DNS security is of great importance to the internet as a whole. DNS, or Domain Name System, is a naming standard in which names are resolved to IP addresses. When you surf the internet your ISP’s name servers are queried and the appropriate IP address is found, you’re then forwarded to the correct location of your choice.
IPv4 and IPv6 protocols may make IP addresses appear different, but DNS is used regardless of the IP protocol used. While DNS is more of a phone book or database than the method used for communicating data (the IP protocols themselves), attackers can use DNS changing techniques to their benefit. (Actually there are a lot more differences than appearances when dealing with the new IPv6, but that’s beyond the scope of this article.)
Threats from DNS exploitation include the DNS Changer/Alureon virus and social engineering/harvester attacks used in phishing. Have you ever spent any time in Backtrack Linux? You can easily create faked login pages for use during certain types of man-in-the-middle (MITM) attacks. Such pages can be concealed to appear real but, in actuality, forward your valuable information to an attacker. Some, like the aforementioned harvester attack, will forward you to the correct page afterwards… you’ll never know you were taken advantage of!
Note: Backtrack is a legitimate security auditing Linux distribution. Don’t use it against others (after all, this blog is for folks really interested in security not as a “hacking guide”).
Credential Harvester
One of the most effective attacks is the replication of a false login page. As seen by using the Metasploit Framework. Absolutely any type of false login can be created using the Social Engineering Toolkit (SET). When combined with a successful MITM attack or by including such a payload in malware, an attacker can gain sensitive information about you.
Alternative name server solutions sometimes offer greater security over your standard ISP’s DNS servers. Such tools can often be used to detect false sites as they resolve.
Further Reading on SET’s Credential Harvester
Metasploit Unleashed – Credential Harvester Attack:
http://www.offensive-security.com/metasploit-unleashed/SET_Credential_Harvester_Attack
Note: If you’re interested in seriously studying computer security you owe it to yourself to check out the Metasploit Framework.
History Repeating: The DNSChanger Scare
Almost everyone remembers the scare we had recently with the DNS Changer incident. Uncured computers infected with DNSChanger/Alureon that faced a big problem: with the arrest of botnet masters across the globe, the FBI feared that maliciously redirected DNS entries would – instead of resolving to unintended sites for phishing and advertising – instead, simply fail.
The DNS Changer Working Group (DCWG) has a nifty website that checks for whether or not your DNS resolution was hijacked. The incident turned out to be a major disaster for the FBI and few others. Internet
Service Providers compensated for this and allowed their own name servers to re-redirect the faulty computers. In the news the FBI seemed to blame everyone but themselves. In actuality they overestimated the risk. They even failed to notify people that DNSChanger was actually the very old and well known Alureon to begin with.
Also, the DCWG website would have apparently given nearly everyone in the United States a false sense of security. With ISPs compensating for DNSChanger months in advance (in some cases nearly since Alureon has been around), the page would have infected machines to be uninfected simply by virtue of your ISP correcting the problem (the number one complaint made by the FBI against ISPs).
Guess the internet didn’t shut off! Okay, disperse people. We can all go back to work safely.
Yet on an individual level DNS changing malware is still a very real security problem and, if launched successfully, can mean you handing over sensitive information to the attacker.
As I’m writing this I’ve noticed the DCWG page is back online. While the “global meltdown” is no longer a real threat, the page still can be used to attempt to detect DNSChanger on individual computers. Note that I’m not saying it isn’t a real concern, it is a concern merely not a global threat as the FBI suggested. Prior to the DCWG page going back online, a notice was post explaining how ISPs compensated for DNSChanger and therefore would have rendered their site useless against actually detecting DNSChanger.
So a joke? No. OpenDNS.com reported in blog posts that over hundreds of thousands were infected but simply didn’t know it. While there wasn’t a global meltdown of epic proportions, users should still take note that the threat is real and do everything they can to ensure their own safety. Use DCWG but simply keep in mind that many ISPs have independently addressed this issue: if you are still infected you should get it cleaned up. Also be sure to run regularly updated malware protection.
DNS Changer Detection (DCWG): http://www.dcwg.org/detect/
Malware Bytes: http://www.malwarebytes.org/
Further Reading on DNSChanger
Blog Post on DNSChanger on Geek Street:
http://mountainloopexpress.com/index.php?fn_mode=fullnews&fn_id=694
Tech Republic Post by Alfonso Barreiro Prior to Incident:
http://www.techrepublic.com/blog/security/preparing-for-the-dnschanger-internet-outage/7863?tag=nl.e036
DNA India on DNS Changer Prior to Incident:
http://www.dnaindia.com/pune/report_dns-syndrome-not-a-major-threat-experts_1712350
Peckham, Matt. “DNSChanger: No, the Internet Isn’t Shutting Down on Monday.” Time Magazine. July 6, 2012. Note: Prior to incident, warnings that a global meltdown scenario is not accurate but threat is still real.
Chabrow, Eric. “Malware Monday: Much Ado About Nothing.” Bank Info Sec. July 5, 2012.
DNS Cache Poisoning/Spoofing Attacks
The types of attacks above are DNS Cache Poisoning attacks and rely on an attacker changing your DNS table to facilitate faulty look-ups (ones that can appear real but be used to steal your information).
More info on DNS poisoning generally can be found on these sites:
http://searchsecurity.techtarget.com/definition/cache-poisoning
http://cr.yp.to/djbdns/notes.html#poison
Alternative DNS Solutions
There are quite a number of different ways to protect against phishing online from nifty router firewall software that monitors the sites you visit to anti-virus software. In the end, used intelligently, a combination of all these methods can be utilized to safeguard your presence online. One small solution (the focus of this article) is to use an alternative name server with security tools built-in to protect you from visiting faulty or purposely misleading websites.
OpenDNS is a terrific solution which provides fast and stable name servers with anti-phishing protection. Combined with DNSCrypt, your DNS look-ups will also be encrypted so that if you have a virus, it’ll be more difficult to change your DNS look-up behavior. Plus OpenDNS enables the use of parental controls for parents to block access to certain types of sites. There’s a paid version and an ad-supported free version which, upon entering an unresolvable IP, you’ll get an error page, like normal, but with an ad.
This solution does not replace the need for a VPN, does not offer the extendability and protection of a good proxy, does not anonymize you in any way, shape, or form, and does not encrypt data passing through your network (for a free solution that encompasses all of those forms of protection, please look into running an OpenVPN+Squid Virtual Private Network as I describe as being effective in this article). This solution is for those wishing to either secure their DNS querying, protecting their system from the above risks and/or accessing sites their ISP would otherwise prohibit them from seeing (such as regional restrictions).
For more information on OpenDNS with DNSCrypt, see ghacks.net’s article entitled, “OpenDNS DNSCrypt, Increase Security By Encrypting DNS Traffic.”
DNSCrypt relies on elliptic-curve cryptography, Curve25519, as outlined here: http://dnscurve.org/crypto.html — keep in mind that the DNS server must actually use DNSCurve in order for you to gain its benefits. If in doubt, call your ISP to see if you can make use of it by itself or use DNSCrypt with the the OpenDNS Service. To setup DNSCurve without relying on OpenDNS, click here for instructions.
DNSSEC Protection: Why It Isn’t Enough
DNS Security Extensions is a way of authenticating DNS entries and ensuring that the response from a queryed server is coming from the intended server. In and of itself it offers no crypto-level protection but it does add a small layer of protection. When considering DNS service providers you should choose ones that use DNSSEC in combination with an encryption tool depending on your needs.
DNS Server Logging and Record Keeping
(Should You Use an Alternative DNS Server?)
Theoretically OpenDNS can compile a list of every site you access (name and IP address). But they do not have access to your data. Once a name server resolves a name to an IP address, a link is created and the DNS server’s role is at an end (simplistically speaking). That means that your ISP actually has even more information about you than any sole DNS server could ever have.
Not only does your ISP have access to the sites you visit through their name server logs, they could potentially see your web traffic so long as it’s unencrypted (not using SSL) since it is running through their network.
It all comes down to personal choice and who you’re willing to trust more (or more completely). Your ISP or your ISP and a third party DNS service. Everyone’s goals and desires are different, the purpose of this post is to inform you of the technology, the threat and possible solutions.
Keep in mind that despite your best efforts to be safe online, your unencrypted information is out there. Plenty of third party sites know what you do. Even by using proxy chains (and I’ve used some pretty extensive proxy chains), most of your activities can eventually be tracked back to you. Generally speaking, your ISP will always have extensive records chronicling your internet adventures.
In an insecure world, what measures do you think are acceptable and worth going through in order to safeguard your privacy?
As a great American Hero once said, “Only You Can Prevent Forest Fires.”
Related post: “Public Wi-fi? Be Mindful of Session Hijacking.”