DNS Spoofing how do I protect myself from this?

Discussion in 'other security issues & news' started by Konata Izumi, May 15, 2010.

Thread Status:
Not open for further replies.
  1. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    -http://www.youtube.com/watch?v=Aak6-B3JORE-
    DNS Spoofing how do I protect myself from this?
    o_O
     
    Last edited by a moderator: May 16, 2010
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Most DNS services are immune to DNS poisoning. I wouldn't worry about this.
     
  3. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Is it possible to not use any DNS services at all?
    If its possible, is it recommended to not use a DNS service?
    Would it be safer to do that?
     
  4. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Mostly you can't

    Realize that arp poisoning man-in-the-middle attacks like that occur on the same network segment. If you're behind a router then it means your attacker is likely behind your same router (though depending on your ISP security it is a possible attack on the other side of the router from someone on that network segment)

    If you are in a business environment then implement 802.1x port authentication or configure your switches for static MAC addresses.

    You're really not likely to run into this attack on you're home network. The exception to that is on a wireless connection, where you are also vulnerable to spoofed AP man-in-the-middle attacks (different details, same results). Configuring in your DNS server addresses (rather than using those from DHCP) may provide a slight bit of help. But ultimately if you are on an unsecured and compromised local network segment then you're kind of open to being monitored.
     
  5. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    Possible, but not practical. There's a good reason for DNS. You would need the IP addresses of every single server you wish to ever contact entered in your hosts file. And that is only good until someone changes IP address. You could set up your own DNS server, but that still has to resolve addresses upstream so it's just as vulnerable to spoofing/poisoning.
     
  6. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Thanks.

    I've switched to OpenDNS which is a bit slower than my ISP's dns service...
     
  7. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    I use OpenDNY myself. But be aware that using it is not going to really protect you from the attack in that video. If your local network segment is compromised to the point that someone can use Ettercap, then they can use it to look at your DNS requests also. Ettercap does ARP spoofing that put the eavesdropper in the middle of your data flow across a switch (if it's a hub and not a switch than straight sniffing is trivial).

    What's the network and the threat? Businesses worried about in-house spoofing can lock down switch ports. If it's a university situation you might want to consider a vpn. For a home network you would probably have to upgrade your switch to something business class.
     
    Last edited: May 15, 2010
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    See, they've done nothing to prevent DNS spoofing. In fact, they've chosen an "alternative" "secure" DNS implementation from the (in)famous DJB precisely in order to make it possible for them to continue their Google hijacking and "typo fixing" practice - which has been generating them advertising $$$$ for years. They are spoofing DNS - they fail to return proper NXDOMAIN for nonexistant domains - to earn money.
     
  9. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    Ok. I'll switch to Google Public DNS then?
     
  10. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    All of those things can easily be disabled if you choose. If you do so you still get the content filtering (again if you choose to have it enabled and configured) but you will lose stats. OpenDNS is the most configurable third-party DNS provider I've tried.
     
  11. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, if you are not concerned about the privacy issues... :D Then there's Comodo but they are doing the same thing as OpenDNS. So, Google at least provides a proper DNS service. Without all the blacklists fluff etc., but a proper DNS.

    Myself, I've set up my own recursive DNS server (using BIND for that) and using it for quite some time. It uses DNSSEC for the zones where it's available etc. Less privacy concerns wrt ISP and all. You can easily set up your own as well, will run under Windows too.
     
  12. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Nope. They've been evading straight and honest answers for years. You cannot easily disable it. Fact being, you cannot disable their "typo fixing" without losing all their DNS filtering lists (then you can go and use Google public DNS and save yourself the hassle) - and you cannot disable the Google hijacking at all.

    See here and here and see the incredible OpenDNS hypocrisy here. They dare to criticise Google for what they've been doing for years without any opt-out? Ugh. 'Nuf said.
     
  13. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    First off, the DNS spoofing with ettercap in the video in the OP is just a side effect of the MAC spoofing attack. If some one is doing that on your local network there is really no defense. You need to control your local network.

    There is a wide choice of alternate DNS providers you may choose, and reasons for doing so (speed, security, manageability, etc.). I use OpenDNS because of the filtering, management and statistics. If you want strict DNS compliance with OpenDNS you have to go into Advanced Settings and disable those settings.

    Other DNS services you can try are...

    http://www.dyndns.com/services/dynguide/

    http://code.google.com/speed/public-dns/

    http://www.dnsadvantage.com/

    http://www.comodo.com/secure-dns/ (rebranded dnsadvantage)

    http://www.scrubit.com/

    http://dnsresolvers.com/

    If you are looking purely for speed (no management or filtering), the Level 3 DNS server tend to be among the fastest (http://www.topbits.com/public-dns-servers.html)

    You can check out each for the features you want. To measure speed try the GRC DNS Benchmark Utility:
    http://www.grc.com/dns/benchmark.htm
     
  14. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    That is incorrect. I use the service and I have disabled all those things including their Google proxy. It is done very simply all from one page (Advanced Configuration), though you have to un-check all the options on that page, like 5 or 6. Unchecking "Enable OpenDNS proxy" disables their Google proxy (what you call "hijacking"). I have since re-enabled most options because I do like the management and statistics.

    Thing is they don't force anyone to use it. I've tried other third-party DNS servers and for me OpenDNS has the least intrusive filter, and the best management control, and they are the only free service that I've run across that provides statistics. Personally I have no issues with the trade-offs to get those advantages.
     
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Once again, disabling the proxy did zilch wrt hijacking the google.com DNS zone by OpenDNS last time I tried. See here for what I mean.

    I won't bother trying again, because the deafening almost two years lasting silence on the threads I've referred to above has been really enough for me. Also, their latest DNSCurve tragicomedy for details of which see this blogpost by Paul Vixie - just will quote a short part of it:

    and cf. that with the OpenDNS announcement.

    What a load of nonsense and complete misunderstanding of the security issues. Or not? How about the hypocrisy point again. See, DNSSEC prevents their fishy redirect practices business, the DNSCurve placebo does not. Another grand OpenDNS failure. :thumbd:
     
  16. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    What if there is at least one computer on your network that you do not control and is in the hands of a risky surfer who clicks on email attachments and surfs dangerous sites?

    Is there any way you can set up to protect yourself from these MITM issues?
    Dual routers and a hardware firewall?
     
  17. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    You can set up computers individually to use OpenDNS, do not rely on the router, this is especially true for mobile laptops.

    https://store.opendns.com/setup/computer/

    Unless you're talking about an internal network attack, in which case you should have your software firewall (windows firewall/etc) set to public location/strict/etc/
     
  18. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    I seriously don't see how's OpenDNS or any DNS service for that matter that doesn't implement DNSSEC protect against MITM. (The other issue being that - even w/ servers that do implement and support DNSSEC - you need to have the DNS records actually signed to be protected against this).
     
  19. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I've actually been gathering information on how to security config BIND and DNSSEC.

    I got time. I won't have my machine anytime soon, so... :cool:

    I do like the approach, but not only to act as a merely DNS server, but also has a black-hole to block access to malicious domains. Way better than a HOSTS file, because there isn't the problem that big HOSTS files have.
     
  20. mvario

    mvario Registered Member

    Joined:
    Sep 16, 2008
    Posts:
    339
    Location:
    Haddonfield, IL
    If the untrusted computer is on your network segment then there isn't much you can do.

    First off, if we're discussing the video and Ettercap then let's not talk about DNS. The DNS spoofing is just a result of the underlying Ettercap attack which is based on MAC address spoofing. If you haven't used Ettercap, it is basically a packet sniffer. But where traditional sniffers capture traffic on a hub, or from a mirrored port on a switch, Ettercap can capture across a switch by sending ARPs with the spoofed MAC address of the target to the switch so that the switch will send the intruder the packets that were intended for the target.

    If someone is on your local segment the only way to prevent this is to use a business grade switch and implement 802.1x authentication, or to statically map ports to MAC addresses (or get them off your segment by implementing VLANs).

    Otherwise you need to get the untrusted host off of your segment. A firewall is not going to help you. You mentioned dual routers, and depending on how you set up the network architecture that could work... the goal is to get the untrusted host onto their own network segment, but you need to make sure all their computer shares the segment with is their side of their router. A business class multiport router could also be configured for separate local networks/segments.

    Of course they could try IP spoofing, but that is much more difficult, whereas a man-in-the-middle attack with MAC spoofing with Ettercap is trivial for a computer located on the same segment.
     
  21. T-RHex

    T-RHex Registered Member

    Joined:
    Jun 10, 2009
    Posts:
    97
    (A little late to the party, I know...)

    So what does one do with a netbook? Who knows what the network topography might be that it connects to, or who else is sharing the network?

    Other than having a software firewall, would it be recommended to use a specific DNS server IP assigned in the network connection setup? Or use a service like OpenDNS? Or are you saying there's no point because someone on the same network segment might be spoofing records anyway and there is no protection against that?

    (If I've mangled something tech-wise, please forgive my still-burgeoning security knowledge.)
     
  22. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Thanks Mvario.

    Since learning about MITM and how they work I realized the weakness of my network with all computers behind a single router.
    I wasn't aware there were routers that could split the switch into two logical network segments.

    I've used ettercap but haven't used all of the plug-ins nor have I looked at the packets to see what is going on.
     
Loading...
Thread Status:
Not open for further replies.