Tag Archives: DNS

Secure your DNS to avoid losing business – Part 3

What happens if someone “owns” your DNS records

The direct consequence is that suddenly when contacting domain.com and all its subdomains (www, mx, ftp, etc.), some other servers owned by the new owner (legal or attacker) answer.

This disruption in normal operation means a loss of reputation, loss of market share, loss of trust from your customers and last but not least, financial loss for your business.

dns-good
Unaltered DNS records
dns-wrong
Altered DNS records

As can be seen in the above illustration, from the moment in which the DNS records are altered, the company that owns domain.com will no longer control where the traffic goes. The new owner can set up his web server to serve www.domain.com and his email server to serve mx.domain.com. Yes, this means that he can receive all email traffic for that domain.

Owning a black-white list can have even more consequences: the new server can serve whatever fits its needs. Either block any request reporting back that the item should be blacklisted (valid web sites, emails, files, etc.) or allowing everything (marking as good any malicious website, email, file). Fortunately, in such services there are many other controls that make such a task pretty complex.

What can you do to secure your domains?

Yes, there are things which you can do to prevent an attacker from taking ownership of your domains.

Lock your domains

Domain Lock or Registrar Lock is a status which can be set to a domain. When set, the following actions are prohibited by the registrar:

  • Modification of the domain name, including:
    • Transferring of the domain name
    • Deletion of the domain name
  • Modification of the domain contact details

Renewal of the domain name is, however, still possible when this flag is set.

Unfortunately, not all registrars support this functionality. If you want more security, you should choose a registrar that supports this feature. This functionality usually doesn’t come for free, but the price is not very high (10$-50$/month) and it is worth paying, especially if you have a large website or company.

Secure your domain administration information

All registrars allow entering contact persons for various functions. For example, there are some contacts for changing the IP address or deleting the domain and some others for paying the subscription. Make sure you separate them.  Also, make sure that you have a contact email address that is not hosted at the respective domain. Otherwise, if something happens to the domain, you can’t access your email anymore. Remember that all traffic goes to the new owner, including your emails.

If you use some free email servers like Gmail, Yahoo or others, make sure to activate two factor authentication for those accounts.

Set up a good password and make sure you don’t use the address hosted on the domain you try to protect as the recovery email address.

Make it harder for the attacker to get access to your account.

If you have multiple domains, it would be better to host them at different registrars. If one goes down, you can at least use the other ones.

The post Secure your DNS to avoid losing business – Part 3 appeared first on Avira Blog.

Secure your DNS to avoid losing business – Part 2

What happens when DNS doesn’t work?

Of course, having a non function DNS causes problems. We have to differentiate between two types of disruptions which have as consequence that the DNS resolution doesn’t work anymore: unintentional and intentional.

Unintentional disruption

In this case, nobody intentionally caused the issue that prevents the DNS service to function correctly. This can happen because of a configuration error or a hardware failure.  A good IT administrator can deal with it rather fast, especially if there is no change in the IP addresses or domain names (it is about restoring). If there are IP or name changes, even if the problem gets fixed on the source quickly, it takes usually minimum 24h for the changes in the DNS to propagate to enough servers so that someone can feel the difference.  Propagation is the way DNS servers exchange information between them so that as many as possible services know how to resolve a certain domain to its IP address. This delay can cause serious problems to your customers and visitors.

Intentional disruption

There are, however, cases when DNS errors are caused intentionally by persons or organizations who want to produce damages to the owner of a domain. This happened many times in the past and even some big companies where hit by this problem (Facebook, Google, Twitter, AVG, Avira, WhatsApp, etc.).

Let’s see how someone can change your DNS records.

Registrar manipulation

DNS is a service, and as any service, there has to be a service provider that offers the infrastructure that host the records (the tables that map a name to an IP address). Such service providers, usually called registrars, are all big ISPs like Comcast, 1&1, Network Solutions and so on. If one of them gets hacked then it is possible to alter the DNS records for any of the domains hosted there. In the past 12 months a couple of big registrars were hacked and this resulted in downtime for many domains.

This attack has potentially global consequences since, most of the time, authoritative DNS servers are affected.

Cache poisoning

DNS cache poisoning or DNS Spoofing, is a complex attack because it targets a certain audience. It is directed against the users that are dependent on the attacked service.  This can happen after an attacker is successfully injecting malicious DNS data into the recursive DNS servers that are operated by many other ISPs. The attacker usually chooses the DNS servers that are the closest to the targeted users from a network topology perspective. The best way to prevent this type of attack is to use DNSSec. If this is not possible, another way to protect the DNS records is to restrict their propagation to only servers that prefer to get fresher information from the Internet instead of caching an entry for a long time (in order to save bandwidth and time).

Legal DNS takeover

While related to the first case which is illegal, this takeover is completely legal (it is enforced by a court order) and it is performed by the registrar directly without consulting the owner of the domain. Recently, in an incident with domains hosting malware in the U.S., Microsoft managed to obtain legal custody of the DNS entries of the well-known service NO-IP Managed DNS. This had as consequence that thousands of innocent users who used No-IP’s service were no longer able to resolve their domains. The customers were using a form of <user-dns>.no-ip.com and several other hosts to reach their own domains. Without no-ip.com, the base domain, no subdomain worked anymore.

This can happen at any time and in any country because the laws are (still) very blurry in regards to cybercrime and what is allowed and what not.

The post Secure your DNS to avoid losing business – Part 2 appeared first on Avira Blog.

Secure your DNS to avoid losing business – Part 1

What is DNS and where is it used?

What many don’t realize is that there is much more behind it than just name to IP translation (called DNS lookup) and the other way around (that is called reverse DNS lookup).

There are hidden services which are critical for the proper functionality of the Internet like mail, ftp, web  – just to name the most well-known.  All these services are used every day by billions of people, devices and online services around the world without even thinking at them. The only time when they are aware of their existence is, when they don’t function anymore. But before going into this, let’s briefly go through the most important of them: email and web.

Email

Mail transfer agents use DNS to find out where to deliver e-mail for a particular address. The domain to mail exchanger mapping provided by MX records (Mail eXchange) is another example of how DNS works. MX represents the entity (mail server) that can receive email for a domain. The MX record is used by mail servers to exchange emails and it is configured as a subdomain like mx.domain.com. For example, if a user [email protected] wants to send an email to [email protected], the two servers must communicate via their MX records (domain1.com connects to mx.domain2.com), negotiate and agree on certain parameters and then finally exchange the email message.

The first and most important thing that must happen is that the servers are able to contact each other. When trying to contact mx.domain2.com, the mail transfer agent running on domain1.com must be able to locate domain2.com (this is called A-Record). If the DNS resolution for a domain doesn’t work at all (the name to IP address translation doesn’t work) then it is impossible for that domain to receive any emails.

WWW

Ever wondered why do you have to almost always put a “www.” in front of a domain so that you can view its website? “www.“ is actually a subdomain for the main domain and it was historically chosen as an acronym for “World Wide Web” or simply said, the website of that domain. Same as for the email, if the main domain doesn’t get found, then you usually can’t see the website anymore.

Other uses of DNS

There are also other uses of the DNS which are even more hidden than the two mentioned above. Best example for such a service built on top of the DNS are white- and black-lists used to filter good and bad domains, respectively. A service makes a specially created query to a certain domain and get back an answer in form of an IP address (that’s what DNS does, right?). Many services use 127.0.0.1 for when the address is in the list and 127.0.0.2 when the address is not in the list.

Now you know exactly what DNS is used for and where. In our next part we will talk about what happens when DNS doesn’t work, so stay tuned!

The post Secure your DNS to avoid losing business – Part 1 appeared first on Avira Blog.

CloudFlare Aims to Defeat Massive DDoS Attacks with Virtual DNS

DDoS attacks have been a persistent problem for the the better part of 20 years, and as ISPs and enterprises have adjusted their defenses, attackers have adapted their tactics. One of the more effective tools in the attackers’ arsenal now is the use of botnets to generate massive numbers of DNS queries for a target […]

Internationalization and the Internet

The Internet is a child of the United States of America, so it does not come as a surprise that only Latin letters and some scientific characters were used when the systems and the software (then called ARPANET) were designed. In today’s world, where roughly half the global population, with its different letters and alphabets uses the Internet, things look different.

The Need for Internationalization

You might have seen a so-called IDN before. IDN stands for internationalized domain name and all it boils down to, is a web address with special characters. This can be of great help for Internet users that live in regions where the primary alphabet in use is not Latin-based or is extended with special characters. Take Swedish for instance: the letters ä, ö and å augment the standard Latin alphabet. Without the support of IDNs, you would have to agree on a different (Latin) character for domains – like a or aa instead of å. Instead of visiting the website of your favorite Swedish bakery with www.pågen.se, you would have to go to www.pagen.se. This is okay until another company with the name Pagen appears and wants to claim that domain name. It becomes confusing very quickly for the visitors.

Wait…IDN what?

The Domain Name Service (short: DNS), which is used to translate a web address to something the computer understands, only accepts Latin characters. To make internationalized domains work, a system called punycode is used. A complete explanation of the algorithm is way out of scope for this article, but here is a short one. Whenever you enter an address like pågen.se, punycode prepends xn--, skips all non-Latin characters of the domain (å) and appends a dash to the remaining characters (pgen). So far, the result is xn--pgen-. Now, some black magic (finite state machines and generalized variable length integers) is used to represent the location and the identity of the skipped characters. In the end, the result looks like xn--pgen-qoa.se. This is the domain that your browser will access. You, as a user, will not feel any difference as this is done transparently by your browser. Arguably the first internationalized domain (rather subdomain in this case) was http://räksmörgås.josefsson.org.

How it affects you?

There are alphabets which contain letters similar to the ones in other alphabets. Take the Cyrillic script for instance: the Cyrillic letter а resembles the Latin character a. In a so-called IDN homograph attack, a cyber-criminal uses exactly this resemblance to mimic trusted websites. Imagine the domain in the following pictures.

Internationalized version of a domain. The first a is Cyrillic, not Latin

Internationalized version of a domain. The first a is Cyrillic, not Latin

From the looks of it, it is paypal.com. You would almost have to be psychic to note that the first a is a Cyrillic letter. Now the attacker only needs to design a page that looks exactly like PayPal’s and send the login credentials to his or her email address – Mission accomplished.

If the domain is considered suspicious, modern browsers will show the punycoded variant

If the domain is considered suspicious, modern browsers will show the punycoded variant

Not all is lost

Fortunately, it is not that simple to deceive unsuspecting users anymore. Modern day browsers indicate that you are browsing an internationalized website as the image below shows.

Internationalization feature of Internet Explorer: shows a small icon in the address bar

Internationalization feature of Internet Explorer: shows a small icon in the address bar

In contrast to typosquatted URLs, where you might be able to spot phishy URLs by looking at them twice, IDNs can pose a real problem. You have to rely even more on a strong Web protection. It shows that common sense does not protect you from everything on the Internet and that it is crucial to have an up-to-date antimalware solution on all your devices.

Recommended Reading & Resources

Internationalized Domain Name
Punycode
Internet Usage Statistics
Internet
Homograph Attack
DNS

The post Internationalization and the Internet appeared first on Avira Blog.

Attackers Compromise ICANN, Access Zone Files System

Unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names. The attack apparently took place in November and ICANN officials discovered it earlier this month. The intrusion started […]