DNS and attacks
Himani Singh
Agenda
DNS introduction
Types of DNS servers
DNS protocols
DNS Attacks
DNS Intro
Domain Name System
DNS is a naming system that maps an easily remembered host name to its IP address (and back).
Example implementations
Berkeley Internet Name Domain (BIND)
Microsoft DNS Server (Windows NT 4.0, Server 2003 and Server 2008)
Specified in RFCs 882 and 883 (original), superseded by RFCs 1034 and 1035
DNS Intro
The Domain Name System architecture is a database plus a set of protocols.
The database
Contains the data for any resource (or service), including host names and domain names.
Is hierarchical.
Is distributed over multiple servers.
The protocol defines the mechanisms to
Query the database
Update the database
Replicate the information among the servers so that they keep identical records
DNS Database
The hierarchical database is a tree; a name is the sequence of labels on the path from a node up to the root, written with dots,
e.g. mail.fortinet.com
DNS resource information is stored in the database as resource records (RRs)
FQDN
A fully qualified domain name (FQDN) identifies a host unambiguously: every label from the host up to the root, e.g. mail.fortinet.com.
fortinet => organization name
Subdomain:
An additional name an organization can create to divide its domain into departments, locations, etc.,
e.g. cs.yale.edu or support.fortinet.com
Host or resource name:
Identifies a specific resource or service, e.g. www in www.fortinet.com
Top-level domains
com    Commercial organizations
edu    Educational institutions
org    Non-profit organizations
net    Networks (the backbone of the Internet)
gov    Government (non-military)
mil    Military
arpa   Reverse DNS (in-addr.arpa)
xx     Country codes like us, au, ca
http://csis.pace.edu/~marchese/CS865/Lectures/Chap5/Chapter5a.htm
Resource record (RR) format (RFC 1035 section 3.2.1)
NAME       owner domain name (variable length)
TYPE       RR type, 2 octets
CLASS      RR class, 2 octets
TTL        time to live in seconds, 4 octets (32-bit)
RDLENGTH   length of RDATA in octets, 2 octets
RDATA      type-specific data (e.g. a 4-octet IPv4 address for type A)
https://www.ietf.org/rfc/rfc1035.txt
Common RR types (RFC 1035 section 3.2.2)
Type    Value  Class          Description                                      Data
A       1      Internet (IN)  Host address                                     host IP address, e.g. 10.1.1.11
NS      2      Internet (IN)  Authoritative name server                        owner name of the server host
CNAME   5      Internet (IN)  Canonical name for an alias                      owner name (the real name)
SOA     6      Internet (IN)  Marks the start of a zone of authority; needed in every zone file   see the SOA slide
WKS     11     Internet (IN)  Well-known service description                   address, protocol, port bit map
PTR     12     Internet (IN)  Domain name pointer (reverse lookup)             owner name
HINFO   13     Internet (IN)  Host information                                 CPU and OS strings
MX      15     Internet (IN)  Mail exchange                                    preference + host, e.g. SRI-NIC.ARPA. MX 0 SRI-NIC.ARPA.
TXT     16     Internet (IN)  Text string                                      used to be free text, but now this record more often carries machine-readable data
SOA (start of authority)
This record contains information about the zone:
Owner (the zone name), Class and Type
Authoritative (primary) server for the zone and the mailbox of the person responsible for it
Serial number (incremented on every update; secondaries compare it to decide whether to transfer)
Refresh interval, after which a secondary re-checks the serial
Retry time a secondary server will wait before retrying a failed refresh
Expire time, after which a secondary that cannot reach the primary stops answering for the zone
Minimum TTL
Reverse lookup
A reverse lookup queries the DNS for the domain name when the IP address is known.
The address octets are reversed and placed under IN-ADDR.ARPA, so the host 18.10.0.4 is looked up as:
4.0.10.18.IN-ADDR.ARPA.  PTR  GW.LCS.MIT.EDU.
Zone
A zone is a contiguous part of the name space managed by one authority (a domain and those of its subdomains that are not delegated elsewhere)
A zone stores information about all names that end with the zone root domain name in a file called the zone file
A zone file contains multiple resource records; the first record is the Start of Authority (SOA)
The SOA names the primary DNS name server for the zone
A zone file may also contain information about other zones (glue records) if such records have been added
Zone file
(the example zone from RFC 1034 section 6.1)

    . IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
                                  870611      ;serial
                                  1800        ;refresh every 30 min
                                  300         ;retry every 5 min
                                  604800      ;expire after a week
                                  86400)      ;minimum of a day
                    NS      A.ISI.EDU.
                    NS      C.ISI.EDU.
                    NS      SRI-NIC.ARPA.

    MIL.    86400   NS      SRI-NIC.ARPA.
            86400   NS      A.ISI.EDU.

    EDU.    86400   NS      SRI-NIC.ARPA.
            86400   NS      C.ISI.EDU.

    SRI-NIC.ARPA.   A       26.0.0.73
                    A       10.0.0.51
                    MX      0 SRI-NIC.ARPA.
                    HINFO   DEC-2060 TOPS20

    ACC.ARPA.       A       26.6.0.65
                    HINFO   PDP-11/70 UNIX
                    MX      10 ACC.ARPA.

    USC-ISIC.ARPA.  CNAME   C.ISI.EDU.

    73.0.0.26.IN-ADDR.ARPA.   PTR    SRI-NIC.ARPA.
    65.0.6.26.IN-ADDR.ARPA.   PTR    ACC.ARPA.
    51.0.0.10.IN-ADDR.ARPA.   PTR    SRI-NIC.ARPA.
    52.0.0.10.IN-ADDR.ARPA.   PTR    C.ISI.EDU.
    103.0.3.26.IN-ADDR.ARPA.  PTR    A.ISI.EDU.

    A.ISI.EDU. 86400 A     26.3.0.103
    C.ISI.EDU. 86400 A     10.0.0.52
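The master-file syntax above has three conventions that trip people up: ';' comments, '(' ... ')' continuation of the SOA, and a record whose line starts with whitespace inherits the previous owner name (a missing TTL takes the SOA minimum under the pre-RFC 2308 rule this example predates). The following parser is an added example, not code from the slides or from any DNS implementation; it embeds the RFC 1034 zone shown above as its input and enforces the rule that the SOA must be the first record.

```python
"""Parse an RFC 1034/1035 master file into resource records (added example)."""
from dataclasses import dataclass

# The zone file from the slides (RFC 1034 section 6.1), embedded so this runs offline.
ZONE_TEXT = """\
. IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
                              870611      ;serial
                              1800        ;refresh every 30 min
                              300         ;retry every 5 min
                              604800      ;expire after a week
                              86400)      ;minimum of a day
                NS      A.ISI.EDU.
                NS      C.ISI.EDU.
                NS      SRI-NIC.ARPA.

MIL.    86400   NS      SRI-NIC.ARPA.
        86400   NS      A.ISI.EDU.

EDU.    86400   NS      SRI-NIC.ARPA.
        86400   NS      C.ISI.EDU.

SRI-NIC.ARPA.   A       26.0.0.73
                A       10.0.0.51
                MX      0 SRI-NIC.ARPA.
                HINFO   DEC-2060 TOPS20

ACC.ARPA.       A       26.6.0.65
                HINFO   PDP-11/70 UNIX
                MX      10 ACC.ARPA.

USC-ISIC.ARPA.  CNAME   C.ISI.EDU.

73.0.0.26.IN-ADDR.ARPA.  PTR    SRI-NIC.ARPA.
65.0.6.26.IN-ADDR.ARPA.  PTR    ACC.ARPA.
51.0.0.10.IN-ADDR.ARPA.  PTR    SRI-NIC.ARPA.
52.0.0.10.IN-ADDR.ARPA.  PTR    C.ISI.EDU.
103.0.3.26.IN-ADDR.ARPA. PTR    A.ISI.EDU.

A.ISI.EDU. 86400 A     26.3.0.103
C.ISI.EDU. 86400 A     10.0.0.52
"""

RR_TYPES = {"A", "NS", "CNAME", "SOA", "WKS", "PTR", "HINFO", "MX", "TXT"}
CLASSES = {"IN", "CS", "CH", "HS"}


@dataclass
class RR:
    owner: str
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def _logical_lines(text):
    """Strip ';' comments and join '(' ... ')' continuations into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue                                   # blank or comment-only line
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text):
    """Return the RRs of a master file with owner and TTL defaulting applied."""
    records, owner, default_ttl = [], None, None
    for line in _logical_lines(text):
        fields = line.split()
        if not line[0].isspace():                      # explicit owner on this line
            owner = fields.pop(0)
        if owner is None:
            raise ValueError("first record has no owner name")
        ttl, rclass = None, "IN"
        while fields[0] not in RR_TYPES:               # optional [TTL] [class] prefix
            tok = fields.pop(0)
            if tok.isdigit():
                ttl = int(tok)
            elif tok in CLASSES:
                rclass = tok
            else:
                raise ValueError(f"unexpected token {tok!r} in {line!r}")
        rtype = fields.pop(0)
        rdata = " ".join(fields)
        if rtype == "SOA":
            if records:
                raise ValueError("SOA must be the first record of the zone")
            default_ttl = int(fields[-1])              # SOA MINIMUM is the last field
        records.append(RR(owner, ttl if ttl is not None else default_ttl, rclass, rtype, rdata))
    return records


def records_of_type(records, rtype):
    return [r for r in records if r.rtype == rtype]


if __name__ == "__main__":
    for rr in parse_zone(ZONE_TEXT):
        print(f"{rr.owner:26} {rr.ttl:>6} {rr.rclass} {rr.rtype:6} {rr.rdata}")
```

Running it prints 23 records; note that the three root NS records and the SRI-NIC.ARPA. address records carry no explicit TTL and therefore show the SOA minimum of 86400, exactly as a 1980s server would have cached them.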
Zone transfer
Zone transfer is achieved by copying the zone file from the primary (master) server to the secondary (slave) servers.
Example hierarchy of zones:
.com
    example.com
        NorthA.example.com
            Sale.NorthA.example.com
        Asia.example.com
            west.asia.example.com
            East.asia.example.com
Non-authoritative
A server that is not a delegated (authoritative) server for a zone but has records for it in its cache.
Caching
If a DNS server receives a request for a record it does not have, it resolves the name from other servers and keeps the answer in its cache for the record's TTL.
Delegation
When a name server doesn't have the contents of a zone, but knows how to find the owner, it is said to delegate service of that zone to another name server.
Primary and secondary servers
Primary server: loads the zone file and responds to queries.
Secondary server: holds a copy of the zone file obtained by zone transfer; it polls the primary's SOA serial number and updates its copy when the serial has increased; it also responds to queries.
Stub zone
A zone that contains only the resource records that identify the DNS servers that are authoritative for a DNS domain name.
Forwarding DNS
A forwarding, proxy, client or remote server simply forwards requests to another DNS server.
It does keep a cache, so repeated queries are answered fast.
Useful on slow networks.
DNS Protocol
Protocol
Mostly carried over UDP port 53; TCP port 53 is used for zone transfers and for answers too large for UDP (the UDP reply is sent with the TC bit set and the client retries over TCP)
Request/response system
The response is delivered in one message
Types of messages
Queries
Responses
Updates (dynamic update)
Query
A query can be sent by
a client (stub resolver) to a DNS server
one server to another server
There are two types of DNS queries:
Recursive
Mostly DNS clients make this kind of query. The DNS server answers from local information or makes requests to other servers on the client's behalf until it has a final answer.
Iterative
The server responds with the best local information it has, either from its local zone files or from its cache.
If the DNS server is not authoritative for that name, the response points at name servers closer to the answer and is called a referral.
Query handling
When a DNS server receives a query for a name:
If it is the master (primary) or a slave (secondary) for the zone, it answers authoritatively from the zone file.
Otherwise it looks in its cache; a cached record whose TTL has expired is discarded.
If it is neither a master nor a slave for the zone, it acts as configured: if caching and recursive queries are allowed, the server will resolve the name on the client's behalf and cache the result; otherwise it returns a referral.
Resolution example: a client asks the ISP's local recursive name server for www.abc.com (recursion desired = 1)
1. The ISP's name server knows that it is not authoritative for abc.com, so it can't look it up in its local zone database. It also doesn't find the name in its cache of recently seen data, so it starts at the root.
2. The recursive resolver asks a root name server for the IP of www.abc.com.
3. The root answers with a referral to the next servers that may know: the com name servers.
4. The resolver asks a com name server for the IP of www.abc.com.
5. The com server still does not know and refers the resolver to one of the authoritative servers for abc.com.
6. The resolver asks the abc.com name server for the IP of www.abc.com.
7. The authoritative server answers: the IP is 1.2.3.4.
8. The recursive resolver caches the answer and returns it to the client.
DNS message format
Header (12 bytes): ID, flags (QR, opcode, AA, TC, RD, RA, RCODE) and the entry counts of the four sections
Question (variable): QNAME, QTYPE, QCLASS
Answer (variable): resource records answering the question
Authority (variable): NS records for the authoritative servers (this is where a referral lives)
Additional (variable): e.g. glue A records for the names in the authority section
Each RR in the last three sections carries NAME, TYPE, CLASS, TTL, RDLENGTH (2 bytes) and RDATA
The same format is used for the DNS request and the response; a response simply repeats the question and fills in the other sections
DNS Answer
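The wire format, as an added example that is not code from the slides: a minimal builder for a query, a parser that walks all four sections (including RFC 1035 name compression pointers, with a hop limit so a crafted packet cannot loop it), and a constructed response whose ADDITIONAL section can carry arbitrary records. The transaction ID, names and addresses are invented for the demonstration; the byte layout follows RFC 1035 section 4.

```python
"""Build and parse DNS messages at the byte level (added example, RFC 1035 section 4)."""
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_MX, TYPE_TXT = 1, 2, 5, 15, 16
CLASS_IN = 1


def encode_name(name):
    """'www.abc.com' -> b'\\x03www\\x03abc\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(qname, qtype, txid, rd=True):
    """12-byte header plus one question; RD=1 asks the server to recurse."""
    flags = 0x0100 if rd else 0x0000                  # QR=0, OPCODE=0, RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, off):
    """Read a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: pointer into the message
            if not jumped:
                end = off + 2                         # the field itself is 2 bytes long
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_message(msg):
    """Return header flags plus question, answer, authority and additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    sections = {"answer": [], "authority": [], "additional": []}
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == TYPE_A and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            elif rtype in (TYPE_NS, TYPE_CNAME):
                rdata = decode_name(msg, off - rdlen)[0]
            sections[section].append((name, rtype, rclass, ttl, rdata))
    return {"id": txid, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1, "tc": flags >> 9 & 1,
            "rd": flags >> 8 & 1, "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "question": questions, **sections}


def build_answer(query, ttl, address, extra=()):
    """Constructed response to `query`: one A answer plus optional ADDITIONAL RRs.

    `extra` is a list of (name, rtype, rdata_bytes); the answer's owner name is
    a compression pointer to the question name at offset 12.
    """
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, len(extra))   # QR=1 RD=1 RA=1
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
              + bytes(int(x) for x in address.split(".")))
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, CLASS_IN, ttl, len(r)) + r
                    for n, t, r in extra)
    return header + question + answer + body


if __name__ == "__main__":
    q = build_query("www.abc.com", TYPE_A, txid=0x1234)
    r = build_answer(q, 300, "1.2.3.4")
    print(len(q), "byte query ->", len(r), "byte response")
    print(parse_message(r))
```

The same builder shows why ANY-based amplification works: the query is a fixed 29 bytes here, while the response grows with every record the server is willing to include, and nothing in the format ties the size of the answer to the size of the question.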
DNSSEC (Domain Name System Security Extensions)
To support DNSSEC a resolver sets the DNSSEC OK (DO) bit in the EDNS(0) OPT record, so that the server includes the signature records in its answer.
DNSSEC was created to protect DNS against internet attacks like DNS cache poisoning.
It is a set of extensions to DNS and provides
Origin authentication of DNS data
Data integrity (not privacy)
Authenticated denial of existence
DNS attacks
DNS DDoS attacks
The percentage of DNS attacks (72%) is a little less than that of HTTP attacks (82%).
DNS attacks include
DNS cache poisoning: the attacker injects malicious DNS data into recursive DNS servers and redirects all incoming traffic to a server of their choosing
UDP flood
DNS exploits (bugs in the server software itself)
Man in the middle: the attacker controls (or impersonates) one or more authoritative servers for an internet domain.
The recursive server keeps the forged data in its cache or passes it on to a caching server.
In case of success, the subscriber's link is redirected to a fake server/location.
The user may not suspect anything because the URL looks correct.
The fake record can spread to other DNS servers that query the poisoned cache.
AlterNIC cache poisoning (1997)
In 1997 four people, including Eugene Kashpureff, started a DNS service called AlterNIC.
They used recursive name servers to alter their caches:
The (evil) resolver asked the recursive server for a name that only the AlterNIC server could answer, so the recursive server went to that alternative server to resolve the query.
The AlterNIC server sent the answer, but at the same time it included additional records with completely unrelated resource records, for example an A record for www.fooback.com.
The recursive server kept that data in its cache and passed it to any host that later queried for it.
Hosts then went to a fake website, resolved by AlterNIC or by any other attacker-controlled DNS server.
Solution:
1. BIND patch (the bailiwick rule): the resolver will not accept resource records that are unrelated to the zone the queried server is responsible for.
Figure: (1) the resolver queries the cache server, (2) the cache server queries the alternate (AlterNIC) server, (3) AlterNIC replies with the answer plus unrelated additional information, (4) the cache server stores it and delivers the poisoned answer to the resolver.
Checks a resolver performs on a reply before accepting it:
The question section of the reply matches the question that was sent
The query ID of the reply matches the query ID that was sent
Attacker's counter: send a normal query to the target resolver and check which query ID it uses, in order to predict the next one
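The two defences discussed above, the reply-matching checks and the BIND bailiwick patch, as an added example that is not code from the slides or from BIND. It replays a constructed AlterNIC-style exchange (names, addresses and transaction ID are invented; the page's www.fooback.com is kept as the unrelated record) against a resolver cache with the bailiwick check switched off and then on.

```python
"""Resolver-side acceptance checks for a DNS reply (added example)."""
from dataclasses import dataclass, field


@dataclass
class Query:
    txid: int
    src_port: int
    server_ip: str
    qname: str
    qtype: str


@dataclass
class RR:
    name: str
    rtype: str
    rdata: str


@dataclass
class Reply:
    txid: int
    dst_port: int
    src_ip: str
    qname: str
    qtype: str
    answer: list = field(default_factory=list)
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies below it (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def reply_matches(query, reply):
    """Header and question checks: wrong ID, port, server or question -> drop."""
    return (reply.txid == query.txid
            and reply.dst_port == query.src_port
            and reply.src_ip == query.server_ip
            and reply.qname.lower() == query.qname.lower()
            and reply.qtype == query.qtype)


def accept_reply(query, reply, zone, cache, bailiwick_check=True):
    """Merge a reply into `cache`; return the RRs that were rejected.

    With bailiwick_check=False the resolver behaves like pre-1997 BIND and
    caches whatever additional records it is handed (the AlterNIC case).
    """
    if not reply_matches(query, reply):
        raise ValueError("reply does not match the outstanding query: dropped")
    rejected = []
    for rr in reply.answer + reply.authority + reply.additional:
        if bailiwick_check and not in_bailiwick(rr.name, zone):
            rejected.append(rr)
            continue
        cache.setdefault((rr.name.lower(), rr.rtype), []).append(rr.rdata)
    return rejected


def poisoning_scenario(bailiwick_check):
    """Constructed exchange: the queried server answers for its own name but
    slips an unrelated A record for www.fooback.com into ADDITIONAL."""
    q = Query(txid=0x2A2A, src_port=53, server_ip="192.0.2.10",
              qname="www.alternic.example", qtype="A")
    r = Reply(txid=0x2A2A, dst_port=53, src_ip="192.0.2.10",
              qname="www.alternic.example", qtype="A",
              answer=[RR("www.alternic.example", "A", "192.0.2.11")],
              additional=[RR("www.fooback.com", "A", "198.51.100.7")])
    cache = {}
    rejected = accept_reply(q, r, zone="alternic.example", cache=cache,
                            bailiwick_check=bailiwick_check)
    return cache, rejected


if __name__ == "__main__":
    for check in (False, True):
        cache, rejected = poisoning_scenario(check)
        print(f"bailiwick check={check}: cached {sorted(cache)}, "
              f"rejected {[rr.name for rr in rejected]}")
```

Note what the bailiwick rule does not cover: an NS or glue record for abc.com handed back by a server the resolver queried about abc.com is in bailiwick and passes, which is exactly the gap the Kaminsky variant below exploits; against that, only the ID/port matching in reply_matches (made unguessable by source-port randomization) or DNSSEC helps.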
Birthday attack on the query ID
Query IDs are 16 bits, so guessing one blind succeeds once in 65536 tries; but the probability that n people share a birthday is much higher than intuition suggests, and the same holds for n outstanding queries and n forged replies.
p(n) = probability that n people all have different birthdays = (365/365) * (364/365) * (363/365) * ... * ((366-n)/365)
So if we have 20 people, the probability that two share a birthday is about 40% (1 - p(20) = 0.41).
With a larger group the probability of a shared birthday reaches 99.7%.
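The arithmetic behind the slide, as an added example (not from the original): p(n) for the 365-day case, then the same product applied to the 16-bit query-ID space, and the per-race success probability of a blind spoofer with and without a randomized source port. The query and forgery counts (300 of each) are illustrative choices, not figures from the page.

```python
"""Collision and guessing probabilities behind cache-poisoning races (added example)."""
from math import prod


def p_all_distinct(n, space=365):
    """The slide's p(n): n values drawn uniformly from `space` are all different,
    (space/space) * ((space-1)/space) * ... * ((space-n+1)/space)."""
    if n > space:
        return 0.0
    return prod((space - k) / space for k in range(n))


def p_shared(n, space=365):
    """Probability that at least two of n values collide: 1 - p(n)."""
    return 1.0 - p_all_distinct(n, space)


def smallest_n_for(target, space=365):
    """Smallest n at which the collision probability reaches `target`."""
    n = 1
    while p_shared(n, space) < target:
        n += 1
    return n


def p_blind_spoof(forgeries, id_bits=16, port_bits=0):
    """One outstanding query; the attacker sends `forgeries` replies with
    distinct guesses.  Success needs the right ID and, when the resolver
    randomizes its source port, the right port as well."""
    space = 2 ** (id_bits + port_bits)
    return min(1.0, forgeries / space)


def p_birthday_spoof(open_queries, forgeries, id_bits=16):
    """Birthday variant: `open_queries` outstanding queries for the same name,
    each with its own random ID, and `forgeries` replies with random IDs; any
    forged ID matching any open ID wins.  Approximation: treats the open IDs
    as distinct and the forged IDs as independent draws."""
    space = 2 ** id_bits
    return 1.0 - (1.0 - open_queries / space) ** forgeries


if __name__ == "__main__":
    print(f"20 people, shared birthday:                     {p_shared(20):.1%}")
    print(f"people needed for a 50% chance:                 {smallest_n_for(0.5)}")
    print(f"blind spoof, 1 forgery, 16-bit ID only:         {p_blind_spoof(1):.5%}")
    print(f"blind spoof, 300 forgeries, ID only:            {p_blind_spoof(300):.2%}")
    print(f"birthday race, 300 queries x 300 forgeries:     {p_birthday_spoof(300, 300):.1%}")
    print(f"blind spoof, 300 forgeries, ID + random port:   {p_blind_spoof(300, port_bits=16):.7%}")
```

The last two lines are the whole argument for source-port randomization: the birthday variant turns a sub-percent chance per race into a likely win, and adding 16 bits of port entropy pushes the blind attacker back by a factor of 65536.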
Hijack the authority records
Same as before, but rather than putting in an A record the attacker adds a delegation: NS records (with glue) for the whole domain, so every later lookup under that domain goes to the attacker's server.
Kaminsky attack (2008)
The attacker triggers queries for many random names under the target domain, each one a fresh race for the query ID, and every forged reply inserts the attacker's location (NS and glue records) for the whole domain; because these records are in bailiwick, the 1997 fix does not stop them.
Signing (DNSSEC): a signed record tells the resolver who produced it, so a forged record that is not genuine is rejected.
Amplification
Send a small query that results in a much larger response, with the source address spoofed to the victim, so that open resolvers reflect the large answer at the victim.
Example query (ANY returns every record for the name):
dig ANY abc.com @208.67.220.220
Captured response (abbreviated; the capture on the original slide was for sjsu.edu):
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> ANY sjsu.edu @208.67.220.220
;; global options: +cmd
-- many lines deleted --
;; Query time: 1 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Wed Aug 13 17:01:06 2014
http://securityaffairs.co/wordpress/3184/cyber-crime/anonymous-dns-amplification-attacks-for-operation-globalblackout.html
Solutions
Anycast: a network addressing and routing method in which datagrams from a sender are routed to the topologically nearest of a group of servers sharing one address, so a flood is spread over many servers.
RRL (Response Rate Limiting) helps mitigate DNS denial-of-service attacks by reducing the rate at which authoritative servers respond to high volumes of malicious queries. The RRL mechanism is part of BIND 9.10, and was available as a software build option in BIND 9.9.4.
A DDoS detection system
If requests have a pattern like the same source, same name, class and type, that is most likely an attack (in a normal scenario, once a query is made the answer is cached on non-authoritative servers and is not sent again and again).
Solutions (continued)
Watch for records with a very short TTL and a heavy (large) response: they are never cached, so every query is reflected in full.
Message size: watch for bigger messages and close them down.
DNS query types with large answers (such as ANY) can be forced to be re-transmitted using TCP: answer over UDP with the TC bit set so the client must retry over a TCP connection, which a spoofed source can never complete.
RFC 2827 (BCP 38)
Our ISP should follow Best Current Practice 38 (ingress filtering) on its network, dropping packets whose source address could not legitimately come from that customer link; without spoofed sources there is no reflection.
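How RRL and the "force TCP" idea fit together, as an added example that models the decision logic rather than reproducing BIND's code (in BIND 9.10 the feature is enabled with an options block such as rate-limit { responses-per-second 5; slip 2; };). Identical responses to one client netblock share a credit bucket; when the bucket is empty the response is dropped, except that every slip-th one is sent truncated (TC=1), so a real client falls back to TCP while a spoofed victim gets a tiny packet instead of an amplified one. The parameters, addresses and traffic below are constructed.

```python
"""Response Rate Limiting decisions: SEND, DROP or SLIP (added example, not BIND's code)."""
from collections import Counter
from ipaddress import ip_network


class ResponseRateLimiter:
    """Credit bucket per (client netblock, qname, qtype, rcode).

    Each group earns `responses_per_second` credits per second and can save up
    at most `window` seconds' worth.  With no credit left the response is
    dropped, except that every `slip`-th dropped response becomes a truncated
    reply (TC=1) that tells a genuine client to retry over TCP.
    """

    def __init__(self, responses_per_second=5, window=15, slip=2, ipv4_prefix=24):
        self.rps = responses_per_second
        self.window = window
        self.slip = slip
        self.prefix = ipv4_prefix
        self.state = {}                      # key -> [credits, last_seen, dropped]
        self.stats = Counter()

    def _key(self, client_ip, qname, qtype, rcode):
        # Spoofed sources vary inside the victim's block, so aggregate by prefix.
        net = ip_network(f"{client_ip}/{self.prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper(), rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        key = self._key(client_ip, qname, qtype, rcode)
        credits, last, dropped = self.state.get(key, [float(self.rps), now, 0])
        credits = min(credits + (now - last) * self.rps, float(self.rps * self.window))
        if credits >= 1.0:
            credits -= 1.0
            verdict = "SEND"
        else:
            dropped += 1
            verdict = "SLIP" if self.slip and dropped % self.slip == 0 else "DROP"
        self.state[key] = [credits, now, dropped]
        self.stats[verdict] += 1
        return verdict


def simulate_flood():
    """Constructed traffic: 100 ANY queries within one second whose source is
    spoofed to two hosts in the victim's /24, one ordinary A query from an
    unrelated client in the same second, and one more ANY query a second later."""
    rrl = ResponseRateLimiter(responses_per_second=5, window=15, slip=2)
    flood = [rrl.decide(0.0, f"203.0.113.{5 if i % 2 == 0 else 77}", "abc.com", "ANY")
             for i in range(100)]
    legit = rrl.decide(0.0, "198.51.100.9", "www.abc.com", "A")
    later = rrl.decide(1.0, "203.0.113.5", "abc.com", "ANY")
    return Counter(flood), legit, later


if __name__ == "__main__":
    counts, legit, later = simulate_flood()
    print("flood verdicts:", dict(counts))
    print("unrelated client:", legit, "| same /24 one second later:", later)
```

Of the 100 reflected queries only the first five are answered in full; the rest are either silently dropped or answered with an empty truncated packet, which costs the victim a few dozen bytes rather than a kilobyte per query, while the unrelated client and the next second's first queries are unaffected.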
References
Dan Kaminsky's Black Hat presentation (PowerPoint). Excellent reading.
DNS and BIND, O'Reilly. The definitive book on DNS.
TCP/IP Illustrated, Volume 1: The Protocols, W. Richard Stevens. The definitive book on TCP/IP.
DNS Cache Poisoning at Wikipedia
http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
http://securityaffairs.co/wordpress/3184/cyber-crime/anonymous-dns-amplification-attacks-for-operation-globalblackout.html
DNS cache poisoning (AlterNIC): http://en.wikipedia.org/wiki/AlterNIC
https://ripe66.ripe.net/presentations/164-ripe66-dns.pdf