DNS Hijacking Detection

(@tinybrain)
Posts: 354
Reputable Member
Topic starter
 

If the DNS credentials provided by your ISP/MNO are compromised by hijacking (NetBIOS overwritten), it may help to compare against, e.g., the financial institution's e-banking IP that has previously been stored. But in the current state, while the internet connection is running, how do you detect the DNS hijacking? On e.g. RIPE, rDNS or pre-delegated domains can be checked, but that is too complicated for ordinary users.

What should a user do to check for DNS hijacking before providing login credentials, including OTPs, to a compromised but perfectly similar-looking fake site?

An easy way to check must be found for non-forensics professionals.

 
Posted : 06/02/2019 10:23 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> If the DNS credentials provided by your ISP/MNO are compromised by hijacking (NetBIOS overwritten), it may help to compare against, e.g., the financial institution's e-banking IP that has previously been stored. But in the current state, while the internet connection is running, how do you detect the DNS hijacking? On e.g. RIPE, rDNS or pre-delegated domains can be checked, but that is too complicated for ordinary users.
>
> What should a user do to check for DNS hijacking before providing login credentials, including OTPs, to a compromised but perfectly similar-looking fake site?
>
> An easy way to check must be found for non-forensics professionals.

You mean something *like* dig?

https://help.dyn.com/how-to-use-binds-dig-tool/

jaclaz

 
Posted : 06/02/2019 1:42 pm
(@tinybrain)
Posts: 354
Reputable Member
Topic starter
 

dig seems to be a helpful tool for professionals. Ordinary users are confused in general; they can click and no more. It is no solution to tell users to write down the DNS records they received (they may already be compromised).

dig [hostname] +trace - good choice (dig cmd)

aremydnsentrieshijacked.ch should respond with green or red lights.

As you, jaclaz, always think sharper than anyone else, I pre-act to avoid re-acting.

sindmeinednseinträgerichtig.ch would be most appropriate for Swiss.

 
Posted : 06/02/2019 2:03 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> dig seems to be a helpful tool for professionals. Ordinary users are confused in general; they can click and no more. It is no solution to tell users to write down the DNS records they received (they may already be compromised).
>
> dig [hostname] +trace - good choice (dig cmd)
>
> aremydnsentrieshijacked.ch should respond with green or red lights.
>
> As you, jaclaz, always think sharper than anyone else, I pre-act to avoid re-acting.

I am not sure I understand.

A "GUI with a lot of bells and whistles" version of dig (or similar) may be welcome/useful, but a site like aremydnsentrieshijacked.ch seems to me not that good an idea.

I mean, if the hypothesis is DNS hijacking a smart DNS hijacker would hijack not only the record for the "financial institution ebanking IP" but also the "aremydnsentrieshijacked.ch" domain.

You would need
1) a fixed IP hosting aremydnsentrieshijacked.ch
AND
2) an "easy to remember" IP (such as Google DNS at 8.8.8.8) instructing users to access it by its IP address, thus by-passing the DNS
OR
3) a program to access aremydnsentrieshijacked.ch only by its IP address by-passing the DNS as above

> sindmeinednseinträgerichtig.ch would be most appropriate for Swiss.

… for German-speaking Swiss, you mean; the French, Romansh and Italian speakers would need other domains ….

If you want a single .ch domain it would probably need to have a neo-Latin name, for the same reason it is actually .ch, from Confoederatio Helvetica
https://en.wikipedia.org/wiki/Languages_of_Switzerland#Neo-Latin

jaclaz

 
Posted : 06/02/2019 4:31 pm
(@badgerau)
Posts: 96
Trusted Member
 

Normal users with no technical expertise won't even know what dig or traceroute are.

A simple recommendation is to use a service like OpenDNS, Quad9, or Cloudflare's 1.1.1.1, as these services scan at the DNS level.

 
Posted : 06/02/2019 9:10 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

If the user's computer is compromised, 8.8.8.8 or 1.1.1.1 won't help you much either. One way of avoiding any kind of DNS poisoning is connecting to a trusted (safe) VPN and using that connection for connecting to the bank's interface.

 
Posted : 06/02/2019 10:10 pm
(@tinybrain)
Posts: 354
Reputable Member
Topic starter
 

Related to your proposal which trusted VPN would you use?

 
Posted : 26/02/2019 1:56 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

The one I run!

 
Posted : 26/02/2019 5:15 pm
(@tinybrain)
Posts: 354
Reputable Member
Topic starter
 

Did you implement STE?

 
Posted : 26/02/2019 5:43 pm
(@athulin)
Posts: 1156
Noble Member
 

> An easy way to check must be found for non-forensics professionals.

The easiest way is probably to use something like Zonemaster at https://zonemaster.iis.se/. (Many larger DNS providers have similar tools. Look around.) It checks that each DNS server returns the same data as the others that are configured to serve a particular zone. However, it's not a tool for clueless users. The user has to know the concept of a DNS zone, and also know what the relevant zone is for each test to make.

It does not test other parts of a DNS infrastructure, such as local DNS gateways or proxies that could have been poisoned. In such situations … well, to verify that DNS responses are correct, you must already know them. That suggests you need a second channel for 'correct DNS responses'. Which in turn has to be secure. Or … have a DNS infrastructure that just doesn't change except under very strict protocols.

But then we're getting into threat modelling.

In the general case, DNSSEC could be used to a) discover that a DNS response is not authoritative, and b) report it as an incident. Basically, DNSSEC responses are signed digitally. No, I don't say it's all that easy to get in place, but it does address several aspects of DNS-related security. It helps against the MITM scenario, if you cross all the t's and dot all the i's, and don't stumble over anything basic.

This has nothing to do with forensics. It's basic IT support/management and opsec.

Any forensic aspect of this would probably be expertise in the DNS products used in any particular environment such as log interpretation, management interfaces, monitoring software, and so on.

 
Posted : 26/02/2019 8:46 pm
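As an added example that is not from any of the posts above: a stdlib-only Python script that does what jaclaz's `dig +trace` comparison and athulin's "to verify a DNS response you must already know the correct one" point amount to when combined. It asks the configured resolver for a name, then independently follows referrals from a root server addressed by IP (ROOT_SERVER, a.root-servers.net, is the one assumption about the outside world; the resolver address is whatever the caller passes in), and reports resolver answers that the zone's own servers never gave. The wire-format messages used to exercise the parser offline are constructed sample data, not captures.

```python
"""Stdlib-only version of the check discussed in this thread: ask the configured resolver
for a name, then follow referrals from a root server (what `dig +trace` does) and flag
resolver answers the zone's own servers never gave. Added example, not from the posts."""
import random
import socket
import struct

A, NS, CNAME = 1, 2, 5
ROOT_SERVER = "198.41.0.4"   # a.root-servers.net, by IP so the trace never uses the resolver (assumption)

def build_query(name, qtype=A, txid=None):
    """Minimal DNS query: one IN question, RD set, random 16-bit id unless given."""
    txid = random.randrange(0x10000) if txid is None else txid
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                            # RFC 1035 compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            return ".".join(labels).lower(), (end if jumped else off)
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def parse_message(msg):
    """Header fields plus answer/authority/additional as (name, type, rdata_text)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                  # skip the question section
        off = _read_name(msg, off)[1] + 4
    out = {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x20)}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = _read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            raw = msg[off:off + rdlen]
            rdata = (socket.inet_ntoa(raw) if rtype == A and rdlen == 4 else
                     _read_name(msg, off)[0] if rtype in (NS, CNAME) else raw.hex())
            rrs.append((name, rtype, rdata))
            off += rdlen
        out[key] = rrs
    return out

def interpret(reply, name):
    """Final A answers for `name`, or the NS names and glue addresses of a referral."""
    addrs = {rd for n, t, rd in reply["answer"] if t == A and n == name.lower()}
    ns_names = {rd for _n, t, rd in reply["authority"] if t == NS}
    glue = [rd for n, t, rd in reply["additional"] if t == A and n in ns_names]
    return {"addrs": addrs, "ns": ns_names, "glue": glue}

def query(server, name, qtype=A, timeout=3.0):
    """One UDP query to `server` (needs the network; not exercised by the offline test)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_message(data)
    if reply["id"] != struct.unpack("!H", q[:2])[0]:     # cheapest spoof check there is
        raise ValueError("DNS transaction id mismatch")
    return reply

def trace_resolve(name, start=ROOT_SERVER, max_hops=10):
    """Follow referrals root -> TLD -> zone and return the zone servers' A answers."""
    server = start
    for _ in range(max_hops):
        r = interpret(query(server, name), name)
        if r["addrs"]:
            return r["addrs"]
        if r["glue"]:
            server = r["glue"][0]
        elif r["ns"]:                                    # NS without glue: trace the NS name itself
            server = sorted(trace_resolve(sorted(r["ns"])[0], start, max_hops))[0]
        else:
            raise RuntimeError(f"{server}: neither answer nor referral for {name}")
    raise RuntimeError("too many referrals")

def assess(resolver_addrs, authoritative_addrs):
    """Verdict plus the resolver addresses that the delegation chain never returned."""
    rogue = sorted(resolver_addrs - authoritative_addrs)
    if not resolver_addrs:
        verdict = "NO ANSWER"
    elif resolver_addrs.isdisjoint(authoritative_addrs):
        verdict = "SUSPECT"          # nothing the resolver said is known to the zone's servers
    else:
        verdict = "MIXED" if rogue else "OK"   # MIXED also happens with geo/CDN answers
    return {"verdict": verdict, "rogue": rogue}

def check(name, resolver):
    via_resolver = {rd for _n, t, rd in query(resolver, name)["answer"] if t == A}
    return assess(via_resolver, trace_resolve(name))
```

Run it as `check("ebanking.example", "192.0.2.1")` with the resolver address your system actually uses (the one in /etc/resolv.conf or the adapter settings; the values here are placeholders). Two caveats the thread itself raises still apply. A "MIXED" verdict is common for CDN-hosted sites whose authoritative servers answer differently per source address, so it is a prompt to look, not a finding. And if the machine or the network path is compromised, as passcodeunlock notes, the direct queries to the root and TLD servers can be intercepted just like the resolver's, and the trace proves nothing; that is the MITM case athulin's DNSSEC remark addresses, and the `ad` flag this parser exposes is only meaningful when the path to the validating resolver is itself trusted.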