Watch your DNS!
Computers on the Internet have IP addresses, like 208.77.188.166. We are used to locating them by names or Web addresses, like www.example.com. DNS (Domain Name System) is what translates a Web address into an IP address. Seems pretty easy and straightforward. But DNS is absolutely central to the integrity of the Internet, and there seems to be a serious weakness that may cause us a lot of headaches.
Fake DNS servers. Under normal conditions you get your DNS servers when you connect to your ISP (Internet Service Provider). It is in the very interest of the ISPs not to mess with the DNS system and to hand their clients the proper references to DNS servers. But there is nothing that would stop me from setting up a free WiFi network that hands out fake DNS references. Any computer joining such a network would then go to fake DNS servers to resolve every name a user types in the address bar of the Web browser, and as a result users would be redirected to fake servers. After typing in www.MyBank.com I would first be sent to a different server that could execute a man-in-the-middle attack: forwarding my requests to the real MyBank servers, but sitting there in the middle to capture everything I send and receive (including passwords). Bruce Schneier has a great commentary on this type of attack.
OK, but most of us already know we should not be joining unknown networks for that very reason. So should we feel secure then? What else should be checked? Your very own Internet router at home. This happened to me before. Hijacked firmware. I bought a used Linksys WAP54G on an Internet auction. The access point arrived with default factory settings on, and I configured it to match my network. Sometime later I noticed an unknown but active MAC address in the logs of my firewall. Tracing it down, I realized I had an unknown guest attached to my WiFi network. Weird, I thought, as I was running WPA2 security with AES and a long password, a virtually unbreakable combination, even in the light of the new findings in this area. "OK, smart guy, I will change the password on you and you will be out," I thought. And 5 seconds after I changed the password, he was back in. Scary. I repeated the step and he was again logged into my network. The password simply must have been relayed somewhere just as I was changing it. The source of the problem? The access point was not brand new or factory sealed, and it simply arrived with hijacked firmware. I do not know what exactly this firmware was doing. I panicked. I unscrewed the antennas to get the intruder out at the physical layer and upgraded the access point to the new firmware downloaded directly from the Linksys.COM site. He never came back again. I found him because I was browsing the logs from my firewall. How many of you regularly do that?
Hijacked router firmware can also be your closest source of fake DNS, with all the consequences described above. So make sure you update your gear before you plug it into your network. Even if it came factory sealed... You will be secure... not only feel secure. Unless you have a D-Link router like the DIR-655 using firmware 1.21, where D-Link introduced a feature hijacking the DNS system for marketing purposes. According to http://www.ubersource.com/?p=17, it "hijacked google.ca and sent me instead to its own domain at bsecure.com where it attempted to sell me a security software subscription at a discount or a trial". This is very scary. Vendors are now using the DNS service to fool users and redirect them to sites and services they do not want to go to. It should be considered a crime. Like changing road signs to make travelers visit shops and services they never wanted. Who should we trust now? Certainly not D-Link after seeing practices like that. I have to rethink this twice, as I have already put a lot of money into a D-Link based security infrastructure of my home network. And now I lost the trust I had in them. For good...