The Domain Name System, or DNS, is a service on the internet that turns names (such as routercheck.com) into IP addresses (the numbers that computers on the internet use to locate each other). It’s important because computers need IP addresses to communicate, but those numbers are too cumbersome for people to remember. DNS lets people remember easy-to-use names and silently converts them into IP addresses when necessary.
You can think of the process as similar to what happens when you call someone on the phone. The phone system requires you to use that person’s phone number, but who remembers phone numbers anymore? To call someone you simply search your phone for the person’s name, and the phone takes care of the details of knowing the number. Before cellphones, this process was handled by telephone directories (or by 411 for the lazy).
On the internet, the process for converting names into IPs is handled by a DNS server. There are many DNS servers running on the internet – most from ISPs, but some are run as public services such as Google DNS or OpenDNS.
There are also bad DNS servers
Most of the DNS servers out there do a good job. Unfortunately, whenever there’s a possibility to make a buck off of some mischief, there will be people who’ll try it.
Consider this: let’s say that there’s a criminal who’s running a DNS server somewhere on the internet, and he convinces you to use it. He’s set it up so that whenever you type in the address of your bank’s website, instead of resolving to the correct IP address of your bank, his crooked DNS server resolves it to the IP address of a phony website he put together that looks just like your bank. Not knowing the difference, you interact with his crooked website and, in doing so, give him your banking information, password, … everything.
As crazy and as difficult as this scheme seems, it happens all of the time. And unfortunately, it’s far easier to pull off than it would seem.
What does this have to do with your router
This scheme is easy to pull off except for one slight issue. Remember when we said that the criminal was running his bad server and “he convinces you to use it”? Well, no one is really going to try to convince you to use their server. The reason is that normally your computer decides which DNS server to use based on settings in your router’s configuration. What!? You didn’t set anything up in your router’s configuration? Then you’re probably using a DNS server that your ISP assigns for you.
And here’s where things get dangerous. If a hacker is successful in breaking into your router, the first thing he’s going to do is change the DNS server settings in your router to something that he controls. After that happens, every computer in your house is at risk.
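One way to notice this kind of redirection is to ask the resolver your router handed out and a resolver you trust the same question and compare the answers. The following is an added example, not RouterCheck’s code or a description of its (proprietary) method; the name bank.example and the addresses are constructed values in the RFC 5737 documentation ranges, and the response is built locally so the check can be exercised offline.

```python
import struct
import ipaddress

# Constructed sample values (not from the original page).
NAME = "bank.example"
EXPECTED_IP = "192.0.2.10"      # answer from a trusted resolver
HIJACKED_IP = "198.51.100.77"   # answer from a crooked resolver

def build_query(name, txid=0x1234):
    """Build a DNS wire-format query (RFC 1035) for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg):
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return ips

def build_response(query, ip):
    """Constructed response to `query` carrying one A record (stands in for a server)."""
    answer = (b"\xc0\x0c"                                    # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 300, 4)            # A, IN, TTL 300, 4-byte RDATA
              + ipaddress.IPv4Address(ip).packed)
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + answer

def detect_hijack(trusted_ips, observed_ips):
    """True when the router-assigned resolver's answers share nothing with a trusted one's."""
    return bool(observed_ips) and not set(trusted_ips) & set(observed_ips)
```

In practice the two answer sets would come from sending `build_query(NAME)` over UDP port 53 to each resolver; sites served from many addresses (CDNs) can differ legitimately between resolvers, so a mismatch is a reason to investigate, not proof by itself.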
Consequences of a malicious DNS server
When a hacker has changed the DNS server of a router, he can then carry out arbitrary man-in-the-middle attacks against users of the compromised router. Here is a list of several possible actions which can be carried out by redirecting certain DNS hostnames to an attacker server:
- Redirect users to phishing sites when opening a legitimate website
- Redirect users to browser exploits
- Block software upgrades
- Attack software updaters that don’t use cryptographic signatures
- Replace advertisements on websites by redirecting adservers
- Replace executable files downloaded from the official download site of legitimate software vendors
- Hijack email accounts by stealing the password if the mail client doesn’t enforce TLS/SSL with a valid certificate
This is really bad stuff. The worst part is that it all stems from a setting that’s easy to overlook. If your computer gets a virus because your router points to a bad DNS server, no amount of cleaning is going to stop the virus from returning over and over again.
Transparent DNS Proxies
There are widely accepted “rules” for how a DNS server should operate, and most of them do so correctly. Malicious DNS servers used to try to fool you and steal information are clearly not playing by the rules.
And then there are some servers that operate in a gray area – not necessarily malicious, but not strictly behaving according to the rules. These are Transparent DNS Proxy Servers. These servers are often run by ISPs who believe that they’re doing their customers a favor by using them. Since an ISP is responsible for relaying all of its customers’ traffic to and from the internet, it is in a unique position to modify certain types of requests. A transparent proxy is a DNS server that the ISP will use for its customers’ requests even if the customer’s request specifies that a different server be used. Often this is done in the name of ad revenue, something that really doesn’t benefit the end consumer at all.
RouterCheck and DNS
RouterCheck recognizes the importance of reliable DNS servers, and the fact that a router’s DNS server settings are often the most important target for a hacker. RouterCheck uses a proprietary system to identify whether the DNS server that your computer uses is problematic. RouterCheck should be used to check your router often to ensure that your router’s settings continue to stay safe.
Free WiFi that’s available in a coffeeshop or other public place is a great way to save data on a cellphone plan. But doing so comes with risks that shouldn’t be taken lightly. If you’re getting your DNS from a public WiFi hotspot, you need to be careful and ensure that you’re not using a malicious server. It’s unlikely that the owner of the hotspot did something malicious, but a coffeeshop full of unsuspecting people could be an irresistible target for a hacker.
RouterCheck can be used to check the DNS servers for a public WiFi system, and can be finished checking before your coffee is even poured.
To read more about real life issues with DNS, please look here.