Nation-state spying 🔎via DNS

A new DNS attack method that involves registering a domain with a specific name can be leveraged for what researchers described as “nation-state level spying.”

The attack method was identified on Amazon Route 53, a cloud DNS web service offered to AWS users. The findings were presented in BLACK HAT Conference

Route 53 provides roughly 2,000 DNS servers that have names such as ns-852.awsdns-42.net. Registering a domain with such a name and adding it in Route 53 to the DNS server with the same name had some interesting results if they linked the domain to the IP address of a server they controlled.

“Whenever a DNS client queries this name server about itself which thousands of devices do automatically to update their IP address within their managed network more on that in a minute, that traffic goes directly to our IP address,” Received DNS traffic from 15000 including Fortune 500 organization

This issue is related to an algorithm used by Windows devices to find and update the master DNS server when IP addresses change. Giving a bird eye view on DNS traffic inside those organization

To demonstrate the potential impact of such an attack, they used the harvested data to map the location of employees of a major services company based on traffic received from more than 40,000 computers.

This issue has been informed to tech giants, Amazon and Google implemented fixes. Microsoft was also notified, but the tech giant said it was a “known misconfiguration that occurs when an organization works with external DNS resolvers,” rather than a vulnerability.

Organizations can prevent such data leakage by ensuring that DNS resolvers are properly configured to prevent dynamic DNS updates from leaving the internal network.