I’ve recently read two interesting papers dealing with DNS-related attacks. First, Andrew Hay pointed to a paper from the HoneyNet Project titled Know Your Enemy: Fast-Flux Service Networks. The HoneyNet Project is uniquely positioned to do something most of us cannot do on our own: monitor and trend threats. This position has allowed them to see fast-flux attacks first-hand, where DNS entries are changed dynamically to hide the source of malware downloads and control servers. I’d be willing to bet this concept has been in use for quite some time, only many researchers fire off one or two lookups, report the resulting domains, and that’s it. They likely never see the changes, and thus never realize they were not really doing much good.
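The point above is that a single lookup cannot reveal flux; you have to resolve the same name repeatedly and look at how the answer set moves. Below is an added example of that check in Python. It is not code from the original post or from the HoneyNet paper: the domain names, the lookup data and the thresholds are all constructed for illustration, and /24 diversity is used as an offline stand-in for the ASN diversity a real analysis would compute.

```python
"""Fast-flux heuristic over repeated lookups of the same name (constructed example)."""
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, List, NamedTuple


class Lookup(NamedTuple):
    ts: int            # seconds into the observation window
    domain: str
    ttl: int           # TTL of the A records in this answer
    ips: List[str]     # A records returned by this answer


def summarize(lookups: List[Lookup]) -> Dict[str, dict]:
    """Aggregate repeated answers per domain: IP/network diversity, TTL and churn."""
    by_domain: Dict[str, List[Lookup]] = defaultdict(list)
    for lk in lookups:
        by_domain[lk.domain].append(lk)
    result: Dict[str, dict] = {}
    for domain, obs in by_domain.items():
        obs = sorted(obs, key=lambda o: o.ts)
        ips = {ip for o in obs for ip in o.ips}
        # /24 diversity is an offline proxy for ASN diversity (assumption: no ASN database here)
        nets = {str(ip_network(f"{ip}/24", strict=False)) for ip in ips}
        # how often the answer set differs from the previous answer
        churn = sum(1 for a, b in zip(obs, obs[1:]) if set(a.ips) != set(b.ips))
        result[domain] = {
            "lookups": len(obs),
            "distinct_ips": len(ips),
            "distinct_nets": len(nets),
            "min_ttl": min(o.ttl for o in obs),
            "answer_changes": churn,
        }
    return result


def is_fast_flux(stats: dict, min_ips: int = 5, min_nets: int = 3,
                 max_ttl: int = 300, min_changes: int = 2) -> bool:
    """Assumed thresholds: many IPs spread over many networks, short TTLs,
    and answers that keep changing between lookups."""
    return (stats["distinct_ips"] >= min_ips
            and stats["distinct_nets"] >= min_nets
            and stats["min_ttl"] <= max_ttl
            and stats["answer_changes"] >= min_changes)


def flag_fast_flux(lookups: List[Lookup]) -> Dict[str, bool]:
    """Map each observed domain to whether it looks like a fast-flux name."""
    return {d: is_fast_flux(s) for d, s in summarize(lookups).items()}


# Constructed sample: five lookups of each name, two minutes apart.
# The flux name hands out short-TTL answers that change every time; the
# static name returns the same long-TTL record on every lookup.
SAMPLE = [
    Lookup(0,   "flux-download.example", 60, ["203.0.113.10", "198.51.100.7", "192.0.2.44"]),
    Lookup(120, "flux-download.example", 60, ["203.0.113.10", "198.51.100.88", "10.20.30.40"]),
    Lookup(240, "flux-download.example", 60, ["192.0.2.201", "172.16.9.9", "10.20.30.40"]),
    Lookup(360, "flux-download.example", 60, ["203.0.113.77", "198.51.100.7", "172.16.44.2"]),
    Lookup(480, "flux-download.example", 60, ["10.99.1.1", "192.0.2.44", "198.51.100.150"]),
    Lookup(0,   "static.example", 3600, ["203.0.113.5"]),
    Lookup(120, "static.example", 3600, ["203.0.113.5"]),
    Lookup(240, "static.example", 3600, ["203.0.113.5"]),
    Lookup(360, "static.example", 3600, ["203.0.113.5"]),
    Lookup(480, "static.example", 3600, ["203.0.113.5"]),
]

if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE).items():
        verdict = "FAST-FLUX" if is_fast_flux(stats) else "ok"
        print(f"{domain}: {stats} -> {verdict}")
```

Note what the single-lookup approach misses: if `SAMPLE` held only the first lookup of `flux-download.example`, `answer_changes` would be 0 and the name would not be flagged, which is exactly the blind spot described above. In practice the `Lookup` records would come from repeated `dig` runs (or a resolver library) spread over at least a few TTL intervals.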
I also see that Trusteer has a paper hosted describing cache poisoning against BIND 9 by leveraging predictable transaction IDs to update DNS caching servers surreptitiously. While this seems a bit exotic, I wouldn’t consider it too exotic. In fact, getting an outbound connection from an internal user shouldn’t be a huge problem, and that could be a big payoff if you can poison some major DNS entries. I think the biggest problem is just making sure you’re attacking a BIND 9 DNS caching server. I’ll dive into this paper more than my casual glance tonight. Considering our malware prevalence today, I think this can be easily leveraged by existing maldoers, but it may require a bit more targeting than blanket blind malware. I’m interested in whether the paper goes into countermeasures or how to combat this.
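To make the transaction-ID point concrete, here is an added toy model in Python of why a predictable TXID is fatal for a caching resolver. It is not code from the original post, from Trusteer's paper, or from BIND: the "predictable" generator is a deliberately simple stand-in (last value plus one), not BIND 9's real algorithm, and the resolver, domain names and addresses are constructed for illustration. The model keeps only what matters for the attack: a reply is accepted if its TXID and destination port match the outstanding query, and whichever matching reply arrives first wins.

```python
"""Toy model of DNS cache poisoning by guessing the transaction ID (constructed example).

The SequentialTxid generator is an assumed worst case, not BIND 9's actual TXID
algorithm or the weakness analysed in the Trusteer paper; it only illustrates
why any predictability collapses the attacker's search space.
"""
import random
from typing import Dict, Optional, Tuple


class SequentialTxid:
    """Predictable generator (assumed toy model): next TXID is last + 1."""
    def __init__(self, start: int = 0x1234) -> None:
        self.last = start

    def next(self) -> int:
        self.last = (self.last + 1) & 0xFFFF
        return self.last


class RandomTxid:
    """Unpredictable 16-bit TXID, what a correct resolver should use."""
    def __init__(self, seed: int) -> None:
        self.rng = random.Random(seed)

    def next(self) -> int:
        return self.rng.getrandbits(16)


class CachingResolver:
    """Minimal caching resolver: one outstanding query per name, fixed source port."""
    def __init__(self, txid_gen, source_port: int = 53) -> None:
        self.txid_gen = txid_gen
        self.source_port = source_port
        self.cache: Dict[str, str] = {}
        self.pending: Dict[str, Tuple[int, int]] = {}

    def send_query(self, qname: str) -> Tuple[int, int]:
        """Emit a query; returns (txid, source port) as they appear on the wire."""
        txid = self.txid_gen.next()
        self.pending[qname] = (txid, self.source_port)
        return txid, self.source_port

    def receive(self, qname: str, txid: int, dst_port: int, answer: str) -> bool:
        """Accept a reply only if TXID and port match the outstanding query.
        Once a matching reply is cached the query is no longer pending, so a
        later (genuine) reply for the same name is silently dropped."""
        if self.pending.get(qname) != (txid, dst_port):
            return False
        del self.pending[qname]
        self.cache[qname] = answer
        return True


VICTIM = "www.bank.example"
REAL_IP = "203.0.113.80"   # constructed: what the real authoritative server answers
EVIL_IP = "198.51.100.66"  # constructed: the attacker's server


def poison_predictable(resolver: CachingResolver) -> Optional[str]:
    """Learn one TXID, predict the next, forge a single reply."""
    # 1. Attacker gets the resolver to look up a name whose authoritative server
    #    the attacker runs, so the attacker observes that query's TXID and port.
    seen_txid, seen_port = resolver.send_query("probe.attacker.example")
    resolver.receive("probe.attacker.example", seen_txid, seen_port, EVIL_IP)
    # 2. Attacker triggers a lookup of the victim name and immediately sends a
    #    forged reply carrying the predicted TXID, ahead of the real reply.
    resolver.send_query(VICTIM)
    predicted = (seen_txid + 1) & 0xFFFF
    resolver.receive(VICTIM, predicted, seen_port, EVIL_IP)
    # 3. The genuine reply arrives afterwards and is ignored: nothing is pending.
    resolver.receive(VICTIM, predicted, seen_port, REAL_IP)
    return resolver.cache.get(VICTIM)


def poison_by_guessing(resolver: CachingResolver, max_forged: int) -> Optional[str]:
    """Against an unpredictable TXID the attacker can only spray guesses
    (here 0, 1, 2, ...) before the genuine reply lands.
    Returns the cached answer: EVIL_IP if poisoned, REAL_IP otherwise."""
    real_txid, port = resolver.send_query(VICTIM)  # the attacker does NOT see this
    for guess in range(max_forged):
        if resolver.receive(VICTIM, guess, port, EVIL_IP):
            break
    resolver.receive(VICTIM, real_txid, port, REAL_IP)
    return resolver.cache.get(VICTIM)


def success_probability(forged_replies: int, txid_bits: int = 16, port_bits: int = 0) -> float:
    """Chance that `forged_replies` distinct guesses hit a uniformly random
    TXID (and source port, if the resolver randomises that too)."""
    return min(1.0, forged_replies / 2 ** (txid_bits + port_bits))


if __name__ == "__main__":
    print("predictable TXID:", poison_predictable(CachingResolver(SequentialTxid())))
    print("random TXID, 200 forged replies:",
          poison_by_guessing(CachingResolver(RandomTxid(seed=7)), 200))
    print("P(success) with 200 forged replies, 16-bit TXID:", success_probability(200))
    print("P(success) with 200 forged replies, TXID + random port:",
          success_probability(200, 16, 16))
```

The asymmetry is the whole story: against the sequential generator one forged packet suffices, while against a uniformly random TXID the attacker's odds are bounded by forged replies divided by 2^16 per attempt, and adding an unpredictable source port pushes the space to roughly 2^32. The model also shows why "making sure you're attacking a BIND 9 caching server" matters: the prediction step in `poison_predictable` is specific to whatever generator the target actually runs.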
Lastly, this paper hosted by InfosecWriters is an excellent primer on DNS and DNS security. I recently read a DNS paper that was really well written, and I think this was it. I’m not sure where I got the link from, however.