All your DNS were belong to us: AWS and Google Cloud shut down spying vulnerability

Until February this year, Amazon Route53's DNS service offered largely unappreciated network eavesdropping capabilities. And this undocumented spying option was also available at Google Cloud DNS and at least one other DNS-as-a-service provider. In a presentation earlier this week at the Black Hat USA 2021 security conference …

  1. Anonymous Coward

    Never trust a DNS server you don't fully control

    and most of the ones you do.

    1. Foxglove

      Re: Never trust a DNS server you don't fully control

      I fail to see how your proposal is practical dear AC.

      1. Unbelievable!

        Re: Never trust a DNS server you don't fully control

        "I fail to see how your proposal is practical dear AC."

        If Bezos,

        End if

      2. Anonymous Coward

        Re: Never trust a DNS server you don't fully control

        Whatever you do don't go anywhere near that internet, it's a dangerous scary place.

        1. Snowy Silver badge
          Holmes

          Re: Never trust a DNS server you don't fully control

          Yes the internet where you hope the good guys are good.

      3. Anonymous Coward

        Re: Never trust a DNS server you don't fully control

        If you don't mind slow as balls DNS there is always root hints.

  2. Lil Endian

    WTAF?

    DDNS service providers have misconfigured systems. That's bad. Multiple orgs are required to enact individual fixes.

    MS's unique algorithm facilitates the exploit, sorry, non-vulnerability. That's bad. Said corporate refuses to act to protect its user base. Problem mitigated in one fell swoop while the multiple DDNS outfits sort out their end. No-hoe!

    An OS should protect against known issues (avoiding the "vulnerability" semantics) regardless of where the issue arises. Why doesn't MS reintroduce SHA1 hashing in 'doze, it's not their problem after all. Ah, is it possible that M$ were enjoying the DDNS exploit for their own reasons? And are scrabbling for the last few terabytes of slurp before the DDNS providers sort it.

    Regardless of any ulterior motive, MS are remiss not closing the door.

    No one ever got sacked for buying IBM M$. Time shareholders changed that.

    1. Cliffwilliams44 Bronze badge

      Re: WTAF?

      If you are using a cloud based DNS service to manage your internal DNS where your computers update their DNS records THAT'S YOUR FAULT!

      This should be 100% internal and behind your security devices and 100% in your control!

      Public and or cloud based DNS services are for PUBLIC resources.
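One way to turn the point above into an audit check: flag any DNS dynamic UPDATE (RFC 2136, opcode 5) that a host sends to an address outside the internal network. This is an added example, not the commenter's code or anything from the article; the records are constructed to stand in for a packet capture or DNS log, and the "internal" ranges (RFC 1918 plus loopback) are an assumption you would adjust to your own addressing.

```python
"""Spot DNS dynamic UPDATE messages (opcode 5) heading to addresses outside
the internal network, as a defender's audit check.

Added example; not the commenter's code or anything from the article. The
records below are constructed to stand in for a packet capture or DNS log,
and the 'internal' address ranges are an assumption (RFC 1918 plus loopback).
"""
import ipaddress
import struct

DNS_OPCODE_QUERY = 0
DNS_OPCODE_UPDATE = 5  # RFC 2136 dynamic update

# Assumption: anything outside these ranges is "outside your security devices".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def dns_opcode(payload: bytes) -> int:
    """Extract OPCODE (bits 1-4 of the flags word) from a 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _msg_id, flags = struct.unpack("!HH", payload[:4])
    return (flags >> 11) & 0x0F


def find_leaking_updates(records):
    """records: iterable of (src_ip, dst_ip, dns_payload).

    Returns [(src, dst), ...] for every DNS UPDATE sent to a non-internal
    destination; ordinary queries and internal updates are ignored."""
    leaks = []
    for src, dst, payload in records:
        try:
            opcode = dns_opcode(payload)
        except ValueError:
            continue  # not a DNS message, nothing to judge
        if opcode == DNS_OPCODE_UPDATE and not is_internal(dst):
            leaks.append((src, dst))
    return leaks


# --- helpers to build constructed sample messages -------------------------

def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_dns_message(opcode: int, name: str, qtype: int) -> bytes:
    """Header plus one entry in the first section: a question for QUERY,
    the zone (type SOA) for UPDATE. Enough for header-level classification."""
    flags = (opcode & 0x0F) << 11
    if opcode == DNS_OPCODE_QUERY:
        flags |= 0x0100  # RD: recursion desired, as a stub resolver would set
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1)


# Constructed sample: a workstation updating its own record. 192.0.2.53 is a
# documentation address standing in for a nameserver outside the network.
SAMPLE_RECORDS = [
    ("10.0.0.25", "10.0.0.1", make_dns_message(DNS_OPCODE_UPDATE, "corp.example.", 6)),
    ("10.0.0.25", "192.0.2.53", make_dns_message(DNS_OPCODE_UPDATE, "corp.example.", 6)),
    ("10.0.0.25", "192.0.2.53", make_dns_message(DNS_OPCODE_QUERY, "www.example.", 1)),
    ("10.0.0.25", "192.0.2.53", b"\x01\x02"),  # junk, too short to be DNS
]

if __name__ == "__main__":
    for src, dst in find_leaking_updates(SAMPLE_RECORDS):
        print(f"dynamic update from {src} sent outside the network to {dst}")
```

Only the header is inspected, so the check works on truncated captures and costs nothing per packet; the same test can be expressed as a firewall or IDS rule (UDP/TCP 53 outbound with opcode 5) once you know it fires only on the hosts you expect.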

  3. JimPoak
    Holmes

    DNS services traditionally are be-nine and only collect information on the number of hits. For a very long time I have been suspicious of big tech hosting these services. Google takes an unhealthy interest in where you go, and what you are looking at gives them a commercial advantage. To stop this change your services or better still set up your own connecting to the 13 root domain servers. Pretty much all the domestic routers can be modified to look elsewhere for name resolution.

    1. Lil Endian

      ISP Routers

      Agreed with the "big tech" view.

      Unfortunately all routers I've had supplied by (mainstream) ISPs in the UK (& BE) over the past 10+ years have no ability to set DNS servers. DDNS yes, but that's not what we're looking for I think.

      Also, the routers are often key components for the ISP's service so can't be easily switched out (1:1) for "real" networking kit. Bloody DOCSIS >:|

      So set-up becomes ISP's router at the incoming pipe with second router behind it. Hello Pi. (Mmmmm, Pi...)

      Easy enough, but not convenient thanks to the ISP vendor lock-in bollox. Some users won't have two boxes where one will do.

      (?Benign)

      1. TimMaher Silver badge
        Thumb Up

        Re: ISP Routers

        So true.

        I always set our Virgin Media routers to modem only and shove a consumer/SME router behind it. At least that way I have reasonable control over the entrepôt and hinterland.

        1. Anonymous Coward

          Re: ISP Routers

          Exactly the same as I have always done.

        2. anothercynic Silver badge

          Re: ISP Routers

          Same here. At least I'll know what I let in and out based on *my* preferences. But then again I have a grown-up ISP, so this doesn't generally cause a problem.

      2. Irongut Silver badge

        Re: ISP Routers

        > all routers I've had supplied by (mainstream) ISPs in the UK (& BE) over the past 10+ years have no ability to set DNS servers

        Don't use the ISP supplied router. I have never used an ISP supplied router in over 28 years, except when testing a network fault to prove it isn't my kit at fault (which it never has been). ISP routers are the cheapest they can find, poorly specced, often out of date and with no updates. If an ISP requires you to use their router don't buy their service, many others are available.

        And yes, I am talking about the UK.

      3. Doctor Syntax Silver badge

        Re: ISP Routers

        "routers are often key components for the ISP's service so can't be easily switched out"

        PlusNet's can be switched out. I've recently done this after discovering that they'd reconfigured theirs from their end (itself a worry) with the net effect of me not being able to configure my DHCP as I wish.

        As the original setup had a separate VDSL modem a combined unit has actually taken the box count down.

        "(?Benign)"

        Bind9, maybe.

        1. Lil Endian
          Pint

          Bind9, maybe.

          Bravo!

      4. sitta_europea Silver badge

        Re: ISP Routers

        "...So set-up becomes ISP's router at the incoming pipe with second router behind it. Hello Pi...."

        Been doing it that way for decades now. Not a Pi though, ALIX etc. are more reliable.

      5. gerdesj Silver badge
        Childcatcher

        Re: ISP Routers

        "Also, the routers are often key components for the ISP's service"

        Utter tosh in the UK. I've never used an ISP supplied router/modem except in extremis. I have customers across the length and breadth of the UK, including Hull.

      6. Velv
        Boffin

        Re: ISP Routers

        "Also, the routers are often key components for the ISP's service so can't be easily switched out (1:1) for "real" networking kit. Bloody DOCSIS >:|"

        However most I've come across have the option to become "cable modem only", and you can install your own kit on your side of the network. The ISP provided device just becomes the NTE of the external connection, and you take ownership of securing everything inside.

      7. rg287 Silver badge

        Re: ISP Routers

        Unfortunately all routers I've had supplied by (mainstream) ISPs in the UK (& BE) over the past 10+ years have no ability to set DNS servers. DDNS yes, but that's not what we're looking for I think.

        You can however often turn off DHCP entirely. My BT "Smart" Hub has locked DNS servers but I simply killed DHCP and run a PiHole (which can optionally serve DHCP as well as DNS). This without putting the router into "modem mode" because I didn't really want to buy a second router and access point - the -ac wifi on the SmartHubs is actually pretty decent and I already had an RPi lying around.

        So I'm still using the router as a router, just offloading DHCP/DNS duties. Neatly, the RPi is actually powered off the USB port on the back of the SmartHub (which I think is notionally a way of sharing a USB hard drive or printer over the network). The hardware is pretty decent, just a shame BT's firmware is so limited.

    2. Anonymous Coward

      "Pretty much all the domestic routers can be modify to look else ware for name resolution"

      Sadly not mine.

      "For a very long time I have been suspicious of big tech hosting these services"

      Agreed, I've often thought Google would be logging those DNS queries for its own use, it fits their MO.

      Also those "certificate transparency" logs too, the tracking of certs that is supposed to find rogue certs but doesn't. The potential for surveillance of who visits what sites is there too.

      That cert logging seems to be completely useless for the purpose it is claimed for, to monitor and find rogue certs. It's not a security measure, it's an accountancy measure.

      So I see a cert for [Man-In-Middle-entity]

      and it has alternates [unrelated #1] [unrelated #2] [unrelated #3] [apparent NSA cyber contractor pretending to be mom-pop business #4][unrelated online bank #5][unrelated major corp #6][non-existent entity #7].....

      Clearly not alternates, clearly not the same entity as [Man-In-Middle-entity]. I don't care about [Man-In-Middle-entity]'s claimed usage or implausible justification.

      Clearly, [a] I do not trust this cert or the authority that issued it, and [b] I view any audit process that would allow such a cert as a security joke.

      A browser accepting a cert on my behalf, that I would never accept in a million years, is unacceptable.

      So I want *client*-side pinning of certs. I want browsers to be able to lock certs to only the correct cert for a site, correct being *my* decision based on how much I trust the cert authority involved.

      I click pin, and it is pinned locally and that's it, the browser will not accept alternates without *my* say-so.

      I want this also for cert-authorities, I want to say "I do not trust this crappy authority and its crappy certs never, ever", or "I will accept this authority, but only for this site".

      AND, I also want to pin "no cert". So, since I started tracking certs, I've seen sites that for some pages/sometimes get a certificate and appear encrypted, but normally the site is never encrypted. I want to pin "no cert" and reject the pages when they appear encrypted and should not be. I don't know what the game is there, I don't care, I don't want it. My choice.

      It's ludicrous that decades into the internet, we're still playing backdoor whackamole.

      1. Lil Endian

        Take control over the browser with the OS, eg:

        # dpkg-reconfigure ca-certificates

        Source: https://askubuntu.com/questions/440580/how-does-one-remove-a-certificate-authoritys-certificate-from-a-system#440594

        I think that's a part of what you mean AC.

      2. mark l 2 Silver badge

        If your router doesn't allow you to specify your own DNS then there are a couple of options.

        Replace your ISP provided router with something else if possible, the BT homehub 5s can be flashed with OpenWRT and they are much more configurable than an ISP provided router. You can even buy them ready flashed with WRT from ebay for about £20 if you don't want the hassle of doing the flashing yourself.

        Set up your own DOH or DOT DNS server on a cheap VPS to encrypt your DNS traffic from your devices so you are bypassing the routers DNS settings. You could even run Pihole on it and block ads as well
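What the DoH traffic to such a server looks like on the wire, as an added example that is not mark l 2's setup or any project's code: the client puts a wire-format DNS query into the `dns` parameter of an RFC 8484 GET request, and the answer comes back as an ordinary DNS message inside the HTTPS body. The resolver URL is a placeholder and the response is constructed inline rather than fetched, so the block runs offline and shows the encoding rather than a live lookup.

```python
"""DNS-over-HTTPS on the wire (RFC 8484): build the query a client would put
in a GET request, and decode the answer the server returns.

Added example, not mark l 2's setup or any project's code. The resolver URL
is a placeholder, and the response is constructed inline rather than fetched,
so this runs offline and shows the encoding rather than a live lookup."""
import base64
import struct

DOH_URL = "https://doh.example.invalid/dns-query"  # placeholder for your own VPS resolver


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Wire-format query; RFC 8484 section 4.1 recommends ID 0 so that
    identical queries produce identical (cacheable) URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url: str, wire_query: bytes) -> str:
    """GET form: the query goes in the 'dns' parameter as unpadded base64url."""
    param = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={param}"


def doh_decode_param(param: str) -> bytes:
    """Server side of the same encoding: restore padding and decode."""
    padded = param + "=" * (-len(param) % 4)
    return base64.urlsafe_b64decode(padded)


def decode_name(msg: bytes, off: int):
    """Read a (possibly compressed) name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_a_answers(msg: bytes):
    """Return [(name, ttl, ipv4)] for the A records in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _name, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers


def build_sample_response(name: str, ipv4: str, ttl: int = 300) -> bytes:
    """Constructed reply: one A record, name compressed to the question."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(x) for x in ipv4.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.example.")
    print(doh_get_url(DOH_URL, q))
    print(parse_a_answers(build_sample_response("www.example.", "192.0.2.10")))
```

The point for the home-network case is that the router only ever sees HTTPS to one host; the query names travel inside TLS, so the router's locked DNS setting is simply never consulted. Pi-hole or any other local resolver can forward upstream over DoH in the same way.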

        1. Lil Endian

          Following on from mark l 2:

          Before swapping out your router or flashing OpenWRT check if your ISP requires DHCP Options 60/61 and that your intended config handles them if necessary.

          AFAIK that's some Sky and NowTV services.

        2. Anonymous Coward

          That gives me an idea, I see Synology NAS do a DHCP server (with DNS config) and maybe I can even route through their VPN package too.

          I could make that the fake router. An Asus access point, using the Synology DHCP for its addresses for Wifi devices....

          Thnx marki2 for the idea,

          also thx Lil Endian, OpenWRT is not an option but I appreciate the suggestions.

  4. Anonymous Coward

    DNS Spying: The Number of Beast

    is 8.8.8.8

    1. Dinanziame Silver badge

      Re: DNS Spying: The Number of Beast

      For what it's worth, Google swears they don't use your DNS requests for anything nefarious, not even ad targeting:

      https://developers.google.com/speed/public-dns/privacy

      I was surprised as well.

      1. Anonymous Coward

        Re: DNS Spying: The Number of Beast

        When a company's motto is "Don't be Evil" you can be pretty certain they are in fact evil, in the same way Dr Evil called himself Dr Evil.

        1. Andy The Hat Silver badge

          Re: DNS Spying: The Number of Beast

          I'm not sure - was Dr Nefario actually nefarious? (Can you have a philosophical discussion about the psychological makeup of a cartoon character?)

  5. Pascal Monett Silver badge

    "Microsoft, however, does not plan to revise its algorithm"

    I'm not surprised and frankly, what could they change ?

    The algorithm does have to go and query the DNS servers at one point or another, there's nothing to do to avoid that part, so, for once, this is not actually Borkzilla's fault.

    It would, however, be nice if Borkzilla could brainstorm a mitigation of some sort, since there are DNS providers who are not impacted by this vulnerability.

    1. Lil Endian

      Re: "Microsoft, however, does not plan to revise its algorithm"

      Well, I'll admit I'm making a couple of assumptions:

      1. Assuming our Vulture is unbiased in mentioning only Windows, I infer other OSs are not vulnerable.

      2. The reference to MS's "unique algorithm" suggests they're doing something that other DNS resolution code doesn't do.

      I've tried to find refs to other OSs suffering from this attack but haven't found any yet.

      It would be nice to be able to compare code from different OSs but we can't (I guess) because of proprietary code. (No, that is not a dig at MS, it's fine their code is closed source.) The leak maybe comes from how the resolver handles responses to its own query...?

      So, I'm not saying you're wrong Pascal, or disagreeing. I'm just going with those inferences. I'd be happy to accept clarification, to eliminate the inferences. (Well, not happy happy, cos it's still a balls-up!)

  6. Amilu

    We created a tool to help you check your domain for this vulnerability

    I am one of the researchers. Many people approached us with questions on checking how they are vulnerable so we created a free web tool to check for Dynamic DNS misconfiguration

    https://twitter.com/wiz_io/status/1423772511871795206?s=20

    1. Lil Endian
      Thumb Up

      Re: We created a tool to help you check your domain for this vulnerability

      Awesome Amilu!

      Thank you! Good work, keep it up ;)


Biting the hand that feeds IT © 1998–2021