DNS Hijacking Detection
TinyBrain
Senior Member
 

DNS Hijacking Detection

Posted: Feb 06, 2019 11:23

If the DNS credentials provided by your ISP/MNO are compromised by hijacking (NetBIOS overwritten), it may help to compare, e.g., the financial institution's e-banking IP that has previously been stored. But in the current state, while the internet connection is running, how do you detect the DNS hijacking? E.g., on RIPE, rDNS or pre-delegated domains can be checked, but that is too complicated for ordinary users.

What should a user do to check for DNS hijacking before providing login credentials, including OTPs, to a compromised but perfectly similar-looking fake site?

An easy way to check must be found for non-forensics professionals.
 
  

jaclaz
Senior Member
 

Re: DNS Hijacking Detection

Posted: Feb 06, 2019 14:42

TinyBrain wrote:
If the DNS credentials provided by your ISP/MNO are compromised by hijacking (NetBIOS overwritten), it may help to compare, e.g., the financial institution's e-banking IP that has previously been stored. But in the current state, while the internet connection is running, how do you detect the DNS hijacking? E.g., on RIPE, rDNS or pre-delegated domains can be checked, but that is too complicated for ordinary users.

What should a user do to check for DNS hijacking before providing login credentials, including OTPs, to a compromised but perfectly similar-looking fake site?

An easy way to check must be found for non-forensics professionals.


You mean something *like* dig?

help.dyn.com/how-to-us...-dig-tool/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

TinyBrain
Senior Member
 

Re: DNS Hijacking Detection

Posted: Feb 06, 2019 15:03

dig seems to be a helpful tool for professionals. Ordinary users are confused in general; they can click and no more. It's no solution to tell users to write down the DNS records they received (they may already be compromised).

dig [hostname] +trace - good choice (dig cmd)

aremydnsentrieshijacked.ch should respond with green or red lights.

As you, jaclaz, always think sharper than anyone else, I pre-act to avoid having to re-act.

sindmeinednseinträgerichtig.ch would be most appropriate for Swiss.
 
  

jaclaz
Senior Member
 

Re: DNS Hijacking Detection

Posted: Feb 06, 2019 17:31

TinyBrain wrote:
dig seems to be a helpful tool for professionals. Ordinary users are confused in general; they can click and no more. It's no solution to tell users to write down the DNS records they received (they may already be compromised).

dig [hostname] +trace - good choice (dig cmd)

aremydnsentrieshijacked.ch should respond with green or red lights.

As you, jaclaz, always think sharper than anyone else, I pre-act to avoid having to re-act.


I am not sure I understand.

A "GUI with a lot of bells and whistles" version of dig (or similar) may be welcome/useful, but a site like aremydnsentrieshijacked.ch seems to me not that good an idea.

I mean, if the hypothesis is DNS hijacking, a smart DNS hijacker would hijack not only the record for the "financial institution ebanking IP" but also the "aremydnsentrieshijacked.ch" domain.

You would need:
1) a fixed IP hosting aremydnsentrieshijacked.ch
AND:
2) an "easy to remember" IP (such as Google DNS at 8.8.8.8), instructing users to access it by its IP address, thus bypassing the DNS
OR:
3) a program to access aremydnsentrieshijacked.ch only by its IP address, bypassing the DNS as above

TinyBrain wrote:
sindmeinednseinträgerichtig.ch would be most appropriate for Swiss.

... for German-speaking Swiss, you mean; the French, Romansh and Italian speakers would need other domains ....

If you want a single .ch domain, it would probably need to have a neo-Latin name, for the same reason it is actually .ch, from Confoederatio Helvetica:
en.wikipedia.org/wiki/...#Neo-Latin

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
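One way to do option 3 above, as an added example that is not code from the thread or from any service named in it: connect to the check site by a fixed IP so that no DNS lookup happens at all, but keep TLS certificate validation tied to the hostname, because a pinned IP says nothing about who is actually answering at that address. The pinned address 198.51.100.50 and the hostname aremydnsentrieshijacked.ch are placeholders; the small san_matches helper re-implements the name-matching rule that Python's ssl module already enforces during the handshake, so that the decision can be tested offline and logged.

```python
"""Added example: reach a check site by a pinned IP (DNS bypassed) while still
validating the TLS certificate for the real hostname.

The address and hostname below are placeholders from the discussion, not a
real service.
"""
import socket
import ssl

# Hypothetical fixed IP distributed to users out of band (leaflet, app bundle).
PINNED = {"aremydnsentrieshijacked.ch": "198.51.100.50"}


def san_matches(cert: dict, hostname: str) -> bool:
    """True if one DNS subjectAltName in a getpeercert()-style dict covers hostname.

    Rule: exact match, or a single leading wildcard label that replaces exactly
    one label (so *.example.ch covers www.example.ch but not example.ch or
    a.b.example.ch). The ssl module applies the same rule when check_hostname
    is True; this copy exists so the check can be unit-tested without a network.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            if host.count(".") == pattern.count(".") and host.endswith(pattern[1:]):
                return True
    return False


def fetch_by_pinned_ip(hostname: str, path: str = "/", timeout: float = 5.0) -> bytes:
    """TCP-connect to the pinned IP (no resolver involved), then TLS-validate
    the certificate for hostname and send a plain HTTP/1.1 GET."""
    ip = PINNED[hostname]
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        # server_hostname sets SNI and is the name the certificate is checked against,
        # even though the TCP connection was opened to a bare IP.
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            if not san_matches(cert, hostname):  # belt and braces; ssl already checked
                raise ssl.CertificateError(f"certificate does not cover {hostname}")
            request = (f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\n"
                       "Connection: close\r\n\r\n").encode("ascii")
            tls.sendall(request)
            chunks = []
            while True:
                buf = tls.recv(4096)
                if not buf:
                    break
                chunks.append(buf)
    return b"".join(chunks)


if __name__ == "__main__":
    # Live use only; the placeholder IP does not answer.
    print(fetch_by_pinned_ip("aremydnsentrieshijacked.ch")[:200])
```

A pinned IP takes the resolver out of the picture and nothing more: if the route to that IP is hijacked, or the user's own machine is compromised (passcodeunlock's point later in the thread), the certificate check is the only thing left between the user and a fake site, so never turn off check_hostname to make a pinned connection "work", and plan an out-of-band way to update the pinned address when the service moves.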
 
  

badgerau
Senior Member
 

Re: DNS Hijacking Detection

Posted: Feb 06, 2019 22:10

Normal users with no technical expertise won't even know what dig or traceroute are.

A simple recommendation is to use a service like OpenDNS, Quad9, or Cloudflare's 1.1.1.1, as these services scan at the DNS level.
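As an added example, not code from the thread or from dig itself, here is the check that jaclaz's dig suggestion, TinyBrain's "dig [hostname] +trace", and the public-resolver recommendation above all boil down to: send an A query to a chosen resolver (the ISP's, or an independent one such as 9.9.9.9 or 1.1.1.1), parse the wire-format reply the way dig does, and compare the returned address set with a reference set, which can be an address recorded on a known-clean day or the answer from a second, independent resolver. The domain bank.example and the addresses 203.0.113.10, 198.51.100.7 and 192.0.2.1 are constructed, and the sample reply packets are built inline so the module runs offline.

```python
"""Added example: a minimal dig-style DNS check.

Builds a DNS A query, parses the answer section (including name compression),
and classifies the resolver's answer against a reference address set.
All sample data is constructed; bank.example is hypothetical.
"""
import socket
import struct


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """DNS A/IN query with RD=1, the same shape dig sends by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(pkt: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(pkt: bytes) -> set:
    """Return the IPv4 addresses in the answer section of a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
    ips = set()
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            ips.add(socket.inet_ntoa(rdata))
    return ips


def query_resolver(name: str, resolver_ip: str, timeout: float = 3.0) -> set:
    """Ask one resolver over UDP, like `dig @resolver name A`."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    return parse_a_records(data)


def classify(observed: set, reference: set) -> str:
    """green: every returned IP is in the reference set; red: none is;
    yellow: partial overlap (CDN rotation or partial hijack); no-answer: empty."""
    if not observed:
        return "no-answer"
    if observed <= reference:
        return "green"
    if observed & reference:
        return "yellow"
    return "red"


def build_response(query: bytes, ips, ttl: int = 300) -> bytes:
    """Constructed reply for offline use: echoes the question and answers with
    ips, using a compression pointer (0xC00C) to the question name as real
    servers do."""
    qname_end = query.index(b"\x00", 12) + 1 + 4
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                   for ip in ips)
    return header + query[12:qname_end] + rrs


if __name__ == "__main__":
    stored_good = {"203.0.113.10"}  # constructed: IP recorded on a known-clean day
    q = build_query("bank.example")
    isp_reply = build_response(q, ["198.51.100.7"])  # constructed hijacked answer
    print(classify(parse_a_records(isp_reply), stored_good))  # red
    # Live use: compare the ISP resolver (here 192.0.2.1, a placeholder) with an
    # independent one, e.g.
    # classify(query_resolver("bank.example", "192.0.2.1"),
    #          query_resolver("bank.example", "9.9.9.9"))
```

Two caveats a practitioner would add. This script trusts the reference set; "dig +trace" instead walks the delegation from the root servers and is the stronger check when the local resolver itself is the suspect. And cross-resolver comparison only means something for names that return stable addresses: CDN-fronted sites hand different IPs to different resolvers, so treat "yellow" as inconclusive rather than as a hijack.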
 
  

passcodeunlock
Senior Member
 

Re: DNS Hijacking Detection

Posted: Feb 06, 2019 23:10

If the user's computer is compromised, 8.8.8.8 or 1.1.1.1 won't help you much either. One way of avoiding any kind of DNS poisoning is connecting to a trusted (safe) VPN and using that connection to reach the bank's interface.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user lock unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right to choose which tasks we take and which we decline!
 
  

TinyBrain
Senior Member
 

Re: DNS Hijacking Detection

Posted: Feb 26, 2019 14:56

Related to your proposal, which trusted VPN would you use?
 

Page 1 of 3