New DNS name server hijacking attack revealed …


Researchers have discovered a “new” class of DNS vulnerabilities in AWS Route53 and other DNS as a service offerings that disclose sensitive information about businesses and government customers in a single, simple registration process. cloud security researchers took a quick look at Amazon Web Services’ Route 53 Domain Name Service (DNS) earlier this year and suddenly realized that its domain registration system in self-service could configure a new host zone with the same name. It was. The actual AWS name server that you were using. In seconds, discover fake name servers inundated with DNS queries from other AWS customer networks (external and internal IP addresses, financial computer names, human resources, production servers, organization names). I was shocked.

Anyway, after registering a fake AWS name server as follows, I received traffic from over 15,000 different AWS customers and one million endpoints., The same name as the actual AWS name server.

Ami Luttwak, co-founder and CTO of and former member of Microsoft’s cloud security team, said, “I was trying to figure out how to crack the DNS, but what traffic was generated? I didn’t know if that was the case. “Theoretically, if you register the name of the name server … it should have no effect.” “

DNS services such as AWS Route53 allow you to update your domain name and the name server whose domain points to your DNS query. Researchers say they just created a new hosted zone inside wIn the same Monica, it points to an IP address. Then I received a DNS request from a Route 53 client’s device to a server of the same name which was fraudulent.

Researchers were able to use the traffic to gather a treasure trove of information on Fortune 500 companies, including commodity trading companies, 45 U.S. government agencies, and 85 foreign government agencies. They collected details from their traffic data, such as the physical locations of offices and employees in certain organizations. “In just a few hours of tapping a small part of the network, we discovered that we had an incredible body of information,” says Luttwak. “I called it a nation-state intelligence function using a simple domain registration.”

For example, researchers could use the DNS query data to explore the locations of the offices of trading companies and the number of employees, as well as large subsidiaries of credit unions and other organizations with branches in Iran.

AWS fixed the hole in mid-February, shortly after researchers warned in January, but at least two other vendors contacted by researchers about the flaw have yet to fix it in their DNS service. An AWS spokesperson did not provide details, but Route53 confirmed that it was “not affected by this issue” and the service “prevented the creation of a hosted zone for the associated DNS name. to the Route53 name server “. I will do it. “

All that was needed to fix the AWS Route53 vulnerability was to put the official name of the AWS name server on the so-called “ignore” list, explains Shir Tamari, head of the security research team at .. “The problem was that anyone could register official nameservers on the platform, so putting the list of nameservers in the ‘ignore’ list would prevent an attacker from registering them.

“It was a very quick and efficient solution,” adds Tamari.

According to the researchers, DNS providers like the other two services are vulnerable to this vulnerability. This is essentially an implementation flaw. The team has notified affected vendors, but will not release the name because the issue has yet to be resolved.

Meeting of DNS “OG” and DNSaaS
This attack takes advantage of the gray area of ​​the DNS infrastructure. This is an unintended and unexpected result of combining traditional old-fashioned DNS technology on some Windows machines with the DNS service capabilities of today’s cloud. Traditional DNS client software is old, some of which were created 20 years ago and are designed for trusted internal corporate domains rather than cloud-based corporate infrastructure.

According to the researchers, endpoints reveal sensitive information when they query DNS servers, which is in large part a result of the complexity of the DNS itself. “DNS clients perform non-standard queries and DNS providers allow clients to enter their own DNS zones on the server,” Luttwak explains. The client reveals details through dynamic DNS updates. This is fine in an internal DNS infrastructure environment, but if you are using a cloud-based DNS service, it may leak to other clients of that service provider.

“That is, if the teleworking endpoint is no longer in use [internal] The DNS resolver accesses the network from a DNS server, ”he explains, updating the searcher’s malicious name server rather than his own. All algorithms introduced in Windows 20 years ago [use] Logic built when there were no internet issues – it wasn’t for a shared DNS server. As a result, the endpoint “registers itself with a cloud-based name server,” he says.

There is also an IPv6 factor. The researchers found that some devices using the new version of the Internet Protocol (IP) are exposed and can be accessed by attackers. “Of the millions of endpoints that sent dynamic DNS data, we found that we could access the internal IPv6 endpoint,” says Tamari. Therefore, users working away from their home or office and running IPv6 risk exposing their devices to the Internet.

According to Tamari Soy Sauce, researchers found that about 6% of IPv6 devices are exposed through, for example, HTTP, RDP (Remote Desktop Protocol), and SMB.

Researchers say they can’t tell if an attacker exploited this DNS weakness, but warn that it may exist in the services of other DNS providers as well. “This is important for all DNS providers”, it is important not to leave customers exposed through this vulnerable DNS configuration.

This vulnerability is unlike other flaws the research team saw in cloud services. This is not a classic software bug. “The logical flow leads to unexpected results,” he says. “It’s hard to find these new types of vulnerabilities. It is in the logic of how to build them. [DNS] a service. “

Researchers say DNS providers must use the DNS RFC specification for reserved domain names, validate domains, and verify domain ownership.

Protect DNS
Your organization also has the option of protecting DNS traffic from DNS hijacking. “There are some things organizations can do to prevent dynamic DNS from reaching malicious servers,” says Tamari, such as firewalls and DNS traffic monitoring tools. From the endpoint.

Kelly Jackson Higgins is the editor-in-chief of Dark Reading. She is an award-winning technology and business veteran journalist with over 20 years of experience reporting and editing various publications such as Network Computing and Secure Enterprise… See Full Biography

Recommended reading:

Other information


About Author

Leave A Reply