Is your organization leaking sensitive Dynamic DNS data? Here’s how to find out

At Black Hat on Wednesday, Wiz researchers disclosed a vulnerability in DNS hosting services that affects millions of corporate endpoints.


AWS and Google have already patched the vulnerability, but many other DNS providers and their customers may still be at risk of leaking sensitive internal network data.

To protect themselves, organizations are advised to ensure their Dynamic DNS settings are configured correctly. To check if your organization is vulnerable, we’ve released the Dynamic DNS Checker, a free online tool that tests DNS configuration.

What is the vulnerability?

The Dynamic DNS Leak is a vulnerability affecting Windows endpoints that can expose Dynamic DNS traffic that should never leave an internal network. A malicious actor could exploit this vulnerability to learn your organization’s computer names, internal and external IP addresses, employee names and locations, and more.

For details on the vulnerability, see our full blog post.

We're urging DNS providers to fix the underlying nameserver hijacking issue that leaves customers exposed (Amazon Route53 and Google have already done so). But ultimately, customers are responsible for configuring their DNS resolvers properly so that dynamic DNS updates do not leave their internal network. Every organization should take steps to prevent its data from leaking.

How can I check if I am vulnerable?

Our research team created a free tool to check if your domain is vulnerable. The tool checks the SOA record of your domain to see if it is misconfigured. If it is, the tool looks for suspicious domain names on the nameserver to alert customers to an active exploitation risk.

What can I do to fix it?

Organizations should properly configure their SOA records on public DNS providers to point either to an invalid domain they own or to a valid internal Dynamic DNS server. Organizations that have their SOA records configured properly are not affected by this vulnerability.

In the figure below you can see a sample configuration that prevents this vulnerability from being exploited.
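The two checks described above (read the zone's SOA record, then decide whether its primary nameserver is one you control) can be scripted locally. The following is an added example, not Wiz's Dynamic DNS Checker and not code from the original post. It parses the single line that `dig +short SOA <zone>` prints and applies the article's rule: the SOA MNAME is acceptable if it is your internal Dynamic DNS server or a (possibly non-existent) name under a domain you own; anything else is flagged. The sample SOA lines, the `provider-nameserver.example` host and the `corp.internal` suffix are constructed placeholders, not real records.

```python
"""Check a public zone's SOA MNAME for Dynamic DNS leak exposure.

Added example; the decision rule encodes the article's advice and the
sample records are constructed. Get a real record with:
    dig +short SOA example.com
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class SoaRecord:
    mname: str   # primary master nameserver: where dynamic-update clients send updates
    rname: str   # responsible-person mailbox (not relevant to this check)
    serial: int


def _norm(name: str) -> str:
    """Canonicalise a DNS name: strip trailing dot, lower-case."""
    return name.rstrip(".").lower()


def _under(name: str, suffix: str) -> bool:
    """True if `name` equals `suffix` or is a subdomain of it."""
    name, suffix = _norm(name), _norm(suffix)
    return name == suffix or name.endswith("." + suffix)


def parse_soa(dig_short_output: str) -> SoaRecord:
    """Parse `dig +short SOA` output: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    fields = dig_short_output.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}: {dig_short_output!r}")
    return SoaRecord(mname=_norm(fields[0]), rname=_norm(fields[1]), serial=int(fields[2]))


def classify_mname(soa: SoaRecord,
                   owned_domains: Iterable[str],
                   internal_ddns_hosts: Iterable[str]) -> str:
    """Return one of:
      'ok-internal' : MNAME is an internal Dynamic DNS server you run
      'ok-owned'    : MNAME sits under a domain you own (it need not resolve)
      'at-risk'     : MNAME is a name you do not control, so endpoints that
                      follow the SOA would send dynamic updates to someone else
    """
    if any(_norm(soa.mname) == _norm(h) for h in internal_ddns_hosts):
        return "ok-internal"
    if any(_under(soa.mname, d) for d in owned_domains):
        return "ok-owned"
    return "at-risk"


def check_zone(zone: str, dig_short_output: str,
               owned_domains: Iterable[str],
               internal_ddns_hosts: Iterable[str]) -> dict:
    """Convenience wrapper returning a small report for one zone."""
    soa = parse_soa(dig_short_output)
    return {"zone": _norm(zone), "mname": soa.mname,
            "verdict": classify_mname(soa, owned_domains, internal_ddns_hosts)}


if __name__ == "__main__":
    # Constructed sample records for a hypothetical organisation owning example.com.
    owned = {"example.com"}
    internal = {"ddns.corp.internal"}
    samples = [
        # MNAME is the provider's shared nameserver name: not under your control.
        "ns1.provider-nameserver.example. hostmaster.example.com. 2021080401 7200 900 1209600 86400",
        # MNAME is a deliberately non-existent name under a domain you own.
        "ddns-sink.example.com. hostmaster.example.com. 2021080402 7200 900 1209600 86400",
        # MNAME is the internal Dynamic DNS server.
        "ddns.corp.internal. hostmaster.example.com. 2021080403 7200 900 1209600 86400",
    ]
    for line in samples:
        print(check_zone("example.com", line, owned, internal))
```

Run it against real output by replacing the constructed lines with the text `dig +short SOA yourzone` prints; an `at-risk` verdict means the public SOA still advertises a primary nameserver your organisation does not control, which is the condition the article tells you to fix.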
