Microsoft Flaw Allows Hijacking of DNS
A flaw in the Windows automatic DNS suffix appending feature could allow a malicious owner of specific domain names to control the web browsing of anyone who uses the feature. UPDATE: Web browsers seem to have built-in checking for this error, so the problem only applies to programs that use the nslookup utility to make their DNS queries. This includes user-written scripts. For those not familiar with it, you usually set the feature up here:
It is quite a useful feature: it allows people to type bare host names into the address field of their browser and the system will automatically append the ".com.au" to the end of the address. Companies can put their whole domain name in, for example "company.com.au", and users can then browse individual hosts by typing just "billing" or "sales" as needed without typing the whole address "billing.company.com.au". This feature doesn't just relate to web browsers. If you want to telnet to a particular host like a mail server or router, you are saved from typing the fully qualified name every time. You might not use this feature on your home computer, but it is probably used at your work.

To understand how the flaw works you need to look at how a Windows machine stages a DNS query. Here is an example of a DOS DNS query with my comments marked by arrows:

C:\>nslookup            <----- this is the DOS DNS query tool
> set d2                <----- this puts the tool into detailed mode
> apple.com.au          <----- this is a request to resolve the name apple.com.au to an IP address
Server:  home.gateway   <----- this is the name server that gets queried
Address:  192.168.1.254

------------            <----- between these lines is the first query
SendRequest(), len 37
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        apple.com.au.com.au, type = A, class = IN    <----- notice that the first query is "apple.com.au.com.au"
------------

Between these next lines is the response. Notice that there is no ANSWERS section, only an authority record.

------------
Got answer (102 bytes):
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        apple.com.au.com.au, type = A, class = IN
    AUTHORITY RECORDS:
    ->  au.com.au
        type = SOA, class = IN, dlen = 53
        ttl = 2560 (42 mins 40 secs)
        primary name server = ns1.ev1servers.net
        responsible mail addr = hostmaster.au.com.au   <----- notice that the owner of au.com.au doesn't respond with an ANSWER. He doesn't know of a host called "apple.com.au.com.au"
        serial  = 1153903967
        refresh = 16384 (4 hours 33 mins 4 secs)
        retry   = 2048 (34 mins 8 secs)
        expire  = 1048576 (12 days 3 hours 16 mins 16 secs)
        default TTL = 2560 (42 mins 40 secs)
------------

So now Windows asks a different question.

------------
SendRequest(), len 30
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        apple.com.au, type = A, class = IN    <----- this is the second query
------------

Notice that this time the response gets an ANSWERS section.

------------
Got answer (143 bytes):
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 3,  additional = 1

    QUESTIONS:
        apple.com.au, type = A, class = IN
    ANSWERS:                                <----- this time we get an answer
    ->  apple.com.au
        type = A, class = IN, dlen = 4
        internet address = 17.254.3.121
        ttl = 58391 (16 hours 13 mins 11 secs)
    AUTHORITY RECORDS:
    ->  apple.com.au
        type = NS, class = IN, dlen = 19
        nameserver = nserver.apple.com
        ttl = 85841 (23 hours 50 mins 41 secs)
    ->  apple.com.au
        type = NS, class = IN, dlen = 11
        nameserver = nserver2.apple.com
        ttl = 85841 (23 hours 50 mins 41 secs)
    ->  apple.com.au
        type = NS, class = IN, dlen = 15
        nameserver = nserver.asia.apple.com
        ttl = 85841 (23 hours 50 mins 41 secs)
    ADDITIONAL RECORDS:
    ->  nserver.asia.apple.com
        type = A, class = IN, dlen = 4
        internet address = 203.120.14.5
        ttl = 3589 (59 mins 49 secs)
------------
Non-authoritative answer:
Name:    apple.com.au
Address:  17.254.3.121
The most important thing to note is that DNS in Windows will go with the first correct answer it gets, and the first query goes to the "au.com.au" domain. If the owner of au.com.au actually had a host called apple.com.au.com.au, then your computer would be directed to that host instead of the real Apple Australia site.

This is where the dangerous part comes in. You can configure a DNS server so that if a query comes in for a host that does not exist in the zone, for example "missspelledhost.company.com.au", it is redirected to one particular host like "www.company.com.au". This is called wildcarding. If the owner of au.com.au did this, then he gets to control the browser of any user who has "com.au" set up in their domain suffix preferences and is making a DNS request for an Australian web site. I'll say it again: if a user types the fully qualified domain name of any Australian site into the browser, they would only see the au.com.au site. Get ready for a page full of advertisements.

It is also important to note that this isn't a theoretical exploit. A variation of this wildcarding occurred only yesterday, but it only related to MX (mail exchanger) records. This problem also occurs for every nation's domain system. Fortunately, ".com" is owned by CNET and they do not use this wildcarding. They are a large company with a reputation to uphold and so are unlikely to utilise this Windows flaw to gain traffic. The same cannot be said for the other nations. In Australia, "au.com.au" seems to be owned or managed by a very young man who appears to specialise in SEO. This isn't a Good Thing.

There are many purchasable domain name combinations that can exploit this flaw, e.g. nz.com.au, net.com.au, com.com.au. It also works in other countries: nz.co.nz, au.co.nz, net.co.nz. The combinations of registrable names that can exploit the flaw number in the thousands. Microsoft will need to attend to this flaw quickly.

The simple fix is for them to change the process so that the entered name is queried first, and the suffix-appended name is only queried if that one fails. Domain name registrars can also help by preventing these names from being registered or delisting ones that are already registered. You can rest assured that blackhat SEOs are registering every available combination of topleveldomain.topleveldomain right now.
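To make the lookup order and the proposed fix concrete, here is an added Python simulation that is not part of the original post. The zone data is constructed for the example (the wildcard on au.com.au is hypothetical), and the last function is a defender-side check that reports which "tld.suffix" names would catch suffix-appended lookups for a given suffix list.

```python
import random
import string

# Constructed zone data for this example (name -> IP). An entry starting with
# "*." stands for a wildcard record; the au.com.au wildcard is hypothetical.
ZONES = {
    "apple.com.au": "17.254.3.121",          # address seen in the nslookup trace
    "billing.company.com.au": "192.0.2.10",  # the intranet host the suffix is for
    "*.au.com.au": "198.51.100.7",           # wildcard that catches x.com.au.com.au
}

def lookup(name):
    """Stub resolver: exact match, else nearest wildcard ancestor, else None (NXDOMAIN)."""
    if name in ZONES:
        return ZONES[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in ZONES:
            return ZONES[wild]
    return None

def resolve_windows(name, suffixes, resolver=lookup):
    """Order observed in the trace: suffix-appended names first, the bare name last."""
    for s in suffixes:
        ip = resolver(f"{name}.{s}")
        if ip:
            return ip
    return resolver(name)

def resolve_fixed(name, suffixes, resolver=lookup):
    """The post's proposed fix: the name as typed first, suffixes only if that fails."""
    ip = resolver(name)
    if ip:
        return ip
    for s in suffixes:
        ip = resolver(f"{name}.{s}")
        if ip:
            return ip
    return None

def wildcard_risk(suffixes, tlds, resolver=lookup):
    """Defender check: which <tld>.<suffix> names answer for a random label?
    A hit means a typed name ending in .<tld> is caught once <suffix> is appended."""
    risky = []
    for s in suffixes:
        for t in tlds:
            label = "".join(random.choices(string.ascii_lowercase, k=12))
            if resolver(f"{label}.{t}.{s}"):
                risky.append(f"{t}.{s}")
    return risky
```

Against a live resolver, pass a `resolver` that wraps `socket.gethostbyname` and returns None on `socket.gaierror`, with your machine's configured suffix list as `suffixes`.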