost all the common AV servers in hosts.txt with a relatively small worm payload, for instance--no version detection necessary.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    4. Re:if I were to own a rogue DNS server by apdyck · · Score: 1

      I understand your point, but this was clearly a targeted attack - no other servers were listed, the only entries in my hosts file were the ones I had inserted and the four AV servers. In addition, I do not use a mainstream AV program (i.e. Norton or McAfee) - I use Avira Antivir. It is primarily unheard of in North America, although it is, hands down, the best AV software I have ever used (or at least since the days of F-Prot for DOS). This is why it baffled me so much. If you were to write a worm to modify the hosts file, why not make it for one of the big-name AV programs? Or, as mentioned, why not make it for as many as you can think of?

      --
      .sig
    5. Re:if I were to own a rogue DNS server by TripMaster+Monkey · · Score: 1

      True. Many normal users worry about securing their systems, but they completely forget about their routers.

      Of course, unless they've enabled remote administration, you wouldn't be able to access the router from outside the user's home LAN. That's where hacking the wireless connection comes in. ^_^

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    6. Re:if I were to own a rogue DNS server by Firehed · · Score: 1

      The problem with that is that they'll either have had to enable WAN router control panel access (unlikely if they weren't bright enough to change the default password) or you have to physically hit their network - even if just wardriving. I'm sure you'd be intelligent enough to clear out the router logs, but if someone else manages to get the machines themselves on the network infected with a DNS server attack, that's going to override your own.

      --
      How are sites slashdotted when nobody reads TFAs?
    7. Re:if I were to own a rogue DNS server by KublaiKhan · · Score: 1

      Perhaps there's a vulnerability in that particular platform that lends itself to spreading something in particular?

      Or perhaps the author of the exploit wishes to spread things in a subtle manner, so as to delay discovery of their malware?

      Or maybe someone's after you. Check your tinfoil hat. ;-p

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    8. Re:if I were to own a rogue DNS server by KublaiKhan · · Score: 1

      Do it via the usual means, then--the browser hijack, or the email trojan, or whatever else you'd want to use.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    9. Re:if I were to own a rogue DNS server by KublaiKhan · · Score: 1

      Once you've got the router infected, you could use your new control over domains to inject other things to infect the machines, I suppose.

      Or do it in reverse order, and get the machine first and the router after--so even if they fix their machine, on the next resynchronization they'd be hijacked again.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    10. Re:if I were to own a rogue DNS server by Intron · · Score: 3, Informative

      Setting the Avira address to localhost gets rid of the nag ads to buy the non-free version. Somebody using your computer changed the hosts file.

      --
      Intron: the portion of DNA which expresses nothing useful.
    11. Re:if I were to own a rogue DNS server by apdyck · · Score: 1

      Well now, that is informative. I'm glad to hear that it was likely this, rather than a virus, although I'm concerned that someone other than me (with that amount of technical knowledge; my gf is non-technical) was using my computer. Regardless, I will gladly take the benefit of having automatic updates over the cost of having a single advertisement a day for the free version; I don't mind the ads at all, and they're not browser-based ads, so I have no complaints. Anyhow, removing the offending hosts entries solved my problem and I was off to the races again.

      --
      .sig
    12. Re:if I were to own a rogue DNS server by Lobster+Quadrille · · Score: 2, Funny

      > I do not use a mainstream AV program (i.e. Norton or McAfee) - I use Avira Antivir.

      Just a thought, but maybe they know what AV software you use because you posted it on slashdot.
      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    13. Re:if I were to own a rogue DNS server by Raven42rac · · Score: 1

      Your ISP's server could also do a zone transfer from a rogue DNS server and get poisoned cache. But most smart ISPs won't allow that.

      --
      I hate sigs.
    14. Re:if I were to own a rogue DNS server by DragonWriter · · Score: 1

      > The problem with that is that they'll either have had to enable WAN router control panel access (unlikely if they weren't bright enough to change the default password) or you have to physically hit their network - even if just wardriving.

      Don't most routers disable wireless control panel access by default as well?
    15. Re:if I were to own a rogue DNS server by Yaa+101 · · Score: 1

      Trojans. I removed some recently on somebody's system; they get it by downloading those fake codecs.

      You can fool most people into doing anything these days, it's called social engineering.

    16. Re:if I were to own a rogue DNS server by bendodge · · Score: 1

      Getting rid of the Avira nag is much easier than that. Just create a hash rule on the nag exe. I think you can even delete it, but I'm not sure.

      --
      The government can't save you.
    17. Re:if I were to own a rogue DNS server by Jarjarthejedi · · Score: 1

      "I'm glad to hear that it was likely this, rather than a virus, although concerned that someone other than me (with that amount of technical knowledge, my gf is non-technical) was using my computer."

      In the Google age a solution for a problem like that can be found and used by a non-technical person easily. It's entirely possible that your girlfriend saw the ad, was annoyed, googled it, and found a step-by-step to get rid of it.

      Now get off slashdot! You're not allowed to have a girlfriend here! Can you imagine the damage it would do to our stereotypes if it got around that people on slashdot were in relationships!?

      --
      There are two kinds of fool One says 'This is old therefore good' Another says 'This is new therefore better'- Dean Ing
    18. Re:if I were to own a rogue DNS server by killmofasta · · Score: 1

      Ahh! The cache on YOUR DNS gets poisoned.

      Christ! There's a wiki page on it... (I digress)

      The security rundown on how it happens:

      http://www.secureworks.com/research/articles/dns-cache-poisoning/

      Step 1 - Attacker sends a large number of queries to the victim nameserver, all for the same domain name.
      Step 2 - Attacker sends spoofed replies giving fake answers for the queries it made.
      Get the picture?

      Solution: Apply patches to your DNS server. ( i.e. patch your MS Server )

      Cert notification:
      http://www.kb.cert.org/vuls/id/484649

    19. Re:if I were to own a rogue DNS server by Vectronic · · Score: 1

      Ok well, is this a public mini-network? Maybe someone else with a "bit" of knowledge who was using it got sick of it trying to update?

      "why not make it for as many as you can think of?"

      Maybe it did, and maybe it checks what is installed, and only adds the necessary ones for that software.

      And who knows, maybe you blocked it yourself? Maybe AntiVir (if it's the "Security Suite") blocked itself? Perhaps a little too trigger happy with the dialogs? Or maybe another firewall that for whatever reason uses your HOSTS file? (which I don't think I've ever seen, but quite a few spyware scanners do)...

      And as another side note, if AntiVir doesn't protect your HOSTS file, it's obviously not that good, considering I think even Norton has gotten that far...

    20. Re:if I were to own a rogue DNS server by john951 · · Score: 1

      Unfortunately (stupidly), no. In the UK, "wireless broadband" as advertised all over the place = an 802.11b/g router and modem, with possibly a few 10/100 Ethernet ports: you can hit the admin page from a wireless IP as well as a wired, and on mine (SpeedTouch 780), there's no obvious feature to disable it.

  2. certs too by OrangeTide · · Score: 4, Interesting

    Once a machine has been compromised you can add your own certificate server to the list too. And start handing out certs for whatever bullshit you want.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:certs too by KublaiKhan · · Score: 1

      Fascinating idea....and if you've got access to the computer to change the DNS anyway, you could add in an authorization for the false cert agency, too.

      Do you have a newsletter? I'd subscribe to it.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    2. Re:certs too by IamTheRealMike · · Score: 1

      You don't need to. Usability studies have shown conclusively that nobody (and I do mean absolutely nobody) will avoid browsing to a site because of an SSL warning. Even software engineers and other computer experts will just click through the dialog. SSL is an absolute failure at avoiding spoofing due to poor UI.

    3. Re:certs too by OrangeTide · · Score: 1

      I get SSL warnings on my own website because I never bothered to pay and just self-sign my certificate. But if I got warnings on my bank's website I might not want to plug in my account info.

      --
      “Common sense is not so common.” — Voltaire
  3. Suddenly, by robo_mojo · · Score: 1

    SSL

    1. Re:Suddenly, by cheater512 · · Score: 2, Informative

      Even SSL fails with this method of attack.
      Too many ways to add a new root certificate.

    2. Re:Suddenly, by Fred_A · · Score: 2, Informative

      > Even SSL fails with this method of attack.
      > Too many ways to add a new root certificate.

      You'd have to edit the cache so that the new key matches though (because it won't be the same one).

      --
      May contain traces of nut.
      Made from the freshest electrons.
    3. Re:Suddenly, by lintux · · Score: 2, Insightful

      > You'd have to edit the cache so that the new key matches though (because it won't be the same one).

      Heck, when you have enough access to a machine to change its DNS settings, you have enough access to flush the cache or to just disable all SSL safety checks.

    4. Re:Suddenly, by robo_mojo · · Score: 1

      If the attacker is able to run code on your computer, all bets are off and a DNS hijack is the least of your worries.

      If the attacker is just subverting your DNS outside your computer, say by breaking into your router via javascript and a weak password on the router, then SSL will still clearly help (as long as you aren't the type to go clicking "OK" on every warning box).

    5. Re:Suddenly, by Anonymous Coward · · Score: 0

      Then at least that would require direct access. That means as long as your computer is reasonably locked down, you're pretty safe. The attack route of open wifi routers with malicious DNSes is not as big a threat if you visit sites where you've precached their SSL cert.

  4. Simple fix for those running Windows? by HeliosTrick · · Score: 2, Informative

    netsh interface ip set dns "Local Area Connection" static 4.2.2.4
    netsh interface ip add dns "Local Area Connection" 4.2.2.1 index=2

    Doesn't seem too hard to fix this exploit, sneaky as it may sound. Of course, run FF/NoScript etc...

    1. Re:Simple fix for those running Windows? by TripMaster+Monkey · · Score: 4, Insightful

      Of course it's not difficult to fix...the problem is that most users aren't going to check their DNS settings like you or I would...heck...most users don't even know what a DNS server is.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:Simple fix for those running Windows? by mlts · · Score: 3, Interesting

      I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers.

      Then clients can grab the results from any DNS server and validate that they are actual results or phonies.

      Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.

    3. Re:Simple fix for those running Windows? by Penguinisto · · Score: 2, Insightful

      Even worse - sometimes an ISP will refuse to tell you what their DNS IP addys actually are.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:Simple fix for those running Windows? by morgan_greywolf · · Score: 1

      > Of course it's not difficult to fix...the problem is that most users aren't going to check their DNS settings like you or I would...heck...most users don't even know what a DNS server is.

      What're you talking about? I know exactly what a Dorrito's Nachos Server is. Now if only she would hurry up and bring my plate out here....

    5. Re:Simple fix for those running Windows? by rwyoder · · Score: 5, Interesting

      > I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers. Then clients can grab the results from any DNS server and validate that they are actual results or phonies. Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.

      Google "DNSSEC".
    6. Re:Simple fix for those running Windows? by Bring+the+Brain · · Score: 1

      Really, think about it. That is what the internet is. Zillions of network devices attached. Everybody is vulnerable to any type of attack. Along with this post. Don't you agree that if one person can create rogue DNS servers, they are just as capable of implementing rogue routers. It really comes down to, you just have to trust your ISP and do your homework.

    7. Re:Simple fix for those running Windows? by rthille · · Score: 1

      I tried, and the Googol page I got back said, "I'm sorry Dave, but you don't need to see that."

      --
      Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
    8. Re:Simple fix for those running Windows? by killmofasta · · Score: 1

      Mod parent +1 (at least, it's actually very interesting)

      What makes the commands you typed interesting is that if another type of attack, say a virus, script, or ActiveX control, or a Storm-bot client, issued those commands, your DNS is now poisoned.

    9. Re:Simple fix for those running Windows? by mnemonic_ · · Score: 1

      Dude, get a hobby. And lose the ascii art sig.

  5. read more, submit less by OrangeTide · · Score: 4, Informative

    "Once an end user's computer has been modified to use a poisoned DNS server" .. it's right there in the post. You don't even have to RTFA.

    --
    “Common sense is not so common.” — Voltaire
    1. Re:read more, submit less by JeanBaptiste · · Score: 1

      Yes. And I was wondering how they do that. I could go read up on it myself I suppose.

    2. Re:read more, submit less by TFGeditor · · Score: 1

      What the parent said. How would my machine get compromised to use a poisoned DNS server? Inquiring minds....

      --
      Ignorance is curable, stupid is forever.
    3. Re:read more, submit less by TripMaster+Monkey · · Score: 1

      The machine would have to be owned by a previous exploit. Then, all that's necessary is to run a one-line command in command prompt, and then sit back and wait for the sucker^H^H^H^H^H^Hunfortunate victim to visit my malicious web page.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    4. Re:read more, submit less by Hamstaus · · Score: 5, Informative

      The same way your machine would get compromised to have a virus or spyware. Any virus could easily modify your hostname or DNS settings to use a rogue DNS server. You may not know it, but if you're using DHCP, one of the first things your computer (or router) does when it connects to your ISP is to ask what DNS servers it should use. Generally you'll use your ISP's DNS servers. If you're not using DHCP, you'll have had to enter the DNS settings yourself. In any event, it's an easily manipulated property of your network connection. Any virus or software flaw could be utilized to change your DNS to a rogue server. I bet unpatched IE Javascript flaws could even do it.

      --
      I moderate "-1, Fool"
    5. Re:read more, submit less by Firehed · · Score: 1

      Well you can set the DNS server to use within the OS - the machine just uses the first DNS server it knows about (local first, then router-level, then your ISP, etc). Presumably, you just get some funky malware that makes the appropriate system changes.

      I don't see why they wouldn't go for a poisoned HOSTS file. It's also been done in the past, and would be much harder to spot since relatively few people would think to look there if problems arise. Of course, the disadvantage of that approach is that the person running the hack doesn't (really) get to update your HOSTS file at any point in time, whereas they can point a poisoned DNS server to another bad site or add in more.

      --
      How are sites slashdotted when nobody reads TFAs?
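A defender's counterpart to the hosts-file and DNS-settings tampering discussed in this thread, added here as an example (not code from any poster): it parses a hosts file, flags every mapping the user did not put there, and compares the adapter's configured resolvers against an allowlist. The hosts content, the resolver list and the allowlist (the 4.2.2.x addresses posters say they configure by hand) are constructed assumptions; on a real Windows box you would feed it the contents of %SystemRoot%\System32\drivers\etc\hosts and the resolvers shown by ipconfig /all.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file: the user's own LAN entry plus the kind of
# tampering described in the thread, i.e. a vendor's update hosts pinned to
# loopback and a bank's hostname pinned to an attacker-chosen address.
# All hostnames and addresses are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.home.lan          # added by the user
127.0.0.1       update1.av-vendor.example
127.0.0.1       update2.av-vendor.example    # not added by the user
198.51.100.7    www.bank.example
"""

# Constructed: resolvers read back from the adapter; one is unexpected.
SAMPLE_RESOLVERS = ["4.2.2.1", "203.0.113.53"]

# Assumed allowlist: the resolvers posters in the thread configure by hand.
EXPECTED_RESOLVERS = frozenset({"4.2.2.1", "4.2.2.2", "4.2.2.4"})

# Names that legitimately map to loopback in a stock hosts file.
STOCK_LOCAL_NAMES = frozenset({"localhost", "localhost.localdomain",
                               "broadcasthost", "ip6-localhost", "ip6-loopback"})


@dataclass(frozen=True)
class HostsFinding:
    line_no: int
    address: str
    hostname: str
    kind: str  # "blackholed", "redirected" or "unparseable"


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in a hosts file.

    Handles trailing comments and lines that alias several names to one
    address, which is how both stock entries and tampering usually appear.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no names maps nothing
        for name in fields[1:]:
            yield line_no, fields[0], name.lower()


def audit_hosts(text, known_entries=()):
    """Flag every mapping the user did not put there.

    A loopback pin ("blackholed") silently breaks the named host, which is
    what apdyck saw with his AV update servers; any other pin ("redirected")
    bypasses DNS entirely for that name.
    """
    known = {n.lower() for n in known_entries} | STOCK_LOCAL_NAMES
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if name in known:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(HostsFinding(line_no, addr, name, "unparseable"))
            continue
        kind = "blackholed" if ip.is_loopback else "redirected"
        findings.append(HostsFinding(line_no, addr, name, kind))
    return findings


def audit_resolvers(configured, expected=EXPECTED_RESOLVERS):
    """Return the configured resolvers that are not on the allowlist."""
    return [r for r in configured if r not in expected]


def report(hosts_text, resolvers, known_entries=()):
    """Print a human-readable summary and return the number of problems."""
    problems = 0
    for f in audit_hosts(hosts_text, known_entries):
        problems += 1
        print(f"hosts line {f.line_no}: {f.hostname} -> {f.address} ({f.kind})")
    for r in audit_resolvers(resolvers):
        problems += 1
        print(f"resolver {r} is not on the allowlist")
    return problems


if __name__ == "__main__":
    n = report(SAMPLE_HOSTS, SAMPLE_RESOLVERS, known_entries={"fileserver.home.lan"})
    print(f"{n} problem(s) found")
```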
    6. Re:read more, submit less by Anonymous Coward · · Score: 0

      The poisoned DNS on the machine is the result of an infection?

      So this doesn't happen by magic. Wouldn't you need to get infected with something first? So the part about antivirus not working doesn't make sense; the antivirus program will, or should, detect the code that would modify the machine's DNS before it actually runs.

    7. Re:read more, submit less by Beardo+the+Bearded · · Score: 1

      Some anti-* programs (e.g. Spybot) can lock your hosts file.

      I imagine that the next version will lock your DNS settings.

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    8. Re:read more, submit less by FelixGordon · · Score: 3, Interesting

      Perhaps you're one of the many people with an insecure wireless network using the default admin/password combination?

      Or perhaps you're one of the many people clever enough to use someone else's insecure wireless network to access the internet?

    9. Re:read more, submit less by Anonymous Coward · · Score: 4, Insightful

      Easier than you think to use a rogue DNS server. Two words: Open WIFI.

      The default networking settings in a computer are to grab IP and DNS settings from the WIFI. This will get the rogue DNS right in.

      The way around is to change networking settings to have the DNS point to a pre-chosen known ISP, but how many are doing that?

    10. Re:read more, submit less by ehrichweiss · · Score: 1

      If a rogue DHCP server is "closer" (faster response time, basically) to the target than the real one, it is an almost trivial task to poison their DNS. One could set up a fake AP and then route all traffic to the real AP but only after the DHCP server has had time to do its work. The same can go for wired communication as well, especially since running a DHCP server on a cable network is going to give the rogue server a much quicker response time for the machines in the server's general physical area.

      --
      0x09F911029D74E35BD84156C5635688C0
    11. Re:read more, submit less by OrangeTide · · Score: 1

      An exercise left to the reader.

      Given the number of Windows zombies out there in the wild I assume rooting a box is old hat nowadays.

      --
      “Common sense is not so common.” — Voltaire
    12. Re:read more, submit less by FishWithAHammer · · Score: 1

      Or an open wireless connection that picks up a nasty DNS...

      --
      "You can either have software quality or you can have pointer arithmetic, but you cannot have both at the same time."
    13. Re:read more, submit less by OrangeTide · · Score: 1

      Anti-virus / security software could one day (maybe it already does) protect your DNS settings and hosts file so that this easy scam cannot be so easy anymore.

      --
      “Common sense is not so common.” — Voltaire
    14. Re:read more, submit less by NotBorg · · Score: 3, Interesting

      Ideally this would be something that could only be done via an infrequently used administrator account. The reality, however, is that most Windows installs are set up to automatically log in to an administrator account by default. Most Windows users don't even know they are doing it.

      Personally I think the boys and girls at MS should release a critical security update (you know, the ones that go off regardless of whether you have them enabled or not [-1 troll]) which launches a wizard to educate users about the differences between administrator and non-administrator accounts. In addition, the wizard would assist in creating a non-administrator account and migrating the user's files and settings to it.

      Call me crazy, but when I installed Linux it was a natural thing from the get-go that I shouldn't do everything as root, only things that could not be done otherwise. I don't have to worry much that my hosts file or DNS settings got owned. Lots of things don't get owned. Windows could be made closer to this.

      --
      I want this account deleted.
    15. Re:read more, submit less by empaler · · Score: 1

      Doesn't even have to be a nasty DNS if the perp has full control over the connection - could just filter the DNS requests and only inject your own answers when you want to - just monitor port 53 for the stuff you want, like 'paypal.com', and Bob's your uncle.

    16. Re:read more, submit less by NnT042 · · Score: 2, Informative

      I don't know if the situation has improved any in Vista, but as far as XP goes there are a LOT of programs you simply can't use that way. I run as admin constantly, and with a full awareness of how dangerous it is. At least a third of the programs I use, poorly written as they are, try to do things like save configuration files (or saved games) in their installation folder. Unfortunately limited accounts are not allowed write access to Program Files, and there is no getting these boneheads to RTFM and learn what %AppData% is for. So like it or not, I'm Admin.

      I tried Vista, and reverted the next day - couldn't stand it. No telling if they've fixed this problem or managed to beat some sense into the developers yet, and I don't know if/when it will be necessary for me to find out.

    17. Re:read more, submit less by MadnessASAP · · Score: 1

      Because I regularly have problems with my ISP's DNS server I often manually configure mine to 4.2.2.1 and 4.2.2.2

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
    18. Re:read more, submit less by TheThiefMaster · · Score: 2, Informative

      I run as a "Power User" on XP. No permission to install or write to the Windows folder, but can write to Program Files.

      Seems a good compromise.

    19. Re:read more, submit less by harry666t · · Score: 1

      There should be no compromises in security.

      If Windows' FS wasn't so braindamaged I'd do symlinks to saved games which themselves would live in another (user-writable) folder.

      Thank gods I run unices on all my boxes.

    20. Re:read more, submit less by Palinchron · · Score: 1

      Actually, Windows does support a form of symlinks called "junctions". Sysinternals used to have a program to create them. They aren't completely the same thing as symlinks; there are two pitfalls to keep in mind:
      • If you rm -rf a junction, you remove all of the linked directory's contents, not just the link itself.
      • Most Windows tools are not aware of the existence of symlinks, so if you create a circular directory structure (/a/b/c linking to /a) you're in for a nasty surprise whenever a program is going to scan a complete directory tree.
      --
      The lesson here is that a sufficiently large corporation is indistinguishable from government. --ultranova
    21. Re:read more, submit less by TheThiefMaster · · Score: 1

      Or you could just make the game's saved-games folder user-writable.

    22. Re:read more, submit less by harry666t · · Score: 1

      I actually am aware of this hack, but this is exactly the brain damage that kept me away from freely experimenting with multiple installations of various Quake3s and JK3 (I was a modder at the time). I used to have 2 or 3 parallel installs of JK3 (each at least ~1.2 GB, and disk space wasn't that cheap by then) for my experiments and one for regular playing, and keeping track of these stupid "rm -rf"-unaware junctions was just...

      Eh, how nice JK3 works well under Wine.

  6. So fake site look more real? by HartDev · · Score: 1

    So will that server have the real URL for a legit site and then be able to fake you out? Also when is this internet 2 that I hear about all the time gonna come out. I like the ideas of a newer, faster, sexier (I dunno how it would be sexier...) internet that has more control over content allowed in and services, etc etc.

    --
    To see a few of my Android apps goto: www.hartwired.com
    1. Re:So fake site look more real? by wsuschmitt · · Score: 1

      The internet will be sexier because it is faster at downloading that porn you're looking for...

    2. Re:So fake site look more real? by Lobster+Quadrille · · Score: 1

      It's been out for years, but only the cool people have access to the other internet, and you have to know somebody to get in.

      It's quite nice though. All the pron you could want, free of copyright restrictions, and blazing fast speeds.

      That's also where all the hot geek girls hang out, while you guys are all reading slashdot.

      --
      "The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
    3. Re:So fake site look more real? by HartDev · · Score: 1

      I knew it!

      --
      To see a few of my Android apps goto: www.hartwired.com
  7. Key word is 'modified' by KublaiKhan · · Score: 1

    After all, one must set your computer to use one of those servers.

    I can think of a few possible ways to do this--a worm that modifies default-passworded routers, for instance, would be capable of modifying DNS entries at the router level--but is there an easy exploit to do so at the end-user's computer? Or a method of modifying the DNS via a browser window?

    --
    In Xanadu did Kubla Khan
    A stately pleasure dome decree
    1. Re:Key word is 'modified' by TripMaster+Monkey · · Score: 1

      If one has the ability to run malicious code on the target system, it would be pretty easy. I don't know about a browser window, but the DNS setting can be modified easily by a VB script, or trivially easy via the command prompt (one line command).

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    2. Re:Key word is 'modified' by KublaiKhan · · Score: 1

      Perhaps DNS settings should be shadowed or otherwise obfuscated...though how that would be done, I'm not quite sure.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    3. Re:Key word is 'modified' by TripMaster+Monkey · · Score: 3, Informative

      Actually, I ran across some malware that did something similar a few years ago. This malware modified the registry to put in an invisible SOCKS proxy, so all HTTP traffic went to the internet via its own server, which sniffed all packets en route. It was a real bitch to get rid of...once I removed the obvious parts, HTTP was just plain broken until I fixed the malicious registry entries.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    4. Re:Key word is 'modified' by KublaiKhan · · Score: 1

      That's absolutely brilliant....where'd they host the proxy? Same machine? Or did they host the proxy somewhere themselves?

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    5. Re:Key word is 'modified' by TripMaster+Monkey · · Score: 1

      They hosted the proxy themselves.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    6. Re:Key word is 'modified' by KublaiKhan · · Score: 1

      Bit of a risk there, because you could trace it to 'em that way, potentially. That, and there might be a bit of lag going on. Helpful in terms of updating, though.

      Still quite interesting, though. I wonder how many similar proxies there are out there....

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    7. Re:Key word is 'modified' by TripMaster+Monkey · · Score: 2, Interesting

      Well, when I say "host it themselves", I'm pretty sure the proxy machine isn't theirs physically. In all probability, it's another 0wned box, chosen for this role due to its higher specs and fatter pipe. Then, the system can periodically dump the accumulated data to another location (like an obscure newsgroup) for later retrieval.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

    8. Re:Key word is 'modified' by Quadraginta · · Score: 1

      Geez, or perhaps user applications like fucking browsers shouldn't run with system-level God privileges.

      But that's a whole 'nother (mega)thread...

    9. Re:Key word is 'modified' by killmofasta · · Score: 1

      "After all, one must set your computer to use one of those servers."

      No. Your... the DNS your computer points to can be compromised, if left unpatched.

      You don't need to do anything, just request an IP from a poisoned cache...

      Hint: you can also recover
      ipconfig /flushdns

  8. Huh? by JK_the_Slacker · · Score: 4, Funny

    You can run Rogue on a DNS server? Sweet! I know what I'm doing this weekend...

    --
    I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
    1. Re:Huh? by WwWonka · · Score: 1

      I think I'd be more interested in DOING Rogue on a DNS server! Talk about a dead lay.

    2. Re:Huh? by Ambiguous+Puzuma · · Score: 4, Funny

      It probably requires a net hack.

    3. Re:Huh? by mindstrm · · Score: 1

      The article is sensationalist to be sure - obviously simply having a DNS server gives you power over nobody.

      The practice of poisoning/changing/redirecting a target's DNS requests to a DNS server you control is what's on the rise.

      The problem is the amount of trust built upon DNS... so much of web-based security is built on same-domain policies and things like that. Once you control someone's DNS lookups, you control just about everything they do on the internet.

  9. Interesting problem by roman_mir · · Score: 1

    So we have to know exactly which DNS to use then. This is not good, most people don't know and don't care to find out about such things. But a computer has to be infected in the first place for DNS to be spoofed, so as long as there are no infected computers... oh...

    1. Re:Interesting problem by killmofasta · · Score: 1

      Not really, you just need to point to a DNS server that is patched.

      I had a few clients that were using PacificHell's DNS servers.
      After the third call, I finally pointed their third DNS directly to
      Berkeley's DNS server. Then they only had complaints about slowness,
      instead of totally off line. ( Lucky that they were close to Berkeley ),

      Although Berkeley's got some big iron as DNS, it won't work so well,
      if their DNS servers get DNSlashDNotted, so pick a close school, ( MIT, GeorgiaTech, UniversityOfHawaii... Maybe not )
      that you *know* is picky about security, and point to them.

      ( My choices are 1) Fastest 2) Their ISP's DNS 3) Berkeley, 4) The top-level DNS. ( for instance comcast.net's top-level DNS is for Level 3 communications. You don't want all your queries going there, but if your DNS looks weird, ( something slips through, ) or like pacificHELL it's on a 386SX/16. ( Maybe this has changed...110ms 130ms 110ms Or maybe it hasn't.)
      You want to flush your cache, and hit your most used sites.

    2. Re:Interesting problem by Fnord666 · · Score: 1

      What about openDNS? Do people use their DNS servers, and how up to date are their patches?

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    3. Re:Interesting problem by killmofasta · · Score: 1

      No one I know, nor me, use openDNS, right now, BUT, I am looking into pointing to it for my systems, and my clients. It looks VERY interesting.

      Ahhahah! How up to date are openDNS machines? I would guess state of the art, but let me poke around their DNS server...Well, the poking indicates that security is at the highest levels, ( of course ), and I have opened a discussion with them regarding their maintenance.

      BIND is currently at 9.4.2, and 8.2.x was the one vulnerable, and IIs

      Hehe! Look at this:

      http://vdb.dragonsoft.com/detail.php?id=3028

      "ISC BIND 9 - 9.5.0a are exist remote cache poisoning vulnerability, caused by the DNS query ID generation code."

      This site:

      http://www.kb.cert.org/vuls/id/927905

      Lists Microsoft Windows as 'Not Vulnerable'

      "Thank you for the heads up. While we do use the BIND protocol, we have our own implementation so these implementation-specific vulnerabilities should not affect us."

      But of course, this proves that the above is a misstatement...

      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3898

      "The DNS server in Microsoft Windows 2000 Server SP4, and Server 2003 SP1 and SP2, uses predictable transaction IDs when querying other DNS servers, which allows remote attackers to spoof DNS replies, poison the DNS cache, and facilitate further attack vectors."

      The Patch for servers is:

      http://www.microsoft.com/technet/security/bulletin/ms07-062.mspx
      ( Nice of them to patch a vulnerability that they claim they don't have! )

    4. Re:Interesting problem by killmofasta · · Score: 1

      I just wanted to add, in response to this vulnerability,
      it's more of the same FUD, as in Pollute and Dilute, and then lie through your teeth about it. ( are these guys going to join the White House Spokesmen? )

    5. Re:Interesting problem by killmofasta · · Score: 1

      I am now using openDNS, and it ROCKS!
      First off, I cannot now see any of the servers that I had problems with blacklisting.
      They are not resolvable. ( thanks openDNS! )
      Second, first hits are a tiny bit slower, on the order of 150~250ms,
      but after a site has had a few lookups, it's not noticeable.

      They are running custom software, that they have anticipated all the cache poisoning problems, i.e. their random number generator, is much better, hence it would take trillions of lookups to get a chance to poison the cache, if at all.

      I have seen BIND( The basic DNS program ) become part of the internet, and waving!addresses!goodbye! I have seen BIND problems get resolved, and imagined and real problems fixed, and others seem to take on a life of their own. The Random Number problem, has been a real nut cracker for BIND. You have to be fast, and pass statistical tests too! And like I said, M$ said they were writing custom software, and had it licked, but then it's not shipping on Windows and you have to patch your servers.

      I would believe the openDNS guys if they said It's not a concern. They actively patch, and secure their systems on a daily basis( even on 3 day weekends ), and probably have an extraordinary blacklist of RogueDNS servers, growing by the second. I am going to switch everyone I can over to openDNS. THEY ROCK! I am VERY pleased with their DNS. I am lucky that they are close, and they are directly connected to Alter.net. Let them get DNSlashDNotted! I am sure they have the capacity to handle it.

  10. Hijack it yourself by RT+Alec · · Score: 5, Interesting

    Whenever I set up the network infrastructure for a business, particularly one that has a lot of laptops, I make sure to intercept all DNS traffic and redirect it to a local server (since most of the boxes are routers, firewalls, NTP and DNS servers all in one, on (Open|Free)BSD this is easier).

    For PF, it's as simple as:
    rdr pass on $if proto {tcp,udp} from any to any port 53 -> 127.0.0.1 port 53

    If you still use IPFilter, use this rule in ipnat.rules:
    rdr de0 0.0.0.0/0 port 53 -> 127.0.0.1 port 53 tcp/udp

    1. Re:Hijack it yourself by drakyri · · Score: 3, Informative

      If you're not up to setting up your own DNS server, how about just setting all local systems to use the local gateway as a DNS server - then use pf or ipfw to redirect those packets (incoming to gateway:53) to your ISP's DNS servers?

      Drop any incoming packets on the internal interface on port 53 that aren't addressed to the gateway. That'll allow you to keep an eye on the DNS servers easily on a machine that's presumably running *nix and not as susceptible to viruses without having to set up your own.

  11. I use the DoD's DNS Servers..... by Farakin · · Score: 0

    I should probably not do that anymore.....

  12. Worrying news FTA by Waffle+Iron · · Score: 5, Funny

    The spoof sites run the gamut. Some are stunningly convincing, others amusingly bogus with spelling errors and typos.

    Now I'm afraid that I'm a victim of this scam. It looks like this "Slashdot" site I've been using could actually be nothing more than a bad spoof...

  13. Sounds like an ISP opportunity by davidwr · · Score: 5, Interesting

    If ISPs would offer an optional "cleaning" service to block suspicious activity not only would fewer people fall victim, but the bang-for-the-buck would go down and it might not be worth the scammer's effort.

    A cleaning service would act like a deep-packet-inspection router but at the ISP head end.

    Useful services to offer:
    * net-nanny/thinkofthechildren content blocking
    * block known hostile/poisoned sites
    * tattletale/reporting
    * time-of-day blocking
    * login-required services - no port 80 or 443 without a cookie identifying which member of the family is using the computer
    * DNS interception/reroute to canonical ISP DNS
    * DNS interception/reroute to modified-for-the-customer ISP-provided DNS
    * DNS interception blocking DNS to known rogue sites
    * much, much more
    * Arbitrary, customer-controlled port blocking for inbound and outbound ports

    ISPs should offer "protect the network" or "protect from criminal activity" blocks like poisoned-DNS blocks for free/build the cost into their basic rates, and charge a premium for parental-control/business-use-control services.

    Of course they shouldn't force anyone to use these services if they don't want to.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Sounds like an ISP opportunity by KublaiKhan · · Score: 1

      Or simply put it in the terms of service and require such a "service" for their "ultra-safe internet connection"--and incidentally have authorization to do all manner of net neutrality violating things.

      Put it in enough marketspeak, and you'd be all set.

      --
      In Xanadu did Kubla Khan
      A stately pleasure dome decree
    2. Re:Sounds like an ISP opportunity by Klaus_1250 · · Score: 2, Informative

      OpenDNS already offers most of these services, for free... Downside is, that if you look at their Terms of Service, they might also block things you don't ask for (e.g. p2p-sites and such). But for businesses, it should be fairly safe.

      --
      It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
    3. Re:Sounds like an ISP opportunity by ostomator · · Score: 1

      Wow!
      while I agree in principle with you (but then again, I agree in principle to universal health care),
      I realllllly don't want my ISP to examine pretty much anything unless I sign up for said service.

      you need to balance the common good with reasonable efforts of reasonable people to protect themselves.
      The "average user" explanation ceases to hold water in this day and age.

      Or maybe that is your point and I am just not grokking it. In that case, my humblest.

      Caveat Emptor!

    4. Re:Sounds like an ISP opportunity by Veinor · · Score: 1

      Plus there's the thing where they automatically rewrite the URL Firefox uses for its address bar autosearching into one that uses their own Yahoo-based search, and you can't turn it off unless you e-mail support. Which is why I don't use OpenDNS.

  14. Is this about OpenDNS redirecting www.Google.com? by Anonymous Coward · · Score: 5, Interesting

    Try it: resolver1.opendns.com and resolver2.opendns.com return a CNAME for www.google.com. When you use OpenDNS, your browser really connects to google.navigation.opendns.com instead of www.google.com, and that name resolves to an OpenDNS IP address. Bet you didn't expect that from a service which touts to be "Open" something...

  15. How can they not? by davidwr · · Score: 3, Insightful

    If an ISP expects me to use their DNS service, they have to tell me, either up-front or as part of the DHCP configuration request.

    Otherwise, I'll have to use someone else's DNS or do without.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:How can they not? by Penguinisto · · Score: 1
      True, but either one of us could find it rather quickly at a terminal/command-prompt.

      Most users OTOH fear those things.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
  16. Scary stuff... Could even hit OS X easily by Tibor+the+Hun · · Score: 1, Interesting

    Malicious software purported to be for an unrelated application could easily ask a user to authenticate with admin credentials during the installation.
    Wham-bam, the porn-viewer, or icon-designer has now changed your DNS settings...
    Considering that most OS X virus scanners are still either in their infancy or completely ineffective, this would be an easy target.

    What's the best strategy against something like this? Installing apps in ~/Applications vs /Applications ?
    Maybe Apple could make that the default behavior, or at least a user preference via Account settings.

    --
    If you don't know what AltaVista is (was), get off my lawn.
    1. Re:Scary stuff... Could even hit OS X easily by Firehed · · Score: 1

      That's true of any software where you have to authenticate. However, most installations on OS X (the "drag the icon into /Applications" ones) don't require authentication since they don't have to make any major file changes. I'm rather wary about software from an untrusted publisher that asks for authentication, which is really the whole point behind not running as root. It could just as easily hit Linux installs of any flavor.

      I think the best defense on the part of all OS writers would be to make it so you can't make changes to certain specific areas of the low-level system without having to authenticate twice - once for your standard /System changes, and a second with an explicit warning that network-related (or whatever) changes are to be made for file changes in /wherever/these/settings/are. But then you're hitting the Vista UAC problem where you ask people to authenticate so often that it starts being ignored.

      At the end of the day, the best defense is just being suspicious of any program that asks for authentication. Those areas of the file-system require root-level access for a reason.

      --
      How are sites slashdotted when nobody reads TFAs?
  17. Speaking of reading more... by Anonymous Coward · · Score: 0

    It's too bad they only linked to the AP story in this submission, which can be found everywhere, and didn't bother to mention the researchers in question (David Dagon, Chris Lee and Wenke Lee of the Georgia Institute of Technology and Niels Provos of Google).

    Unfortunately, it's harder to find a direct link to their paper. This was the best I could find, but it doesn't actually have the paper as best I can tell.

    1. Re:Speaking of reading more... by FatdogHaiku · · Score: 3, Informative

      This might help: http://www.citi.umich.edu/u/provos/papers/ndss08_dns.pdf
      Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  18. Waiting for the Worms by Gary+W.+Longsine · · Score: 2, Funny

    Ooooh, you cannot reach me now
    Ooooh, no matter how you try
    Goodbye, cruel 'Net, it's over
    Surf on by.

    Sitting in a bunker here behind fire-wall
    Waiting for the worms to come.
    In perfect isolation here behind fire-wall
    Waiting for the worms to come.

    We're {waiting to succeed} and going to convene outside Pharmington
    Dot Com where we're going to be...

    Waiting to infect their PC.
    Waiting to read all their e-mail.
    Waiting to follow the worms.
    Waiting to set up fake bank sites.
    Waiting to update the rootkits.
    Waiting to smash in their windows
    And change their config.
    Waiting for the final solution
    To "clean up" this strain.
    Waiting to follow the worms.
    Waiting to gather their idents
    And pretend to be them.

    Waiting for windows based desktops
    and laptops and cell phones.
    Waiting to follow the worms.

    Would you like to see deposits
    bank, again, my friend?
    All you have to do is follow the worms.
    Would you like to send your credit rating
    Home to me, my friend?

    All you need to do is follow the worms.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  19. It's a tree, not a shrubbery. by jd · · Score: 1
    DNS servers have local records but look elsewhere for authoritative records for other sites. Authoritative records still have to come from somewhere, though. If you've more than a few static/public IP addresses, it makes sense to run your own DNS and put the local information into that. Until that information is cached elsewhere, queries placed onto the DNS network will eventually make it onto your DNS server to be resolved.

    So far, so nothing much. However, it's the first response to queries that matters, not who responds. So if your DNS has false entries for other sites, and those entries get back before the real ones do, then the query will return the false results. Oh, I've made use of this feature in helpful ways. I had a problem with an associated group having an unstable DNS server. This made establishing connections unreliable, so I simply transferred the zone to my own DNS server, which (naturally) I'd set up rather better. Problem solved. Totally unassociated network, but DNS just doesn't give a damn.

    A malicious person who had the means of poisoning caches or corrupting local entries can use this exact same property to return falsified records for other servers. Any server could be modified to claim to be such-and-such a machine. Makes no odds that it's on a different network, it only has to get the response to the target machine first. You've then got a way of carrying out phishing scams in which the hostname is genuinely fine but the machine that it points to could be anything and anywhere.

    DNS has optional security and authentication mechanisms, but nobody uses them so they don't make a difference. Only one infiltrated DNS system would be enough to cause problems, but tens of thousands pushes the problem into the high risk arena.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:It's a tree, not a shrubbery. by Intron · · Score: 1

      Actually, there was just an article on the problem of poisoning DNS responses.

      http://it.slashdot.org/article.pl?sid=08/02/10/0136236

      Your attack won't work since DNS uses a 16-bit randomized ID on each request and rejects any response with a non-matching key. Of course some DNS servers may not check the key, but Bind does.

      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:It's a tree, not a shrubbery. by hal9000(jr) · · Score: 1

      For a blind attack, yes. But if you can view the packets on the wire, say in a request, and if you can craft a response and get it to the requester first, you win.
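      The checks Intron and hal9000(jr) are discussing, as an added example that is not code from any poster on this thread: a minimal stub-resolver check that a reply must arrive on the socket that sent the query, carry the same 16-bit transaction ID and echo the same question, together with an estimate of how often a blind forger who never sees the query would guess right. Hostnames, addresses and packet contents are constructed for the example, and `blind_spoof_probability` is an assumed helper name, not a real library call.

```python
"""Stub-resolver reply validation and a blind-forgery risk estimate.

Added example for this thread, not code from any poster. Packets are
built inline with the standard library only; no network is used.
"""
import random
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """12-byte header plus one question; flags 0x0100 = recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_answer(txid: int, name: str, ip: str) -> bytes:
    """Minimal response: the echoed question and one A record for `ip`."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answer


def parse_question(pkt: bytes):
    """Return (txid, qname, qtype) from a query or response (no compression)."""
    txid = struct.unpack("!H", pkt[:2])[0]
    pos = 12
    labels = []
    while True:
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        labels.append(pkt[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype


def accept_response(query: bytes, sent_from_port: int,
                    response: bytes, delivered_to_port: int) -> bool:
    """What a careful resolver checks before trusting a reply: it arrived on
    the socket that sent the query, its TXID matches, and the echoed
    question is the one that was asked."""
    if delivered_to_port != sent_from_port:
        return False
    q_id, q_name, q_type = parse_question(query)
    r_id, r_name, r_type = parse_question(response)
    return q_id == r_id and q_name.lower() == r_name.lower() and q_type == r_type


def blind_spoof_probability(attempts: int, txid_bits: int = 16,
                            port_bits: int = 0) -> float:
    """Chance that at least one of `attempts` forged replies matches a
    resolver that randomizes txid_bits (plus port_bits, if the source port
    is randomized too) for each outstanding query."""
    space = 2 ** (txid_bits + port_bits)
    return 1.0 - (1.0 - 1.0 / space) ** attempts


def demo():
    """Genuine reply is accepted; a forgery with a guessed TXID is rejected."""
    rng = random.SystemRandom()
    txid = rng.randrange(1 << 16)
    port = rng.randrange(1024, 65536)
    query = build_query(txid, "www.example.com")
    genuine = build_answer(txid, "www.example.com", "192.0.2.10")
    # constructed forgery: correct question, wrong (guessed) transaction ID
    forged = build_answer((txid + 1) & 0xFFFF, "www.example.com", "198.51.100.7")
    return (accept_response(query, port, genuine, port),
            accept_response(query, port, forged, port))


if __name__ == "__main__":
    print("genuine accepted, forgery accepted:", demo())
    print("1 blind guess, TXID only:", blind_spoof_probability(1))
    print("65536 blind guesses, TXID only:", blind_spoof_probability(65536))
    print("65536 blind guesses, TXID + random port:",
          blind_spoof_probability(65536, 16, 16))
```

      With a 16-bit ID alone, 65536 forged replies aimed at one outstanding query give roughly a 63% chance of a hit, which is why the predictable-ID bugs linked earlier in this thread matter; randomizing the source port as well pushes the same effort to a hit rate on the order of one in a hundred thousand. None of this helps against the on-path case hal9000(jr) describes, since an observer who sees the query knows the ID and port.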

  20. easy to prevent by koreanbabykilla · · Score: 1

    just block outgoing dns requests from your lan interface, secure your router and make everything on your network use 10.0.0.1 (or whatever) for dns...

    1. Re:easy to prevent by shentino · · Score: 1

      And how is that going to help you if you need to access data that an external DNS server is authoritative for?

      Unless you plan on disallowing ALL outgoing traffic altogether, you still need external DNS of some sort. Your internal DNS server is HARDLY going to be authoritative for anything outside of your control.

      Plus, what about TTL records that expire? Don't those need to be refreshed?

    2. Re:easy to prevent by gujo-odori · · Score: 1

      For a simple example, let's say you have a few PCs at home, NATted behind a broadband router. Every broadband router I've ever used has a nameserver built-in, and you configure the router so that the only DNS requests allowed through the internal interface are DNS requests to the router's internal interface address. Everything else gets dropped on the floor. That won't protect a vulnerable machine from having its DNS settings hijacked, but it will stop it from querying any rogue DNS servers. The end result will be that for that machine, DNS will break completely.

      There are, of course, several problems with that approach:

      1) Not all broadband routers support writing those sorts of firewall rules. I'd be surprised if most do.

      2) Most home users don't have the technical expertise to do that, nor understand why it is necessary. The ones who do are far less likely to become victims in the first place

      3) If a vulnerability is found in the router itself and the router gets owned and pointed to a rogue DNS, all bets are off

      As a security precaution, it's not a bad idea for those who have the ability to implement it and hardware that allows it, but overall DNSSEC is a better solution to the problem.
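      An endpoint-side check that complements the router rules koreanbabykilla and gujo-odori describe, and that would notice the kind of silent resolver change discussed in the "Key word is 'modified'" thread above, as an added example that is not code from any poster: read the resolver list from a resolv.conf or from `ipconfig /all` output and report anything that is not on a short allowlist. The allowlist addresses and both sample listings are constructed for the example.

```python
"""Audit configured DNS servers against an allowlist.

Added example for this thread, not code from any poster. The allowlist
(gateway plus two ISP resolvers) and the sample listings are constructed.
"""
import ipaddress
import re

# Assumption: only the gateway resolver and the ISP's two resolvers are legitimate.
ALLOWED_RESOLVERS = {"10.0.0.1", "192.0.2.53", "192.0.2.54"}

# Constructed sample: a Unix resolv.conf where a foreign server has been appended.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcp
search home.lan
nameserver 10.0.0.1
nameserver 203.0.113.9
"""

# Constructed sample: the adapter block of `ipconfig /all` on a Windows client.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : home.lan
   IP Address. . . . . . . . . . . . : 10.0.0.23
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 203.0.113.9
                                       203.0.113.10
"""


def _is_ip(text: str) -> bool:
    """True if `text` parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_resolv_conf(text: str):
    """Return nameserver addresses in order; comments and other keys ignored."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text: str):
    """Return DNS server addresses from ipconfig /all style output.
    The first address follows the 'DNS Servers' label; further addresses
    appear alone on the continuation lines that follow it."""
    servers = []
    in_dns = False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*: *(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        if in_dns:
            stripped = line.strip()
            if stripped and _is_ip(stripped):
                servers.append(stripped)
                continue
            in_dns = False
    return servers


def audit(servers, allowed=ALLOWED_RESOLVERS):
    """Return the configured resolvers that are not on the allowlist."""
    return [s for s in servers if s not in allowed]


if __name__ == "__main__":
    for label, servers in (("resolv.conf", parse_resolv_conf(SAMPLE_RESOLV_CONF)),
                           ("ipconfig", parse_ipconfig(SAMPLE_IPCONFIG))):
        unexpected = audit(servers)
        status = "UNEXPECTED resolver(s): " + ", ".join(unexpected) if unexpected else "ok"
        print(f"{label}: {servers} -> {status}")
```

      On a real host the two parsers would be fed the contents of /etc/resolv.conf or the captured output of `ipconfig /all`; anything flagged by `audit` is the cue to reset the resolver, flush the cache (killmofasta's `ipconfig /flushdns` above) and look for whatever changed the setting.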

  21. DNSSEC provides a solution by Anonymous Coward · · Score: 5, Informative

    The threat described has been understood for quite a while. Standards for applying digital signatures to DNS data have been in the works for a decade and recently there has been a lot of progress in implementation. Current versions of BIND and several other DNS packages provide DNSSEC support. Several Country Code TLDs are signed. Verisign has just announced support for DNSSEC in the root zone ("."). Check out dnssec.net, dnssec-deployment.org, etc.

    1. Re:DNSSEC provides a solution by Florian+Weimer · · Score: 1

      Not really. If the caching resolver isn't trusted, it doesn't matter if it is DNSSEC-aware or not. The clients usually run only stub resolvers and rely on the caching resolver to do the hard work.

      And given that the switch to the untrustworthy DNS resolvers typically occurs when the user installs some alleged video codec, it would be easy to add additional DNSSEC trust anchors at this stage, too. For X.509 web server CAs, it has already been demonstrated that this is feasible when Comscore, through its Marketscore brand, did exactly that in order to be able to route HTTPS traffic through its proxies and analyze it in the clear.

  22. MOOT! by Bring+the+Brain · · Score: 1

    Really, think about this. The internet is a zillion network devices attached. Don't you agree you can create a rogue DNS server just as easily as creating a rogue router. It comes down to how much homework you did when choosing your ISP.

  23. mod parent up by Anonymous Coward · · Score: 0

    this isn't off topic! it's a funny reply to its parent, answering the question posed. mods... get a grip!

  24. Ummm... by GlobalColding · · Score: 1

    Don't you have to be kinda stupid to fall for that?

  25. DNS is obviously a failure.... by BuhDuh · · Score: 3, Funny

    and should be ditched immediately. It's insecure and slow. We should all go back to remembering the dot-quads of the sites we know are safe, the way it was in the good old days.

    --
    Enlightenment? It's just a flush in the pan.
    1. Re:DNS is obviously a failure.... by rewt66 · · Score: 4, Funny

      *cough*ARP poisoning*cough*

    2. Re:DNS is obviously a failure.... by lintux · · Score: 1

      > We should all go back to remembering the dot-quads of the sites we know are safe, the way it was in the good old days.

      You're going to love the day IPv4 gets abandoned in favour of IPv6...

    3. Re:DNS is obviously a failure.... by woolio · · Score: 1

      *cough*ARP poisoning*cough*

      That's why real geeks know by heart their ISP's

      1) Gateway IP address
      2) Gateway MAC address
      3) Subnet Mask
      4) DNS IP address
      5) DNS MAC address [if on local subnet]
      6) DHCP Server MAC Address

      Anything less is just being careless :->

    4. Re:DNS is obviously a failure.... by Neanderthal+Ninny · · Score: 1

      Is this anything like Polonium poisoning of Alexander Litvinenko?

      Yes, DNS is a failure under its current condition. Root DNS servers are well protected, but all the other DNS servers can't be authenticated with the root servers, so that's where the problems are. Any idiot can make a DNS server and then write a script or malware so they can rewrite the DNS server setting so it will point to that idiot's DNS server, so they can do what they can to you. An average person on the street doesn't know what their DNS server's IP address is or what it is supposed to be, and therein lies the problem. However, even a technically savvy person will have a hard time when they travel and jump from one network to another and DNS servers change per ISP/network.
      OpenDNS is a good solution for those who are in doubt of their DNS server settings, but some ISPs/networks don't allow external DNS servers into their network, so you are at the mercy of the ISP/network.
      However, this can go to its knees because an a$$hole wants to do a DDoS on the root servers or OpenDNS.

    5. Re:DNS is obviously a failure.... by Skapare · · Score: 1

      We are running out of dot-quads. They have this new supply of colon-hex things, but they are sooooo big.

      --
      now we need to go OSS in diesel cars
    6. Re:DNS is obviously a failure.... by Lennie · · Score: 1

      I know you're kidding, but I just wanted to point out...

      There are not enough IPv4 addresses to host all the websites; most use HTTP Host header fields (more than one site per IP address).

      So it would not be dot-quads, but IPv6-addresses if we would want to keep all sites online, I wish you luck.

      --
      New things are always on the horizon
  26. Find'em Kill'em by Nom+du+Keyboard · · Score: 1

    If you can find them, and count them, why can't you kill them off as well?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  27. Re:Is this about OpenDNS redirecting www.Google.co by Xgamer4 · · Score: 1

    Because I use OpenDNS I figured I'd look into this. Apparently the intent of this was to prevent spyware on some Dell computers from completely filling up any typoed addresses with ads. This link goes into more detail:
    http://blog.opendns.com/2007/05/22/google-turns-the-page/

  28. Re:Is this about OpenDNS redirecting www.Google.co by fhic · · Score: 2, Informative

    Yeah, actually this is *exactly* why I use OpenDNS.

    As you probably already know (why else are you posting as an AC?) this is a workaround for a nasty thing that Dell and Google have come up with to present the user with a screen full of ads when they make a typo in the search box. It's installed by default on new Dell machines. It's impossible for an ordinary user to turn off. I'm a hardcore techie and I had a rough time with it on my new Inspiron. More details here: http://blog.opendns.com/2007/05/22/google-turns-the-page/

    So, AC, do you work for Google or Dell? Shame on you in either case for spreading this FUD. If you work for Google, even more shame for violating the "don't be evil" policy. Because this is pretty fucking evil, and trying to convince people not to use OpenDNS because of it is even more evil.

  29. By Neruos by Anonymous Coward · · Score: 0

    No such thing as a rogue DNS, only rogue users or people. An object can not be rogue. There is also no such thing as an evil DNS or a bad DNS. Only Technology used for evil or bad purposes.

  30. Re:Is this about OpenDNS redirecting www.Google.co by Niten · · Score: 4, Insightful

    FUD? There's no FUD about it: if you use OpenDNS and perform a Google search, your search queries are being proxied through OpenDNS's servers. That's quite a breach of trust because -- unless they've changed something since I last checked -- this proxying of search data isn't exactly advertised to the user in advance. Even if I felt I could absolutely trust OpenDNS with all my data, such covert behavior would still make me uncomfortable.

    As for the Google/Dell deal: yeah, it's evil, and the OpenDNS guys are right to bring attention to it. But it's a problem that needs to be solved at the application level, not by mucking around with users' DNS whether they're on an affected Dell or not. It's the wrong place and the wrong approach to solve this problem, and borderline creepy to boot.

    I'm not sure why you're so angry with the Anonymous Coward for pointing this out; everything he said was unbiased and factually accurate. If the truth is going to "convince people not to use OpenDNS," then so be it.

  31. Re:Is this about OpenDNS redirecting www.Google.co by Anonymous Coward · · Score: 0

    Situation recap: Some percentage of Dell customers have incomplete or mistyped URLs handled by a local software which came preinstalled on their computer. Their regular browsing is unaffected, like all browsing of non-Dell customers, including typos and incomplete URLs. To solve this problem for the small percentage of Dell customers who a) know about OpenDNS and b) know how to change DNS settings but c) don't know how to uninstall a browser helper object or install a different browser, OpenDNS redirects all www.google.com URLs for all OpenDNS users, including URLs with session IDs and other sensitive information, through OpenDNS servers.

    Even if you think that that is a defensible position, it is still DNS hijacking, and since very few OpenDNS users know about it, it can only be classified as a rogue DNS server. I don't work for Google or Dell and I despise typo-squatting of any kind, but I have to wonder why you think that posting the fact that OpenDNS hijacks www.google.com implies an affiliation. OpenDNS hijacks the most-used domain and is not upfront about it. If that bothers people and convinces them to use a different resolver, it is not because I told them it's going on, but because that's what's going on.

  32. Re:Is this about OpenDNS redirecting www.Google.co by lintux · · Score: 1

    It can't be that hard to remove/ignore.. Or does it hook into other browsers than MSIE as well?

    But still, that thing is indeed a little bit disappointing. I'm not sure if OpenDNS has the right to call it spyware though. It seems to fit the definition of adware. But like this, OpenDNS can see everything that's supposed to go to google.com. And IMHO, a truly paranoid person should trust OpenDNS as much as he/she trusts Google... Pot, kettle?

  33. Anyone gotta link to the paper by hal9000(jr) · · Score: 1

    All I can find is a bunch of copies of the AP article.

  34. Mod Parent Up, Please! by billstewart · · Score: 4, Interesting
    Not only is it possible for an Open Wifi system to be running a rogue DNS or other untrustworthy configuration, it's in fact nearly universal at commercial establishments that want to hand you a login page before letting you have access. It may be a non-free page that wants you to give them a credit card number, or it may be a free wireless system that wants you to check a box saying "Yes, I agree you're connecting me to the Real Internet, and anything unpleasant I see there is Not Your Fault." And there have been a number of proposals for "free" municipal wireless that want to hijack every web page you access to put banner ads on them, as well as the ones that just give you the ad banners when you first connect.

    That doesn't mean, of course, that logging onto a random "linksys" SSID in a residential neighborhood won't actually get you a rogue DNS installed on a virus-infected computer, or a kid's wireless system trolling for passwords from nearby gamerz. But those are at least not *guaranteed* to be hijacking you.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
    1. Re:Mod Parent Up, Please! by Anonymous Coward · · Score: 0

      There is nothing wrong with public wifi networks that ask for login, password and credit card as long as they are protected via SSL and the trust chain is properly validated -- given of course they don't bill you for data usage of the person who hijacks your connection after you pack up and leave the area.

      Remember the Internet itself isn't secure or trusted in any way. End-to-end security technologies are the only measure we have to conduct secure communications over untrusted networks.

      As with any access to the Internet even from your DSL or Cable modem at home if you don't keep the above in mind you will eventually get acid burned 0wned!1 or whatever.

  35. Re:Is this about OpenDNS redirecting www.Google.co by robo_mojo · · Score: 1

    I don't own a Dell nor do I have any Google software installed on my computer. Why again would I want to have my Google searches hijacked by my DNS provider? How is hijacking search results justified in that case?

    Why accuse someone of working for Google or Dell when they say they don't want their searches hijacked?

    Note, I don't work for Google or Dell or OpenDNS. Actually I just run BIND 9 on my network to do DNS recursion and get the answers from authority nameservers directly. Cut out the middleman and save yourself a lot of trouble if it is such a big deal.

  36. Hide in Shadows by antirelic · · Score: 0

    I wonder if rogue DNS servers know if their hide in shadows and move silently checks fail?

    --
    20th century Marxism is not progress...
  37. Question about DNS and Zone Alarm firewall. by Anonymous Coward · · Score: 0

    I have a dial-up connection and am running Zone Alarm firewall. Whenever I connect to the net, Zone Alarm asks me if I want 0.0.0.0:DNS to connect to the net. I always answer no. Then it asks me if I want [the DNS used by my ISP] to connect. I answer yes, and I'm on the net.
    Has anyone had similar experience, and does anyone know what this 0.0.0.0:DNS is?

  38. And who is controlling them? by jjrff · · Score: 1

    My rogue dhcpd servers ... muhahahaha! thank you ISC...

  39. Re:Is this about OpenDNS redirecting www.Google.co by Anonymous Coward · · Score: 0

    If you're so concerned about it, use something like Scroogle

  40. Idea for preventing this stuff by Myria · · Score: 1

    It seems that the fundamental problem with DNS poisoning is that the token field of DNS packets is too short to prevent a brute-force or birthday attack. The long term solution is definitely a solution involving certificates, but I think that there might be a short-term solution.

    Can a DNS request ask for two domains at once? If so, I think that this sort of attack could be blocked without having to upgrade all servers at once.

    In addition to your normal request, you could ask for the IP address of "jl39dl9z.bogus.dns". When the reply comes back, it will naturally say that "jl39dl9z.bogus.dns" does not exist. The garbage name would be used as an additional token - that the server replied with it at all shows that the correct DNS server received the packet and replied. An attacker wouldn't be able to guess it.

    Am I totally wrong about this? I don't know the actual DNS protocol.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  41. Re:I use the DoD's DNS Servers..... by killmofasta · · Score: 1

    Not only that, they are probably a bit slow. You can do a ping to the nameserver to see how close/fast it is. Some nameservers have the ping port closed, so it doesn't work all the time,

    and if you would not like a knock on your door...
    try to avoid poking around the DoD or DHS's security.
    Get a look at WhiteHouse.com!!! Hey.....

  42. YOU CHEATED by killmofasta · · Score: 1

    You read the DNS book. :P
    You can also use other DNS roots:

    http://en.wikipedia.org/wiki/Alternative_DNS_root

  43. Re:Is this about OpenDNS redirecting www.Google.co by Skapare · · Score: 1

    And this is also a reason Dell doesn't like Linux on consumer desktop PCs; they lose all that recurring ad revenue.

    --
    now we need to go OSS in diesel cars
  44. Huh? by rs79 · · Score: 1

    I've read TFA and every comment on this page.

    Can somebody actually show me a "rogue" DNS server?

    What constitutes a "rogue" DNS server? One that doesn't track exactly the US Government root, or one that has incorrect addresses for sites for commercial gain (i.e. PayPal, banks, etc.)?

    About a decade ago a guy went to prison for redirecting the internic by DNS cache poisoning. It was a big deal. Now I'm supposed to believe 60,000 people are doing it and it's not in the news?

    The half dozen or so ISPs around here, and Hughes sat, use a "transparent" web cache proxy. Doesn't matter what DNS servers you tell your computer to use, you get the DNS your ISP wants you to see, at least for web. Other protocols are unaffected. My understanding is this is quite widespread.

    --
    Need Mercedes parts ?
  45. Another way to possibly get a rouge DNS listing by impish500 · · Score: 1

    It could be possible that your ISP's DNS could have a bad DNS entry, or someone could be performing "man-in-the-middle" DNS request sniffing and point your computer to one of "their" DNS servers.

    1. Re:Another way to possibly get a rouge DNS listing by BurgerTime · · Score: 1

      A rouge DNS listing? Have you been watching Trading Spaces too much again?

  46. Re:Is this about OpenDNS redirecting www.Google.co by Veinor · · Score: 1

    "If you're so concerned about OpenDNS playing around with your information, use this other site! They're trustworthy, I swear!" Not convinced.

  47. Mod Parent Down, Please! by Anonymous Coward · · Score: 0

    What you describe is not only incorrect but way overthinking.

    Go read up here.

  48. Re:Is this about OpenDNS redirecting www.Google.co by mindstrm · · Score: 1

    Wow - thanks for that.
    I've been using opendns for years - It's faster, reliable, and an easy choice.

    I had no IDEA they were returning fake queries for google...... that's just nasty, and maybe even illegal.

  49. Solution by pdwalker · · Score: 1

    Use OpenDNS as your DNS server.

    Problem solved as long as you ensure your computers continue to use it.

    (Disclaimer: I am a happy user of their service)

  50. Real Men Don't Use DNS by ehaggis · · Score: 1

    They use IP Addresses. If you want more manliness (mod up +1 machismo) use MAC addresses.

    --
    One ring to bind them - should probably have more fiber and less rings in their diet.
  51. I had an ISP use rogue servers by qwan · · Score: 1

    There was an ISP who also hosts websites. A particular website was hosted with them (it was not operational and it pointed to the ISP homepage), and then they transferred to another host. If you used a connection on that particular ISP then it would still redirect to their homepage. They never changed the DNS settings, rather they don't automatically update their DNS server. When asked they said that they forgot to change it. I pointed out that DNS servers are supposed to be updated automatically. The website owner was not willing to sue them. This was in 2001; at that time I had posted this in a few forums asking if this was illegal, but nobody knew what I was talking about (at least in those forums, which were web design related). Well they are closed now. But I feel these rogue servers can be used by ISPs and cyber centres. Otherwise I don't see how these rogue servers could affect someone. AAhhh if a virus/malware/spyware could be written to change the DNS server settings in your network properties then these DNS servers could be dangerous. I think this is the only way they can be used.

  52. rogue dns servers??? by buck19 · · Score: 1

    I've never heard of that being a major problem. Most people today use routers that you can easily password lock as to the DNS server and other settings. And by default those routers are never accessible from the Internet even with no password. There are plenty of good alternative DNS servers people use for various reasons that are not rogue or evil. You can fix your DNS server settings even while keeping your IP setting DHCP in the Linux and Windows OS so they go to the DNS servers of your choice (usually people use their ISP's by default) and do not rely upon. Host.txt if used or hosts can be locked to root. I think Windows settings are encrypted and not easily changeable by any virus.
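
Both this comment and the one a few posts above it ("Problem solved as long as you ensure your computers continue to use it") come down to the same defensive point: a rogue resolver only matters once something on the host, the router or the hosts file points you at it, so the setting is worth checking rather than trusting. The script below is an added example, not code from the thread, and audits a Linux-style configuration: it compares resolv.conf against the resolvers you expect and scans the hosts file for names pinned to loopback (the "update server nulled out" pattern) or to addresses outside your own LAN. The two files are constructed samples; the expected resolver addresses, the domain names and the idea of a 192.0.2.x resolver are all hypothetical placeholders, and the LAN ranges are the RFC 1918 and ULA blocks.

```python
"""Audit resolver and hosts-file configuration for hijack signs (added example)."""
import ipaddress
from typing import List, Set, Tuple

# Resolvers this machine is supposed to use (hypothetical placeholder values).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Ranges in which a hosts-file pin is plausible: your own LAN (RFC 1918 + IPv6 ULA).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
nameserver 192.0.2.53
nameserver 198.51.100.7
options timeout:2
"""

SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
127.0.0.1   update.example-av.test      # constructed: update server nulled out
203.0.113.9 www.example-bank.test       # constructed: bank name pinned elsewhere
10.0.0.5    printer.lan                 # constructed: ordinary LAN pin, harmless
"""


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses in file order, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [names]) per hosts line; blanks, comments and lines whose
    first field is not an IP address are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def audit_resolvers(text: str, expected: Set[str]) -> List[str]:
    """Resolvers configured in the file that are not in the expected set."""
    return [s for s in parse_resolv_conf(text) if s not in expected]


def audit_hosts(text: str) -> List[Tuple[str, str, str]]:
    """(name, address, reason) for every suspicious pin in the hosts file.
    Mixed-version comparisons (an IPv6 address against an IPv4 net) are False."""
    findings = []
    for ip, names in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        for name in names:
            if name.lower() in LOCAL_NAMES:
                continue
            if addr.is_loopback:
                findings.append((name, ip, "non-local name mapped to loopback"))
            elif not any(addr in net for net in LAN_NETS):
                findings.append((name, ip, "name pinned to an address outside the LAN"))
    return findings


if __name__ == "__main__":
    for server in audit_resolvers(SAMPLE_RESOLV_CONF, EXPECTED_RESOLVERS):
        print("unexpected resolver:", server)
    for name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print("hosts file: %s -> %s (%s)" % (name, ip, reason))
```

On the samples it reports 198.51.100.7 as an unexpected resolver and flags the two constructed pins while leaving the loopback and LAN entries alone. On a real host you would feed it the contents of /etc/resolv.conf and /etc/hosts (or the router's DHCP-advertised DNS) and run it from a scheduled job, since the settings are only safe for as long as they keep pointing where you put them.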

  53. Simple alteration by RT+Alec · · Score: 1

    In my sample code, change 127.0.0.1 to the IP address of the DNS server you wish to use.