DNS Poisoning Getting Serious – Phishing from Open Recursive DNS Servers

A new generation of phishing attacks is being studied jointly by Google and Georgia Institute of Technology, it seems the bad guys are getting some smarter ideas.

They are using Open Recursive DNS servers to poison DNS queries and return false information, thus luring consumers to even more realistic phishing domains.

Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet.

The study, set to be published in February, takes a close look at “open recursive” DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks.

The scary thing about this is, you could type in Paypal.com or HSBC.com and the site could look exactly the same, but you could actually be connected to some Russian phisher’s web site…and you wouldn’t even know.

Unless of course you check the SSL certificate whilst using the https version, but come on – how many average Joes would do that?

The Georgia Tech and Google researchers estimate that as many as 0.4 percent of open-recursive DNS servers, or 68,000 of them, are behaving maliciously, returning false answers to DNS queries. They also estimate that another two percent of them provide questionable results. Collectively, these servers are beginning to form a “second secret authority” for DNS that is undermining the trustworthiness of the Internet, the researchers warned.

“This is a crime with few witnesses,” said David Dagon, a researcher at Georgia Tech who co-authored the paper. “These hosts are like carnival barkers. No matter what you ask them, they’ll happily direct you to the red light store, or to a Web server that does nothing more than spray your eyeballs with ads.”

Oh well, another scam to look out for and another threat to monitor. Something else for us to educate the masses about, and some more ammo for us to scare people with.

It’s not all bad – is it?

Source: PC World

Posted in: Networking Hacking Tools, Phishing


35 Responses to DNS Poisoning Getting Serious – Phishing from Open Recursive DNS Servers

  1. goodpeople December 17, 2007 at 10:44 am #

    I don’t agree with Darknet. This is _very_ bad. Actually I think this is scarier than “Microsoft Euro Disney McLand”.

    Without DNS, there’s no Internet. If they manage to pollute DNS databases, and the article suggests that they already have, then I’m afraid that internet banking will take a serious blow in popularity.

    On the other hand it presents a nice technological challenge. What will we see next.. webservers that connect back to the clients?

  2. Sir Henry December 17, 2007 at 10:48 am #

    Educating the average Joe on things like this is bound to get a blank/confused look in response. I agree, we have to get the word out there, but try explaining to your mom (who knows the internet as “clicking the blue e”) that she has to check SSL certs and what could happen if she doesn’t. To the layperson, if they see paypal or amazon, that is all they care about in the short term. What I would like to know is if there were some sort of DNS authentication probe out there that identified the good from the bad to assist all users.

  3. mumble December 17, 2007 at 11:36 am #

    There are steps that can be taken on the DNS server to prevent this type of attack, but short of DNSSEC, I can’t think of a single one which wouldn’t allow a malicious person to stop all traffic from X company to http://www.y-company.com... It wouldn’t be too hard to build an IDS setup for this, but again – this wouldn’t solve the core problem.

    For our clients – the best answer is to have them run their own recursive resolver using a known good copy of the root.hints file. Setting laptops to use a known-good or at least known-better recursive DNS and avoid the one given by DHCP might be good, but isn’t always possible – since some sites don’t allow DNS across the firewall – and that creates support problems. It’s possible to write a client program to handle this case, but it isn’t trivial.

    From what I can see, the people most at risk are home users, who sure as heck aren’t running their own resolver (present company excepted).

  4. Pedro Pinheiro December 17, 2007 at 2:06 pm #

    Barring being served by DHCP a malicious DNS server (which might be impossible to control when you’re out and about), what would be the overhead of DNS software admitting the authority of a certain IP for a query by polling more than one DNS upstream? This would require a greater percentage of servers to be compromised to affect the validity of the result.

  5. Pantagruel December 17, 2007 at 3:34 pm #

    I agree with goodpeople, this is more than just bad, this goes to the root of the internet and is about as bad as no more crude oil for our fossil fuel driven society.

    Sir Henry has a point, this goes way beyond what average Jane/Joe can grasp. It’s already hard enough to teach some people to find out why page A is a phishing attempt and page B isn’t, I do NOT want to start explaining why DNS poisoning is super bad.

    Pedro Pinheiro gets an A+ for vision, this indeed could amount to a DDoS like situation where one DNS server is questioning another about the validity of the resolved address, the second one in return will elicit a response and question towards another, etc…

    The big question is how can this be resolved and is there a way to protect the DNS servers from future stuff like this. Even though the 0.4% doesn’t sound like much, it will get some people into trouble.

  6. cpj December 17, 2007 at 3:44 pm #

    wouldn’t it help to have the DNS servers ask each other if they get the same result? i.e., if 1 out of 250 servers are corrupted, then it’s unlikely that 2 servers will agree if 1 of them is giving the wrong directions. so each request would cost twice as much bandwidth, but … safer?

    or is this difficult to implement?

  7. mumble December 17, 2007 at 3:55 pm #

    The problem described in the article amounts to feeding clients the equivalent of a bad /etc/resolv.conf file. This can be avoided in an enterprise environment by blocking DNS on the firewall, and forcing clients inside to use the company’s recursive resolver. Running your own resolver also prevents a lot of other attacks, such as upstream cache poisoning – so it’s a good idea anyway.

    The real Haich Eee Double hockeysticks is in the laptop world – where the darned things keep being moved around and attached to different networks. There’s nothing which will prevent malware from changing the DNS settings, and (as bad) there’s nothing preventing an evil-intentioned person from making the dns servers in the DHCP response do anything they want them to. Fixing the enterprise stuff as above will help by breaking DNS at work (turning it into a support call), but there’s no easy fix I can see.

    At first glance, I must admit I confused this flaw with another, almost as pernicious one.

  8. Sir Henry December 17, 2007 at 3:57 pm #

    I know that I will never be alone in regard to how frustratingly difficult it will always be to explain to the Average Joe what problems there are and how it can affect them.

    I see what you are saying with that. I just have to wonder if in the process of authenticating/identifying one another, that a poisoned list could somehow be shoved into the mix and thus propagate out amongst the rest. But, it is quite obvious that more discussions a

  9. Sir Henry December 17, 2007 at 3:58 pm #

    and brainstorming should occur to try and resolve a problem of this sort.

    (Yes, a continuance of my last comment since my son felt the need to hit “submit” for me.)

  10. Nobody_Holme December 17, 2007 at 6:25 pm #

    Surely routing all DNS queries through 3 of the DNS servers would be enough… take the majority result, and the likelihood of getting 2 that have been poisoned is low…
    trying to figure out how to immunise my house from this…

  11. Darknet December 17, 2007 at 6:44 pm #

    mumble you are almost there in my books, I just force laptops to use OpenDNS wherever they are…safer for me and less headache :)

  12. Sir Henry December 17, 2007 at 7:04 pm #

    I am going to have to start doing that with my laptops. Thanks for the tip.

  13. cpj December 17, 2007 at 9:56 pm #

    Thanks for the OpenDNS tip.. however, I wonder how reliable that service is, too. ahem, someone should poke around and see how hard it is to poison them. You would think a service that prides itself on providing accurate information would be harder to break than, say, more public DNS servers. Or perhaps I’m naive.

  14. Sir Henry December 18, 2007 at 3:35 am #

    I have noticed a remarkable speed increase in resolution using OpenDNS. In addition to that, I told my wife about this issue (she is a little bit more than the average Joe in regard to technology so when I say DNS poison, she has a general idea) and her initial response was, “So, how the hell are they going to fix that?”. She wouldn’t even go to PayPal until I changed the DNS servers. I guess that is one way to educate people: scare the hell out of them.

  15. mumble December 18, 2007 at 5:25 am #

    Well… I was researching this, and in the course of looking for viable defenses came up with a few theoretical DNS attacks on unsecured wifi networks. I’m getting a sinking feeling that this is going to be Big Trouble in Little China…. I’m taking a lab day Wednesday to see if I can find some reasonable way to defend against some of this.

  16. mumble December 18, 2007 at 6:31 am #

    Damn. I was right. Everything old is new again….

    Wireless LANs are effectively a single broadcast domain. This means that DNS-ID spoofing is back with a new twist — you can be up to a half-mile away and still pull it off. All you need to do is sniff packets and wait for a DNS request to go out. You forge a response with the same ID which points to another machine, and has a very short TTL. The machine loads the page, which drops a payload. The user sees a bad page load + hits reload. Another DNS response goes out, gets the correct info this time, and the page loads correctly. With all the browser vulnerabilities, this is just not funny.
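The resolver-comparison idea from comments 6 and 10, and the forged-reply problem in comment 16, worked through as an added example that is not part of the original post or thread. It builds a raw A query, parses the reply while checking the transaction ID, and groups resolvers whose answers overlap so that round-robin pools are not misread as poisoning; the resolver names, the 192.0.2.0/24 and 198.51.100.0/24 sample addresses and the reply bytes are all constructed for this example.

```python
import random, socket, struct
# Constructed sample: a NOERROR reply (txid 0x1234) for example.com with two A records.
SAMPLE_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"  # header: id, flags, qd=1, an=2
    b"\x07example\x03com\x00\x00\x01\x00\x01"  # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x01"  # A 192.0.2.1, TTL 60
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x02"  # A 192.0.2.2, TTL 60
)

def build_query(name, txid):
    """Minimal DNS query: 12-byte header with RD set, followed by one A/IN question."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def skip_name(buf, off):
    """Offset just past a (possibly compressed) domain name that starts at off."""
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += buf[off] + 1
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root label 1

def parse_a_records(resp, txid):
    """IPv4 answers as a frozenset, or None if the reply is not a NOERROR answer to
    our transaction ID (a blind forger has to guess it; an on-path sniffer does not)."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid or flags & 0x000F != 0:
        return None
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    ips = set()
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return frozenset(ips)

def query_a(server, name, timeout=2.0):
    """Ask one resolver over UDP/53; None on timeout or on an unusable reply."""
    txid = random.randrange(1, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_a_records(resp, txid)

def resolver_consensus(answers, quorum=2):
    """answers: resolver -> frozenset of IPs (None/empty = no usable answer). Resolvers
    whose sets share an IP are grouped (round-robin subsets of one pool still agree).
    Returns (ips of the largest group if it has >= quorum members else empty, outliers)."""
    groups = []
    for name, ips in answers.items():
        if not ips:
            continue
        hit = [g for g in groups if any(ips & answers[m] for m in g)]
        groups = [g for g in groups if g not in hit] + [{name}.union(*hit)]
    best = max(groups, key=len) if groups else set()
    if len(best) < quorum:
        return frozenset(), sorted(answers)
    return frozenset().union(*(answers[m] for m in best)), sorted(n for n in answers if n not in best)

if __name__ == "__main__":  # constructed answers: r1-r3 share a pool, r4 differs, r5 timed out
    sample = {"r1": frozenset({"192.0.2.1", "192.0.2.2"}), "r2": frozenset({"192.0.2.2"}),
              "r3": frozenset({"192.0.2.2", "192.0.2.3"}), "r4": frozenset({"198.51.100.9"}), "r5": None}
    print(parse_a_records(SAMPLE_REPLY, 0x1234), resolver_consensus(sample))
```

Matching the transaction ID only rejects blind forgeries; the on-path sniffer of comment 16 sees the ID, which is why the cross-resolver comparison (and ultimately DNSSEC) is the check that matters here.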

  17. goodpeople December 18, 2007 at 10:02 am #

    Scaring the hell out of people isn’t going to fix this. I’m afraid there is no easy fix for this one.

    I think we (as being the industry) need to come up with an alternative to dns. Querying 3 or 4 dns servers and taking the best result seems like a temporary fix. Only a matter of time before enough servers are poisoned.

  18. Simson December 18, 2007 at 11:33 am #

    There is already a solution:

  19. goodpeople December 18, 2007 at 12:44 pm #

    Sorry Simson, but I fear that dnssec isn’t the solution. Not so difficult to implement for small resolvers that handle a few domains, but quite impossible to implement for larger nameservers..

    I’m afraid we need something else.

  20. Sir Henry December 18, 2007 at 3:23 pm #

    Although I was not implying a fix to the situation, one can agree that awareness, in any form, is one part of the equation. Apart from that, however, I would be most interested to find out your thoughts on a fix as you have most certainly identified those ideas which will not suffice.

  21. Pantagruel December 18, 2007 at 9:47 pm #

    Awareness is the best way to get people into thinking about their protection.
    The internet has taken a big flight over the past years, 10 years ago I had 14k4 dial-up which gradually evolved into 56k6, 8 years ago I was switched to ISDN dial-up (64k or 128k bundled) and 6 years ago I switched to cable and 5 years ago I switched to ADSL. The latter has progressively been getting faster for the same amount of money (20Mbit at this moment). This immense gain in bandwidth has made the ‘always on’ user a consumer hungry for food to satisfy this bandwidth (streaming movies, internet tv, vod, etc) without really thinking about the consequences.
    The average user will most likely rely on the DNS his/her ISP provides and not think for a second about alternate DNS (the mentioned OpenDNS is a good thing). Depending on the ISP the DNS setup will be in better or worse shape, but this is a hard thing to judge. I for one can not judge if my ISP has/will have or will likely start having DNS poisoning problems in the future.

  22. Sir Henry December 18, 2007 at 9:52 pm #

    Considering that my ISP is Comcast, I am all too happy to have switched to OpenDNS.

  23. goodpeople December 18, 2007 at 10:07 pm #

    @sir henry,

    Please don’t be offended by my comment. If you read some of my earlier comments on this site over the last few weeks, you’ll see that I think educating endusers is one of the, if not THE, most important thing in IT security.

    We don’t need to argue about that.

    And the solution? The more I think of it, the more I reach the conclusion that there is no good answer for this one. No matter what technological tricks man comes up with, there is always someone smarter who comes up with a trick to circumvent it.

  24. goodpeople December 18, 2007 at 10:14 pm #

    to follow up on what you just wrote..

    and does it really matter? For downloading music and movies or playing online games this is not really a threat. For online banking and other financial transactions it is, but (at least here in the Netherlands) banks and other financial institutions also have other security mechanisms in place.

  25. Sir Henry December 18, 2007 at 10:15 pm #

    No offense was taken, although I do appear to have misinterpreted your response. Such is a usual event when commenting in forums and tone cannot be ascertained. Please also do not misinterpret my response as one of terse nature. I find all discussions here as being highly collaborative and wanted to simply get your input on what you felt would be a viable alternative.

    As one can see, I have found a community here where my interests align in harmony with those present. I value your input (as well as the other people who comment) and am glad that my tone was called into question.

  26. Pantagruel December 19, 2007 at 12:18 am #

    For everyday use it poses no real threat, perhaps some minor problem but beyond the real dangers of DNS poisoning. No one gives anything for poisoned DNS as long as they can download their stuff.

    I am familiar with the Dutch system (Rabobank etc), this two way identify system works quite well. But even you should know that ABN AMRO quite recently released a mailing to their clients warning about websites posing as ABN’s internet banking site. They quite rigorously renewed their website to up the score. If you were to combine a good copy-cat website along with DNS poisoning you might just be able to fool enough average internet consumers into entering their data and allow someone else to do some alternate transactions. This is exactly why we are suffering from the clumsy “3x times knocking campaign” (www.3xkloppen.nl) sending some people on a wild goose chase.

    Since more average users are using secured internet transactions for either banking or simple online shopping, the possible impact of poisoned DNS is big. Like mentioned before, unless you actually read the SSL certificate (I guess only the really paranoid do that) it will be even hard to detect a fraudulent SSL connection, you have just lost one of three checkpoints according to the campaign. Sadly the SSL connection and certificate are highly regarded upon so I think you actually lose more than just one check, since most people will simply not look beyond a fraud presenting itself through an SSL website.
    We are getting into repetition here, but again, education is the key.
    My guess is we haven’t seen the last of this one.

  27. Simson December 19, 2007 at 12:04 pm #

    You will get a SSL-warning-popup-window if you visit a DNS poisoned SSL site, as long as the fake cert is not signed by an authorized company, and it’s quite difficult to create a valid signed certificate if you don’t work at the company being faked.
    I only heard of one case where someone managed to create/obtain a valid fake cert.

    I don’t think there will be any other solution than DNSSEC, however it will probably take another 3-5 years before “everyone” has installed DNSSEC. http://www.ccnso.icann.org/surveys/dnssec-survey-report-2007.pdf

    If there existed another easy solution to this problem, we would already have had it by now.

  28. Nobody_Holme December 19, 2007 at 3:37 pm #

    You could just spoof the real site’s authority…
    also, I suggest everyone runs a traceroute on paypal… I don’t use it, but I ran one for reference so I could test if my DNS had been caught by this, and somewhere near Denver it bounced back on itself before reaching paypal itself. Slightly worrying that everything in the southern end of the States and all of South America goes through the area where it deviated for me. On the upside, I don’t use any version of paypal personally.

  29. Pantagruel December 19, 2007 at 4:12 pm #

    Thanks for the assistance Nobody_Holme (memo to self, get your math fixed ;) ). Indeed spoofing will make the scam complete.

    A traceroute is a nice idea, but because of the ’round robin’ way to reach the desired host, the output will be hard to interpret.

  30. Pedro Pinheiro December 19, 2007 at 6:13 pm #

    As they say in IT security, there’s no such thing as “safe”, things can only be made “safer” :-)

    The only way to get better security from man-in-the-middle attacks is to have one time only disposable keys for every transaction, i.e., when you order your bank to make a transfer, they’ll ask for key #1385 and they’ll never ask for it again… if the process of generating those keys is really random (and the order by which they are asked also) you’ll have an almost safe system. Assuming that the key-list hasn’t been intercepted, of course. This can also be done by some sort of algorithm, although it’s more expensive and exploitable.

  31. goodpeople December 20, 2007 at 2:18 pm #

    I fear with you that we haven’t seen the last of this one. As for the Dutch banking systems, they are regarded as the safest in the world. So Dutch banks are willing to do whatever it takes to stay there.

  32. goodpeople December 20, 2007 at 2:25 pm #

    Considering the fact that it took them .., what was it.. 8 years?, to develop DNSSEC, I think 3-5 is a little optimistic. But let’s hope that this discussion speeds things up a little.

    Like I said before, dnssec isn’t so difficult to implement on small resolvers, but a lot harder to implement on the larger ones.

  33. eM3rC January 6, 2008 at 10:25 pm #

    The internet is becoming a very insecure and scary place =\

  34. junheax March 13, 2008 at 11:17 pm #

    It’s a shame this discussion ended so suddenly… hopefully this will stir it a bit to see where it stands today…

    Yes, this is something that needs proactive measures. Education is key but so far it has failed (most ISP DNS are vulnerable to poisoning as they run old versions of BIND).

    There are interim solutions until the Internet gets upgraded to DNSSEC such as running the latest BIND version with anti-DNS forgery firewall rules or running OpenDNS that randomizes the ports to add a crypto security layer against forgery attacks.

    The problem as I see it is that this vulnerability affects web clients the most but it is only visible and fixable in DNS servers. A possible conflict of interests arises between web clients and ISPs as to the priority of fixing these bugs (especially -as pointed before- considering that the classic ISP client knows so little).

    So how to educate ISP clients (most home PC users) and tell them to tell their ISPs to keep their DNS software up to date? The answer to this has business and legal implications.

    Not something to take lightly. It would be ideal for anyone involved in computer law to give his or her opinion.

  35. Pantagruel March 14, 2008 at 10:08 am #

    Interesting read on DNS poisoning and BIND9

    and somewhat dated regarding preventing DNS spoofing

    Basically even BIND9 appears to suffer from this, so the final solution has yet to be found (regarding BIND that is).

    You are pointing in the right direction, but it’s little use trying to get internet users more aware of the way the internet works. I for one have no need to explain to my parents (typical mainstream internet users) the intricate details of packet routing, DNS and such.
    For them it just has to work, regardless of the mechanism behind it.

    I for one think it’s an ISP task to keep their farm up to date and not for their clients to bother them about an out of date BIND version. They provide the gateway to the internet and should do their utmost to prevent this kind of stuff.
    On the other side the users should be made aware of the ease with which data can be stolen or harvested from them and not depend blindly on their ISP keeping up with the latest in security.
    Actually the browser providers (MS, Mozilla, Opera, etc) have the unique opportunity to enlighten their users by simply explaining at the first start up the advent of a) an up to date browser and b) secure DNS/etc (and not some dumb-ass dialog about what search engine to use).