Monitor your outbound DNS connections


Author: Paul Mah


Translated by endurer, 2009-04-08, 1st edition


Category: Infrastructure, security


Tags: DHCP, Monitor, Network, DNS, Trojan Horse, Server, Domain Names, Networking, Spyware, Adware & Malware




Consider monitoring or filtering outbound DNS connections to better protect your network against certain phishing attacks and a new breed of trojans that masquerade as DHCP servers.





Johannes Ullrich, CTO of the SANS Internet Storm Center, recently wrote about what appears to be a new rash of malware that directly targets network services. Once a host has been infected, the trojan sets up a rogue DHCP server on that host. Because DHCP is a broadcast protocol in which a client uses the first offer it receives, a workstation obtaining or renewing a lease on the same segment can be tricked into accepting the IP address of a malicious domain name server from the rogue server instead of the legitimate one.



This is not the first trojan of this kind, though. It appears to be a variant of Trojan.Flush.M, modified to be harder to detect: among other changes, it does not specify any DNS domain name in its offers and sets a relatively short DHCP lease time of one hour, so clients keep coming back to it.




The bottom line is that a single infected machine can trivially abuse DHCP to corrupt the DNS settings of every workstation on its network segment, other than hosts configured with static addresses that never ask a DHCP server for anything.
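The mechanism above can be checked on the wire. The following added example, written for this page and not part of the original article or of the SANS write-up, builds a legitimate and a rogue DHCPOFFER as constructed test packets, parses the BOOTP header and DHCP options, and flags the traits the article attributes to the Flush.M variant: an offer from a server identifier that is not the site's DHCP server, DNS servers outside an allow-list, a one-hour lease, and no domain name option. The trusted server 10.0.0.1, the resolver 10.0.0.53 and the client address are assumptions; the two DNS addresses in the rogue offer are the ones the article names.

```python
import struct
from ipaddress import IPv4Address

# Hypothetical site values (assumptions, not from the article).
TRUSTED_DHCP_SERVERS = {"10.0.0.1"}
APPROVED_DNS_SERVERS = {"10.0.0.53"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header


def build_offer(server_id, dns_servers, lease_seconds, domain=None, yiaddr="10.0.0.42"):
    """Build a minimal DHCPOFFER. Constructed test input, not a captured packet."""
    hdr = struct.pack(
        BOOTP_FMT,
        2, 1, 6, 0,                        # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
        0x3903F326, 0, 0x8000,             # xid, secs, flags (broadcast bit set)
        bytes(4),                          # ciaddr
        IPv4Address(yiaddr).packed,        # yiaddr: address offered to the client
        IPv4Address(server_id).packed,     # siaddr
        bytes(4),                          # giaddr
        b"\x00\x11\x22\x33\x44\x55" + bytes(10),  # chaddr (client MAC, padded)
        bytes(64), bytes(128))             # sname, file
    opts = bytes([53, 1, 2])                                     # message type: OFFER
    opts += bytes([54, 4]) + IPv4Address(server_id).packed       # server identifier
    opts += bytes([51, 4]) + struct.pack("!I", lease_seconds)    # lease time
    opts += bytes([1, 4]) + IPv4Address("255.255.255.0").packed  # subnet mask
    opts += bytes([3, 4]) + IPv4Address(server_id).packed        # router
    dns = b"".join(IPv4Address(d).packed for d in dns_servers)
    opts += bytes([6, len(dns)]) + dns                           # DNS servers
    if domain:                                                   # domain name (option 15)
        enc = domain.encode()
        opts += bytes([15, len(enc)]) + enc
    return hdr + MAGIC_COOKIE + opts + b"\xff"


def parse_dhcp(pkt):
    """Parse the BOOTP header and the DHCP option TLVs; reject truncated input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(BOOTP_FMT, pkt[:236])
    msg = {"op": f[0], "xid": f[4], "yiaddr": str(IPv4Address(f[8])), "options": {}}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        msg["options"][code] = value
        i += 2 + length
    return msg


def _addrs(blob):
    """Decode a run of packed IPv4 addresses, ignoring any trailing partial address."""
    return [str(IPv4Address(blob[k:k + 4])) for k in range(0, len(blob) - len(blob) % 4, 4)]


def assess_offer(msg, trusted_dhcp=TRUSTED_DHCP_SERVERS, approved_dns=APPROVED_DNS_SERVERS):
    """Return a list of findings for a DHCPOFFER; an empty list means nothing suspicious."""
    opts = msg["options"]
    findings = []
    if opts.get(53) != b"\x02":
        return findings                          # only offers are assessed here
    server_id = _addrs(opts.get(54, b""))
    if not server_id or server_id[0] not in trusted_dhcp:
        findings.append(f"offer from unknown DHCP server {server_id[0] if server_id else '?'}")
    bad_dns = [d for d in _addrs(opts.get(6, b"")) if d not in approved_dns]
    if bad_dns:
        findings.append("DNS servers outside allow-list: " + ", ".join(bad_dns))
    if 51 in opts and len(opts[51]) == 4:
        lease = struct.unpack("!I", opts[51])[0]
        if lease <= 3600:                        # the variant described uses a one-hour lease
            findings.append(f"short lease time {lease}s")
    if 15 not in opts:                           # weak signal on its own, but matches the write-up
        findings.append("no domain name option")
    return findings


if __name__ == "__main__":
    rogue = build_offer("10.0.0.77", ["64.86.133.51", "63.243.173.162"], 3600)
    for finding in assess_offer(parse_dhcp(rogue)):
        print("ROGUE OFFER:", finding)
```

In a real deployment the packets would come from a capture of UDP port 67/68 on the segment rather than from build_offer; the parsing and assessment are unchanged, and a legitimate offer from 10.0.0.1 handing out 10.0.0.53 with a one-day lease produces no findings.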






So how can one defend against this trojan as well as similar attacks?




Static IPs


The simplest defence against such trojans would be to hard-code the DNS settings on every workstation on the network. That is impractical, however, for anything larger than a couple of dozen nodes, and the growing use of wireless networks and laptops in the enterprise only adds to the inconvenience of static settings, since those machines move between networks.






Outbound DNS


A more practical approach for larger organisations is to monitor outbound DNS connections. This could mean logging every DNS query leaving the network, which is also useful for spotting suspicious traffic trends such as lookups of phishing domains. Such a drastic measure does come with its own share of user and possibly managerial resistance because of how invasive it is.






An even cleaner method is to run an internal DNS server that handles all name resolution for the network, and to block every other DNS connection, on both UDP and TCP port 53, that does not originate from that machine. If the resources to set up an internal DNS server are not available, a more capable firewall can instead be used to permit DNS traffic only to resolvers on an approved list. Note that neither measure removes a rogue DHCP server: clients it has pointed at an outside resolver will simply lose name resolution, and the firewall's log of dropped port 53 traffic is what tells you which clients were affected.




In the meantime, you might want to run a quick check that the IP addresses of the malicious DNS server, 64.86.133.51 and 63.243.173.162, are not currently being queried from your network.
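The monitoring and allow-list approach described under Outbound DNS, and the quick check for the two addresses above, can both be done from a firewall or flow log. The following added example is not from the original article; it reads constructed log lines in an assumed format (timestamp, source, destination, protocol, destination port), keeps only port 53 traffic, exempts the internal resolver's own upstream queries, and reports every client that talked to a resolver outside the allow-list, with a separate list of clients that reached the addresses named in the article. The resolver 10.0.0.53, the upstream forwarder 198.51.100.1, the client addresses and the log format are assumptions.

```python
import re
from collections import defaultdict

# Hypothetical site values (assumptions, not from the article).
INTERNAL_RESOLVER = "10.0.0.53"
APPROVED_RESOLVERS = {INTERNAL_RESOLVER}
# The two addresses the article gives for the malicious DNS server.
KNOWN_BAD_RESOLVERS = {"64.86.133.51", "63.243.173.162"}

# Constructed log lines in an assumed format: time src dst proto dport
SAMPLE_LOG = """\
2009-04-07T10:15:01Z 10.0.0.17 10.0.0.53 udp 53
2009-04-07T10:15:02Z 10.0.0.42 64.86.133.51 udp 53
2009-04-07T10:15:02Z 10.0.0.42 63.243.173.162 udp 53
2009-04-07T10:15:03Z 10.0.0.53 198.51.100.1 udp 53
2009-04-07T10:15:04Z 10.0.0.21 10.0.0.53 tcp 53
2009-04-07T10:15:05Z 10.0.0.21 203.0.113.9 udp 53
2009-04-07T10:15:06Z 10.0.0.17 10.0.0.80 tcp 443
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<proto>udp|tcp)\s+(?P<dport>\d+)$"
)


def parse_dns_flows(text):
    """Yield (timestamp, src, dst, proto) for every well-formed port-53 record."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["dport"] != "53":
            continue
        yield m["ts"], m["src"], m["dst"], m["proto"]


def audit_outbound_dns(text, approved=APPROVED_RESOLVERS,
                       resolver=INTERNAL_RESOLVER, known_bad=KNOWN_BAD_RESOLVERS):
    """Map each client to the resolvers it used and flag the ones that left the allow-list."""
    per_client = defaultdict(set)
    for _ts, src, dst, _proto in parse_dns_flows(text):
        per_client[src].add(dst)
    report = {"unapproved": {}, "known_bad": {}}
    for src, dsts in per_client.items():
        if src == resolver:
            continue                     # the resolver forwards upstream by design
        unapproved = sorted(d for d in dsts if d not in approved)
        if unapproved:
            report["unapproved"][src] = unapproved
        hits = sorted(d for d in dsts if d in known_bad)
        if hits:
            report["known_bad"][src] = hits
    return report


if __name__ == "__main__":
    result = audit_outbound_dns(SAMPLE_LOG)
    for client, resolvers in result["unapproved"].items():
        print(f"{client} used non-approved resolver(s): {', '.join(resolvers)}")
    for client, resolvers in result["known_bad"].items():
        print(f"{client} reached the known malicious DNS server: {', '.join(resolvers)}")
```

Run against a real export, the "unapproved" section is the list of hosts whose DNS settings no longer point at the internal resolver, which on a DHCP-managed network is exactly the symptom of a rogue server on that segment; the "known_bad" section answers the specific question of whether anyone has queried the two addresses above.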


Paul Mah is an independent tech writer, covering a range of topics from enterprise IT to mobile technology. Several times a week, he also indulges in teaching IT-related topics at a local polytechnic. You can reach him via his contact page at