Filename DNS hijacking
Author WhySoSeriousssssssssssss
Date and Time 22:51
DNS hijacking or DNS redirection is the practice of redirecting the resolution of Domain Name System (DNS) names to other DNS servers. This is done for malicious purposes such as phishing; for self-serving purposes by Internet service providers (ISPs) to direct users' HTTP traffic via the ISP's own webservers where advertisements are served, statistics can be collected, or other purposes of the ISP; and by DNS service providers to block access to selected domains as a form of censorship.


Domain Name System (DNS)

The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.

An often-used analogy to explain the Domain Name System is that it serves as the phonebook for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 192.0.32.10 (IPv4) and 2620:0:2d0:200::10 (IPv6).

The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them.

One of the functions of a DNS server is to translate a domain name into an IP address that applications need to connect to an Internet resource such as a website. This functionality is defined in various internet standards that define the protocol in considerable detail. DNS servers are implicitly trusted by internet-facing computers and users to correctly resolve names to the actual addresses that are registered by the owners of an internet domain.


Rogue DNS server

A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites. Most users depend on DNS servers automatically assigned by their ISPs. Zombie computers use DNS-changing trojans to invisibly switch the automatic DNS server assignment by the ISP to manual DNS server assignment from rogue DNS servers. When users try to visit websites, they are instead sent to a bogus website. This attack is termed pharming. If the site they are redirected to is a malicious website masquerading as a legitimate website in order to fraudulently obtain sensitive information, it is termed phishing.


Manipulation by ISPs

A number of consumer ISPs such as Cablevision's Optimum Online, Comcast, Time Warner, Cox Communications, RCN, Rogers, Charter Communications, Verizon, Virgin Media, Frontier Communications, Bell Sympatico, UPC, T-Online, Optus, Mediacom, ONO and Bigpond (Telstra) use DNS hijacking for their own purposes, such as displaying advertisements or collecting statistics. This practice violates the RFC standard for DNS (NXDOMAIN) responses, and can potentially open users to cross-site scripting attacks.

Redirecting can be more benign, allowing a DNS server provided by a service such as OpenDNS to intercept and block sites known to be malicious or carrying content which the user wishes to block. The provider of the DNS server may charge a fee for this service, or may also show advertisements, collect statistics, etc.

The concern with DNS hijacking has to do with this hijacking of the NXDOMAIN response. Internet and intranet applications rely on the NXDOMAIN response to describe the condition where the DNS has no entry for the specified host. If one were to query an invalid domain name (fakeexample.com), one should get an NXDOMAIN response, informing the application that the name is invalid so that it can take the appropriate action (for example, displaying an error or not attempting to connect to the server). However, if the domain name is queried on one of these non-compliant ISPs, one would always receive a fake IP address belonging to the ISP. In a Web browser, this behavior can be annoying or offensive, as connections to this IP address display the ISP's redirect page, sometimes with advertising, instead of a proper error message. However, other applications that rely on the NXDOMAIN error will instead attempt to initiate connections to this spoofed IP address, potentially exposing sensitive information.
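The behaviour just described can be checked from the client side: a compliant resolver returns nothing for random, nonexistent names, while an ISP that hijacks NXDOMAIN answers every such name with the same redirect address. The following probe is an added example and not code from the original article; the function names, the probe TLD set and the "half of the probes resolved" threshold are assumptions chosen for illustration, and the resolver can be injected so the logic runs without network access.

```python
import random
import socket
import string
from collections import Counter

# Assumed probe set: random labels under a few common TLDs that will not exist.
PROBE_TLDS = ("com", "net", "org")

def random_probe_names(count=6, seed=None):
    """Build hostnames that almost certainly do not exist, e.g. k3f...z.com.

    Each name is 24 random alphanumerics under one of PROBE_TLDS.
    """
    rng = random.Random(seed)
    names = []
    for i in range(count):
        label = "".join(rng.choices(string.ascii_lowercase + string.digits, k=24))
        names.append(f"{label}.{PROBE_TLDS[i % len(PROBE_TLDS)]}")
    return names

def system_resolve(name):
    """Resolve with the OS resolver; return the address, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_nxdomain_hijack(names, resolve=system_resolve):
    """Classify the resolver behind `resolve` as compliant or NXDOMAIN-hijacking.

    Random names should not resolve at all. If at least half of them do, the
    resolver is substituting an address, and the most common answer is the
    redirect address (the ISP landing page described in the text).
    """
    answers = {name: resolve(name) for name in names}
    resolved = [addr for addr in answers.values() if addr is not None]
    hijacked = len(resolved) >= max(2, len(names) // 2)
    common = Counter(resolved).most_common(1)
    redirect_ip = common[0][0] if (hijacked and common) else None
    return {
        "hijacked": hijacked,
        "redirect_ip": redirect_ip,
        "resolved": len(resolved),
        "probed": len(names),
        "answers": answers,
    }

if __name__ == "__main__":
    result = check_nxdomain_hijack(random_probe_names())
    if result["hijacked"]:
        print("NXDOMAIN hijacking detected; random names resolve to", result["redirect_ip"])
    else:
        print("resolver returned NXDOMAIN for all probes (compliant)")
```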


Examples of functionality that breaks when an ISP hijacks DNS:

- Roaming laptops that are members of a Windows Server domain will falsely be led to believe that they are back on a corporate network because resources such as domain controllers, email servers and other infrastructure will appear to be available. Applications will therefore attempt to initiate connections to these corporate servers, but fail, resulting in degraded performance, unnecessary traffic on the internet connection and timeouts.

NOTE: A Windows domain is a logical group of computers running versions of the Microsoft Windows operating system that share a central directory database. This central database (known as Active Directory starting with Windows 2000,[1] Active Directory Domain Services in Windows Server 2008 and Server 2008 R2, also referred to as NT Directory Services on Windows NT operating systems, or NTDS) contains the user accounts and security information for the resources in that domain. Each person who uses computers within a domain receives his or her own unique account, or user name. This account can then be assigned access to resources within the domain.

In a domain, the directory resides on computers that are configured as "domain controllers." A domain controller is a server that manages all security-related aspects between user and domain interactions, centralizing security and administration. A Windows Server domain is generally suited for businesses and/or organizations when more than 10 PCs are in use.

- Many small office and most home networks do not have their own DNS server, relying instead on broadcast name resolution. However, because DNS lookups are prioritized over local broadcasts, all names will falsely resolve to a server belonging to the ISP, and local networking will not work.

- Browsers such as Firefox no longer have their 'Browse By Name' functionality (where keywords typed in the address bar take you to the closest matching site).

- The local DNS client built into modern operating systems will cache results of DNS searches for performance reasons. If a client switches between a home network and a VPN, false entries may remain cached, thereby creating a service outage on the VPN connection.

NOTE: A Virtual Private Network (VPN) is a method of computer networking--typically using the public internet--that allows users to privately share information between remote locations, or between a remote location and a business' home network. A VPN can provide secure information transport by authenticating users, and encrypting data to prevent unauthorized persons from reading the information transmitted. The VPN can be used to send any kind of network traffic securely.

- DNSBL anti-spam solutions rely on DNS; false DNS results therefore interfere with their operation.

NOTE: A DNSBL (DNS-based Blackhole List, Block List, or Blacklist) is a list of IP addresses published through the Internet Domain Name Service (DNS) either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists.

- Confidential user data might be leaked by applications that are tricked by the ISP into believing that the servers they wish to connect to are available.

- User choice over which search engine to consult in the event of a URL being mistyped in a browser is removed, as the ISP determines what search results are displayed to the user; functionality of applications like the Google Toolbar does not work correctly.

- Computers configured to use a split tunnel with a VPN connection will stop working because intranet names that should not be resolved outside the tunnel over the public Internet will start resolving to fictitious addresses, instead of resolving correctly over the VPN tunnel on a private DNS server when an NXDOMAIN response is received from the Internet. For example, a mail client attempting to resolve the DNS A record for an internal mail server may receive a false DNS response that directs it to a paid-results web server, with messages queued for delivery for days while retransmission is attempted in vain.

- It breaks the Web Proxy Autodiscovery Protocol (WPAD) by leading web browsers to believe incorrectly that the ISP has a proxy server configured.

NOTE: The Web Proxy Auto-Discovery Protocol (WPAD) is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL. The WPAD protocol only outlines the mechanism for discovering the location of this file, but the most commonly deployed configuration file format is the Proxy auto-config format originally designed by Netscape in 1996 for Netscape Navigator 2.0. The WPAD protocol was drafted by a consortium of companies including Inktomi Corporation, Microsoft Corporation, RealNetworks, Inc., and Sun Microsystems, Inc. WPAD is documented in an INTERNET-DRAFT which expired in December 1999. However, WPAD is still supported by all major browsers. WPAD was first included with Internet Explorer 5.0.

NOTE: A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by IP address or protocol. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it 'caches' responses from the remote server, and returns subsequent requests for the same content directly.
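The DNSBL item in the list above is a concrete case of an application that depends on NXDOMAIN. As an added example (not code from the original article), the lookup below builds the reversed-octet query name the note describes and shows why a hijacking resolver breaks it: a listing is conventionally answered with a 127.0.0.0/8 address and a non-listing with NXDOMAIN, so an ISP redirect address would make a naive "any answer means listed" check flag every sender. The zone name and the injectable resolver are assumptions for illustration.

```python
import ipaddress
import socket

# Assumed zone name for illustration; real DNSBL zones are not named on the page.
DNSBL_ZONE = "dnsbl.example"
# Usual DNSBL convention: a listed address is answered from the loopback range.
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the IPv4 octets and append the zone: 192.0.2.1 -> 1.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolve(name):
    """Resolve with the OS resolver; return the address, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def dnsbl_listed(ip, resolve=system_resolve, zone=DNSBL_ZONE):
    """Return True if `ip` is listed, False if the zone answers NXDOMAIN.

    Only an answer inside 127.0.0.0/8 counts as a listing. Any other address
    (such as an ISP's NXDOMAIN redirect page) is treated as a resolver fault
    rather than as a listing, so hijacking cannot turn into mass false positives.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    if ipaddress.IPv4Address(answer) in LISTED_RANGE:
        return True
    raise ValueError(
        f"unexpected DNSBL answer {answer}; resolver may be hijacking NXDOMAIN"
    )

if __name__ == "__main__":
    # Constructed sample resolvers standing in for a compliant and a hijacking ISP.
    compliant = lambda name: None
    hijacking = lambda name: "203.0.113.10"
    print("compliant resolver, 192.0.2.1 listed:", dnsbl_listed("192.0.2.1", compliant))
    try:
        dnsbl_listed("192.0.2.1", hijacking)
    except ValueError as err:
        print("hijacking resolver:", err)
```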


In some cases, the ISPs provide settings to disable hijacking of NXDOMAIN responses. Correctly implemented, such a setting reverts DNS to standard behavior. Some ISPs, however, instead use a web browser cookie to store the preference. In this case, the underlying behavior is not resolved: DNS queries continue to be redirected, while the ISP redirect page is replaced with a counterfeit DNS error page (as exampled by Charter here; notice the "Manage Opt-In settings" link). Applications other than web browsers cannot be opted out of the scheme using cookies, as the opt-out targets only the HTTP protocol, when the scheme is actually implemented in the protocol-neutral DNS protocol.


Turkish hacker TurkGuvenligi hijacked 350 Israeli websites with a Domain Name System (DNS) attack

The divert was the result of the group's attack on computers that hold web address information. Real URL names were deliberately mistranslated into the IP address of the hackers' site. No data from the seven victims was lost or compromised as a result of the attack.

The hacking group, called Turkguvenligi, targeted the net's Domain Name System (DNS). This acts as an address book for the web and turns the names that people use into IP address numbers that computers understand (e.g. 212.58.246.90). DNS is consulted by a person's web browser when they want to visit a particular site.

In its attack, the Turkguvenligi group changed the records relating to seven sites in DNS databases run by NetNames and Ascio, two subsidiaries of domain name management firm Group NBT. In an interview with The Guardian (http://www.guardian.co.uk/technology/2011/sep/05/dns-hackers-telegraph-interview), Turkguvenligi revealed that it got access to the files using a well-established attack method known as SQL injection.
