Prevent DNS Hijacking

Steve Gibson, of Gibson Research Corporation, spoke recently to Leo Laporte on their regular “Security Now!” podcast about a trojan that has been doing the rounds of the internet for quite some time.

This trojan – and others like it – infects networked computers via any number of known security exploits, then changes the DNS servers that the infected machine uses for name resolution. The DNS servers the infected machines are pointed at are set up to maliciously redirect you to websites other than the one you really intended to visit. They might look like the site you wanted (e.g. your banking website), but really they are hosted by the bad guys, seeking to steal your information.

There are a number of ways people – and ISPs – can mitigate this problem on their networks. Generally, though, this is a problem that should be addressed by ISPs.

It is as simple as blocking all outgoing DNS requests from customer machines, other than those sent to the ISP's own DNS server. This forces the client machines to use the local DNS server (i.e. the ISP's DNS server), which should then be heavily fortified and rigorously secured by administrators at the ISP. The ISP can then configure forward lookups outside of its network to DNS servers that it trusts.

That way, when a bad guy's trojan comes along and configures your client machine to look up their “bad” DNS server, your ISP blocks your access to it by default, so you never receive their “bad” answers.

Any administrator worth their salt would have firewalling in both the inbound AND outbound directions to deal with this kind of attack and others like it.
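To make the outbound rule concrete, here is an added example (not code from the original post or from Gibson Research) that models the egress policy described above in Python: DNS from customer hosts is allowed only to the ISP's own resolvers and dropped to anything else, an audit function runs that policy over constructed firewall log lines to find hosts that are already trying to reach foreign resolvers, and the same constants are rendered as an nftables ruleset. All addresses, the log line format, the table and chain names, and the sample log are assumptions constructed for this example; nothing is applied to a live firewall.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed values for this example: the ISP's own resolvers (the only DNS
# destinations customer hosts may reach) and the customer address space.
ALLOWED_RESOLVERS = ("192.0.2.53", "192.0.2.54")
CUSTOMER_NET = ipaddress.ip_network("198.51.100.0/24")
DNS_PORT = 53


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


# Assumed (constructed) syslog-style firewall line format:
#   <timestamp> fw: <UDP|TCP> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw: (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flow(line):
    """Parse one log line into a Flow, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Flow(m["ts"], m["src"], m["dst"], m["proto"], int(m["dport"]))


def egress_verdict(flow):
    """The decision the ISP's edge firewall should make for one outbound flow.

    Only DNS (port 53) from customer hosts is policed: it is allowed to the
    ISP's own resolvers and dropped to anything else, so a host whose resolver
    setting has been hijacked simply cannot reach the rogue server.
    """
    if flow.dport != DNS_PORT:
        return "allow"
    if ipaddress.ip_address(flow.src) not in CUSTOMER_NET:
        return "allow"
    if flow.dst in ALLOWED_RESOLVERS:
        return "allow"
    return "drop"


def audit(lines):
    """Map each customer host that tried to use a foreign resolver to the
    sorted list of resolver addresses it tried to reach.

    Hosts in this map are the ones the drop rule is protecting, and the ones
    worth contacting: a trojan may have rewritten their DNS settings.
    """
    suspects = {}
    for line in lines:
        flow = parse_flow(line)
        if flow is not None and egress_verdict(flow) == "drop":
            suspects.setdefault(flow.src, set()).add(flow.dst)
    return {src: sorted(dsts) for src, dsts in suspects.items()}


def nftables_rules():
    """Render the same policy as an nftables ruleset (text only; nothing is
    applied). Generating it from the constants above keeps the audit and the
    enforcement in agreement."""
    resolvers = ", ".join(ALLOWED_RESOLVERS)
    net = str(CUSTOMER_NET)
    return "\n".join([
        "table inet dns_egress {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        f"        ip saddr {net} ip daddr {{ {resolvers} }} udp dport {DNS_PORT} accept",
        f"        ip saddr {net} ip daddr {{ {resolvers} }} tcp dport {DNS_PORT} accept",
        f"        ip saddr {net} udp dport {DNS_PORT} drop",
        f"        ip saddr {net} tcp dport {DNS_PORT} drop",
        "    }",
        "}",
    ])


# Constructed sample log: one host (198.51.100.22) has been pointed at foreign resolvers.
SAMPLE_LOG = [
    "2012-03-01T10:00:01 fw: UDP 198.51.100.10:51512 -> 192.0.2.53:53",
    "2012-03-01T10:00:02 fw: UDP 198.51.100.22:40001 -> 203.0.113.7:53",
    "2012-03-01T10:00:03 fw: TCP 198.51.100.22:40002 -> 203.0.113.8:53",
    "2012-03-01T10:00:04 fw: TCP 198.51.100.10:40003 -> 203.0.113.9:443",
    "2012-03-01T10:00:05 fw: UDP 198.51.100.22:40004 -> 192.0.2.54:53",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for host, resolvers in audit(SAMPLE_LOG).items():
        print(f"{host} tried foreign DNS servers: {', '.join(resolvers)}")
    print(nftables_rules())
```

Running the audit over the sample log reports only 198.51.100.22, the host whose resolver settings were changed, together with the two foreign servers it tried. Note that this check only sees conventional DNS on port 53; it says nothing about a host that resolves names some other way, which is why the drop rule and the audit belong together rather than one replacing the other.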

It’s a fairly simple solution to a serious problem.