Malicious Resolver Reconfiguration

Recently, the Measurement Factory conducted a survey of the Internet's DNS infrastructure (dns.measurement-factory.com/surveys/200710.html) and found roughly 16 million open recursors. Open recursors are Internet IP addresses that will accept recursive queries from any querier. These findings are bad enough in and of themselves: Hackers can use open recursors as accomplices in distributed Denial of Service (DoS) attacks against targets on the Internet. Open recursive name servers are also more susceptible to cache-poisoning attacks. However, further investigation into the nature of these open recursors revealed a more insidious threat.
A team of researchers (including Georgia Tech's David Dagon) sent queries to a subset of these open recursors and examined the responses. Most of the responses were correct, but some were wrong—most apparently due to bugs or misconfiguration. But some of the open recursors (about 68,000) returned responses that were both wrong and potentially malicious. These open recursors always returned the same addresses as the response to any query. Many of these addresses appear to belong to open proxy servers in unsavory locations (from an Internet standpoint), such as Russia and China, or on networks flagged to be frequent sources of spam.
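The "same addresses for every query" pattern described above is easy to test for once you have a resolver's answers to a few unrelated names. The following is an added example, not code from the article or from the researchers' survey: it compares each tested resolver's answers against a trusted reference resolver and flags the ones that hand back a single constant answer set. All IP addresses and names are constructed from documentation ranges; nothing here is taken from the actual survey data.

```python
from collections import Counter


def classify_resolver(answers, reference):
    """Classify one resolver's answers to a set of probe names.

    answers:   {name: frozenset of addresses the tested resolver returned}
    reference: {name: frozenset of addresses a trusted resolver returned}

    Returns 'correct', 'wrong', or 'constant'. 'constant' is the suspicious
    pattern from the article: the same non-empty address set for every name.
    """
    # The check only works if the probe names legitimately resolve to
    # different addresses; otherwise a constant answer could be correct.
    if len(set(reference.values())) < 2:
        raise ValueError("probe names must have distinct reference answers")

    if all(answers.get(name) == addrs for name, addrs in reference.items()):
        return "correct"

    returned = {answers.get(name, frozenset()) for name in reference}
    if len(returned) == 1 and returned != {frozenset()}:
        return "constant"   # one address set regardless of the question asked
    return "wrong"          # bugs, misconfiguration, or missing answers


def survey(results, reference):
    """results: {resolver_ip: answers}. Returns (Counter of verdicts,
    sorted list of resolver IPs flagged as 'constant')."""
    verdicts = {ip: classify_resolver(ans, reference) for ip, ans in results.items()}
    flagged = sorted(ip for ip, v in verdicts.items() if v == "constant")
    return Counter(verdicts.values()), flagged


# Constructed reference answers from a trusted resolver (RFC 5737 addresses).
REFERENCE = {
    "www.example.com": frozenset({"192.0.2.10"}),
    "mail.example.org": frozenset({"198.51.100.25"}),
    "ns1.example.net": frozenset({"203.0.113.53"}),
}

# Constructed: an address a hijacking recursor might return for everything.
HIJACK = frozenset({"203.0.113.99"})

# Constructed answers from four hypothetical open recursors.
SAMPLE_RESULTS = {
    "203.0.113.1": dict(REFERENCE),                                 # honest recursor
    "203.0.113.2": {**REFERENCE, "ns1.example.net": frozenset()},   # buggy: lost one answer
    "203.0.113.3": {name: HIJACK for name in REFERENCE},            # constant answer: malicious pattern
    "203.0.113.4": {name: frozenset() for name in REFERENCE},       # answers nothing usable
}


if __name__ == "__main__":
    counts, flagged = survey(SAMPLE_RESULTS, REFERENCE)
    print(counts)
    print("flagged as constant-answer:", flagged)
```

In practice the reference answers would come from a resolver you control, and the probe names should include names whose addresses differ and that no single CDN serves, so that a legitimately shared address is not mistaken for the hijack pattern.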
Of course, no one in his or her right mind would deliberately reconfigure a computer's resolver to point to one of these open recursors. Yet, in captures of Georgia Tech's DNS traffic, Dagon and his team found many computers using these open recursors as primary sources of name resolution. Their resolvers had likely been reconfigured to use these open recursors by malware downloaded from the Internet—many species of malware do just this. Once the computers were thus reconfigured, the responses from the open recursors would shunt all Web traffic through these remote proxy servers, where the data (e.g., passwords, credit card information) could be captured and used maliciously.
Defending Against Resolver Reconfiguration

Besides the standard-issue precautions against downloading malware—such as educating users to employ proper discretion when downloading files from the Internet—there are measures you can take to prevent even compromised computers from falling victim to this scheme. Firewall rules should prevent arbitrary internal computers from querying name servers on the Internet. If malware is successful in changing a computer's resolver configuration, the resolver will simply stop working. The computer's user will likely report this problem to IT staff, who can then diagnose the problem, remove the malware, and restore the resolver's original configuration.
Table 1 shows a set of firewall rules that permits a designated set of internal name servers to query Internet name servers (and receive responses) but denies queries sent directly from internal resolvers to Internet name servers. If possible, the firewall should also use stateful filtering of UDP to accept UDP datagrams only from the IP addresses of Internet name servers that were recently queried by an internal name server.
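Table 1 itself is not reproduced here, so the following is an added example (not the article's rule set) that models the policy it describes as a small stateful filter and runs it over a constructed packet trace. The internal range 10.0.0.0/8, the two designated name servers, the 30-second state timeout and all Internet addresses (RFC 5737 documentation ranges) are assumptions for the example. The state table is kept for TCP as well as UDP, which is slightly stricter than the article's UDP-only suggestion.

```python
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")      # assumed: the site's internal range
INTERNAL_NAME_SERVERS = {                    # assumed: the designated internal name servers
    ip_address("10.0.0.53"),
    ip_address("10.0.1.53"),
}
STATE_TIMEOUT = 30  # seconds an outbound query keeps the return path open (assumed)


class DnsEgressFirewall:
    """Model of the rule set: only designated internal name servers may send
    queries to Internet name servers, and answers are accepted only from an
    Internet address that one of them queried within STATE_TIMEOUT seconds."""

    def __init__(self):
        # (internal name server, Internet name server, proto) -> time of last query
        self.pending = {}

    def _expire(self, now):
        self.pending = {key: t for key, t in self.pending.items()
                        if now - t <= STATE_TIMEOUT}

    def handle(self, now, src, sport, dst, dport, proto):
        """Return 'accept', 'drop', or 'no-match' for one packet."""
        src, dst = ip_address(src), ip_address(dst)
        self._expire(now)
        outbound = src in INTERNAL_NET and dst not in INTERNAL_NET
        inbound = dst in INTERNAL_NET and src not in INTERNAL_NET

        if outbound and dport == 53:
            if src not in INTERNAL_NAME_SERVERS:
                # An internal resolver reaching an Internet name server directly:
                # exactly what a maliciously reconfigured host would do.
                return "drop"
            self.pending[(src, dst, proto)] = now   # remember whom we asked
            return "accept"

        if inbound and sport == 53:
            if dst not in INTERNAL_NAME_SERVERS:
                return "drop"                        # answers only to the designated servers
            # Stateful check: accept only if this name server recently queried this source.
            return "accept" if (dst, src, proto) in self.pending else "drop"

        # Not DNS across the perimeter (or not crossing it at all): other rules decide.
        return "no-match"


# Constructed trace: (time, src, sport, dst, dport, proto).
SAMPLE_TRACE = [
    (0,   "10.0.0.53",   1025, "192.0.2.10",   53,   "udp"),  # internal NS queries an Internet NS
    (1,   "192.0.2.10",  53,   "10.0.0.53",    1025, "udp"),  # its answer comes back
    (2,   "203.0.113.7", 53,   "10.0.0.53",    1025, "udp"),  # unsolicited "answer" from a host never queried
    (3,   "10.0.5.20",   4000, "198.51.100.1", 53,   "udp"),  # workstation repointed at an open recursor
    (100, "192.0.2.10",  53,   "10.0.0.53",    1025, "udp"),  # late answer after the state entry expired
    (101, "10.0.5.20",   4001, "10.0.0.53",    53,   "udp"),  # workstation using the internal NS: no perimeter crossing
]


def run_trace(trace):
    """Feed a trace through a fresh firewall and return the verdict per packet."""
    fw = DnsEgressFirewall()
    return [fw.handle(*packet) for packet in trace]


if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{verdict:8s} {packet}")
```

The fourth packet is the case the article cares about: the workstation's resolver has been repointed at an Internet address, its query is dropped at the perimeter, and name resolution on that host visibly fails, which is what prompts the user to call IT. The third and fifth packets show the value of the stateful check: an unsolicited datagram from source port 53, whether spoofed or merely late, never reaches the internal name server.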
Don't Forget the Client

Like most IT administrators, you might be focusing your efforts on securing name servers, but attacks can also target clients. Due attention is therefore necessary. Successful attacks against resolvers can result in just as much damage as—and can be considerably more subtle than—attacks against name servers.
For more helpful DNS best practices and tools, please visit my online library of resources at www.infoblox.com/library/dns_resources.cfm.