DNS - beyond the changer

Opinion by Nathan Pearce

We've seen a lot of fear, uncertainty and doubt around the DNSChanger botnet recently, which has caused a lot of speculation about the security of the Domain Name Server (DNS).

We've seen a lot of fear, uncertainty and doubt around the DNSChanger botnet recently, which has caused a lot of speculation about the security of the Domain Name Server (DNS).

Do people understand what DNS is at all and should we worry? Essentially, people find it easier to remember words than numbers, which is why we have domain names in the style that we do today, such as www.scmagazineuk.com. But machines work with numbers, not words, so networks automatically convert these domain names into the IP addresses that we're all familiar with.

More specifically, devices such as PCs transmit web page requests to their ISP and somewhere along the line, the ISP finds a DNS. The DNS translates the domain name into an IPv4 or IPv6 address (for example, or FE80:0000:0000:0000:0202:B3FF:FE1E:8329) and then into a binary IP address.

The DNS doesn't store an infinite cache of these translations, so they'll frequently bounce requests further up the chain to other servers until the IP address is found. DNS is a very trusting system, so it'll keep cached data without verifying future requests, directing users onwards without validating this data.

This can linger for weeks or months until it expires, which can be exploited by ‘cache poisoning' where incorrect DNS addresses are inserted or suggested by a malevolent party and then left unchanged.

However, this isn't what went wrong with the DNSChanger botnet. This botnet infected user PCs and redirected DNS requests to rogue DNS servers, which misdirected traffic to pages with fake advertising on it, compromising four million PCs and apparently generating $14 million in revenue for the hackers.

This is reasonably simple to do by editing the ipconfig settings on a machine and is probably how the DNSChanger malware worked. People have also long since used the hosts file on a PC to block undesirable websites by changing how computers process domain name requests – it doesn't always have to be done at the server level.

There are further possible misapplications of DNS hacking, and the FUD has been extensive. However we have been talking about the possibilities of DNSSec for a long time, digitally signing DNS transactions using PKI and making sure that servers are valid and that data is not changed in transit.

DNSSec doesn't encrypt data or provide confidentiality, but it does make sure that data has come from – and is going to – the right place. Whilst this will generate more demands on processing for web servers, they can look into DNS offload, putting the DNS processing onto different servers in much the same way as SSL offload is already done by many servers.

This chain of trust would have prevented the DNSChanger from operating, and would also stop ‘cache poisoning'.

DNS can seem like a reasonably harmless thing to corrupt, falling more into ‘mischievous' than ‘malicious' hacking, but DNSChanger malware – as evidenced by the four million compromised PCs and $14 million of revenue – has proved otherwise.

Whilst we should always be careful to avoid jumping at every "movie plot threat" as Bruce Schneier says, DNSSec would certainly solve a multitude of problems reasonably easily. For this reason, it should be worth a look.

Nathan Pearce is EMEA product manager at F5 Networks


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events