DNS settings are typically ignored. Management of DNS settings is deferred to the Internet Service Provider (ISP).
Concerns:
- Malware can replace the DNS settings with its own settings (one example: Trojan:Win32/Alureon.CO). When malware has made this change, a client who connects to a legitimate web site (such as their bank) tells the malware DNS server who they do business with. The malware DNS server collects information about the web sites the client uses. At any time, the malware DNS server can substitute an IP address of its own choosing. There should be a certificate error when the victim connects, but certificate errors can be ignored. A prompt for user ID and password would collect the user ID and password. To allay suspicion, the victim is then shown an “access denied” message. The bad actor now has working credentials.
- DNS settings are typically ignored. When the payload is a change to the DNS settings, the payload goes unnoticed. Anti-virus software would not detect an “infection” since these are configuration settings, not a file. This is one of the many reasons you should not rely upon “cleaning” a system to make it trustworthy. See Can You Clean a Virus? In a corporate environment, an inventory system which gathers DNS settings (such as Microsoft’s SCCM) can be used to reveal this payload. See Finding the DNS Hijacking Victims.
- DNS implementations can have security vulnerabilities; search US-CERT. A DNS service must be managed. In a corporate environment, internal server names should not become known externally, so internal DNS servers are required.
- DNS lookup history is an important intrusion detection mechanism. Review lookup requests to discover if malicious sites are being accessed.
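As an added example (not from the original article), the following Python script shows the kind of review the last point describes: it scans DNS query log lines for lookups of known-bad domains, matching on label boundaries so that a subdomain of a blocked name is caught but a look-alike name is not, and counts hits per client. The log format, the client addresses and the blocklist entries are all constructed for illustration; in practice the lines come from the DNS server's query log and the blocklist from a threat-intelligence feed.

```python
"""Review DNS lookup history for requests to known-bad domains.

Added example, not from the original article. The log format and the
blocklist entries are constructed; a real deployment feeds this from the
DNS server's query log and a threat-intel feed.
"""
import re
from collections import Counter

# Constructed sample log lines: "<timestamp> <client-ip> <query-name> <type>"
SAMPLE_LOG = """\
2011-11-10T09:01:02Z 10.0.0.15 www.example.com A
2011-11-10T09:01:05Z 10.0.0.15 login.bad-site.example A
2011-11-10T09:02:10Z 10.0.0.22 bad-site.example AAAA
2011-11-10T09:02:11Z 10.0.0.22 notbad-site.example A
2011-11-10T09:03:00Z 10.0.0.15 mail.example.com MX
"""

# Constructed blocklist; a real one comes from a threat-intel feed.
BLOCKLIST = {"bad-site.example", "evil.example"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalise(name):
    """Lower-case and strip the trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")


def is_blocked(qname, blocklist):
    """True if qname is a blocked domain or a subdomain of one.

    Matching is done on label boundaries, so 'notbad-site.example' does
    not match the entry 'bad-site.example' while 'login.bad-site.example'
    does.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def review_log(text, blocklist=BLOCKLIST):
    """Return (hits, per_client): hits is a list of (timestamp, client, qname)
    for blocked lookups; per_client counts blocked lookups per client."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the review
        ts, client, qname, _qtype = m.groups()
        if is_blocked(qname, blocklist):
            hits.append((ts, client, normalise(qname)))
    per_client = Counter(client for _, client, _ in hits)
    return hits, per_client


if __name__ == "__main__":
    hits, per_client = review_log(SAMPLE_LOG)
    for ts, client, qname in hits:
        print(f"{ts} {client} looked up blocked name {qname}")
    for client, n in per_client.most_common():
        print(f"{client}: {n} blocked lookup(s)")
```

Counting per client matters as much as the individual hit: a single lookup may be a mistyped URL, while repeated lookups of the same blocked name from one client point at a host that needs to be examined.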
At home, you want a vendor who pays careful attention to keeping the DNS service maintained and whom you trust. You are not required to use the DNS servers your ISP maintains; there are other options. Configure your clients to use better-managed, more secure DNS servers.
If you are using your router to provide IP and DNS addresses on your home network, consider providing more secure DNS servers.
Provider | Primary | Secondary |
Google Public DNS | 8.8.8.8 | 8.8.4.4 |
OpenDNS | 208.67.222.222 | 208.67.220.220 |
Windows assigns DNS settings for each network adapter. If you switch from a wireless connection to a wired connection, you may be using different DNS settings.
Some hotels assume that you do not specify DNS settings. Their DHCP solution delivers DNS servers that you are required to use; that is, specifying your own DNS settings breaks Internet access at some hotels.
The ESET SysInspector utility reveals the DNS settings you are currently using.
It is possible for a DNS server itself to be attacked, as in the NetNames breach. This has much the same effect as changing the DNS setting: the domain name resolves to a different destination.
10-Nov-2011: Seven accused in $14 million click-hijacking scam (by Elinor Mills) illustrates how this DNS-settings-changing payload can be monetized.
The Rove botnet changed client settings to use malicious DNS servers. See the DNS Changer Working Group (dcwg.org) for more information. The IP addresses used were:
Between this IP… | … and this IP |
77.67.83.1 | 77.67.83.254 |
85.255.112.1 | 85.255.127.254 |
67.210.0.1 | 67.210.15.254 |
93.188.160.1 | 93.188.167.254 |
213.109.64.1 | 213.109.79.254 |
64.28.176.1 | 64.28.191.254 |
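The ranges above can be turned into a simple check of a host's configured resolvers, the same kind of check the corporate inventory paragraph earlier describes. The following Python script is an added example, not from the original article and not an SCCM query: it parses the adapter sections of `ipconfig /all` output, compares each DNS server against an approved list, and flags any server that falls inside one of the ranges listed above. The approved-server list (built from the public resolvers named earlier on the page) and the ipconfig excerpt are constructed for illustration; the ranges themselves are exactly the ones in the table.

```python
"""Check the DNS servers a Windows host is using against the rogue ranges above.

Added example, not part of the original article or of any vendor tool. The
rogue ranges are the ones listed in the article; the approved-server list and
the `ipconfig /all` excerpt are constructed for illustration.
"""
import ipaddress
import re

# (first, last) pairs exactly as listed in the article
ROGUE_RANGES = [
    ("77.67.83.1", "77.67.83.254"),
    ("85.255.112.1", "85.255.127.254"),
    ("67.210.0.1", "67.210.15.254"),
    ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"),
    ("64.28.176.1", "64.28.191.254"),
]

# Servers the organisation has approved: a constructed list built from the
# public resolvers named earlier on the page.
APPROVED = {"8.8.8.8", "8.8.4.4", "208.67.222.222", "208.67.220.220"}

# Constructed excerpt in the layout `ipconfig /all` prints; the wireless
# adapter has been given a server inside one of the rogue ranges.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
   Default Gateway . . . . . . . . . : 192.168.1.1
Wireless LAN adapter Wireless Network Connection:
   DNS Servers . . . . . . . . . . . : 85.255.113.10
                                       192.168.1.1
"""

# Integer bounds so membership is a plain comparison
_BOUNDS = [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
           for lo, hi in ROGUE_RANGES]


def in_rogue_range(ip):
    """Return the (first, last) pair whose range contains ip, else None.
    Anything that is not a valid IPv4 address is treated as 'not in range'."""
    try:
        n = int(ipaddress.IPv4Address(ip))
    except ValueError:
        return None
    for (lo, hi), pair in zip(_BOUNDS, ROGUE_RANGES):
        if lo <= n <= hi:
            return pair
    return None


def parse_ipconfig(text):
    """Map adapter name -> list of DNS server addresses.

    Adapter headers start at column 0 and end with ':'; the first DNS
    server sits on the 'DNS Servers' line and further servers follow on
    deeply indented continuation lines."""
    adapters = {}
    current = None
    in_dns_block = False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            adapters[current] = []
            in_dns_block = False
            continue
        first = re.match(r"\s+DNS Servers[ .]*:\s*(\S+)", line)
        if first and current is not None:
            adapters[current].append(first.group(1))
            in_dns_block = True
            continue
        more = re.match(r"\s{20,}(\S+)\s*$", line)
        if more and in_dns_block and current is not None:
            adapters[current].append(more.group(1))
            continue
        in_dns_block = False
    return adapters


def audit(text, approved=APPROVED):
    """Return (adapter, server, verdict) for every server not on the approved
    list; the verdict names the rogue range when the server falls in one."""
    findings = []
    for adapter, servers in parse_ipconfig(text).items():
        for server in servers:
            if server in approved:
                continue
            rng = in_rogue_range(server)
            verdict = (f"in rogue range {rng[0]}-{rng[1]}" if rng
                       else "not on approved list")
            findings.append((adapter, server, verdict))
    return findings


if __name__ == "__main__":
    for adapter, server, verdict in audit(SAMPLE_IPCONFIG):
        print(f"{adapter}: {server} {verdict}")
```

Because Windows keeps DNS settings per adapter, the check reports by adapter: a clean wired connection says nothing about the wireless one. A server that is merely "not on approved list" (a home router, for instance) is a policy question, while one inside a listed range is a hijacked client.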