dns

37 Articles

This Week In Security: Annoyed Researchers, Dangling DNS, And Hacks That Could Have Been Worse

April 24, 2026 by 13 Comments

The author of the BlueHammer exploit, which was released earlier this month and addressed in the last Patch Tuesday, continues to be annoyed with the responses from the Microsoft security research and vulnerability response team, and has released another Windows zero-day attack against Windows Defender.

The RedSun exploit targets a logic and timing error in Windows Defender, convincing it to install the target file in the system, instead of quarantining the file and protecting the system. Not, generally, what you would hope would happen.

Since the RedSun attack requires local access in the first place, it seems unlikely Microsoft will release an out-of-sequence patch for it, however with public code available, we can probably expect to see malware leveraging it to establish higher permissions on an infected system.

Releasing exploits out of spite feels like a return to the late 1990s, and I almost don’t hate it.

University Domains Hijacked

Reported in Bleeping Computer, a group tracked as “Hazy Hawk” has been hijacking unmaintained DNS records of universities and government institutions to serve ad click spam.

The attack seems simple and doesn’t even require compromising the actual institution, using dangling DNS “CNAME” records. A “CNAME” entry in DNS acts essentially as an alias, pointing one domain name at another, which can be used to provide content from an official domain that is hosted on a cloud service where the IP address of the service might change.

A DNS “A” (or “AAAA” if you speak IPv6) record points a hostname – like “foo.example.com” – to an IP address – like “1.1.1.1”. A “CNAME” record points a hostname to another hostname, like “foo.some_cloud_host.com”. Scanning “high value” domains (like Ivy League universities) for “CNAME” records which point to expired domains (or domains on cloud hosted providers which no longer exist) lets anyone able to register that domain (or create an account with the proper naming scheme on the cloud host) to post any content they wish, and still appear to be the original name.

At least 30 educational institutions have been impacted, along with several government agencies including the CDC.

Continue reading “This Week In Security: Annoyed Researchers, Dangling DNS, And Hacks That Could Have Been Worse”

The D In DNS Stands For DOOM

March 31, 2026 by 6 Comments

As literally everything ought to be able to play DOOM in some fashion, [Adam Rice] recently set out to make the venerable DNS finally play the game after far too many decades of being DOOM-less. You may be wondering how video games and a boring domain records database relate to each other. This is where DNS TXT records come into play, which are essentially fields for arbitrary data with no requirements or limitations on this payload, other than a 2,000 character limit.

Add to this the concept of DNS zones which can contain thousands of records and the inkling of a plan begins to form. Essentially the entire game (in C#) is fetched from TXT records, loaded into memory and run from there. This is in some ways a benign form of how DNS TXT records can be abused by people with less harmless intentions, though [Adam] admits to using the Claude chatbot to help with the code, so YMMV.

The engine and WAD file with the game’s resources are compressed to fit into 1.7 MB along with a 1.2 MB DLL bundle, requiring 1,966 TXT records in Base64 encoding on a Cloudflare Pro DNS zone. With a free Cloudflare account you’d need to split it across multiple zones. With the TXT records synced across the globe, every caching DNS server in the world now has a copy of DOOM on it, for better or worse.

You can find the project source on GitHub if you want to give this a shake yourself.

Thanks to [MrRTFM] for the tip.

This Week In Security: DNS Oops, Novel C2s, And The Scam Becomes Real

September 5, 2025 by 7 Comments

Something rather significant happened on the Internet back in May, and it seems that someone only noticed it on September 3rd. [Youfu Zhang] dropped a note on one of the Mozilla security mailing lists, pointing out that there was a certificate issued by Fina for 1.1.1.1. That IP address may sound familiar, and you may have questions.

First off, yes, TLS certificates can be issued for IP addresses. You can even get a numeric TLS certificate for your IP address, via Lets Encrypt. And second, 1.1.1.1 sounds familiar because that’s CloudFlare’s public DNS resolver. On that address, Cloudflare notably makes use of DoH, a charming abbreviation for DNS over HTTPS. The last important detail is that Cloudflare didn’t request or authorize the certificate. Significant indeed.

This is a high-profile example of the major weakness of the TLS certificate system. There are over 300 trusted certificate authorities in the Microsoft Root Certificate Program, Financijska agencija (Fina) being one of them. All it takes is for one of those trusted roots to issue a bad certificate, to compromise that system. That it took four months for someone to discover and point out the problem isn’t great. Continue reading “This Week In Security: DNS Oops, Novel C2s, And The Scam Becomes Real”

This Week In Security: Zimbra, DNS Poisoning, And Perfctl

October 4, 2024 by 6 Comments

Up first this week is a warning for the few of us still brave enough to host our own email servers. If you’re running Zimbra, it’s time to update, because CVE-2024-45519 is now being exploited in the wild.

That vulnerability is a pretty nasty one, though thankfully requires a specific change from default settings to be exposed. The problem is in postjournal. This logging option is off by default, but when it’s turned on, it logs incoming emails. One of the fields on an incoming SMTP mail object is the RCPT TO: field, with the recipients made of the to, cc, and bcc fields. When postjournal logs this field, it does so by passing it as a bash argument. That execution wasn’t properly sanitized, and wasn’t using a safe call like execvp(). So, it was possible to inject commands using the $() construction.

The details of the attack are known, and researchers are seeing early exploratory attempts to exploit this vulnerability. At least one of these campaigns is attempting to install webshells, so at least some of those attempts have teeth. The attack seems to be less reliable when coming from outside of the trusted network, which is nice, but not something to rely on.

New Tool Corner

What is that binary doing on your system? Even if you don’t do any security research, that’s a question you may ask yourself from time to time. A potential answer is WhoYouCalling. The wrinkle here is that WYC uses the Windows Event Tracing mechanism to collect the network traffic strictly from the application in question. So it’s a Windows only application for now. What you get is a packet capture from a specific executable and all of its children processes, with automated DNS capture to go along. Continue reading “This Week In Security: Zimbra, DNS Poisoning, And Perfctl”

This Week In Security: Drama At The C-Level, Escape Injection, And Audits

May 24, 2024 by 6 Comments

There was something of a mystery this week, with the c.root-servers.net root DNS server falling out of sync with it’s 12 siblings. That’s odd in itself, as these are the 13 servers that keep DNS working for the whole Internet. And yes, that’s a bit of a simplification, it’s not a single server for any of the 13 entities — the C “server” is actually 12 different machines. The intent is for all those hundreds of servers around the world to serve the same DNS information, but over several days this week, the “C” servers just stopped pulling updates.

The most amusing/worrying part of this story is how long it took for the problem to be discovered and addressed. One researcher cracked a ha-ha-only-serious sort of joke, that he had reported the problem to Cogent, the owners of the “C” servers, but they didn’t “seem to understand that they manage a root server”. The problem first started on Saturday, and wasn’t noticed til Tuesday, when the servers were behind by three days. Updates started trickling late Tuesday or early Wednesday, and by the end of Wednesday, the servers were back in sync.

Cogent gave a statement that an “unrelated routing policy change” both affected the zone updates, and the system that should have alerted them to the problem. It seems there might room for an independent organization, monitoring some of this critical Internet Infrastructure.

Continue reading “This Week In Security: Drama At The C-Level, Escape Injection, And Audits”

Mailblocks Makes Your Phone Work More Like The Post, Kinda?

December 23, 2023 by 3 Comments

Phones can be distracting, with notifications popping up all the time to snare our attention and maybe even ruin our lives. [Guy Dupont] wishes to be no slave to the machine, and thus built a solution. Enter Mailblocks.

The concept is simple. It’s a physical mailbox which [Guy] can put his phone in. All notifications on the phone are blocked unless he puts his phone into the box. When the phone is inside and the box is closed, the little red flag goes up, indicating “DOPAMINE” is available, and [Guy] can check his notifications.

To achieve this, [Guy] is running a custom DNS server. It redirects all the lookups for push notifications on Android so they go nowhere. Placing the phone in the mailbox turns the re-directions off, so the phone can contact the usual servers and get its notifications as normal.

It’s a novel way of fighting against the constant attention suck of modern smartphones. Rather than being bombarded by notifications in real time, [Guy] instead has to take a significant intentional physical action to check the notifications. It cuts the willpower required and the interruptions to his work in a fell swoop.

We’ve featured [Guy’s] innovative and outside-the-box projects before, too. His smart pants were an absolute tour de force, I might add.

Continue reading “Mailblocks Makes Your Phone Work More Like The Post, Kinda?”