Video Screencast Help
Security Response

Implicit Trust in DNS Servers

Created: 12 Oct 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:45:38 GMT
Ron Bowes's picture
0 0 Votes
Login to vote

When you visit a Web site, you typicallytype the URL into the browser or click on a bookmark. In either case,the domain name (for example, "www.symantec.com") is sent to yourdomain name system (DNS) server. This server takes the domain name andsends back the server's address. This structure can lead to someinteresting consequences.

How many people actually know which DNS server they're using? And,if they know which server they're using, how much do they trust theperson or company running the server? The majority of networks areconfigured with dynamic host configuration protocol (DHCP). DHCP is aprotocol that allows computers to broadcast a generic "configure me"message to the local network. Any server on the network can respond tothe message, telling the computer which DNS server to use (among otherthings). This problem is two-fold: first, there is no guarantee thatthe response is coming from the expected server. And second, even if itcomes from the proper server, what guarantee does the user have thatthe DNS server provided is actually valid and secure?

Most DNS servers are run by Internet service providers (ISPs). When auser connects to their ISP, they are typically directed to use theISP's DNS server. So who actually maintains that DNS server? And howmuch guarantee does a user have that this nameless person maintainingthe DNS server isn't malicious? With a few select commands, this personcan redirect your Google search to point to a list of malicious sites.

Even if the person maintaining the DNS server is trustworthy, howmuch emphasis is put on the security of the ISP's DNS server? Sinceexternal users need to connect to the server, there is potentialsurface area for attack. Additionally, other ports may be open formaintenance, or an attacker may plant a backdoor on the computer of theperson maintaining the DNS. In any of these cases, it is possible for aDNS server to be less trustworthy than people expect.

If a DNS server is exploited, any Web site you visit may be fake.This includes search engines, Web mail, banks, online stores, etc.Although sites that use SSL will give some warning (as discussedbelow), there are still some potential avenues for attack. Byredirecting a search engine, search results can be faked, leading theuser to malicious sites. By redirecting Web mail, a user's emailaccount can be stolen. By redirecting forums or message boards, auser's password can be stolen (since many users use the same passwordfor multiple sites, it could be more dangerous than usual). Any ofthese can be dangerous for a user, and, even worse, a smart attackercan make these completely invisible to the user.

The good news is that sites with SSL certificates will give awarning if the connection is redirected. That is, sites with a"https://" prefix. This means that, if you try visiting your bank sitewhile using a malicious DNS server, your browser will inform you thatthere's a potential attack taking place. However, most users wouldn'tknow what this message means or why it's important.

The bottom line is that implicit trust in DNS servers is dangerous,because your DNS server, like any other computer, can potentially actmaliciously.