A New Class of DNS Vulnerabilities Affecting Many DNS-as-Service Platforms

Conference: BlackHat USA 2021



The presentation discusses a vulnerability in Route 53 DNS service that allowed the speaker to register a malicious DNS server and receive dynamic DNS traffic from millions of endpoints. This led to the creation of a nation-state intelligence capability that mapped thousands of companies and government agencies.
  • The speaker discovered a vulnerability in Route 53 DNS service that allowed them to register a malicious DNS server and receive dynamic DNS traffic from millions of endpoints
  • The dynamic DNS traffic allowed the speaker to map thousands of companies and government agencies, including their external and internal IPs, office locations, and computer names
  • The speaker was able to leverage this intelligence to ask interesting questions, such as identifying companies with offices in forbidden countries
  • The vulnerability was fixed by Amazon in February 2021, but other DNS service providers may also be susceptible to this attack

The speaker was able to map a top services company with over 40,000 endpoints spread around the world, including all of their office branches and home locations of their employees. They were also able to zoom in on specific office locations and identify 600 endpoints reporting to them. This illustrates the extent of the intelligence capability created through the vulnerability in Route 53 DNS service.


We present a novel class of DNS vulnerabilities that affect multiple DNS-as-a-Service (DNSaaS) providers. The vulnerabilities have been proven and successfully exploited on three major cloud providers, including AWS Route 53, and may affect many others. Successful exploitation of the vulnerabilities may allow exfiltration of sensitive information from service customers' corporate networks. The leaked information contains internal and external IP addresses, computer names, and sometimes NTLM / Kerberos tickets.

The root cause of the problem is the non-standard implementation of DNS resolvers that, when coupled with specific unintended edge cases on the DNS service provider's side, causes major information leakage from internal corporate networks. In this research, we detail a specific vulnerability that is common across many major DNS service providers and leads to information leakage in connected corporate networks. Specifically, we show how Microsoft Windows endpoints reveal sensitive customer information when performing DNS update queries.

The security risk is high. If an organization's DNS updates are leaked to a malicious third party, they reveal sensitive network information that can be used to map the organization and plan operations against it. Internal IP addresses reveal the network segments of the organization; computer names hint at the potential content they may hold; external IP addresses expose geographical locations and the organization's sites throughout the world; and internal IPv6 addresses are sometimes accessible from the outside and allow an entry point into the organization.

The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration. Any cloud provider, domain registrar, or website host who provides DNSaaS could be vulnerable. The number of organizations vulnerable to this weakness is shocking. Over a few hours of DNS sniffing, we received DNS updates from 992,597 Windows endpoints from around 15,000 potentially vulnerable companies, including 15 Fortune 500 companies. In some organizations, more than 20,000 endpoints actively leaked their information out of the organization.

Exploiting the weakness is very easy. A single attacker with a single cloud account can get information on thousands of organizations in one step. There are several possible mitigations to this problem. We will review the solutions for both DNSaaS providers and managed networks.
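The abstract describes Windows endpoints sending DNS UPDATE messages (RFC 2136, opcode 5) that carry the host's name and internal IP address to whatever nameserver the zone resolves to. The following Python is an added example, not code from the talk or from any DNSaaS provider: it parses the wire format of an UPDATE message and applies the check a network defender would run over captured DNS traffic, flagging updates that leave the network toward a nameserver the organization does not control and that carry RFC 1918 addresses. The zone name, hostname, nameserver address and all IP ranges are constructed placeholders, and the sample packet is built inline so the example runs offline.

```python
import struct
from ipaddress import ip_address, ip_network

OPCODE_UPDATE = 5  # RFC 2136 DNS UPDATE opcode

# Constructed placeholders: the organisation's own authoritative servers and
# the private ranges whose appearance in an outbound update is a leak.
CORPORATE_NAMESERVERS = {"10.0.0.53"}
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]


def _read_name(pkt, off):
    """Read a DNS name at `off`, following compression pointers.
    Returns (dotted name with trailing dot, offset after the name)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_dns_update(pkt):
    """Return None unless `pkt` is a DNS UPDATE; otherwise the zone, the names
    in the update section and any A/AAAA addresses they register."""
    msg_id, flags, zocount, prcount, upcount, _ = struct.unpack_from("!6H", pkt, 0)
    if (flags >> 11) & 0xF != OPCODE_UPDATE or zocount != 1:
        return None
    zone, off = _read_name(pkt, 12)
    off += 4  # skip ZTYPE and ZCLASS
    names, addresses = [], []
    for section, count in (("prereq", prcount), ("update", upcount)):
        for _ in range(count):
            name, off = _read_name(pkt, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
            off += 10
            rdata = pkt[off:off + rdlen]
            off += rdlen
            if section == "update":
                names.append(name)
                if (rtype, rdlen) in ((1, 4), (28, 16)):  # A or AAAA
                    addresses.append(str(ip_address(rdata)))
    return {"id": msg_id, "zone": zone, "names": names, "addresses": addresses}


def flag_update(src_ip, dst_ip, pkt):
    """Defender's check: does this UPDATE leave the network, and does it
    carry internal addresses? Returns None for non-UPDATE traffic."""
    upd = parse_dns_update(pkt)
    if upd is None:
        return None
    leaves_network = dst_ip not in CORPORATE_NAMESERVERS
    exposes_internal = any(ip_address(a) in net
                           for a in upd["addresses"] for net in INTERNAL_RANGES)
    return {"src": src_ip, "dst": dst_ip, "zone": upd["zone"],
            "names": upd["names"], "addresses": upd["addresses"],
            "leaves_network": leaves_network,
            "exposes_internal_ip": exposes_internal}


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_sample_update():
    """Constructed sample: a dynamic update registering laptop42's A record
    (10.1.2.3) in zone corp.example.com, with no prerequisites."""
    header = struct.pack("!6H", 0x1234, OPCODE_UPDATE << 11, 1, 0, 1, 0)
    zone = _encode_name("corp.example.com") + struct.pack("!HH", 6, 1)  # SOA, IN
    rr = (_encode_name("laptop42.corp.example.com")
          + struct.pack("!HHIH", 1, 1, 1200, 4) + bytes([10, 1, 2, 3]))
    return header + zone + rr


def build_sample_query():
    """Constructed sample: an ordinary A query, which the check must ignore."""
    return (struct.pack("!6H", 0x0001, 0x0100, 1, 0, 0, 0)
            + _encode_name("www.example.com") + struct.pack("!HH", 1, 1))


if __name__ == "__main__":
    # Same packet seen twice: once to the corporate server, once to an outside one.
    print(flag_update("10.1.2.3", "10.0.0.53", build_sample_update()))
    print(flag_update("203.0.113.7", "198.51.100.9", build_sample_update()))
```

Running the check over a packet capture or a DNS firewall's logs turns the abstract's observation into a concrete alert: any UPDATE whose destination is outside `CORPORATE_NAMESERVERS` is an endpoint that has been pointed, through a zone it does not control, at a server that will happily record its name and address.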