Short Intro to DNS (part of Tirgul 9) Nir Gazit
What is DNS?
DNS = Domain Name System: translates host names to IP addresses.
A distributed database system.
▫Resolution walks the name-server hierarchy from the top (the root) down: the resolver sends a query to a Name Server (NS) and follows the referral it gets back, one level at a time.
▫Authoritative Name Servers are assigned responsibility for a specific domain (zone).
(Diagram: the namespace tree: root, Top Level Domains, sub-domains.)
DNS: Simplified Mechanism
(Diagram: to resolve google.com the resolver asks the root, is referred to the com servers, and is referred again to the google.com servers.)
DNS Lookup
DNS Records (RRs), 3 main types:
▫Hostname A IPAddress: maps the hostname to an IP address.
▫Hostname NS Nameserver (e.g. google.com NS ns.google.com): specifies an authoritative name server for the domain.
▫Hostname1 CNAME Hostname2 (e.g. mail.google.com CNAME googlemail.l.google.com): alias of one hostname to another. The lookup continues by retrying the query with the new name.
DNS Lookup (continued)
2 top levels:
▫Root servers (13 named identities, A to M; each is served by many anycast instances).
▫TLD servers (.com, .net, .edu, ...).
Caching
▫Each RR in a DNS response carries a TTL (Time To Live) that bounds how long a resolver may keep it in its cache.
Glue records
▫Name servers are identified by name (e.g. ns.google.com), so a delegation can be circular: to reach google.com's name server you must first resolve ns.google.com, which itself lives under google.com.
▫To break the cycle, the delegating (parent) server adds the name server's IP address as a "glue" A record in the additional section of its referral.
DNS: Full Mechanism
(Diagram: resolving google.com A, step by step.)
▫Resolver → root server: resolve google.com A. Referral: com NS ns.com, plus glue ns.com A (its IP).
▫Resolver → ns.com: resolve google.com A. Referral: google.com NS ns.google.com, plus glue ns.google.com A (its IP).
▫Resolver → ns.google.com: resolve google.com A. Answer: google.com A (its IP).
DNS Poisoning
Injecting fake DNS RRs into a resolver's cache.
Method 1: via "glue" RRs
▫Query: resolve some name under facebook.com (A record). The query ends up at the server authoritative for facebook.com, which in this scenario is the attacker's.
▫Response: facebook.com NS google.com, plus a "glue" A record for google.com pointing at an attacker-chosen IP. A resolver that caches that glue will now answer google.com with the attacker's address.
DNS Poisoning (Method 1 example)
(Diagram: resolving a facebook.com name, step by step.)
▫Resolver → root server: referral com NS ns.com, plus glue ns.com A.
▫Resolver → ns.com: referral facebook.com NS ns1.facebook.com, plus glue ns1.facebook.com A.
▫Resolver → ns1.facebook.com: the A record for the queried name, plus an extra A record for google.com (the poisoned "glue"), which a naive resolver caches.
DNS Poisoning (continued)
Method 1 (glue RRs), the defence:
▫Bailiwick rule: a resolver accepts only records whose name is in, or below, the zone of the server it asked; everything else in the response is ignored. A name server for facebook.com (e.g. a.ns.facebook.com) cannot answer for google.com.
Method 2: send a spoofed DNS response that arrives before the genuine one (DNS injection).
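The two exchanges drawn on the "Full Mechanism" slide and on the Method 1 example above, as an added example that is not part of the original slides: a toy iterative resolver over constructed in-memory zones. It walks root → TLD → authoritative following glue, and then shows that a resolver without the bailiwick rule caches the attacker's google.com glue while one with the rule discards it. Every zone, host name and IP address below is an assumption made for the example (the addresses are documentation ranges, and the named hosts are not the real servers of those domains).

```python
"""Added example (not from the slides): a toy iterative resolver over an
in-memory set of name servers.  It walks root -> TLD -> authoritative using
glue records, and shows how the out-of-bailiwick glue from the 'Method 1'
slide is cached by a naive resolver but dropped by one that enforces the
bailiwick rule.  All zones, names and IPs here are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class RR:
    name: str    # fully qualified, trailing dot
    rtype: str   # "A" or "NS"
    rdata: str   # IPv4 address for A, host name for NS
    ttl: int = 300

ROOT_IP = "198.41.0.4"
# Constructed servers: IP -> (zone it is authoritative for, its records).
SERVERS: Dict[str, Tuple[str, List[RR]]] = {
    ROOT_IP: (".", [
        RR("com.", "NS", "ns.com."),
        RR("ns.com.", "A", "192.0.2.1"),                 # glue for ns.com
    ]),
    "192.0.2.1": ("com.", [                             # ns.com
        RR("google.com.", "NS", "ns.google.com."),
        RR("ns.google.com.", "A", "192.0.2.2"),          # glue
        RR("facebook.com.", "NS", "ns1.facebook.com."),
        RR("ns1.facebook.com.", "A", "192.0.2.3"),       # glue
    ]),
    "192.0.2.2": ("google.com.", [                      # ns.google.com
        RR("google.com.", "NS", "ns.google.com."),
        RR("ns.google.com.", "A", "192.0.2.2"),
        RR("google.com.", "A", "203.0.113.10"),          # the real answer
    ]),
    "192.0.2.3": ("facebook.com.", [                    # ns1.facebook.com (attacker's)
        RR("facebook.com.", "A", "203.0.113.20"),
        # Poison: claim google.com is a facebook.com name server and hand out
        # a "glue" A record for google.com that points at an attacker address.
        RR("facebook.com.", "NS", "google.com."),
        RR("google.com.", "A", "192.0.2.66"),
    ]),
}

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or below it (the root covers everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)

def query_server(ip: str, qname: str, qtype: str):
    """Simulate one query to the server at ip; returns the three response sections."""
    zone, records = SERVERS[ip]
    answer = [rr for rr in records if rr.name == qname and rr.rtype == qtype]
    if answer:   # authoritative answer; the zone's NS set rides along in authority
        authority = [rr for rr in records if rr.rtype == "NS" and rr.name == zone]
    else:        # referral: the delegation (NS set) that covers qname
        authority = [rr for rr in records if rr.rtype == "NS"
                     and rr.name != zone and in_bailiwick(qname, rr.name)]
    additional = [rr for rr in records if rr.rtype == "A"
                  and any(rr.name == ns.rdata for ns in authority)]   # glue
    return answer, authority, additional

class Resolver:
    """Iterative resolver: starts at the root and follows referrals and glue."""
    def __init__(self, bailiwick_check: bool = True):
        self.bailiwick_check = bailiwick_check
        self.cache: Dict[Tuple[str, str], str] = {}
        self.trace: List[str] = []   # servers contacted, in order

    def _accept(self, rrs: List[RR], zone: str) -> None:
        for rr in rrs:
            if self.bailiwick_check and not in_bailiwick(rr.name, zone):
                continue   # bailiwick rule: this server may not speak for that name
            self.cache.setdefault((rr.name, rr.rtype), rr.rdata)

    def resolve(self, qname: str, qtype: str = "A", depth: int = 0) -> Optional[str]:
        if (qname, qtype) in self.cache:
            return self.cache[(qname, qtype)]
        if depth > 5:
            return None
        server = ROOT_IP
        for _ in range(10):   # bound the length of the referral chain
            self.trace.append(server)
            zone = SERVERS[server][0]
            answer, authority, additional = query_server(server, qname, qtype)
            self._accept(answer + authority + additional, zone)
            if answer:
                return answer[0].rdata
            if not authority:
                return None
            ns_name = authority[0].rdata
            # Use glue if we were given it, else resolve the name server's address.
            ns_ip = self.cache.get((ns_name, "A")) or self.resolve(ns_name, "A", depth + 1)
            if ns_ip not in SERVERS:
                return None
            server = ns_ip
        return None

def demo() -> Tuple[Optional[str], Optional[str]]:
    """(google.com as answered by a naive resolver, as answered by a strict one)."""
    naive = Resolver(bailiwick_check=False)
    naive.resolve("facebook.com.")            # caches the poisoned google.com A record
    poisoned = naive.resolve("google.com.")   # served from cache; ns.google.com never asked
    strict = Resolver(bailiwick_check=True)
    strict.resolve("facebook.com.")           # the poisoned glue is discarded
    return poisoned, strict.resolve("google.com.")
```

`demo()` returns `('192.0.2.66', '203.0.113.10')`: the naive resolver never contacts ns.google.com because the attacker's glue already sits in its cache, while the strict resolver walks root, ns.com, ns.google.com (visible in `Resolver.trace`) and gets the real record. The `setdefault` in `_accept` also shows why the order matters: the poison only lands if the real record was not cached first, which is what pushes real attacks towards racing the resolver (Method 2).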
DNS Injection
DNS Injection: can it work?
According to RFC 5452, the requesting resolver must check that a response has:
▫The same question section as the request.
▫The same 16-bit transaction ID (chosen randomly by the resolver).
▫A destination IP address and port equal to the source IP address and port of the request (RFC 5452 also requires that source port to be random).
▫A source IP address (and port) equal to those of the name server the request was sent to.
And the spoofed response must arrive before the response of the genuine authoritative NS: once one matching answer is accepted, later ones are dropped.
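The checks listed above, as an added example that is not part of the original slides: a minimal DNS wire-format encoder/parser (header, question, one A record with a compression pointer) and a `validate_response` function that applies the RFC 5452 acceptance rules to a query and four candidate replies, three of them forged. The resolver and server addresses, the source port and the query name are constructed for the example; none of it is the code of any real resolver.

```python
"""Added example (not from the slides): minimal DNS wire-format building and
parsing plus the RFC 5452 checks a resolver applies before accepting a UDP
response.  Addresses, ports and the query name are constructed."""
import os
import random
import struct
from typing import NamedTuple, Tuple

class Datagram(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

def encode_name(name: str) -> bytes:
    """'google.com' -> b'\\x06google\\x03com\\x00' (label-length encoding)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name, following 0xC0xx compression pointers; returns (name, next offset)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                     # pointer into the message
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), end if end is not None else off
        labels.append(msg[off:off + n].decode())
        off += n

def build_query(qname: str, qtype: int = 1) -> bytes:
    """Standard query: random 16-bit ID, RD set, one question (qname, qtype, IN)."""
    qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(qid: int, qname: str, ip: str, qtype: int = 1) -> bytes:
    """Response with one A record whose owner name is a pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    return header + question + b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, 300, 4) + rdata

def parse(msg: bytes):
    """Returns (id, flags, (qname, qtype, qclass), [(name, ip), ...])."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off, answers = off + 4, []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return qid, flags, (qname, qtype, qclass), answers

def validate_response(request: Datagram, response: Datagram) -> Tuple[bool, str]:
    """The RFC 5452 acceptance checks; returns (accepted, reason)."""
    if (response.src_ip, response.src_port) != (request.dst_ip, request.dst_port):
        return False, "not from the server/port we queried"
    if (response.dst_ip, response.dst_port) != (request.src_ip, request.src_port):
        return False, "not addressed to our source IP/port"
    rid, _, rq, _ = parse(request.payload)
    sid, sflags, sq, _ = parse(response.payload)
    if not sflags & 0x8000:
        return False, "QR bit clear: this is not a response"
    if sid != rid:
        return False, "transaction ID mismatch"
    if sq != rq:
        return False, "question section mismatch"
    return True, "accepted"

def guess_space(random_source_port: bool) -> int:
    """Guesses an off-path attacker faces: 2^16 IDs, times ~64512 ports if randomised."""
    return 65536 * (65536 - 1024 if random_source_port else 1)

def demo() -> dict:
    """One query against three spoof attempts and the genuine reply."""
    resolver_ip, server_ip = "192.0.2.10", "192.0.2.53"          # constructed
    src_port = random.SystemRandom().randrange(1024, 65536)      # random source port
    query = build_query("www.example.com")
    qid = struct.unpack("!H", query[:2])[0]
    request = Datagram(resolver_ip, src_port, server_ip, 53, query)

    def reply(rid: int, qname: str, ip: str, dst_port: int = src_port) -> Datagram:
        # An off-path attacker can forge the server's source IP, so the only
        # things it has to guess are the transaction ID and the destination port.
        return Datagram(server_ip, 53, resolver_ip, dst_port, build_response(rid, qname, ip))

    attempts = {
        "wrong_id": reply((qid + 1) & 0xFFFF, "www.example.com", "203.0.113.66"),
        "wrong_port": reply(qid, "www.example.com", "203.0.113.66", src_port % 65535 + 1),
        "wrong_question": reply(qid, "www.attacker.example", "203.0.113.66"),
        "genuine": reply(qid, "www.example.com", "203.0.113.10"),
    }
    return {name: validate_response(request, dg)[0] for name, dg in attempts.items()}
```

`demo()` returns `{'wrong_id': False, 'wrong_port': False, 'wrong_question': False, 'genuine': True}`. The source-address check buys little against an off-path attacker, who simply forges the server's IP in the UDP header; what it has to guess is the ID and the destination port, which is what `guess_space` quantifies (65536 tries with a fixed port, about 4.2 billion with a random one), and why the fix for an injection race is entropy, not stricter address matching. Nothing here stops an on-path party (the censorship case on the next slide), which sees the ID and port and only has to answer first.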
DNS Injection as a method of censorship
Thought to be used by the "Great Firewall of China".
Reality Check
A true story (oarc.net/pipermail/dns-operations/2010-March/...html):
▫A Chilean DNS operator found that when accessing certain sites, sometimes you get a bad IP instead of the correct one.
▫Caused by queries reaching root-server instances (of F, I and J) whose anycast announcements originate in China: filtering applied to traffic inside China thus affected resolvers outside it.
▫The same happened when Korean (.kr) users tried to reach German (.de) sites.
Today this happens mostly at the TLD level rather than the root level: TLD servers are queried far more often, and with their shorter TTLs the injected answers are seen more frequently.