Blocking domain hijacking from two major aspects

Source: Internet
Author: User
Keywords: domain name hijacking, server, domain name service, two big hackers


In a nutshell, domain name hijacking means that a user who intends to visit a website is, without knowing it, redirected to a phishing site. For example, when a user sets out to visit the online store of a well-known brand, an attacker can use domain hijacking to send the user to a counterfeit store instead and collect the user's ID and password there.

This kind of crime is usually carried out by poisoning a DNS server's cache (cache poisoning) or by hijacking the domain name itself. In recent months hackers have demonstrated how dangerous this type of attack is. This March, SANS Cato discovered a cache poisoning attack that redirected 1,300 well-known brand names, including ABC, Anglo Express, Citi and Verizon Wireless; in January, Panix's domain was hijacked by an Australian hacker; in April, the IP address of Hushmail's primary domain name server was modified to point at a hacker's crude web site.

Statistics tracking domain hijacking incidents are not currently available. However, the Anti-Phishing Working Group (APWG) considers the problem already serious and has made domain name hijacking the focus of its recent work.

Experts say that cache poisoning and domain name hijacking have already attracted the attention of the relevant organizations. With the growing number of online brands and rising transaction volumes, the problem is becoming more prominent. There is reason to worry that fraudsters will soon use these hacking techniques to deceive large numbers of users, obtain valuable personal information, and cause confusion in the online marketplace.

Domain name hijacking is hard to solve, both technically and organizationally. Under current conditions, though, an enterprise can still take measures to keep its DNS servers and domain names from being manipulated by domain name crooks.

Break the dilemma

The root cause of DNS security problems is the Berkeley Internet Name Domain (BIND). BIND is full of security issues that have been widely reported over the past 5 years. "If you use a DNS server based on BIND, follow the best practices for DNS management," said Ken Silva, chief security officer at VeriSign.

SANS chief research officer Johannes said: "There are some fundamental problems with DNS. The most important thing is to keep patching the DNS server so that it stays up to date."

"Upgrading to BIND 9.2.5 or implementing DNSSEC will eliminate the risk of cache poisoning," said Paul Mockapetris, chief scientist of Nominum and the original author of the DNS protocol. However, such migrations are difficult and time-consuming to complete without the management interfaces of DNS appliances from vendors such as BlueCat NX, Cisco, F5 NX, Lucent, and Nortel. Some companies, such as Hushmail, chose to use the open source tinydns instead of BIND. Alternative DNS software includes products from Microsoft, PowerDNS, JH Software, and other vendors.

Regardless of which DNS you use, follow these best practices:

1. Run separate domain name servers on different networks to achieve redundancy.

2. Separate the external and internal domain name servers (either physically or with BIND views) and use forwarders. The external domain name server should accept queries from almost any address, but the forwarders should not: configure them to accept queries only from internal addresses. Turn off recursion on the external domain name server (recursion is the process of locating DNS records by walking down from the root servers). This limits which DNS servers are exposed to the Internet.

3. Limit Dynamic DNS updates when possible.

4. Restrict zone transfers to authorized devices only.

5. Digitally sign zone transfers and zone updates using transaction signatures (TSIG).

6. Hide the version of BIND running on the server.

7. Remove unnecessary services that run on the DNS server, such as FTP, Telnet, and HTTP.

8. Use firewall services on the network perimeter and DNS servers. Restrict access to ports/services that are required by DNS functionality.
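As an added example, not part of the original article, the following Python script audits an external-facing BIND named.conf against items 2 through 6 of the checklist: recursion disabled, dynamic updates and zone transfers not open to any host, transfers tied to a TSIG key, and the version string hidden. Both configurations are constructed samples embedded in the script; the key name xfer-key, the placeholder secret and the zone example.com are assumptions. The directives used (recursion, allow-update, allow-transfer, key, version) are standard BIND 9 syntax. The check is a regex scan rather than a full named.conf parser, so it complements, and does not replace, named-checkconf.

```python
"""Audit a BIND named.conf against the hardening checklist (items 2-6 above)."""
import re
from typing import List

# Constructed sample: an external-facing named.conf with the weak defaults
# (zone, paths and names are made up for this example).
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;              // external server still answers recursive queries
    allow-transfer { any; };    // anyone can pull the whole zone
    version "9.2.5";            // real version advertised in version.bind
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { any; };      // unauthenticated dynamic updates
};
"""

# Constructed sample: the same server after applying checklist items 2-6.
HARDENED_CONF = """
// TSIG key shared with the authorized secondary (name and secret are placeholders).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET==";
};
options {
    directory "/var/named";
    recursion no;                       // item 2: no recursion on the external server
    allow-transfer { key xfer-key; };   // items 4 and 5: transfers only with the TSIG key
    allow-update { none; };             // item 3: no dynamic updates
    version none;                       // item 6: hide the BIND version
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key xfer-key; };
    allow-update { none; };
};
"""


def _strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so commented-out directives are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def _acl_bodies(conf: str, directive: str) -> List[str]:
    """Return the contents of every `<directive> { ... };` block in the config."""
    return [m.strip() for m in re.findall(rf"\b{directive}\s*\{{([^}}]*)\}}", conf)]


def audit_named_conf(conf: str) -> List[str]:
    """Return a list of findings; an empty list means items 2-6 are satisfied."""
    conf = _strip_comments(conf)
    findings: List[str] = []

    # Item 2: an external authoritative server must not recurse (BIND defaults to yes).
    m = re.search(r"\brecursion\s+(yes|no)\s*;", conf)
    if not m or m.group(1) == "yes":
        findings.append("recursion is enabled (or left at the default 'yes')")

    # Item 3: dynamic updates must not be open to any host.
    for body in _acl_bodies(conf, "allow-update"):
        if re.search(r"\bany\b", body):
            findings.append("allow-update permits 'any' host")

    # Items 4 and 5: zone transfers restricted, and restricted by TSIG key rather than IP alone.
    bodies = _acl_bodies(conf, "allow-transfer")
    if not bodies:
        findings.append("allow-transfer is unset (older BIND defaults to allowing transfers to anyone)")
    for body in bodies:
        if re.search(r"\bany\b", body):
            findings.append("allow-transfer permits 'any' host")
        elif not re.search(r"\bnone\b|\bkey\s+\S+", body):
            findings.append("allow-transfer is not limited to 'none' or a TSIG key")
    if re.search(r"\bkey\s+\S+", " ".join(bodies)) and not re.search(r'^\s*key\s+"', conf, re.M):
        findings.append("allow-transfer references a TSIG key but no key statement is defined")

    # Item 6: the version string must not reveal the running BIND release.
    m = re.search(r'\bversion\s+("?)([^";]*)\1\s*;', conf)
    if not m or re.search(r"\d+\.\d+", m.group(2)):
        findings.append("BIND version is exposed via version.bind")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_named_conf(conf)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against the weak sample the script reports four findings (open recursion, open updates, open transfers, exposed version); the hardened sample reports none. Item 7 (unneeded services) and item 8 (perimeter filtering) live outside named.conf and are not covered by this check.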
