DNS settings are typically ignored. Management of DNS settings is deferred to the Internet Service Provider (ISP).
Concerns:
- Malware can replace the DNS settings with its own settings. (One example: Trojan:Win32/Alureon.CO) When malware has made this change, a client who connects to a legitimate web site (such as their bank) tells the malware DNS server who they do business with (bank with). The malware DNS server collects information about the web sites the client uses. At any time, the malware DNS server can substitute a web address of its own choosing. A prompt for user ID and password would collect the responses, then return a dummy “access denied” message. This leaves the bad guy with working credentials.
- Since DNS settings are typically ignored, this payload is typically ignored. Anti-virus software would not detect an “infection” since these are IP addresses, not a file. This is one of the many reasons you should not rely upon “cleaning” a system to make it trustworthy. See Can You Clean a Virus? In a corporate environment, an inventory system which gathers DNS settings (such as Microsoft’s SCCM) can be used to reveal this payload. See Finding the DNS Hijacking Victims.
- Each DNS implementation has security vulnerabilities. DNS has its own issues; search US-CERT. A DNS service must be managed. In a corporate environment, internal server names should not become known externally, so internal DNS servers are required. As a bonus, DNS lookup history is an important intrusion detection mechanism, revealing whether malicious sites are being accessed.
At home, you want a vendor whom you trust and who pays careful attention to keeping the DNS service maintained. You are not required to use the DNS servers your ISP maintains; there are other options. Configure your clients to use better managed, more secure DNS servers.
If you are using your router to provide IP and DNS addresses, consider providing more secure DNS servers. However, you may wish to revisit how you are managing IP addresses; that would be a subject for a different post.
| Provider | Primary DNS | Secondary DNS |
| --- | --- | --- |
| Google Public DNS | 8.8.8.8 | 8.8.4.4 |
| OpenDNS | 208.67.222.222 | 208.67.220.220 |
Windows assigns DNS settings for each network adapter. If you switch from a wireless connection to a wired connection, you may be using different DNS settings.
Some hotels assume that you do not specify DNS settings. Their DHCP solution delivers DNS servers that you are required to use. That is, specifying DNS settings breaks some hotel Internet usage.
The ESET SysInspector utility reveals the DNS settings you are currently using.
Note that it is also possible for the DNS server itself to be attacked, such as in the NetNames breach. This has much the same effect; the URL you are used to using goes to a different destination.
10-Nov-2011: Seven accused in $14 million click-hijacking scam (by Elinor Mills) illustrates how this DNS-settings-changing payload can be monetized.
The Rove botnet changed client settings to use malicious DNS servers. See the DNS Changer Working Group (dcwg.org) for more information. The IP addresses used were:
| Between this IP… | … and this IP |
| --- | --- |
| 77.67.83.1 | 77.67.83.254 |
| 85.255.112.1 | 85.255.127.254 |
| 67.210.0.1 | 67.210.15.254 |
| 93.188.160.1 | 93.188.167.254 |
| 213.109.64.1 | 213.109.79.254 |
| 64.28.176.1 | 64.28.191.254 |
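The inventory check described earlier (gather each client's DNS settings, then look for servers inside the rogue ranges above) can be scripted. This is an added example, not code from the original post or from the DCWG: it parses the text of `ipconfig /all` as collected from Windows clients and flags adapters whose DNS servers fall in the ranges in the table. The sample output embedded in it is constructed for illustration.

```python
import ipaddress
import re

# Rogue DNS ranges from the DNS Changer Working Group table above (inclusive).
ROGUE_DNS_RANGES = [
    ("77.67.83.1", "77.67.83.254"), ("85.255.112.1", "85.255.127.254"),
    ("67.210.0.1", "67.210.15.254"), ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"), ("64.28.176.1", "64.28.191.254"),
]

def is_rogue_dns(server):
    """True if an IPv4 DNS server address lies inside a rogue range."""
    try:
        addr = ipaddress.IPv4Address(server)
    except ipaddress.AddressValueError:
        return False  # IPv6 or malformed entries are outside the IPv4 table
    return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
               for lo, hi in ROGUE_DNS_RANGES)

def parse_ipconfig(text):
    """Map each adapter heading in `ipconfig /all` output to its DNS servers."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current, in_dns = line.strip().rstrip(":"), False  # adapter heading
            adapters[current] = []
            continue
        m = re.match(r"\s+DNS Servers[ .]*: (\S+)", line)
        if m and current is not None:
            adapters[current].append(m.group(1))
            in_dns = True  # extra servers follow on unlabelled, indented lines
        elif in_dns and re.fullmatch(r"\s+\S+\s*", line):
            adapters[current].append(line.strip())
        else:
            in_dns = False
    return adapters

def find_hijacked(text):
    """Adapters whose configured DNS servers include a rogue address."""
    return {a: rogue for a, servers in parse_ipconfig(text).items()
            if (rogue := [s for s in servers if is_rogue_dns(s)])}

# Constructed sample of ipconfig /all output (not a real capture).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 85.255.112.37
                                       85.255.112.44
Wireless LAN adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : 8.8.8.8
"""
```

Running `find_hijacked` over the sample reports only the wired adapter, since both of its servers sit in the 85.255.112.1 to 85.255.127.254 range; the same function works over a file of collected `ipconfig /all` output per host.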

Very informative entry, thanks! Did you see this video about how to set up a free server? Interesting – I’m thinking of setting one up to use an antispam appliance.