The Internet works because of clever glue that keeps the ecosystem running. One piece of that glue is the Domain Name System – DNS.
What is the DNS?
Every computer that communicates with others on the Internet must have a unique numerical identifier called the Internet Protocol (IP) number, or IP address. The Internet Protocol comes in Version 4, referred to as IPV4, and Version 6, referred to as IPV6. (For the purists: IPV5 was experimental, as were IPV1 to IPV3.)
IP numbers are very difficult for humans to remember. To make life simpler for humans, Domain Names were invented. This means we can type http://www.google.com, which is the domain name for Google, instead of http://126.96.36.199, which happens to be the IP address of Google.
When you type in the Domain Name, the browser or computer converts the domain name into the IP address, and then fetches the information for you from the resulting IP address. The computer is able to make the conversion by consulting a database of Domain Names and their corresponding IP addresses that lives out there on the Internet. This database is served by the Domain Name System Server (DNS Server).
Every computer stores the IP address of the DNS Server that it consults when it wants to look up a domain name. There lies the problem!!
By changing the IP address of the DNS Server stored in the computer, it is possible to trick the system into talking to a rogue DNS Server that returns the wrong IP address, thereby redirecting the unsuspecting user to the wrong website.
Imagine you are trying to check the balance of your bank account. You enter the domain name of your bank into your browser, get to the website, you are prompted for username and password, and voila, you are told your password is invalid. Of course, you reached some rogue website. Meanwhile, some rogues are using the valid credentials to log in to the real website, busy cleaning out your hard-earned pension and savings! So much for a very small remotely exploitable hole in DNS.
The hole was exploited!!
Over a year ago, some crafty scammers in Estonia (yes, not Nigeria!!) created the “Internet Doomsday” virus, which changed the DNS Server addresses on infected PCs to their own DNS servers, thereby netting about $14 million in bogus advertising revenue. Of course, they got caught!
After U.S. and Estonian authorities busted the criminals in November 2011, a US Federal Judge ordered that the FBI should run temporary servers in place of the criminals’ servers, giving those infected the chance to clean their computers.
More work for more people
Every challenge is an opportunity, that is what my teacher said. In response to the virus, the DNS Changer Working Group (http://www.dcwg.org) was created (by the FBI working through that Judge, of course!) to help mitigate the effect of the virus.
Of course, the FBI wants your help: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS I am not sure whether the crime counts as terrorism, and whether the smart Estonians will be sent to Gitmo!
End of the FBI Grace
The temporary FBI servers will shut down at 12:01 a.m. EDT on Monday, meaning anyone using a computer still infected with the virus will likely lose Internet access.
Imagine no Facebook, no Twitter and no Google for you. Now, that is what I call DISASTER!
Are you Infected?
You can check whether you are infected by visiting the site http://dns-ok.us. A DNS Resolution = GREEN means that you are not infected.
Can ISPs help?
Internet Service Providers (ISPs) can help their subscribers who may have been infected by noting the DNS requests going to the FBI Temporary Servers (actually the Estonian IP addresses) and redirecting these requests to Public DNS Servers like the Google DNS Server with the IP address 188.8.131.52.
I fixed my gateway running the Mikrotik RouterOS with the following commands:
/ip firewall address-list
add address=184.108.40.206/24 disabled=no list=dnschanger
add address=220.127.116.11/20 disabled=no list=dnschanger
add address=18.104.22.168/21 disabled=no list=dnschanger
add address=22.214.171.124/24 disabled=no list=dnschanger
add address=126.96.36.199/20 disabled=no list=dnschanger
add address=188.8.131.52/20 disabled=no list=dnschanger
/ip firewall nat
# record the source address of every subscriber still querying the rogue ranges,
# so they can be contacted (the list name dnschanger-clients is my own choice)
add action=add-src-to-address-list address-list=dnschanger-clients \
    chain=dstnat disabled=no dst-address-list=dnschanger \
    dst-port=53 protocol=udp
# then rewrite the destination so the query reaches the public Google resolver instead
add action=dst-nat chain=dstnat disabled=no \
    dst-address-list=dnschanger dst-port=53 protocol=udp \
    to-addresses=188.8.131.52 to-ports=53
If you are an ISP, you can do the same (just copy and paste) and help some folks out there. If you are an end-user, just ensure your ISP is clued in on this. You can tell them about this blog post 😉
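The same two checks the post describes, the end-user one (are my configured nameservers inside the rogue ranges?) and the ISP one (which subscribers are still sending DNS queries to those ranges?), written out as a small Python script. This is an added example, not code from the post, from dcwg.org or from dns-ok.us. The rogue ranges are copied from the address list above; the resolv.conf text and the flow records are constructed sample input, and the one-line flow record format is my own assumption rather than any real collector's output.

```python
"""Rogue-DNS checks: added example, not code from the post or from dcwg.org.

The resolver ranges come from the address list in the post; the resolv.conf
text and the flow records below are constructed sample input, and the flow
record format is an assumption, not any real collector's format.
"""
import ipaddress
import re

# Ranges of the rogue resolvers, copied from the post's Mikrotik address list.
# strict=False lets ipaddress accept a host address written with a prefix length.
ROGUE_RANGES = [
    ipaddress.ip_network(cidr, strict=False)
    for cidr in (
        "184.108.40.206/24",
        "220.127.116.11/20",
        "18.104.22.168/21",
        "22.214.171.124/24",
        "126.96.36.199/20",
        "188.8.131.52/20",
    )
]

# Constructed sample: the resolver file of one hypothetical infected host.
# 192.0.2.53 is a documentation address standing in for a clean resolver.
SAMPLE_RESOLV_CONF = """# constructed sample, not a real host's configuration
nameserver 184.108.40.27
nameserver 192.0.2.53
"""

# Constructed sample flow records in an assumed "timestamp src:port -> dst:port proto" form.
# 203.0.113.x are documentation addresses standing in for subscribers.
SAMPLE_FLOWS = [
    "2012-07-08T10:00:01 203.0.113.10:51022 -> 220.127.116.11:53 udp",  # rogue resolver
    "2012-07-08T10:00:02 203.0.113.11:40001 -> 192.0.2.53:53 udp",      # clean resolver
    "2012-07-08T10:00:03 203.0.113.10:51023 -> 18.104.22.170:53 udp",   # rogue, same subscriber
    "2012-07-08T10:00:04 203.0.113.12:44444 -> 18.104.22.170:80 tcp",   # not DNS at all
]

FLOW_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$"
)


def is_rogue(ip: str) -> bool:
    """True if the address falls inside one of the rogue resolver ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ROGUE_RANGES)


def rogue_nameservers(resolv_conf: str) -> list:
    """End-user check: the configured nameservers that point at the rogue ranges."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver" and is_rogue(parts[1]):
            found.append(parts[1])
    return found


def clients_using_rogue_dns(flow_lines) -> list:
    """ISP-side check: subscribers sending DNS queries (UDP/53) to the rogue ranges."""
    clients = set()
    for line in flow_lines:
        m = FLOW_RE.match(line)
        if not m:
            continue  # skip records that do not match the assumed format
        _ts, src, dst, dport, proto = m.groups()
        if proto == "udp" and dport == "53" and is_rogue(dst):
            clients.add(src)
    return sorted(clients)


if __name__ == "__main__":
    print("rogue nameservers in resolv.conf:", rogue_nameservers(SAMPLE_RESOLV_CONF))
    print("subscribers to notify:", clients_using_rogue_dns(SAMPLE_FLOWS))
```

On a real host you would feed `rogue_nameservers` the contents of the machine's resolver configuration; on the ISP side `clients_using_rogue_dns` gives the address list the Mikrotik rules above build in hardware, which is the list of subscribers to contact before the temporary servers go dark.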
Security is a never-ending game. There is still plenty of malware and many viruses out there. It is important to take care, especially while browsing social websites.
Back to the question that is the caption of this blog … The survival of your Internet connection is entirely in your hands. If you have read this blog, you now know what to do, and all should be well. Good luck and browse safe!