1.
DNS and You
A primer
K. Reid Wightman
Digital Bond Labs

2.
Two talks in one
• DNS squatting and malware
• DNS in deployment

3.
But first - Terminology
• DNS – Domain Name System
• Resolve hostname, like ‘digitalbond.com’ to IP
like 45.33.22.182
• DNS contains many record types
• NS, Name Server
• MX, Mail eXchange
• A, Name records
• PTR, Reverse name records
• There are others, but less interesting to this talk

4.
More Terminology
• Typosquatting
– Mistyping a domain name, many types
– Transpositions: Gogole.com instead of google.com
– Ommissions: gogle.com
– Insertions/repetitions: gooogle.com
– Replacements: goofle.com
• Homoglyphs: go0gle.com (GO0GLE.COM)
• Bitsquatting
– Bit error in a computer or router without ECC
– Googme.com < ‘l’ and ‘m’ are 1 bit difference,
0b01101100 versus 0b01101101

5.
On bitsquatting
• Fantastic talk on the topic at Defcon 19
– https://www.youtube.com/watch?v=lZ8s1JwtNas
– (Or, Artem Dinaburg, blog post at
http://dinaburg.org/bitsquatting.html )
• Fantastic followup on the topic at Defcon 23 with
more exploitation
– https://www.youtube.com/watch?v=4b5disac9g4
– (Or, look at Luke Young’s site: http://bitfl1p.com )
• Neat technique for big content distribution
networks (Facebook, Akamai, etc)

6.
Squatting Motivations
• Phishing
• Advertising revenue
• Offer/install Malware (adware/spyware, RATs,
etc)
• Sell the domain for $$$ to trademark holder

7.
Manufacturer Survey
• 11 Mfrs in survey

8.
Survey of 11 Industrial Mfrs
Basic Stats
• Focused on just ‘industrial’ domains
• 433 ‘squat’ domains
Replacement
Insertions
Bitsquatting
Omission
Repetition
Transposition
Homoglyph

9.
Survey of 11 Industrial Mfrs
‘MX’ Records
• 195/433 domains have MX records
• Of these, 22 accepted email to arbitrary users at
the domain
– Tested by emailing ‘joe.engineer@domain’ and
‘zatoichi@domain’ from custom source address
– This means someone may intercept your email if a
client typos an address
• What happens to these emails?
– One case of phishing!
– Not targeted though

10.
Phishing Example: SlEMENS.COM
• Sent emails to the slemens.com domain,
received phish to custom source address
– Incredibly unlikely that this was coincidence
– This was only example out of all domains tested
• This domain’s website previously hosted
malware; now it is just a park
– Note: domain owner is private, domain registered via
fabulous.com
– Note 2: domain register has not changed between
malware hosting and phishing (same privacy shield in
place)

11.
Survey of 11 Mfrs
‘A’ (and ‘AAAA’) Records
• Only tried ‘www.typodomain.com’
• 254 ‘live’ hosts
• 42% (107 hosts) advertising/for sale
• 11% (28 hosts) ‘suspicious redirect’ (changes daily)
• 4% (10 hosts) hosting direct malware downloads
– Malware usually targets user-agent string (Windows, OS X)
– Many sites use redirection network, target changes frequently
– Tracking cookies often used to determine behavior
– New/’0-day’ discovered for OS X
• 4% (10 hosts) hosting RAT pre-installers (popup window saying, ‘call
tech support/you have a virus’)
• 1% (2 hosts) hosting pornography
• 1% (2 hosts) ‘legit redirect’ (redirects to intended host)
• Remainder: ‘Under construction’ or Legit Business with similar name

12.
Siemsns.com redirect (1)

13.
Siemsns.com redirect (2)

14.
Siemsns.com redirect (3)

15.
More on Malware Hosting
• Windows Malware generally found on VirusTotal
– All ‘Adware/Spyware/RAT’
– No apparent ICS target (yet)
• OS X Malware:

16.
(Brief Update on that Malware)

17.
The Future of Squatting
• Prediction: clone websites hosting malware
– Already (sort of) happened to Schneider Electric, but
website is gone now (was at schneide-electric.com
[note missing ‘r’]).
– Domain /was/ owned
by individual in China
(Shenzhen)
– Domain now owned
by Schneider Electric
(good job!)

18.
Limitations
• For A records, can be difficult/impossible to know
‘who’ or ‘why’
– Ex: load one squat domain 5 times, get 5 different
redirects/payloads
– Many squats serve up pages based on User-Agent,
Referer, possibly more targeted info (country of
origin?)
• Could host interesting files for deep links, e.g.
support.industry.siemsns.com/path/to/software/
update

19.
Challenge
• Legally, it is difficult to ‘clean up’ a squatter
– Have to prove harm/trademark violation
– Legal options take a long time
– Legal options take lawyers, cost €€€
– Buying domain from squatter will probably cost €€€
• Often cheaper to just register all
bitsquat/typosquat domains
– Costs only a few k€ per year to do this
– May save a Big Problem in the future

20.
Tools & Tips
• Dnstwist to quickly see who owns domains
similar to yours
– https://github.com/elceef/dnstwist
– Usage: ‘dnstwist.py <domainname>’ to display all
squats
• Scour vendor sites for domain name typos
– We built a tool based on Scrapy
– Uses dnstwist to build bit-error/typo list, scrapes
website for links to bogon domains
– Watch https://github.com/digitalbond/scripts/

21.
Further Research
• Rent redirect time
– 11% of sites have changing redirects
– Majority of malware/helpdesk sites add to this number
– Domain owners sometimes ‘rent time’
– Research idea: rent time and see how many potential
victims we could get

22.
One down, one to go!
• DNS squatting and malware
• DNS in deployment

23.
DNS in Deployment
• Two sub-areas to this topic
– Internal network map leaking
– Data exfiltration via DNS
• Let’s dive in

24.
DNS Network Mapping
• DNS Zone Transfer *still* an issue
– Allows internet-users to retrieve hostname list
– 2014, ‘blindly’ coordinated with dow.com to
reconfigure their servers
• ~50,000 computer names+IP addresses being leaked
• Interior network layout revealed
– Can differentiate interior servers, cellular-hosted servers,
internet-facing servers
– Spend enough time, determine field site naming convention
• 1990s are calling us home

25.
DNS Network Mapping
• Hostnames often reveal purpose
– vpn.yourcompany.com: what could this be?
– *gw.yourcompany.com: gateways and perimeters
– dc*.yourcompany.com: domain controllers?
– Numbering conventions often reveal purpose
separation (10.0.0.0/8 vs 192.168.0.0/16 vs
172.16.0.0/20)
– etc
• IPv6 is often misconfigured
– Few firewalls block access
– Having these records exposed may be a problem

26.
DNS Network Mapping
• Example 1: dow.com
– Zone transfer returned 50,785 hosts
– Note: Dow has ~51,000 employees. Hmmmm.
192.168.0.0/16 (39790)
10.0.0.0/8 (5868)
172.16.0.0/20 (2437)
External IPv4 (1118)
External IPv6 (1572)

27.
Further Reading
• Rob Fuller (Twitter: @mubix) runs Deep Magic
– Indexes tons of DNS info
– http://www.deepmagic.com
– Great talks on DNS zone transfer and other issues by
Rob, look him up

28.
DNS for Data Exfiltration
• For attackers: wonderful way to get data out of
an ‘isolated’ network
• For defenders: painful thing to block

29.
DNS is Recursive
• Example: we want to know what computer is
‘mail.google.com’
– First, ask local DNS server
– Assuming it is not cached, local DNS must find the
answer

30.
DNS is Recursive
Client
Workstation
Corporate DNS
Server
ISP DNS Server
Google DNS
Server
COM DNS
Server
google.com
mail
mail.google.com
Root DNS
Server com
1
2
3,4
5,6 7

31.
DNS is Recursive
• …so you actually sent a request (via the local
DNS server) to a Google server
• You controlled the request data (‘mail’)
• Google controlled the response data (ip address)

32.
Tunneling Data
• Bad guys can run a special DNS server, meant
for bidirectional communication
– Ex: we own a domain for this purpose
– Special subdomain runs IP over DNS tunnel
– Queries == encoded data
– Responses == encoded data
– Great for free Internet access (expired prepaid 3G SIM
card, in-flight WiFi, or expensive hotel WiFi often
vulnerable)

33.
DNS Tunneling

34.
Tunneling
foobarbazbax.
evildomain.com
ICS LAN
Client
Workstation
Local DNS
Server
Corporate DNS
Server
ISP DNS Server
Hacker DNS
Server
COM DNS
Server
evildomain.com
foobarbazbax.evildomain.com

35.
Other DNS Exfiltration
• IP over DNS tunnel:
– Iodine, http://code.kryo.se/iodine/
• Generic ‘data over DNS’ tool (like netcat, but
uses DNS instead of IP) by Ron Bowes:
– dnscat2, https://github.com/iagox86/dnscat2
• Metasploit even includes DNS tunnels
– See payloads/windows/*/*dns, reverse shells and
meterpreter payloads available

36.
Challenge
• Blocking DNS entirely is best security option
• Next best: prevent your control system from
‘looking up’ external domains
– Most DNS servers can be configured to only forward
DNS requests for a fixed list of domains
– Example: Control zone DNS forwards requests for
corpdomain.com to corporate DNS, and rejects
queries for any other domain.
• Opportunity: IDS rules testing…

37.
Blocking External Lookups
foobarbazbax.
evildomain.com
ICS LAN
Client
Workstation
Forward
corpdomain.com
Reject *
Corporate DNS
Server
evildomain.com request never forwarded

38.
Q&A
Contact:
Email: wightman@digitalbond.com
Twitter: @ReverseICS