Blog: DNS

Steve Gibson, one of the hosts of the popular "SecurityNow!" podcast, has created a tool that allows the checking of DNS servers for spoofability. This tool works by asking the user's browser to retrieve an image located at a uniquely named subdomain of the type xxxxxxxxxxxxx.dns.grc.com, "where the “xxxxxxxxxxxxx” is replaced with a unique 13-character string of characters that has never been used before."*

Then, in order to learn the IP address for this special name, the browser sends a DNS query to its DNS server, which forwards the query to a special nameserver located at grc.com. This nameserver tells the DNS server that the image's location is actually an "'alias' of the real domain name, which is a good deal longer and more complex."* The nameserver instructs the DNS server to look up the "real" location of the image, which looks like "...a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.a.xxxxxxxxxxxxx.dns.grc.com"* (with about 50 'a' labels in front).

The DNS server sends queries to the GRC nameserver, attempting to resolve the given domain name one sub-domain at a time, which causes the DNS server to send hundreds of requests that are collected by the GRC nameserver. As the nameserver collects these requests, it creates a scatter plot of the Source Port and the Query Transaction ID of each request. The data is then analyzed for the randomness of the Source Port and the Query Transaction ID, which reveals the spoofability of the DNS servers in use: a resolver that uses a fixed port or a predictable transaction ID leaves an attacker far fewer values to guess.
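The port and transaction-ID analysis described above, as an added example that is not GRC's code: it takes a list of (source port, transaction ID) pairs, which here are constructed rather than captured from a resolver, and scores how predictable each field is.

```python
"""Added example (not GRC's code): score the Source Port / Query Transaction ID
randomness of a batch of DNS queries the way the test described above does.
The query data below is constructed, not captured from a real resolver."""
import math
import random
from collections import Counter

def shannon_entropy_bits(values):
    """Entropy of the observed values in bits per sample (max is log2(n))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def looks_sequential(values):
    """True when every consecutive difference is identical: a fixed value
    (step 0) or a plain counter (step 1), both trivially predictable."""
    return len({b - a for a, b in zip(values, values[1:])}) == 1

def assess(queries):
    """Per-field statistics plus a verdict for a list of (port, txid) pairs."""
    n = len(queries)
    report = {"samples": n, "max_bits": round(math.log2(n), 2)}
    for name, vals in (("port", [p for p, _ in queries]),
                       ("txid", [t for _, t in queries])):
        report[name] = {
            "distinct": len(set(vals)),
            "entropy_bits": round(shannon_entropy_bits(vals), 2),
            "sequential": looks_sequential(vals),
        }
    # An attacker must guess port AND txid; a fixed port or a counting txid
    # removes one of the two unknowns, so either field failing is "poor".
    poor = any(report[f]["sequential"] or report[f]["distinct"] < n // 2
               for f in ("port", "txid"))
    report["verdict"] = "poor" if poor else "good"
    return report

def sample_queries(kind, n=500, seed=1):
    """Constructed traffic: 'fixed' = one port and a counting txid (unpatched),
    'weak' = random port but counting txid, 'random' = both randomised."""
    rng = random.Random(seed)
    counting = [(32768, 1000 + i) for i in range(n)]
    if kind == "fixed":
        return counting
    ports = [rng.randint(1024, 65535) for _ in range(n)]
    if kind == "weak":
        return [(p, t) for p, (_, t) in zip(ports, counting)]
    return [(p, rng.randint(0, 65535)) for p in ports]
```

Call `assess(sample_queries("fixed"))`, `"weak"` or `"random"` to compare the three cases; only the fully randomised one is rated "good".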

This tool is quite interesting, and it shows that even as vulnerabilities are found in these critical systems, many operators do not fix them. That leaves users at risk of visiting a malicious web site while believing it is the site they were looking for, which potentially places their private data at risk.

*A more thorough and detailed analysis of how this tool works can be found by reading GRC's article on how the DNS Nameserver Spoofability Test works.


 

Recently, an unscrupulous individual was trying to set up a fake copy of one of our customers for what was likely a phishing scheme on a server located in the Netherlands.  Upon examining the whois record, there was a contact listed as the admin with an address and phone number.  Upon calling the number, the individual that answered the phone of course knew nothing about the person that registered the website.  Other entries appeared to indicate that Yahoo was involved in the hosting.  However, in order to actually connect to the website, the DNS records are registered with name servers that are usually from the webhost provider. Below is a screen shot of the Whois results (with some of the information removed).

After querying the name server’s DNS for citibo.com, it was clear that these servers were pointing back to a server named hosting1-nl.santrex.net.  Santrex.net appeared to have hosting servers located in the Netherlands.  A trouble ticket was created for abuse on the santrex.net website, and a few hours later, the webhost provider suspended the account.  While we were still waiting for the FBI to get back to us, it was really helpful to contact the webhost provider and get the website taken down.


 

It’s good to check with your Internet Service Provider (ISP) every once in a while to make sure there haven’t been any changes to their DNS servers.  I was recently working with a customer who was having a problem viewing a certain webpage.  Even though the webpage was valid, when the customer would try to access it, an “under construction” page would appear.  Troubleshooting revealed that when their DNS servers had to do a recursive query, they were getting invalid IP addresses from their ISP’s DNS servers.

I called the ISP’s tech support and the case was quickly escalated to tier 2.  When I received a call back, the engineer explained that the DNS servers that were entered for resolving recursive queries did not actually respond to recursive queries, but were authoritative only.  I was given a different pair of DNS server IP addresses to use for queries.  Once the change was made, the website displayed correctly.


 

I was recently configuring an ISA server for a network support customer, including automatic configuration using WPAD.  The customer had a 2008 SBS server and a 2003 ISA server (running ISA 2006).  I added a "wpad" alias (CNAME) to the DNS server on the SBS box to allow clients to automatically detect the new ISA server.  However, when I tried to resolve the entry on the SBS server as well as other hosts on the network, it never would resolve.  I tried other CNAME entries on the server, and they all worked fine.  I tried removing the entry and re-adding it, but got the same behavior.  I decided to let it sit overnight to see if it was a timing issue.  The next day, I still couldn’t resolve "wpad" or "wpad.bofc.local".  I started digging and found that the DNS service on Windows Server 2008 has a built-in "block list" for some potentially dangerous DNS names.  The default list includes "wpad" and "isatap".  Gotcha!  Since I wasn’t concerned with blocking any DNS names, I decided to turn off the "block list".  I used the following dnscmd command:

dnscmd /config /enableglobalqueryblocklist 0

Other helpful commands when dealing with this include (from http://technet.microsoft.com/en-us/library/cc995158.aspx):

To check whether the global query block is enabled, type the following:
dnscmd /info /enableglobalqueryblocklist

To display the host names in the current block list, type the following:
dnscmd /info /globalqueryblocklist

To disable the block list and ensure that the DNS Server service does not ignore queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 0

To enable the block list and ensure that the DNS Server service ignores queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 1

To remove all names from the block list, type the following:
dnscmd /config /globalqueryblocklist

To replace the current block list with a list of the names that you specify, type the following:
dnscmd /config /globalqueryblocklist name [name]…


 

If you're running DHCP on a Windows 2003 domain controller that is also running DNS, you may see Event 1056 (see link) errors in the System log.  This is because DHCP does not have separate credentials (a domain-user 'service' account is recommended) for DNS dynamic registration.  The danger here is that DNS records could be overwritten.  This is not a default config, but Microsoft recommends that you either use separate 'DNS credentials' or not run DNS and DHCP on the same domain controller.  See the link below for entering the credentials in the DHCP management console.

http://support.microsoft.com/kb/282001


 

On July 8, security researcher Dan Kaminsky announced he planned to reveal details about the DNS vulnerability (DNS cache poisoning) at Black Hat.  Since then, many technology vendors have provided patches to help fix the flaw.

Kaminsky has provided a "DNS Checker" self test on his website - see his personal blog at http://www.doxpara.com/


 

Windows has a tendency to cache negative DNS lookups, so that even after you fix a DNS problem you still cannot look up a name.  A negative DNS lookup occurs when trying to resolve the address for a name that has no corresponding DNS record.  There is a set of registry entries that specify cache times for DNS.  One of them specifies how long to cache these negative entries.  I would suggest setting it to zero so it will always try to query a DNS server even though the name did not exist before.  Doing this might save you some confusion when troubleshooting DNS issues.  Read about it here: http://support.microsoft.com/kb/318803.

There is also a dnscmd Windows Support tool that is handy for updating DNS without having to run the GUI.  You can read about it here: http://technet2.microsoft.com/WindowsServer/en/library/5c497b2e-3387-4ecf-adf5-562045620a961033.mspx.


 

Opendns.com is a free DNS resolution service that provides some useful added features:

  • Corrects common typos and misspellings (e.g. yahoo.cmo)
  • Allows you to create custom shortcuts (e.g. you can make "mail" resolve to "mail.<yourdomain>.com")
  • Offers filtering of web sites with a few different predefined categories such as pornography, tasteless, and anonymizing
  • Lets you manage custom whitelists and blacklists

This is a good solution for someone who wants to do basic web filtering at home or in a small business.

To use Opendns, create an account and define the IP address or subnet you’re using.  For home use with a dynamic IP, you’ll have to manually update your IP or install a dynamic DNS update client.  Checks are in place to prevent specifying the same subnet or IP twice, or entering a subnet when you’re not currently using an IP from that network.