During a Black Hat security conference held in August, a couple of researchers from Wiz.io announced a new class of DNS vulnerabilities impacting major DNS as a Service (DNSaaS) providers like Amazon Route 53, Google Cloud DNS, and Akamai that could allow attackers to access sensitive information from corporate networks.
In a controlled experiment, the Black Hat researchers were able to intercept sensitive data (internal and external IP addresses, computer names, employee names, and office locations) from 15,000 organizations, including Fortune 500 companies and U.S. and international government agencies.
Why does this matter? In the exploit world, the more information you have about your target, the greater the probability of successfully compromising that target.
The root of the issue
DNS is supported by domain registrars and hosting providers. Registrars are accredited companies that register domain names (e.g., insight.com) with the Internet Corporation for Assigned Names and Numbers (ICANN), while DNS hosting providers enable customers to update domain names and specify which servers domain names point to.
A DNS hosting provider will let you add any domain name you want. Theoretically, it doesn’t matter whether you own it. The core assumption is that there’s complete isolation between DNS customers hosted in the same tenant. This is the first problem.
Let’s say I add tunde.is.the.greatest.com as a domain name with my hosting provider. I don’t have to register this domain name — I’m simply hosting the DNS zone tunde.is.the.greatest.com on my hosted DNS server. Many DNS hosting providers will let you do this without proper domain name validation.
But this has consequences. Registering a domain with the same name as its name server breaks the isolation between tenants.
The vulnerabilities result from an algorithm specific to Microsoft machines that locates the master DNS server and sends it updates whenever the machine’s IP address changes. Under these conditions, that algorithm can end up directing those queries to a hijacked name server, giving attackers access to all of the resulting query traffic.
When the Black Hat team was conducting its research, they registered a new domain on the Route 53 platform that had the same name as the DNS server hosting it, so that any name server they registered on the platform fell under the management of that same server. Then, they pointed it to their own IP address. Whenever a DNS client queried this name server about itself, the traffic was rerouted to the Black Hat researchers’ IP address, revealing thousands of compromising data points.
How to fix the issue
Fixing DNS isn’t exactly simple. There are things that managed DNS providers could do to improve security for their customers. For example, they could verify ownership of domains before allowing customers to register them. Both Amazon Route 53 and Google have done so recently.
Microsoft could also update its dynamic DNS algorithm. However, when the Black Hat researchers reported their discovery to Microsoft, the company communicated that it considered the DNS issues a known misconfiguration rather than a vulnerability.
For the record, I believe Microsoft is correct. I join them in advocating for split DNS implementation in corporate environments — any group using split DNS would not be vulnerable to this exploit by default.
Regardless of who should do what, given the state of things today, it’s critical that businesses take steps to prevent business data from leaking. It’s completely within your control to configure DNS resolvers properly so that dynamic DNS updates do not leave the internal network — and your business is protected from DNS-initiated attacks.
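One way to verify that control from your own logs, added here as an example and not part of the original post: scan DNS traffic records for the SOA lookups and dynamic UPDATE messages a Windows client sends to its master server, and flag any that travel from an internal address to an Internet address. The log format, field names and sample lines are constructed for this illustration.

```python
import ipaddress
import re

# Constructed log format (not from any real product), one DNS message per line:
# "<timestamp> src=<ip> dst=<ip> dport=53 op=<SOA|UPDATE|A|...> name=<dns name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"op=(?P<op>\S+) name=(?P<name>\S+)$"
)

# SOA lookups locate the master server; UPDATE messages register the host's address.
# Either one leaving the internal network is the leak this post says to prevent.
LEAK_OPS = {"SOA", "UPDATE"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_leaked_updates(lines, internal_nets):
    """Return (ts, src, dst, op, name) for SOA/UPDATE traffic leaving the internal ranges."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    def is_internal(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != "53" or rec["op"] not in LEAK_OPS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            findings.append((rec["ts"], rec["src"], rec["dst"], rec["op"], rec["name"]))
    return findings

# Constructed sample: 10.1.2.3 updates the internal resolver (fine); 10.1.2.4 sends
# its SOA lookup and UPDATE to an Internet address (flagged); the plain A query is ignored.
SAMPLE_LOG = [
    "2021-08-12T10:00:01Z src=10.1.2.3 dst=10.0.0.53 dport=53 op=SOA name=corp.example.com",
    "2021-08-12T10:00:02Z src=10.1.2.3 dst=10.0.0.53 dport=53 op=UPDATE name=ws01.corp.example.com",
    "2021-08-12T10:00:03Z src=10.1.2.4 dst=203.0.113.10 dport=53 op=SOA name=corp.example.com",
    "2021-08-12T10:00:04Z src=10.1.2.4 dst=203.0.113.10 dport=53 op=UPDATE name=ws02.corp.example.com",
    "2021-08-12T10:00:05Z src=10.1.2.5 dst=203.0.113.10 dport=53 op=A name=www.example.net",
]
INTERNAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

if __name__ == "__main__":
    for ts, src, dst, op, name in find_leaked_updates(SAMPLE_LOG, INTERNAL_NETS):
        print(f"{ts} {src} -> {dst} {op} {name}")
```

Any hit points at a host whose DNS client settings or resolver configuration let update traffic escape the internal network.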
You’re not alone
This is a complex threat vector with global impact that should be taken seriously. Many organizations could experience significant consequences, simply because DNS isn’t broadly understood.
My team has your back. We bring proven expertise in DNS implementation and security and are fully aware of this newly discovered vulnerability and how to protect against it. Please reach out if you have any questions. We are here to help.
For more about the research from Black Hat, read the technical blog here.