Black Hat Briefings: Hosted DNS configuration flaws risk leaking corporate network topologies

John Leyden 05 August 2021 at 15:43 UTC

AWS Route 53 plugs security hole, but other managed DNS platforms are potentially vulnerable, researchers warn

Security researchers have discovered a new class of DNS vulnerability that affects multiple DNS-as-a-Service (DNSaaS) providers.

Researchers from cloud security firm Wiz.io discovered that non-standard implementation of DNS resolvers, when combined with quirks in the provision of DNS services, could lead to information leakage from corporate networks using the affected services.

The research was presented during a session at the Black Hat USA conference on Wednesday (August 5).

Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable, but providers of DNS and their clients are particularly at risk and shown to be flawed in tests by Wiz.io.

Leaking sensitive info

The complexity of DNS and its multiple implementations prompted Wiz.io to investigate the security of DNS-as-a-Service offerings, including AWS Route 53.

To their surprise, the researchers discovered that if they registered a nameserver to itself on AWS Route 53 they saw Dynamic DNS traffic that ought to be restricted to internal networks.

Microsoft Windows endpoints reveal sensitive customer information when performing DNS update queries through vulnerable setups. Information potentially exposed includes internal IP addresses, computer names, and external IP addresses.

Catch up with the latest DNS-related security news and analysis

“Over a few hours of DNS sniffing, we received DNS Updated from 992,597 Windows endpoints from around 15,000 potentially vulnerable companies, including 15 Fortune 500 companies,” Wiz.io reports.

Computer names can hint at the role of a user within an organization, while internal IP addresses expose the enterprise network setup. External IP addresses expose the geographic locations of computers.

Snooping made easy

During their Black Hat USA presentation, Wiz.io claimed that the scope and ease of exploitation posed by the vulnerability made “NSA spying as easy as registering a domain”.

More specifically, it was possible for anyone to register hosted zones on AWS associated with Route53 name servers, exposing corporate DNS queries as a result.

Wiz.io discovered that a large credit union was running a subsidiary in Iran, while a mining firm maintained an office in the Ivory Coast – both apparent violations of the US Office of Foreign Assets Control regulations.

RECOMMENDED Black Hat 2021: WARCannon simplifies web-wide vulnerability research

In addition, internal IPv6 addresses and (worse) NTLM / Kerberos authentication tickets are sometimes exposed.

Wiz.io examined six major DNSaaS providers, discovering three were vulnerable to the nameserver registration-based exploit.

AWS Route 53 has resolved the issues with its implementation, while the disclosure process remains ongoing between Wiz.io and the other two (as-yet unnamed) providers.

Corporate clients of any provider can address the issue themselves by modifying the default Start of Authority (SoA) record in their DNS setup.

READ MORE Black Hat USA: Credential leak detection tool Scrapesy aims to reduce incident response times