A DNS vulnerability impacting popular DNS-as-a-Service (DNSaaS) providers was found enabling cybercriminals to rip off sensitive information from corporate networks.

What happened?

Researchers from the cloud security firm Wiz disclosed a new class of DNS vulnerability at the Black Hat security conference. The flaws could allow intelligence harvesting simply by using a domain registration technique.
  • Hackers could intercept a small part of dynamic DNS traffic traveling via managed DNS providers such as Amazon and Google.
  • To exploit the flaw, attackers were required to register a domain and hijack a DNSaaS provider's nameserver to wiretap dynamic DNS traffic streaming from the targeted customer’s network.
  • The wiretapped dynamic DNS traffic was coming from more than 15,000 organizations, such as Fortune 500 firms, including 45 U.S. and 85 international government agencies.
  • This method allowed researchers to access a variety of data including sensitive information about target organizations, their employees. Even nation-state spying was possible.

Additional insights

There is no evidence that this vulnerability has ever been exploited in the wild by an attacker, however, any person with knowledge of the flaw could have obtained information for over a decade without being detected.
  • Experts examined six major DNSaaS providers. Out of those, three were exposed to nameserver registration. 
  • According to the experts, all cloud providers, domain registrars, and website hosts providing DNSaaS could be vulnerable.
  • Moreover, the exploitation of the vulnerability is so easy that an attacker with a single cloud account can obtain sensitive information from thousands of organizations.


According to Microsoft, this flaw results due to some sort of misconfiguration issue with external DNS resolvers. There are mitigation steps available that can be followed by managed DNS services providers. Google and Amazon have fixed these DNS flaws, however, some other providers are still likely vulnerable and exposed.

Cyware Publisher