DNS Security


  • Garbage Person

    I just had a realization. Earlier today, I phoned a hosting company to get a DNS record updated for my client. I've never spoken to anybody at that company, ever. Nobody at my client shares my first name.

    My entire side of the conversation was this:

    "Hi, I'm Weng calling from <my client>. I need some DNS records updated."

    "admin.client.org needs to be pointed to 255.255.255.255, and registration.client.org needs to be pointed to 111.111.111.111."

    "Thanks."

    Not 5 minutes later, root servers started returning the updated IP.

    I think there might be a security hole big enough to drive a truck through in this production setup. This company doesn't even host the application (that's at another company) - they just control the DNS records.



  • Social engineering. You spoke the language, sounded like you knew what you were talking about.

    Service people (receptionists, tech support, etc.) are trained to please people. They will not question you.

    It works even better in person if you wear a suit and tie and look impatient.



  • Not all of them :) Standard procedure in these cases where I work is: "Sure thing. Could you please let $known_contact from $our_client mail or forward your request and I'll get right to it."



  • @pnieuwkamp said:

    Not all of them :) Standard procedure in these cases where I work is: "Sure thing. Could you please let $known_contact from $our_client mail or forward your request and I'll get right to it."

    That's kind of the point here. He was able to alter the DNS record with extremely little information and validation.



  • @Weng said:

    Not 5 minutes later, root servers started returning the updated IP.

    I think there might be a security hole big enough to drive a truck through in this production setup. This company doesn't even host the application (that's at another company) - they just control the DNS records.

    This is why my employer insists on hosting their own DNS. This is why they insist on having their domain registrations 'locked' at all times (well, except right before a transfer). And this is why they're careful about their registrar selection.

    And yes, when we've tried other registrars (which we occasionally do from time to time, to get a feel for our options), we've occasionally had experiences like this. Generally, it results in us moving the domain to a different registrar very quickly (at least once, we started the process with the registrar less than 24 hours later.)
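As an added example (not code from anyone in this thread), here is a small Python check for the two controls the last post relies on: confirming that the registrar-side locks are actually set on a domain, and comparing what the authoritative servers answer against a baseline of the records the client expects to be published, so that a change like the one in the first post is noticed rather than discovered by accident. The domain names, addresses, registrar status lists and the dig-style answer text are all constructed for the example; the status values are the standard EPP client lock codes. Nothing here touches the network.

```python
"""Registrar-lock and DNS-drift checks (added example, constructed input).

Two questions a client of a third-party DNS/registrar should be able to
answer at any time:
  1. Are the client-side EPP locks set, so a phone call cannot move or
     rewrite the domain?
  2. Do the records the authoritative servers publish still match what we
     think we asked for?
"""

from typing import Dict, List, Set

# Standard EPP status codes a registrar sets when a domain is locked against
# client-initiated change. If any is missing, the domain can be updated,
# transferred or deleted by whoever can talk the registrar into it.
REQUIRED_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}

# Constructed: status lists as a registrar or RDAP lookup might report them
# for two hypothetical domains, one unlocked and one locked.
REGISTRAR_STATUS: Dict[str, List[str]] = {
    "client.org": ["ok"],
    "locked.example": ["clientTransferProhibited", "clientUpdateProhibited",
                       "clientDeleteProhibited", "serverTransferProhibited"],
}

# Constructed: the A records the client believes it published.
EXPECTED: Dict[str, Set[str]] = {
    "admin.client.org": {"192.0.2.10"},
    "registration.client.org": {"192.0.2.20"},
}

# Constructed: a dig-style ANSWER SECTION as observed after the phone call.
DIG_ANSWER = """\
;; ANSWER SECTION:
admin.client.org.        300  IN  A  255.255.255.255
registration.client.org. 300  IN  A  111.111.111.111
www.client.org.          300  IN  A  192.0.2.30
"""


def missing_locks(status: List[str]) -> Set[str]:
    """Return the required lock codes absent from a registrar status list."""
    return REQUIRED_LOCKS - set(status)


def parse_answer_section(text: str, rtype: str = "A") -> Dict[str, Set[str]]:
    """Parse dig-style 'name TTL class type rdata' lines into name -> rdata set.

    Comment lines (';') and blank lines are skipped; trailing dots on owner
    names are removed so they compare equal to the baseline keys.
    """
    records: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[3] != rtype:
            continue
        name = fields[0].rstrip(".")
        records.setdefault(name, set()).add(fields[4])
    return records


def dns_drift(expected: Dict[str, Set[str]],
              observed: Dict[str, Set[str]]) -> List[str]:
    """List every name whose observed answers differ from the baseline,
    including names with no baseline entry and names that vanished."""
    findings = []
    for name in sorted(set(expected) | set(observed)):
        want, got = expected.get(name), observed.get(name)
        if want is None:
            findings.append(f"{name}: no baseline, observed {sorted(got)}")
        elif got is None:
            findings.append(f"{name}: expected {sorted(want)}, no answer")
        elif want != got:
            findings.append(f"{name}: expected {sorted(want)}, observed {sorted(got)}")
    return findings


def audit(registrar_status: Dict[str, List[str]],
          expected: Dict[str, Set[str]], answer_text: str) -> Dict[str, object]:
    """Combine both checks into one report."""
    return {
        "unlocked": {d: sorted(missing_locks(s))
                     for d, s in registrar_status.items() if missing_locks(s)},
        "drift": dns_drift(expected, parse_answer_section(answer_text)),
    }


if __name__ == "__main__":
    for key, value in audit(REGISTRAR_STATUS, EXPECTED, DIG_ANSWER).items():
        print(key, value)
```

Run against the constructed input, the report flags client.org as missing all three client locks and reports every name in the answer section as drifted from the baseline, which is exactly the state the first post describes.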

