7 Common Targets of Stealth Threats

DNS Poisoning

The Threat

DNS servers translate raw Internet addresses (such as 12.94.65.175) into human-friendly domain names (www.myfunsite.com). With a little work, the information provided by some DNS servers can be hijacked or misdirected -- "poisoned" -- allowing an attacker to send someone to any Web site they choose.

Illustration: Jeffrey Pelo

The Mechanism

The most common DNS poisoning attacks exploit flaws in DNS server software to allow fake name-resolution data to be sent to clients. One of the worst examples of DNS poisoning surfaced in 2008, when computer researcher Dan Kaminsky demonstrated how domains could be redirected with the then-current version of BIND, the software that most servers use to perform DNS resolution. The end result: You can hijack an entire domain -- including its subdomains, its mail servers (MX entries), its SPF records and everything else that can be stuffed into its DNS resources.

The Prevention

In this case, prevention is mostly up to the people running domain name services. Admins should update to the most recent version of BIND, which is much more skeptical about the data it receives and performs more thorough cross-checking to prevent poisoning.

If you have doubts about the validity of your DNS hosting, you can test it through the DNSStuff.com toolset. Its DNSreport Demo (free for regular users; the full non-demo version is for-pay) lets you check the results of DNS resolution for common domain names from your servers. If you suspect your DNS servers are dodgy or compromised, you can always use a different one by editing your TCP/IP settings or by setting your in-house router (if you use one) to resolve to another server. The Google Public DNS service might come in handy here, since Google claims its DNS is less vulnerable to poisoning.
