Hijacking DNS as a Cheap Content Filter
Restricting access to specific Internet web services is a
challenge shared by all network administrators. Whether the reason for
restricting access is based on security, bandwidth, or productivity, installing
and maintaining proxy and content filter applications may be outside the budget
of a small IT department.
The solution provided here offers a cumbersome approach for a small investment: $0.
All web services, such as HTTP, FTP, IRC, IM, NNTP and SMTP, are predominantly called by name when end users want to access them. An internal DNS server usually hosts records for only the internal namespace. Queries for the external (Internet) namespace are generally forwarded to an ISP’s or another DNS server.
DNS hijacking on the LAN allows an administrator to redirect all Internet requests for a domain or server to an internal server or to nowhere (127.0.0.1).
If an administrator wanted to hijack and redirect all users’ connections to google.com, he’d only need to add a Primary Lookup Zone for the domain name.
The steps for Server 2003 are as follows:
- Open the DNS console
- Expand your server
- Right-click Forward Lookup Zones and select New Zone.
- Click Next on the Wizard welcome page.
- Create a Primary Forward Lookup Zone. Do NOT integrate the zone with Active Directory if the option appears.
- Type the name of the zone: google.com
- Accept the default file name for the zone and click Next.
- Click Next.
- Click Finish.
Your DNS server is now authoritative for google.com. Instead of forwarding your clients’ DNS queries to the ISP DNS server, the server returns any records it holds in its own database. If the requested record does not exist, the DNS server tells the client that the name does not exist.
Create host records for the default namespace (i.e. google.com) and any hosts that you want to redirect (e.g. www.google.com). If you simply want the connections to die, saving any Internet bandwidth that would have otherwise been used, set the IP address for each host record to 127.0.0.1. This will cause a client machine to attempt to connect to itself instead of the requested server. In most cases, this simply returns an error to the application that requested the Internet server.
Mail can be redirected by creating an MX record in the Zone you’ve chosen to hijack.
GETTING FANCY – REDIRECTION TO A BANNED ACCESS PAGE
An administrator can redirect all web requests to hijacked servers to an internal web page that reiterates the network policy. For example, when a user browses to www.google.com, he instead reaches a web page that proclaims, “You attempted to access an inappropriate web page. This action has been logged.”
If you want to get really sophisticated, you can use ASP.NET to build a neat page that reads the HTTP request and user token to personalize the page. If you are a masochist, you can tie it to a SQL database and log all transgressions.
CREATING THE BANNED ACCESS PAGE
- Install the Windows Web Service (Add/Remove Programs>Add/Remove Windows Components>Application Server)
- In C:\inetpub\wwwroot drop a web page saying nasty stuff to your end users. Name it default.html.
- Use this server’s IP address instead of 127.0.0.1 for all records you’d like to hijack.
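To make the behaviour of the hijacked zone concrete (both the 127.0.0.1 sinkhole above and the redirect to the banned-access page), here is a small added model of how the DNS server answers once it is authoritative for a zone; it is example code, not part of the original article. The zone contents, the ISP forwarder's answers and the banned-page address 10.0.0.5 are constructed sample data, and `missing_hosts` is a hypothetical audit helper that lists names under a hijacked zone that clients ask for but that have no record (they get NXDOMAIN rather than being forwarded).

```python
# Added example (not from the original article): a minimal model of how a
# Windows DNS server answers once it is made authoritative for a hijacked zone.
# Names under a locally hosted zone are answered from that zone (or get NXDOMAIN
# when no record exists); everything else is forwarded to the ISP resolver.
# Zone contents and the "ISP" answers below are constructed sample data.

SINKHOLE = "127.0.0.1"          # connections die on the client itself
BANNED_PAGE = "10.0.0.5"        # hypothetical internal IIS host serving default.html

# Hijacked primary zones, keyed by zone name, each mapping owner name -> A record.
# "@" is the zone apex (google.com itself).
ZONES = {
    "google.com": {"@": BANNED_PAGE, "www": BANNED_PAGE},
    "example.net": {"@": SINKHOLE, "www": SINKHOLE},
}

# Constructed stand-in for the ISP forwarder's answers.
UPSTREAM = {"intranet.example.org": "10.0.0.10", "mail.example.org": "203.0.113.25"}


def find_zone(name):
    """Return the longest locally hosted zone that contains `name`, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONES:
            return candidate
    return None


def resolve(name):
    """Answer a client's A query the way the hijacking DNS server would.

    Returns the IP as a string, "NXDOMAIN" when the zone is hosted locally but
    the host record was never created, or None when the forwarder has no answer.
    """
    name = name.lower().rstrip(".")
    zone = find_zone(name)
    if zone is None:
        return UPSTREAM.get(name)                 # forwarded to the ISP resolver
    owner = name[: -len(zone)].rstrip(".") or "@"
    return ZONES[zone].get(owner, "NXDOMAIN")     # authoritative: never forwarded


def missing_hosts(zone, seen_names):
    """Names under `zone` that clients query but that have no record yet (they fail silently)."""
    return sorted({n for n in seen_names
                   if find_zone(n) == zone and resolve(n) == "NXDOMAIN"})
```

Feed `missing_hosts` the names from your DNS debug log to see which subdomains of a hijacked zone you broke without meaning to, and add records for the ones that should keep working.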
BAD SOLUTION – GOOD PRICE
This solution is not scalable, dynamic or easy to maintain. But it is free. And it works.
If the client knows the IP Address of the remote server, he can still connect directly by IP Address.
If the client changes his DNS Server to an Internet DNS server, it bypasses the entries for the hijacked domains. However, if the client is on an Active Directory domain, he will lose access to the domain controllers and Active Directory.
Clients can use a web proxy to view desired web content. External web proxies do not rely on the internal DNS server for name resolution.
TAKING IT FARTHER
While this technique is seldom used in a corporate environment, I’ve seen a few instances of domain hijacking of instant messenger domains. Applications like Yahoo Instant Messenger and AOL Instant Messenger connect to servers with known names. Administrators break the ability to connect to the outside service by hijacking the names.