Rogue DNS servers


7 replies to this topic

#1 gloomer

gloomer

    Hakker addict

  • Members
  • 588 posts

Posted 18 March 2008 - 11:43 PM

I've had a recent interest in these..

I thought unless you were a root DNS server that you could not make changes to specific entries. Normal DNS servers run by ISP's are supposed to be Caching-only DNS servers.

Then how do people get rogue DNS servers working?

I've read quite a bit about them, but fail to see any proper implementation of them. Can they be run by let's say.. making a few configuration changes to BIND?

Thanks for pointing me in the right direction.

#2 duper

duper

    Dangerous free thinker

  • Members
  • 816 posts
  • Location:NYC

Posted 19 March 2008 - 12:44 AM

Not quite sure I understand your question. Some service providers run caching-only nameservers in addition to nameservers that provide authoritative responses for one or more domains. Others run authoritative name servers without running caching-only nameservers at all. The root nameservers are only authoritative for resource records that refer to top-level domains. A rogue name server could be used for pharming if, for example, the target nameserver's cache contained poisoned NS records. Other possibilities include a malicious resolv.conf file, social engineering the registrar, race conditions against ID numbers in DNS headers, etc.

#3 gloomer

gloomer

    Hakker addict

  • Members
  • 588 posts

Posted 19 March 2008 - 12:55 PM

That's kinda what I'm getting at. Suppose I were able to have control over a home user's network.

Changing the DNS to my rogue DNS servers would be an efficient way to collect passwords. I just don't know where to start.

#4 Lord Wud

Lord Wud

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 423 posts
  • Location:New Jersey

Posted 19 March 2008 - 01:23 PM

Well, if by "have control over a home user's network" you mean that you have the password for the router, you could just change the address of the DNS servers to the IP you set for your own box. If you're just connected to the network you could try running a DHCP server that hands out info and hope your box responds faster than the router.

I read somewhere about a technique where you could set up a DNS server on the internet somewhere and trick the user into going to a site that said DNS server holds the authoritative records for. Then when responding to the DNS query your server would send more than one record, and some DNS servers will take these extra records and cache them. I don't know any specifics on how to go about it. Maybe someone else does.

Oh, and by home user's network you mean a router you own on an internet connection you pay for, right?

#5 gloomer

gloomer

    Hakker addict

  • Members
  • 588 posts

Posted 19 March 2008 - 02:41 PM

Wud, yes.. I think that is what I'm trying to get at. How DO you run a DNS server that LOOKS like it's going to www.arandomsite.com, but is really going to a different host?

Is that doable with some configuration messing with BIND?

"If the attacker also has control of a remote DNS server (or has installed his own DNS server somewhere else) he can also provide incorrect host resolution information and direct the customer to hosts of his choice."

I found this quote properly explains what I was trying to say. I just have poor explanations.

And yes, this is my router, and I pay for the internet connection.

I'm just curious how this all works.

#6 mirrorshades

mirrorshades

    aviatorglasses

  • Agents of the Revolution
  • 951 posts
  • Gender:Male

Posted 19 March 2008 - 02:55 PM

Oh, and by home user's network you mean a router you own on an internet connection you pay for, right?

Don't ask, don't tell.

#7 Lord Wud

Lord Wud

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 423 posts
  • Location:New Jersey

Posted 19 March 2008 - 03:26 PM

How DO you run a DNS server that LOOKS like it's going to www.arandomsite.com, but is really going to a different host?

The easiest way to configure and maintain BIND is with Webmin.

Just look into setting up a master zone.

Basically the way DNS works is that if a server already knows the answer to something it will give that answer to the clients. If it doesn't know, then it will look it up.

When I worked for a small ISP here is a common problem that would happen, due to previous admins not having the foresight to avoid this.
Customer A would register a website and have it hosted with us.
At the registrar they would point the dns servers to ns1.isp.net and ns2.isp.net.
I would then configure a zone and A records for WWW and blank that pointed to our web server.

Customer B uses DSL with ns1.isp.net and ns2.isp.net as DNS servers (by IP, of course).
Customer B becomes a customer of Customer A and frequents the website.

Customer A finds a better deal and changes the records at the registrar to ns1.otherisp.net and ns2.otherisp.net.
Customer A doesn't formally cancel, just stops paying the bill.
Customer A then uses the money they saved to pay a web designer to redo the whole site.

Now when Customer B goes to Customer A's website they are still seeing the old site, because ns1.isp.net and ns2.isp.net still hold the record for the site, and the web server is still hosting the old site.
Customer A doesn't find out for a few months, because every other ISP is able to get to the new site just fine.


Hope that helped clarify matters a bit.
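The stale-zone situation described in this post, as an added example that is not part of the original thread: a small Python simulation of a resolver that hosts its own master zones (the role ns1.isp.net plays above) next to a caching-only resolver at another ISP, plus a check that compares what a resolver answers with what the registrar's current delegation says. Such a comparison is the practical way to notice that a resolver is serving a record the delegation no longer points to, whether through a forgotten zone or a deliberately misconfigured server. The server names, zone name and addresses are all constructed for the example.

```python
"""Stale-zone simulation (constructed example, not code from the thread).

A resolver that also hosts master zones answers from its own zone first and
only recurses for names it does not hold, so a client pointed at that resolver
can keep getting a record the registrar no longer delegates to.
"""
from dataclasses import dataclass, field
from typing import Optional


def _in_zone(fqdn: str, zone: str) -> bool:
    return fqdn == zone or fqdn.endswith("." + zone)


@dataclass
class AuthServer:
    """Authoritative nameserver holding master zones: {zone: {name: ipv4}}."""
    name: str
    zones: dict = field(default_factory=dict)

    def lookup(self, fqdn: str):
        for zone, records in self.zones.items():
            if _in_zone(fqdn, zone):
                return records.get(fqdn)
        return None


class Registry:
    """Stands in for the parent zone/registrar: which servers each zone is delegated to."""

    def __init__(self):
        self.delegations = {}  # zone -> [AuthServer, ...]

    def delegate(self, zone: str, servers):
        self.delegations[zone] = list(servers)

    def servers_for(self, fqdn: str):
        for zone, servers in self.delegations.items():
            if _in_zone(fqdn, zone):
                return servers
        return []


def delegation_answer(registry: Registry, fqdn: str):
    """Answer according to whatever the registry currently delegates to."""
    for server in registry.servers_for(fqdn):
        answer = server.lookup(fqdn)
        if answer is not None:
            return answer
    return None


class Resolver:
    """Recursive resolver; `local` is a master-zone server it also runs (None if caching-only)."""

    def __init__(self, registry: Registry, local: Optional[AuthServer] = None):
        self.registry = registry
        self.local = local

    def resolve(self, fqdn: str):
        # "If a server already knows the answer it will give that answer."
        if self.local is not None:
            answer = self.local.lookup(fqdn)
            if answer is not None:
                return answer
        # "If it doesn't know, then it will look it up."
        return delegation_answer(self.registry, fqdn)


def check_resolver(resolver: Resolver, registry: Registry, fqdn: str) -> dict:
    """Defensive check: does the configured resolver agree with the current delegation?"""
    got = resolver.resolve(fqdn)
    expected = delegation_answer(registry, fqdn)
    return {"resolver": got, "delegated": expected, "consistent": got == expected}


def run_scenario() -> dict:
    """Replays the Customer A / Customer B story with constructed names and addresses."""
    site = "www.customer-a.example"
    registry = Registry()
    isp_ns = AuthServer("ns1.isp.net", {"customer-a.example": {site: "192.0.2.10"}})
    other_ns = AuthServer("ns1.otherisp.net", {"customer-a.example": {site: "198.51.100.20"}})
    registry.delegate("customer-a.example", [isp_ns])

    customer_b = Resolver(registry, local=isp_ns)  # DSL user whose resolver is ns1.isp.net
    outsider = Resolver(registry)                   # user at another ISP, caching-only resolver
    before = (customer_b.resolve(site), outsider.resolve(site))

    # Customer A moves: only the delegation changes; ns1.isp.net keeps its old master zone.
    registry.delegate("customer-a.example", [other_ns])
    return {
        "before": before,
        "customer_b": check_resolver(customer_b, registry, site),
        "outsider": check_resolver(outsider, registry, site),
    }


if __name__ == "__main__":
    for who, result in run_scenario().items():
        print(who, result)
```

Running it shows both users getting 192.0.2.10 before the move; afterwards the outsider follows the new delegation while Customer B's resolver still returns the old address and the check reports `consistent: False`. Against real servers the same comparison is done by querying the configured resolver and then the nameservers listed in the parent zone's NS records for the same name.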

#8 duper

duper

    Dangerous free thinker

  • Members
  • 816 posts
  • Location:NYC

Posted 20 March 2008 - 06:24 AM

Wud, yes.. I think that is what I'm trying to get at. How DO you run a DNS server that LOOKS like it's going to www.arandomsite.com, but is really going to a different host?

You wouldn't configure it any differently than the real DNS server. Their zone files would be almost exactly the same except for the IP addresses of the malicious servers. I also forgot to mention sea surfing a router's DNS config.