In a nutshell, domain name hijacking redirects a user who intends to visit a website, without their knowledge, to a phishing site. For example, a user who sets out to visit a well-known brand's online store can be taken, by means of domain name hijacking, to a fake store that harvests the user's ID and password.
This kind of crime is usually carried out through DNS cache poisoning or domain name hijacking. In recent months, hackers have demonstrated the dangers of this type of attack. This March, the SANS Institute discovered a cache poisoning attack that redirected 1,300 well-known brand names, including ABC, American Express, Citi and Verizon Wireless; in January, Panix's domain was hijacked by an Australian hacker; in April, the IP address of Hushmail's primary domain name server was modified to point to a hacker's crude website.
Statistics tracking domain hijacking incidents are not yet available. However, the Anti-Phishing Working Group (APWG) considers the problem already serious and has made domain name hijacking a focus of its recent work.
Experts say cache poisoning and domain name hijacking have already attracted the attention of the relevant organizations, and as the number of online brands and their turnover grow, the problem becomes more prominent. There is reason to worry that fraudsters will soon use this hacking technique to deceive large numbers of users, obtain valuable personal information, and cause confusion in the online marketplace.
Domain name hijacking is very complex to solve, both technically and organizationally. In the current situation, however, an enterprise can still take measures to keep its DNS servers and domain names from being manipulated by domain name crooks.
Break the dilemma
The DNS security problem is rooted in the Berkeley Internet Name Domain (BIND) software. BIND is full of security issues that have been widely reported over the past five years. "If you use a DNS server based on BIND, follow the best practices for DNS management," said Ken Silva, chief security officer at VeriSign.
SANS chief research officer Johannes said: "There are some fundamental problems with DNS; the most important thing is to keep patching the DNS server so that it stays up to date."
Paul Mockapetris, chief scientist at Nominum and the original author of the DNS protocol, said that upgrading to BIND 9.2.5 or deploying DNSSEC would eliminate the risk of cache poisoning. However, such migrations are difficult and time-consuming to complete without the interfaces provided by DNS management appliances from vendors such as BlueCat Networks, Cisco, F5 Networks, Lucent, and Nortel. Some companies, such as Hushmail, chose to use the open-source tinydns instead of BIND. Alternative DNS software includes products from Microsoft, PowerDNS, JH Software, and other vendors.
Regardless of which DNS software you use, follow these best practices:
1. Run separate domain name servers on different networks to achieve redundancy.
2. Separate external and internal domain name servers (physically, or by running BIND views) and use forwarders. The external domain name server should accept queries from almost any address, but the forwarders should not: configure them to accept queries only from internal addresses. Turn off recursion (the process of locating DNS records by walking down from the root servers) on the external domain name server. This restricts which DNS servers are exposed to the Internet.
3. When possible, restrict dynamic DNS updates.
4. Restrict zone transfers to authorized devices only.
5. Use transaction signatures (TSIG) to digitally sign zone transfers and zone updates.
6. Hide the version of BIND running on the server.
7. Remove unnecessary services that are running on the DNS server, such as FTP, Telnet, and HTTP.
8. Use firewall services on the network perimeter and DNS servers. Restrict access to ports/services that are required by DNS functionality.
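As an added example (not the article's own configuration), here is how items 2 through 6 map onto a BIND 9 named.conf; the zone name, the 192.0.2.0/24 range, file paths and the key secret are placeholders.

```conf
// Added example, not from the original article: a BIND 9 named.conf
// applying items 2 through 6 of the list above. example.com, the
// 192.0.2.0/24 range and the key secret are placeholders.

// Item 5: TSIG key shared with the secondary. Generate the secret with
// tsig-keygen and keep this file out of world-readable locations.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET-REPLACE-ME=";
};

acl "internal" { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    version "not disclosed";      // item 6: do not reveal the BIND version
    allow-transfer { none; };     // item 4: deny by default, open per zone
    allow-update { none; };       // item 3: no dynamic updates by default
};

// Item 2: the internal view plays the forwarder role. It resolves
// recursively, but answers only internal clients.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    zone "example.com" {
        type primary;             // "type master" before BIND 9.16
        file "internal/example.com.zone";
    };
};

// Item 2: the external view is authoritative only. With recursion off it
// never caches answers from outside, so there is no cache to poison.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    zone "example.com" {
        type primary;
        file "external/example.com.zone";
        // Items 4 and 5: only requests signed with the shared TSIG key
        // may transfer the zone.
        allow-transfer { key "xfer-key"; };
    };
};
```

Check the result with `named-checkconf` before reloading, and keep the TSIG secret in a separate include file with restricted permissions.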
Let registrars take responsibility
A large part of the domain name hijacking problem is organizational. Not long ago, a hacker defrauded a customer service representative into modifying the IP address of Hushmail's primary domain name server. Hushmail's CTO Brian Smith is still furious; it galls him that hackers could so easily dupe his domain registrar's customer service representatives.
"It really sucks for us," Smith said. "I would like to see registrars develop and publish better security policies. However, I could not find a registrar that does so; since this incident, I have been looking for such registrars."