Home / Blogs

DNS and Stolen Credit Card Numbers

Juha Holkkola

FireEye announced a new piece of malware yesterday named MULTIGRAIN. This nasty piece of code steals data from Point of Sale (PoS) and transmits the stolen credit card numbers by embedding them into recursive DNS queries.

While this was definitely a great catch by the FireEye team, the thing that bothers me here is how DNS is being used in these supposedly restrictive environments. Even the FireEye researchers state that in order to resolve hostnames in the corporate environment, the recursive DNS servers must be able to access the public Internet.

That's not really true, though.

The best protection against attacks like this is to block recursive queries to the public Internet. The great thing with going cold turkey is that one can still configure his DNS to be able to resolve all hosts inside the perimeter defence of the enterprise network.

Here's a simple two-step guide on how to do it:

  1. Install one or two DNS servers in each PoS site. Configure them as authoritative slaves for all (internal) corporate zones AND allow recursion on these same servers.
  2. Block DNS access to the public Internet.

When a recursive query is made to a DNS server that is also authoritative for the queried zone, the query will be replied from the memory. In cases where the DNS server is not authoritative for the queried zone — and the DNS server has no access to the public Internet — the resolution process will fail and no authoritative response will be provided to the client that made the query.

The great thing about this simple solution is that it works much better than the "monitor and review" recommendation made by the FireEye research team. After all, if the DNS servers in protective network environments can only function within the boundaries set by the perimeter defense, it becomes impossible to use attacks like MULTIGRAIN to transmit stolen data outside.

By Juha Holkkola, Co-Founder and Chief Technologist at FusionLayer Inc.

Related topics: Cyberattack, Cybercrime, Cybersecurity, DNS, DNS Security, Internet Protocol, Malware, Privacy


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


very true, but only for special networks, like POS ?! Marc Lampo  –  Apr 21, 2016 12:09 AM PDT

DNS is mostly seen as the protocol that translates names into addresses.
As such a mandatory service in most networks and DNS is more or less considered to be part of the furniture.

Hardly anybody expects a piece of furniture to be dangerous.
But the way DNS operates it is actually a connectionless transport protocol.
As such it allows data exfiltration, like card numbers, and infiltration out and in of any network where nodes are allowed to have public DNS resolving.

By no means new, and my own talk on the subject, in october 2014, was by no means the first (nor will it be the last) to warn and show safer approaches :
Designing DNS flows for security.

That's true Marco, my suggestion only works Juha Holkkola  –  Apr 21, 2016 12:36 AM PDT

That's true Marco, my suggestion only works well in restricted environments where access to the outside world is not needed. This is relatively common, though - PoS is a good example but there are also various kinds of management and government networks where DNS connectivity to the outside world isn't really needed.

Here's how I would draw the line myself. In environments where regular traffic (HTTP, FTP, etc.) is being considerably restricted or even blocked, allowing DNS traffic to the outside should be blocked by default. In case there is a good reason to allow the traffic the default-deny can and should be reconsidered, but I think default-deny is the best policy in restricted environments.

I think this is actually quite an important consideration because down the road we'll likely see a lot of new networks dedicated to IoT only. In these networks, there's not really much use for public DNS since the traffic is supposed to flow between a cloud and the dedicated IOT network. At the same time, though, there will surely be valuable tidbits of data that could be stolen and transmitted outside using DNS.

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Mobile Internet

Sponsored by Afilias Mobile & Web Services

DNS Security

Sponsored by Afilias


Sponsored by Verisign

IP Addressing

Sponsored by Avenue4 LLC

Promoted Posts

Buying or Selling IPv4 Addresses?

ACCELR/8 is a transformative IPv4 market solution developed by industry veterans Marc Lindsey and Janine Goodman that enables organizations buying or selling blocks as small as /20s to keep pace with the evolving demands of the market by applying processes that have delivered value for many of the largest market participants. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll