Is your organization leaking sensitive Dynamic DNS data? Here’s how to find out

Ami Luttwak
August 6, 2021

At Black Hat on Wednesday, Wiz researchers disclosed a vulnerability in DNS hosting services that affects millions of corporate endpoints. AWS and Google have already patched the vulnerability, but many other DNS providers and their customers may still be at risk of leaking sensitive internal network data.

To protect themselves, organizations are advised to ensure their Dynamic DNS settings are configured correctly. To check if your organization is vulnerable, we’ve released the Dynamic DNS Checker, a free online tool that tests DNS configuration.

What is the vulnerability?

The Dynamic DNS Leak is a vulnerability affecting Windows endpoints that can expose Dynamic DNS traffic that should never leave an internal network. A malicious actor could exploit this vulnerability to learn your organization’s computer names, internal and external IP addresses, employee names and locations, and more.

For details on the vulnerability, see our companion blog post.

We're urging DNS providers to fix the underlying nameserver hijacking issue that leaves customers exposed (Amazon Route53 and Google have already done so). Ultimately, however, customers are responsible for configuring their DNS resolvers properly so that dynamic DNS updates do not leave their internal network. Every organization should take steps to prevent its data from leaking.

How can I check if I am vulnerable?

Our research team created a free tool to check whether your domain is vulnerable. The tool checks the SOA record of your domain to see if it is misconfigured. If it is, the tool looks for suspicious domain names on the nameserver to alert customers to an active exploitation risk.

What can I do to fix it?

Organizations should properly configure their SOA records on public DNS providers to point either to an invalid domain they own or to a valid internal Dynamic DNS server. Organizations that have their SOA records configured properly are not affected by this vulnerability.
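The two checks described above (inspect the zone's SOA record, then decide whether its MNAME is the safe or the misconfigured case) can be reproduced offline. The following is an added example and is not the Dynamic DNS Checker's code or any code from the original post. It assumes the SOA answer is supplied as a dig-style text line, that the zone's public NS set is supplied as a list, and that an MNAME living in the public DNS provider's nameserver namespace is the misconfigured case, while an MNAME under a domain the organization owns or pointing at an internal Dynamic DNS server is the corrected configuration the post recommends. All domain and nameserver names are constructed for the example.

```python
"""Offline classification of a zone's SOA MNAME for the Dynamic DNS leak condition.

Assumptions (not from the original post): the SOA record is a dig-style
answer line, the zone's public NS hostnames are given as a list, and an
MNAME inside the public provider's nameserver namespace is the misconfigured
case. Every name below is constructed; none is a real domain or nameserver.
"""
import re

# Constructed sample data in `dig +noall +answer` format.
SAMPLE_SOA = ("example-corp.test. 900 IN SOA ns-1234.example-dnsprovider.test. "
              "hostmaster.example-corp.test. 2021080601 7200 900 1209600 86400")
PUBLIC_NS = ["ns-1234.example-dnsprovider.test.", "ns-5678.example-dnsprovider.test."]


def normalize(name: str) -> str:
    """Lowercase a DNS name and strip the trailing dot so comparisons are exact."""
    return name.strip().lower().rstrip(".")


def parent_domain(name: str, labels: int = 2) -> str:
    """Return the last `labels` labels of a name, used to group a provider's nameservers."""
    parts = normalize(name).split(".")
    return ".".join(parts[-labels:])


def parse_soa(line: str) -> dict:
    """Parse one dig-style SOA answer line into its named fields."""
    fields = re.split(r"\s+", line.strip())
    # owner ttl class SOA mname rname serial refresh retry expire minimum
    if len(fields) < 11 or fields[3].upper() != "SOA":
        raise ValueError("not an SOA answer line: %r" % line)
    return {
        "owner": normalize(fields[0]),
        "mname": normalize(fields[4]),
        "rname": normalize(fields[5]),
        "serial": int(fields[6]),
    }


def classify_mname(mname, public_ns, owned_domains=(), internal_servers=()):
    """Classify where dynamic DNS updates addressed to MNAME would end up.

    ok-internal   : MNAME is an internal Dynamic DNS server the organization runs.
    ok-owned      : MNAME is under a domain the organization owns (an invalid or
                    owned name, as the post recommends), so nobody else can claim it.
    misconfigured : MNAME is one of the public provider's nameservers, or another
                    name in that provider's nameserver namespace.
    review        : none of the above; a human should look at it.
    """
    m = normalize(mname)
    if m in {normalize(s) for s in internal_servers}:
        return "ok-internal"
    for owned in owned_domains:
        o = normalize(owned)
        if m == o or m.endswith("." + o):
            return "ok-owned"
    pub = {normalize(n) for n in public_ns}
    if m in pub or parent_domain(m) in {parent_domain(n) for n in pub}:
        return "misconfigured"
    return "review"


def check_zone(soa_line, public_ns, owned_domains=(), internal_servers=()):
    """Parse the SOA line and return (mname, verdict) for the zone."""
    soa = parse_soa(soa_line)
    verdict = classify_mname(soa["mname"], public_ns, owned_domains, internal_servers)
    return soa["mname"], verdict


if __name__ == "__main__":
    # Typical hosted-zone default: MNAME is the provider's own nameserver.
    print(check_zone(SAMPLE_SOA, PUBLIC_NS, owned_domains=["example-corp.test"]))
    # Corrected zone: MNAME points at a name under the organization's own domain.
    fixed = SAMPLE_SOA.replace("ns-1234.example-dnsprovider.test.", "invalid.example-corp.test.")
    print(check_zone(fixed, PUBLIC_NS, owned_domains=["example-corp.test"]))
```

The `owned_domains` check runs before the provider check on purpose: if an organization hosts its own public nameservers under its own domain, an MNAME pointing at them is still under that organization's control and should not be flagged. The `review` verdict exists so that an unfamiliar MNAME is surfaced rather than silently passed.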

In the figure below you can see a sample configuration that prevents this vulnerability from being exploited.
