Invented by Daavid Hentunen, WithSecure Oyj

The market for integrity checks of DNS server settings is a critical aspect of ensuring the security and reliability of the internet. DNS, or Domain Name System, is responsible for translating human-readable domain names into IP addresses that computers can understand. It plays a crucial role in connecting users to websites and other online services.

However, DNS server settings can be vulnerable to various attacks, such as DNS cache poisoning, DNS hijacking, and DNS amplification attacks. These attacks can lead to serious consequences, including redirecting users to malicious websites, intercepting sensitive information, and disrupting online services. To prevent such attacks and maintain the integrity of DNS server settings, organizations and individuals need to regularly check and verify the configuration and security of their DNS servers. This is where the market for integrity checks of DNS server settings comes into play.

There are several key players in this market, offering a range of solutions and services to ensure the integrity of DNS server settings. These solutions typically involve scanning and analyzing DNS server configurations, checking for vulnerabilities, and identifying any misconfigurations or security weaknesses.

One popular approach is to use automated tools that perform comprehensive scans of DNS server settings. These tools can detect common misconfigurations, such as open recursive resolvers or outdated software versions, which can leave DNS servers vulnerable to attacks. They can also identify any unauthorized changes or modifications made to the DNS server settings.

Another approach is to utilize managed DNS services provided by reputable vendors. These services often include built-in integrity checks and security measures, ensuring that DNS server settings are continuously monitored and protected. They may also offer additional features such as DDoS protection, DNSSEC (Domain Name System Security Extensions) implementation, and threat intelligence feeds.

The market for integrity checks of DNS server settings is driven by the increasing awareness of the importance of DNS security and the growing number of cyber threats targeting DNS infrastructure. With the rise of sophisticated attacks and the potential for significant damage, organizations are investing in proactive measures to safeguard their DNS server settings. Moreover, regulatory requirements and industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR), also emphasize the need for robust DNS security practices. Compliance with these regulations often necessitates regular integrity checks of DNS server settings.

In conclusion, the market for integrity checks of DNS server settings is a vital component of ensuring the security and reliability of the internet. With the increasing sophistication of cyber threats and the growing importance of DNS security, organizations and individuals are investing in solutions and services that can effectively detect and prevent attacks on DNS infrastructure. By regularly checking and verifying the integrity of DNS server settings, we can mitigate risks, protect users, and maintain the stability of the online ecosystem.

The WithSecure Oyj invention works as follows

The invention provides measures to enable/realize an integrity check of DNS server settings, thus enabling/realizing the detection of DNS hacking and hijacking. These measures can include, for example, triggering a DNS resolution operation by a device configured to provide a service using a DNS server setting, wherein the DNS server setting is used to perform DNS resolution or DNS forwarding in service provisioning, and acquiring the IP address of a DNS server device, configured to perform DNS resolution in service provisioning, by reading a DNS message that includes the IP address of the DNS server device as part of the triggered DNS resolution operation by the device.

Background for Integrity check of DNS server settings

In recent years, the use of DNS has increased to such an extent that today many services (including protocols, applications, and technologies) are using it. DNS is used for address resolution. Services that use DNS depend on valid DNS server settings to provide the service-requesting entity the appropriate functionality, or something similar. In this way, DNS servers, and in particular the DNS server settings, have become a target for attacks against the proper operation of services that use DNS. An attacker can misdirect a service by manipulating its DNS server settings.

As an example, Internet attacks are becoming more common in which users are redirected to fraudulent sites without their consent or knowledge. These attacks are sometimes referred to as 'pharming' attacks.

In such pharming, the DNS server settings are manipulated. This can be done anywhere in the DNS resolving chain, from the first DNS resolver up to the root DNS servers. Such pharming can be carried out on a client by manipulating the DNS settings locally, or on a device that keeps the DNS server settings, like a DHCP server, by setting a rogue DNS address.

That is, in a local network, the DNS server settings that are potentially vulnerable to a pharming attack can be configured in a client or in other local-area devices such as a local DHCP server, e.g. a router used in the local network, for example a home or SOHO router or a (wireless) access point or base station in the local network.

Here, the main focus is on attacks against devices that keep DNS server settings, such as DNS server devices (including DNS forwarder devices), including but not restricted to DNS server devices (and DNS forwarder devices) within a local network. Local-area DHCP servers, for example, typically assign IP (Internet Protocol) addresses and advertise default gateway and DNS server addresses to client devices, and can include e.g. home routers, SOHO routers (SOHO is short for Small-Office and Home-Office), wireless base stations, access points or other network elements that include a DHCP server or DHCP functionality. An attacker can spoof a local-area DHCP device by gaining access, e.g. by using a default or software vulnerability, and can then manipulate the DNS server settings.

There are two main ways that attackers try to make money today by hacking or hijacking DNS server settings, e.g. on DHCP servers (although other ways to make money are still possible): 1) attacks on online banking, and 2) hacking or hijacking of search engines. In both attacks, the attacker changes the DNS address advertised via DHCP so that it points to a DNS server controlled by the attacker, or injects a setting for a local DNS (if one exists). By controlling where a specific URL (such as a URL for online banking like e.g. The attacker can earn affiliate revenue by controlling the search engine request, or other pages of this type.

In practice, such pharming on local devices such as local DHCP servers, or SOHO pharming, is possible for several reasons. This is mainly because local-area DHCP server devices like home and SOHO routers tend to be managed/administered in a less professional/expedient way than DHCP servers or routers in larger networks. These local-area DHCP servers, like SOHO and home routers, are often old, not maintained properly, have factory default passwords, have a management interface that is open to the local area network or the Internet, allow UPnP (Universal Plug and Play) settings to be changed from an Internet-facing interface, or run an outdated Linux version that is not updated and is therefore vulnerable to security issues. Due to this, the integrity of local-area DNS server settings can be corrupted either by malware on an infected device in the local area or by an outside attacker from the Internet.

Thereby, local-area networks, including DHCP servers, represent an attractive target to pharming and can be easily exploited to create serious risks (by becoming involved in a network of hacked/hijacked devices).

Such risks get even more aggravated by the situation that people managing/administering local-area network equipment including DHCP server devices are typically less experienced or even less qualified than professional system administrators responsible for network equipment including DHCP server devices in larger networks. That is, for average-skill people managing/administering local-area network equipment including DHCP server devices, it is very difficult, if not impossible, to check if their local-area DHCP server devices have been hacked/hijacked.

The same principles that were described for pharming in local network environments could be applied to any DNS-related attack in different scenarios.

Accordingly, it is necessary to enable an integrity test of the DNS server settings, in order to detect DNS hacking and hijacking. This integrity check should be simple to use and not require specific system administration knowledge.

Various exemplifying embodiments of the invention aim to address at least part of the above issues or problems.

The appended claims describe various aspects of embodiments that illustrate the invention.

The present invention provides a method for checking the integrity of DNS server settings. This includes triggering a DNS Resolution operation by a device that is configured to provide service using the DNS Server Setting, reading the DNS message containing the DNS Server Device’s IP address, and evaluating the integrity of DNS server settings used in the service provisioning.
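The three steps of the method (trigger, read the DNS message, evaluate), sketched as an added example that is not code from the patent or from WithSecure. It assumes, beyond what the page states, that the probe name `probe.dns-check.example` (hypothetical) is answered by a check server that places the contacting DNS server's address in an A record, and it evaluates against an operator-supplied list of expected networks; the response bytes are constructed in place of a live query.

```python
import ipaddress
import struct

# Assumption (not stated on the page): the check service's authoritative name
# server answers a query for a hypothetical probe name with an A record holding
# the source address of the DNS server device that contacted it.
PROBE_NAME = "probe.dns-check.example"  # hypothetical

def build_sample_response(addr: str, txid: int = 0x1234) -> bytes:
    """Constructed stand-in for the DNS message read by the checking device."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in PROBE_NAME.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, NOERROR
    question = qname + struct.pack("!HH", 1, 1)               # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4)  # pointer to qname
    return header + question + answer + ipaddress.IPv4Address(addr).packed

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer ends the name
            return off + 2
        off += 1 + length

def dns_server_ip(msg: bytes) -> ipaddress.IPv4Address:
    """Read the DNS server device's address out of the response message."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a successful DNS response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            return ipaddress.IPv4Address(msg[off:off + 4])
        off += rdlen
    raise ValueError("no A record in answer section")

def evaluate_integrity(msg: bytes, expected_networks: list[str]) -> str:
    """'ok' if the observed DNS server lies in a network the operator expects."""
    ip = dns_server_ip(msg)
    ok = any(ip in ipaddress.ip_network(n) for n in expected_networks)
    return "ok" if ok else "suspect"
```

A "suspect" result means the DNS server that actually performed the resolution is not one the operator configured, which is the condition the integrity check is meant to surface.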

The present invention provides an example of an apparatus that includes a memory to store computer code and a processor to read and run the code. The processor is configured to cause the apparatus to perform the following: triggering a DNS resolution operation by a service device configured to provide a service using the DNS server setting, wherein DNS resolution is performed using the DNS server setting in service provisioning; and acquiring the IP address of a DNS server device, which is configured for DNS resolution in service provisioning, by reading a DNS message containing the IP address of the DNS server device as part of the triggered DNS resolution operation.

The present invention provides an apparatus that includes means for triggering DNS resolution operations by a device configured to provide service, using the DNS Server setting. This device is configured to perform DNS Resolution in service Provisioning.

The present invention provides a computer-executable program code that, when executed on a computing device, causes the computer to execute a method including: triggering a DNS Resolution operation by a device configured to provide service, using the DNS Server Setting, wherein this setting is used to perform DNS Resolution in service Provisioning; acquiring the address of a DNS Server Device, which is configured for DNS Resolution in service Provisioning, by reading an IP address included in a DNS Message as part of triggered DNS Resolve

According to one example aspect of the invention, a computer program product comprising computer-executable program code is provided which, when the code is executed or the program is run on a computer (e.g. a computer that is part of an apparatus according to one of the apparatus-related example aspects of the invention above), is configured to cause the computer to perform the method according to the method-related example aspect of the invention.

The computer program product may comprise or may be embodied as a (tangible/non-transitory) computer-readable (storage) medium or the like, on which the computer-executable computer program code is stored, and/or the program is directly loadable into an internal memory of the computer or a processor thereof.

The following paragraphs describe further developments and/or modifications of the aforementioned example aspects of the invention with reference to the drawings.

By way of exemplifying embodiments of the invention, integrity checks of DNS server settings are enabled/realized, which in turn enables/realizes detection of DNS hacking and hijacking. The integrity of any DNS server setting, used by any service, in any scenario can be verified without the need for specific system administration knowledge.
