DNS Hijacking Targets the Internet’s Infrastructure

DNS, or the Domain Name System, is perhaps the most important “convenience” technology on the Internet. “Convenience” probably isn’t the right word, because it implies an optional luxury rather than an essential feature. DNS plays a critical role in making the Internet widely accessible.

The Internet runs on IP addresses. Every machine connected to it has an address so that traffic can be sent from it and routed back to it. Machines love numbers, but humans aren’t very good at remembering them. DNS is the technology that lets us identify the websites we want to visit by easy-to-remember names rather than by hard-to-remember IP addresses. Without it, we’d have to punch in an address such as 172.217.8.174 to get to Google, and remember a different string of digits for Amazon, another for Facebook, and so on, and that’s assuming we’re using the shorter IP-version-4 addresses. With the longer IP-version-6 addresses, we’d face an even tougher memory test. DNS maps human-readable domain names to IP addresses (and, through reverse lookups, IP addresses back to names), and that goes a long way toward making the Internet usable.

For such a key part of the infrastructure, it receives surprisingly little love and attention from cybersecurity professionals. We tend to regard it as a set-and-forget appliance, but it isn’t. It can be compromised just like any other computer technology, and when it is, the ramifications are swift and widespread.

At the top of the system sit thirteen root server identities (a.root-servers.net through m.root-servers.net), each of which is in reality a large fleet of machines spread around the world. The root servers don’t know every name on the Internet; they know which servers are authoritative for each top-level domain (.com, .org, .edu, and so on), and those servers in turn know which servers are authoritative for each registered domain beneath them. When you enter the name of a website you want to visit, your computer’s stub resolver sends that name to the recursive resolver it has been configured to use, typically your ISP’s, your employer’s, or a public one. The recursive resolver first checks its cache. If it already holds a fresh answer, it sends back the IP address so your request can be properly routed. If it doesn’t, it works its way down the hierarchy: it asks a root server, which refers it to the servers for the top-level domain; it asks one of those, which refers it to the domain’s own authoritative servers; and it asks one of those, which finally returns the address. The resolver caches that answer for the time-to-live the domain’s operator specified and hands it to your computer. Through these exchanges, your request will eventually be correctly mapped to an IP address, provided you entered a valid domain name and provided nothing along the way has been tampered with.

A problem arises, however, if someone is able to change those domain-name-to-IP-address mappings. For example, instead of google.com resolving to Google’s own servers, suppose an attacker is able to point that name at a fake Google site they have set up themselves. If they make the fake site look identical to the real thing, they can intercept all your search attempts. Or suppose you attempt to go to the page you use to log into a site. If the attacker can change that site’s name to resolve to an IP address they control, and if they make the fake page parked there look exactly like the login page you always use, DNS will direct you there instead, and the attacker will be able to intercept your login credentials. The change can be made at any level of the chain described above: in the authoritative zone itself (say, with stolen registrar or DNS-provider credentials), in the parent’s delegation, or in a recursive resolver’s cache.
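The walk down the hierarchy, and the three places an attacker can alter the answer, as an added example that is not part of the original article. Every server, zone, name and address in it is constructed for illustration (192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges, and the delegation chain is reduced to one server per level).

```python
"""Toy model of DNS resolution, and of the points where a hijack changes the answer.

This is an added example, not code from the original article. Every server,
zone, name and address here is constructed for illustration: 192.0.2.0/24,
198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges.
"""
import copy

# Constructed authoritative data, keyed by server address. Each server knows
# only its own zone: an ("NS", server) entry is a referral to the server for a
# child zone, an ("A", address) entry is a final answer.
SERVERS = {
    "192.0.2.53": {                                   # toy root server
        "com.": ("NS", "192.0.2.54"),
    },
    "192.0.2.54": {                                   # toy .com TLD server
        "example.com.": ("NS", "192.0.2.55"),
    },
    "192.0.2.55": {                                   # example.com's authoritative server
        "www.example.com.": ("A", "198.51.100.10"),
        "login.example.com.": ("A", "198.51.100.11"),
    },
}
ROOT_HINT = "192.0.2.53"          # every recursive resolver starts with the root's address
ATTACKER_IP = "203.0.113.66"      # where the attacker's look-alike site is parked


class RecursiveResolver:
    """Walks the delegation chain root -> TLD -> authoritative and caches answers."""

    def __init__(self, servers, root_hint=ROOT_HINT):
        self.servers = servers
        self.root_hint = root_hint
        self.cache = {}        # qname -> address
        self.trace = []        # (server asked, record returned) for each query

    def ask(self, server, qname):
        """One query to one authoritative server: exact answer, else the closest delegation."""
        zone = self.servers[server]
        if qname in zone:
            return zone[qname]
        for name in sorted(zone, key=len, reverse=True):   # longest matching suffix first
            if qname.endswith("." + name) and zone[name][0] == "NS":
                return zone[name]
        return None                                         # this server knows nothing about qname

    def resolve(self, qname, max_hops=8):
        if qname in self.cache:
            self.trace.append(("cache", self.cache[qname]))
            return self.cache[qname]
        server = self.root_hint
        for _ in range(max_hops):
            record = self.ask(server, qname)
            self.trace.append((server, record))
            if record is None:
                return None
            kind, value = record
            if kind == "A":
                self.cache[qname] = value      # kept until its TTL expires (TTLs not modelled)
                return value
            server = value                      # referral: ask the delegated server next
        raise RuntimeError("delegation loop for " + qname)


def honest_lookup(qname):
    """Normal resolution through untouched data; returns the answer and the query trace."""
    r = RecursiveResolver(SERVERS)
    return r.resolve(qname), r.trace


def hijack_authoritative(qname):
    """Attacker edits the zone itself, e.g. with stolen DNS-provider or registrar credentials."""
    servers = copy.deepcopy(SERVERS)
    servers["192.0.2.55"][qname] = ("A", ATTACKER_IP)
    return RecursiveResolver(servers).resolve(qname)


def hijack_delegation(qname):
    """Attacker repoints the parent's NS delegation at a nameserver they run."""
    servers = copy.deepcopy(SERVERS)
    servers["203.0.113.53"] = {qname: ("A", ATTACKER_IP)}   # attacker's nameserver
    servers["192.0.2.54"]["example.com."] = ("NS", "203.0.113.53")
    return RecursiveResolver(servers).resolve(qname)


def poison_cache(qname):
    """A forged answer already sits in the resolver's cache, so no authoritative server is asked."""
    r = RecursiveResolver(SERVERS)
    r.cache[qname] = ATTACKER_IP
    return r.resolve(qname), r.trace


if __name__ == "__main__":
    name = "login.example.com."
    addr, trace = honest_lookup(name)
    print("honest:", addr)
    for server, record in trace:
        print("   asked", server, "->", record)
    print("zone edited:     ", hijack_authoritative(name))
    print("delegation moved:", hijack_delegation(name))
    print("cache poisoned:  ", poison_cache(name)[0])
```

The honest lookup shows three queries (root, TLD, authoritative) before the real address comes back; each of the three hijacks yields the attacker’s address through exactly the same client-side code path, which is why the victim sees nothing unusual. In the cache-poisoning case the trace has a single “cache” entry, because the resolver never consults an authoritative server at all.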

Clearly, these kinds of DNS hijacking attacks can cause a lot of damage. Lately they have, and attackers linked to Iran have been particularly active. But this current wave is not the first time, or the only way, DNS has been leveraged as part of an attack. In October 2016, large parts of the web were slowed to a frustrating crawl by the Mirai botnet, which used cheap and poorly designed Internet-of-Things (IoT) devices to flood the managed DNS provider Dyn with so much garbage traffic that it couldn’t respond to legitimate requests for domain-name-to-IP-address translations. During that distributed denial-of-service (DDoS) attack, the only way to reach a site whose names were hosted there was to pretend that DNS didn’t exist: you had to already know the site’s IP address and punch it in directly. Talk about inconvenient!

DNS is perhaps the most critical infrastructure underlying the critical infrastructure that is the Internet. The fact that it is so remarkably frail, with no comparable backup service, should give us pause. There are ways to make it more secure, such as DNSSEC, which lets a domain’s operator digitally sign its records so that a validating resolver can tell a genuine answer from a forged one. (It authenticates the data; it does not encrypt it, and it cannot help if an attacker changes the records, or the keys, through a compromised registrar or DNS-provider account.) But companies have been very slow to adopt it. There are signs of hope, as solutions are appearing that make adopting DNSSEC as easy as clicking a mouse. Until DNSSEC is more widely adopted, however, our Internet use remains at the mercy of an essential but relatively ignored and insecure core technology. We need to pay more attention to securing the Domain Name System.
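What “cryptographically verifies” means for one link of the DNSSEC chain of trust, as an added example that is not part of the original article: the parent zone publishes a DS record that commits to the child zone’s key-signing DNSKEY, and a validating resolver checks that the DNSKEY it is served matches that DS before trusting anything the key signs. The key bytes below are constructed (32 arbitrary bytes standing in for a public key; a real Ed25519 key, DNSSEC algorithm 15, is also 32 bytes), so the block demonstrates the DS/DNSKEY binding from RFC 4034 (section 5 and appendix B) but not RRSIG signature verification, which needs an asymmetric-crypto library.

```python
"""Checking one link of the DNSSEC chain of trust: does the DS record that the
parent zone publishes match the child zone's key-signing DNSKEY?

Added example, not from the original article. The key material is constructed
(arbitrary bytes standing in for a real public key), so this shows the
DS <-> DNSKEY binding from RFC 4034 (section 5 and appendix B) but not RRSIG
signature verification, which needs an asymmetric-crypto library.
"""
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}   # DS digest types
ZONE_FLAG, SEP_FLAG = 0x0100, 0x0001      # DNSKEY flag bits; 257 = ZONE|SEP is a typical KSK


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, zero terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (2 octets), protocol (always 3), algorithm (1 octet), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 appendix B key tag; valid for every algorithm except obsolete RSA/MD5 (1)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()


def make_ds(owner, flags, algorithm, public_key, digest_type=2):
    """What a zone operator hands to its registrar: (key tag, algorithm, digest type, digest)."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    return key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type)


def ds_matches_dnskey(owner, ds, flags, algorithm, public_key):
    """A validating resolver's check: the DNSKEY served by the child must be the one the parent's DS commits to."""
    if not flags & ZONE_FLAG:                      # only zone keys can anchor a zone
        return False
    rdata = dnskey_rdata(flags, algorithm, public_key)
    tag, ds_alg, digest_type, digest = ds
    if tag != key_tag(rdata) or ds_alg != algorithm or digest_type not in DIGEST_ALGS:
        return False
    return ds_digest(owner, rdata, digest_type) == digest


# Constructed key material: 32 arbitrary bytes standing in for an Ed25519 (algorithm 15) public key.
ZONE = "example.com."
KSK_FLAGS = ZONE_FLAG | SEP_FLAG
LEGIT_KEY = bytes(range(32))
ATTACKER_KEY = bytes(reversed(range(32)))


def demo():
    """Parent's DS accepts the legitimate KSK and rejects a swapped key or a different owner name."""
    ds = make_ds(ZONE, KSK_FLAGS, 15, LEGIT_KEY)           # published in the .com zone
    return {
        "legit_key_accepted": ds_matches_dnskey(ZONE, ds, KSK_FLAGS, 15, LEGIT_KEY),
        "swapped_key_rejected": not ds_matches_dnskey(ZONE, ds, KSK_FLAGS, 15, ATTACKER_KEY),
        "wrong_owner_rejected": not ds_matches_dnskey("evil.example.", ds, KSK_FLAGS, 15, LEGIT_KEY),
        "non_zone_key_rejected": not ds_matches_dnskey(ZONE, ds, SEP_FLAG, 15, LEGIT_KEY),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:24s} {'ok' if ok else 'FAILED'}")
```

To run the same check against real data, fetch the parent’s DS with `dig DS example.com` and the child’s key with `dig DNSKEY example.com`, base64-decode the key field, and feed both to `ds_matches_dnskey`. The caveat from the paragraph above applies here too: if an attacker can log in to the registrar, they can replace the DS along with the delegation, and every link of the chain will validate perfectly.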

About Ray Klump

Professor and Chair of Mathematics and Computer Science; Director, Master of Science in Information Security, Lewis University. http://online.lewisu.edu/ms-information-security.asp, http://online.lewisu.edu/resource/engineering-technology/articles.asp, http://cs.lewisu.edu. You can find him on Google+.
