According to researchers at Wiz, by leveraging the DNS vulnerability they “wiretapped” the internal network traffic of about 15,000 organizations, spanning millions of devices. The leaked data contained valuable intel such as computer names, employee names and other details about the organizations’ domains and their entry points, all of which were exposed to the internet.
DNS vulnerabilities are increasingly critical because the spread of remote work is stretching corporate networks and opening new holes in the fabric of this decades-old protocol, putting billions of devices around the world at risk.
How managed DNS works, and how the DNS bug was exploited to spy on DNS traffic
A DNS host is responsible for hosting DNS records, while a domain registrar is where domain names are purchased. Some DNS hosting providers also offer domain registration and vice versa, but the two services shouldn't be confused.
DNS hosting providers offer a self-service platform that allows customers to update their domain names and name servers. Customers can also add any domain name, because doing so is not supposed to affect live web traffic: the hosting provider is not the authoritative domain registrar for that name.
The assumption is that there is total isolation between one customer and all the others. Route53, for instance, doesn't verify that I own amazon.com, because nothing I register in my own DNS is supposed to have any impact on other customers.
Here lies the loophole: the researchers discovered that registering certain “special” domains, specifically the name of the name server itself, has an unexpected effect on all other customers using that name server. It breaks the isolation between tenants. They successfully registered one type of special domain, but there could be many others.
Technically, they created a new “hosted zone” inside the AWS name server ns-1611.awsdns-09.co.uk and named it “ns-852.awsdns-42.net”. Whenever a domain is added to Route53, four different DNS servers are selected to manage it, and any new name server registered by them on the platform falls under the management of that same server.
They now partially controlled the hosted zone, so they could point it at their own IP address. Whenever a DNS client queried this name server about itself, which thousands of devices do automatically to update their IP address within their managed network, the traffic went directly to the researchers' IP address.
After analyzing it, they learned that it was dynamic DNS traffic from Windows machines querying the hijacked name server about itself; dynamic DNS keeps DNS records automatically up to date when an IP address changes.
The dynamic DNS traffic that was “wiretapped” came from over 15,000 organizations, including several Fortune 500 companies, 45 U.S. government agencies and 85 other international government agencies. The data exposed valuable intel such as internal and external IP addresses, computer names, employee names and office locations.
The research team also released a tool that lets organizations test whether their internal DDNS updates are being leaked to malicious actors. Meanwhile, Amazon and Google have both issued patches for their respective software.