DESCRIPTION: Security researchers found a new class of DNS vulnerabilities impacting major DNS-as-a-Service (DNSaaS) providers that could allow attackers to access sensitive information from corporate networks. [...]

SUMMARY: The information collected this way would make threat actors' job of breaching an organization's network a lot easier, as it will give them "a bird's eye view on what's happening inside companies and governments" and provide them with "nation-state level spying capability." The researchers haven't found evidence that the DNS vulnerability they uncovered was previously exploited in the wild, but, as they explain, anyone with knowledge of the issues and the skills to abuse them "could have collected data undetected for over a decade." "The impact is huge." "Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable." To make things worse, while two of the major DNS providers (Google and Amazon) have already fixed these DNS flaws, others are still likely vulnerable, exposing millions of devices to attacks. As Microsoft explained, this flaw is "a known misconfiguration that occurs when an organization works with external DNS resolvers." Redmond advises using separate DNS names and zones for internal and external hosts to avoid DNS conflicts and network issues, and provides detailed documentation on how to properly configure DNS dynamic updates in Windows.