Security The Internet IT

Number of Rogue DNS Servers on the Rise

bosoxsux writes "Rogue DNS servers are an increasingly popular tool for scam artists, according to a new report. Their numbers are on the rise, in part because they're difficult for antivirus software to deal with. 'There are now approximately 68,000 rogue DNS servers across the Internet. The authenticity of the sites such servers redirect to varies greatly, from near-perfect copies to laughably bad, but the problem they represent is quite serious. Once an end user's computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site the malware author feels like serving up.'"
  • certs too (Score:5, Interesting)

    by OrangeTide ( 124937 ) on Friday February 15, 2008 @04:36PM (#22439824)
    Once a machine has been compromised you can add your own certificate server to the list too. And start handing out certs for whatever bullshit you want.
    • Fascinating idea....and if you've got access to the computer to change the DNS anyway, you could add in an authorization for the false cert agency, too.

      Do you have a newsletter? I'd subscribe to it.
      • You don't need to. Usability studies have shown conclusively that nobody (and I do mean absolutely nobody) will avoid browsing to a site because of an SSL warning. Even software engineers and other computer experts will just click through the dialog. SSL is an absolute failure at avoiding spoofing due to poor UI.
        • I get SSL warnings on my own website because I never bothered to pay and just self-sign my certificate. But if I got warnings on my bank's website I might not want to plug in my account info.
    • Re: (Score:3, Informative)

      by cheater512 ( 783349 )
      Even SSL fails with this method of attack.
      Too many ways to add a new root certificate.
      • Re: (Score:3, Informative)

        by Fred_A ( 10934 )

        > Even SSL fails with this method of attack.
        > Too many ways to add a new root certificate.

        You'd have to edit the cache so that the new key matches though (because it won't be the same one).
        • Re: (Score:3, Insightful)

          by lintux ( 125434 )
          > You'd have to edit the cache so that the new key matches though (because it won't be the same one).

          Heck, when you have enough access to a machine to change its DNS settings, you have enough access to flush the cache or to just disable all SSL safety checks.
  • netsh interface ip set dns "Local Area Connection" static 4.2.2.4
    netsh interface ip add dns "Local Area Connection" 4.2.2.1 index=2

    Doesn't seem too hard to fix this exploit, sneaky as it may sound. Of course, run FF/NoScript etc...
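A way to check which resolvers a machine is actually using before resetting them, as an added example that is not part of any post in this thread: it parses resolv.conf-style nameserver lines and flags anything the owner never configured. The sample text, the allowlist and the 203.0.113.7 entry standing in for a rogue resolver are constructed; the same allowlist check applies to the addresses `netsh interface ip show dns` prints on Windows.

```python
import ipaddress
import re

# Constructed sample (not captured from a real machine): resolv.conf-style
# lines with one entry in a documentation address range, playing the part of
# a resolver that malware silently configured.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd
nameserver 4.2.2.4
nameserver 4.2.2.1
nameserver 203.0.113.7
search example.net
"""

# Assumed allowlist: the resolvers the owner chose (the Level 3 addresses
# quoted in the thread) plus the LAN gateway.
ALLOWED_RESOLVERS = {"4.2.2.4", "4.2.2.1", "10.0.0.1"}

# Address space that normally hosts a home router, a local caching resolver
# or a loopback proxy; anything else not on the allowlist is routable
# public space and therefore the more worrying case.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    return NAMESERVER_RE.findall(text)


def classify_resolver(addr, allowed):
    """Label one configured resolver:
    'ok'      on the allowlist
    'rogue'   a public address the owner never configured
    'suspect' a private/loopback address not on the allowlist (a hijacked
              router or a local proxy both look like this)
    'invalid' not an IP address at all
    """
    if addr in allowed:
        return "ok"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in LOCAL_NETS):
        return "suspect"
    return "rogue"


def audit_resolvers(text, allowed):
    """Map every configured resolver to its classification."""
    return {a: classify_resolver(a, allowed) for a in parse_nameservers(text)}


if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF, ALLOWED_RESOLVERS).items():
        print(f"{addr:<16} {verdict}")
```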
    • by TripMaster Monkey ( 862126 ) on Friday February 15, 2008 @04:41PM (#22439906)
      Of course it's not difficult to fix...the problem is that most users aren't going to check their DNS settings like you or I would...heck...most users don't even know what a DNS server is.
      • Re: (Score:3, Insightful)

        by Penguinisto ( 415985 )
        Even worse - sometimes an ISP will refuse to tell you what their DNS IP addys actually are.

        /P

        • How can they not? (Score:3, Insightful)

          by davidwr ( 791652 )
          If an ISP expects me to use their DNS service, they have to tell me, either up-front or as part of the DHCP configuration request.

          Otherwise, I'll have to use someone else's DNS or do without.
          • True, but either one of us could find it rather quickly at a terminal/command prompt.

            Most users OTOH fear those things.

            /P

      • > Of course it's not difficult to fix...the problem is that most users aren't going to check their DNS settings like you or I would...heck...most users don't even know what a DNS server is.

        What're you talking about? I know exactly what a Dorrito's Nachos Server is. Now if only she would hurry up and bring my plate out here....

    • by mlts ( 1038732 ) * on Friday February 15, 2008 @04:42PM (#22439922)
      I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers.

      Then clients can grab the results from any DNS server and validate that they are actual results or phonies.

      Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.
      • by rwyoder ( 759998 ) on Friday February 15, 2008 @04:55PM (#22440072)

        > I wonder if the next stage would be "certified" DNS results, where a company gets a certificate signed by their registrar, signs DNS with their own private key, and propagates the results to the secondary servers.
        >
        > Then clients can grab the results from any DNS server and validate that they are actual results or phonies.
        >
        > Caveat: This would add another layer of processing and fetching keys, slowing everything down, when DNS is supposed to be a quick way to fetch an IP from a host name. You also have your usual PKI issues as well, such as compromised keys, expired certifications, etc.

        Google "DNSsec".
        • by rthille ( 8526 )
          I tried, and the Googol page I got back said, "I'm sorry Dave, but you don't need to see that."
    • Really, think about it. That is what the internet is. Zillions of network devices attached. Everybody is vulnerable to any type of attack. Along with this post. Don't you agree that if one person can create rogue DNS servers, they are just as capable of implementing rogue routers. It really comes down to, you just have to trust your ISP and do your homework.
  • So will that server have the real URL for a legit site and then be able to fake you out? Also when is this internet 2 that I hear about all the time gonna come out. I like the ideas of a newer, faster, sexier (I dunno how it would be sexier...) internet that has more control over content allowed in and services, etc etc.
  • After all, one must set your computer to use one of those servers.

    I can think of a few possible ways to do this--a worm that modifies default-passworded routers, for instance, would be capable of modifying DNS entries at the router level--but is there an easy exploit to do so at the end-user's computer? Or a method of modifying the DNS via a browser window?
    • If one has the ability to run malicious code on the target system, it would be pretty easy. I don't know about a browser window, but the DNS setting can be modified easily by a VB script, or trivially easy via the command prompt (one line command).
      • Perhaps DNS settings should be shadowed or otherwise obfuscated...though how that would be done, I'm not quite sure.
        • by TripMaster Monkey ( 862126 ) on Friday February 15, 2008 @05:11PM (#22440260)
          Actually, I ran across some malware that did something similar a few years ago. This malware modified the registry to put in an invisible SOCKS proxy, so all HTTP traffic went to the internet via its own server, which sniffed all packets en route. It was a real bitch to get rid of...once I removed the obvious parts, HTTP was just plain broken until I fixed the malicious registry entries.

          • That's absolutely brilliant....where'd they host the proxy? Same machine? Or did they host the proxy somewhere themselves?
            • They hosted the proxy themselves.
        • Geez, or perhaps user applications like fucking browsers shouldn't run with system-level God privileges.

          But that's a whole 'nother (mega)thread...
  • Huh? (Score:4, Funny)

    by JK_the_Slacker ( 1175625 ) on Friday February 15, 2008 @04:43PM (#22439934)

    You can run Rogue on a DNS server? Sweet! I know what I'm doing this weekend...

  • So we have to know exactly which DNS to use then. This is not good, most people don't know and don't care to find out about such things. But a computer has to be infected in the first place for DNS to be spoofed, so as long as there are no infected computers... oh...
  • Hijack it yourself (Score:5, Interesting)

    by RT Alec ( 608475 ) on Friday February 15, 2008 @04:46PM (#22439958)

    Whenever I set up the network infrastructure for a business, particularly one that has a lot of laptops, I make sure to intercept all DNS traffic and redirect it to a local server (since most of the boxes are routers, firewalls, NTP and DNS servers all in one, on (Open|Free)BSD this is easier).

    For PF, it's as simple as:
    rdr pass on $if proto {tcp,udp} from any to any port 53 -> 127.0.0.1 port 53

    If you still use IPFilter, use this rule in ipnat.rules:
    rdr de0 0.0.0.0/0 port 53 -> 127.0.0.1 port 53 tcp/udp

    • by drakyri ( 727902 ) on Friday February 15, 2008 @05:10PM (#22440256)
      If you're not up to setting up your own DNS server, how about just setting all local systems to use the local gateway as a DNS server - then use pf or ipfw to redirect those packets (incoming to gateway:53) to your ISP's DNS servers?

      Drop any incoming packets on the internal interface on port 53 that aren't addressed to the gateway. That'll allow you to keep an eye on the DNS servers easily on a machine that's presumably running *nix and not as susceptible to viruses without having to set up your own.
  • by Waffle Iron ( 339739 ) on Friday February 15, 2008 @04:50PM (#22439990)

    The spoof sites run the gamut. Some are stunningly convincing, others amusingly bogus with spelling errors and typos.

    Now I'm afraid that I'm a victim of this scam. It looks like this "Slashdot" site I've been using could actually be nothing more than a bad spoof...

  • by davidwr ( 791652 ) on Friday February 15, 2008 @04:51PM (#22440004)
    If ISPs would offer an optional "cleaning" service to block suspicious activity not only would fewer people fall victim, but the bang-for-the-buck would go down and it might not be worth the scammer's effort.

    A cleaning service would act like a deep-packet-inspection router but at the ISP head end.

    Useful services to offer:
    * net-nanny/thinkofthechildren content blocking
    * block known hostile/poisoned sites
    * tattletale/reporting
    * time-of-day blocking
    * login-required services - no port 80 or 443 without a cookie identifying which member of the family is using the computer
    * DNS interception/reroute to canonical ISP DNS
    * DNS interception/reroute to modified-for-the-customer ISP-provided DNS
    * DNS interception blocking DNS to known rogue sites
    * much, much more
    * Arbitrary, customer-controlled port blocking for inbound and outbound ports

    ISPs should offer "protect the network" or "protect from criminal activity" blocks like poisoned-DNS blocks for free/build the cost into their basic rates, and charge a premium for parental-control/business-use-control services.

    Of course they shouldn't force anyone to use these services if they don't want to.
    • Or simply put it in the terms of service and require such a "service" for their "ultra-safe internet connection"--and incidentally have authorization to do all manner of net neutrality violating things.

      Put it in enough marketspeak, and you'd be all set.
    • Re: (Score:3, Informative)

      by Klaus_1250 ( 987230 )
      OpenDNS already offers most of these services, for free... Downside is, that if you look at their Terms of Service, they might also block things you don't ask for (e.g. p2p-sites and such). But for businesses, it should be fairly safe.
  • by Anonymous Coward on Friday February 15, 2008 @04:52PM (#22440024)
    Try it: resolver1.opendns.com and resolver2.opendns.com return a CNAME for www.google.com. When you use OpenDNS, your browser really connects to google.navigation.opendns.com instead of www.google.com, and that name resolves to an OpenDNS IP address. Bet you didn't expect that from a service which touts to be "Open" something...
    • Yeah, actually this is *exactly* why I use OpenDNS.

      As you probably already know (why else are you posting as an AC?) this is a workaround for a nasty thing that Dell and Google have come up with to present the user with a screen full of ads when they make a typo in the search box. It's installed by default on new Dell machines. It's impossible for an ordinary user to turn off. I'm a hardcore techie and I had a rough time with it on my new Inspiron. More details here: http://blog.opendns.com/2007/05/22
      • by Niten ( 201835 ) on Friday February 15, 2008 @07:27PM (#22441574)

        FUD? There's no FUD about it: if you use OpenDNS and perform a Google search, your search queries are being proxied through OpenDNS's servers. That's quite a breach of trust because -- unless they've changed something since I last checked -- this proxying of search data isn't exactly advertised to the user in advance. Even if I felt I could absolutely trust OpenDNS with all my data, such covert behavior would still make me uncomfortable.

        As for the Google/Dell deal: yeah, it's evil, and the OpenDNS guys are right to bring attention to it. But it's a problem that needs to be solved at the application level, not by mucking around with users' DNS whether they're on an affected Dell or not. It's the wrong place and the wrong approach to solve this problem, and borderline creepy to boot.

        I'm not sure why you're so angry with the Anonymous Coward for pointing this out; everything he said was unbiased and factually accurate. If the truth is going to "convince people not to use OpenDNS," then so be it.

      • by lintux ( 125434 )
        It can't be that hard to remove/ignore.. Or does it hook into other browsers than MSIE as well?

        But still, that thing is indeed a little bit disappointing. I'm not sure if OpenDNS has the right to call it spyware though. It seems to fit the definition of adware. But like this, OpenDNS can see everything that's supposed to go to google.com. And IMHO, a truly paranoid person should trust OpenDNS as much as he/she trusts Google... Pot, kettle?
      • by Skapare ( 16644 )

        And this is also a reason Dell doesn't like Linux on consumer desktop PCs; they lose all that recurring ad revenue.

  • A malicious software purported for an unrelated application could easily ask a user to authenticate with admin credentials during the installation.
    Wham-bam, the porn-viewer, or icon-designer has now changed your DNS settings...
    Considering that most OS X virus scanners are still either in their infancy or completely ineffective, this would be an easy target.

    What's the best strategy against something like this? Installing apps in ~/Applications vs /Applications ?
    Maybe Apple could make that the default behavior, or
    • by Firehed ( 942385 )
      That's true of any software where you have to authenticate. However, most installations on OS X (the "drag the icon into /Applications" ones) don't require authentication since they don't have to make any major file changes. I'm rather wary about software from an untrusted publisher that asks for authentication, which is really the whole point behind not running as root. It could just as easily hit Linux installs of any flavor.

      I think the best defense on the part of all OS writers would be to make it so
  • just block outgoing dns requests from your lan interface, secure your router and make everything on your network use 10.0.0.1 (or whatever) for dns...
  • by Anonymous Coward on Friday February 15, 2008 @05:13PM (#22440274)
    The threat described has been understood for quite a while. Standards for applying digital signatures to DNS data have been in the works for a decade and recently there has been a lot of progress in implementation. Current versions of BIND and several other DNS packages provide DNSSEC support. Several Country Code TLDs are signed. Verisign has just announced support for DNSSEC in the root zone ("."). Check out dnssec.net, dnssec-deployment.org, etc.
    • Not really. If the caching resolver isn't trusted, it doesn't matter if it is DNSSEC-aware or not. The clients usually run only stub resolvers and rely on the caching resolver to do the hard work.

      And given that the switch to the untrustworthy DNS resolvers typically occurs when the user installs some alleged video codec, it would be easy to add additional DNSSEC trust anchors at this stage, too. For X.509 web server CAs, it has already been demonstrated that this is feasible when Comscore, through its Ma
  • Really, think about this. The internet is a zillion network devices attached. Don't you agree you can create a rogue DNS server just as easily as creating a rogue router. It comes down to how much homework you did when choosing your ISP.
  • by BuhDuh ( 1102769 ) on Friday February 15, 2008 @05:40PM (#22440552)
    and should be ditched immediately. It's insecure and slow. We should all go back to remembering the dot-quads of the sites we know are safe, the way it was in the good old days.
    • by rewt66 ( 738525 ) on Friday February 15, 2008 @05:45PM (#22440602)
      *cough*ARP poisoning*cough*
      • by woolio ( 927141 )
        > *cough*ARP poisoning*cough*

        That's why real geeks know by heart their ISP's

        1) Gateway IP address
        2) Gateway MAC address
        3) Subnet Mask
        4) DNS IP address
        5) DNS MAC address [if on local subnet]
        6) DHCP Server MAC Address

        Anything less is just being careless :->

    • by lintux ( 125434 )
      > We should all go back to remembering the dot-quads of the sites we know are safe, the way it was in the good old days.

      You're going to love the day IPv4 gets abandoned in favour of IPv6...
    • by Skapare ( 16644 )

      We are running out of dot-quads. They have this new supply of colon-hex things, but they are sooooo big.

    • by Lennie ( 16154 )
      I know you're kidding, but I just wanted to point out...

      There are not enough IPv4 addresses to host all the websites; most use the HTTP Host header field (more than one site per IP address).

      So it would not be dot-quads, but IPv6-addresses if we would want to keep all sites online, I wish you luck.
  • If you can find them, and count them, why can't you kill them off as well?
  • It seems that the fundamental problem with DNS poisoning is that the token field of DNS packets is too short to prevent a brute-force or birthday attack. The long term solution is definitely a solution involving certificates, but I think that there might be a short-term solution.

    Can a DNS request ask for two domains at once? If so, I think that this sort of attack could be blocked without having to upgrade all servers at once.

    In addition to your normal request, you could ask for the IP address of "jl39dl9
