Avoid private DNS record leakage

Posted November 12, 2015 by David Redekop to DNS Feature

The nature of mobile devices that roam from site to site often means that private DNS records unintentionally leak out to the public Internet. For example:

| DNS record OK to be publicly visible | DNS record that should remain secret |
|---|---|
| MailServer.YourCompany.com | YourSecretServer.YourCompany.local |
As long as your devices stay on your business network, network information leakage isn't a concern. However, let's say a mobile device is set up at the office with an application that references YourSecretServer.YourCompany.local, and it is then taken home by a team member.

As soon as the app is launched at home, the home router is asked:

Hi, where is YourSecretServer.YourCompany.local?

And, of course, the home router sends that request upstream to your Internet Service Provider. Even though the ISP cannot answer it, the DNS request (the question above) has been sent across the Internet in clear text and is therefore subject to surveillance of the most trivial kind.

To avoid this type of DNS leakage, DNSthingy firmware never allows a DNS query to be sent to the Internet unless the queried name ends in a suffix from Mozilla's Public Suffix List, found at:

publicsuffix.org

On any foreign premises where DNSthingy answers DNS queries, a query for YourSecretServer.YourCompany.local is simply answered with NXDOMAIN, meaning the name does not exist, and nothing is forwarded upstream.
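The following is an added illustration of the policy described above, written for this page; it is not DNSthingy firmware code. It implements the Public Suffix List matching algorithm (longest matching rule wins, wildcard `*.` rules, `!` exception rules) over a small constructed subset of the list, and then applies the same decision rule: forward a query upstream only when its name falls under a known public suffix, otherwise answer NXDOMAIN locally. The rule subset, the function names and the sample query names are assumptions made for the example.

```python
# Added example (not DNSthingy's code): decide whether a roaming resolver may
# forward a DNS query upstream, based on the Public Suffix List (publicsuffix.org).

# Constructed subset of the Public Suffix List. The real list has thousands of
# rules; these few are enough to exercise plain, wildcard and exception rules.
PSL_RULES = [
    "com",
    "net",
    "uk",
    "co.uk",
    "*.ck",       # wildcard: every label directly under .ck is a public suffix ...
    "!www.ck",    # ... except www.ck, which is a registrable name (exception rule)
    "github.io",  # private-section entry; still a public suffix for this purpose
]

NXDOMAIN = "NXDOMAIN"
FORWARD = "FORWARD"


def _labels(name):
    """Normalise a query name: drop the trailing dot, lower-case, split on '.'."""
    return name.rstrip(".").lower().split(".")


def _rule_matches(rule, labels):
    """True if the rule (ignoring a leading '!') matches the name right-to-left."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    for r, l in zip(reversed(rule_labels), reversed(labels)):
        if r != "*" and r != l:
            return False
    return True


def public_suffix(name, rules=PSL_RULES):
    """Return the public suffix of `name` per the PSL algorithm, or None.

    The PSL's implicit "*" fallback (unknown TLDs are treated as public) is
    deliberately NOT applied here: an unlisted suffix such as .local or .corp
    is exactly the kind of name that must not leave the premises.
    """
    labels = _labels(name)
    matching = [r for r in rules if _rule_matches(r, labels)]
    if not matching:
        return None
    exceptions = [r for r in matching if r.startswith("!")]
    if exceptions:
        # An exception rule always prevails; its public suffix is the rule
        # with its leftmost label removed (e.g. "!www.ck" -> "ck").
        return ".".join(exceptions[0].lstrip("!").split(".")[1:])
    # Otherwise the rule with the most labels prevails.
    best = max(matching, key=lambda r: len(r.split(".")))
    n = len(best.split("."))
    return ".".join(labels[-n:])


def resolve_decision(qname, rules=PSL_RULES):
    """Forward the query upstream only if the name sits under a public suffix;
    otherwise answer NXDOMAIN locally so the private name never leaves the LAN."""
    return FORWARD if public_suffix(qname, rules) is not None else NXDOMAIN


if __name__ == "__main__":
    # Constructed sample queries, as a roaming device at home might issue them.
    for q in ("MailServer.YourCompany.com", "YourSecretServer.YourCompany.local",
              "host.example.co.uk", "foo.bar.ck", "www.ck", "intranet.corp"):
        print(f"{q:40} suffix={public_suffix(q)!s:10} -> {resolve_decision(q)}")
```

Note that the decision is made on the query name alone, before any packet is sent: the resolver does not need to know whether `YourCompany.local` exists anywhere, only that `.local` is not a public suffix. A real deployment would load the full list from publicsuffix.org and refresh it periodically rather than embedding a hand-picked subset.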

That’s how we prevent DNS record leakage in all of our current firmware versions.