Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


April 2008

Conquer 2 New DNS Exploits

A WPADproblem and a resolver-reconfiguration vulnerability are targeting stub resolvers and wreaking havoc
RSS
Subscribe to Windows IT Pro | See More Domain Name System (DNS) Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
SideBar    Tried-and-True DNS Wisdom

Malicious Resolver Reconfiguration
Recently, the Measurement Factory conducted a survey of the Internet’s DNS infrastructure (dns.measurement-factory.com/surveys/200710.html) and found roughly 16 million open recursors. Open recursors are Internet IP addresses that will accept recursive queries from any querier. These findings are bad enough in and of themselves: Hackers can use open recursors as accomplices in distributed Denial of Service (DoS) attacks against targets on the Internet. Open recursive name servers are also more susceptible to cachepoisoning attacks. However, further investigation into the nature of these open recursors revealed a more insidious threat.

A team of researchers (including Georgia Tech’s David Dagon) sent queries to a subset of these open recursors and examined the responses. Most of the responses were correct, but some were wrong—most apparently due to bugs or misconfiguration. But some of the open recursors (about 68,000) returned responses that were both wrong and potentially malicious. These open recursors always returned the same addresses as the response to any query. Many of these addresses appear to belong to open proxy servers in unsavory locations (from an Internet standpoint), such as Russia and China, or on networks flagged to be frequent sources of spam.

Of course, no one in his or her right mind would deliberately reconfigure a computer’s resolver to point to one of these open recursors. Yet, in captures of Georgia Tech’s DNS traffic, Dagon and his team found many computers using these open recursors as primary sources of name resolution. Their resolvers had likely been reconfigured to use these open recursors by malware downloaded from the Internet—many species of malware do just this. Once the computers were thus reconfigured, the responses from the open recursors would shunt all Web traffic through these remote proxy servers, where the data (e.g., passwords, credit card information) could be captured and used maliciously.

Defending Against Resolver Reconfiguration
Besides the standard-issue precautions against downloading malware—such as educating users to employ proper discretion when downloading files from the Internet— there are measures you can take to prevent even compromised computers from falling victim to this scheme. Firewall rules should prevent arbitrary internal computers from querying name servers on the Internet. If malware is successful in changing a computer’s resolver configuration, the resolver will simply stop working. The computer’s user will likely report this problem to IT staff, who can then diagnose the problem, remove the malware, and restore the resolver’s original configuration.

Table 1 shows a set of firewall rules that permits a designated set of internal name servers to query Internet name servers (and receive responses) but deny queries sent directly from internal resolvers to Internet name servers. If possible, the firewall should also use stateful filtering of UDP to accept UDP datagrams only from the IP addresses of Internet name servers that were recently queried by an internal name server.

Don’t Forget the Client
Like most IT administrators, you might be focusing your efforts on securing name servers, but attacks can also target clients. Due attention is therefore necessary. Successful attacks against resolvers can result in just as much damage—and can be considerably more subtle—than attacks against name servers.

For more helpful DNS best practices and tools, please visit my online library of resources at www.infoblox.com/library/dns_resources.cfm.

End of Article

   Previous  1  [2]  Next  


Reader Comments

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

Understanding File-Size Limits on NTFS and FAT

A general confusion about files sizes on FAT seems to stem from FAT32's file-size limit of 4GB and partition-size limit of 2TB. ...


Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education

Related Events WinConnections and Microsoft® Exchange Connections

Deep Dive into Windows Server 2008 R2 presented by John Savill

Check out our list of Free Email Newsletters!

Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement