A new class of DNS vulnerabilities affecting many DNS-as-Service platforms

Conference: Defcon 29



The presentation discusses the creation of an intelligence capability through DNS traffic analysis, which allows for the mapping of thousands of organizations and millions of endpoints. The vulnerability in DNS registration and dynamic DNS updates is exploited to gain access to this data.
  • DNS traffic analysis can provide a wealth of information on organizations, including external and internal IP ranges, computer names, and network mapping
  • A vulnerability in DNS registration and dynamic DNS updates allows for the hijacking of name servers and access to millions of endpoints
  • The resulting intelligence capability can map thousands of organizations and provide valuable insights, such as identifying foreign assets control violations or subsidiaries in restricted countries
The speaker provides an example of mapping a top services company with over 40,000 endpoints spread around the world, including office branches and home locations of employees. The presentation also highlights the ability to zoom in on specific office locations and detect endpoints reporting from Iran, which could indicate a violation of sanctions.


We present a novel class of DNS vulnerabilities that affects multiple DNS-as-a-Service (DNSaaS) providers. The vulnerabilities have been proven and successfully exploited on three major cloud providers including AWS Route 53 and may affect many others. Successful exploitation of the vulnerabilities may allow exfiltration of sensitive information from service customers' corporate networks. The leaked information contains internal and external IP addresses, computer names, and sometimes NTLM hashes. The number of organizations vulnerable to this weakness is shocking. Over a few hours of DNS sniffing, we received sensitive information carried by DNS update queries from ~1M Windows endpoints from around 15,000 potentially vulnerable companies, including 15 Fortune 500 companies. In some organizations, there were more than 20,000 endpoints that actively leaked their information out of the organization. We will review possible mitigations to this problem and solutions for both DNSaaS providers and managed networks.

REFERENCES:
I. Microsoft Windows DNS Update algorithm explained - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003
II. An excellent blog post by Matthew Bryant on hijacking DNS Updates abusing a dangling domain issue on Guatemala State's Top Level Domain - https://thehackerblog.com/hacking-guatemalas-dns-spying-on-active-directory-users-by-exploiting-a-tld-misconfiguration/
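The leak the abstract describes rides on ordinary dynamic DNS UPDATE messages (RFC 2136, opcode 5) that Windows endpoints send to whichever server they believe is authoritative for their zone. A network defender can therefore spot affected endpoints from the wire: any UPDATE leaving the organisation toward a server that is not one of its own DNS servers is carrying host names and addresses out. The following script is an added example and is not code from the talk or from any provider; it parses UPDATE messages from raw DNS payloads and reports the ones sent to servers outside an allow-list. The zone `corp.example`, the host `ws-alice`, and every IP address and transaction id in it are constructed placeholders, and the capture format (pairs of destination IP and DNS payload) is an assumption standing in for whatever packet source you actually use.

```python
"""Detect dynamic DNS UPDATE messages (RFC 2136, opcode 5) sent to name servers
outside an organisation's own DNS servers and list what they would reveal.
All sample zones, hosts, addresses and ids below are constructed for the example."""
import ipaddress
import struct

OPCODE_UPDATE = 5                     # RFC 2136 UPDATE opcode
TYPE_A, TYPE_AAAA, TYPE_SOA = 1, 28, 6
CLASS_IN, CLASS_ANY = 1, 255


def _encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def _read_name(msg: bytes, off: int):
    """Decode a name at `off`, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just after the name as it appears in the message)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # two-byte compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def _read_rrs(msg: bytes, off: int, count: int):
    """Read `count` resource records; decode A/AAAA rdata into a printable address."""
    rrs = []
    for _ in range(count):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        address = None
        if rtype == TYPE_A and rdlen == 4:
            address = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            address = str(ipaddress.IPv6Address(rdata))
        rrs.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "address": address})
    return rrs, off


def parse_dns_message(msg: bytes) -> dict:
    """Parse the header, the Zone (question) section and the Prerequisite and
    Update (answer/authority) sections of a DNS message."""
    txid, flags, zocount, prcount, upcount, _adcount = struct.unpack("!HHHHHH", msg[:12])
    opcode = (flags >> 11) & 0xF
    off, zones = 12, []
    for _ in range(zocount):
        name, off = _read_name(msg, off)
        off += 4                                    # skip ZTYPE + ZCLASS
        zones.append(name)
    prereqs, off = _read_rrs(msg, off, prcount)
    updates, off = _read_rrs(msg, off, upcount)
    return {"id": txid, "opcode": opcode, "zones": zones, "prereqs": prereqs, "updates": updates}


def build_update(zone: str, updates, txid: int = 0x1234) -> bytes:
    """Build an UPDATE message with one zone, no prerequisites and the given update RRs.
    Used here only to construct sample traffic for the example."""
    header = struct.pack("!HHHHHH", txid, OPCODE_UPDATE << 11, 1, 0, len(updates), 0)
    body = _encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    for name, rtype, rclass, ttl, rdata in updates:
        body += _encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return header + body


def find_leaked_updates(captures, internal_servers) -> list:
    """captures: iterable of (destination IP, raw DNS payload). Returns one finding per
    UPDATE whose destination is not one of the organisation's own DNS servers."""
    internal = {ipaddress.ip_address(s) for s in internal_servers}
    findings = []
    for dst, msg in captures:
        parsed = parse_dns_message(msg)
        if parsed["opcode"] != OPCODE_UPDATE or ipaddress.ip_address(dst) in internal:
            continue
        leaked = [(rr["name"], rr["address"]) for rr in parsed["updates"] if rr["address"]]
        zone = parsed["zones"][0] if parsed["zones"] else ""
        findings.append({"server": dst, "zone": zone, "leaked": leaked})
    return findings


# Constructed sample traffic: a workstation registering its A record (delete-all, then add),
# once to the internal DNS server and once to an external address, plus an ordinary query.
SAMPLE_UPDATE = build_update("corp.example", [
    ("ws-alice.corp.example", TYPE_A, CLASS_ANY, 0, b""),          # delete all existing A RRs
    ("ws-alice.corp.example", TYPE_A, CLASS_IN, 1200, ipaddress.IPv4Address("10.20.30.40").packed),
])
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x5678, 0x0100, 1, 0, 0, 0)
                + _encode_name("www.example") + struct.pack("!HH", TYPE_A, CLASS_IN))
SAMPLE_CAPTURES = [
    ("10.0.0.53", SAMPLE_UPDATE),      # the organisation's own DNS server: expected
    ("203.0.113.10", SAMPLE_UPDATE),   # the same update leaving the network: finding
    ("203.0.113.10", SAMPLE_QUERY),    # a normal query, not an UPDATE: ignored
]

if __name__ == "__main__":
    for f in find_leaked_updates(SAMPLE_CAPTURES, ["10.0.0.53"]):
        print(f"UPDATE for zone {f['zone']} sent to external server {f['server']}: {f['leaked']}")
```

The check deliberately keys on the opcode and the destination rather than on the zone name, so it also catches updates for zones an endpoint should never be registering into (a stale or mistyped DNS suffix, for instance); feeding it real captures means extracting UDP/TCP payloads to port 53 and replacing `SAMPLE_CAPTURES` with those (destination, payload) pairs.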