Hello, welcome to the Thursday, June 24th, 2021 edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

According to an article in dark reading, researchers at cloud security company,

this I have discovered a novel way to attack

software as a service providers that offer DNS, for example, Amazon's Route 53, but pretty

much all of the major cloud providers do have a DNS service that they offer and

apparently multiple of them are vulnerable.

We'll have to wait for a talk at the upcoming Black Hat conference for additional details,

but the dark reading article has a number of details and apparently one problem here is that it's possible

to get AWS, for example, to register a host name that matches an existing name server. If

you're owning a domain, then you typically register that domain via registra and if you want to run your own

name servers well then the NS records have also to be registered with your registra

and you more or less can often call these name servers whatever you would like they They don't have to necessarily be within your domain,

and often they are not in your domain. And this appears to be one of the problems here at least,

where it is possible to register the host name of an existing name server record and then pointed to your IP address.

The end effect here is that if a victim is looking up a domain that is hosted with this

particular name server, well, there's a good chance that your IP address is being returned

and then you will be able to intercept the requests

and of course gain whatever intelligence you typically can get from these requests.

In particular, of course, with Windows.

Some Windows clients are still sending DNS update requests to the domain server that's responsible for their own domain,

which then may tell you more about intricate client configuration issues.

...