Security: DNS spoofing - are your nameservers good?

Tips and Tricks for Networking

Moderator: jkerr82508

User avatar
viking60
Über-Berserk
Posts: 9284
Joined: 14 Mar 2010, 16:34

Security: DNS spoofing - are your nameservers good?

Postby viking60 » 06 May 2014, 23:57

DNS spoofing is a way for hackers to redirect web addresses to their servers by simply altering the IP.
So Google.com is IP 173.194.40.232. Computers do not understand "google.com" so they rely on the IP no. provided by nameservers.

it does not matter if you type 173.194.40.232 or "google.com" both will lead you to Google.com.

In 2008 there was a weaknes in the Domain Name Server system (DNS) that made it easy to replace the IP number so that "google.com" could theoretically be redirected to any computer.
Now this is really bad if you replace "google.com" with your Bank.

So how can we check if we are secure against this?
Simple:

Go here and click the button at the bottom of the page.

Since berserk often do not read documentations be warned that some routers may be crashed by this test - in that case you have a lousy router and should address the issue with your ISP. But the router will be fine and not harmed in any way - just power it off and on again.

Here are the data for my nameservers - I use OpenDns and DNScrypt:
Image
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Security: DNS spoofing - are your nameservers good?

Postby Snorkasaurus » 07 May 2014, 02:02

I don't understand DNSCrypt... doesn't your upstream DNS provider (and possibly anyone higher than them) still have the ability to see your DNS queries?

I have very little trust for OpenDNS and assume they they have more to gain by tracking my DNS queries than my ISP does. :-(

S.

User avatar
viking60
Über-Berserk
Posts: 9284
Joined: 14 Mar 2010, 16:34

Re: Security: DNS spoofing - are your nameservers good?

Postby viking60 » 07 May 2014, 09:02

The ISP will only see the encrypted DNS data:
It works by encrypting all DNS traffic between the user and OpenDNS, preventing any spying, spoofing or man-in-the-middle attacks.


If you do not trust OpenDns then you may show all your DNS queries to your ISP instead.

If you use Gooogle's nameserver I am pretty sure that all your surfing is saved and analyzed. Googles nameservers come up with Anti-Spoofing-safty=moderate

So I guess that your Internet traffic is seen by less people with DNScrypt whether you trust OpenDns or not. And it is healthy to be skeptical - I just don't see anything better. Dnscrypt comes up with; Anti-Spoofing=Excellent
Also, at the time of this writing, they are the ONLY DNS provider to provide some optional protection from DNS rebinding attacks. Everyone should, but only OpenDNS does.

Level3 looks good too...

But I guess this test can help us with that one:
https://www.grc.com/dns/dns.htm
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
viking60
Über-Berserk
Posts: 9284
Joined: 14 Mar 2010, 16:34

Re: Security: DNS spoofing - are your nameservers good?

Postby viking60 » 07 May 2014, 11:56

So far I have tested:

Google NS 8.8.8.8 and 8.8.4.4 - Result Anti-spoofing safety = Moderate
DNScrypt/Opendns NS 208.67.222.222 and 208.67.220.220 - Result Anti-spoofing safety = Excellent
Level3 NS 4.2.2.1 - 4.2.2.6 - Result Anti-spoofing safety = Excellent (fast)
Symantech NS 198.153.192.1 and 198.153.194.1 - Result Anti-spoofing safety = Excellent (slow)
Verio/NTT NS 129.250.35.250 and 129.250.35.251 - Result Anti-spoofing safety = Excellent
UltraDNS NS 156.154.70.1 and 156.154.71.1 - Result Anti-spoofing safety = Excellent

To change the DNS you can go to the network center of your distro and enter the DNS servers there or edit it directly in

Code: Select all

/etc/resolv.conf
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: Security: DNS spoofing - are your nameservers good?

Postby Snorkasaurus » 07 May 2014, 16:59

viking60 wrote:The ISP will only see the encrypted DNS data

Unfortunately the direct DNS provider sees the requests and any required subsequent requests are seen by their upstream provider.

viking60 wrote:If you do not trust OpenDns then you may show all your DNS queries to your ISP instead.

I tried OpenDNS a long time ago and was disgusted to see that they replace NX results with their own server... that is definitive DNS poisoning. :-(

viking60 wrote:If you use Gooogle's nameserver I am pretty sure that all your surfing is saved and analyzed. Googles nameservers come up with Anti-Spoofing-safty=moderate

I think a lot of people are completely unaware of the scale of additional metadata that can be pulled from just visiting a web site. For example, if you go to cnn.com you will also be contacting:
  • visualrevenue.com (tracking)
  • krxd.net (tracking)
  • optimizely.com (tracking)
  • facebook.com (tracking)
  • truste.com (site security monitoring)
  • dl-rms.com (tracking)
  • turner.com (parent company)
  • insightexpressai.com (tracking)
  • revsci.net (tracking)
  • outbrain.com (traffic amplifier/analyzer/marketing)
  • imrworldwide.com (tracking)
  • ugdturner.com (seems to be "Turner specific" tracking)
  • metrics.cnn.com (seems to be "Turner specific" tracking)
A DNS request is made for each of these and DNS logs can be used to piece together a profile of what you are looking at. Sadly, some companies seem to think that this is a justification for customizing what you see (also known as censorship).

viking60 wrote:So I guess that your Internet traffic is seen by less people with DNScrypt whether you trust OpenDns or not.

This makes a lot of sense on public networks... especially wireless ones! +1

viking60 wrote:And it is healthy to be skeptical - I just don't see anything better. Dnscrypt comes up with; Anti-Spoofing=Excellent

DNS over SSL (essentially what DNScrypt is) would be great if it were implemented right back to the root servers... unfortunately the structure of DNS means that the individual points along the way could track, but it would certainly limit eavesdropping by nearby "netestrians".

S.


Return to “Networking”