Black Hat Briefings: Hosted DNS configuration flaws risk leaking corporate network topologies
Security researchers have discovered a new class of DNS vulnerability that affects multiple DNS-as-a-Service (DNSaaS) providers.
Researchers from cloud security firm Wiz.io discovered that non-standard implementation of DNS resolvers, when combined with quirks in the provision of DNS services, could lead to information leakage from corporate networks using the affected services.
Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable, but providers of DNS and their clients are particularly at risk and shown to be flawed in tests by Wiz.io.
The complexity of DNS and its multiple implementations prompted Wiz.io to investigate the security of DNS-as-a-Service offerings, including AWS Route 53.
To their surprise, the researchers discovered that if they registered a nameserver to itself on AWS Route 53 they saw Dynamic DNS traffic that ought to be restricted to internal networks.
Microsoft Windows endpoints reveal sensitive customer information when performing DNS update queries through vulnerable setups. Information potentially exposed includes internal IP addresses, computer names, and external IP addresses.
