T 5.155 Exploitation of dynamic DNS updates
Dynamic updates are used to modify, add or delete data of the domain name space in an automated manner. In connection with DHCP in particular, dynamic updates play an important role. If a host is assigned an IP address by the DHCP server, this information must also be updated in the domain name space. In general, this is achieved by using dynamic updates.
However, there is a risk that dynamic updates are misused. Because domain information is changed automatically, security rests on the trustworthiness of the computers that are permitted to perform dynamic updates and on the rules defining what they may modify. If dynamic updates from any source are accepted, every host can change the domain information as it wishes. An attacker can thus manipulate all services that rely on DNS. Furthermore, a combination with attacks such as phishing, infection with malicious software (malware) etc. is very likely.
Example:
- An attacker has found out that the DNS servers of a company unconditionally accept dynamic updates due to a configuration error. The attacker exploits this knowledge and manipulates the domain information in such a way that the company's entire e-mail traffic is routed via the attacker's mail server. The attacker thereby obtains business-critical information, which is sold to competitors of the attacked company. In addition, the domain information is manipulated so that every connection to the company's intranet and web server is redirected to the attacker's web server. There, the attacker tries to infect the computers with malware and integrate them into a botnet. Afterwards, the request is redirected to the originally requested intranet or web server in order to remain undetected. Thus, not only the company's internal computers but also external computers that access the web server are compromised.
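The following named.conf fragments are an added illustration and not part of the original threat description. They contrast the misconfiguration described above (a BIND zone accepting updates from any source) with a restricted configuration in which only the DHCP server, holding a TSIG key, may update address records, and all update attempts are logged. Zone names, file paths and the key name are assumed values; the secret is a placeholder.

```conf
// --- Before: the misconfiguration described in the threat ---
// Any host that can reach the server may add, change or delete records,
// including MX and A records for the mail and web servers.
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { any; };
};

// --- After: updates only from the DHCP server, and only for host records ---
// Shared TSIG key; the DHCP server signs each update with it.
// The secret below is a placeholder, not real key material.
key "dhcp-update-key" {
    algorithm hmac-sha256;
    secret "<BASE64-TSIG-SECRET-PLACEHOLDER>";
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    // grant <key> <matchtype> [<name>] <record types>
    // "zonesub" matches any name in this zone; MX, NS, CNAME and other
    // record types are not listed, so they cannot be touched via DDNS.
    update-policy {
        grant dhcp-update-key zonesub A AAAA;
    };
};

zone "10.in-addr.arpa" IN {
    type master;
    file "10.in-addr.arpa.zone";
    update-policy {
        grant dhcp-update-key zonesub PTR;
    };
};

// Log every accepted update and every rejected or unsigned attempt, so that
// unexpected sources or record types can be detected.
logging {
    channel ddns_log {
        file "/var/log/named/ddns.log" versions 5 size 10m;
        severity info;
        print-time yes;
    };
    category update { ddns_log; };
    category update-security { ddns_log; };
};
```

The "before" and "after" zone statements are alternatives for the same zone and must not both be present in one configuration.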