Domain Name poisoning attacks and Sophos XG Protection


I have written about DNS security and Sophos XG firewall protection before, but I did not cover domain name poisoning attacks in the DNS security article, because the protection Sophos offers against them has nothing to do with DNS traffic: it is an extra web-protection feature for Sophos XG users. Domain name poisoning causes the name resolution a host relies on (its hosts file, its DNS cache or its name server) to return an incorrect record, e.g. a wrong IP address. The result is that the host's traffic is diverted to the attacker's computer.

The Sophos Firewall offers a feature called "Pharming protection". It protects users against domain name poisoning attacks by repeating the DNS lookup on the firewall before connecting to the web server.

To enable or disable it, go to Protect > Web > General Settings > Advanced Settings > Enable pharming protection.

Let's check how it protects you. A normal lookup of www.bing.com returns several IPs:

C:\Users\deepak>nslookup www.bing.com

Non-authoritative answer:
Addresses:  2620:1ec:c11::200
          13.107.21.200
          204.79.197.200
Aliases:  www.bing.com

But suppose a hacker has somehow overwritten my hosts file and redirected this traffic to a fake IP, for example 1.1.1.1:

C:\Users\deepak>ping www.bing.com

Pinging www.bing.com [1.1.1.1] with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=8ms TTL=59
Reply from 1.1.1.1: bytes=32 time=7ms TTL=59
Reply from 1.1.1.1: bytes=32 time=11ms TTL=59
Reply from 1.1.1.1: bytes=32 time=9ms TTL=59
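The ping above shows the poisoned entry only after the damage is done. A quicker check is to audit the hosts file itself for names that should never be resolved locally. The script below is an added example, not part of the original article or of Sophos' code; the hosts-file content is constructed for the demonstration and the "public"/"private" classification is an assumption about what a reviewer would treat as high versus low priority.

```python
# Added example (not from the article): audit a hosts file for entries that
# override public hostnames, the way the poisoned www.bing.com entry above does.
import ipaddress

# Constructed sample of a Windows hosts file with one injected entry.
# On Windows the real file is C:\Windows\System32\drivers\etc\hosts,
# on Linux/macOS it is /etc/hosts.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
1.1.1.1         www.bing.com bing.com   # injected by the attacker
10.0.0.5        intranet.corp.example
"""

# Names that legitimately live in a hosts file (assumption: extend for your estate).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def suspicious_hosts_entries(text):
    """Return (ip, name, scope) triples for every non-local name that the hosts
    file pins to a routable address. scope is "public" when the address is
    globally routable (a classic pharming override) and "private" for RFC 1918
    style addresses, which are usually legitimate internal overrides."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not a valid address: ignore
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            continue                             # localhost-style entries are fine
        for name in fields[1:]:
            if name.lower() not in LOCAL_NAMES:
                scope = "public" if ip.is_global else "private"
                hits.append((str(ip), name.lower(), scope))
    return hits


if __name__ == "__main__":
    for ip, name, scope in suspicious_hosts_entries(HOSTS_SAMPLE):
        print(f"{scope:7} {name} -> {ip}")
```

Run it against the live file by replacing HOSTS_SAMPLE with `open(path).read()`. Any "public" hit for a well-known domain is the kind of override that sent www.bing.com to 1.1.1.1 above and deserves an immediate look.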

First, with the "Pharming Protection" feature not enabled on my Sophos XG firewall:

Fig 1.1-Sophos Dashboard

When I try to access www.bing.com, I get this error message.

My traffic is redirected to the fake bing.com server at 1.1.1.1, the wrong IP for www.bing.com. The hacker succeeds in receiving my traffic, including any username and password I may have entered.

Now I am going to enable the "Pharming Protection" on the Sophos XG Firewall and test the same again:



Trying to access the www.bing.com again:



The website now works fine, even though my system's local DNS is still resolving www.bing.com to 1.1.1.1.

How does Pharming Protection work?
  • I type www.bing.com into the browser and hit enter.
  • The host uses its hosts file, its DNS cache or its configured DNS servers to resolve www.bing.com to the IP address 1.1.1.1.
  • The host creates a TCP session to 1.1.1.1 and sends an HTTP GET (port 80) or a TLS Client Hello (port 443).
  • The firewall's web proxy service looks at the Host field of the HTTP GET or the SNI (Server Name Indication) field of the Client Hello and determines whether the user is allowed to reach this host based on the URL filtering configuration.
  • If the user is allowed to reach this host, the firewall re-resolves www.bing.com using its own configured DNS servers.
  • The proxy then makes the request to the IP that the XG Firewall resolved for www.bing.com, ignoring the 1.1.1.1 the host connected to, and serves the web page.

What if the configured DNS server can't resolve the domain name?
  • If the proxy cannot resolve www.bing.com, XG Firewall falls back to the IP address the host resolved in step 2 and serves the web page from there. (Sophos UTM behaves differently: it sends a "Host not found" error page instead.)
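To make the steps above concrete, here is an added example that models the proxy's decision in Python. It is not Sophos' code and does not reproduce the XG implementation; it only shows the mechanism: pull the hostname out of the HTTP Host header or the TLS Client Hello SNI, re-resolve it with a trusted resolver, prefer that address over the one the client connected to, and fall back to the client's address when resolution fails. The `build_client_hello` helper, the `TRUSTED_DNS` table standing in for the firewall's configured DNS server, and the sample requests are all constructed for the demonstration.

```python
# Added example (not Sophos code): a minimal model of the pharming-protection decision.
import re
import struct
from typing import Callable, Optional, Tuple

# Constructed stand-in for the firewall's own DNS servers (offline demo).
TRUSTED_DNS = {"www.bing.com": "13.107.21.200"}


def trusted_resolve(name: str) -> Optional[str]:
    """Resolve via the firewall's configured resolver; None means lookup failed."""
    return TRUSTED_DNS.get(name)  # a real proxy would query its DNS servers here


def host_from_http_request(data: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP request (port 80 case), or None."""
    if not re.match(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n", data):
        return None
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().rsplit(":", 1)[0].lower()  # strip :port
    return None


def sni_from_client_hello(rec: bytes) -> Optional[str]:
    """Return the server_name (RFC 6066) from a TLS ClientHello record, or None."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:     # handshake record, ClientHello
            return None
        p = 9 + 2 + 32                           # body start + version + random
        p += 1 + rec[p]                          # session id
        p += 2 + struct.unpack("!H", rec[p:p + 2])[0]   # cipher suites
        p += 1 + rec[p]                          # compression methods
        end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", rec[p:p + 4])
            p += 4
            if ext_type == 0:                    # server_name extension
                q, lim = p + 2, p + 2 + struct.unpack("!H", rec[p:p + 2])[0]
                while q + 3 <= lim:
                    ntype, nlen = rec[q], struct.unpack("!H", rec[q + 1:q + 3])[0]
                    if ntype == 0:               # host_name
                        return rec[q + 3:q + 3 + nlen].decode("ascii").lower()
                    q += 3 + nlen
            p += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal ClientHello carrying only an SNI extension (test input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!HH", 0, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x00" * 32           # client_version, random
            + b"\x00"                            # empty session id
            + b"\x00\x02\x13\x01"                # one cipher suite
            + b"\x01\x00"                        # null compression
            + struct.pack("!H", len(sni)) + sni)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def choose_upstream(client_dst_ip: str, first_bytes: bytes,
                    resolve: Callable[[str], Optional[str]] = trusted_resolve
                    ) -> Tuple[Optional[str], str, str]:
    """Model the XG decision. Returns (hostname, upstream_ip, reason)."""
    host = host_from_http_request(first_bytes) or sni_from_client_hello(first_bytes)
    if host is None:
        return None, client_dst_ip, "no hostname found; using client's destination"
    good = resolve(host)
    if good is None:                             # the fallback case described above
        return host, client_dst_ip, "resolver failed; falling back to client's IP"
    if good != client_dst_ip:
        return host, good, "client IP differs from re-resolved IP; pharming suspected"
    return host, good, "client IP matches re-resolved IP"


if __name__ == "__main__":
    http = b"GET / HTTP/1.1\r\nHost: www.bing.com\r\nUser-Agent: demo\r\n\r\n"
    print(choose_upstream("1.1.1.1", http))                              # poisoned host
    print(choose_upstream("1.1.1.1", build_client_hello("www.bing.com")))  # same over TLS
    print(choose_upstream("1.1.1.1", build_client_hello("unknown.example")))  # fallback
```

Note what the example does not do: it never consults the client's answer, so a poisoned hosts file or cache on the client is irrelevant as long as the firewall's own resolvers are sound. If those resolvers are themselves poisoned, or the lookup fails and the fallback path is taken, the client's 1.1.1.1 wins again, which is why the feature complements rather than replaces protecting the firewall's DNS path.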

In the next article, I will discuss an issue with "Pharming Protection" and Bridge mode of Sophos XG Firewall.

An Article By Deepak Kumar 
Linkedin: https://www.linkedin.com/in/engdeepak/
Twitter: https://twitter.com/Deepakkhw