1

I ran across a site that talked about routing all clients requesting by IP to a "dead end." The clients accessing the site via IP, it claimed, were typically automated exploit tools and bots. Legitimate users type in the web address by its domain name.

With this context in mind, I don't really understand how DNS really works. I thought it worked by sending an IP back to a client for the requested DNS name (like a phone book). The client then uses the IP to access the site. The information above seems to indicate I misunderstand this. Can someone clarify this?

http://technet.microsoft.com/en-us/magazine/2005.01.hackerbasher.aspx

Provided I understand the method it works like this:

There is a site with IP xxx.xxx.xxx.xxx and domain name www.somesite.com.

I attempt to access the site with xxx.xxx.xxx.xxx and I get nothing, no response. I am most likely a bot or automated tool trying to do this (from the public side on port 80). I access the site with www.somesite.com and it shows me the site.

But if the server is being accessed by its IP even when DNS is looked up, then the method doesn't make sense, since the server only sees a request by IP.

Zoredache
Joshua Enfield

3 Answers

6

Your understanding of DNS is correct. However, in addition to that, your browser tells the site which website hosted at a particular IP it is interested in, in the Host: header.

This is used to conserve IP addresses; e.g. if you:

  • connect to 1.2.3.4 and send Host: www.exampleA.com you get website A
  • connect to 1.2.3.4 and send Host: www.otherexample.com you get website B
  • connect to 1.2.3.4 and don't send a Host header, or send Host: 1.2.3.4, you get the "default" website.

That article basically reconfigures the default website to detect the latter case and trap tools that scan by IP address.

pjc50
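The mechanism this answer describes, as an added example that is not part of the original answer or of the TechNet article: a small parser for the request line and `Host:` header of a raw HTTP request, plus a name-based virtual-host dispatcher in which every request arrives at the same IP (1.2.3.4) and only the `Host:` value decides which site is served. The host names, the sample requests and the "dead end" default site are constructed for illustration; a real server such as Apache does the same selection in its own configuration.

```python
"""Name-based virtual hosting in miniature: the destination IP is the
same for every request, the Host header picks the site, and anything
that arrives without a usable Host (no header at all, or a bare IP
literal, which is what IP-scanning tools send) lands on the default
site, which the article turns into a dead end.

Added example; not code from the Server Fault answer or the article.
Host names and requests below are constructed."""

import re
from typing import Optional

# Constructed vhost table: "what the client says it wants" -> site
VHOSTS = {
    "www.examplea.com": "website A",
    "www.otherexample.com": "website B",
}
DEAD_END = "dead-end (default site)"

# Dotted-quad IPv4 literal, e.g. Host: 1.2.3.4
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_host(raw_request: bytes) -> Optional[str]:
    """Return the normalised Host header value (lower-cased, port
    stripped), or None if the request carries no Host header at all
    (legal in HTTP/1.0, and typical of crude scanners)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            # Drop a trailing ":port"; leave bracketed IPv6 literals alone.
            if not host.startswith("[") and ":" in host:
                host = host.rsplit(":", 1)[0]
            return host
    return None


def select_site(host: Optional[str]) -> str:
    """A known name maps to its site. A missing Host, an IP literal, or
    an unknown name falls through to the default site, exactly the case
    the article traps."""
    if host is None or IPV4_RE.match(host):
        return DEAD_END
    return VHOSTS.get(host, DEAD_END)


def dispatch(raw_request: bytes) -> str:
    """Full path: raw bytes on the wire -> which site answers."""
    return select_site(parse_host(raw_request))


# Constructed sample requests, all sent to the same address 1.2.3.4.
REQ_A = b"GET / HTTP/1.1\r\nHost: www.exampleA.com\r\n\r\n"
REQ_B = b"GET / HTTP/1.1\r\nHost: www.otherexample.com:80\r\n\r\n"
REQ_IP = b"GET / HTTP/1.1\r\nHost: 1.2.3.4\r\n\r\n"
REQ_NOHOST = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_A, REQ_B, REQ_IP, REQ_NOHOST):
        label = parse_host(req) or "(no Host header)"
        print(f"{label:28} -> {dispatch(req)}")
```

Running it shows the two named hosts reaching their sites while the IP-literal and header-less requests both end up on the default site. The same property is what makes the trick a detection aid: a request whose `Host:` is an IP literal, or that has no `Host:` at all, was almost certainly not produced by a user typing the domain into a browser.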
1

The exploit involves either changing your hosts file to point specific urls to dead-end addresses, or by setting up a local DNS or a proxy that re-routes the traffic to sites chosen by the writers of the exploit.

A lot of trojans and spyware install or enable local proxy servers these days, and that can allow the malware to re-route ALL traffic, regardless of whether it is by url or IP address. Doesn't really have anything to do with DNS.

Likewise DNS hijacking has been used by malware for a long time. One of the problems with DNS is that the connection is a low privilege connection, so there are practically no safeguards against malware running a man-in-the-middle attack on your DNS, and replacing the addresses of its choosing.

Otherwise yes, DNS works by sending you an IP address when you send it a URL.

Edit: Oh, sorry, I see what you're saying. No, the DNS returns the IP, which tells you where to go, but your browser (or whatever) tells the site where you think you're going. This is desired behaviour in situations where one IP address is hosting 20 urls through virtual hosts.

Satanicpuppy
  • Not quite what I meant, the act of routing requests to a dead end is not an exploit. It's a security measure to reroute clients requesting by IP to a dead end. – Joshua Enfield Apr 29 '10 at 16:05
1

Specifically for a webserver, you can configure the site to redirect to anywhere (including a dead end) based on the actual URL entered.

For instance, take a look at VirtualHost Directive for Apache.

For how DNS works, there are lots of basic articles on it.

This has less to do with DNS than it does with filtering HTTP requests based on URL.

hometoast