A few days ago, the site google.co.ma, the Moroccan version of the well-known search engine was reported as defaced (screenshot here). Only the URL ‘google.co.ma’ was defaced, the long version ‘www.google.co.ma’ was still working properly. What happened? In fact, Google was clearly not the target in this case but the site nic.ma which is in charge of the TLD .ma.
What can we learn from this story? Often small or medium companies do not run their own primary name servers (the server in charge of resolving requests to their domain name(s)). They delegate the management of their domain names to external partners. Even if their security perimeter is strongly protected against external threads (using firewalls, waf’s, IDPS, etc), the domain name system can become their Achille’s heel if not properly protected. DNS redirection attack can compromise your business like in the case describe above.
How to protect you? DNS redirection can occur internally or externally. DNS is a critical service: without DNS you won’t be able to access the Internet and your customers won’t be able to access your websites. In case of an internal attack, clients connected on your LAN will receive a bad DNS configuration provided by a rogue DHCP server. This untrusted name server will handle requests coming from your clients and forward them to a fake website (example: to redirect an e-banking website to a malicious one and steal data). To protect you, track any potential rogue DHCP servers and, most important, limit the traffic to name servers (port 53 UDP &TCP) to a limited set of trusted IP’s.
An external redirection attack will have much more impact on your business and/or reputation. If the domain name hoster or the TLD registrar is vulnerable to an attack or does not keep its business safe, your website traffic can be redirected to another IP address. But in this case, all Internet users will be redirected to the wrong destination, not only your local workstations.
To detect any unexpected change in your DNS, it’s easy to use monitoring tools like Nagios Icinga or Groundwork. They provide a lot of plug-ins to check almost all kind of network or system resources. The check_dns plug-in does exactly what we need in this case: It can resolve a host name and warn is the returned IP address is not the expected one:
# ./check_dns -H www.yahoo.com -a 87.248.113.14 DNS OK: 0.140 seconds response time. www.yahoo.com returns \ 87.248.113.14|time=0.139685s;;;0.000000 # echo $? 0
Now if the returned address changed:
# ./check_dns -H www.yahoo.com -a 87.248.113.15 DNS CRITICAL - expected '87.248.113.15' but got '87.248.113.14' # echo $? 2
As you can see, the return code differs. Now let’s write a small script which will monitor our business critical websites:
#cat >myhosts.cfg <<_END_
www.yahoo.com a.b.c.d
www.paypal.com e.f.g.h
www.ebay.com w.x.y.z
_END_
# cat >dnsmon.sh <<_END_
#!/bin/bash
cat myhosts.cfg | while read DATA
do
set $DATA; HNAME=$1; IPADDR=$2
check_dns -H $HNAME -a $IPADDR >/dev/null 2>&1
[ "$?" != "0" ] && echo "ALERT: $HNAME IP address changed?"
done
_END_
Just schedule the small script above with a crontab every hour. If an IP address changed, you will be notified! Here the plug-in is used as a stand alone tool but used inside Nagios, it can alert you and benefit of all the available features.
Note that the script above don’t take care of multipe IP address returned. This is just a quick example of what can be done to increase your security.