
DNS hijacking

From Wikipedia, the free encyclopedia

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries.[1] This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

These modifications may be made for malicious purposes such as phishing; for self-serving purposes by Internet service providers (ISPs), by the Great Firewall of China, and by public or router-based online DNS server providers, to direct users' web traffic to the ISP's own web servers where advertisements can be served, statistics collected, or other purposes of the ISP pursued; and by DNS service providers to block access to selected domains as a form of censorship.

Technical background

One of the functions of a DNS server is to translate a domain name into an IP address that applications need to connect to an Internet resource such as a website. This functionality is defined in various formal internet standards that define the protocol in considerable detail. DNS servers are implicitly trusted by internet-facing computers and users to correctly resolve names to the actual addresses that are registered by the owners of an internet domain.

Figure: screenshot of a dig command, showing a false response from an Iranian DNS server for a request to resolve Persian Wikipedia.

Rogue DNS server

A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites. Most users depend on DNS servers automatically assigned by their ISPs. A router's assigned DNS servers can also be altered through the remote exploitation of a vulnerability within the router's firmware.[2] When users try to visit websites, they are instead sent to a bogus website. This attack is termed pharming. If the site they are redirected to is a malicious website, masquerading as a legitimate website in order to fraudulently obtain sensitive information, it is called phishing.[3]

Manipulation by ISPs

A number of consumer ISPs such as AT&T,[4] Cablevision's Optimum Online,[5] CenturyLink,[6] Cox Communications, RCN,[7] Rogers,[8] Charter Communications (Spectrum), Plusnet,[9] Verizon,[10] Sprint,[11] T-Mobile US,[12] Virgin Media,[13][14] Frontier Communications, Bell Sympatico,[15] Deutsche Telekom AG,[16] Optus,[17] Mediacom,[18] ONO,[19] TalkTalk,[20] Bigpond (Telstra),[21][22][23][24] TTNET, Türksat, and all Indonesian consumer ISPs use or used DNS hijacking for their own purposes, such as displaying advertisements[25] or collecting statistics. Dutch ISPs XS4ALL and Ziggo use DNS hijacking by court order: they were ordered to block access to The Pirate Bay and display a warning page.[26] All consumer ISPs in Indonesia perform DNS hijacking to comply with the National DNS law,[27] which requires every Indonesian consumer ISP to hijack port 53 and redirect it to its own server in order to block websites listed in Trustpositif by Kominfo under the Internet Sehat campaign. These practices violate the RFC standard for DNS (NXDOMAIN) responses,[28] and can potentially open users to cross-site scripting attacks.[25]

The central concern with ISP DNS hijacking is the substitution of the NXDOMAIN response. Internet and intranet applications rely on the NXDOMAIN response to describe the condition where the DNS has no entry for the specified host. If one queries an invalid domain name (for example example.invalid), one should get an NXDOMAIN response, informing the application that the name is invalid so that it can take the appropriate action (for example, displaying an error or not attempting to connect to the server). However, if the domain name is queried on one of these non-compliant ISPs, one always receives a fake IP address belonging to the ISP. In a web browser, this behavior can be annoying or offensive, as connections to this IP address display the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message. Other applications that rely on the NXDOMAIN error will instead attempt to initiate connections to this spoofed IP address, potentially exposing sensitive information.
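As an added example (not from the article), the Python below shows how a user or network operator can test a resolver for the NXDOMAIN substitution just described: it builds a wire-format A query for a random name under the reserved .invalid top-level domain and classifies the reply, where RCODE 3 (NXDOMAIN) is the compliant answer and RCODE 0 with an A record is substitution. The two sample replies are constructed inline, using the documentation address 198.51.100.7, and are not captured from any real ISP.

```python
import secrets
import struct

def probe_name():
    """Random label under .invalid (reserved by RFC 2606): NXDOMAIN is the only honest answer."""
    return f"probe-{secrets.token_hex(4)}.invalid"

def build_query(name, qid=0x1234):
    """Encode a standard recursive A query for `name` in DNS wire format (RFC 1035)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def classify_response(resp):
    """Classify a reply to an .invalid probe: ('nxdomain' | 'substituted' | 'other', A addresses)."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    if rcode == 3:
        return "nxdomain", []
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    # RCODE 0 plus an address for a name that cannot exist is NXDOMAIN substitution.
    return ("substituted" if rcode == 0 and addrs else "other"), addrs

# Constructed replies to one probe (hypothetical; not captured from any real resolver).
QUERY = build_query("probe-deadbeef.invalid")
COMPLIANT = struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUERY[12:]   # RCODE=3
SUBSTITUTED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]  # RCODE=0
               + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 7]))
```

To test a live resolver, send `build_query(probe_name())` over UDP port 53 and pass the reply to `classify_response`; anything other than "nxdomain" means the resolver is rewriting negative answers.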

Examples of functionality that breaks when an ISP hijacks DNS:

  • Roaming laptops that are members of a Windows Server domain will falsely be led to believe that they are back on a corporate network because resources such as domain controllers, email servers and other infrastructure will appear to be available. Applications will therefore attempt to initiate connections to these corporate servers, but fail, resulting in degraded performance, unnecessary traffic on the Internet connection and timeouts.
  • Many small office and home networks do not have their own DNS server, relying instead on broadcast name resolution. Many versions of Microsoft Windows default to prioritizing DNS name resolution above NetBIOS name resolution broadcasts; therefore, when an ISP DNS server returns a (technically valid) IP address for the name of the desired computer on the LAN, the connecting computer uses this incorrect IP address and inevitably fails to connect to the desired computer on the LAN. Workarounds include using the correct IP address instead of the computer name, or changing the DhcpNodeType registry value to change name resolution service ordering.[29]
  • Browsers such as Firefox no longer have their 'Browse By Name' functionality (where keywords typed in the address bar take users to the closest matching site).[30]
  • The local DNS client built into modern operating systems will cache results of DNS searches for performance reasons. If a client switches between a home network and a VPN, false entries may remain cached, thereby creating a service outage on the VPN connection.
  • DNSBL anti-spam solutions rely on DNS; false DNS results therefore interfere with their operation.
  • Confidential user data might be leaked by applications that are tricked by the ISP into believing that the servers they wish to connect to are available.
  • User choice over which search engine to consult in the event of a URL being mistyped in a browser is removed, as the ISP determines what search results are displayed to the user.
  • Computers configured to use a split tunnel with a VPN connection will stop working, because intranet names that should not be resolved outside the tunnel over the public Internet will start resolving to fictitious addresses, instead of resolving correctly over the VPN tunnel on a private DNS server once an NXDOMAIN response is received from the Internet. For example, a mail client attempting to resolve the DNS A record for an internal mail server may receive a false DNS response that directs it to a paid-results web server, with messages queued for delivery for days while retransmission is attempted in vain.[31]
  • It breaks the Web Proxy Autodiscovery Protocol (WPAD) by leading web browsers to believe incorrectly that the ISP has a proxy server configured.
  • It breaks monitoring software. For example, if one periodically contacts a server to determine its health, a monitor will never see a failure unless the monitor tries to verify the server's cryptographic key.

In some, but not most cases, the ISPs provide subscriber-configurable settings to disable hijacking of NXDOMAIN responses. Correctly implemented, such a setting reverts DNS to standard behavior. Other ISPs, however, instead use a web browser cookie to store the preference. In this case, the underlying behavior is not resolved: DNS queries continue to be redirected, while the ISP redirect page is replaced with a counterfeit DNS error page. Applications other than web browsers cannot be opted out of the scheme using cookies, as the opt-out targets only the HTTP protocol, when the scheme is actually implemented in the protocol-neutral DNS.

Response

In the UK, the Information Commissioner's Office has acknowledged that the practice of involuntary DNS hijacking contravenes PECR and EC Directive 95/46 on Data Protection, which require explicit consent for processing of communication traffic.[13] In Germany, in 2019 it was revealed that Deutsche Telekom AG not only manipulated its DNS servers, but also transmitted network traffic (such as non-secure cookies when users did not use HTTPS) to a third-party company, because the web portal T-Online, to which users were redirected due to the DNS manipulation, was no longer owned by Deutsche Telekom. After a user filed a criminal complaint, Deutsche Telekom stopped further DNS manipulations.[32]

ICANN, the international body responsible for administering top-level domain names, has published a memorandum highlighting its concerns, and affirming:[31]

ICANN strongly discourages the use of DNS redirection, wildcards, synthesized responses and any other form of NXDOMAIN substitution in existing gTLDs, ccTLDs and any other level in the DNS tree for registry-class domain names.

Remedy

End users, dissatisfied with poor "opt-out" options like cookies, have responded to the controversy by finding ways to avoid spoofed NXDOMAIN responses. DNS software such as BIND and Dnsmasq offer options to filter results, and can be run from a gateway or router to protect an entire network. Google, among others, runs open DNS servers that currently do not return spoofed results. A user could therefore use Google Public DNS instead of their ISP's DNS servers, if they are willing to accept that they use the service under Google's privacy policy and are potentially exposed to another method by which Google can track them. One limitation of this approach is that some providers block or rewrite outside DNS requests. OpenDNS, owned by Cisco, is a similar popular service which does not alter NXDOMAIN responses.

In April 2016 Google launched a DNS-over-HTTPS service.[33] This scheme can overcome the limitations of the legacy DNS protocol: it performs DNSSEC validation remotely and transfers the results in a secure HTTPS tunnel.

There are also application-level workarounds, such as the NoRedirect[34] Firefox extension, that mitigate some of the behavior. Such an approach only fixes one application (in this example, Firefox) and does not address any other issues caused. Website owners may be able to fool some hijackers by using certain DNS settings, for example setting a TXT record of "unused" on their wildcard address (e.g. *.example). Alternatively, they can try setting the CNAME of the wildcard to "example.invalid", making use of the fact that '.invalid' is guaranteed not to exist per the RFC. The limitation of that approach is that it only prevents hijacking on those particular domains, but it may address some VPN security issues caused by DNS hijacking.

References

  1. "What is a DNS Hijacking | Redirection Attacks Explained | Imperva". Learning Center. Retrieved 13 December 2020.
  2. Constantin, Lucian (27 January 2015). "DNS hijacking flaw affects D-Link DSL router, possibly other devices". Retrieved 21 June 2017.
  3. "Rogue Domain Name System Servers". Trend Micro. Retrieved 15 December 2007.
  4. "ATT DNS Assist Page". 27 March 2017. Retrieved 24 February 2018.
  5. "Optimum Online DNS Assistance". Archived from the original on 13 August 2009.
  6. "Re: [Qwest] Opting out of CenturyLink Web Helper hijacking not w - CenturyLink | DSLReports Forums". DSL Reports. Retrieved 12 October 2016.
  7. "Who Stole My Web Browser?". 13 October 2009.
  8. "Rogers Uses Deep Packet Inspection for DNS Redirection". dslreports. 20 June 2008. Retrieved 15 June 2010.
  9. "UK ISP's providing cdn for google". equk.co.uk. 7 April 2014. Retrieved 25 October 2015.
  10. "Opting out of DNS Assistance". Archived from the original on 12 February 2015. Retrieved 12 February 2015.
  11. "Are Sprint 3G and 4G towers hijacking NXDOMAIN responses? More information in comments... • r/Sprint". reddit. 5 September 2014. Retrieved 24 February 2018.
  12. "How do I turn of NXDOMAIN hijacking? • r/tmobile". reddit. 20 July 2015. Retrieved 24 February 2018.
  13. "ICO: We won't stop Advanced Network Error Search". Archived from the original on 17 February 2015.
  14. "Case Reference Number ENQ0265706" (PDF). "I am not convinced that there is any likelihood of detriment or harm to subscribers or users that would justify taking formal action in this case."
  15. "Bell Starts Hijacking NS Domain Queries". 4 August 2009.
  16. Reiko Kaps (17 April 2009). "Telekom leitet DNS-Fehlermeldungen um" (in German). Retrieved 9 December 2019.
  17. "Optus' About the Search Results Page". Archived from the original on 13 July 2012. Retrieved 10 December 2009.
  18. "Want a real world example of why we need network neutrality? I have one here". 25 September 2009.
  19. "XSS Reflected dnssearch.Ono.es NXD redirect". 10 May 2010. Archived from the original on 12 June 2018. Retrieved 24 February 2018.
  20. "TalkTalk - Search". error.talktalk.co.uk. Retrieved 24 February 2018.
  21. "BigPond redirects typos to 'unethical' branded search page". CRN Australia. Retrieved 24 February 2018.
  22. "Charter Corrupting DNS protocol ie hijacking hosts".
  23. "road runner dns hijack causing slow web-pages". Archived from the original on 10 December 2010.
  24. "Rogers violates net neutrality by hijacking failed DNS lookups". Archived from the original on 27 July 2008.
  25. Singel, Ryan (19 April 2008). "ISPs Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses". Wired.
  26. Digined. "XS4ALL blokkeert adressen Pirate Bay voorlopig | XS4ALL Weblog". blog.xs4all.nl (in Dutch). Retrieved 5 October 2017.
  27. Tanjung, Tidar. "Kominfo Finalisasi DNS Nasional?". Retrieved 11 June 2018.
  28. Andrews, M. (1998). "Negative Caching of DNS Queries". doi:10.17487/RFC2308.
  29. "NetBIOS and WINS". howtonetworking. Retrieved 24 February 2018.
  30. "Using Firefox + NoRedirect Extension to Avoid DNS Hijacking". Archived from the original on 3 March 2011.
  31. "Harms Caused by NXDOMAIN Substitution in Toplevel and Other Registry-class Domain Names" (PDF). ICANN. 24 November 2009. Retrieved 23 September 2010.
  32. "Telekom beendet DNS-Hijacking". de.
  33. "DNS-over-HTTPS - Public DNS". Google Developers. 4 September 2018. Retrieved 12 March 2019.
  34. "NoRedirect – Add-ons for Firefox". addons.mozilla.org. Archived from the original on 25 February 2018. Retrieved 24 February 2018.