Until February of this year, Amazon's Route 53 DNS service offered a rarely exercised network-eavesdropping capability. The same undocumented spying option was available on Google Cloud DNS and at least one other DNS service provider.

In a presentation at the Black Hat USA 2021 security conference in Las Vegas, Nevada earlier this week, security researchers Shir Tamari and Ami Luttwak of Wiz.io explained how they found a DNS name-server hijacking flaw that let them spy on other customers' dynamic DNS traffic.

“We found a simple loophole that could intercept some of the dynamic DNS traffic around the world through managed DNS providers such as Amazon and Google,” Tamari explains in a blog post. “Basically, we ‘eavesdropped’ on the internal network traffic of 15,000 organizations (including Fortune 500 companies and government agencies) and millions of devices.”

All they had to do was register a new domain with Route 53 bearing the same name as one of AWS's official DNS servers. Specifically, they created a new “hosted zone” on the AWS name server ns-1611.awsdns-09.co.uk called ns-852.awsdns-42.net.

“Every time a domain is added to Route 53, four different DNS servers are selected to manage the domain,” explains Tamari. “We have confirmed that all name servers registered on the platform are under the control of the same server.”

After repeating this process across AWS's roughly 2,000 name servers, they had partial control over the hosted zone and could point it at an IP address of their choosing. Whenever a DNS client then queried a name server for the server's own address, something that happens frequently in dynamic DNS setups, that dynamic DNS traffic was captured.

During the experiment, Tamari and Luttwak discovered a variety of sensitive data, including computer names, employee names, office locations, and information about the organization’s published web resources. For example, they claim to have identified a company that appears to be in breach of US trade sanctions. A malicious attacker could use this data to launch a network attack.

According to Tamari, Amazon and Google have fixed the issue in their respective DNS services, but other DNS service providers may still be vulnerable. Of the six DNS providers the researchers examined, three were vulnerable.

Researchers attribute this vulnerability to the way Microsoft’s Dynamic DNS (RFC 2136) algorithm works on Windows.

“Microsoft machines use their own algorithms to find and update the master DNS server when the IP address changes,” explains Tamari. “Ultimately, the algorithm queries the hijacked name server for its address.” The result is that the machine sends its dynamic DNS traffic to the malicious IP address.

However, Microsoft has no plans to revise the algorithm, Tamari said: Redmond does not consider this a vulnerability. Rather, the company sees it as a known misconfiguration issue that arises when a customer uses an external DNS resolver.

Microsoft did not immediately respond to the request for comment.

Tamari said it is up to each organization to configure its DNS resolvers so that dynamic DNS updates never leave the network.
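One way to check whether that advice is being followed is to watch for RFC 2136 UPDATE messages, and the SOA lookups a Windows client makes to locate the zone's primary server, that are addressed to hosts outside the internal network. The script below is an added example, not code from the article or from Wiz: it builds a handful of constructed DNS packets (the internal address ranges, hosts, zone names and IPs are all assumptions), parses the DNS header and first question/zone name, and reports any dynamic update or SOA query whose destination is not internal.

```python
"""Flag RFC 2136 dynamic DNS updates that leave the internal network.

Added example (not from the article or from Wiz). Packets are (src, dst,
raw DNS payload) tuples; in practice they would come from a capture or a
resolver log. All addresses and names below are constructed.
"""
import ipaddress
import struct

# Assumed internal address ranges (adjust to the real network).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

OPCODE_QUERY = 0
OPCODE_UPDATE = 5          # RFC 2136 dynamic update
TYPE_A, TYPE_SOA = 1, 6
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def build_query(txn_id, name, qtype):
    """Minimal standard query (opcode 0, RD set) with one question."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def build_update(txn_id, zone, host, ip):
    """Minimal RFC 2136 UPDATE: a zone section plus one A-record addition."""
    flags = OPCODE_UPDATE << 11                       # QR=0, opcode=5
    # Counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT in an UPDATE header.
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 1, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = ipaddress.ip_address(ip).packed
    update_rr = (encode_name(host)
                 + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, len(rdata))
                 + rdata)
    return header + zone_sec + update_rr


def parse_message(msg):
    """Return the opcode, response flag and first question/zone name and type."""
    txn_id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txn_id, "opcode": (flags >> 11) & 0xF, "name": name,
            "qtype": qtype, "is_response": bool(flags & 0x8000)}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(src, dst, payload):
    """Alert on client->external UPDATEs and SOA lookups; None otherwise."""
    info = parse_message(payload)
    if info["is_response"] or is_internal(dst):
        return None
    if info["opcode"] == OPCODE_UPDATE:
        return ("dynamic-update-to-external", src, dst, info["name"])
    if info["opcode"] == OPCODE_QUERY and info["qtype"] == TYPE_SOA:
        return ("soa-lookup-to-external", src, dst, info["name"])
    return None


def scan(packets):
    return [a for a in (classify(*p) for p in packets) if a]


# Constructed sample traffic: one internal update (fine), one update and one
# SOA lookup sent to external addresses (flagged), one ordinary A query (ignored).
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.2", build_update(1, "corp.example.", "pc1.corp.example.", "10.0.0.5")),
    ("10.0.0.7", "203.0.113.10", build_update(2, "corp.example.", "pc2.corp.example.", "10.0.0.7")),
    ("10.0.0.7", "203.0.113.10", build_query(3, "www.example.com.", TYPE_A)),
    ("10.0.0.9", "198.51.100.20", build_query(4, "corp.example.", TYPE_SOA)),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(*alert)
```

The SOA lookup is reported separately from the update itself because it is the step in which a client learns which server it will send the update to; seeing it leave the network is an early sign that the zone's primary is being resolved through an external path, which is the condition the article describes.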

“Google is blocking relevant domain names to protect customers from this issue, and there was no evidence of malicious abuse on the platform,” a company spokeswoman told The Register in an emailed statement. “We are grateful for Wiz.io’s work and the broad community’s efforts to identify such potential exploits.”

Amazon did not immediately respond to the request for comment.

