"DNS Attack Prevention Popular Science Series 5": a chat about DNS hijacking

Following the previous installment of the "DNS attack prevention popular science series", today we talk about DNS hijacking. First, the concept: DNS hijacking means tampering, by some technical means, with the correct mapping between a domain name and its IP address so that the domain name resolves to the wrong IP address; it is also called DNS redirection. DNS hijacking is commonly used for pharming, for example injecting extra content into the page a user visits to earn advertising revenue, and for phishing, for example showing a fake version of the site a user is visiting in order to steal personal information.
How much harm can DNS hijacking actually do? Let's look at two real, major incidents:

Notable DNS hijacking incidents

Incident 1: "AWS Route 53 BGP route leak"

 Impact: According to incomplete statistics, within two hours the DNS hijack led to multiple users' Ethereum wallets being emptied by transfers, with at least $13,000 in assets stolen by the attackers.
 Reconstruction: The incident occurred on April 24, 2018. The attackers announced false BGP routes for four IP prefixes assigned to AWS that serve the Route 53 DNS servers (205.251.192.0/23, 205.251.194.0/23, 205.251.196.0/23, 205.251.198.0/23). During the roughly two-hour BGP leak, DNS queries that should have reached the AWS Route 53 servers were redirected to a malicious DNS server operated by the attackers. Their goal was clear: the malicious DNS server answered only queries for myetherwallet.com and returned SERVFAIL for every other domain. If a user ignored the "site not secure" warning and logged in to their Ethereum wallet at myetherwallet.com, the attackers could easily obtain the user's private key and then steal their digital-currency assets. For the normal DNS flow and the flow during the hijack, see the attack diagrams below (from the Cloudflare blog):
Figure 1: normal resolution

Figure 2: after the BGP leak

Incident 2: "Banco do Brasil phishing incident"

 Impact: The attackers redirected victims who intended to visit the bank's legitimate site to phishing sites and used malicious code to steal their bank account credentials.
 Reconstruction: The incident occurred in 2018. The attackers exploited D-Link router vulnerabilities to compromise at least 500 home routers. After the compromise they changed the DNS configuration on the victims' routers, so that the victims' DNS requests were redirected to a malicious DNS server the attackers had set up; victims who wanted to visit the bank's legitimate site were ultimately sent to phishing sites, where their bank account passwords were stolen.
Figure 3: the Banco do Brasil phishing flow

Image source: bankinfosecurity

Both cases above are shocking. Next, let's look at how attackers actually carry out DNS hijacking.

How DNS resolution works

Before explaining how hijacking works, you need to understand the typical DNS resolution flow.
Figure: typical DNS resolution flow

The client sends a recursive DNS request; the local recursive DNS server (in most cases the ISP's DNS) or a public DNS service then queries the multi-level authoritative DNS servers iteratively and finally returns the result to the client. As you can see, a complete DNS query:
• Has a long path. The query involves multiple rounds of network communication across multiple levels.
• Involves many parties. The query involves the client, the recursive DNS server, the authoritative servers, and so on.

Every link in a complete DNS query chain can in fact be hijacked; the following sections analyze each type of DNS hijacking in turn.

Classification of DNS hijacking

Following the path client side -- recursive DNS server -- authoritative DNS server, we classify DNS hijacking as follows:

【I. Local DNS hijacking】

DNS hijacking that happens on the client side is collectively called local DNS hijacking. It may take the form of:

  1. Attackers compromise a PC with a Trojan, virus, or other malware and tamper with its DNS configuration (hosts file, DNS server address, DNS cache, etc.).
  2. Attackers exploit a router vulnerability or crack the router's administrative account, break into the router, and tamper with its DNS configuration.
  3. Some enterprise proxy devices (such as the Cisco Umbrella intelligent proxy) deliberately hijack DNS for specific domains within the enterprise and resolve them to designated results.
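Two of the client-side locations listed above, the hosts file and the configured DNS server addresses, can be audited from the client itself. The script below is an added example and is not code from the original article; it uses only the Python standard library. The SENSITIVE_DOMAINS and EXPECTED_RESOLVERS sets, the sample hosts file, and the sample resolver configuration are all constructed for the demonstration and are assumptions you would replace with your own environment's values.

```python
"""Audit a client's local DNS configuration for signs of local DNS hijacking.

Added example, not code from the original article. It inspects two of the
client-side places the article lists: the hosts file and the configured
DNS server addresses. The sample inputs are constructed; SENSITIVE_DOMAINS
and EXPECTED_RESOLVERS are assumptions to replace with your own values.
"""
import ipaddress
import re

# Assumption: domains that should never be pinned in a hosts file on this client.
SENSITIVE_DOMAINS = {"myetherwallet.com", "example-bank.com"}

# Assumption: the public resolvers this client is expected to use.
EXPECTED_RESOLVERS = {"223.5.5.5", "223.6.6.6"}

# RFC 1918 ranges: a resolver here is normally the home/office router itself.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and bad lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                               # malformed line, not an address
        for name in names:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def suspicious_hosts_entries(text, sensitive=SENSITIVE_DOMAINS):
    """Flag hosts entries pinning a sensitive domain (or a subdomain) to a non-loopback address.

    Pins to 127.0.0.1 or 0.0.0.0 are the common ad-blocking pattern and are ignored;
    a pin to any other address for a sensitive domain is a hijack indicator.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        if any(name == d or name.endswith("." + d) for d in sensitive):
            flagged.append((name, ip))
    return flagged


def parse_nameservers(resolv_text):
    """Extract nameserver addresses from resolv.conf-style text."""
    return [m.group(1) for line in resolv_text.splitlines()
            if (m := re.match(r"\s*nameserver\s+(\S+)", line))]


def unexpected_resolvers(resolv_text, expected=EXPECTED_RESOLVERS):
    """Return configured resolvers that are neither expected public resolvers nor LAN/loopback.

    A LAN address means the router is the resolver, so the router's own upstream
    DNS setting must be checked separately (the article's first confirmation step).
    """
    unexpected = []
    for server in parse_nameservers(resolv_text):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            unexpected.append(server)               # not even an address: report it
            continue
        if server in expected or addr.is_loopback or any(addr in n for n in LAN_NETWORKS):
            continue
        unexpected.append(server)
    return unexpected


# Constructed sample inputs (not real files from any host).
SAMPLE_HOSTS = """\
127.0.0.1    localhost
0.0.0.0      ads.tracker.example          # ad-block style pin, benign
203.0.113.7  myetherwallet.com www.myetherwallet.com   # wallet site pinned elsewhere: suspicious
"""
SAMPLE_RESOLV = """\
nameserver 192.168.1.1
nameserver 198.51.100.53
"""

if __name__ == "__main__":
    print("suspicious hosts entries:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV))
```

On a real machine you would feed the script the contents of /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) and /etc/resolv.conf. Note the limitation the Banco do Brasil case illustrates: when the router is the resolver, the client sees only a LAN address, and the tampered upstream DNS setting is visible only in the router's own configuration.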

【II. DNS resolution path hijacking】

DNS hijacking that happens during the network communication between the client and the DNS server in the course of resolution is collectively classified as DNS resolution path hijacking. By where along the query path the DNS packets are hijacked, it can be further divided into three types:

• DNS request forwarding

DNS traffic is redirected to other DNS servers by technical means (middleboxes, software, etc.).
Example:
Figure 5: DNS request forwarding
Image from: Wu Junfeng, Shen Han, "Off-network DNS control practice based on a bypass race-answer mechanism", Telecommunications Technology [J] (巫俊峰, 沈瀚. 基于旁路抢答机制的异网DNS管控实践. 电信技术)

• DNS request duplication

Using optical splitters or similar devices, DNS queries are copied to a network device, which returns a hijacked DNS answer before the legitimate answer arrives.
Example: a packet capture in which one DNS query receives two different answers.
Figure 6: one query, two different answers

• DNS request proxy-answering

A network device or piece of software answers the DNS query directly in place of the DNS server.
Example: some DNS servers implement SERVFAIL rewriting and NXDOMAIN rewriting.
Figure 9: SERVFAIL/NXDOMAIN rewriting
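The request-duplication case above has a recognizable signature on the wire: one transaction ID receives two responses whose answers disagree, whereas a legitimate retransmit repeats the same answer. The following is an added example, not code from the original article: a minimal stdlib-only DNS wire-format parser plus a check that groups captured responses by transaction ID and reports the IDs that received conflicting answers. The capture is constructed with the included build_response() helper; the resolver address, domain names and IP addresses in it are made up.

```python
"""Detect the "one query, two different answers" signature of DNS request duplication.

Added example, not code from the original article. It contains a minimal DNS
wire-format parser (stdlib only) and a check that groups captured responses by
transaction ID and reports IDs that received conflicting answers. The capture
below is constructed with build_response(); the resolver address and all
IPs/domain names in it are made up.
"""
import struct
from collections import defaultdict


def _read_name(msg, off):
    """Decode a possibly compressed DNS name at off; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def parse_response(msg):
    """Parse the header, question section and A-record answers of a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname = 12, None
    for _ in range(qdcount):
        qname, off = _read_name(msg, off)
        off += 4                                          # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:                     # A record
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "answers": answers}


def detect_race_answers(capture):
    """Group (src_ip, raw_response) pairs by transaction ID; return IDs with conflicting answers.

    A legitimate retransmit repeats the same answer; a race-answer middlebox
    produces a second response with a different answer set (or a different RCODE).
    """
    by_id = defaultdict(list)
    for src, raw in capture:
        r = parse_response(raw)
        by_id[r["id"]].append((src, r["rcode"], tuple(sorted(ip for _, ip, _ in r["answers"]))))
    return {txid: resp for txid, resp in by_id.items()
            if len({(rc, ans) for _, rc, ans in resp}) > 1}


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def build_response(txid, qname, rcode, a_records, ttl=300):
    """Build a DNS A response (used only to construct the sample capture)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)  # QR, RD, RA set
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)                        # A, IN
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4)   # name = pointer to the question
                       + bytes(int(x) for x in ip.split(".")) for ip in a_records)
    return header + question + answers


RESOLVER = "223.5.5.5"    # constructed: the resolver the client queried
SAMPLE_CAPTURE = [
    # txid 0x1A2B: a hijacked answer arrives first, the real one second
    (RESOLVER, build_response(0x1A2B, "www.example.com", 0, ["203.0.113.10"], ttl=60)),
    (RESOLVER, build_response(0x1A2B, "www.example.com", 0, ["198.51.100.80"])),
    # txid 0x1A2C: a normal query with a single answer
    (RESOLVER, build_response(0x1A2C, "mail.example.com", 0, ["198.51.100.25"])),
]

if __name__ == "__main__":
    for txid, responses in detect_race_answers(SAMPLE_CAPTURE).items():
        print(f"conflicting answers for txid 0x{txid:04X}: {responses}")
```

In practice the capture list would come from the UDP payloads of port-53 responses in a packet capture taken on the client. The check only compares answers that share a transaction ID, so ordinary retransmissions with identical content are not reported; the proxy-answering case (SERVFAIL or NXDOMAIN rewriting) does not produce a second response and needs a different check, such as comparing the RCODE against a second, trusted resolver.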

【III. Tampering with authoritative DNS records】

By tampering with authoritative DNS records we mean attackers illegally breaking into the account that manages the authoritative DNS records and modifying the records directly.
Examples:
Attackers break into the domain's management account and change its authoritative DNS records to point to their own malicious server, achieving DNS hijacking.
Figure 7: tampered authoritative records

Attackers break into the management account at the domain's parent registry, change the domain's NS delegation records, and delegate the domain to a malicious DNS server they have set up, achieving DNS hijacking.
Figure 8: tampered NS delegation

(The above refers to the FireEye blog.)

Strategies for dealing with DNS hijacking

DNS hijacking seems to have become commonplace on the Internet, so how should we deal with its endless varieties? If you suspect you are a victim of DNS hijacking, the first thing to do is confirm the problem.

How to confirm DNS hijacking

Check whether the router's DNS configuration has been tampered with.
Use Internet-wide probing tools to confirm the hijack and its scope. Here we are pleased to introduce Alibaba's DNS domain detection tool, officially launched after the National Day holiday, at: https://zijian.aliyun.com/#/domainDetect
Figure: Alibaba DNS domain detection tool

Use a tool that reveals which DNS server actually answered your query to confirm whether your DNS resolution is being redirected:
• Whatismydnsresolver: http://whatismydnsresolver.com/
On mobile, DNS testing tools can be installed for troubleshooting:
• Android: dns ping
• iOS: iNetTools

Preventing DNS hijacking

• Install antivirus software to defend against Trojans and malware; change the router's administrative password periodically and keep its firmware updated.
• Choose a domain registrar with strong security, and lock your domain's authoritative data so it cannot be tampered with.
• Choose a DNS resolution provider that supports DNSSEC, and deploy DNSSEC for your own domain. DNSSEC lets the recursive DNS server verify that the data it receives from the authoritative DNS server has not been tampered with. Alibaba Cloud DNS, as a professional DNS resolution provider, has been continuously refining its product features; DNSSEC support is already under development and will be released soon.
• Use encryption for the last-mile communication between the DNS client and the recursive DNS server, such as DNS-over-TLS or DNS-over-HTTPS.
The "DNS attack prevention popular science series" ends here; we welcome your feedback and your own views on DNS attack prevention. The other articles in this series:
Series 1: "Is your DNS server really secure?"
Series 2: "How a DNS server defends against DDoS attacks"
Series 3: "How to ensure DNS operates securely"
Series 4: "What to do when you suffer DNS cache poisoning"


Source: yq.aliyun.com/articles/720203