All your DNS were belong to us: AWS and Google Cloud shut down spying vulnerability

Until February this year, Amazon Route53's DNS service offered largely unappreciated network eavesdropping capabilities. And this undocumented spying option was also available at Google Cloud DNS and at least one other DNS-as-a-service provider.

In a presentation earlier this week at the Black Hat USA 2021 security conference in Las Vegas, Nevada, Shir Tamari and Ami Luttwak from security firm Wiz, described how they found a DNS name server hijacking flaw that allowed them to spy on the dynamic DNS traffic of other customers.

"We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google," explained Tamari in a blog post. "Essentially, we 'wiretapped' the internal network traffic of 15,000 organizations (including Fortune 500 companies and government agencies) and millions of devices."

To do so, all that was required was to register a new domain on Route53 with the same name as AWS's official DNS server. More specifically, they created a new "hosted zone" within AWS name server ns-1611.awsdns-09.co.uk that they called ns-852.awsdns-42.net.

"Whenever a domain is added to Route53, four different DNS servers are selected to manage the domain," explained Tamari. "We made sure that any nameserver we register on the platform falls under the management of the same server."

After repeating this process on some 2,000 name servers on AWS, they had partial control of the hosted zone and pointed it to their own IP address. That way, when a DNS client queries the name server about itself – a common occurrence in dynamic DNS setups – they capture that dynamic DNS traffic.

Tamari and Luttwak found a variety of sensitive data during their experiment, including computer names, employee names, office locations, and information about organizations' exposed web resources. For example, they claim they identified a company that appeared to be violating US trade sanctions. Malicious adversaries could use this data to help launch network attacks.

• 'Anomalous surge in DNS queries' knocked Microsoft's cloud off the web last week
• BT promises firmware update for Mini Whole Home Wi-Fi discs to prevent obsessive Big Tech DNS lookups
• Fortinet's security appliances hit by remote code execution vulnerability
• Apple, Microsoft, PayPal among 35 organizations compromised by evil twin dependencies attack

According to Tamari, Amazon and Google have fixed this issue in their respective DNS services, but other DNS service providers may still be vulnerable. The researchers said three of the six DNS-as-a-service providers they'd found were vulnerable.

The researchers attribute the vulnerability to the way Microsoft's dynamic DNS (RFC 2136) algorithm works in Windows.

"Microsoft machines use a unique algorithm to find and update the master DNS server on IP address changes," explained Tamari. "Eventually the algorithm will query the hijacked nameserver for its own address." And that sends the dynamic DNS traffic to the malicious IP address.

Microsoft, however, does not plan to revise its algorithm, Tamari said, because Redmond does not consider this to be a vulnerability. Rather the company sees it as a known misconfiguration issue when customers work with external DNS resolvers.

Microsoft did not immediately respond to a request for comment.

Tamari said it's up to organizations to configure their DNS resolvers to prevent dynamic DNS updates from leaving their network.

"Google has blocked related domain names to protect customers from this issue and we have not seen any evidence of malicious abuse on our platform," a company spokesperson said in a statement emailed to The Register. "We are appreciative of Wiz.io's work and the broader community’s efforts to identify potential exploits like this one."

Amazon did not immediately respond to a request for comment. ®