DNS poisoning attack


coxhaus
What are you guys doing to prevent DNS poisoning attacks?

I got hit the other night around midnight. The first night I lost DNS. My network was down all night.

I thought I was doing enough by only allowing my network devices to access only ISP DNS servers. It stopped my network devices from accessing bad web pages and getting loaded up with bad code, so my network was kind of offline because there was no valid DNS server available. I was drinking so I waited till the next day. All devices are pointed to my router so it is the focus point for DNS. I was able to ping outside on the internet but DNS was not working. That means I had to rebuild my router as something happened to my DNS. I flashed it twice and then set up the router again from scratch. This time I tightened up security a little more. I locked remote access down to a very small local network. I blocked all IPv6 traffic. I again locked my DNS access to only 2 DNS servers. All other DNS servers will fail. I got hit the next night around midnight again. The network stopped for about 10 to 20 minutes. Then they went away this time so I am thinking I fared better. I did not need to rebuild the router this time.

Once your PC accesses a bad web page from DNS poisoning it needs to be rebuilt from scratch because there is no way to tell what was loaded on the PC.
 
Sorry, I don't understand how you've determined this is DNS poisoning rather than your ISP's DNS servers being offline. :confused:

Anyway, I believe the solution to a poisoned upstream DNS server is to use DNSSEC. I'm not sure that would be applicable if you think your local DNS server has been compromised.
 
It is possible ISP DNS was offline the second time. The first go around I had 8.8.8.8 in there so the ISP would have needed to have blocked google DNS. It was down for about 12 hours with no DNS access until I rebuilt the router. I rebuilt it because I did not trust it.

This is why I am asking what people are doing. It could be people here are just running with any DNS and they don't care as long as it runs.

It happened 2 nights in a row about the same time; the first time it never came back but the second time it did. And don't forget I could ping anywhere out on the net. I did ping 8.8.8.8 with no problems.

It is possible it would have run if I did not have blocks for other DNS servers. I did not test this.

One other thing: this makes me want to run a syslog server on my router. I am getting rid of my rack so I need to start thinking about this.
 
Anyway, I believe the solution to a poisoned upstream DNS server is to use DNSSEC.

That'd be great if more than a very small number of zones were signed... Unfortunately the vast majority of zones aren't, so DNSSec can't protect you there.
 
DNS poisoning is generally going to be on a client basis...

To get at the network wide DNS - one has to get access to the router - and that is possible in some cases...

Simple solution - don't use the default password on the router, and don't expose services on the router to the WAN.
 
And in the case where the DNS cache is suspect.... clear the cache...

For the router/AP - just restart it, the cache is in memory..

From my notes...

Current Macs(OSX 10.11):

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

Windows 10/8/7/XP

ipconfig /flushdns

Ubuntu 14.04LTS

sudo /etc/init.d/dns-clean start

Older stuff, look below…

Macintosh

OSX 10.11

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

OSX 10.10 (10.10.3 thru 10.10.0)

sudo discoveryutil udnsflushcaches

OSX 10.9 – 10.5.2

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

OSX 10.5.1 and earlier

sudo lookupd -flushcache

Linux Generic (depending on what you’re running)

/etc/init.d/named restart

/etc/init.d/nscd restart
 
I try to control the clients by not letting them talk out on the net using DNS. I force them to use the router DNS. Then I try to protect the router DNS.

So what I am hearing is nobody really does anything to try to protect their DNS. Sounds like I am doing more than most people. Flushing caches after the fact is too late.
 
There seem to be 3 DNS attacks which are different. There is DNS poisoning, DNS redirecting and DNS hijacking. They all kind of have the same effect.

They are all bad and can corrupt your network devices if you use a bad web site due to a fake DNS response.
 
I still have something going on. I lost access to a web site. I tried an nslookup and the request timed out. I rebooted my router and it fixed it. The site worked fine right after the reboot. I asked and the site was not down.

Any ideas?
 
Was it just one web site that timed out or lots/all of them?

Next time it happens, direct nslookup to use different DNS servers to try and determine which ones have the problem and which ones don't. That way you'll know whether it's a problem with your equipment or the remote server, i.e.
Code:
nslookup problemsite.com 192.168.1.1
nslookup problemsite.com 8.8.8.8
nslookup problemsite.com 1.1.1.1
nslookup problemsite.com 9.9.9.9
nslookup problemsite.com 208.67.222.222
You may have to disable your DNS-redirector depending on how that works.
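A way to do the comparison above systematically, as an added example that is not part of the original post: the script parses the output of several `nslookup problemsite.com <server>` runs, collects the answer addresses from each resolver, and flags any resolver that timed out or returned a different answer set from the majority. The sample outputs are constructed (documentation-range addresses, made-up hostnames), `problemsite.com` is the post's own placeholder, and `run_nslookup` is a helper that would shell out to the real `nslookup` when you have network access.

```python
import ipaddress
import re
import subprocess
from collections import Counter

# Constructed nslookup output for the five resolvers listed in the post. These are
# made-up samples using documentation-range addresses, not real lookups: one
# resolver times out and one returns an address none of the others return.
SAMPLE_OUTPUTS = {
    "192.168.1.1": (  # Windows-style layout: 'Addresses:' plus indented continuation
        "Server:  router.lan\nAddress:  192.168.1.1\n\n"
        "Non-authoritative answer:\nName:    problemsite.com\n"
        "Addresses:  203.0.113.10\n          203.0.113.11\n"
    ),
    "8.8.8.8": (  # BIND-style layout used by Linux/macOS nslookup
        "Server:\t\t8.8.8.8\nAddress:\t8.8.8.8#53\n\n"
        "Non-authoritative answer:\nName:\tproblemsite.com\nAddress: 203.0.113.11\n"
        "Name:\tproblemsite.com\nAddress: 203.0.113.10\n"
    ),
    "1.1.1.1": (
        "Server:\t\t1.1.1.1\nAddress:\t1.1.1.1#53\n\n"
        "Non-authoritative answer:\nName:\tproblemsite.com\nAddress: 203.0.113.10\n"
        "Name:\tproblemsite.com\nAddress: 203.0.113.11\n"
    ),
    "9.9.9.9": (
        "DNS request timed out.\n    timeout was 2 seconds.\n"
        "*** Request to UnKnown timed-out\n"
    ),
    "208.67.222.222": (
        "Server:  resolver1.example\nAddress:  208.67.222.222\n\n"
        "Non-authoritative answer:\nName:    problemsite.com\nAddress:  198.51.100.66\n"
    ),
}

TIMEOUT_MARKERS = ("timed out", "timed-out", "no servers could be reached")


def parse_nslookup(text):
    """Return (set of answer IPs, timed_out) from raw nslookup output.

    The 'Address:' line before the first 'Name:' line is the resolver's own
    address, so answers are only collected once a 'Name:' line has been seen.
    """
    if any(marker in text.lower() for marker in TIMEOUT_MARKERS):
        return set(), True
    addrs, in_answer = set(), False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        # 'Address: x', 'Addresses: x' or a bare indented continuation line; drop '#53'
        candidate = re.sub(r"^Address(es)?:\s*", "", stripped).split("#")[0]
        try:
            addrs.add(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # label lines such as 'Non-authoritative answer:' or 'Aliases:'
    return addrs, False


def compare_resolvers(outputs):
    """Take the answer set returned by most resolvers as the consensus and
    report the resolvers that disagree with it or timed out."""
    answers = {srv: parse_nslookup(out) for srv, out in outputs.items()}
    tally = Counter(frozenset(a) for a, timed_out in answers.values() if a and not timed_out)
    consensus = set(tally.most_common(1)[0][0]) if tally else set()
    report = {"consensus": consensus, "agree": [], "disagree": {}, "timed_out": []}
    for srv, (addrs, timed_out) in answers.items():
        if timed_out:
            report["timed_out"].append(srv)
        elif addrs == consensus:
            report["agree"].append(srv)
        else:
            report["disagree"][srv] = addrs
    return report


def run_nslookup(name, server, timeout=10):
    """Run the real `nslookup name server` and return its output (needs network access)."""
    proc = subprocess.run(["nslookup", name, server], capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    for key, value in compare_resolvers(SAMPLE_OUTPUTS).items():
        print(f"{key}: {value}")
```

A disagreement is a lead, not proof of poisoning: sites behind CDNs legitimately hand different resolvers different addresses, so the next step is to check who owns the odd-one-out address before concluding anything. A timeout from one resolver while the others answer points at that server or the path to it, which is the distinction the post is after.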
 
I recall you trust your ISP's DNS so much...perhaps that's the problem.

I quite like my ISP's DNS simply because they won't care about the little amount to monetise from me. They have much bigger fish to go after in the market. But I learned from this forum that some ISPs in certain markets do cheat on their users. So perhaps you should check out the DNS over TLS / DNS over HTTPS threads and set them up in your environment.

Better yet, I think you should set up your own DNS resolver (by running Unbound). There you could have DNSSEC (maybe few but better than none). And I'm sure you could squeeze in a few optimizations while you have time.

The whole thread sounds like a drama and I couldn't believe what's happening. Either your ISP changed behaviour recently or you messed up something yourself..lol
 
The main problem is that you didn't lock down your router. Asus can be configurable like MikroTik, if you use RMerlin's firmware. Ensure that you cannot use your router as a DNS from outside (check both IPv4 and IPv6 from WAN), and also check through both that you cannot access it remotely from WAN. Just requiring a password is not enough; anything that's exposed can be exploited.

I would start with a tool like Shodan. DNS poisoning happens because someone is intercepting your DNS; if, say, your router or internet link has been compromised, DNS packets could be rerouted so that it would not matter who your DNS server is. DNSSEC is one way to avoid it; the second is to deny output/input on port 53 except to/from only your selected DNS provider on the WAN side. For example: accept to DNSIP port 53 (TCP and UDP), accept from DNSIP port 53 (TCP and UDP), deny from port 53 (everyone else, including your own router on WANs; place below the accept rule), deny out to port 53.

Also, if you connect via another interface, like both VLANs and PPPoE, then you have a total of 3 interfaces on the WAN side which each require rules to deny access and whitelist only required services. For example, if your WAN port is Ethernet, then you have the Ethernet port, VLAN and PPPoE all needing to be secured.
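The four-rule port-53 policy described above, modelled as an added example that is not part of the post or of any router firmware: a first-match evaluator over an ordered rule list, with a `deny_first` switch that shows why the catch-all denies have to sit below the accepts. The resolver address `203.0.113.53` and the packets are constructed test values; `Packet`, `Rule`, `build_dns_rules` and `evaluate` are names chosen for this example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

DNS_PORT = 53
BOTH = ("tcp", "udp")


@dataclass(frozen=True)
class Packet:
    direction: str  # "out": LAN or router towards WAN, "in": WAN towards router or LAN
    src: str        # IPv4 or IPv6 literal; the policy applies the same way to both
    dst: str
    sport: int
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "deny"
    direction: str
    protos: Tuple[str, ...] = BOTH   # the post's "(TCP and UDP)"
    src: Optional[str] = None        # None matches any value
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        fields = ((self.src, p.src), (self.dst, p.dst), (self.sport, p.sport), (self.dport, p.dport))
        return (self.direction == p.direction and p.proto in self.protos
                and all(want is None or want == got for want, got in fields))


def build_dns_rules(allowed_resolvers, deny_first=False):
    """Ordered WAN rule list for the post's policy: accept port-53 traffic to and
    from the chosen resolvers, then deny port-53 traffic to or from anyone else
    (which includes the router's own queries to other servers). deny_first=True
    models the mistake of placing the catch-all denies above the accepts."""
    accepts = []
    for ip in allowed_resolvers:
        accepts.append(Rule("accept", "out", dst=ip, dport=DNS_PORT))   # queries to DNSIP
        accepts.append(Rule("accept", "in", src=ip, sport=DNS_PORT))    # replies from DNSIP
    denies = [Rule("deny", "in", sport=DNS_PORT),    # replies from everyone else
              Rule("deny", "out", dport=DNS_PORT)]   # queries to everyone else
    return denies + accepts if deny_first else accepts + denies


def evaluate(rules, packet):
    """First-match evaluation: (action, index of the matching rule). Traffic no
    rule covers is reported as 'unmatched' and falls to the firewall's default
    policy, which this example does not model."""
    for index, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, index
    return "unmatched", None


if __name__ == "__main__":
    rules = build_dns_rules(["203.0.113.53"])  # constructed resolver address
    samples = [
        Packet("out", "192.0.2.1", "203.0.113.53", 40000, 53, "udp"),  # query to chosen resolver
        Packet("out", "192.0.2.1", "8.8.8.8", 40000, 53, "udp"),       # query to any other server
        Packet("in", "203.0.113.53", "192.0.2.1", 53, 40000, "udp"),   # reply from chosen resolver
        Packet("in", "198.51.100.7", "192.0.2.1", 53, 40000, "udp"),   # reply from anyone else
    ]
    for p in samples:
        print(p.direction, p.src, "->", p.dst, evaluate(rules, p))
    print("deny-first ordering, query to chosen resolver:",
          evaluate(build_dns_rules(["203.0.113.53"], deny_first=True), samples[0]))
```

The model is stateless on purpose so that it mirrors the four rules as written; a real stateful firewall (iptables or nftables with connection tracking) would normally replace the "accept from DNSIP port 53" rule with an established/related rule, and the "deny from port 53" rule then only matters for unsolicited packets. Either way, the ordering point survives: with the denies above the accepts, even the allowed resolver is cut off.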
 
@System Error Message The Asus router is already locked down. The router's DNS server only listens on the internal LAN interface, not any of the other interfaces. Additionally, the router's firewall drops all unsolicited incoming traffic, including DNS requests.
 
@System Error Message The Asus router is already locked down. The router's DNS server only listens on the internal LAN interface, not any of the other interfaces. Additionally, the router's firewall drops all unsolicited incoming traffic, including DNS requests.
The only other way other than malware or a router that's still hacked is if the ISP has been intercepting DNS requests and the ISP has been hacked, for which the only solution would be DNSSEC.

Interception is a serious issue, and it definitely happens if the ISP uses PAP authentication and someone has a PPPoE server on the same network that responds faster.
 
I know something is happening beyond my control. I noticed the other day using eBay I got a message on my Windows 10 using an Edge browser that my Adobe Reader was out of date and I needed to update it here, click here. I blew the window away using Task Manager. I know that Adobe Reader is controlled by Microsoft for the Edge browser. I think the DNS is awry. I need to pin it down. When it happens again I will try an immediate reboot to see what happens. I believe the target sites will be large sites like eBay and others. They are looking at loading up the client computers with bad things.
 
Cisco RV340 router. I am not sure whether it is the router or the ISP. I am working on pinning it down.
 
Based on some of the symptoms you describe, this sounds more like a hijacker/adware add-on on your computer. I would run it through Malwarebytes Antimalware. Those "Your Adobe/Flash/Acrobat" popups are very common with these types of adware.
 
It only happens on eBay and only sometimes.

I was running Spybot but it has an issue where it will periodically turn off your anti-virus in Windows 10 so I quit running it.
 
It only happens on eBay and only sometimes.
There was some malware that infected Asus routers at the beginning of the year that redirected devices to a fake eBay site as well as a few others. It might be a variant of that. As Merlin said, Malwarebytes Antimalware should sort out any client infections. If you find it happening again do an nslookup on the suspect address and verify the IP returned.
 