DNS Hijack Reporter

By Greenwolf, published in Greenwolf Security, Apr 25, 2019

Recently there has been a spate of DNS Hijacking attacks, primarily targeting North Africa and the Middle East (Sea Turtle, DNSpionage, Global DNS Hijacking Campaign). The US Department of Homeland Security even issued an alert on DNS Hijacking earlier this year, on January 24th, 2019. What seems clear to me is that we can no longer just have blind faith in our DNS providers; we must trust, but verify (Doveryai, no proveryai).

So today I want to introduce you to DNS Hijack Reporter, a lightweight monitoring tool designed by myself (Jacob Wilkin) and Andreas Georgiou. DNS Hijack Reporter aims to notify you if your DNS records are hijacked. In this blog post I will briefly go over what DNS Hijacking is and explain how the tool functions.

DNS Hijacking is the act of compromising the domain name record and redirecting its resolution to a server controlled by an attacker. It can be done in 2 main ways: either via the compromise of the DNS record controller's account, or via the compromise of the 3rd party DNS provider itself.

To understand this, we first need to know what a normal DNS resolution looks like. In the image below you can see how when a user wants to visit www.domain.com, it first asks a DNS server where www.domain.com is located. The DNS server will have an A or CNAME record which points to an IP or hostname. In this example it has an A record and replies with 10.10.10.1, then the user visits this site directly with the address provided.

Now, this is what happens when your DNS records have been hijacked. Your users want to visit www.domain.com, but attackers have compromised your DNS record and updated it with an IP address they control. This causes users to visit the attacker-controlled server, where the attackers can relay the legitimate site, effectively man-in-the-middling the connection. This allows them to sniff traffic, steal sessions, compromise credentials and inject browser exploits.

Now the issue you have is that typically you have no warning that this type of attack has taken place. Either via your compromised account or a compromised DNS provider, your records have been silently updated without your knowledge.

DNS Hijack Reporter aims to prevent this from happening. While it is running, this lightweight tool will notify you via email when your DNS record is changed, telling you that a DNS Hijacking attack is taking place.

It works by setting up a small script called client.py on each of your public-facing servers. You configure it to poll, every X minutes, an external service which returns your current external IP address. You also configure it with the expected host name (www.domain.com, mail.domain.com, etc.) that should point to this server.

After retrieving its public IP address, client.py sends this, along with its expected host name, to the server.py application. The server.py application then polls the authoritative DNS server for that host name to find what it points to. If a mismatch is detected, an email notification is sent to the configured email address, warning of the potential DNS Hijacking attack.

You can of course also run server.py and client.py on the same host. Here is an example of what it looks like when it is running and detects a mismatched record.

Now you might have noticed that since this method works by detecting a mismatch between the server's public IP address and what the DNS record is configured to, it will only work on servers where a single IP is matched to a single host name.

If you have multiple IPs per host name, say because some sort of CDN like Akamai is configured, or something like Cloudflare to prevent DDoS attacks, then you won’t be able to get the IP from the DNS records. However, you could still be at risk from DNS Hijacking if your DNS is changed to point from the CDN/Cloudflare domains to an attacker-controlled IP.

In this situation you need to run client.py with the ‘--cname’ option, which will cause it to save the current CNAME record on setup; this record should be pointing to a third-party provider. It will then notify you if this CNAME record changes.
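The comparison described above, in both A-record and CNAME mode, as an added example that is not taken from DNS Hijack Reporter's own client.py or server.py. The function names, the stub resolver and the sample records are assumptions constructed for illustration, as is the choice to skip host names that return several A records.

```python
import ipaddress

# Constructed sample data standing in for answers from the authoritative DNS
# server; a real deployment would query that server over the network instead.
SAMPLE_ZONE = {
    ("www.domain.com", "A"): ["10.10.10.1"],
    ("mail.domain.com", "A"): ["203.0.113.66"],   # constructed: record was changed
    ("shop.domain.com", "A"): ["10.10.10.3", "10.10.10.4"],
    ("cdn.domain.com", "CNAME"): ["Domain.CDN-Provider.example."],
}

def lookup(hostname, rtype, zone=SAMPLE_ZONE):
    """Hypothetical resolver stub: return the record values for hostname."""
    return zone.get((hostname.rstrip(".").lower(), rtype), [])

def check_a_record(hostname, reported_ip, resolve=lookup):
    """Compare the IP a client reported with the host name's A record."""
    answers = resolve(hostname, "A")
    if not answers:
        return f"ALERT {hostname}: no A record returned"
    if len(answers) > 1:
        # Assumption of this example: one-to-one matching is impossible here.
        return f"SKIP {hostname}: {len(answers)} A records, use CNAME mode"
    # Compare parsed addresses so formatting differences do not matter.
    if ipaddress.ip_address(answers[0]) != ipaddress.ip_address(reported_ip):
        return f"ALERT {hostname}: DNS says {answers[0]}, server reports {reported_ip}"
    return None

def check_cname(hostname, baseline, resolve=lookup):
    """Compare the current CNAME with the one saved at setup."""
    norm = lambda name: name.rstrip(".").lower()
    current = [norm(c) for c in resolve(hostname, "CNAME")]
    if current != [norm(baseline)]:
        return f"ALERT {hostname}: CNAME is {current or 'missing'}, expected {norm(baseline)}"
    return None

if __name__ == "__main__":
    reports = [("www.domain.com", "10.10.10.1"),
               ("mail.domain.com", "10.10.10.2"),
               ("shop.domain.com", "10.10.10.3")]
    for host, ip in reports:
        print(host, "->", check_a_record(host, ip) or "OK")
    print("cdn.domain.com ->",
          check_cname("cdn.domain.com", "domain.cdn-provider.example") or "OK")
```

A missing record is treated as an alert rather than as "OK", since a deleted or unresolvable record is also a change the owner did not expect.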

Please remember that this project is a work in progress, and I welcome any feedback on how to improve it. Remember to turn DNS Hijack Reporter off before editing your DNS records, then only restart it after 24–48 hours to allow for propagation. Otherwise you will receive a lot of false positive emails.

Also remember that this is just a notification tool for reporting if you are hijacked. To help prevent it in the first place, look into using a DNS provider which offers a registry lock service, and set up multi-factor authentication for your DNS management account. Both of these will add additional barriers for attackers.

For details on how to install and setup DNS Hijack Reporter, see the GitHub page. It’s free, open-source and very simple to use.

I hope you never have your DNS Hijacked, but if you do, now you will know about it!
