A security hole found in Google's DNS service is so wide that it could lead to an untold number of compromised accounts in Australia, according to new research.
The researchers, who work for cybersecurity firm CrowdStrike, have discovered that when an administrator visits an infected website, the DNS lookup for the domain name is automatically forwarded to a second, less secure host, which then passes it on to an attacker by way of a specially crafted DNS query.
While that sounds like an innocuous scenario, the researchers said it could allow an attacker to hijack an entire internet traffic stream with little effort.
“There is a risk that an attacker could hijack the DNS request from the first host, and the DNS response would then go to the second host,” the researchers wrote in a blog post.
“This means an attacker who could intercept the request could send DNS queries from a remote host to the target.”
The researchers identified the attack by monitoring DNS requests and the DNS responses that followed them.
The second host in the chain then forwards the DNS requests back to the first host, so that the attacker can execute the DNS queries themselves.
“Our results suggest that DNS forwarding could potentially allow an attack to hijack any DNS request made to an un-privileged host,” they wrote.
“A malicious DNS request can allow an adversary to send an arbitrary DNS query to any un-protected host, bypassing DNS protections.”
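The monitoring the researchers describe, pairing each DNS request with the response that follows it, can be expressed as a small audit over captured packets. The following is an added example written for this page, not code from CrowdStrike or the researchers. It builds its own DNS wire messages so it runs offline, uses constructed sample traffic with assumed addresses (10.0.0.5 as the client, 10.0.0.53 as its resolver, 203.0.113.9 as a host it never asked), and flags a response that arrives from a host other than the one the query was sent to, an unsolicited response, and a query that was never answered.

```python
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    src: str       # source IP of the UDP datagram
    dst: str       # destination IP of the UDP datagram
    payload: bytes  # raw DNS message (RFC 1035 wire format)


def encode_name(name):
    """Encode a dotted name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at offset `off`; returns (name, offset after the name)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def build_query(txid, qname, qtype=1):
    # flags 0x0100: standard query, recursion desired; one question
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, qname, ip, qtype=1):
    # flags 0x8180: response, recursion desired + available; one answer (A record)
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(x) for x in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, 4) + rdata
    return hdr + question + answer


def parse(msg):
    """Return (transaction id, is_response, question name, question type)."""
    txid, flags, _qdcount = struct.unpack("!HHH", msg[:6])
    qname, off = decode_name(msg, 12)  # question section starts after the 12-byte header
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    return txid, bool(flags & 0x8000), qname, qtype


def audit(packets):
    """Pair responses with the queries they answer and report anomalies."""
    pending = {}   # (txid, qname, qtype) -> query packet still awaiting an answer
    findings = []
    for p in packets:
        txid, is_resp, qname, qtype = parse(p.payload)
        key = (txid, qname.lower(), qtype)
        if not is_resp:
            pending[key] = p
            continue
        q = pending.pop(key, None)
        if q is None:
            findings.append(("unsolicited", key, p.src))
        elif p.src != q.dst or p.dst != q.src:
            # The answer came from a host other than the resolver that was asked:
            # the request was forwarded or intercepted somewhere along the way.
            findings.append(("mismatched-peer", key,
                             f"asked {q.dst}, answered by {p.src} to {p.dst}"))
        else:
            findings.append(("ok", key, p.src))
    for key, q in pending.items():
        findings.append(("unanswered", key, q.dst))
    return findings


# Constructed sample traffic (not a real capture); addresses are assumptions.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.53", build_query(0x1A2B, "example.com")),
    Packet("10.0.0.53", "10.0.0.5", build_response(0x1A2B, "example.com", "93.184.216.34")),
    Packet("10.0.0.5", "10.0.0.53", build_query(0x1234, "login.example.org")),
    Packet("203.0.113.9", "10.0.0.5", build_response(0x1234, "login.example.org", "203.0.113.9")),
    Packet("203.0.113.9", "10.0.0.5", build_response(0x4444, "mail.example.org", "203.0.113.9")),
    Packet("10.0.0.5", "10.0.0.53", build_query(0x5555, "intranet.example.org")),
]


def run_sample():
    return audit(SAMPLE)


if __name__ == "__main__":
    for kind, key, detail in run_sample():
        print(f"{kind:16} id=0x{key[0]:04x} {key[1]:24} {detail}")
```

The pairing key (transaction ID plus question) is the same one a real stub resolver uses, with the source port as the only extra; an attacker who can intercept the request, as the quoted researchers put it, can copy all of those, so what this audit catches is the answer arriving from the wrong peer, not a response forged to look as if it came from the resolver itself. Running it on a real capture would mean replacing SAMPLE with packets decoded from a pcap.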
CrowdStrike is one of several companies working on mitigating DNS attacks, and it is one source of new insight into the flaw.
“It’s a big deal,” says Kevin Gallagher, chief research officer at cybersecurity firm SecureWorks. “DNS is a critical component in a lot of internet services, and if it can be compromised, you’re in real trouble.”
Gallagher says that if DNS were to be compromised it could open a whole new attack vector.
“The problem with DNS is that if you’re trying to get a remote user to go to a website and they’re compromised, they can potentially get compromised themselves,” Gallagher says.
“The next thing you can do is take that user to a remote server where they could use the same credentials to get in.”
The flaw was discovered in April, when the researchers started looking at the behaviour of the DNS servers used to forward DNS requests, and saw which DNS servers were in use across the entire internet.
“They’re all in the same place, all looking at a common domain name,” Gallagher said.
“It looks like they’re using a common DNS server, which means that they’re all trying to forward traffic to the same address.”
A second, smaller DNS server also appears to be involved in the hijacking: when it opens a connection, the malicious DNS query is sent on to the other, less-privileged host.
“This is a massive security hole,” Gallagher warned.
“We’ve never seen anything like this before.”
The DNS server used by the second, less secure host is known as a “dual DNS server”.
This is because the second server is also the DNS service for a different domain, which likewise appears in the DNS output.
“If the second DNS server doesn’t know that this second host is the target of the attack and they don’t know the DNS domain name, they’ll have this DNS query that’s not encrypted,” Gallagher added.
The second DNS host, in turn, forwards the second request to the DNS host that was already configured for the attack.
This allows the DNS hijacker to open a new connection to the attacker.
“When you open the second connection, the attacker basically gets access to the entire traffic stream and gets the DNS query, and they get to send the query to the targeted server,” Gallagher explained.
The attack can be triggered by malicious requests to a specific address or by DNS queries that are handled incorrectly.
Gallagher said that if the second domain server in the cluster were compromised, that would also have a serious impact on the scope of the attack.
“Because the second site has access to your DNS server it’s very easy for it to have a malicious DNS response and be able to send malicious DNS queries to any of the un-securable hosts,” Gallagher wrote.
The DNS attack is likely to be harder to detect in Australia than in the US, where the security gap was revealed to the world in June.
Gallagher and co-author Ben Gazzaratti, of security firm SecuriSec, say they have seen more DNS traffic from Australia than from anywhere else in the world.
“That’s a huge number of attacks, and Australia’s been particularly hard hit,” Gallagher told ABC News.
“When we looked at the DNS attack, the majority of the attacks we identified were from Australia.”
Gallagher believes that Australia will be the next target.
“With all of the issues around Australian security, the fact that we have this issue with DNS, the lack