Hijacking DNS as a Cheap
Restricting access to specific Internet web services is a
challenge shared by all network administrators. Whether the reason for
restricting access is based on security, bandwidth, or productivity, installing
and maintaining proxy and content filter applications may be outside the budget
of a small IT department.
The solution provided here offers a cumbersome approach
for a small investment: $0.
All web services, such as HTTP, FTP, IRC, IM, NNTP and
SMTP are predominantly called by name when end users want to access them. An
internal DNS server usually hosts records for only the internal namespace. All
external (Internet) namespace is generally forwarded to an ISP’s or other DNS
DNS hijacking on the LAN allows an administrator to
redirect all Internet requests for a domain or server to an internal server or
to nowhere (127.0.0.1).
If an administrator wanted to hijack and redirect all
users’ connections to google.com,
he’d only need to add a Primary Lookup Zone for the domain name.
The steps for Server 2003 are as follows:
- Open the DNS console
- Expand your server
- Right-click Forward Lookup Zones and select New
- Click Next on the Wizard welcome page.
- Create a Primary Forward Lookup Zone. Do NOT integrate
the zone with Active Directory if the option appears.
- Type the name of the zone: google.com
- Accept the default file name for the zone and click Next.
- Click Next.
- Click Finish.
Your DNS server is now authoritative for google.com.
Instead of forwarding your clients’ DNS queries to the ISP DNS server, the
server returns any records it holds in its own database. If the requested
record does not exist, the DNS server tells the client that the name does not
Create host records for the default namespace (i.e.
google.com) and any hosts that you want to redirect (e.g. www.google.com).
If you simply want the connections to die, saving any Internet bandwidth that
would have otherwise been used, set the IP Address for each host record to
127.0.0.1. This will cause a client machine to attempt to connect to itself
instead of the requested server. In most cases, this simply returns an error to
the application that requested the Internet Server
Mail can be redirected by creating an MX record in the Zone
you’ve chosen to hijack.
GETTING FANCY – REDIRECTION TO A BANNED ACCESS PAGE
An administrator can redirect all web requests to
hijacked servers to an internal web page that reiterates the network policy.
For example, when a user browses to www.google.com,
he instead reaches a web page that proclaims, “You attempted to access an
inappropriate web page. This action has been logged.”
If you want to get really sophisticated, you can use
ASP.NET to build a neat page that reads the HTTP request and user token to
personalize the page. If you are a masochist, you can tie it to a SQL database
and log all transgressions.
CREATING THE BANNED ACCESS PAGE
- Install the Windows Web Service (Add/Remove
Programs>Add/Remove Windows Components>Application Server)
- In C:\inetpub\wwwroot drop a web page saying
nasty stuff to your end users. Name it default.html.
- Use this server’s IP address instead of 127.0.01 for
all records you’d like to hijack.
BAD SOLUTION – GOOD PRICE
This solution is not scalable, dynamic or easy to
maintain. But it is free. And it works.
If the client knows the IP Address of the remote server,
he can still connect directly by IP Address.
If the client changes his DNS Server to an Internet DNS
server, it bypasses the entries for the hijacked domains. However, if the
client is on an Active Directory domain, he will lose access to the domain
controllers and Active Directory.
Clients can use a web proxy to view desired web content.
External web proxies do not rely on the internal DNS server for name
TAKING IT FARTHER
While this technique is seldom used in a corporate
environment, I’ve seen a few instances of domain hijacking of instant messenger
domains. Applications like Yahoo Instant Messenger and AOL Instant Messenger
connect to servers with known names. Administrator break the ability to connect
to the outside service by hijacking the names.