Last Friday, I played with DNS records. I know nothing about configuring DNS, but as an engineer it is worth knowing (and I have to know) more about it than the theory. I looked at the DNS record types and discovered a trick that can confuse a DNS client. Let's first take a look at the following DNS record type (from Wikipedia):
| Type | Defining RFC | Description | Function |
|---|---|---|---|
| CNAME | RFC 1035 | Canonical name record | Alias of one name to another: the DNS lookup will continue by retrying the lookup with the new name. This helps when running multiple services (like an FTP and a web server, each running on different ports) from a single IP address. Each service can then have its own entry in DNS (like ftp.example.com. and www.example.com.). Network administrators also use CNAMEs when running multiple HTTP servers on the same port, with different names, on the same physical host. This however requires host header support for the two sites to both listen on the default port (port 80). |
Let's assume that we have a domain name (DN) whois.evil.org and we want it to be resolved as iam.evil.org. In the same zone file, the record can look like this:
whois.evil.org CNAME iam.evil.org
When a client queries whois.evil.org, the server finds this record and either continues the lookup of iam.evil.org on the client's behalf (a recursive resolver follows the chain) or returns the CNAME to the client, which restarts the lookup with the new name. A CNAME record can also point outside your zone (in this case, the zone is evil.org). For example, if we want the DN whereis.evil.org to resolve to hell.net, the record can look like this:
whereis.evil.org CNAME hell.net.
The trailing dot "." means the value is a fully qualified domain name (FQDN). Without it, a zone-file parser appends the zone origin, so a bare hell.net would become hell.net.evil.org (strictly, the first record should have been written whois.evil.org. CNAME iam.evil.org. for the same reason, or relative to the origin as whois CNAME iam). The authoritative server for evil.org cannot resolve hell.net itself, so it returns the CNAME and leaves the rest of the lookup to the client or its resolver. Then what if I change the value hell.net to localhost? I.e.:
whereis.evil.org CNAME localhost.
localhost is a famous "domain name": it takes you back home, to the loopback address (127.0.0.1 or ::1). What happens next depends on the software in use. RFC 6761 reserves localhost and says resolvers should answer address queries for it with the loopback address instead of asking the network, but in practice implementations differ, so one client may follow the CNAME and end up talking to 127.0.0.1 while another refuses the name or gets no answer at all. The way CNAME is used in this post is not aggressive enough on its own; is it possible to harm the user with it? I am still thinking about this. Let me know if you have any good ideas or existing attacks using a similar technique.
Thanks, Greg! Greg pointed me to this interesting trick.



