What’s in a name? Generally speaking TCP/IP relies on DNS to function. Without DNS all connections would have to be specified by IP address directly. But even specifying an IP address is not enough, as most web hosting environments serve multiple websites from a single IP and use the HOST header to differentiate sites. Effectively without DNS there is no Internet like we know it.
I started off by saying generally speaking. That is because DNS is not the only name resolution mechanism that can be used. For a Windows machine there is a clearly defined order and preference.
When a domain name is queried with a PING request the following sequence is followed:
Name resolution issues can cause headaches when trying to get things to work, but a far more serious problem from a security perspective is DNS cache poisoning. The basic concept is to change the destination IP address of a valid name. Traffic will then be routed to the malicious site instead of the intended site.
As an example, if the DNS records for Facebook are compromised, login credentials could easily be harvested by redirecting users to a “fake” Facebook site that look real enough for users to enter their credentials. This concept if often referred to a pharming.
The importance of DNS was illustrated recently when GoDaddy's DNS servers were down and all hosted sites became unavailable.
The name resolution attack vector can be approached in a number of ways. Here are some examples:
Compromise HOSTS File
The easiest and most effective target is to compromise the local HOSTS file. The reason for this is because this is a simple text file on a computer. It can be edited without any complex methods. It is also first in line for name resolution so a compromise here is extremely effective.
Compromise DNS Servers
The second is to compromise DNS servers directly. This is a far more complex undertaking and as such is seen far less frequently.
Compromise Network Equipment
A third method is a combination approach of the first two, as it involves attacking network equipment such as consumer DSL routers and directing DNS requests to a server controlled by a malicious party.
DNSchanger was a widely publicized piece of Malware that also exploited naming vulnerabilities.
The steps below will illustrate the problem presented by a compromised a HOSTS file. For this example I am using yahoo.com.
The image shows both the original and hacked site. This was a very quick and basic hack but you can see how effective this can be to catch out the average user.
The reason this happens is that Internet Explorer, like PING, will resolve the name in the usual manner. Picking up our compromised yahoo.com record from the HOSTS file and using that IP.
If however you are using Forefront TMG as a proxy, you will still correctly be routed to the site.
The reason Forefront TMG prevents this exploit is because the client’s HTTP request is sent to the Forefront TMG proxy server. The TMG proxy does the DNS lookup on the client’s behalf, determines the correct IP and directs the traffic there.
Forefront TMG itself follows the same name resolution sequence as the client. The name lookup sequence when using TMG as a proxy is as follows:
So if the HOSTS file on TMG has been compromised or purposefully edited, those addresses would be used instead of being resolved via DNS. You could therefore potentially use the HOSTS file as a very crude URL Filtering mechanism.
It is important to note that this behaviour is only for proxy clients. If you are using TMG as a secure NAT client this does not apply.
As you can see Forefront TMG can mitigate name resolution related attacks for your corporate users, providing Forefront TMG's own naming configuration is sound.
Returning to the opening question. What’s in a name? As it turns out, it is quite a bit!
Download the free 30 day trial, or schedule a demo and we'll show you how it works!
Make The World A Better Place with Fastvue and Microsoft Reputation Services (MRS)
How to Report on YouTube Activity with Fastvue TMG Reporter