Until February of this year, Amazon’s Route53 DNS service offered largely unrecognized network listening capabilities. And this undocumented spy option was also available from Google Cloud DNS and at least one other DNS-as-a-service provider.
In a presentation earlier this week at the Black Hat USA 2021 security conference in Las Vegas, Nevada, Shir Tamari and Ami Luttwak of security firm Wiz described how they found a DNS nameserver hijacking flaw that allowed them to spy on dynamic DNS traffic from other customers.
“We found a simple flaw that allowed us to intercept some of the global dynamic DNS traffic passing through managed DNS providers like Amazon and Google,” Tamari explained in a blog post. “Essentially, we’ve ‘bugged’ the internal network traffic of 15,000 organizations (including Fortune 500 companies and government agencies) and millions of devices.”
To do this, it was enough to register a new domain on Route53 with the same name as one of AWS's own official DNS servers. Specifically, they created a new “hosted zone” in Route53 named after the AWS nameserver ns-1611.awsdns-09.co.uk.
“Each time a domain is added to Route53, four different DNS servers are selected to manage the domain,” Tamari explained. “We have ensured that any nameservers we register on the platform are managed on the same server.”
After repeating this process on some 2,000 name servers on AWS, they had partial control of the hosted zone bearing the nameserver's own name and pointed it at their own IP address. As a result, whenever a DNS client queried the name server for the server's own address, a common occurrence in dynamic DNS configurations, the client's dynamic DNS traffic was sent to the researchers' server, where it could be captured.
Tamari and Luttwak found a variety of sensitive data during their experiment, including computer names, employee names, office locations, and information about organizations’ exposed web resources. For example, they claim to have identified a company that appeared to be violating US trade sanctions. Malicious adversaries could use this kind of data to help plan network attacks.
According to Tamari, Amazon and Google have fixed this issue in their respective DNS services, but other DNS service providers may still be vulnerable. The researchers said three of the six DNS-as-a-service providers they examined were vulnerable.
The researchers attribute the vulnerability to the way Windows machines perform dynamic DNS updates (RFC 2136).
“Microsoft machines use a unique algorithm to find and update the master DNS server when changing IP addresses,” Tamari explained. “Eventually, the algorithm will query the hacked name server for its own address.” And that sends dynamic DNS traffic to the malicious IP address.
Microsoft does not plan to revise its algorithm, however, Tamari said, because Redmond does not view this as a vulnerability. Rather, the company considers this to be a known misconfiguration issue when customers work with external DNS resolvers.
Microsoft did not immediately respond to a request for comment.
Tamari said it’s up to organizations to configure their DNS resolvers to prevent dynamic DNS updates from leaving their network.
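One way to check for the mitigation Tamari describes is to audit resolver or firewall logs for dynamic DNS UPDATE messages that leave the internal network or target zones the organization does not own. The following is an added example, not code from Wiz or from the article; it assumes a simplified, constructed log format (`client=`, `opcode=`, `zone=`, `server=` key-value pairs), a hypothetical internal allow-list of networks and zones, and constructed sample lines.

```python
import ipaddress
import re

# Constructed sample log lines (not real data) in an assumed simplified format.
# The third line models a Windows client sending its dynamic update to an
# external server for a zone the organisation does not own.
SAMPLE_LOG = """\
2021-08-05T09:12:01Z client=10.20.4.17 opcode=UPDATE zone=corp.example.internal server=10.20.0.53
2021-08-05T09:12:02Z client=10.20.4.17 opcode=QUERY qname=ns-1611.awsdns-09.co.uk qtype=A server=10.20.0.53
2021-08-05T09:12:03Z client=10.20.4.17 opcode=UPDATE zone=awsdns-09.co.uk server=192.0.2.10
2021-08-05T09:12:04Z client=10.20.7.9 opcode=QUERY qname=www.example.com qtype=A server=10.20.0.53
"""

LINE_RE = re.compile(r"(?P<ts>\S+)\s+client=(?P<client>\S+)\s+opcode=(?P<opcode>\S+)\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Hypothetical allow-lists: networks that host the organisation's own DNS servers,
# and zones its clients are permitted to update dynamically.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]
INTERNAL_ZONES = {"corp.example.internal"}

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "client": m["client"], "opcode": m["opcode"]}
    rec.update(KV_RE.findall(m["rest"]))
    return rec

def is_internal_server(ip_text):
    """True only if the destination server lies inside an allow-listed internal network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # missing or malformed address: treat as not internal
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_leaking_updates(log_text, internal_zones=INTERNAL_ZONES):
    """Return (ts, client, zone, server, reason) for each UPDATE that leaves the network."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["opcode"] != "UPDATE":
            continue
        zone, server = rec.get("zone", ""), rec.get("server", "")
        reasons = []
        if not is_internal_server(server):
            reasons.append("update sent to a server outside the internal network")
        if zone not in internal_zones and not any(zone.endswith("." + z) for z in internal_zones):
            reasons.append("update targets a zone outside the internal allow-list")
        if reasons:
            findings.append((rec["ts"], rec["client"], zone, server, "; ".join(reasons)))
    return findings
```

Running `find_leaking_updates(SAMPLE_LOG)` flags only the third line; in a real deployment the same check would be fed from the resolver's query log or a firewall's DNS inspection output.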
“Google has blocked associated domain names to protect customers from this issue and we have not seen any evidence of malicious abuse on our platform,” a company spokesperson said in a statement to The Register. “We appreciate the work of Wiz.io and the efforts of the community at large to identify potential exploits like this.”
Amazon did not immediately respond to a request for comment.