DNS and Stolen Credit Card Numbers

Wednesday April 20, 2016

FireEye announced a new piece of malware yesterday named MULTIGRAIN. This nasty piece of code steals data from Point of Sale (PoS) and transmits the stolen credit card numbers by embedding them into recursive DNS queries.

While this was definitely a great catch by the FireEye team, the thing that bothers me here is how DNS is being used in these supposedly restrictive environments. Even the FireEye researchers state that in order to resolve hostnames in the corporate environment, the recursive DNS servers must be able to access the public Internet.

That's not really true, though.

The best protection against attacks like this is to block recursive queries to the public Internet. The great thing with going cold turkey is that one can still configure his DNS to be able to resolve all hosts inside the perimeter defence of the enterprise network.

Here's a simple two-step guide on how to do it:

  1. Install one or two DNS servers in each PoS site. Configure them as authoritative slaves for all (internal) corporate zones AND allow recursion on these same servers.
  2. Block DNS access to the public Internet.

When a recursive query is made to a DNS server that is also authoritative for the queried zone, the query will be replied from the memory. In cases where the DNS server is not authoritative for the queried zone — and the DNS server has no access to the public Internet — the resolution process will fail and no authoritative response will be provided to the client that made the query.

The great thing about this simple solution is that it works much better than the "monitor and review" recommendation made by the FireEye research team. After all, if the DNS servers in protective network environments can only function within the boundaries set by the perimeter defense, it becomes impossible to use attacks like MULTIGRAIN to transmit stolen data outside.

By Juha Holkkola, Co-Founder and Chief Technologist at FusionLayer Inc.Juha Holkkola is the Co-Founder and Chief Technologist at FusionLayer Inc. An inventor with several patents in the US and Europe, he is an advocate of technology concepts with tangible operational impact. Juha is an active proponent of emerging technology trends such as cloud computing, hybrid IT and network functions virtualization, and a regular speaker at various industry events.