Use DNAT rules to prevent DNS hijacking.

If you’ve worked in technology for any length of time, you’ve likely heard of NAT and DNAT, or Network Address Translation and Destination Network Address Translation. You might already know that it is versatile and useful across many contexts for routing traffic and for simplifying (or complicating) things nicely. Perhaps you know more about it than I do; I am still learning.

Thanks to stumbling upon Bob Jackson’s HandymanHowTo.com, I’ve learned something worth sharing and worth adding to our collective bag of tricks. There is no perfect or single solution in the battle to protect our families, friends, and clients from malware, but DNAT can be one of many useful tools for detecting and containing malware before it spreads or turns our own infrastructure against us.

For example, a LAN-to-WAN DNAT rule (from our private network out toward the Internet) can be written on the gateway to catch any DNS query that is not addressed to our sanctioned resolver and rewrite its destination so the query lands on the resolver we chose. Rogue DNS queries are common malware behavior: once successfully installed inside a network, malware will often change the host’s DNS settings to point at an attacker-controlled resolver, which lets it redirect traffic, reach its command and control servers, and carry out whatever other nasty list of deeds it was designed for.

The first Mac malware of 2018, MaMi, did precisely this. Malware like it will grow more complex over time, but one thing it already does very well is hijack DNS.

Here’s a use case: suppose a computer on the network is infected with malware that writes its own DNS configuration, or someone hard-codes a DNS server other than the preferred ones to get around content filtering (pesky kids). Either way, the host sends its queries to an unsanctioned server. A DNAT rule on the gateway matches outbound traffic to port 53, rewrites the destination address to the proper DNS server, and forwards the query there; the client gets its answer from our resolver without ever knowing the difference. Pretty cool. Two caveats worth keeping in mind: the rule should exempt queries already headed to the sanctioned resolver, so that only unsanctioned lookups match (and get logged), and it only catches plain DNS on port 53, so a host that switches to DNS over HTTPS or DNS over TLS will slip past it unless those are blocked separately.

The same rule can also alert us when it fires: log the matches, and the source address on each log line names a host that is either infected or misconfigured. Most firewalls can do this natively, and hosted DNS management services that add the same visibility start at around $5 a month.
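Here is what the rule and the alerting look like in practice, as an added example that is not part of the original post or of HandymanHowTo.com. It assumes a Linux gateway running iptables, with the LAN on interface eth1 and a sanctioned resolver at 192.168.1.53 (both hypothetical); the kernel log lines it parses are constructed samples, not real captures.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT rules that force every
# plain-DNS query from the LAN onto the sanctioned resolver, plus a small
# log parser that turns rule hits into a list of suspect hosts.
#
# Assumptions (hypothetical, not from the original): a Linux gateway running
# iptables, LAN interface "eth1", sanctioned resolver 192.168.1.53.

# Print the iptables commands for a given LAN interface and resolver.
# Printing instead of executing keeps the script testable; pipe to sh as root.
dns_dnat_rules() {
  lan_if=$1
  resolver=$2
  for proto in udp tcp; do
    # 1. Log each query that is NOT already headed to our resolver. Only the
    #    first packet of a flow reaches the nat table, so this is one line per
    #    unsanctioned lookup, with SRC= identifying the offending host.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 ! -d $resolver -j LOG --log-prefix \"DNS-REWRITE: \" --log-level 4"
    # 2. Rewrite the destination so the query lands on the sanctioned resolver.
    echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 ! -d $resolver -j DNAT --to-destination $resolver"
    # 3. If the resolver sits on the same LAN segment as the clients, its reply
    #    would go straight back to the client and bypass the gateway, so
    #    conntrack could never undo the DNAT. Masquerade rewritten flows so the
    #    reply returns through the gateway. Harmless when the resolver is upstream.
    echo "iptables -t nat -A POSTROUTING -o $lan_if -p $proto --dport 53 -d $resolver -m conntrack --ctstate DNAT -j MASQUERADE"
  done
}

# Apply the rules (must run as root on the gateway).
dns_dnat_apply() {
  dns_dnat_rules "$@" | sh
}

# Read kernel log lines on stdin and print the unique source IPs that tripped
# the LOG rule: each one is an infected or misconfigured host to look at.
dns_rewrite_offenders() {
  grep 'DNS-REWRITE:' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# Constructed sample log lines (not real captures) in the kernel's LOG format.
SAMPLE_LOG='Mar  3 10:12:01 gw kernel: DNS-REWRITE: IN=eth1 OUT= SRC=192.168.1.42 DST=198.51.100.9 PROTO=UDP SPT=49152 DPT=53
Mar  3 10:12:05 gw kernel: DNS-REWRITE: IN=eth1 OUT= SRC=192.168.1.77 DST=203.0.113.5 PROTO=UDP SPT=51234 DPT=53
Mar  3 10:12:09 gw kernel: DNS-REWRITE: IN=eth1 OUT= SRC=192.168.1.42 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=53
Mar  3 10:13:00 gw kernel: IN=eth1 OUT= SRC=192.168.1.10 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=443'

if [ "${1:-}" = "--apply" ]; then
  dns_dnat_apply eth1 192.168.1.53
else
  dns_dnat_rules eth1 192.168.1.53                      # dry run: show the rules
  printf '%s\n' "$SAMPLE_LOG" | dns_rewrite_offenders   # prints 192.168.1.42 and 192.168.1.77
fi
```

Run it without arguments to review the six rules it would install, and with `--apply` as root to load them. The `! -d` exemption is what keeps the log useful: queries already going to the sanctioned resolver never match, so every logged line is a host worth a look. Feed `dns_rewrite_offenders` from `journalctl -k` or `/var/log/kern.log` in a cron job and you have a cheap alert for the scenario described above; remember that it sees nothing from clients that have moved to DNS over HTTPS or DNS over TLS.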

As I said, this isn’t a silver bullet, nor should it be the only control in place on your network, but it is a very nice addition to a defense-in-depth strategy: multiple good ideas layered together to reduce the likelihood of falling victim to the nasty world of malware flying around out there.

Thanks for reading.