IPv6 DNS Hijacking

  • Question

  • I’ve searched and haven’t been able to find a reason this couldn’t happen.

    IPv6 is the preferred protocol for DNS, or at least it seems that way: running nslookup on a computer with both IPv6 and IPv4, the computer resolves DNS with the IPv6 protocol.

    Assume an organization has not configured IPv6 on their Win7/Vista clients and is using a 3rd-party DHCP service for IPv4, such as a router.  If an internal attacker on the network sets up an IPv6 infrastructure using stateless addressing and adds a configuration for a rogue DNS server, could he redirect internal traffic to establish a DoS or, worse, redirection to an internal malicious website?  I understand he could do the same with IPv4, but it wouldn’t bring down clients who already have an IP address.

    I have absolutely no intention of doing this unless I need to confirm in a test environment, and I am only asking to further my own understanding.  Is this a real threat for organizations who are not utilizing an authorized DHCP server?


    If it doesn't work enable everything, blame software errors and rebuild
    • Moved by Joson Zhou Tuesday, January 4, 2011 6:35 AM (From:Security)
    Friday, December 31, 2010 4:52 PM

All replies

  • Hi,

    Thanks for posting here.

    This is a good assumption, and that is why we always suggest deploying Active Directory and authorizing DHCP servers to prevent this situation.

    Authorizing DHCP servers

    http://technet.microsoft.com/en-us/library/cc781697(WS.10).aspx

    Meanwhile, granting appropriate permissions for accounts and deploying Network Access Protection could also prevent it.

    Network Access Protection

    http://technet.microsoft.com/en-us/network/bb545879

    Thanks.

    Tiger Li
    Tuesday, January 4, 2011 9:23 AM
  • Hi Tiger Li,

    Thanks for your response, I wasn't totally sure a client could have its DNS hijacked like this.  I was aware precautions could be taken to prevent this type of attack but I wasn't 100% sure if a client would use a rogue IPv6 DNS server instead of a domain IPv4 server based simply on protocol preference.  I'm considering setting up a test environment to demonstrate countermeasures and the actual vulnerability.  Thanks for your help.

    One further question regarding Authorized DHCP Servers, as IPv6 doesn't get mentioned in the article you linked.  If a client receives a trusted IPv4 address, will it prefer the trusted IPv4 address over an untrusted IPv6 address?  If not, then the remaining options would be NAP, disable IPv6 or configure an IPv6 network...  Correct?


    If it doesn't work enable everything, blame software errors and rebuild
    Tuesday, January 4, 2011 3:26 PM
  • Hi,

    Thanks for the update.

    > One further question regarding Authorized DHCP Servers, as IPv6 doesn't get mentioned in the article you linked.

    This authorization mechanism covers all DHCP protocol services in an AD environment, including the IPv6 DHCP service.

    > If a client receives a trusted IPv4 address, will it prefer the trusted IPv4 address over an untrusted IPv6 address?

    An IPv6 address will only be used for IPv6 communication, so I believe there is no relation to IPv4.

    > If not, then the remaining options would be NAP, disable IPv6 or configure an IPv6 network...  Correct?

    It is not recommended to disable IPv6; you can find the explanation at the link below:

    http://blogs.technet.com/b/netro/archive/2010/11/24/arguments-against-disabling-ipv6.aspx

    Meanwhile, I'd also suggest reading the article below:

    DHCP Security

    http://technet.microsoft.com/en-us/library/dd296625(WS.10).aspx

    Thanks.

    Tiger Li
    Wednesday, January 5, 2011 8:50 AM
  • This is incorrect information.  The only thing that "authorizing" a DHCP server does is allow a DHCP server to run in Active Directory.  There is nothing stopping you from bringing in your own rogue DHCP server from home and plugging it into the network.  Then you will have two DHCP servers running.  And all hell will break loose.

    IPv4 and IPv6 both need to be protected from this.  IPv6 information can be assigned with either DHCPv6 or Router Advertisements (RA).

    The fix is to use layer 2 security measures, such as DHCP snooping, RA Guard, and the like.  This will prevent DHCP requests from being responded to by any server except the one you designate.




    • Proposed as answer by Brain2000 Thursday, January 21, 2016 5:42 PM
    • Edited by Brain2000 Thursday, January 21, 2016 5:47 PM
    Thursday, January 21, 2016 5:42 PM
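
Added example, not part of the original thread or written by any of its participants: a monitoring-side check for the scenario discussed above, parsing a captured ICMPv6 Router Advertisement and flagging an unknown router, the M/O flags that send clients to DHCPv6, and RDNSS DNS servers that are not on an allowlist. The allowlist addresses, function names and the sample RA bytes are constructed for illustration.

```python
import ipaddress
import struct

# Assumed allowlists for this example: the routers and DNS servers you actually operate.
AUTHORIZED_ROUTERS = {"fe80::1"}
AUTHORIZED_DNS = {"2001:db8:0:1::53"}

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134), starting at the ICMPv6 header."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "lifetime": struct.unpack("!H", icmp6[6:8])[0], "rdnss": [], "prefixes": []}
    pos = 16  # options start after the fixed 16-byte RA header
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8  # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option")
        body = icmp6[pos:pos + opt_len]
        if opt_type == 3 and opt_len == 32:      # Prefix Information option
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        elif opt_type == 25 and opt_len >= 24:   # RDNSS option (RFC 8106)
            for i in range(8, opt_len - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        pos += opt_len
    return ra

def audit_ra(src: str, icmp6: bytes) -> list:
    """Return findings for one RA seen from link-local source address `src`."""
    ra = parse_ra(icmp6)
    src = str(ipaddress.IPv6Address(src.split("%")[0]))  # drop any zone id
    findings = []
    if src not in AUTHORIZED_ROUTERS:
        findings.append(f"RA from unauthorized router {src}")
        if ra["managed"] or ra["other"]:
            findings.append("M/O flag set: clients may ask DHCPv6 for DNS settings")
    for dns in ra["rdnss"]:
        if dns not in AUTHORIZED_DNS:
            findings.append(f"unauthorized RDNSS server {dns}")
    return findings

def build_sample_ra(dns: str, flags: int = 0x40) -> bytes:
    """Constructed test input: RA header plus one RDNSS option (never sent anywhere)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    rdnss = struct.pack("!BBHI", 25, 3, 0, 600) + ipaddress.IPv6Address(dns).packed
    return hdr + rdnss
```

Feed `audit_ra` the source address and ICMPv6 payload of each RA taken from a capture or span port; on a network that has not deployed IPv6, any RA at all is worth an alert.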