DNS poisoning the 'thin end of a wedge'

Summary: Manipulating the internet's domain-name system (DNS) to reduce the impact of criminal malware DNSChanger has proved successful. Extending the technique to deal with other matters, however, represents the thin end of a wedge, according to DNS pioneer Dr Paul Vixie.

[Photo: Paul Vixie (Credit: Zennith Geisler/ZDNet Australia)]

The FBI said that in 2007, DNSChanger infected 4 million computers worldwide, altering their settings so that they used DNS servers provided by the criminals, which allowed them to redirect the users to fraudulent websites.

A subsequent investigation by the FBI and NASA's Office of the Inspector General (NASA-OIG), dubbed "Operation Ghost Click", led to the arrest on 8 November 2011 of six Estonians involved in the malware, although a seventh suspect remains at large.

Search warrants were executed simultaneously in Estonia, New York and Chicago, and the rogue DNS servers were seized. Dr Vixie was part of the DNSChanger Working Group that provided replacement "clean" DNS servers, so that infected computers could keep operating until the users could be contacted; in Australia, this effort included dns-ok.gov.au.

These replacement DNS servers are scheduled to be turned off on 9 July 2012. As of 30 April, only 40 per cent of affected computers have moved to new DNS servers.

Operation Ghost Click isn't the only time that the DNS has been manipulated.

The voluntary filtering scheme set up by some Australian internet service providers (ISPs) to implement the Interpol child abuse material blacklist uses the DNS to redirect users to a block page. Similar techniques are sometimes used by other content-filtering systems.

In 2004, Telstra manipulated the DNS for its BigPond customers to cover a mistake made when it advertised the website of a 1970s gay porn star, instead of the winner of Australian Idol.

The key difference between these other cases and the work of the DNSChanger Working Group is that the former return false DNS data, a process known as "poisoning", whereas the working group's replacement servers return correct answers.
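The article describes two things a defender can check for: a host whose resolver settings have been changed to point at servers it should not be using (the DNSChanger case), and a resolver that answers with addresses other than the real ones (the poisoning and block-page cases). The script below is an added example written for this page, not code from the article, the working group or any named organisation. It parses a resolv.conf, flags resolvers outside an allow-list, compares answers from the host's resolvers against a trusted reference, and looks for the tell-tale pattern of many unrelated names resolving to one address. All addresses, names and the resolv.conf text are constructed sample data in the RFC 5737 documentation ranges; `TRUSTED_RESOLVERS`, `REFERENCE_ANSWERS` and `OBSERVED_ANSWERS` are assumptions standing in for data you would gather on a real network.

```python
"""Defender-side checks for resolver hijacking and DNS poisoning (added example, constructed data)."""
import ipaddress
import socket

# Constructed sample: a resolv.conf from a host whose first resolver was changed.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 203.0.113.7
nameserver 192.0.2.10
options timeout:2
"""

# Assumption: resolvers the organisation operates itself (constructed addresses).
TRUSTED_RESOLVERS = {"192.0.2.10", "192.0.2.11"}

# Constructed answers: what the trusted reference resolver returns versus what
# the host's configured resolvers returned for the same names.
REFERENCE_ANSWERS = {
    "www.example.com": {"198.51.100.20"},
    "mail.example.com": {"198.51.100.25"},
    "www.example.net": {"198.51.100.30"},
}
OBSERVED_ANSWERS = {
    "www.example.com": {"198.51.100.20"},
    "mail.example.com": {"203.0.113.99"},  # answer differs from the reference
    "www.example.net": {"203.0.113.99"},   # same foreign address for an unrelated name
}


def parse_resolvers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses listed in resolv.conf text, in order.

    Comments, 'search', 'options' and malformed addresses are ignored.
    """
    resolvers = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                resolvers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # not a valid IPv4/IPv6 address: skip it
    return resolvers


def untrusted_resolvers(configured: list[str], trusted: set[str]) -> list[str]:
    """Configured resolvers that are not on the organisation's allow-list."""
    return [r for r in configured if r not in trusted]


def poisoned_names(reference: dict, observed: dict) -> dict:
    """Names whose observed answer set differs from the reference resolver's answers."""
    diffs = {}
    for name, expected in reference.items():
        got = observed.get(name, set())
        if got != expected:
            diffs[name] = (expected, got)
    return diffs


def shared_sink_addresses(observed: dict) -> dict:
    """Addresses that more than one unrelated name resolves to.

    A single address answering for many names is the signature of a redirect
    to a block page or a criminal landing page rather than a normal answer.
    """
    by_addr: dict = {}
    for name, addrs in observed.items():
        for addr in addrs:
            by_addr.setdefault(addr, set()).add(name)
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


def resolve_live(name: str) -> set[str]:
    """Ask the host's own configured resolvers for A records (needs network; not used offline)."""
    return set(socket.gethostbyname_ex(name)[2])


if __name__ == "__main__":
    configured = parse_resolvers(SAMPLE_RESOLV_CONF)
    print("configured resolvers:", configured)
    print("untrusted resolvers:", untrusted_resolvers(configured, TRUSTED_RESOLVERS))
    for name, (expected, got) in poisoned_names(REFERENCE_ANSWERS, OBSERVED_ANSWERS).items():
        print(f"MISMATCH {name}: expected {sorted(expected)}, got {sorted(got)}")
    print("shared sink addresses:", shared_sink_addresses(OBSERVED_ANSWERS))
```

On a real host you would replace `OBSERVED_ANSWERS` with the output of `resolve_live()` for a fixed list of names and `REFERENCE_ANSWERS` with answers from a resolver you control, then alert on any resolver outside the allow-list or any name in the mismatch set. The shared-address check is the cheaper signal: it needs no reference resolver at all, only the observation that unrelated names should not all land on the same address.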

"What the court order authorised me to do was to provide clean DNS," Vixie told the AusCERT information security conference. And that included the necessary authorisation to direct internet traffic to replacement sites, like dns-ok.gov.au.

"No judge has given me the ability to import the Interpol child-exploitation domain list and send all those people to walled gardens or whatever, and no judge, I think, would — at least, not in the US," he said.

"There is a thin edge of a wedge, and it's coming in under us just now," Vixie said, referring to the push from the copyright industries represented by the recently defeated Stop Online Piracy Act (SOPA).

"US Congress has been petitioned quite heavily by the United States entertainment industry to please require all American ISPs to import various blacklists for DNS purposes. We have successfully fought it in this round. We've stopped it. I don't know that we've stopped it on the merits, so much as just we outlasted it."

But the big worry, according to Vixie, is what the rest of the world will do.

"The internet is a pretty open framework, so if it becomes common to block certain things for reasons that are not popular with the end users who wanted that content, they will just move their DNS to other places," he said.

For example, the Italian Government required the country's ISPs to block DNS look-ups for unlicensed online gambling sites.

"Within about a week's time, 6 million users in Italy changed their DNS to use Google's DNS ... what did you think was going to happen, right? I think it would be better if Italian DNS was evaluated on Italian soil. I don't see a reason that we should have to go overseas in order to get clean DNS, but that's what we're going to push for if we keep looking at simplistic solutions."

The risk there is that the DNS would be seen less as the internet's inviolable navigation system, and more as a tool able to be manipulated to support all manner of government and commercial needs.

Stilgherrian is a freelance journalist, commentator and podcaster interested in big-picture internet issues, especially security, cybercrime and hoovering up bulldust.

He studied computing science and linguistics before a wide-ranging media career and a stint at running an IT business. He can write iptables firewall rules, set a rabbit trap, clear a jam in an IBM model 026 card punch and mix a mean whiskey sour.

1 comment
  • To go back to the Blackout day, and in particular to the webcomic XKCD (http://xkcd.com/1005/). The hidden message reads:

    "A message from all sysadmins everywhere: Seriously, don't screw with DNS. If you break this Internet, we are NOT making you a new one."

    DNS is a pretty fragile system. All it takes is to change some values, and suddenly looking up, say, zdnet.com.au would redirect to a malware-riddled page. That's why it's important that no government agencies or corporations tamper with it. The backlash was already seen and felt against SOPA, but for hackers that sort of protesting would only have been the beginning.