Network Communication / IPv6 DNS Takeover

Description

IPv6 DNS Takeover is a security vulnerability that arises from misconfiguration or missing security controls on IPv6-enabled networks, including networks where hosts have IPv6 enabled by default but IPv6 is not actively managed. The Domain Name System (DNS) is a critical component of the Internet, translating human-readable domain names into IP addresses. Because hosts learn their IPv6 DNS servers from DHCPv6 and router advertisements, adopting IPv6 without securing that configuration introduces the risk that DNS resolution on those hosts is taken over.

Risk

The primary risk associated with IPv6 DNS Takeover is unauthorized control over DNS resolution: by manipulating IPv6 DNS settings, an attacker can redirect legitimate traffic to destinations they control. This allows them to send users to fraudulent websites, intercept sensitive communications, and conduct man-in-the-middle attacks, which can result in unauthorized access to sensitive information, loss of data integrity, and compromise of network security.

Solution

  • Firewall rules can be used to block the IPv6 configuration traffic the attack relies on. On Windows hosts, set the following built-in rules to Block:
    • (Inbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In)
    • (Inbound) Core Networking - Router Advertisement (ICMPv6-In)
    • (Outbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out)
  • If WPAD is not being used, it should be disabled via Group Policy by disabling the WinHttpAutoProxySvc service.
  • Enabling LDAP signing and LDAP channel binding, as well as SMB signing, can also prevent this attack to a certain extent.
  • Adding administrative users to the Protected Users group prevents delegation and impersonation of those accounts.
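The host-side mitigations above, as an added PowerShell example (not from the original page or any product): it sets the three built-in firewall rules to Block, disables the WPAD service locally rather than through Group Policy, and then checks whether any interface already has an IPv6 DNS server configured. The rule display-name patterns and the registry path for the service are assumptions based on standard Windows builds; run it in an elevated session on a host that does not use IPv6.

```powershell
# Added example (not from the original page). Run elevated on a Windows host
# where IPv6 is not in use. Wildcards tolerate the spacing/dash differences in
# the built-in "Core Networking" rule display names across Windows versions.
$ruleDisplayNames = @(
    "*Dynamic Host Configuration Protocol for IPv6*(DHCPV6-In)*",
    "*Router Advertisement*(ICMPv6-In)*",
    "*Dynamic Host Configuration Protocol for IPv6*(DHCPV6-Out)*"
)

foreach ($pattern in $ruleDisplayNames) {
    $rules = Get-NetFirewallRule -DisplayName $pattern -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "No firewall rule matched '$pattern'; check the display name on this build."
        continue
    }
    # Switch the built-in rule from its default Allow to Block and make sure it is
    # enabled, so rogue DHCPv6 replies or router advertisements cannot push
    # network configuration (including DNS servers) onto this host.
    $rules | Set-NetFirewallRule -Action Block -Enabled True
    $rules | ForEach-Object { Write-Output "Set '$($_.DisplayName)' to Block" }
}

# WPAD: when proxy auto-discovery is not used, disable the WinHTTP Web Proxy
# Auto-Discovery service. Set-Service is refused for this service on recent
# builds, so the Start registry value is set instead (4 = Disabled; applies
# after reboot). The registry path is an assumption for standard builds.
Stop-Service -Name WinHttpAutoProxySvc -Force -ErrorAction SilentlyContinue
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc" `
    -Name Start -Value 4 -Type DWord
Write-Output "WinHttpAutoProxySvc set to Disabled (effective after reboot)."

# Verification: on an IPv4-only network, any IPv6 DNS server on any adapter is
# unexpected and worth investigating as a possible takeover in progress.
$v6Dns = Get-DnsClientServerAddress -AddressFamily IPv6 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
if ($v6Dns) {
    $v6Dns | ForEach-Object {
        Write-Warning "Interface '$($_.InterfaceAlias)' has IPv6 DNS servers: $($_.ServerAddresses -join ', ')"
    }
} else {
    Write-Output "No IPv6 DNS servers configured on any interface."
}
```

For fleet-wide deployment the same three rules and the service setting are normally pushed by Group Policy (Windows Defender Firewall with Advanced Security and the System Services node) rather than run per host.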
