A feature of modern server infrastructures is being exploited to allow bad actors to disguise their intended endpoint behind “safe” domain names that do not appear on blocklists.
This means that schools relying on DNS filters, and particularly those employing a BYOD policy, have a vulnerability whereby students may be able to circumvent the filter and access dangerous sites completely undetected.
Research by ADAMnetworks (who collaborated closely with Smoothwall during the discovery phase) shows that this is already happening, and the issue is likely to be exacerbated by the wide availability of AI tools that can provide the necessary steps to do so in seconds.
To cope with the shortage of IPv4 addresses, modern internet infrastructure groups many websites under one IP address. Cloudflare, for example, which accounts for about a third of the internet, may at any one time assign safe sites such as shopify.com, lego.com and mclaren.com the same IP address. Unfortunately, nothing stops other, less safe sites from being hosted on that same IP.
When deciding whether to allow access to websites, DNS filters look at domain names and check them against a blocklist of known “bad” sites. If the requested domain is on the list, access will be blocked. If it’s not, the filter passes the query through and returns an IP address that the browser can connect to - granting access to the site.
ADAMnetworks has found that bad actors are able to use this flaw when designing malware or VPNs to disguise the domain they intend to reach behind safe domains. This means they are able to benefit from the reputational trust the associated IPs carry, and pass through to dangerous sites without detection.
The true nature of the site being visited is only revealed at the SSL Inspection stage, where the SNI (Server Name Indication) declares the real hostname to which the client wants to connect. This is a layer that DNS filters do not and cannot access.
A mail analogy
I want to send a letter to some “bad guys”. My postman has already flagged the address as malicious and refuses to deliver letters there. I know my postman only looks at the address on the outside of the envelope, so I hide the real letter, along with instructions on how to forward it to the malicious address, within another envelope that has a “safe” address inside the same building displayed on it.
My postman is none the wiser, and the letter arrives at the right location anyway, because the “good guys” and the “bad guys” share the same front door.
For a more in-depth, technical explanation of the issue, visit: underminr.ai
Schools and colleges relying on DNS filters to prevent students accessing dangerous parts of the internet should review their provision immediately. The way the modern internet functions means these filters are highly unlikely to provide the level of protection required to comply with the DfE’s Filtering and Monitoring Standards, or Keeping Children Safe in Education.
Learn more about different filters and what’s suitable for education settings: Web Filtering Solutions: What Schools, Colleges and MATs Need to Know.
Smoothwall Filter is immune to this form of attack because it inspects the content, context and construction of web pages (including the SNI), at the point of request, in real time.
For schools with a BYOD policy, Smoothwall Filter on-premise will also protect networks from this type of circumvention. Even without “SSL inspection”, SNI filtering will prevent access to unwanted sites.