Hiya, Today I am going to walk you through discovering and potentially leveraging open DNS servers in an effort to show you why you should be careful with the DNS blocking tools that have steadily become popular.
I am NOT affiliated, sponsored, represent, or paid by any security firm or corporation. I do not officially represent any entity while posting under my USN.
I am a normal guy that wants to bring as much security information to this forum as I have time to do. I understand that it isn’t really the focus of this site but the more eyes and DIYs that can see it the better.
What I am doing is for education. BE WARNED that what is being done is POTENTIALLY ILLEGAL and can result in CRIMINAL CHARGES. NEVER pentest or modify a computer system WITHOUT CONSENT.
We will be tackling this with free tools in windows.
I will try to keep this short.
Taking a look
Today’s internet is full of devices that are becoming popular in regards, to security and privacy. Some of these devices show in the form of DNS filtering agents. This is because other than adblockers this is the easiest way to protect an entire network.
Devices and software like:
- Bitdefender Box
Have more or less the same features, and one of the biggest and most useful are there abilities to block DNS queries based on a reputation system that has definitions we call “lists”. Of course we have been doing things like this for years on our personal computers. Modification of the ‘hosts’ file is in essence what these devices do only on a much broader scale. So what is the big deal with these kinds of devices and why might there be a problem?
The issue stems from availability without much education. I have covered DNS basics and even went over the setup of a Pi-hole in a previous guide (I promise to fix the pictures). Basically, convenience is our enemy here and when installing these devices more privacy/hobbyist minded individuals make modifications to these systems (with some just being vulnerable to being with) that promote bad internet hygiene and expose them to more risk.
I am going to be picking on pi-hole today. I should get it out of the way that in this case pi-hole as a product is safe and its defaults are also safe. The issue stems from its misconfiguration by individuals and its widespread adoption by DIYers combined with a lack of understanding on how DNS works.
To start lets go over why an open DNS server that is, a DNS server that can be used publicly is bad. I have an example myself but for a more bulleted list we can look here https://securitytrails.com/blog/most-popular-types-dns-attacks. Now to reiterate it should be noted that even the pi-hole staff and much of the people ‘in the know’ do NOT want you to open DNS to the public. DNS servers exposed to the public and ran by amatures is such a bad idea that there are several lists available exposing them.
Abusing DNS is bad, and I’ve said it four different ways already. If you didn’t read any of the links I posted it boils down to these potential problems.
- DDoS of the DNS service
- Poisoning DNS servers
- Hijacking DNS requests
- Amplification (reflection) attacks utilizing public DNS servers to overwhelm a specific domain
- Waste of bandwidth
You can read what CISA thinks about amplification attacks here. They are the easiest and most abused aspect of public DNS servers. In most of my guides I try to educate and most of the cases involve some examples. However, I understand that is not enough for some people. To some security articles are nothing more than a pentester or security professional soap boxing on a public forum.
So let’s break into public DNS servers. First we want to make it appeal to the masses. Lets really drive home how easy it is to disrupt people and break privacy.
What if we imposed rules? Hm. How about.
- It has to be with free tools
- They don’t need to be installed
- They don’t require a user account
That’s a little rough. No burp suite, no nmap no normal pentesting kit tools. However if we stick to those rules in theory anyone with a PC can do it.
To start Let’s think critically. We do need SOME info. How about something simple? How about we go with a name? Most of these products brand themselves so we will start with “pihole”.
Now how about we plug this into a website that scans IoT things?
Oh my, even without a user account.
Ok, So shodan lets us dive in. What does the request actually look like? What else may have been detected on this server? I mean, what if they are hosting a public FTP server that we can access as well? The possibilities are scary and are only limited to web hostable content.
Neat, so they are running pihole on port 8089 on this specific IP address. Let’s try to go to it.
Sad face. It looks like its responding however.
What if we tacked on something? What if we did a little URL modification? Say for example we attempted to access the admin page of the unit? That has a default path of I think
Yikes! and its out of date! Not only is it public but let’s not forget that products can have CVEs.
As we can see though this one requires login at least. Maybe we can use it as a DNS server? Lets see if it accepts outside connections.
To do this on Linux you can use the ‘dig’ command. However, for windows we can use ‘nslookup’.
Something like <command> <domain I want> <server I want to use>
Let’s take a look.
Nope, no open resolver. Just an open web interface. Still bad, but we are looking for quick targets. Let’s move on and try a few more.
Wow. Words cannot communicate how ridiculous this is.
Anyone fancy changing there upstream DNS server to your own so you can re-route traffic?
Or maybe you want to stop the service? Maybe shut down the device?
Danger Zone indeed!
Other than hijacking there DNS requests to a server you run, or making their lives miserable but disabling DNS resolution. Or otherwise peeking on their lives, or man maybe even getting to know there work schedule by monitoring the DNS request graph.
Can it actually resolve public DNS though? Or did they just remove the password on the admin CP?
Wow. We can even abuse it via DNS itself.
According to the command list it appears that installers are utilizing
pihole -a -p
to change the -admin -password and simply leaving the field blank. This would effectively disable the password requirement that the pihole actually FORCES during install by randomly generating a password that is displayed to you.
Let’s take a moment to remember our honorable mentions, like the knockoff products that customize the existing code of existing products. In the pi-holes example “Adgone” and “Rootswitch” after investigation not only provide public resolves based off of the product but themselves charge customers for access to there public resolver as part of a product stack that they ripped off.
It’s important to understand the risks and consequences of this. In a broad sense.
Some DIYers setup these devices and consciously know they are exposing it to the internet. This allows them to customize phones or laptops when they are not on the LAN to use the filter settings they setup. However there are MUCH better ways to do this. Others simply have no idea. There routers could be port forwarding port 53 (DNS) and 80 or 443 (HTTP/s) by default and the intent was just to use it like normal. Some going further may have believed the forwards necessary for functionality.
In either case this is not limited to the pi-hole. Or even privacy/security/filtering products like this, or the ones mentioned. You should always be aware that a network is just that. A collection of devices working together. All parts of a network should be examined. Routers should be checked. Firewalls in network devices need to be examined.
If you don’t I’ll do it for you on my lunch break.
Things we did today.
- Found your devices admin panel
- Broke into your device
- Found out if I could use your device for bad things
- Found out you work 10-6pm EST
- Followed you on instagram
- Took note of the number of devices on your network
- Took note of your device names
- Found the local address of the other servers you run on your network
Stay safe, know what you are buying and how to set it up. If you don’t find someone who does. Check your devices. Typing this literally took longer than it took me to find 271 exposed devices and I managed to find 13 I could admin access before I finished writing this sentence.
Hope you learned something. Thanks for reading!