DNS Poisoning: What is it? And how to stop it!
In the past week, the Chinese hacking group StormBamboo has targeted both macOS and Windows systems to deliver malicious code through legitimate software update requests. The attack comes on the back of several high-profile DNS attacks in recent years.
This all appears to indicate that, despite multiple attempts to secure DNS, poisoning is still a valid attack vector, and is becoming increasingly sophisticated.
In this article, we’ll look at:
- What is DNS poisoning?
- Does the risk still exist today, what with all the DNS security features?
- Attack prevention methods.
DNS Poisoning: What is it?
DNS poisoning is a cyberattack in which bad actors manipulate the DNS protocol, or a DNS response, to redirect users to a compromised website. It is also known as DNS cache poisoning or DNS spoofing. It is an attack vector used, amongst other things, to deliver malicious code, and it is commonly used in phishing attacks to direct users to a website that captures login or account details.
For example, in the StormBamboo attack, the hackers broke into an (unnamed) ISP to redirect the domain name responses of legitimate hosts to a website that delivered a compromised config file called YouTube.config. This file then downloads malware masquerading as a .png file. In this instance, the malware was MACMA for macOS devices or POCOSTICK for Windows devices.
The malware variant is irrelevant; it could be anything. The point is that an attacker can force an approved application (one that automatically self-installs updates) to download compromised code.
Furthermore, you probably won’t know about it.
DNS Poisoning: Is it a thing anymore?
With modern security features such as caching, SSL, and DNSSEC, is DNS spoofing something I still need to worry about?
The answer is “it depends” … on a number of things.
DNS is a fundamental part of the Internet. It turns a human-readable internet address, such as www.zorbsecurity.com, into a machine-readable IP address, such as the IPv4 address 111.222.123.456. Unless you host your own DNS server, every web request first goes to your ISP's resolver to obtain the IP address of the target host. The requesting device then uses the IP address in the DNS response to send an HTTP(S) request to the host and initiate the web session, file transfer, etc. This IP address is cached for a period of time before it expires, after which traffic to the website requires a new DNS request, in case the IP address has changed.
Compromise any part of this sequence and there is a chance that the user device is not connecting to the correct host.
Network Compromise
If an attacker has gained access to a network, it is relatively easy for them to set up a rogue DNS relay and spoof DNS responses, thereby pointing any or all web requests to any endpoint they want. This is a common way to deliver malware or mount a MITM attack. Security solutions may or may not be able to detect network-based DNS rerouting.
If your infrastructure uses protocols other than HTTP, DNS spoofing can still be very effective. Protocols such as FTP, SFTP, Telnet, and SMB also resolve hostnames via DNS, so they can be redirected in the same way. This is often seen in attacks on ICS networks, where these protocols are common.
ISP Compromise
Slightly harder is to spoof a DNS response at the ISP. In the StormBamboo attack, the attackers first gained access to an ISP, which demonstrates that it is indeed possible to attack at the source.
Phishing
Phishing attacks can, in a way, spoof DNS. Phishing usually involves some sort of link shortening. Whilst not the same as an HTTP redirect, it is easy for an attacker to hide a malicious address behind a shortened link. How many people bother to check the legitimacy of a shortened URL before clicking on it?
A similar attack is URL squatting, where the URL of a link is changed very slightly so as to go unnoticed by a human. For example, www.Z0RBSECURITY.com (notice that the “o” in ZORB is in fact a zero).
Good DNS Spoofing
It’s not all bad news though. Cyber defenders, such as ISPs, redirect whole ranges of requests to blackholed IP addresses. This is a common method of taking down malware such as botnets: any requests made by a bot sitting on a compromised device go to a benign (safe) endpoint instead of the botmaster’s server.
Recent DNS poisoning examples
Up until around 2008, DNS had a significant vulnerability that allowed cache poisoning for phishing attacks. The flaw was identified by Dan Kaminsky, who then worked hard to get the DNS protocol re-written.
Whilst the fix reduced the chances of DNS spoofing, the attack does still occur today:
- August 2024 – Chinese hacking group StormBamboo gained access to an ISP to poison DNS.
- March 2024 – Financial institutions and their customers were targets of a large-scale DNS cache poisoning campaign to push users to fake phishing sites designed to steal login credentials.
- November 2023 – It was reported that 90% of financial firms had experienced at least one DNS attack during 2022.
- 2023 – A surge in botnets using DNS-based attacks, and a 106% increase in DNS-based phishing attacks. Data showed a 1250% increase in new malicious domains/IP blocks being used within 24 hours of being registered.
- April 2022 – Attackers managed to modify Atlassian’s DNS records to redirect some of its users to malicious sites.
- March 2022 – A critical vulnerability was identified in a software library used by most router vendors that permitted DNS poisoning.
Can attacks against DNS be prevented?
DNS usually runs over UDP rather than TCP. The advantage is that UDP has a faster request/response mechanism than TCP. The disadvantage is that UDP has little to no security and does not authenticate the server it is querying.
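Because UDP itself authenticates nothing, a resolver's only defence against a blind spoofed reply is to check that the reply matches a query it actually sent. The following added example (not code from this article) shows those checks in a minimal stub resolver; the server address, names and ports used with it are constructed sample values.

```python
import os
import struct

# Added example (not code from the article): a minimal stub-resolver acceptance check.
# A reply counts only if it matches an outstanding query on every field a blind spoofer
# would have to guess or copy (source address, destination port, transaction id, echoed
# question); random id plus random source port is the post-2008 Kaminsky mitigation.

def encode_name(qname):
    return b"".join(bytes([len(label)]) + label.encode() for label in qname.split(".")) + b"\x00"

def dns_message(qname, txid, flags):
    """Header (id, flags, qdcount=1) plus one A/IN question; 0x0100 = query, 0x8180 = reply."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)

def parse(msg):
    """Return (id, flags, qname lower-cased, qtype, qclass) from the header and first question."""
    txid, flags = struct.unpack("!HH", msg[:4])
    labels, i = [], 12
    while msg[i]:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode())
        i += n + 1
    qtype, qclass = struct.unpack("!HH", msg[i + 1:i + 5])
    return txid, flags, ".".join(labels).lower(), qtype, qclass

class StubResolver:
    def __init__(self):
        self.pending = {}  # (txid, source port) -> (server ip, qname)

    def send(self, qname, server_ip):
        """Pick a random id and ephemeral port, remember them, return (query, id, port)."""
        txid = int.from_bytes(os.urandom(2), "big")
        port = 1024 + int.from_bytes(os.urandom(2), "big") % 64512
        self.pending[(txid, port)] = (server_ip, qname.lower())
        return dns_message(qname, txid, 0x0100), txid, port

    def accept(self, reply, from_ip, to_port):
        """Return 'ok' or the first reason the reply is rejected."""
        txid, flags, qname, qtype, qclass = parse(reply)
        entry = self.pending.get((txid, to_port))
        if entry is None:
            return "no matching id/port"
        if from_ip != entry[0]:
            return "wrong source address"
        if not flags & 0x8000:  # QR bit: must be a response, not an echoed query
            return "not a response"
        if (qname, qtype, qclass) != (entry[1], 1, 1):
            return "question mismatch"
        del self.pending[(txid, to_port)]  # first matching reply wins; later copies are ignored
        return "ok"
```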
Some DNS providers now enforce DNS over HTTPS (DoH) or DNS over TLS (DoT). The reason for this is that many applications still request their code updates via unsecured HTTP. Applying this fix could mean having to change DNS provider or, in the extreme case, stopping use of a preferred application.
DNSSEC (Domain Name System Security Extensions) was designed to prevent attacks on DNS, especially spoofing. It attaches digital signatures to DNS records so that the requester can verify them. (Although these, too, can be spoofed.)
Also consider your own infrastructure. Keep DNS servers patched, and regularly pen test your DNS infrastructure to identify vulnerabilities.
Outgoing Data Security: Prevent DNS poisoning
The above suggestions can be quite involved and, indeed, may be outside your sphere of control.
An easier solution is to apply outgoing data security – i.e. monitoring the integrity of all outbound data flows.
ZORB checks the integrity of EVERY outbound data flow: what requested the data transmission, where it is going, and how it is getting there.
Take the case of a Microsoft update request (although this is the same for all applications):
- initially, ZORB blocks the update request from leaving the PC until trust can be proven
- the source application is challenged to confirm it is a legitimate, business-approved application (not malware)
- the destination IP address is challenged as to its association with the application vendor. In this instance: a) is the DNS request destined for your approved DNS provider? and b) is the IP address returned in that DNS response a known Microsoft IP?
- the transfer method is also challenged: for example, is the flow over HTTPS or TLS, and not via a potentially covert channel such as Tor or FTP? If company policy dictates that all outgoing data goes via a VPN, is this transfer about to go via the VPN?
- only then, once the data transfer has been proven to be legitimate, is the data allowed to leave the device
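The five steps above expressed as a default-deny check, as an added example that is not ZORB's code. The approved application name, resolver address and vendor range are constructed placeholders (documentation address space, not Microsoft's real ranges), and the DNS answer is remembered only when it came back from the approved resolver, so step 3b is checked against the address the device will actually connect to.

```python
import ipaddress

# Added example (not ZORB's code): a default-deny gate that walks the five steps above for
# one outbound flow. Application name, resolver address and vendor range are constructed
# placeholders; 203.0.113.0/24 is documentation space, not a real Microsoft range.

APPROVED_APPS = {"updater.exe": "microsoft"}  # process -> vendor it is allowed to talk to
APPROVED_RESOLVERS = {ipaddress.ip_address("192.0.2.53")}
VENDOR_RANGES = {"microsoft": [ipaddress.ip_network("203.0.113.0/24")]}
ALLOWED_TRANSPORTS = {"https", "tls"}

class OutboundGate:
    def __init__(self, require_vpn=False):
        self.require_vpn = require_vpn
        self.learned = {}  # app -> addresses answered by an approved resolver

    def dns_answer(self, app, resolver_ip, answer_ip):
        """Step 3a: only answers that came back from the approved resolver are remembered."""
        if ipaddress.ip_address(resolver_ip) in APPROVED_RESOLVERS:
            self.learned.setdefault(app, set()).add(ipaddress.ip_address(answer_ip))

    def check(self, app, dst_ip, transport, via_vpn=False):
        """Steps 1-5: return (allowed, reason); the flow stays blocked until every check passes."""
        vendor = APPROVED_APPS.get(app)
        if vendor is None:  # step 2: is the source application approved?
            return False, "source application not approved"
        ip = ipaddress.ip_address(dst_ip)
        if ip not in self.learned.get(app, set()):  # step 3a: did the address come from our resolver?
            return False, "address not learned via approved resolver"
        if not any(ip in net for net in VENDOR_RANGES[vendor]):  # step 3b: known vendor address?
            return False, "address not in known vendor range (poisoned answer?)"
        if transport not in ALLOWED_TRANSPORTS:  # step 4: transfer method
            return False, "transport not permitted"
        if self.require_vpn and not via_vpn:  # step 4: company VPN policy
            return False, "policy requires VPN"
        return True, "ok"  # step 5: release the flow
```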
This can be done with an outbound firewall, provided you have the resources to define and maintain all the rulesets. ZORB takes this maintenance away from the organisation by making it easy to implement zero trust for outgoing data at the device level.
Alternatively, if ease is not the goal, this can provide a belt-and-braces defence alongside your other solutions.
Conclusion
Despite the security features introduced to DNS, poisoning remains an active, sophisticated attack vector for bad actors to deliver malicious code, or to capture user details in a phishing attack.
Furthermore, without monitoring the responses to each DNS request, it is unlikely you will know an attack is in progress.
Outgoing data security is one method to address such attacks, to ensure that web requests are directed to the legitimate endpoint.