DNS hijacking

DNS hijacking or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

These modifications may be made for malicious purposes such as phishing, or for self-serving purposes by Internet service providers (ISPs) and public/router-based online DNS server providers to direct users' web traffic to the ISP's own web servers where advertisements can be served, statistics collected, or other purposes of the ISP; and by DNS service providers to block access to selected domains as a form of censorship.

Technical background

One of the functions of a DNS server is to translate a domain name into an IP address that applications need to connect to an Internet resource such as a website. This functionality is defined in various formal internet standards that define the protocol in considerable detail. DNS servers are implicitly trusted by internet-facing computers and users to correctly resolve names to the actual addresses that are registered by the owners of an internet domain.

Rogue DNS server

A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites. Most users depend on DNS servers automatically assigned by their ISPs. Zombie computers use DNS-changing trojans to invisibly switch the automatic DNS server assignment by the ISP to manual DNS server assignment from rogue DNS servers. A router's assigned DNS servers can also be altered through the remote exploitation of a vulnerability within the router's firmware.[1] When users try to visit websites, they are instead sent to a bogus website. This attack is termed pharming. If the site they are redirected to is a malicious website, masquerading as a legitimate website, in order to fraudulently obtain sensitive information, it is termed phishing.[2]

Manipulation by ISPs

A number of consumer ISPs such as Cablevision's Optimum Online,[3] Comcast,[4] CenturyLink,[5] Time Warner, Cox Communications, RCN,[6] Rogers,[7] Charter Communications, Plusnet,[8] Verizon,[9] Sprint,[10] T-Mobile US,[11] Virgin Media,[12][13] Frontier Communications, Bell Sympatico,[14] UPC,[15] T-Online,[16] Optus,[17] Mediacom,[18] ONO,[19] TalkTalk,[20] Bigpond (Telstra),[21][22][23][24] and TTNET use DNS hijacking for their own purposes, such as displaying advertisements[25] or collecting statistics. This practice violates the RFC standard for DNS (NXDOMAIN) responses,[26] and can potentially open users to cross-site scripting attacks.[25]

The concern with DNS hijacking involves this hijacking of the NXDOMAIN response. Internet and intranet applications rely on the NXDOMAIN response to describe the condition where the DNS has no entry for the specified host. If one were to query an invalid domain name (for example www.example.invalid), one should get an NXDOMAIN response, informing the application that the name is invalid so that it can take the appropriate action (for example, displaying an error or not attempting to connect to the server). However, if the domain name is queried on one of these non-compliant ISPs, one would always receive a fake IP address belonging to the ISP. In a web browser, this behavior can be annoying or offensive, as connections to this IP address display the ISP's redirect page, sometimes with advertising, instead of a proper error message. However, other applications that rely on the NXDOMAIN error will instead attempt to initiate connections to this spoofed IP address, potentially exposing sensitive information.
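One way to check a resolver for NXDOMAIN substitution, as an added example that is not part of the article: it sends a raw query for a name under the reserved .invalid top-level domain and inspects the RCODE and answer section directly, because the operating system's stub resolver cannot tell a genuine NXDOMAIN apart from a synthesized address. The probe name, the transaction ID and the 3-second timeout are assumptions made for this example.

```python
import socket
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query: standard opcode, recursion desired, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(data, off):
    """Return the offset just past the (possibly compressed) name starting at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, and it ends the name
            return off + 2
        off += 1 + length

def classify_response(data):
    """Classify a reply to a probe for a name that must not exist: ('nxdomain' | 'hijacked' | 'noerror' | 'other', [A addresses])."""
    flags, qd, an = struct.unpack("!HHH", data[2:8])
    rcode = flags & 0x0F
    if rcode == 3:  # NXDOMAIN: the standards-compliant answer
        return "nxdomain", []
    if rcode != 0:  # SERVFAIL, REFUSED, ...: not a hijack, but not a usable answer either
        return "other", []
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = skip_name(data, off) + 4
    addrs = []
    for _ in range(an):  # collect A records from the answer section
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    # NOERROR plus an address for a .invalid name means the resolver substituted NXDOMAIN
    return ("hijacked" if addrs else "noerror"), addrs

def probe_resolver(server, name="www.example.invalid", timeout=3.0):
    """Send the probe to a resolver over UDP port 53 and classify its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    return classify_response(data)
```

Calling probe_resolver with the address of the resolver a system actually uses returns "nxdomain" for a compliant resolver; "hijacked" comes with the substituted address, which is the value a user would feed into a filtering option on a gateway resolver.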

Examples of functionality that breaks when an ISP hijacks DNS:

In some cases, ISPs provide subscriber-configurable settings to disable hijacking of NXDOMAIN responses. Correctly implemented, such a setting reverts DNS to standard behavior. Other ISPs, however, instead use a web browser cookie to store the preference. In this case the underlying behavior is not resolved: DNS queries continue to be redirected, while the ISP redirect page is replaced with a counterfeit DNS error page. Applications other than web browsers cannot be opted out of the scheme using cookies, as the opt-out targets only the HTTP protocol, whereas the scheme is actually implemented in the protocol-neutral DNS system.

Manipulation by registrars

Some domain name registrars, notably Name.com,[30] perform DNS hijacking on failed domain name lookups despite objections to this practice from ICANN[31] and from consumers.

Response

In the UK, the Information Commissioner's Office has acknowledged that the practice of involuntary DNS hijacking contravenes PECR and EC Directive 95/46 on Data Protection, which require explicit consent for processing of communication traffic. However, it has refused to intervene, claiming that it would not be sensible to enforce the law because the practice would not cause significant (or indeed any) demonstrable detriment to individuals.[12][13]

ICANN, the international body responsible for administering top-level domain names, has published a memorandum highlighting its concerns, and affirming:[29]

ICANN strongly discourages the use of DNS redirection, wildcards, synthesized responses and any other form of NXDOMAIN substitution in existing gTLDs, ccTLDs and any other level in the DNS tree for registry-class domain names.

Remedy

End users, dissatisfied with poor "opt-out" options like cookies, have responded to the controversy by finding ways to avoid spoofed NXDOMAIN responses. DNS software such as BIND and Dnsmasq offers options to filter results, and can be run from a gateway or router to protect an entire network. Google, among others, runs open DNS servers that currently do not return spoofed results. A user could therefore use Google Public DNS instead of the ISP's DNS servers, if they are willing to accept that they use the service under Google's privacy policy. One limitation of this approach is that some providers block or rewrite outside DNS requests.

In April 2016, Google launched a DNS-over-HTTPS service. This scheme can overcome the limitations of the legacy DNS protocol: DNSSEC validation is performed remotely, and the results are transferred in a secure HTTPS tunnel. There are also tools, such as DNSd, that can be used to access this service even with legacy software.

There are also application-level workarounds, such as the NoRedirect Firefox extension, that mitigate some of the behavior. An approach like that only fixes one application (in this example, Firefox) and will not address any other issues caused. Website owners may be able to fool some hijackers by using certain DNS settings, for example setting a TXT record of "unused" on their wildcard address (e.g. *.example.com). Alternatively, they can try setting the CNAME of the wildcard to "example.invalid", making use of the fact that '.invalid' is guaranteed not to exist per the RFC. The limitation of that approach is that it only prevents hijacking on those particular domains, but it may address some VPN security issues caused by DNS hijacking.

References

  1. "DNS hijacking flaw affects D-Link DSL router, possibly other devices".
  2. "Rogue Domain Name System Servers". Trend Micro. Retrieved 2007-12-15.
  3. "Optimum Online DNS Assistance". Archived from the original on 13 August 2009.
  4. "Comcast trials Domain Helper service DNS hijacker". The Register. Retrieved 2009-10-07.
  5. "Re: [Qwest] Opting out of CenturyLink Web Helper hijacking not w - CenturyLink | DSLReports Forums". DSL Reports. Retrieved 2016-10-12.
  6. "Who Stole My Web Browser?".
  7. "Rogers Uses Deep Packet Inspection for DNS Redirection". dslreports.com. 2008-06-20. Retrieved 2010-06-15.
  8. "UK ISP's providing cdn for google". equk.co.uk. Retrieved 2015-10-25.
  9. "Opting out of DNS Assistance".
  10. http://www.reddit.com/r/Sprint/comments/2fl6pk/are_sprint_3g_and_4g_towers_hijacking_nxdomain/
  11. https://www.reddit.com/r/tmobile/comments/3dyk1h/how_do_i_turn_of_nxdomain_hijacking/
  12. "ICO: We won't stop Advanced Network Error Search".
  13. "Case Reference Number ENQ0265706" (PDF). I am not convinced that there is any likelihood of detriment or harm to subscribers or users that would justify taking formal action in this case.
  14. "Bell Starts Hijacking NS Domain Queries".
  15. "UPC FAQ about the "navigation service"".
  16. T-Home-Team (2009-04-09). "Neues Leistungsmerkmal 'Navigationshilfe'" [New 'Navigation Help' Feature] (in German). Retrieved 2009-12-02. If Navigation Help is enabled, DNS servers that support this feature are assigned; if it is disabled, conventional DNS servers are assigned.
  17. "About the Search Results Page". Optus.
  18. "Want a real world example of why we need network neutrality? I have one here.".
  19. "XSS Reflected dnssearch.Ono.es NXD redirect". iniqua.
  20. "About This Page". TalkTalk.
  21. "BigPond redirects typos to 'unethical' branded search page". CRN Australia.
  22. "Charter Corrupting DNS protocol ie hijacking hosts".
  23. "road runner dns hijack causing slow web-pages". Archived from the original on 10 December 2010.
  24. "Rogers violates net neutrality by hijacking failed DNS lookups". Archived from the original on 27 July 2008.
  25. Singel, Ryan (19 April 2008). "ISPs Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses". Wired.
  26. "Negative Caching of DNS Queries".
  27. http://www.howtonetworking.com/netbios&wins.htm#How%20to%20modify%20Node%20Type
  28. "Using Firefox + NoRedirect Extension to Avoid DNS Hijacking". Archived from the original on 3 March 2011.
  29. "Harms Caused by NXDOMAIN Substitution in Toplevel and Other Registry-class Domain Names" (PDF). ICANN. 2009-11-24. Retrieved 2010-09-23.
  30. "Name.com is doing some really sketchy stuff".
  31. "Harms and Concerns Posed by NXDOMAIN Substitution (DNS Wildcard and Similar Technologies) at Registry Level". ICANN.
This article is issued from Wikipedia - version of the 12/4/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.