The Domain Name System (DNS) is a foundational technology of the internet — quietly translating human-friendly domain names into IP addresses that machines use to communicate. Because DNS resolvers are trusted implicitly by client devices and applications, an attacker who subverts the resolver a network uses can redirect traffic, inject malicious content, and undermine virtually all services that rely on internet connectivity.
Overview of the Threat
Infoblox researchers uncovered a sophisticated long-running threat campaign in which an adversary has compromised routers, altered their DNS settings, and established what the researchers call a “shadow DNS network” hosted within Aeza International (AS210644) — an autonomous system tied to bulletproof hosting infrastructure. This shadow DNS effectively replaces legitimate ISP resolvers for all devices behind the compromised routers, giving the actor complete control over DNS responses for those clients.
The threat actor has paired this alternate DNS infrastructure with an HTTP-based Traffic Distribution System (TDS) that fingerprints clients and redirects them based on rules defined by the actor. Together, these components form a stealthy two-stage system that has operated undetected for years.
How the Shadow DNS Network Works
Router Compromise and DNS Redirection
The initial compromise vector involves taking control of consumer and small enterprise routers — particularly older devices that may lack robust security controls. Once compromised, the router’s DNS configuration is modified so that all DNS queries from local clients are instead forwarded to attacker-controlled resolvers hosted by Aeza International. This operation is effectively invisible to end users because it modifies a trusted component of their network stack.
Every device on a compromised router thus unknowingly uses the attacker’s DNS infrastructure rather than the legitimate ISP’s resolvers. Because many home and office networks rely on the router to propagate DNS settings via DHCP, the redirection affects all connected devices automatically.
Shadow Resolver Characteristics
The malicious resolvers exhibit several unusual and deliberate characteristics:
- Selective Resolution: Popular and high-traffic domains such as Google or Facebook are often resolved correctly, reducing suspicion. However, lesser-known or strategically targeted domains may be returned with malicious IPs that direct traffic to attacker-controlled infrastructure.
- Rapid Cache Expiry: Answers from these resolvers carry an extremely low TTL (e.g., 20 seconds), forcing repeated lookups and ensuring that clients constantly communicate with the attacker-controlled system.
- Adaptive Response Logic: The resolver changes its response based on multiple inputs, including the domain requested, geographic location of the router, frequency of queries, and randomization.
- EDNS0 Filtering: A clever anti-investigation trick prevents most scanners and security tools from eliciting correct responses. The resolver only responds to DNS queries without EDNS0 — a protocol extension included by default in most modern DNS queries. Queries with EDNS0 enabled return malformed responses, stymying scanning and discovery.
# Example of how to bypass EDNS0 restriction
dig +noedns @89.208.105.113 example.com
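As an added example (not code from the Infoblox report), the checks below look for the three tells described above from a defender's side: the assessment takes the raw UDP replies a resolver gives to the same A query sent without and with EDNS0, plus the A records a trusted resolver returns for that name, and flags EDNS0 rejection or garbage, TTLs below a floor, and answers that differ from the reference. The query builder and parser are minimal (A records only, UDP, no DNSSEC); the addresses and TTLs in the embedded test data are constructed.

```python
import random
import socket
import struct

def build_query(name, edns=True):
    # Header: random ID, RD set, QDCOUNT=1, ARCOUNT=1 only when an OPT record follows
    hdr = struct.pack(">HHHHHH", random.randrange(0x10000), 0x0100, 1, 0, 0, int(edns))
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    pkt = hdr + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns:  # OPT RR: root owner, type 41, UDP size 4096, ext-rcode/version/flags 0, RDLEN 0
        pkt += b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0)
    return pkt

def _skip_name(buf, off):  # a name ends at a zero byte or a two-byte compression pointer
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def parse_response(buf):  # -> (rcode, [(ip, ttl), ...]) for A answers; raises if garbled
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4  # skip QNAME, QTYPE, QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(buf, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(buf[off:off + 4]), ttl))
        off += rdlen
    return flags & 0xF, answers

def assess(plain_resp, edns_resp, reference_ips, ttl_floor=60):
    # The tells from the report: EDNS0 query rejected or garbled, very low TTL,
    # and an answer that shares no address with what a trusted resolver returns.
    findings = []
    try:
        rcode, answers = parse_response(edns_resp)
        if rcode != 0 or not answers:
            findings.append("edns0-query-refused")
    except (struct.error, IndexError, OSError):
        findings.append("edns0-reply-malformed")
    rcode, answers = parse_response(plain_resp)
    if answers and min(ttl for _, ttl in answers) < ttl_floor:
        findings.append("low-ttl")
    if answers and not {ip for ip, _ in answers} & set(reference_ips):
        findings.append("answer-differs-from-reference")
    return findings
```

To run this against a live resolver, send build_query(name, edns=False) and build_query(name, edns=True) over UDP to port 53 of the resolver the router hands out via DHCP, parse a trusted resolver's reply for reference_ips, and pass the raw replies to assess().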
The HTTP-Based Traffic Distribution System (TDS)
DNS manipulation alone does not complete the threat. Once a client is directed to an IP address under the attacker’s control (for example, via a manipulated DNS response), the HTTP TDS can further process and redirect that client’s traffic.
Fingerprinting and Redirect Logic
When the client reaches a malicious IP address, the HTTP server:
- Fingerprints the client to determine whether the request is coming from a machine behind a compromised router.
- Serves an obfuscated JavaScript payload that makes additional DNS lookups (for example, querying domains that should not resolve, like gettranslate[.]ir). If these lookups fail, the script redirects the browser back to legitimate pages (e.g., Google).
This multilayer check ensures only clients behind compromised routers proceed down the malicious path. Successful requests may then be directed to affiliate marketing pages, ad networks, or other destination URLs controlled by the actor.
Affiliate Marketing as a Cover
The actor’s publicly observed activity appears geared toward affiliate marketing — funneling traffic through “smartlinks,” a common industry mechanism that first fingerprints the client and then routes them to an advertising or affiliate partner. While affiliate marketing may seem benign, the underlying infrastructure here can and has been used to deliver malicious content, scams, and potentially more harmful payloads.
Why This Threat Is Highly Effective
- Implicit Trust in DNS: Users and devices implicitly trust DNS. By altering resolver settings, the actor can influence nearly every internet connection a device makes.
- Stealth Techniques: The use of EDNS0 filtering and selective response logic makes detection through conventional scanning difficult.
- Persistent Infrastructure: Because the infrastructure has been in operation for years and uses bulletproof hosting, takedown efforts are unlikely without sustained intelligence and coordination with global network operators.
- Beyond Advertising: Although affiliate marketing is the visible payload, this infrastructure could theoretically be used for adversary-in-the-middle attacks (AiTM), software update tampering, denial of service, or other malicious ends.
Implications and Defensive Considerations
This threat highlights a broader class of attacks where network infrastructure is subverted to control the flow of traffic, not just individual endpoints. Protecting against such campaigns requires:
- Enabling secure DNS resolution (DoH/DoT) to avoid reliance on router-provided resolver settings wherever possible.
- Monitoring DNS resolution patterns across your network for anomalous behavior.
- Updating router firmware and replacing outdated hardware that may be vulnerable to compromise.
Final Thoughts
Controlling DNS resolution gives an attacker vast power to influence internet usage. The Aeza shadow DNS and TDS campaign is a clever combination of classic DNS hijacking and dynamic HTTP-based traffic distribution, cloaked with anti-analysis techniques and persistent infrastructure. Understanding and mitigating such threats is essential for defenders operating in environments where trust in network infrastructure may be misplaced.
