DNS hijacking

Last updated

DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. [1] This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.

Contents

These modifications may be made for malicious purposes such as phishing, for self-serving purposes by Internet service providers (ISPs), by the Great Firewall of China and public/router-based online DNS server providers to direct users' web traffic to the ISP's own web servers where advertisements can be served, statistics collected, or other purposes of the ISP; and by DNS service providers to block access to selected domains as a form of censorship.

Technical background

One of the functions of a DNS server is to translate a domain name into an IP address that applications need to connect to an Internet resource such as a website. This functionality is defined in various formal internet standards that define the protocol in considerable detail. DNS servers are implicitly trusted by internet-facing computers and users to correctly resolve names to the actual addresses that are registered by the owners of an internet domain.

Screenshot of a dig command, showing a false response from an Iranian DNS server for a request to resolve Persian Wikipedia Netblocks Wikipedia Blocked in Iran 202003.png
Screenshot of a dig command, showing a false response from an Iranian DNS server for a request to resolve Persian Wikipedia

Rogue DNS server

A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites. Most users depend on DNS servers automatically assigned by their ISPs. A router's assigned DNS servers can also be altered through the remote exploitation of a vulnerability within the router's firmware. [2] When users try to visit websites, they are instead sent to a bogus website. This attack is termed pharming. If the site they are redirected to is a malicious website, masquerading as a legitimate website, in order to fraudulently obtain sensitive information, it is called phishing. [3]

Manipulation by ISPs

A number of consumer ISPs such as AT&T, [4] Cablevision's Optimum Online, [5] CenturyLink, [6] Cox Communications, RCN, [7] Rogers, [8] Charter Communications (Spectrum), Plusnet, [9] Verizon, [10] Sprint, [11] T-Mobile US, [12] Virgin Media, [13] [14] Frontier Communications, Bell Sympatico, [15] Deutsche Telekom AG, [16] Optus, [17] Mediacom, [18] ONO, [19] TalkTalk, [20] Bigpond (Telstra), [21] [22] [23] [24] TTNET, Türksat, and all Indonesian customer ISPs use or used DNS hijacking for their own purposes, such as displaying advertisements [25] or collecting statistics. Dutch ISPs XS4ALL and Ziggo use DNS hijacking by court order: they were ordered to block access to The Pirate Bay and display a warning page [26] while all customer ISP in Indonesia do DNS hijacking to comply with the National DNS law [27] which requires every customer Indonesian ISP to hijack port 53 and redirect it to their own server to block website that are listed in Trustpositif by Kominfo under Internet Sehat campaign. These practices violate the RFC standard for DNS (NXDOMAIN) responses, [28] and can potentially open users to cross-site scripting attacks. [25]

The concern with DNS hijacking involves this hijacking of the NXDOMAIN response. Internet and intranet applications rely on the NXDOMAIN response to describe the condition where the DNS has no entry for the specified host. If one were to query the invalid domain name (for example www.example.invalid), one should get an NXDOMAIN response – informing the application that the name is invalid and taking the appropriate action (for example, displaying an error or not attempting to connect to the server). However, if the domain name is queried on one of these non-compliant ISPs, one would always receive a fake IP address belonging to the ISP. In a web browser, this behavior can be annoying or offensive as connections to this IP address display the ISP redirect page of the provider, sometimes with advertising, instead of a proper error message. However, other applications that rely on the NXDOMAIN error will instead attempt to initiate connections to this spoofed IP address, potentially exposing sensitive information.

Examples of functionality that breaks when an ISP hijacks DNS:

In some, but not most cases, the ISPs provide subscriber-configurable settings to disable hijacking of NXDOMAIN responses. Correctly implemented, such a setting reverts DNS to standard behavior. Other ISPs, however, instead use a web browser cookie to store the preference. In this case, the underlying behavior is not resolved: DNS queries continue to be redirected, while the ISP redirect page is replaced with a counterfeit DNS error page. Applications other than web browsers cannot be opted out of the scheme using cookies as the opt-out targets only the HTTP protocol, when the scheme is actually implemented in the protocol-neutral DNS.

Response

In the UK, the Information Commissioner's Office has acknowledged that the practice of involuntary DNS hijacking contravenes PECR, and EC Directive 95/46 on Data Protection which require explicit consent for processing of communication traffic. However, they have refused to intervene, claiming that it would not be sensible to enforce the law, because it would not cause significant (or indeed any) demonstrable detriment to individuals. [13] [14] In Germany, in 2019 it was revealed that the Deutsche Telekom AG not only manipulated their DNS servers, but also transmitted network traffic (such as non-secure cookies when users did not use HTTPS) to a third-party company because the web portal T-Online, at which users were redirected due to the DNS manipulation, was not (any more) owned by the Deutsche Telekom. After a user filed a criminal complaint, the Deutsche Telekom stopped further DNS manipulations. [32]

ICANN, the international body responsible for administering top-level domain names, has published a memorandum highlighting its concerns, and affirming: [31]

ICANN strongly discourages the use of DNS redirection, wildcards, synthesized responses and any other form of NXDOMAIN substitution in existing gTLDs, ccTLDs and any other level in the DNS tree for registry-class domain names.

Remedy

End users, dissatisfied with poor "opt-out" options like cookies, have responded to the controversy by finding ways to avoid spoofed NXDOMAIN responses. DNS software such as BIND and Dnsmasq offer options to filter results, and can be run from a gateway or router to protect an entire network. Google, among others, run open DNS servers that currently do not return spoofed results. So a user could use Google Public DNS instead of their ISP's DNS servers if they are willing to accept that they use the service under Google's privacy policy and potentially be exposed to another method by which Google can track the user. One limitation of this approach is that some providers block or rewrite outside DNS requests. OpenDNS, owned by Cisco, is a similar popular service which does not alter NXDOMAIN responses.

Google in April 2016 launched DNS-over-HTTPS service. [33] This scheme can overcome the limitations of the legacy DNS protocol. It performs remote DNSSEC check and transfers the results in a secure HTTPS tunnel.

There are also application-level work-arounds, such as the NoRedirect [34] Firefox extension, that mitigate some of the behavior. An approach like that only fixes one application (in this example, Firefox) and will not address any other issues caused. Website owners may be able to fool some hijackers by using certain DNS settings. For example, setting a TXT record of "unused" on their wildcard address (e.g. *.example.com). Alternatively, they can try setting the CNAME of the wildcard to "example.invalid", making use of the fact that '.invalid' is guaranteed not to exist per the RFC. The limitation of that approach is that it only prevents hijacking on those particular domains, but it may address some VPN security issues caused by DNS hijacking.

See also

Related Research Articles

The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned to each of the associated entities. Most prominently, it translates readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. The Domain Name System has been an essential component of the functionality of the Internet since 1985.

In the Internet, a domain name is a string that identifies a realm of administrative autonomy, authority or control. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. As of 2017, 330.6 million domain names had been registered. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name identifies a network domain or an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, or a server computer.

<span class="mw-page-title-main">Proxy server</span> Computer server that makes and receives requests on behalf of a user

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. It improves privacy, security, and performance in the process.

<span class="mw-page-title-main">Captive portal</span> Web page displayed to new users of a network

A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing or log-in page which may require authentication, payment, acceptance of an end-user license agreement, acceptable use policy, survey completion, or other valid credentials that both the host and user agree to adhere by. Captive portals are used for a broad range of mobile and pedestrian broadband services – including cable and commercially provided Wi-Fi and home hotspots. A captive portal can also be used to provide access to enterprise or residential wired networks, such as apartment houses, hotel rooms, and business centers.

The Web Proxy Auto-Discovery (WPAD) Protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to any computer that the attacker chooses.

Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. These are generally used to force hits to a particular website, increasing its advertising revenue.

A proxy auto-config (PAC) file defines how web browsers and other user agents can automatically choose the appropriate proxy server for fetching a given URL.

dnsmasq Lightweight DNS and DHCP server software

dnsmasq is free software providing Domain Name System (DNS) caching, a Dynamic Host Configuration Protocol (DHCP) server, router advertisement and network boot features, intended for small computer networks.

<span class="mw-page-title-main">OpenDNS</span> Domain name system provided by Cisco using closed-source software

OpenDNS is an American company providing Domain Name System (DNS) resolution services—with features such as phishing protection, optional content filtering, and DNS lookup in its DNS servers—and a cloud computing security product suite, Umbrella, designed to protect enterprise customers from malware, botnets, phishing, and targeted online attacks. The OpenDNS Global Network processes an estimated 100 billion DNS queries daily from 85 million users through 25 data centers worldwide.

Paxfire, Inc. was a startup based in Reston, Virginia founded by Mark Lewyn, a former USA Today tech reporter, and Alan Sullivan. The company filed for bankruptcy in December 2012.

An ISP redirect page is a spoof page served by major ISPs including: Cox Communications, Embarq, Verizon, Rogers, Earthlink, and various others when World Wide Web users enter an invalid DNS name.

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone. HSTS is an IETF standards track protocol and is specified in RFC 6797.

Google Public DNS is a Domain Name System (DNS) service offered to Internet users worldwide by Google. It functions as a recursive name server. Google Public DNS was announced on December 3, 2009, in an effort described as "making the web faster and more secure." As of 2018, it is the largest public DNS service in the world, handling over a trillion queries per day. Google Public DNS is not related to Google Cloud DNS, which is a DNS hosting service.

Norton ConnectSafe was a free public DNS service offered by Symantec Corporation that claimed to offer a faster and more reliable web browsing experience while blocking undesirable websites. The service was retired on November 15, 2018.

DNSCrypt is a network protocol that authenticates and encrypts Domain Name System (DNS) traffic between the user's computer and recursive name servers. It was originally designed by Frank Denis and Yecheng Fu.

Domain Name System blocking, or DNS blocking / filtering is a strategy for making it difficult for users to locate specific domains or websites on the Internet. It was first introduced in 1997 as a means to block spam email from known malicious IP addresses.

<span class="mw-page-title-main">Response policy zone</span> Internet firewall mechanism for DNS

A response policy zone (RPZ) is a mechanism to introduce a customized policy in Domain Name System servers, so that recursive resolvers return possibly modified results. By modifying a result, access to the corresponding host can be blocked.

A DNS leak is a security flaw that allows DNS requests to be revealed to ISP DNS servers, despite the use of a VPN service to attempt to conceal them. Although primarily of concern to VPN users, it is also possible to prevent it for proxy and direct internet users.

DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. A goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data by man-in-the-middle attacks by using the HTTPS protocol to encrypt the data between the DoH client and the DoH-based DNS resolver. By March 2018, Google and the Mozilla Foundation had started testing versions of DNS over HTTPS. In February 2020, Firefox switched to DNS over HTTPS by default for users in the United States.

References

  1. "What is a DNS Hijacking | Redirection Attacks Explained | Imperva". Learning Center. Retrieved 13 December 2020.
  2. Constantin, Lucian (27 January 2015). "DNS hijacking flaw affects D-Link DSL router, possibly other devices" . Retrieved 21 June 2017.
  3. "Rogue Domain Name System Servers". Trend Micro. Retrieved 15 December 2007.
  4. "ATT DNS Assist Page". 27 March 2017. Retrieved 24 February 2018.
  5. "Optimum Online DNS Assistance". Archived from the original on 13 August 2009.
  6. "Re: [Qwest] Opting out of CenturyLink Web Helper hijacking not w - CenturyLink | DSLReports Forums". DSL Reports. Retrieved 12 October 2016.
  7. "Who Stole My Web Browser?". 13 October 2009.
  8. "Rogers Uses Deep Packet Inspection for DNS Redirection". dslreports.com. 20 June 2008. Retrieved 15 June 2010.
  9. "UK ISP's providing cdn for google". equk.co.uk. Retrieved 25 October 2015.
  10. "Opting out of DNS Assistance". Archived from the original on 12 February 2015. Retrieved 12 February 2015.
  11. "Are Sprint 3G and 4G towers hijacking NXDOMAIN responses? More information in comments... • r/Sprint". reddit. 5 September 2014. Retrieved 24 February 2018.
  12. "How do I turn of NXDOMAIN hijacking? • r/tmobile". reddit. 20 July 2015. Retrieved 24 February 2018.
  13. 1 2 "ICO: We won't stop Advanced Network Error Search". Archived from the original on 17 February 2015.
  14. 1 2 "Case Reference Number ENQ0265706" (PDF). I am not convinced that there is any likelihood of detriment or harm to subscribers or users that would justify taking formal action in this case.[ permanent dead link ]
  15. "Bell Starts Hijacking NS Domain Queries".
  16. Reiko Kaps (17 April 2009). "Telekom leitet DNS-Fehlermeldungen um" (in German). Retrieved 9 December 2019.
  17. "Optus' "About the Search Results Page"". Archived from the original on 13 July 2012. Retrieved 10 December 2009.
  18. "Want a real world example of why we need network neutrality? I have one here". 25 September 2009.
  19. "XSS Reflected dnssearch.Ono.es NXD redirect". 10 May 2010. Archived from the original on 12 June 2018. Retrieved 24 February 2018.
  20. "TalkTalk - Search". error.talktalk.co.uk. Retrieved 24 February 2018.[ permanent dead link ]
  21. "BigPond redirects typos to 'unethical' branded search page". CRN Australia. Retrieved 24 February 2018.
  22. "Charter Corrupting DNS protocol ie hijacking hosts".
  23. "road runner dns hijack causing slow web-pages". Archived from the original on 10 December 2010.
  24. "Rogers violates net neutrality by hijacking failed DNS lookups". Archived from the original on 27 July 2008.
  25. 1 2 Singel, Ryan (19 April 2008). "ISPs Error Page Ads Let Hackers Hijack Entire Web, Researcher Discloses". Wired.
  26. Digined. "XS4ALL blokkeert adressen Pirate Bay voorlopig | XS4ALL Weblog". blog.xs4all.nl (in Dutch). Retrieved 5 October 2017.
  27. Tanjung, Tidar. "Kominfo Finalisasi DNS Nasional?" . Retrieved 11 June 2018.
  28. Andrews, M. (1998). "Negative Caching of DNS Queries". doi: 10.17487/RFC2308 .{{cite journal}}: Cite journal requires |journal= (help)
  29. "NetBIOS and WINS". howtonetworking.com. Retrieved 24 February 2018.
  30. "Using Firefox + NoRedirect Extension to Avoid DNS Hijacking". Archived from the original on 3 March 2011.
  31. 1 2 "Harms Caused by NXDOMAIN Substitution in Toplevel and Other Registry-class Domain Names" (PDF). ICANN. 24 November 2009. Retrieved 23 September 2010.
  32. "Telekom beendet DNS-Hijacking". de.
  33. "DNS-over-HTTPS - Public DNS". Google Developers. 4 September 2018. Retrieved 12 March 2019.
  34. "NoRedirect – Add-ons for Firefox". addons.mozilla.org. Archived from the original on 25 February 2018. Retrieved 24 February 2018.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.