All your DNS were belong to us: AWS and Google Cloud shut down spying vulnerability Until February this year, Amazon Route53's DNS service offered largely unappreciated network eavesdropping capabilities. And this undocumented spying option was also available at Google Cloud DNS and at least one other DNS-as-a-service provider. In a presentation earlier this week at the Black Hat USA 2021 security conference …
DDNS service providers have misconfigured systems. That's bad. Multiple orgs are required to enact individual fixes.
MS's unique algorithm facilitates the exploit, sorry, non-vulnerability. That's bad. Said corporate refuses to act to protect its user base. Problem mitigated in one fell swoop while the multiple DDNS outfits sort out their end. No-hoe!
An OS should protect against known issues (avoiding the "vulnerability" semantics) regardless of where the issue arises. Why doesn't MS reintroduce SHA1 hashing in 'doze, it's not their problem after all. Ah, is it possible that M$ were enjoying the DDNS exploit for their own reasons? And are scrabbling for the last few terabytes of slurp before the DDNS providers sort it.
Regardless of any ulterior motive, MS are remiss not closing the door.
No one ever got sacked for buying IBM M$. Time shareholders changed that.
If you are using a cloud based DNS service to manage your internal DNS where your computers update their DNS records THAT'S YOUR FAULT!
This should be 100% internal and behind your security devices and 100% in your comtrol!
Public and or cloud based DNS services are for PUBLIC resources.
DNS services traditionally are be-nine and only collect information on number hits. For a very long time I have been suspicious of big tech hosting these services. Google takes an unhealthy interest where you go and what you are looking at gives them a commercial advantage. To stop this change your services or better still setup your own connecting to the 13 root domain servers. Pretty much all the domestic routers can be modify to look else ware for name resolution.
Agreed with the "big tech" view.
Unfortunately all routers I've had supplied by (mainstream) ISPs in the UK (& BE) over the past 10+ years have no ability to set DNS servers. DDNS yes, but that's not what we're looking for I think.
Also, the routers are often key components for the ISP's service so can't be easily switched out (1:1) for "real" networking kit. Bloody DOCSIS >:|
So set-up becomes ISP's router at the incoming pipe with second router behind it. Hello Pi. (Mmmmm, Pi...)
Easy enough, but not convenient thanks to the ISP vendor lock-in bollox. Some users won't have two boxes where one will do.
(?Benign)
> all routers I've had supplied by (mainstream) ISPs in the UK (& BE) over the past 10+ years have no ability to set DNS servers
Don't use the ISP supplied router. I have never used an ISP supplied router in over 28 years, except when testing a network fault to prove it isn't my kit at fault (which it never has been). ISP routers are the cheapest they can find, poorly specced, often out of date and with no updates. If an ISP requires you to use their router don't buy their service, many others are available.
And yes, I am talking about the UK.
"routers are often key components for the ISP's service so can't be easily switched out"
PlusNet's can be switched out. I've recently done this after discovering that they'd reconfigured theirs from their end (itself a worry) with the net effect of me not being able to configure my DHCP as I wish.
As the original setup had a separate VDSL modem a combined unit has actually taken the box count down.
"(?Benign)"
Bind9, maybe.
"Also, the routers are often key components for the ISP's service so can't be easily switched out (1:1) for "real" networking kit. Bloody DOCSIS >:|"
However most I've come across have the option to become "cable modem only", and you can install your own kit on your side of the network. The ISP provided device just becomes the NTE of the external connection, and you take ownership of securing everything inside.
Unfortunately all routers I've had supplied by (mainstream) ISPs in the UK (& BE) over the past 10+ years have no ability to set DNS servers. DDNS yes, but that's not what we're looking for I think.
You can however often turn off DHCP entirely. My BT "Smart" Hub has locked DNS servers but I simply killed DHCP and run a PiHole (which can optionally serve DHCP as well as DNS). This without putting the router into "modem mode" because I didn't really want to buy a second router and access point - the -ac wifi on the SmartHubs is actually pretty decent and I already had an RPi lying around.
So I'm still using the router as a router, just offloading DHCP/DNS duties. Neatly, the RPi is actually powered off the USB port on the back of the SmartHub (which I think is notionally a way of sharing a USB hard drive or printer over the network). The hardware is pretty decent, just a shame BT's firmware is so limited.
"Pretty much all the domestic routers can be modify to look else ware for name resolution"
Sadly not mine.
"For a very long time I have been suspicious of big tech hosting these services"
Agreed, I've often thought Google would be logging those DNS queries for its own use, it fits their MO.
Also those "certificate transparency" logs too, the tracking of certs that is supposed to find rogue certs but doesn't. The potential for surveillance of who visits what sites is there too.
That cert logging seems to be completely useless for the purpose it is claimed for, to monitor and find rogue certs. It's not a security measure, its an accountancy measure.
So I see a cert for [Man-In-Middle-entity]
and it has alternates [unrelated #1] [unrelated #2] [unrelated #3] [apparent NSA cyber contractor pretending to be mom-pop business #4][unrelated online bank #5][unrelated major corp #6][non-existent entity #7].....
Clearly not alternates, clearly not the same entity as [Man-In-Middle-entity]. I don't care about [Man-In-Middle-entity] claimed usage or unplausible justification.
Clearly, [a] I do not trust this cert or the authority that issued it. and [b] I view any audit process that would allow such a cert, is a security joke.
A browser accepting a cert on my behalf, that I would never accept in a million years, is unacceptable.
So I want *client*-side pinning of certs. I want browsers to be able to lock certs to only the correct cert for a site, correct being *my* decision based on how much I trust the cert authority involved.
I click pin, and it is pinned locally and that's it, the browser will not accept alternates without *my* say-so.
I want this also for cert-authorities, I want to say "I do not trust this crappy authority and its crappy certs never, ever", or "I will accept this authority, but only for this site".
AND, I also want to pin "no cert". So, since I started tracking certs, I've seen sites that for some pages/sometimes get a certficate and appear encrypted, but normally the site is never encrypted, I want to pin "no cert" and reject the pages when they appears encrypted and should not be. I don't know what the game is there, I don't care, I don't want it. My choice.
It's ludicrous that decades into the internet, we're still playing backdoor whackamole.
If your router doesn't allow you to specify your own DNS then there are a couple of options.
Replace your ISP provided router with something else if possible, the BT homehub 5s can be flashed with OpenWRT and they are much more configurable than an ISP provided router. You can even buy them ready flashed with WRT from ebay for about £20 if you don't want the hassle of doing the flashing yourself.
Set up your own DOH or DOT DNS server on a cheap VPS to encrypt your DNS traffic from your devices so you are bypassing the routers DNS settings. You could even run Pihole on it and block ads as well
Following on from mark l 2:
Before swapping out your router or flashing OpenWRT check if your ISP requires DHCP Options 60/61 and that your intended config handles them if necessary.
AFAIK that's some Sky and NowTV services.
That gives me an idea, I see Synology NAS do a DHCP server (with DNS config ) and maybe I can even route through their VPN package too.
I could make that the fake router. An Asus access point, using the Synology DHCP for its addresses for Wifi devices....
Thnx marki2 for the idea,
also thx Lil Endian, OpenWRT is not an option but I appreciate the suggestions.
For what's it's worth, Google swears they don't use your DNS requests for anything nefarious, not even ad targeting:
https://developers.google.com/speed/public-dns/privacy
I was surprised as well.
I'm not surprised and frankly, what could they change ?
The algorythm does have to go and query the DNS servers at one point or another, there's nothing to do to avoid that part, so, for once, this is not actually Borkzilla's fault.
It would, however, be nice if Borkzilla could brainstorm a mitigation of some sort, since there are DNS providers who are not impacted by this vulnerability.
Well, I'll admit I'm making a couple of assumptions:
1. Assuming our Vulture is unbiased in mentioning only Windows, I infer other OSs are not vulnerable.
2. The reference to MS's "unique algorithm" suggests they're doing something that other DNS resolution code doesn't do.
I've tried to find refs to other OSs suffering from this attack but haven't found any yet.
It would be nice to be able to compare code from different OSs but we can't (I guess) because of proprietary code. (No, that is not a dig at MS, it's fine their code is closed source.) The leak maybe comes from how the resolver handles responses to its own query...?
So, I'm not saying you're wrong Pascal, or disagreeing. I'm just going with those inferences. I'd be happy to accept clarification, to eliminate the inferences. (Well, not happy happy, cos it's still a balls-up!)
I am one of the researchers. Many people approached us with questions on checking how they are vulnerable so we created a free web tool to check for Dynamic DNS misconfiguration
https://twitter.com/wiz_io/status/1423772511871795206?s=20
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
