This article looks at how an attacker can intercept and read emails sent from one email provider to another by performing a DNS MX record hijacking attack.
While our research on the state of email delivery securityindicates that this attack is less pervasive than the TLS downgrade attack, it is equally effective at defeating email in-transit encryption. This article explains how this attack works, how it can be mitigated and to what extent it also affects the security of a website.
Before delving into how this attack works and countermeasures, I will briefly summarize DNS and DNS MX records for the readers who are not familiar with this aspect of the Internet. If you are familiar with this topic, you can skip the next two sections.
Understanding DNS records
DNS records are used to translate a domain address, let’s say www.elie.net, into an Internet address, which are commonly known as IP addresses. This translation is needed because computers only know how to communicate with an IP address and not a domain address. This translation is also helpful because it allows multiple servers and IP addresses to have the same domain address, which allows redundancy and scalability.
It also helps make the Internet faster by allowing big services and CDNs to host the same content in many different countries on various servers and return the IP address of the closest server to the client when they look up the domain address. This technique is called geoIP load balancing.
Understanding DNS MX records
DNS MX records are a specific form of DNS record that allows us to know which IP address to use when sending an email to a given domain. As visible in the diagram above, when Alice wants to send an email to Bob (firstname.lastname@example.org), her server (smtp.source.com) needs to resolve the IP address of Bob’s mail provider server. To do this, her mail server asks the DNS server for the MX record for the domain, destination.com. The server will reply with the IP address that Alice’s server will connect to to deliver the email to Bob. In our example, Bob’s server has the IP address 126.96.36.199.
DNS MX record hijacking
DNS hijacking attacks work as follows. The attacker poses as or compromises the DNS server used by Alice’s mail server to find out where to deliver Alice’s email to Bob. Instead of returning the legitimate IP address, the DNS server returns the IP address of a server owned by the attacker, as illustrated in the diagram above. Alice’s server believes this IP address is the legitimate one for Bob’s server and delivers the email to the rogue server. The attacker reads the email and to make the attack invisible, forwards the email to the real server.
This attack is possible because DNS was not designed with security in mind and as a result, there is no default security mechanism baked into it to authenticate that the request was sent by the rightful owner of the domain.
This shortcoming will eventually be fixed with the deployment of DNSSEC and DANE. This deployment and other ways to mitigate this type of attack are discussed at the end of this post.