How hard-coding your DNS can improve your security

I’ve long recommended hard-coding your DNS settings as a performance and reliability enhancement–here’s my guide for that–but it turns out it can be a security enhancement too.

Botnets targetting routers aren’t new at all, but there’s a particularly nasty one named Moose running around right now. Among other things, it changes routers’ DNS settings to point to rogue DNS servers that allow the attackers to steal your social media credentials, furthering the bot.

But if you hard-code your DNS, the DNS settings on your router don’t matter. Someone can change them all they want, but your machines will keep using the servers you selected. The bot can still infect your router, but by overriding the router’s DNS settings, you limit the damage the bot can do.

And, while I don’t know for certain if it helps against Moose, it’s a good practice to move your network off 192.168.0.x and 192.168.1.x, since so much malware assumes routers live at 192.168.0.1 or 192.168.1.1. Finding the router complicates the code, and since more than 90% of home routers live at those two addresses, it’s easiest to just try those two addresses and keep the code compact, simple, and fast. If you’re not the low-hanging fruit, you’re less likely to get infected.

A full mitigation, of course, is to run DD-WRT on your routers. Or better yet, run DD-WRT on your access points and set up Pfsense as your router. An Asrock D1800M makes an ideal Pfsense box, since it consumes very little power and has three PCI Express expansion slots to hold extra network cards. Team it up with a surplus Intel Pro/1000 card off Ebay if you need multiple ports–just make sure you’re getting a PCIe card, not a PCI or PCI-X card. Of course, these two things are more complex, and potentially more costly, than changing a few network settings.

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux