AWS Route 53 plugs security hole, but other managed DNS platforms are potentially vulnerable, researchers warn
UPDATED Security researchers have discovered a new class of DNS vulnerability that affects multiple DNS-as-a-Service (DNSaaS) providers.
Researchers from cloud security firm Wiz.io discovered that non-standard implementation of DNS resolvers, when combined with quirks in the provision of DNS services, could lead to information leakage from corporate networks using the affected services.
The research was presented during a session at the Black Hat USA conference on Wednesday (August 5).
Any cloud provider, domain registrar, or website host that offers DNSaaS could be vulnerable; the DNSaaS providers that Wiz.io tested, along with their clients, were shown to be exposed.
Leaking sensitive info
The complexity of DNS and its multiple implementations prompted Wiz.io to investigate the security of DNS-as-a-Service offerings, including AWS Route 53.
To their surprise, the researchers discovered that if they registered a nameserver to itself on AWS Route 53 they saw Dynamic DNS traffic that ought to be restricted to internal networks.
Microsoft Windows endpoints reveal sensitive customer information when performing DNS update queries through vulnerable setups. Information potentially exposed includes internal IP addresses, computer names, and external IP addresses.
“Over a few hours of DNS sniffing, we received DNS updates from 992,597 Windows endpoints from around 15,000 potentially vulnerable companies, including 15 Fortune 500 companies,” Wiz.io reports.
Computer names can hint at the role of a user within an organization, while internal IP addresses expose the enterprise network setup. External IP addresses expose the geographic locations of computers.
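As an added illustration (not code from the original article or from Wiz.io), the following Python parses a DNS UPDATE message (RFC 2136, opcode 5) of the kind Windows endpoints send, pulling out the zone and the host name and IPv4 address being registered, so a defender can see exactly what such a message discloses and flag updates addressed to a zone that is not served by their own name servers. The sample packet is constructed inline; the zone, host name and address are invented.

```python
import struct

def encode_name(name):  # dotted name -> DNS wire format, no compression
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(buf, off):  # wire-format name at off -> (name, next offset); follows pointers
    labels = []
    while True:
        ln = buf[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if (ln & 0xC0) == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(buf, ptr)[0]]), off + 2
        labels.append(buf[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def build_update(zone, host, ipv4, txid=0x1234):
    """Constructed sample: a minimal DNS UPDATE adding one A record (no prerequisites)."""
    header = struct.pack("!6H", txid, 5 << 11, 1, 0, 1, 0)      # opcode 5, 1 zone, 1 update RR
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)       # ZTYPE=SOA, ZCLASS=IN
    rr = encode_name(host) + struct.pack("!HHIH", 1, 1, 1200, 4)  # A, IN, TTL, RDLENGTH
    return header + zone_sec + rr + bytes(int(o) for o in ipv4.split("."))

def parse_update(pkt):
    """Return None unless pkt is a DNS UPDATE (opcode 5); else the zone and A records it adds."""
    _, flags, _, prcount, upcount, _ = struct.unpack("!6H", pkt[:12])
    if ((flags >> 11) & 0xF) != 5:
        return None
    zone, off = decode_name(pkt, 12)
    off += 4                                   # skip ZTYPE and ZCLASS
    for _ in range(prcount):                   # skip prerequisite RRs
        _, off = decode_name(pkt, off)
        off += 10 + struct.unpack("!H", pkt[off + 8:off + 10])[0]
    added = []
    for _ in range(upcount):
        name, off = decode_name(pkt, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata = pkt[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # IN A record: host name + internal IPv4
            added.append((name, ".".join(str(b) for b in rdata)))
    return {"zone": zone, "a_records": added}

def leaked_records(pkt, internal_zones):  # what leaks if the zone is not served by your own servers
    upd = parse_update(pkt)
    if upd is None or upd["zone"].lower() in internal_zones:
        return []
    return [f"{upd['zone']}: {host} -> {ip}" for host, ip in upd["a_records"]]
```

Feeding the output of `build_update("corp.example", "WS-FINANCE-07.corp.example", "10.20.30.40")` to `leaked_records` returns nothing when `corp.example` is in the internal zone set, and otherwise returns the host name and internal address the message would hand to whoever operates the zone's name server.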
Snooping made easy
During their Black Hat USA presentation, Wiz.io claimed that the scope and ease of exploitation posed by the vulnerability made “NSA spying as easy as registering a domain”.
More specifically, it was possible for anyone to register hosted zones on AWS associated with Route 53 name servers, exposing corporate DNS queries as a result.
Wiz.io discovered that a large credit union was running a subsidiary in Iran, while a mining firm maintained an office in the Ivory Coast – both apparent violations of the US Office of Foreign Assets Control regulations.
In addition, internal IPv6 addresses and (worse) NTLM / Kerberos authentication tickets are sometimes exposed.
Wiz.io examined six major DNSaaS providers, discovering three were vulnerable to the nameserver registration-based exploit.
AWS Route 53 has resolved the issues with its implementation, while the disclosure process remains ongoing between Wiz.io and the other two (as-yet unnamed) providers.
Google's services, at least, are in the clear.
“Google has blocked related domain names to protect customers from this issue and we have not seen any evidence of malicious abuse on our platform,” a spokesperson told The Daily Swig. “We are appreciative of Wiz.io’s work and the broader community’s efforts to identify potential exploits like this one.”
Corporate clients of any provider can address the issue themselves by modifying the default Start of Authority (SOA) record in their DNS setup.
This story was updated to add comment from Google