
DHCP threats affect DNS security

As I have been working through DNS security issues recently, I have been reminded that one part of the defense is to ensure that you are talking to the right DNS server. DHCP compromise can undermine all of your traffic, including DNS.

Nightmare scenarios:

Infected PC

  • One PC near you has become infected with an attacker's remote control software.
  • The attacker installs a DHCP server, firewall, and routing software, among other tools.
  • The attacker configures the device's NIC with two addresses:
    • one for 192.168.1.x from your DHCP pool, and
    • one for 10.10.10.1/24 for the network he is creating.
  • Your PC boots. Instead of taking the correct DHCP response from your server, your PC accepts the alternative offer for 10.10.10.2/24, with 10.10.10.1 as your gateway and your DNS server.
  • All of your traffic now goes through his device. (Layer 2 traffic can bypass him, but any TCP traffic needs to be routed through him to get anywhere at all.)
  • His firewall software can use NAT to redirect any traffic anywhere he wants. Alternatively, he can store it locally, rewrite it, or drop it. The same applies to any replies.
  • He can rewrite (unencrypted) DNS traffic to give you an altered answer, even if you are hard-coded for a server other than the one in his DHCP offer.
  • If the attacker tries to do HTTPS inspection of your traffic, you will see a certificate error. But if you click past the certificate error, he owns your HTTPS traffic as well.

Public WiFi

An identical situation can occur with public WiFi. The attacker configures his device to match the WPA2 configuration of the public WiFi. (I have been told that the technology to do this is really cheap.) As long as his signal is stronger than any other access point, your PC will latch onto it. You are in a public setting, so you will certainly be configured for DHCP and you will only see a DHCP offer from him.

How to defend against this:

Public WiFi

  • Don't use public WiFi at all. Use the hotspot on your cell phone. It has the same vulnerability, but the WPA2 password is not published, so it cannot be easily mimicked.
  • If you do use public WiFi:
    • Don't enable auto-connect.
    • Use encrypted sessions for all of your traffic.
    • Do enable DNS over HTTPS in your browser to protect your DNS queries.
    • Do not click through any certificate errors.

Local Network

  • (Obvious) Keep the bad guys from getting in. Use SMTP filtering and web filtering to the max.
  • Use only managed switches that implement DHCP snooping.
    • You tell the switch which ports/addresses are legitimate DHCP servers, and the switch blocks any DHCP offers from other ports.
    • These switches can also keep track of DHCP leases, and block traffic from any device that is trying to use someone else's address assignment.
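The switch-side snooping above has a host-side counterpart: compare every DHCPOFFER you receive against an allow-list of your real server, gateway and DNS addresses. The following Python checker is an added example, not code from the original post; it parses the BOOTP header and DHCP options (RFC 2131/2132), flags offers that point elsewhere, and builds constructed sample offers (the 10.10.10.x rogue offer from the scenario above and a legitimate 192.168.1.x one; the allow-list address 192.168.1.1 is an assumption).

```python
import struct
from ipaddress import IPv4Address

# Allow-list for this LAN (assumed values): option 54 = server identifier, 3 = router, 6 = DNS server.
TRUSTED = {54: {"192.168.1.1"}, 3: {"192.168.1.1"}, 6: {"192.168.1.1"}}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 magic cookie at offset 236
DHCP_OFFER = 2                      # option 53 message type for DHCPOFFER


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed BOOTP header and the DHCP option list (RFC 2131/2132)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:  # 255 = end option
        if packet[i] == 0:                        # 0 = pad, has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    # op (offset 0) and yiaddr (offset 16, the address offered to us) are what the check needs
    return {"op": packet[0], "yiaddr": str(IPv4Address(packet[16:20])), "options": opts}


def ip_list(data: bytes) -> set:
    """Decode an option value that is a list of IPv4 addresses."""
    return {str(IPv4Address(data[j:j + 4])) for j in range(0, len(data) - 3, 4)}


def check_offer(packet: bytes) -> list:
    """Return findings for a DHCPOFFER; an empty list means it matches the allow-list."""
    p = parse_dhcp(packet)
    if p["op"] != 2 or p["options"].get(53) != bytes([DHCP_OFFER]):
        return []  # only server-to-client OFFER messages are checked
    findings = []
    for code, name in ((54, "server identifier"), (3, "router"), (6, "DNS server")):
        unexpected = ip_list(p["options"].get(code, b"")) - TRUSTED[code]
        if unexpected:
            findings.append(f"{name} {sorted(unexpected)} not trusted (offer for {p['yiaddr']})")
    return findings


def build_offer(yiaddr: str, server: str, router: str, dns: str) -> bytes:
    """Construct a minimal DHCPOFFER as sample input (constructed, not a captured packet)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # op=BOOTREPLY, htype, hlen, hops, xid, secs, flags
    hdr += b"\0" * 4 + IPv4Address(yiaddr).packed + b"\0" * 8   # ciaddr, yiaddr, siaddr, giaddr
    hdr += b"\0" * (16 + 64 + 128)                               # chaddr, sname, file
    opts = bytes([53, 1, DHCP_OFFER])
    for code, ip in ((54, server), (3, router), (6, dns)):
        opts += bytes([code, 4]) + IPv4Address(ip).packed
    return hdr + MAGIC_COOKIE + opts + b"\xff"


ROGUE = build_offer("10.10.10.2", "10.10.10.1", "10.10.10.1", "10.10.10.1")      # the post's rogue offer
LEGIT = build_offer("192.168.1.50", "192.168.1.1", "192.168.1.1", "192.168.1.1")  # a legitimate offer
```

Feed `check_offer` the UDP payload of each offer seen on port 68 and alert on any non-empty result; it catches the case from the scenario where the offer looks valid but names a different gateway or DNS server.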

