
The Internet's Phone Book Is Broken

 5 years ago
source link: https://www.tuicool.com/articles/hit/Mz6by2f
Illustration: Yoshi Sodeoka

Back in January, the Cybersecurity and Infrastructure Security Agency (CISA), a division of the Department of Homeland Security, issued its first emergency directive, requiring federal civilian agencies to secure themselves against a global hacking campaign targeting the Domain Name System (DNS), a campaign that security firm FireEye assesses with “moderate confidence” was sponsored by the Iranian government.

Security firm Farsight has alleged that DNS vulnerabilities played a role in the infamous Democratic National Committee email hack. Motherboard reports that Venezuelan President Nicolás Maduro’s administration appears to have abused DNS using what’s known as a homograph attack to collect names, email addresses, passwords, and other personal information from anti-Maduro activists.

For five hours on October 22, 2016, anyone who logged into an unnamed Brazilian bank’s website was actually handing their login credentials to hackers who had exploited weak points in the bank’s DNS infrastructure. Last April, the same thing happened to users of a cryptocurrency exchange, resulting in more than $150,000 being stolen from its users.

Most of us assume core internet infrastructure like DNS will always work as advertised. Simply type the URL for your bank’s website into your browser, and milliseconds later, you should be looking at your bank’s login page. Punch in your credentials and you’re off to the races, browsing your account activity, transferring money, and bemoaning last weekend’s ill-advised bar tab. Simple, safe, secure. But as the victims of these attacks learned the hard way, that’s not always the case.

The vast majority of DNS traffic is still verified using the honor system.

DNS is the umbrella term for the protocol and series of servers that take a “name” such as “www.medium.com” and turn it into an IP address, which is used to route requests through the internet to their destination. The system’s primary purpose has led many to describe DNS with a metaphor as dry as the source material: DNS is the internet’s yellow pages. But hidden behind its mundane facade is a veritable cornucopia of malicious opportunity.

The attacks against DNS are quite well known within the security world — DNS is ubiquitous and often poorly secured by IT professionals, making it a juicy target for hackers. The system is engaged almost every time a device sends data across the internet, meaning a single weakness at the protocol level opens literally every internet user to DNS-based attacks. The tedious and unremarkable nature of DNS lulls IT specialists into a false sense of security and makes breaching the protocol appealing to hackers. That might all be fine if the system were secure by default, but the vast majority of DNS traffic is still verified using the honor system.

The decentralized database protocol was defined in 1983 by Paul Mockapetris to help the burgeoning internet handle increasing request volume. The optimism and innate sense of trust that guided so much of the early internet’s innovation was imbued into DNS; the original specifications of DNS had no encryption and no way to verify that a name-to-address mapping wasn’t spoofed or hijacked. These shortcomings remain as part of DNS’s vestigial DNA.

There are two major kinds of DNS servers: authoritative name servers and recursive resolvers. Name servers are the source of truth: each holds the records for the zones it is authoritative for and maps names such as google.com and fbi.gov to IP addresses. Resolvers are the concierges of the DNS world: they query the relevant name servers on our behalf, starting from the root and working down, cache what they learn, and hand us the resulting IP address.

While plenty of standards modifications and encryption-providing alternatives have emerged, the default state of DNS traffic is still unencrypted. The most widely deployed DNS server software, BIND, still does not offer encrypted transport in its current release and has a long history of published security vulnerabilities. Without significant manual labor, your DNS traffic is sent across the internet in plain text. This gives a motivated adversary (and your ISP) a wealth of information about what websites you visit, how often you visit them, and when you visit them. This information has been sold to advertisers, and depending on which websites you’re visiting, it might well be used as part of a cyber-extortion scheme.

DNS is well known as a leaky pipe, sometimes even leaking information past the protection of a VPN and providing adversaries with a tool to deanonymize Tor traffic. But the problems with DNS don’t stop at privacy.

Hacking DNS

Attacks against DNS have become so common that in February, the Internet Corporation for Assigned Names and Numbers (ICANN), the nonprofit responsible for coordinating and maintaining much of DNS’s critical infrastructure, issued a warning:

It is essential that members of the domain name industry, registries, registrars, resellers, and related others take immediate proactive and precautionary measures, including implementing security best practices, to protect their systems, their customers’ systems and information reachable via the DNS.

In addition to privacy leaks and phishing attacks, DNS has been used to covertly install and control malware, exfiltrate data from secure servers, and bring web infrastructure to its knees in denial of service attacks.

Because DNS data is rarely encrypted or authenticated, it is highly susceptible to man-in-the-middle attacks, in which DNS queries and responses are replaced or modified in transit. By altering the response to a lookup, attackers can send unsuspecting users to a malicious website instead of the one they asked for. These attacks are often used to direct users to a lookalike website, where their credentials are harvested. This is the central tactic behind the two phishing schemes that targeted the Brazilian bank and the cryptocurrency exchange.

In the Brazilian banking scheme, attackers appear to have compromised employee credentials for the bank’s DNS infrastructure, allowing them to modify the DNS records at the source. Other DNS poisoning schemes involve infecting home routers so that their DNS settings point at attacker-controlled resolvers, which then hand out forged records to every device behind the router. Last September, an enormous DNS poisoning botnet was found to have infected more than 100,000 routers, mainly in Brazil.

The attack against a cryptocurrency exchange last April was a bit different. Sophisticated attackers combined DNS’s lack of encryption and verifiability with another well-known attack vector, a BGP hijack (often loosely called a BGP leak), in which the attackers announced routes for IP address space they did not own. The address space they hijacked belonged to major DNS infrastructure operated by Amazon, which the exchange pays to host its authoritative name servers. Queries for the exchange’s IP address were therefore routed to attacker-controlled servers, which returned bogus IP addresses while successfully masquerading as the exchange’s authoritative DNS servers.

By masquerading as an authoritative name server, the attackers were able to trick major DNS resolvers into caching the fraudulent records, which let them steal data from even more victims. Major resolvers, including Cloudflare’s 1.1.1.1 and Google’s 8.8.8.8, were tricked into serving the poisoned DNS records, amplifying the attack’s impact. A validating resolver can reject a forged answer only for a zone whose owner has signed it with DNSSEC; for an unsigned zone, the resolver has nothing to check beyond the transaction ID and the question, so a forgery that arrives from the expected address is cached like any other answer.
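To make the “honor system” concrete, here is an added example (not code from the article or from any real resolver) that encodes and decodes the RFC 1035 wire format and applies the only checks a classic, non-validating resolver performs before caching an answer. It illustrates both the plaintext point made earlier (the queried name is readable by anyone on the path) and the poisoning described here: an attacker who sees the query, or who sits where the authoritative server should be, passes every check. Names, the transaction ID, and the 203.0.113.66 address are constructed for the example.

```python
import random
import struct

# Added example (not from the article): a minimal RFC 1035 wire-format
# encoder/decoder and the "honor system" check a classic, non-validating
# resolver applies before caching an answer. Names and addresses are made up.

TYPE_A = 1
CLASS_IN = 1
HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (top bits 11)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2          # remember where the pointer ended
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_query(txid, name, qtype=TYPE_A):
    """Standard query, RD=1. Everything, including the name, is plaintext."""
    return (HEADER.pack(txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN))


def build_response(txid, name, ipv4, ttl=300):
    """Response (QR=1, RD=1, RA=1) with one A record; the owner name is a
    compression pointer (0xC00C) back to the question at offset 12."""
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer


def parse(msg):
    txid, flags, qd, an, _ns, _ar = HEADER.unpack_from(msg, 0)
    offset, questions, answers = HEADER.size, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A else rdata.hex()
        answers.append((rname, rtype, ttl, value))
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def resolver_accepts(query, response, query_port, response_port):
    """The entire check a non-validating resolver makes before caching:
    the reply came back to the port the query left from, repeats the 16-bit
    transaction ID, and repeats the question. Nothing proves who sent it."""
    q, r = parse(query), parse(response)
    return (query_port == response_port and r["is_response"]
            and q["txid"] == r["txid"] and q["questions"] == r["questions"])


def demo(seed=1):
    """On-path attacker (or a hijacked path to the authoritative server, as
    in the exchange incident): it saw the query, so the forgery passes."""
    rng = random.Random(seed)
    txid, port = rng.randrange(1 << 16), rng.randrange(1024, 1 << 16)
    query = build_query(txid, "www.exchange.example")
    forged = build_response(txid, "www.exchange.example", "203.0.113.66")
    return resolver_accepts(query, forged, port, port), parse(forged)["answers"]


if __name__ == "__main__":
    accepted, answers = demo()
    print("forged answer accepted:", accepted, answers)
```

An off-path attacker has to guess the transaction ID and, since the 2008 fixes, the randomized source port as well, which is why those fixes matter; an on-path attacker or a BGP hijacker guesses nothing. Only a signature over the records (DNSSEC) lets the resolver tell a forged answer from a real one.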

Fortunately, other safeguards are in place that can help mitigate the impact of attacks like these. Transport Layer Security (TLS), the foundation of all HTTPS traffic, gives your browser a way to check that the server it reached can prove control of the domain name you asked for. Using a certificate issued by a certificate authority and public-key cryptography, the browser can detect a server that cannot present a valid certificate for the name in the address bar. In the attack against the cryptocurrency exchange, the perpetrators could not obtain a valid certificate for the exchange’s domain, which means the vast majority of users would have seen a warning page generated by their browser:

[Screenshot: the browser’s certificate warning page]

Users who chose to disregard this warning were directed to a website that looked very much like the real exchange website. When those users typed in their login credentials, the attackers saved their credentials and then forwarded the users to the real cryptocurrency exchange site. From a user’s perspective, it appeared as though they had logged in successfully after a weird security warning.

Clever attackers have also abused DNS without directly intercepting or altering web traffic. Internationalized domain names, which allow domains to use Unicode characters in addition to the limited ASCII character set, have let attackers register domain names that look an awful lot like well-known domains but send you to malicious IP addresses. Consider the following two domain names (but do not type them into your address bar):

Medium[dot]com

Meḍium[dot]com

Can you see the dot below the “d” in the second name? You would be forgiven for thinking it was just a speck of dust on your screen, but it’s actually the Unicode character U+1E0D, “Latin small letter d with dot below.” Security writer Brian Krebs explains how these characters have been used to direct unsuspecting users to phishing sites. Merike Käo, the former CTO of Farsight Security, spoke about this vulnerability at the RSA conference in 2018, stating that malicious registration of homographs (names that look alike) is widespread and especially common for famous brands. Even worse, attackers can easily obtain a valid certificate for the bogus domain: a domain-validated certificate only proves control of the name that was registered, and the lookalike name genuinely is theirs, so victims see a padlock rather than a warning from their browser. Browsers mitigate some of this by displaying suspicious internationalized names in their punycode (xn--) form, but the display policies differ between browsers and are not exhaustive.
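Two cheap checks catch many of these names, and they catch different ones. The following is an added example (not from the article, Krebs, or Farsight): a “skeleton” that strips diacritics, a rough script-mixing check, and the punycode form that DNS actually carries. The brand watch-list and the sample names are constructed; the script check approximates the Unicode Script property with character names because the standard library has no Script property, and the registrable-label logic assumes a two-label zone.

```python
import unicodedata

# Added example (not from the article): two cheap checks for look-alike
# domain names, plus the punycode form a resolver actually receives.
# The brand list and sample names are constructed for illustration.


def skeleton(label):
    """Strip diacritics: NFKD-decompose, drop combining marks, lowercase.
    U+1E0D 'd with dot below' decomposes to 'd' + U+0323, so the mark is
    removed and 'meḍium' collapses to 'medium'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def scripts(label):
    """Approximate the Unicode Script property with the first word of each
    letter's character name (LATIN, CYRILLIC, GREEK, ...). The stdlib has
    no Script property, so this is a rough stand-in, not UTS #39."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def to_ace(domain):
    """IDNA (punycode) form: what DNS carries on the wire, and what many
    browsers now display for names that fail their IDN display policy."""
    return domain.encode("idna").decode("ascii")


def check_domain(candidate, brands):
    labels = candidate.lower().rstrip(".").split(".")
    # Assumption for the example: the registrable label is the second-level one.
    # Real code needs the Public Suffix List (think co.uk).
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    findings = []
    if len(scripts(sld)) > 1:
        findings.append("mixed-script label")
    for brand in brands:
        if sld != brand.lower() and skeleton(sld) == skeleton(brand):
            findings.append("confusable with " + brand)
    return {"input": candidate, "ace": to_ace(candidate), "findings": findings}


BRANDS = ["medium", "apple"]          # constructed watch-list

if __name__ == "__main__":
    # me\u1e0dium: Latin d with dot below; \u0430pple: Cyrillic a, Latin pple
    for name in ["medium.com", "me\u1e0dium.com", "\u0430pple.com"]:
        print(check_domain(name, BRANDS))
```

The two checks are complementary: the dotted “d” is a Latin letter, so the script check never fires on it, but the skeleton collapses to the brand; the Cyrillic “а” has no decomposition, so the skeleton stays different, but the label mixes scripts. A name written entirely in Cyrillic look-alikes defeats both, which is why browsers and registries use the full confusables table from Unicode TS #39 rather than tricks this simple.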

Recently, DNS has been abused to trick users into installing DNSpionage, and then as the channel through which that malware receives commands from the attackers and exfiltrates data from infected hosts. Cisco’s Talos Intelligence team described this DNS double whammy last year. On highly secure networks, inbound and outbound data are tightly monitored and analyzed for suspicious or risky behavior. But because DNS is so widely used and so boring, many network administrators overlook it as an attack or exfiltration vector, hence ICANN’s call for improvements earlier this year. This lackadaisical attitude is part of what DNSpionage exploits. By hiding malicious traffic inside DNS queries for a domain they control, the attackers were able to sneak it past network firewalls, since almost every firewall permits outbound DNS; the same channel both steals data and controls the malware. And because DNS truly is critical to the operation of any network, this hole can be hard to plug: you cannot simply block port 53, so detection has to look at the shape of the queries themselves.
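Looking at the shape of the queries is tractable, because a covert channel looks nothing like ordinary browsing: many distinct, long, high-entropy subdomains under one zone, often with record types such as TXT that carry larger payloads. The following is an added example (not from the article or the Talos report) that runs such a heuristic over constructed resolver log lines. The log format, the thresholds, the zone-splitting rule, and the badactor.example domain are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Added example (not from the article or the Talos report): a small
# tunnelling/exfiltration heuristic run over constructed resolver log lines.
# Format assumed: "<timestamp> <client-ip> <qname> <qtype>". Thresholds are
# illustrative assumptions; in production they come from a baseline.

SAMPLE_LOG = """\
2019-03-01T10:00:01Z 10.0.0.5 www.example.com A
2019-03-01T10:00:02Z 10.0.0.5 mail.example.com MX
2019-03-01T10:00:03Z 10.0.0.7 cdn.static-assets.example.net A
2019-03-01T10:00:04Z 10.0.0.9 3e4f1a9c0bd27e6f.f3a9c21d.c2.badactor.example TXT
2019-03-01T10:00:04Z 10.0.0.9 9a0e7b33c1d84f5a.1b8e0c44.c2.badactor.example TXT
2019-03-01T10:00:05Z 10.0.0.9 c77d1e0f5a2b9c38.07ff3e19.c2.badactor.example TXT
2019-03-01T10:00:05Z 10.0.0.9 e1b2c3d4f5a60718.9d4c2a00.c2.badactor.example TXT
2019-03-01T10:00:06Z 10.0.0.5 www.example.com A
"""

MIN_UNIQUE_SUBDOMAINS = 3     # many distinct labels under one zone
MIN_MEAN_ENTROPY = 3.0        # bits per character; English-like labels sit well below
MIN_SUBDOMAIN_LENGTH = 24     # encoded payloads need room


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain, zone). Assumes the zone is the last two labels;
    real code would consult the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def detect(text):
    """Group queries by (client, zone) and flag groups that look like a
    covert channel: many unique, long, high-entropy subdomains."""
    groups = defaultdict(lambda: {"subdomains": set(), "entropies": [], "qtypes": set()})
    for _ts, client, qname, qtype in parse_log(text):
        sub, zone = split_qname(qname)
        g = groups[(client, zone)]
        g["subdomains"].add(sub)
        g["entropies"].append(shannon_entropy(sub))
        g["qtypes"].add(qtype)
    findings = []
    for (client, zone), g in groups.items():
        unique = len(g["subdomains"])
        mean_entropy = sum(g["entropies"]) / len(g["entropies"])
        longest = max(len(s) for s in g["subdomains"])
        if (unique >= MIN_UNIQUE_SUBDOMAINS and mean_entropy >= MIN_MEAN_ENTROPY
                and longest >= MIN_SUBDOMAIN_LENGTH):
            findings.append({"client": client, "zone": zone,
                             "unique_subdomains": unique,
                             "mean_entropy": round(mean_entropy, 2),
                             "qtypes": sorted(g["qtypes"])})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Content delivery networks and some anti-spam services legitimately generate long, random-looking labels, so a heuristic like this is a triage signal, not a verdict; the usual next step is to baseline per zone and alert on deviation, and to rate-limit or sinkhole the offending zone at the resolver rather than blocking DNS wholesale.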

It’s hard to lay all the blame for these vulnerabilities at network administrators’ feet. Any big organization will generate massive amounts of legitimate DNS traffic, which makes finding and preventing malicious DNS queries a bit like plucking a needle from a haystack. Still, experts have noted that the security extensions to DNS standardized back in 2005 (called DNSSEC) would mitigate or prevent a large share of DNS hijacking and poisoning attacks, including some of the record tampering the DNSpionage campaign relied on. DNSSEC does nothing against DNS tunneling, however: the queries that carry exfiltrated data are ordinary, well-formed lookups for a zone the attacker controls, and they validate perfectly. Currently, only about 20 percent of DNS traffic is validated with DNSSEC.

It’s wildly irresponsible for operating systems developers and DNS providers to continue neglecting such a widely abused attack vector.

DNS has also been abused to execute denial of service (DoS) attacks. The goal of a DoS attack is to render some internet service unusable, and DNS is often used as a tool to orchestrate DoS attacks as well as being a popular target of such attacks. In 2015, Turkish DNS infrastructure was taken offline by a DoS attack, rendering nearly all 400,000 websites with a .tr domain unreachable. In 2016, a DoS attack targeting Dyn’s DNS infrastructure rendered huge swaths of the internet unreachable for North American and European users.

DNS is a popular choice for DoS attacks because it lends itself to both “reflection” and “amplification.” With reflection, the attacker sends DNS requests whose source IP address is forged to be the victim’s, so the resolver’s responses go to the victim rather than back to the attacker; this hides the attacker and presses other people’s servers into service. Amplification happens when a very small query produces a much larger response, such as a query for a name with many large records or for a DNSSEC-signed zone. Used in combination, the attacker sends a lot of very small DNS requests carrying the victim’s address to open resolvers, which then send a lot of very large responses to the victim, multiplying the attacker’s bandwidth many times over. Two well-known defenses attack each half: networks that filter forged source addresses at their edge (BCP 38) make reflection impossible from inside them, and resolvers that answer only their own users rather than the whole internet cannot be used as amplifiers.

Protocols providing encryption for DNS traffic have been standardized. One of them, DNS over TLS (RFC 7858), uses the same TLS protocol that encrypts HTTPS traffic to encrypt the hop between your device and its resolver; DNS over HTTPS (RFC 8484) does the same inside an HTTPS connection. The encryption is hop-by-hop rather than end-to-end: the resolver still sees every query in the clear, so you are moving trust from everyone on the path to the operator of the resolver. DNS over TLS has been adopted by some major providers and resolvers, including Google and Cloudflare, and it could seriously curtail man-in-the-middle attacks on that hop, but many others still do not support it.

Making matters worse, most operating systems still do not support DNS over TLS out of the box, and configuring a nonstandard DNS resolver is quite a challenge for most users. Although it is relatively easy to enable DNS over TLS on up-to-date Android devices, support for encrypted DNS on Windows 10, macOS, iOS, and BIND still lags behind. And whether a client falls back to plaintext when the other side lacks DNS over TLS depends on how it is configured: in the opportunistic profile most clients default to, it silently falls back to unencrypted DNS, and only a strict profile (Android’s Private DNS with a named host, for example) refuses to resolve rather than downgrade.

It’s the same story for DNSSEC, which protects DNS responses against tampering through digital signatures rather than encryption: anyone can still read the records, but a validating resolver can tell whether they were signed by the zone’s owner. While the protocol has been standardized since 2005, adoption lags behind, leaving many of us vulnerable to DNS hijacking and poisoning attacks. In an ironic twist, DNSSEC’s large signed responses make signed zones the most effective amplifiers for DNS-based denial of service attacks. This fact serves as a reminder that software security is a world full of trade-offs and imperfect options.

Kirstjen Nielsen, the Secretary of Homeland Security, recently indicated that cyberwarfare is the greatest threat to the United States and the companies that operate here. Nation-states, cybermercenaries, and organized cybercriminals are all becoming more sophisticated in the dark arts of malicious computing. It’s terrifying that a core piece of infrastructure like DNS is so riddled with vulnerabilities, and it’s infuriating that most of the problems have been solved in theory but continue to exist in practice due to slow adoption and poor security practices.

DNSSEC has been available since 2005, but only 20 percent of DNS traffic is secured by it. On the other hand, we have DNS over TLS, which was standardized in 2016 and is already supported by Google, Cloudflare, Quad9, and others, proving it is possible to keep up with security standards. But because most operating systems still don’t support the standard, very few users are able to realize the benefits of encrypted DNS. Enterprise IT, DevOps, and security teams should definitely audit their DNS configurations and infrastructure, or consider paying a provider with a serious commitment to security, such as Cloudflare or NS1.

For the savvy and paranoid, it is possible to install an alternative DNS resolver, such as Unbound, or even build a DNS proxy using a Raspberry Pi and have your router redirect all your DNS traffic through the proxy. For everyone else, your best bet right now is to switch to a DNSSEC-validating resolver such as 8.8.8.8, 1.1.1.1, or 9.9.9.9. Note that validation only protects domains whose owners have signed them; for an unsigned zone, a validating resolver behaves exactly like any other.
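For the Unbound route, here is an added example configuration (not from the article or the Unbound project) that turns a small machine such as a Raspberry Pi into a local resolver which forwards every query over DNS over TLS to two of the public resolvers named above and validates DNSSEC itself. The file paths are assumptions that differ by distribution, and the trust anchor file has to be created once with `unbound-anchor -a /var/lib/unbound/root.key` before the service starts.

```conf
# /etc/unbound/unbound.conf (added example; paths are assumptions)
server:
    interface: 127.0.0.1
    interface: ::1
    # Only answer our own hosts: never run an open resolver that can be used
    # as a reflection/amplification source.
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse
    # Validate DNSSEC locally; root.key is maintained per RFC 5011.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # CA bundle used to authenticate the upstream DoT servers' certificates.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    hide-identity: yes
    hide-version: yes

forward-zone:
    name: "."
    # Strict profile: queries go over TLS on port 853 and the upstream must
    # present a certificate for the given hostname; there is no plaintext fallback.
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Run `unbound-checkconf` before restarting. Because `forward-tls-upstream` is strict, a broken TLS path fails closed rather than silently downgrading to plaintext, which is the behaviour you want from a resolver that exists to keep queries private; point the router’s DHCP DNS option at this machine so every device on the network uses it.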

It’s wildly irresponsible for operating systems developers and DNS providers to continue neglecting such a widely abused attack vector, especially for companies that talk a big game on privacy, like Microsoft and Apple. We should demand support by default for DNS over TLS from companies like Microsoft and Apple before we lose even more of our personal information to nefarious actors.
