
ICTD/PSD
July 2019

Addressing DNS Tunneling Vulnerability in UNICEF Guest WiFi Networks

CONTENTS

REVISION HISTORY (page 2)
SCOPE (page 2)
THE ISSUE WITH DNS TUNNELING (page 2)
HOW TO EXPLOIT THE VULNERABILITY (page 2)
FIX FOR U-WIFI V2 (page 3)
FIX FOR U-WIFI V3 (FULL MERAKI / LIGHT) (page 4)
FIX FOR U-WIFI V3 (OPEN SYSTEMS) (page 5)
REVISION HISTORY

VERSION  DATE       AUTHOR(S)       DESCRIPTION
V0.1     July 2019  Andras Grepaly  Initial draft, fixes for U-WiFi v2 with Cisco WLCs
V0.2     July 2019  Simon Genin     Added fixes for U-WiFi v3 and minor corrections

SCOPE

This document details the steps required to correct a security hole in UNICEF Guest WiFi networks
that rely on the splash login pages used with U-WiFi v2 and v3. The existing setups are vulnerable to
DNS tunneling applications, which create VPN tunnels over port 53 (open by default to all destinations),
bypassing the authentication mechanism to access the Internet unrestricted.

All existing deployments of wireless networks in UNICEF field offices must conform to this guideline and
apply the required configuration changes.

THE ISSUE WITH DNS TUNNELING

DNS tunneling is a technique that encapsulates data within DNS queries and replies and tunnels it to
any remote system and on to the Internet. In existing UNICEF Guest captive portals, DNS requests are not
blocked by default in the preauthentication phase. It is therefore possible to use a VPN application (for
example Psiphon) that leverages this vulnerability, bypasses the authentication mechanism and
allows users to access the Internet unrestricted. The issue was first reported by the UNICEF Sudan office
on U-WiFi v2 and successfully reproduced in the UNICEF Budapest and New York offices.

HOW TO EXPLOIT THE VULNERABILITY

If your office implemented U-WiFi v2 or U-WiFi v3 as per the standard, it is very likely to be impacted. To
verify whether your network is vulnerable, you can follow these steps:

1. Connect to the Internet and download Psiphon Pro (iOS, Android, Windows)
2. Disable any mobile data connection on the phone
3. Connect to the UNICEF Guest SSID and wait to be redirected to the splash page.
4. Do not log in. If using an Apple client, when iOS opens the splash page, you must click the top
right "Cancel" button and select "Use without Internet" to stay connected and access the app.
5. Launch the Psiphon app, making sure you are still on the UNICEF Guest SSID (sometimes the OS
switches back to a known SSID)
6. From the Psiphon app, click "Start" to start the VPN
7. If the VPN is successful, the phone launches a browser session and shows the public IP of the VPN
endpoint. At this stage you should be able to browse any website, confirming the vulnerability.

Page 2 of 5
FIX FOR U-WIFI V2

This fix applies to most U-WiFi v2 cases, when configured as per the standard procedure.

1. Log in to your Cisco Wireless Controller GUI

2. Go to Controller TAB > Internal DHCP Server > DHCP Scope. Click the scope and identify which
DNS servers are configured. In this example, we are considering default U-WiFi v2 settings and
Google DNS (8.8.8.8 and 8.8.4.4). Note that in some rare scenarios (emergency kits), DHCP for guests
is provided by Open Systems (verify from the OS dashboard); however, the same procedure applies.

3. Go to Security TAB > Access Control Lists > Access Control Lists

4. Create a new Access Control List by clicking New. Name it Pre-Auth-ACL.

5. Click the name of the newly created ACL. Add the following five rules, making sure to respect the
order:

Substitute the two DNS server IP addresses with the ones noted in step 2. Should you have three DNS
addresses, add one more rule for the third one. Keep the Deny rule as the last rule.

6. Go to WLANS TAB, click the UNICEF Guest SSID. Go to Security > Layer 3, and set the newly
created ACL as Preauthentication ACL for IPv4.

7. Test that DNS based VPN has stopped working, while the captive portal is still functional.

8. Save the WLC configuration

FIX FOR U-WIFI V3 (FULL MERAKI / LIGHT)

1. Log in to your Cisco Meraki portal

2. Go to Security & SD-WAN > CONFIGURE > DHCP and verify which DNS servers are configured for
each scope:

Note: by default the scopes are set to Proxy to upstream DNS. In this case, the DNS IP can be found in
Security & SD-WAN > MONITOR > Appliance Status > Uplink Tab:

3. Go to Security & SD-WAN > CONFIGURE > Firewall > Layer 3
Add an entry allowing any protocol to each DNS server configured in the network. Note that the Google
DNS servers in the list are the ones used by default for Guest WiFi traffic. The last DNS rule blocks
DNS tunneling apps from reaching any other server on the Internet.

4. Save the layer 3 firewall configuration

5. Test that DNS based VPN has stopped working, while the captive portal is still functional.

FIX FOR U-WIFI V3 (OPEN SYSTEMS)

Issue a ticket to Mission Control requesting that only Google DNS be authorized and all other DNS
servers be blocked on port 53:

Dear Mission Control,

Please create a firewall rule to block all DNS traffic on port 53 from our internal network except for
the Google DNS servers:

Source: 10.18.184.0/22
Destination: 8.8.8.8/32, 8.8.4.4/32
Service: DNS
Action: Allow
Description: Allow Google DNS for Guest WiFi

Source: 10.18.184.0/22
Destination: any
Service: DNS
Action: Block
Description: block any unauthorized DNS to avoid DNS tunneling
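As an added example (not part of the original guideline), a small Python model of the ordered rule set that the WLC pre-auth ACL, the Meraki layer 3 firewall and the Open Systems ticket all share: one permit per authorized resolver first, the catch-all port 53 deny last. It uses the guest subnet and Google DNS addresses from the ticket above; the client address 10.18.185.20 and the Internet host 203.0.113.7 are constructed, and first-match evaluation is assumed. Reversing the list shows why the procedure insists the deny rule stays last: the captive portal's own DNS lookups would be blocked too.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

DNS_PORT = 53

@dataclass(frozen=True)
class Rule:
    src: str      # source prefix (CIDR)
    dst: str      # destination prefix; 0.0.0.0/0 stands for "any"
    port: int     # destination port
    action: str   # "allow" or "block"

# Constructed model of the rules requested in the Open Systems ticket (guest subnet
# 10.18.184.0/22, Google DNS 8.8.8.8 and 8.8.4.4). The WLC pre-auth ACL and the
# Meraki layer 3 firewall use the same shape: permits per resolver, then a deny.
GUEST_DNS_RULES: List[Rule] = [
    Rule("10.18.184.0/22", "8.8.8.8/32", DNS_PORT, "allow"),
    Rule("10.18.184.0/22", "8.8.4.4/32", DNS_PORT, "allow"),
    Rule("10.18.184.0/22", "0.0.0.0/0", DNS_PORT, "block"),
]

def _matches(rule: Rule, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.port == dst_port)

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """First match wins; an unmatched flow keeps the existing behaviour ("allow")."""
    for rule in rules:
        if _matches(rule, src_ip, dst_ip, dst_port):
            return rule.action
    return "allow"

def deny_is_last(rules: List[Rule]) -> bool:
    """Order check from the procedure: catch-all port 53 deny last, only permits before."""
    return (bool(rules) and rules[-1].action == "block" and rules[-1].dst == "0.0.0.0/0"
            and rules[-1].port == DNS_PORT and all(r.action == "allow" for r in rules[:-1]))

def check_fix(rules: List[Rule], client_ip: str = "10.18.185.20") -> dict:
    """Constructed guest client flows: resolver query passes, port 53 to an arbitrary
    Internet host (what a tunnel needs) is blocked, non-DNS traffic is untouched."""
    return {
        "google_dns": evaluate(rules, client_ip, "8.8.8.8", DNS_PORT),
        "tunnel_endpoint": evaluate(rules, client_ip, "203.0.113.7", DNS_PORT),
        "https": evaluate(rules, client_ip, "203.0.113.7", 443),
        "order_ok": deny_is_last(rules),
    }
```

Running check_fix on the list as written should report the resolver allowed, the tunnel endpoint blocked and HTTPS untouched; on the reversed list the resolver is blocked, which is the captive portal breaking.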
