mPulse

Thursday, March 26, 2009

Legitimate DNS Hijacking and You

DNS hijacking is an occurrence that sends fear into the hearts of man and beast. It takes a perfectly harmless (yet critical) process and turns it into a weapon for chaos and mayhem.

This tool, however, does not simply reside in the hands of people looking to maliciously redirect traffic for purposes I can't quite fathom - I'll admit, there is still some simple naivete in my Canadian mind.

Legitimate companies, ISPs and service providers also have this tool at their disposal for their own purposes. A useful and accepted version of this exists already in the form of content delivery networks (CDNs) and other third parties who take a portion of a company's domain name space and use it to deliver distributed edge content and computing, web analytics, or advertising services.

But let's move this inside the firewall or into the consumer ISP space. These companies provide DNS for millions of customers. As a result, they could easily rewrite DNS entries to reflect their own needs rather than those of the consumer.

In the case of corporate IT networks, there is not much that can be done - they own the wire, hardware and software being used, so they will claim it's part of the corporate IT policy that all employees sign and that will be that.

Consumers, on the other hand, should expect free and unencumbered access to the worldwide DNS network, without being intercepted or redirected by their own ISPs. And there is frankly no way to verify that this is not happening unless you run your own caching BIND server on your home network.

The alternative is to use one of the external third-party services (OpenDNS or DNS Advantage). But these services also provide phishing protection and filtering services, which means that they can easily modify and redirect an incoming request using the most basic and critical service on the Internet.

While this may sound like the rant of a paranoid, it is a concept that has practical consequences. As an organization, how do you know that you aren't on the DNS filter list of these providers, or the ISPs? If they can filter and redirect DNS requests, what else are they doing with the information? Are they providing open and trusted access to the core DNS services of the Internet?
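One practical way to answer the "how do you know" question is to compare what the resolver you are handed gives back against an independent reference resolver for the same names. The following is an added example (not part of the original post) that flags the two rewrites discussed above: NXDOMAIN synthesis, where a made-up name suddenly "exists", and redirection, where a real name resolves somewhere else. The resolver answers are constructed sample data using documentation address ranges; the `Lookup` callables are assumptions you would replace with real queries against each resolver.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

@dataclass(frozen=True)
class Answer:
    rcode: str                  # "NOERROR" or "NXDOMAIN"
    addresses: FrozenSet[str]   # A records; empty for NXDOMAIN

Lookup = Callable[[str], Answer]   # resolver under test / reference resolver

def nonce_name(zone: str) -> str:
    """Random label under a real zone: an honest resolver answers NXDOMAIN."""
    return f"{secrets.token_hex(8)}.{zone}"

def classify(tested: Answer, reference: Answer) -> str:
    if reference.rcode == "NXDOMAIN" and tested.rcode == "NOERROR":
        return "nxdomain-rewritten"   # resolver synthesised an answer
    if reference.rcode == "NOERROR" and tested.rcode == "NXDOMAIN":
        return "filtered"             # name exists but the resolver hides it
    if tested.rcode == "NOERROR" and tested.addresses.isdisjoint(reference.addresses):
        return "differs"              # redirect, or a geo-aware CDN: verify by hand
    return "consistent"

def audit(names: List[str], tested: Lookup, reference: Lookup) -> Dict[str, str]:
    return {n: classify(tested(n), reference(n)) for n in names}

# Constructed sample: an ISP resolver that rewrites NXDOMAIN to a search portal
# and points one site at a different address; the reference resolver is honest.
PORTAL = "198.51.100.10"
ISP = {
    "example.com": Answer("NOERROR", frozenset({"192.0.2.44"})),
    "shop.example.net": Answer("NOERROR", frozenset({PORTAL})),
    "typo-xyz.example.org": Answer("NOERROR", frozenset({PORTAL})),
}
REF = {
    "example.com": Answer("NOERROR", frozenset({"192.0.2.44"})),
    "shop.example.net": Answer("NOERROR", frozenset({"203.0.113.5"})),
    "typo-xyz.example.org": Answer("NXDOMAIN", frozenset()),
}

def isp_lookup(name: str) -> Answer:       # unknown names get the portal too
    return ISP.get(name, Answer("NOERROR", frozenset({PORTAL})))

def ref_lookup(name: str) -> Answer:
    return REF.get(name, Answer("NXDOMAIN", frozenset()))

def sample_report() -> Dict[str, str]:
    probes = list(REF) + [nonce_name("example.org")]
    return audit(probes, isp_lookup, ref_lookup)
```

The random nonce probe matters because a resolver can be whitelisted for well-known test names; a "differs" verdict on a CDN-hosted name still needs manual confirmation, since geo-DNS legitimately hands out different addresses.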

Stepping back as far as you can into the process of going to your favorite pages, you will find that you can't get there without DNS. And if DNS can no longer be trusted, even from legitimate providers, the entire basis of the Internet dissolves.
