
DNS hijacks: what to look for

What is DNS?

The definition: The domain name system (DNS) is the way that internet domain names are located and translated into Internet Protocol addresses.

When trying to explain the concept of DNS name resolution I think that finding a phone number for a certain person is a good analogy. There are several ways to find a person’s phone number, and the same is true for resolving the IP address that belongs to a domain name. The analogy also holds for dialing a wrong number: you could end up at the wrong server. How can this happen? We need to go into some more detail about how DNS works.

Following order

The order in which your system attempts to resolve the IP address is important in understanding how several of the attacks, which we will discuss later on, work. I will stick to the analogy of the phone number to clarify some points. The list below is specific to Windows computers.

  • Windows first looks in the DNS cache, which you could compare to your list of recently called numbers.
  • Then it checks whether the requested name belongs to your own computer: anything that resolves to 127.0.0.1 or another local alias.
  • Then it looks in a file called hosts on your system, which is a sort of personal phonebook that can be used to block bad sites, or abused to reroute your traffic.
  • Your computer sends a request to a DNS server, which you can compare to an online phonebook. Which DNS server(s) are contacted is an important detail that we will discuss further later on.
  • If all that fails your system resorts to NetBIOS name resolution, which is outside of our scope for today.

Connection configured to use OpenDNS servers

DNS servers

It is important to know that not all DNS servers are the same. In other words, there are differences between the online phonebooks. This can be due to changes that haven’t been recorded yet, or because entries have been adapted by design. But how does your computer decide which one to use? Usually the DNS servers are set in the properties of your internet connection or on the router that handles your internet connection. In both cases you will find that they were provided by your ISP, unless at some point you changed them, or someone did that for you.


Settings on the router are usually provided by the ISP

Attack vectors

Now that we know how the procedure works we can talk about the possibilities this offers to malware writers to change our DNS results.

Locally they can alter our hosts file. This has been done by the QHost Trojan in the past to block updates, downloads from, and visits to the sites of anti-malware companies. Vundo variants redirected traffic from popular social networks to their own servers by dropping a hidden new hosts file. And the recent Shopperz adware altered dnsapi.dll to point to a different file of their own making instead of to the actual hosts file.

Another local attack vector is changing the DNS servers for your connection, like for example DNS Unlocker does.

On the router level we have seen malware such as Moose trying to brute force devices in order to change their settings, among which the DNS servers. Have you changed the default password on your router yet?!?

At server level there is little or nothing the home user can do about DNS hijacks other than change their DNS servers manually to something they trust. Besides deliberate false entries imposed by an ISP or by (for example governmental) censorship, another way in which your DNS servers might be sending you the wrong way is DNS spoofing, also known as DNS cache poisoning. DNS servers cache information they receive from other DNS servers to save time.

If you have ever moved your website to a different server you will have noticed how long it can take before everyone actually lands on the new IP address. This happens because servers keep using their cached (old) information.

It takes a while for the new IP to get updated from server to server. This phenomenon is referred to as DNS propagation. In more or less the same way, false information can be put on a compromised DNS server and that information can spread to other servers.

Cache poisoning can be done at all levels, local, router and as described above at server level.
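To make the resolution order and the hosts-file attack vector above concrete, here is an added example (not code from the original post) that walks a name through the cache, hosts and DNS-server steps, and flags hosts entries that point a name at a routable address, the pattern QHost and Vundo used. The hosts file content is constructed for the example; the domain names and addresses in it are placeholders.

```python
import ipaddress
import re

# Constructed sample hosts file. The 0.0.0.0 line is a normal blocking entry;
# the last two lines are the kind of redirect a hosts-file hijack drops.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test
203.0.113.7     update.security-vendor.example
203.0.113.7     www.social-network.example
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        for host in parts[1:]:          # one IP may carry several names
            entries.append((parts[0], host.lower()))
    return entries

def find_hosts_hijacks(text):
    """Flag hosts entries that redirect a name to a routable address.
    Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0, ::) targets are
    blocking entries, which is a legitimate use of the file."""
    flagged = []
    for ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, host, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, host, "redirects to routable address"))
    return flagged

def resolve(name, cache, hosts_text, dns_answer):
    """Windows-style order from the article: cache, then hosts, then the DNS
    server. dns_answer stands in for the (possibly poisoned) server reply;
    the local-hostname step and NetBIOS fallback are omitted."""
    name = name.lower()
    if name in cache:
        return cache[name], "cache"
    for ip, host in parse_hosts(hosts_text):
        if host == name:
            return ip, "hosts"      # a hijacked hosts entry wins over DNS
    return dns_answer.get(name), "dns"
```

Running `find_hosts_hijacks` over the real file (`%SystemRoot%\System32\drivers\etc\hosts` on Windows) shows whether anything other than blocking entries has been added.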

Summary

DNS name resolution is a complex process that can be interfered with at many levels. It is good to be aware of the general principles because that knowledge offers us some level of control.


Pieter Arntz
