DNS poisoning attack

Discussion in 'General Network Security' started by coxhaus, Sep 13, 2018.

  1. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,240
    Location:
    texas
    What are you guys doing to prevent DNS poisoning attacks?

    I got hit the other night around midnight. The first night I lost DNS. My network was down all night.

    I thought I was doing enough by allowing my network devices to access only ISP DNS servers. It stopped my network devices from accessing bad web pages and getting loaded up with bad code, so my network was kind of offline because there was no valid DNS server available. I was drinking so I waited till the next day. All devices are pointed to my router so it is the focus point for DNS. I was able to ping outside on the internet but DNS was not working. That means I had to rebuild my router as something happened to my DNS. I flashed it twice and then set up the router again from scratch. This time I tightened up security a little more. I locked remote access down to a very small local network. I blocked all IPv6 traffic. I again locked my DNS access to only 2 DNS servers. All other DNS servers will fail. I got hit the next night around midnight again. The network stopped for about 10 to 20 minutes. Then they went away this time so I am thinking I fared better. I did not need to rebuild the router this time.

    Once your PC accesses a bad web page from DNS poisoning it needs to be rebuilt from scratch because there is no way to tell what was loaded on the PC.
     
  3. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,368
    Location:
    UK
    Sorry, I don't understand how you've determined this is DNS poisoning rather than your ISP's DNS servers being offline. :confused:

    Anyway, I believe the solution to a poisoned upstream DNS server is to use DNSSEC. I'm not sure that would be applicable if you think your local DNS server has been compromised.
     
  4. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,240
    Location:
    texas
    It is possible ISP DNS was offline the second time. The first go around I had 8.8.8.8 in there so the ISP would have needed to have blocked google DNS. It was down for about 12 hours with no DNS access until I rebuilt the router. I rebuilt it because I did not trust it.

    This is why I am asking what people are doing. It could be people here are just running with any DNS and they don't care as long as it runs.

    It happened 2 nights in a row about the same time, the first time it never came back but the second time it did. And don't forget I could ping anywhere out on the net. I did ping 8.8.8.8 with no problems.

    It is possible it would have run if I did not have blocks for other DNS servers. I did not test this.

    One other thing: this makes me want to run a syslog server on my router. I am getting rid of my rack so I need to start thinking about this.
     
    Last edited: Sep 13, 2018
  5. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,760
    Location:
    Canada
    That'd be great if more than a very small number of zones were signed... Unfortunately the vast majority of zones aren't, so DNSSEC can't protect you there.
     
  6. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,300
    Location:
    San Diego, CA
    DNS poisoning is generally going to be on a client basis...

    To get at the network wide DNS - one has to get access to the router - and that is possible in some cases...

    Simple solution - don't use the default password on the router, and don't expose services on the router to the WAN.
     
  7. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    13,300
    Location:
    San Diego, CA
    And in the case where the DNS cache is suspect.... clear the cache...

    For the router/AP - just restart it, the cache is in memory..

    From my notes...

    Current Macs(OSX 10.11):

    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

    Windows 10/8/7/XP

    ipconfig /flushdns

    Ubuntu 14.04LTS

    sudo /etc/init.d/dns-clean start

    older stuff look below…

    Macintosh

    OSX 10.11

    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

    OSX 10.10 (10.10.3 thru 10.10.0)

    sudo discoveryutil udnsflushcaches

    OSX 10.9 – 10.5.2

    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

    OSX 10.5.1 and earlier

    sudo lookupd -flushcache

    Linux Generic (depending on what you’re running)

    /etc/init.d/named restart

    /etc/init.d/nscd restart
     
    Internet Man likes this.
  8. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,240
    Location:
    texas
    I try to control the clients by not letting them talk out on the net using DNS. I force them to use the router DNS. Then I try to protect the router DNS.

    So what I am hearing is nobody really does anything to try to protect their DNS. Sounds like I am doing more than most people. Flushing caches after the fact is too late.
     
  9. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,240
    Location:
    texas
    There seems to be 3 DNS attacks which are different. There is DNS poisoning, DNS redirecting and DNS hijacking. They all kind of have the same effect.

    They are all bad and can corrupt your network devices if you use a bad web site due to a fake DNS response.
     
  10. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,240
    Location:
    texas
    I still have something going on. I lost access to a web site. I tried a nslookup and the request timed out. I rebooted my router and it fixed it. The site worked fine right after the reboot. I asked and the site was not down.

    Any ideas?
     
    Last edited: Sep 15, 2018
  11. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,368
    Location:
    UK
    Was it just one web site that timed out or lots/all of them?

    Next time it happens direct nslookup to use different DNS servers to try and determine which ones have the problem and which ones don't. That way you'll know whether it's a problem with your equipment or the remote server. i.e.
    Code:
    nslookup problemsite.com 192.168.1.1
    nslookup problemsite.com 8.8.8.8
    nslookup problemsite.com 1.1.1.1
    nslookup problemsite.com 9.9.9.9
    nslookup problemsite.com 208.67.222.222
    You may have to disable your DNS-redirector depending on how that works.
     
    Last edited: Sep 15, 2018
  12. kvic

    kvic Part of the Furniture

    Joined:
    Aug 11, 2014
    Messages:
    2,255
    Location:
    22.4399N 114.2222E
    I recall you trust your ISP's DNS so much...perhaps that's the problem.

    I quite like my ISP's DNS simply because they won't care about the little amount to monetise from me. They have much bigger fishes to go after in the market. But I learned from this forum that some ISP's in certain markets do cheat on their users. So perhaps you should check out the DNS over TLS..DNS over HTTPS threads and set them up in your environment.

    Better yet I think you should set up your own DNS resolver (by running Unbound). There you could have DNSSEC (maybe few but better than none). And I'm sure you could squeeze in a few optimizations while you have time.

    The whole thread sounds like a drama and I couldn't believe what's happening. Either your ISP changed behaviour recently or you messed up something yourself..lol
     
  13. System Error Message

    System Error Message Part of the Furniture

    Joined:
    Oct 14, 2014
    Messages:
    3,964
    The main problem is that you didn't lock down your router. Asus can be configurable like Mikrotik, if you use RMerlin's firmware. Ensure that you cannot use your router as a DNS from outside (check both IPv4 and IPv6 from WAN), also check through both that you cannot access remotely from WAN. Just requiring a password is not enough, anything that's exposed can be exploited.

    I would start with a tool like Shodan. DNS poisoning happens because someone is intercepting your DNS; this is because if, say, your router or internet link has been compromised, DNS packets could be rerouted so that it would not matter who your DNS server is. DNSSEC is one way to avoid it, the 2nd is to deny output/input on port 53 except to/from only your selected DNS provider on the WAN side. For example: accept to DNSIP port 53 (TCP and UDP), accept from DNSIP port 53 (TCP and UDP), deny from port 53 (everyone else including your own router on WANs, place below the accept rule), deny out to port 53.

    Also if you connect via another interface like both VLANs and PPPoE, then you have a total of 3 interfaces on the WAN side which each require rules to deny access and whitelist only required services. For example if your WAN port is ethernet, then you have the ethernet port, VLAN and PPPoE all needing to be secured.
     
  14. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,368
    Location:
    UK
    @System Error Message The Asus router is already locked down. The router's DNS server only listens on the internal LAN interface, not any of the other interfaces. Additionally, the router's firewall drops all unsolicited incoming traffic, including DNS requests.
     
  15. System Error Message

    System Error Message Part of the Furniture

    Joined:
    Oct 14, 2014
    Messages:
    3,964
    The only other way other than malware or a router that's still hacked is if the ISP has been intercepting DNS requests and the ISP has been hacked, for which the only solution would be DNSSEC.

    Interception is a serious issue, and it definitely happens if the ISP uses pap authentication and someone has a pppoe server on the same network that responds faster.
     
    Last edited: Sep 18, 2018 at 4:37 AM
  16. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,240
    Location:
    texas
    I know something is happening beyond my control. I noticed the other day using eBay I got a message on my Windows 10 using an Edge browser that my Adobe Reader was out of date and I needed to update it here, click here. I blew the window away using task manager. I know that Adobe Reader is controlled by Microsoft for the Edge browser. I think the DNS is awry. I need to pin it down. When it happens again I will try an immediate reboot to see what happens. I believe the target sites will be large sites like eBay and others. They are looking at loading up the client computers with bad things.
     
  17. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,368
    Location:
    UK
    @coxhaus What router/OS are you running your local DNS server on, you haven't said?
     
  18. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,240
    Location:
    texas
    Cisco RV340 router. I am not sure whether it is the router or the ISP. I am working on pinning it down.
     
  19. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    27,760
    Location:
    Canada
    Based on some of the symptoms you describe, this sounds more like a hijacker/adware add-on on your computer. I would run it through Malwarebytes Antimalware. Those "Your Adobe/Flash/Acrobat" popups are very common with these types of adware.
     
    sfx2000 likes this.
  20. coxhaus

    coxhaus Part of the Furniture

    Joined:
    Oct 7, 2010
    Messages:
    2,240
    Location:
    texas
    It only happens on eBay and only sometimes.

    I was running Spybot but it has an issue where it will periodically turn off your anti-virus in Windows 10 so I quit running it.
     
  21. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    6,368
    Location:
    UK
    There was some malware that infected Asus routers at the beginning of the year that redirected devices to a fake eBay site as well as a few others. It might be a variant of that. As Merlin said, Malwarebytes Antimalware should sort out any client infections. If you find it happening again do an nslookup on the suspect address and verify the IP returned.
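A scripted version of the check ColinTaylor describes in posts 11 and 21 (ask several resolvers for the same name, see which time out and whether the answers agree), as an added example that is not from the thread. It uses only the Python standard library; `SAMPLE_RESPONSE` is a constructed reply for offline testing (203.0.113.10 is a documentation address), and the resolver addresses are the ones listed in post 11.

```python
import random, socket, struct

def build_query(name, txid):  # standard recursive A query, RFC 1035 wire format
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)
def read_name(pkt, off):  # decode a (possibly compressed) name; returns (name, next offset)
    labels = []
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # pointer to a name earlier in the packet
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(pkt, ptr)[0]]), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + ln].decode())
        off += ln
def parse_a_records(pkt, txid):  # sorted IPv4 answers; a reply with the wrong ID is rejected
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if rid != txid or flags & 0xF:
        raise ValueError("transaction id mismatch or rcode %d" % (flags & 0xF))
    off, ips = 12, []
    for _ in range(qd):  # skip the echoed question section
        off = read_name(pkt, off)[1] + 4
    for _ in range(an):
        off = read_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return sorted(ips)
def query(server, name, timeout=3.0):  # ask one resolver over UDP; None = timed out
    txid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, 53))
            return parse_a_records(sock.recvfrom(512)[0], txid)
        except socket.timeout:
            return None
def compare(results):  # results: server -> ips or None; report timeouts and disagreement
    answered = {s: v for s, v in results.items() if v is not None}
    return {"timed_out": sorted(s for s, v in results.items() if v is None),
            "consistent": len({tuple(v) for v in answered.values()}) <= 1, "answers": answered}

# Constructed sample reply (not captured traffic): id 0x1234, problemsite.com A 203.0.113.10
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + b"\x0bproblemsite\x03com\x00"
                   + struct.pack(">HH", 1, 1) + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 10]))
RESOLVERS = ["192.168.1.1", "8.8.8.8", "1.1.1.1", "9.9.9.9", "208.67.222.222"]  # from post 11
```

A live run is `compare({s: query(s, "problemsite.com") for s in RESOLVERS})`; a resolver listed under `timed_out` while the others answer, or `consistent` being false, points at that resolver rather than the site.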
     