
DNS Domain Hijacking

Whereas the direct DNS risks stem from fundamental weaknesses in the protocol itself, technical risks arise from configuration issues. The ability to modify a DNS server's data directly leads to DNS compromises. Technical risks include DNS domain hijacking, server hijacking, update durations, and DDNS.

Any owner of a DNS server can configure the server to act as a primary source for any domain. DNS does not contain the concept of domain ownership. If a company wants to configure its internal DNS server to be a primary source for the microsoft.com domain, there is nothing to stop it. The DNS hierarchy prevents this type of configuration from flooding the Internet with invalid information, because only clients that query that server directly, or servers that delegate to it, will ever see its answers. If the DNS server is high enough up the chain of servers (e.g., a SLD, ccTLD, or large service provider caching server), however, then it can be used to hijack entire domains.

DNS domain hijacking has viable uses. Many computer worms, viruses, spyware, and assorted malware report information to remote hosts on the Internet. Besides "do not become infected," the most common approach for mitigating these risks is to disable the malware collection hosts. If the host is unreachable, then it cannot collect information. When the malware sites are specified by IP addresses, egress filtering at the firewall can prevent user access. When the malware accesses a remote host by name, however, DNS becomes the best filtering option. The local DNS server can be configured to reject hostname lookups for malware sites. If the hostname cannot be resolved to an IP address, then the host becomes unreachable.
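The following Python models the filtering idea just described: a local resolver that consults a blocklist before forwarding a lookup and answers NXDOMAIN (or, optionally, a sinkhole address) for listed domains and everything beneath them. This is an added illustration, not code from the original text; the upstream answers, the blocklist entries and the `FilteringResolver` class are all constructed for the example. A production deployment would use the resolver's own mechanism (BIND RPZ, unbound `local-zone`, or similar) rather than this model.

```python
"""Blocklist-enforcing stub resolver: the local-DNS filtering idea, modelled in Python.
Illustrative only; a real deployment uses the resolver's native blocklist feature."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed upstream answers standing in for a real recursive resolver.
UPSTREAM = {
    "www.example.com.": "93.184.216.34",
    "c2.malware-collector.example.": "198.51.100.7",
    "updates.vendor.example.": "203.0.113.10",
}

# Constructed blocklist: every hostname at or below these domains is refused.
BLOCKLIST = {"malware-collector.example", "Tracker.Example."}


@dataclass
class Answer:
    name: str
    rcode: str                 # "NOERROR" or "NXDOMAIN"
    address: Optional[str]
    blocked: bool


@dataclass
class FilteringResolver:
    blocklist: set
    upstream: dict
    sinkhole: Optional[str] = None   # optional: answer blocked names with this address instead of NXDOMAIN
    log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Normalise once so later comparisons are exact matches on canonical names.
        self.blocklist = {self.normalise(d) for d in self.blocklist}

    @staticmethod
    def normalise(name: str) -> str:
        """Lower-case and fully qualify, so case or a trailing dot cannot bypass the list."""
        name = name.strip().lower()
        return name if name.endswith(".") else name + "."

    def is_blocked(self, name: str) -> bool:
        """True if the name or any parent domain is listed (listing a domain covers its subdomains)."""
        labels = self.normalise(name).split(".")   # "a.b.example." -> ["a", "b", "example", ""]
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in self.blocklist:
                return True
        return False

    def resolve(self, name: str) -> Answer:
        qname = self.normalise(name)
        if self.is_blocked(qname):
            self.log.append(f"blocked {qname}")      # record the refusal for the SOC
            if self.sinkhole:
                return Answer(qname, "NOERROR", self.sinkhole, blocked=True)
            return Answer(qname, "NXDOMAIN", None, blocked=True)
        address = self.upstream.get(qname)
        if address is None:
            return Answer(qname, "NXDOMAIN", None, blocked=False)
        return Answer(qname, "NOERROR", address, blocked=False)


if __name__ == "__main__":
    resolver = FilteringResolver(BLOCKLIST, UPSTREAM)
    for q in ("www.example.com", "C2.Malware-Collector.example", "updates.vendor.example"):
        print(resolver.resolve(q))
    print(resolver.log)
```

The parent-domain walk in `is_blocked` is the part worth copying: a list entry for `malware-collector.example` must also stop `c2.malware-collector.example`, and normalising case and the trailing dot closes the trivial evasions. Logging each refusal turns the resolver into a detection source as well as a control, since a host that keeps asking for a blocked name is probably infected.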

Using the DNS server to block undesirable hostname lookups can block access to undesirable sites that host services related to porn, fraud, and malware. Many providers take the filtering beyond online risks. Some providers have been reported to filter liberal and conservative viewpoints or to serve political agendas. Web sites such as 2600 The Hacker Quarterly, abortion and sex education sites, and even political candidates have been victims of domain hijacking. China has been repeatedly criticized for hijacking domain names, preventing access to certain Web sites and countries.

Not all domain hijacking is intentional. In 1999, a Fortune-500 company fell victim to an accidental domain hijacking. Many large companies have branches worldwide. This company had a large branch in Japan. A major ISP in Japan saw that emails from the company were using a network route through the ISP, and the route was not optimal. By changing the ISP's DNS server (modifying the MX records), the ISP intended to direct the email along an optimal route.

Unfortunately, the ISP implemented the change incorrectly. Rather than marking the ISP as the less-desirable route, the new MX records marked it as the more desirable one. And the information was loaded into a very high-level DNS server. The Fortune-500 company saw their email volume drop dramatically as all emails were routed through the ISP. The ISP saw their volume increase to such a level that they fell under an unintentional DoS attack. Although the problem was identified and corrected within a few hours, it took nearly five days for the changes to propagate to all the caching DNS servers.
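As an added illustration (not part of the original text), the following Python models the two mechanisms the incident turns on: the MX preference rule, under which a sending mail server tries the record with the lowest preference value first, and a resolver cache that keeps an answer until its TTL expires, regardless of what the authoritative server says in the meantime. The domain, host names, preference values and the five-day TTL are constructed for the example; the page gives none of them, and the TTL is chosen only so the numbers line up with the text's timescale.

```python
"""MX preference and resolver caching, modelled to show why a reversed preference
redirects all mail and why fixing the authority does not fix cached copies.
Illustrative code with constructed data."""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class MX:
    preference: int    # lower value = tried first (RFC 5321 section 5.1)
    exchange: str


def delivery_order(records):
    """Exchanges in the order a sending MTA tries them: lowest preference first."""
    return [mx.exchange for mx in sorted(records, key=lambda m: (m.preference, m.exchange))]


# Constructed records for a hypothetical company domain "corp.example".
# Intended: the company mail server is preferred, the ISP relay is only a fallback.
INTENDED = [MX(10, "mail.corp.example."), MX(50, "relay.isp-jp.example.")]
# The mistake: the ISP relay is given the *lower* (more preferred) value.
MISTAKEN = [MX(50, "mail.corp.example."), MX(10, "relay.isp-jp.example.")]


class CachingResolver:
    """Minimal positive cache: an answer is reused until its TTL has elapsed."""

    def __init__(self, authoritative, now=time.time):
        self.authoritative = authoritative   # name -> (ttl_seconds, records)
        self.now = now                       # injectable clock for simulation
        self.cache = {}                      # name -> (expires_at, records)

    def lookup_mx(self, name):
        entry = self.cache.get(name)
        if entry is not None and entry[0] > self.now():
            return entry[1]                  # still fresh: serve from cache
        ttl, records = self.authoritative[name]
        self.cache[name] = (self.now() + ttl, records)
        return records


def order_seen_by_cache(ttl_seconds, fixed_at, observed_at):
    """Delivery order a caching resolver reports at observed_at, given that it cached
    the MISTAKEN records at t=0 and the authoritative zone was corrected at fixed_at."""
    clock = {"t": 0}
    authority = {"corp.example.": (ttl_seconds, MISTAKEN)}
    resolver = CachingResolver(authority, now=lambda: clock["t"])
    resolver.lookup_mx("corp.example.")                    # t=0: bad records enter the cache
    clock["t"] = fixed_at
    authority["corp.example."] = (ttl_seconds, INTENDED)   # authority fixed; cache untouched
    clock["t"] = observed_at
    return delivery_order(resolver.lookup_mx("corp.example."))


if __name__ == "__main__":
    DAY = 86400
    print("intended:", delivery_order(INTENDED))
    print("mistaken:", delivery_order(MISTAKEN))
    # Assumed 5-day TTL: fixed after 3 hours, but a cache filled before the fix
    # still hands out the mistaken order on day 4.
    print("day 4, fix at 3h:", order_seen_by_cache(5 * DAY, 3 * 3600, 4 * DAY))
    print("after TTL expiry:", order_seen_by_cache(5 * DAY, 3 * 3600, 5 * DAY + 1))
```

Two practical points follow from the model. First, because a lower MX preference wins, a backup relay must carry the higher number; reviewing that ordering before a zone change is a cheap check. Second, the time to recover from a bad record is bounded below by the record's TTL at the moment it was cached, so lowering TTLs ahead of a planned change shortens the exposure window if the change goes wrong.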

Although uncommon, this type of unintentional DNS hijacking occurs more often than expected. Most large corporations experience similar misconfigurations every few years.
