In recent years, use of DNS (Domain Name System) has spread to the point that many services (including various protocols, applications, technologies etc.) now rely on the DNS for address resolution. That is, services using DNS depend on a valid DNS server setting in order to provide the service-requesting entity with the appropriate functionality. Accordingly, the DNS, and particularly the DNS server setting, has become an attractive target for attacks on the proper functioning of such services. By manipulating the DNS server setting that a specific service utilizes for address resolution, an attacker tries to misdirect the service to a fraudulent address (instead of the address actually intended for service provisioning) without its knowledge or consent.
As one example scenario in this regard, attacks on users over the Internet have become popular, by which users are misdirected to fraudulent Web sites without their knowledge or consent. Such attacks are often referred to as “pharming” attacks.
In such pharming attacks, the DNS server setting is manipulated, which can generally be done at any point in the DNS resolving chain from the first DNS resolver to the root DNS server. For example, such pharming attacks can be implemented on a client device by locally manipulating the DNS server setting, or on some device keeping the DNS server setting, such as a DHCP (Dynamic Host Configuration Protocol) server device, by setting a rogue DNS server address.
That is, in a local network environment, the DNS server setting potentially subject to such a pharming attack can be configured in a client device or in another local-area device such as a local-area DHCP server device, e.g. a router in the local network environment such as a home or SOHO-type router, or a (wireless) base station or access point in the local network environment.
Herein, attacks on devices keeping a DNS server setting, such as DNS server devices (including DNS forwarder devices), are mainly addressed, including but not limited to DNS server devices (and DNS forwarder devices) in a local network environment. For example, local-area DHCP server devices typically grant IP (Internet Protocol) addresses to client devices and advertise default gateway addresses and DNS server addresses, and may comprise e.g. home routers, SOHO-type routers (SOHO: Small-Office, Home-Office), (wireless) base stations or access points, or any other type of network element including a DHCP server or a DHCP server functionality. When an attacker gains access to and spoofs such a local-area DHCP server device, e.g. using a default password, a software vulnerability or the like, the attacker can change the device configuration or even install his own software thereon, thereby manipulating the DNS server setting.
Typically, today there are (mainly) two ways in which attackers try to make money by hacking or hijacking a DNS server setting, e.g. on DHCP server devices (while additional ways of making money by such attacks might still be conceivable): 1) attacks against online banking and 2) search hacking or hijacking. In both attacks, the attacker typically changes the DNS server address advertised over DHCP to point to a DNS server controlled by the attacker, or injects a DNS server setting into a local DNS server (if such exists). By controlling where a specific URL (such as a URL for online banking like e.g. myonlinebank.fi) points to, the attacker can perform a Man-in-the-Middle attack or set up a phishing site. By controlling search engine requests or many other such pages, the attacker can replace the online advertisements shown to the user with advertisements of his own and earn the affiliate revenue.
In practice, such pharming attacks on local-area devices such as local-area DHCP server devices, like home or SOHO pharming attacks, are feasible for various reasons. This is mainly because such local-area DHCP server devices like home and SOHO routers tend to be managed/administered in a less professional/expedient way than DHCP servers or routers in larger networks. Namely, such local-area DHCP server devices like home and SOHO routers are often old and not maintained properly, and they tend to have factory default passwords, a management interface open towards a local area network or the Internet, the possibility to change UPnP (Universal Plug-and-Play) settings even from the Internet-facing interface to allow traffic in, and so on. Further, such local-area DHCP server devices like home and SOHO routers typically have an operating system of some outdated version, such as e.g. an obsolete Linux version, which is no longer updated and hence subject to security vulnerabilities. In view thereof, integrity of local-area DNS server setting can be corrupted by way of malware in an infected local-area device or by an attacker from outside the local-area environment, i.e. from the Internet.
Thereby, for example, local-area network equipment including DHCP server devices represents an attractive target for pharming attacks and can quite easily be exploited to create serious risks (by becoming part of a large-scale network of hacked/hijacked routers).
Such risks get even more aggravated by the situation that people managing/administering local-area network equipment including DHCP server devices are typically less experienced or even less qualified than professional system administrators responsible for network equipment including DHCP server devices in larger networks. That is, for average-skill people managing/administering local-area network equipment including DHCP server devices, it is very difficult, if not impossible, to check if their local-area DHCP server devices have been hacked/hijacked.
Similar principles as described above for pharming attacks in local network environments can also be adopted in any DNS-related attacks in different scenarios.
Accordingly, there is a demand to enable an integrity check of a DNS server setting, thus detecting DNS hacking or hijacking. Such integrity check should preferably be easy to use, without requiring specific system administration skills.
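To illustrate what such an integrity check can look like in practice, the following is an added example (not part of the original text, and not a description of any particular product) in Python. It assumes a constructed allowlist of expected resolver addresses (the router's own address plus two fictional ISP resolvers in TEST-NET space), a constructed DHCP lease and resolv.conf as a client would record them, and constructed answer sets as a reference resolver and the configured resolver would return for the same names. The check flags any advertised DNS server that is not on the allowlist and any name whose answers differ between the two resolvers, which is the symptom of the manipulation described in the paragraphs above.

```python
"""Integrity check of a DHCP-advertised DNS server setting (added example)."""
import ipaddress
import re

# Constructed allowlist: the local router and two fictional ISP resolvers (TEST-NET-2).
TRUSTED_RESOLVERS = {"192.168.1.1", "198.51.100.10", "198.51.100.11"}

# Address ranges regarded as "local" for classification purposes (RFC 1918 plus loopback).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of a DHCP lease as a dhclient-style client writes it.
# 203.0.113.53 (TEST-NET-3) stands in for a resolver the attacker controls.
SAMPLE_LEASE = """\
lease {
  interface "eth0";
  fixed-address 192.168.1.23;
  option subnet-mask 255.255.255.0;
  option routers 192.168.1.1;
  option domain-name-servers 203.0.113.53, 192.168.1.1;
}
"""

# Constructed sample resolv.conf generated from the same lease.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client (constructed sample)
search home.example
nameserver 203.0.113.53
nameserver 192.168.1.1
"""

# Constructed answers: what a trusted reference resolver returns for two names,
# and what the configured (rogue) resolver returns for the same names.
REFERENCE_ANSWERS = {"myonlinebank.fi": {"198.51.100.80"}, "search.example": {"198.51.100.90"}}
OBSERVED_ANSWERS = {"myonlinebank.fi": {"203.0.113.80"}, "search.example": {"198.51.100.90"}}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_dhcp_lease(text):
    """Return the DNS servers from the 'domain-name-servers' option of a lease."""
    match = re.search(r"option domain-name-servers\s+([^;]+);", text)
    if not match:
        return []
    return [s.strip() for s in match.group(1).split(",") if s.strip()]


def classify_resolver(server, trusted=TRUSTED_RESOLVERS):
    """Classify one resolver address relative to the allowlist and local ranges."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if server in trusted:
        return "trusted"
    if any(addr in net for net in LOCAL_NETS):
        return "local-unknown"      # a local address not on the allowlist
    return "external-unknown"       # an Internet address nobody expects to see here


def check_dns_setting(servers, trusted=TRUSTED_RESOLVERS):
    """Return (server, verdict) for every configured server that is not trusted."""
    findings = []
    for server in servers:
        verdict = classify_resolver(server, trusted)
        if verdict != "trusted":
            findings.append((server, verdict))
    return findings


def compare_answers(reference, observed):
    """Return names whose answers from the configured resolver differ from the reference."""
    return sorted(name for name in reference if observed.get(name) != reference[name])


def run_check():
    """Run both checks over the constructed samples and report the findings."""
    advertised = parse_dhcp_lease(SAMPLE_LEASE)
    in_use = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    return {
        "setting_findings": check_dns_setting(advertised + [s for s in in_use if s not in advertised]),
        "answer_mismatches": compare_answers(REFERENCE_ANSWERS, OBSERVED_ANSWERS),
    }


if __name__ == "__main__":
    for key, value in run_check().items():
        print(key, value)
```

The two checks complement each other: the allowlist comparison needs no network access and catches a DNS server address that was changed in the DHCP advertisement, while the answer comparison catches the case where the advertised address looks legitimate but the resolver behind it returns manipulated records. In a real deployment the reference answers would come from a resolver reached over a trusted channel rather than from a constructed table.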