
Thread: DNS hijacking

  1. #1 Jim.Alles (Untangle Ninja, joined Jul 2008, Central PA, 2,020 posts)

    DNS hijacking

    I moved a thread:
    https://forums.untangle.com/threat-p...tml#post242006

    Quote Originally Posted by f1assistance:
    Would you consider these "spoofing attacks" a concern within the destination nameserver's domain, or within the domain making the query, or anywhere between the two domains having this transmission (i.e., across the interweb)?
    I think the greatest threat is not across the interwebs.

    On the other side of my router, there is a network (subnet) comprised of my ISP's customers, my neighbors.
    In the case of CGNAT, that subnet can be HUGE.

    This depends on a lot of things of course, but I think that is the best opportunity for spoofing a legitimate public DNS server, from the comfort of my "neighbor's home". DNSSEC mitigates that - It is more difficult for the bad guys to have the certificate, too.

    The EASIEST attack is on an endpoint device, and hijack DNS from there - point to a bogus server, that serves up a set of bogus IP addresses, and those IPs have a bogus website of, say a bank.

    I am no expert, and paranoia may have more influence than facts, but that is the way I see it.
    And it is not very costly to implement DNSSEC, at all.

    By locking down my DNS requests as much as possible to my dnsmasq resolver instance, and enabling DNSSEC, I get to participate in the same chain of trust that the top level zones have established.
    Last edited by Jim.Alles; 05-22-2020 at 06:21 PM.
    If you think I got Grumpy

  2. #2 f1assistance (Untangle Ninja, joined Apr 2009, Holly Springs, NC, 1,400 posts)

    Quote Originally Posted by Jim.Alles:
    I moved a thread:
    https://forums.untangle.com/threat-p...tml#post242006

    I think the greatest threat is not across the interwebs.

    On the other side of my router, there is a network (subnet) comprised of my ISP's customers, my neighbors.
    In the case of CGNAT, that subnet can be HUGE.

    This depends on a lot of things of course, but I think that is the best opportunity for spoofing a legitimate public DNS server, from the comfort of my "neighbor's home". DNSSEC mitigates that - It is more difficult for the bad guys to have the certificate, too.

    The EASIEST attack is on an endpoint device, and hijack DNS from there - point to a bogus server, that serves up a set of bogus IP addresses, and those IPs have a bogus website of, say a bank.

    I am no expert, and paranoia may have more influence than facts, but that is the way I see it.
    And it is not very costly to implement DNSSEC, at all.

    By locking down my DNS requests as much as possible to my dnsmasq resolver instance, and enabling DNSSEC, I get to participate in the same chain of trust that the top level zones have established.
    So just to clarify, from your particular domain, you're concerned your ISP's devices (i.e., domain), possibly starting from the modem [which all your traffic traverses], either has been or could be compromised in the manner which could/would allow 'the bad guys' (within/without) to intercept/change the requests...and this is why you believe the need to implement DNSSEC from each of the endpoints and not deploy such from a central device within your control (e.g., your perimeter firewall), which in most cases is also your DHCP server, within your protected domain. Correct?

    Edit: I know you realize the importance of TRUST in your ISP domain and how devastating it would be for the service they provide (i.e., bandwidth), to lose or bring into question whether they can be or should be trusted to transport and hand-off the totality of your packets, right?
    Last edited by f1assistance; 05-23-2020 at 03:45 AM.
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  3. #3 Valvaris (Untanglit, joined May 2020, 15 posts)

    I would love to see NTPsec and DNSSec Support in Untangle since this is my go to device.

    PC ---> SW ---> FW (Untangle) ---> Modem ---> Internet

    As I understand how this works if all Clients / Servers use a central Point for DNSsec it should be safe...

    The other part is to ensure that clients / servers have their DNS settings enforced in a way that cannot be changed.

    Another factor is applications - a well-known fact is that Google applications tend to resolve via Google DNS, and Android TV OS, even if manually set to a specific DNS server, still calls Google DNS. So that traffic needs to get dropped by the firewall... So the more devices hit the internal network, the more load comes to the firewall.

    Sincerely
    Val.

  4. #4 f1assistance (Untangle Ninja, joined Apr 2009, Holly Springs, NC, 1,400 posts)

    In an attempt of packet path control outside my protected domain, I've purchased/own my modems as another layer of perceived security. Part of my delusional thinking; that one cannot secure what you don't physically control... D'oh!
    Last edited by f1assistance; 05-23-2020 at 06:46 AM.
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  5. #5 Valvaris (Untanglit, joined May 2020, 15 posts)

    Hello @f1assistance,

    The same goes for me, as I understand your statement, but that is the true thing about DNSSec. If, for example, your Untangle is the DNS server, the modem just has traffic to pass through. That cannot be modified; otherwise the DNSSec traffic is "bogus" and the private key and public key do not match.

    Here is a nice Video that explains the cryptographic chain of DNSSec: https://www.youtube.com/watch?v=_8M_vuFcdZU

    Secure query example:

    Untangle (DNSSec) <===== Modem (???) ====> DNS Authorative and bla bla bla...

    ATM I have set up Untangle to uplink the DNS to Cloudflare, which can handle DNSSec validation, but since I cannot force Untangle to communicate only with DNSSec, it does that with DNS and DNSSec...

    If you would like to test DNSSec, there are two ways to check that I know of:

    Link to Internet.nl -> https://internet.nl -> and Start Test at the Right panel

    or

    Link to Uni-due.de -> https://dnssec.vs.uni-due.de/ -> DNSSec validation

    Sincerely
    Val.
    Last edited by Valvaris; 05-23-2020 at 04:47 AM.
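What "the private key and public key do not match" means for the chain of trust, as an added example that is not code from the thread, from Untangle or from dnsmasq: a validating resolver accepts a zone's DNSKEY only if it hashes to the DS record the parent zone published, so a substituted key fails the check. All key material below is constructed for the example; the zone name is a placeholder.

```python
import hashlib

# Constructed sample values for this example; none of this is real zone key material.
FLAGS_KSK = 257          # ZONE (256) + SEP (1): a key-signing key
PROTOCOL = 3             # always 3 for DNSSEC (RFC 4034)
ALG_RSASHA256 = 8
SAMPLE_PUBKEY = bytes(range(1, 33))   # placeholder public key bytes, not a real key

def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root = 0x00."""
    name = name.lower().rstrip(".")
    out = b""
    for label in (name.split(".") if name else []):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner-name wire form || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, rdata, published_digest):
    """The check a validating resolver makes: does the child's DNSKEY hash to the parent's DS?"""
    return ds_digest_sha256(owner, rdata) == published_digest.upper()

def demo():
    """Legitimate key validates; a substituted key (what a bogus server would serve) does not."""
    zone = "example."   # placeholder zone name
    real_key = dnskey_rdata(FLAGS_KSK, PROTOCOL, ALG_RSASHA256, SAMPLE_PUBKEY)
    parent_ds = ds_digest_sha256(zone, real_key)   # what the parent zone publishes
    bogus_key = dnskey_rdata(FLAGS_KSK, PROTOCOL, ALG_RSASHA256, bytes(32))
    return ds_matches(zone, real_key, parent_ds), ds_matches(zone, bogus_key, parent_ds)

if __name__ == "__main__":
    print("legit, bogus =", demo())   # (True, False)
```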

  6. #6 f1assistance (Untangle Ninja, joined Apr 2009, Holly Springs, NC, 1,400 posts)

    Quote Originally Posted by Valvaris:
    Hello @f1assistance,

    The same goes for me, as I understand your statement, but that is the true thing about DNSSec. If, for example, your Untangle is the DNS server, the modem just has traffic to pass through. That cannot be modified; otherwise the DNSSec traffic is "bogus" and the private key and public key do not match.

    Here is a nice Video that explains the cryptographic chain of DNSSec: https://www.youtube.com/watch?v=_8M_vuFcdZU

    Secure query example:

    Untangle (DNSSec) <===== Modem (???) ====> DNS Authorative and bla bla bla...

    ATM I have set up Untangle to uplink the DNS to Cloudflare, which can handle DNSSec validation, but since I cannot force Untangle to communicate only with DNSSec, it does that with DNS and DNSSec...

    If you would like to test DNSSec, there are two ways to check that I know of:

    Link to Internet.nl -> https://internet.nl -> and Start Test at the Right panel

    or

    Link to Uni-due.de -> https://dnssec.vs.uni-due.de/ -> DNSSec validation

    Sincerely
    Val.
    Okay, so I watched the video (twice) and I think I'm broken...maybe a couple more reviews and I might have a grasp.
    A couple of things immediately came to mind:
    1) SSL Inspector clearly seems 'potentially' problematic and a power I do NOT want to wield...within my domain.
    2) DoH a smart idea, but still raises the question, where does one want to have as their local (recursive) DNS Server to reside; Untangle (local), ISP, or other?
    3) DNSSEC sooner rather than later!
    4) And completely (of sorts) off topic; Until this moment, I'd never considered or contemplated the idea of IPv6 only sites...and I now know they do exist and I am unable to visit them. D'oh!
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  7. #7 Jim.Alles (Untangle Ninja, joined Jul 2008, Central PA, 2,020 posts)

    Quote Originally Posted by Valvaris:
    I would love to see NTPsec and DNSSec Support in Untangle since this is my go to device.
    If you have a DNS provider configured that supports DNSSEC, DNSSEC is easy.

    https://forums.untangle.com/off-topic/43037-dnssec-w-opendns.html

    All of the 'standard' disclaimers apply, support isn't going to bail you out if you kill dnsmasq. Bring your own handcuff key and file.

    Oh, the good news is that since this particular advanced, unsupported configuration is entered through the NGFW GUI, it is part of the configuration magic, is backed-up, and does survive upgrades.
    Last edited by Jim.Alles; 05-23-2020 at 10:12 AM.

  8. #8 Jim.Alles (Untangle Ninja, joined Jul 2008, Central PA, 2,020 posts)

    Quote Originally Posted by f1assistance:
    So just to clarify, from your particular domain,
    In-line from here

    you're concerned
    Not a major concern

    your ISP's devices (i.e., domain), possibly starting from the modem [which all your traffic traverses], either has been or could be compromised
    No it doesn't need to be compromised, just requires access to another one on the same subnet. DSL is point-to-point to the DSLAM, so it might be trickier. Let's assume CATV for this discussion, as the attack surface is much larger (my neighborhood)

    in the manner which could/would allow 'the bad guys' (within/without) to intercept/change the requests...and this is why you believe the need to implement DNSSEC
    So far, so good

    from each of the endpoints
    Nah. DNSSEC is not readily available for endpoint devices. And dnsmasq is not set up to deal with it on the client side. DoH is taking over that 'space' - I just want to direct the DNS requests from those devices to the dnsmasq instance in the domain that I control. Dnsmasq is the endpoint for the chain of trust, as far as DNS goes. And I have settled on OpenDNS to provide the upstream DNS servers. Oh, did you know it was bought by Cisco? More on that in another post.

    Of course, this is somewhat delusional taken by itself, due to 3G/4G/5G network access on the mobile devices. So to clarify, my main interest is to protect bandwidth usage, and what people do with my bandwidth on my IP address - they can do whatever they want with the bandwidth they pay for.

    The glaring security risk of the two types of networks on many individual devices is beyond the scope in my domain. If that were a concern, there would be a guard at my front door, with a Faraday-shielded lockbox, and mobile devices would be deposited there, and the people would then be swept for other emissions. Even if it were a concern (and it is not part of the paranoia) I don't have the resources to mitigate that. So it must be ignored. Unless I am troubleshooting something on the network, then I can put a device into airplane mode, and turn Wi-Fi back on.


    and not deploy such from a central device within your control (e.g., your perimeter firewall), which in most cases is also your DHCP server, within your protected domain.

    As stated above, that is exactly where I have already deployed it.
    If you think I got Grumpy

  9. #9 Jim.Alles (Untangle Ninja, joined Jul 2008, Central PA, 2,020 posts)

    Quote Originally Posted by f1assistance:
    I know you realize the importance of TRUST in your ISP domain and how devastating it would be for the service they provide (i.e., bandwidth), to lose or bring into question whether they can be or should be trusted to transport and hand-off the totality of your packets, right?
    My philosophy in dealing with tech and its infrastructure, in a short fiction:

    Technical troubleshooting is often referred to as a can of worms. We can get training for dealing with the can of worms. So we have confidence as technicians to remove the lid, untangle the worms and clean up the mess. The problem I have found is that the can itself is actually the lid to the snake pit. And if you go too far, and you are not careful, you'll have a real challenge on your hands. An experienced "Ninja" can deal with that, without getting too badly hurt. But what most tech ninjas don't realize is that the concrete floor of the snake pit is the lid to the dragon's lair.

    There is always a deeper story. Evil exists. Technology isn't going to save us.

    Oh, did I mention Cisco bought OpenDNS, and has left my personal, single-IP address account alone as they are merging things into Cisco Umbrella? I get the domain filtering that I see as a value-add to DNS service, for free still.

    The reality is that Cisco bought a huge data-set. And when the service to me is 'free'; I (my digital persona) is the product.
    Last edited by Jim.Alles; 05-23-2020 at 10:14 AM.

  10. #10 Jim.Alles (Untangle Ninja, joined Jul 2008, Central PA, 2,020 posts)

    Quote Originally Posted by Valvaris:
    The other part is to ensure that clients / servers have their DNS settings enforced in a way that cannot be changed.

    Another factor is applications - a well-known fact is that Google applications tend to resolve via Google DNS, and Android TV OS, even if manually set to a specific DNS server, still calls Google DNS. So that traffic needs to get dropped by the firewall...
    I have long had the blocking rules set up for DNS.

    But you don't have to just drop the other requests; you can forward them to dnsmasq on NGFW to be handled.

    See this thread:
    https://forums.untangle.com/networking/43034-using-port-forwarding-capture-rogue-dns-lookups.html#post241439
    If you think I got Grumpy
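A defender's check for the rogue-resolver traffic discussed in this thread (apps and Android TV calling Google DNS regardless of the configured server), as an added example that is not code from the thread or from NGFW: it scans firewall log lines for port 53/853 flows to anything other than the sanctioned dnsmasq resolver and lists the clients that need a capture/forward rule. The log format, client addresses and resolver IP are constructed for the example; DoH on 443 is indistinguishable from other HTTPS here, which is why a port-based rule cannot catch it.

```python
import ipaddress

# Constructed assumptions for this example: the firewall's dnsmasq instance is the only
# resolver LAN clients may use; substitute your own address.
SANCTIONED_RESOLVERS = {"192.168.1.1"}
DNS_PORTS = {53, 853}   # plain DNS and DNS-over-TLS; DoH rides on 443 and is not caught here

# Constructed sample firewall log lines (not real traffic): ts src dst proto dport action
SAMPLE_LOG = """\
2020-05-23T10:00:01 192.168.1.20 192.168.1.1 udp 53 ALLOW
2020-05-23T10:00:02 192.168.1.37 8.8.8.8 udp 53 ALLOW
2020-05-23T10:00:03 192.168.1.37 8.8.4.4 tcp 853 ALLOW
2020-05-23T10:00:04 192.168.1.20 203.0.113.5 tcp 443 ALLOW
2020-05-23T10:00:05 192.168.1.42 1.1.1.1 udp 53 DROP
garbage line that should be skipped
"""

def parse_line(line):
    """Split one log line into fields; return None for anything that does not parse."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        dport = int(dport)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": dport, "action": action}

def find_rogue_dns(log_text, sanctioned=SANCTIONED_RESOLVERS):
    """Events where a LAN client sent DNS/DoT to a resolver other than the sanctioned one."""
    rogue = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dport"] in DNS_PORTS and ev["dst"] not in sanctioned:
            rogue.append(ev)
    return rogue

def clients_to_redirect(events):
    """Map each offending client to the resolvers it tried: input for a capture/forward rule."""
    out = {}
    for ev in events:
        out.setdefault(ev["src"], set()).add(ev["dst"])
    return {src: sorted(dsts) for src, dsts in out.items()}

if __name__ == "__main__":
    for src, dsts in clients_to_redirect(find_rogue_dns(SAMPLE_LOG)).items():
        print(f"{src} bypassed dnsmasq via {', '.join(dsts)}")
```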
