Security Issues with Domain Name Systems


By: Abhishek Singh (MS-011), Umang Sharma (MS-019)

Flow of presentation
- Introduction to DNS
- Security Measures to prevent Attacks
- Attacks on DNS
- DNSSEC
- Conclusion

Scheme of Presentation
- Overview of DNS
- Attacks on DNS:
  - DNS Cache Poisoning
  - DNS ID Spoofing
  - Client Flooding
  - DNS Dynamic Update Vulnerabilities
  - Information Leakage
  - Compromise of DNS server's authoritative data
- DNSSEC
- Security Measures to Prevent Attacks on DNS
- Conclusion

Overview of DNS
- The "Domain Name System"
- Created in 1983 by Paul Mockapetris (RFCs 1034 and 1035); modified, updated, and enhanced by a myriad of subsequent RFCs
- What Internet users use to reference anything by name on the Internet
- The mechanism by which Internet software translates names to addresses and vice versa

Overview of DNS
- Users generally prefer names to numbers
- Computers prefer numbers to names
- DNS provides the mapping between the two: "I have x, give me y"
- DNS is NOT a directory service
- It resolves Internet host names into IP addresses and vice versa

DOMAIN HIERARCHY
- A domain is a part of the hierarchy identified by a domain name
- A zone is the collection of domain information contained in a domain database file
- The root domain is at the top of the domain hierarchy
- Directly below the root domain are the top-level domains, which include:
  - com - commercial organizations
  - edu - educational organizations

DOMAIN HIERARCHY CONTD..
  - gov - government organizations
  - mil - military organizations
  - net - networking organizations
  - org - non-profit organizations
  - int - international organizations
- A domain name is written from most specific (machine name) to least specific (top-level domain), with the labels separated by dots
- A fully qualified domain name (FQDN) starts with the machine name and ends with the top-level domain

DOMAIN HIERARCHY CONTD..

DNS ROOT NAME SERVER
- Contacted by a local name server that cannot resolve a name
- Root name server: contacts the authoritative name server if the name mapping is not known
- Gets the mapping
- Returns the mapping to the local name server

DNS SOFTWARE
- The common DNS software is the Berkeley Internet Name Domain (BIND) software
- BIND has a client/server architecture
- The client software is called the resolver; the resolver queries the name server
- The server software is called the name server; the name server responds to the resolver's queries

RESOLVER
- There are two types of resolver lookups, which occur when a client requests information about a machine from the local DNS server:
  - Recursive lookups
  - Iterative lookups
- A zone transfer occurs when a DNS name server requests zone data from another DNS name server

DNS Resource Record

DNS Operation Steps
1. The client needs information about a machine and sends its request to the local DNS name server
2. The local DNS name server receives the request from the client and examines its cache; if it already knows the response, it forwards that response to the client
3. If not, the local name server forwards the request to an authoritative DNS server
4. Once the local name server receives the response, it saves the response for future use
5. Then the local name server forwards the response to the client

NAME SERVER
There are three configurable types of name servers:
- Primary name server
  - Also called an authoritative server
  - Responsible for maintaining accurate information about a specific domain hierarchy
- Secondary name server
  - Receives or retrieves the complete information for a given zone from a primary name server
  - Answers queries about that zone with authority
- Caching name server
  - Caches the responses to queries for later use
  - Usually used together with a primary or secondary server

Attacks on DNS
- DNS Cache Poisoning
- DNS ID Spoofing
- Client Flooding
- DNS Dynamic Update Vulnerabilities
- Information Leakage
- Compromise of DNS server's authoritative data

Attacks on DNS: DNS Cache Poisoning
- DNS A receives a query that it does not have an answer to, so it asks DNS B.
- DNS B replies with wrong information, or, if it does not have the answer, it puts records that do not relate to the answer into the additional records section of the response.
- DNS A accepts the response of DNS B without performing any checks and puts the corrupted records in its cache.
- Tools used to perform attacks: Cain & Abel.

Attacks on DNS:- DNS Cache Poisoning

DNS Cache Poisoning Attack
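The check that "DNS A" above is missing is a bailiwick check: a resolver should only cache records whose owner name lies inside the zone the answering server is responsible for, and should log everything else. The following is an added example, not code from the slides; the zone names, addresses and the `ResolverCache` class are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str      # owner name, e.g. "www.example.net."
    rtype: str     # record type, e.g. "A" or "NS"
    rdata: str     # record data, e.g. "192.0.2.10"

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies beneath it (case-insensitive)."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":            # the root zone covers every name
        return True
    return name == zone or name.endswith("." + zone)

class ResolverCache:
    """Hypothetical cache of a recursive resolver (constructed for this example)."""
    def __init__(self):
        self.records = {}

    def accept_response(self, zone, answer, additional):
        """Cache records from a response sent by the server for `zone`, keeping
        only those whose owner name is inside that zone. Returns (accepted,
        rejected) so the caller can log the rejected records as suspicious."""
        accepted, rejected = [], []
        for rr in answer + additional:
            if in_bailiwick(rr.name, zone):
                key = (rr.name.lower().rstrip(".") + ".", rr.rtype)
                self.records[key] = rr.rdata
                accepted.append(rr)
            else:
                rejected.append(rr)
        return accepted, rejected

    def lookup(self, name, rtype):
        return self.records.get((name.lower().rstrip(".") + ".", rtype))

def demo():
    # Constructed response from the example.net server to a query for
    # www.example.net; the additional section smuggles in a record for a
    # name that server has no authority over (the poisoning attempt).
    cache = ResolverCache()
    answer = [RR("www.example.net.", "A", "192.0.2.10")]
    additional = [RR("ns1.example.net.", "A", "192.0.2.53"),
                  RR("login.bank.example.", "A", "203.0.113.66")]  # out of bailiwick
    accepted, rejected = cache.accept_response("example.net.", answer, additional)
    return (len(accepted), len(rejected),
            cache.lookup("www.example.net", "A"),
            cache.lookup("login.bank.example", "A"))
```

Without the check, the last lookup would return the attacker-supplied address for every client of the resolver until the record's TTL expires.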

Security Measures to prevent DNS Cache Poisoning
There are three checkpoints for it:
- Is the port number used by DNS queries randomized?
- Is the ID number used by DNS queries randomized?
- Is the DNS server allowed to reply to recursive DNS queries originating from the outside?

Security Measures to prevent DNS Cache Poisoning
Tools used to perform the checks:
- "porttest.dns-oarc.net" tool by DNS-OARC
- "txidtest.dns-oarc.net" tool by DNS-OARC
- "Cross-Pollination Scan" tool by IANA

Attacks on DNS: DNS ID Spoofing
- Machine X needs to know the IP address of machine Y
- X assigns a random identification number (16 bits) to the request it sends to the DNS server and expects this number to be present in the DNS reply
- An attacker using a sniffer intercepts the DNS request and sends X a reply containing the correct identification number but with an IP address of his choice

Attacks on DNS

Attacks on DNS: DNS ID Spoofing without a sniffer (the Birthday Paradox)
- The identification number has 65535 possible values.
- An attacker sends n queries for www.cnn.com, and the victim DNS server sends n queries to ns.cnn.com
- The attacker sends n spoofed replies from ns.cnn.com to the victim DNS server
- Because of the Birthday Paradox, the probability of one of the n replies containing a correct identification number increases rapidly even for small n.

Attacks on DNS
Queries   Chances
100       0.0728
200       0.2621
400       0.7048
650       0.9604
750       0.9865
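The figures in the table are the classic birthday-collision probability for n values drawn from the 65535-value ID space. The added example below (not from the slides) recomputes them, finds how many queries give the attacker even odds, and then shows why the port-randomization checkpoint matters: with a randomized 16-bit source port the same n queries face a space of roughly 2^32 values. The port range of 64512 values is an assumption (ephemeral ports 1024 to 65535).

```python
ID_SPACE = 65535      # the slides' figure; the real space is 2**16 = 65536,
                      # which changes the results only in the 4th decimal place
PORT_SPACE = 64512    # assumed ephemeral source-port range 1024-65535

def collision_probability(n, space=ID_SPACE):
    """Probability that at least two of n values drawn uniformly from `space`
    coincide, i.e. that one of the attacker's n spoofed replies carries the
    ID of one of the victim's n outstanding queries (birthday paradox)."""
    p_all_distinct = 1.0
    for i in range(1, n):
        p_all_distinct *= 1 - i / space
    return 1 - p_all_distinct

def chances_table(queries=(100, 200, 400, 650, 750)):
    """The slides' table, recomputed: {n: probability rounded to 4 places}."""
    return {n: round(collision_probability(n), 4) for n in queries}

def queries_needed(target, space=ID_SPACE):
    """Smallest n for which the attacker's success chance reaches `target`."""
    n = 1
    while collision_probability(n, space) < target:
        n += 1
    return n

def with_port_randomization(n):
    """Same n queries against a resolver that also randomizes the source port:
    a reply must now match both ID and port, so the space is the product."""
    return collision_probability(n, ID_SPACE * PORT_SPACE)
```

With the ID alone, about 300 queries already give the attacker a coin-flip chance; with port randomization, 750 queries leave the chance below one in ten thousand.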

Tips for Preventing DNS Spoofing
- Keep the DNS software up to date.
- Allow updates and zone transfers only from trusted sources.
- Maintain separate DNS servers for public services and for internal services.
- Use a secure key for signing the updates received from other DNS servers. This will avoid updates from untrusted sources.

Attacks on DNS: Client Flooding
- The client sends a DNS query.
- The attacker sends thousands of responses made to appear as if they originate from the DNS server.
- The client accepts the responses because it lacks the capability to verify their origin.

Attacks on DNS: Information Leakage
- Zone transfers can leak information concerning internal networks.
- Alternatively, an attacker can query every IP address in a domain's address space one by one to learn which IP addresses are unassigned.
- If a system trusts an entire IP network, rather than specifying every host that it trusts, then that system may be vulnerable to an attack using an unassigned IP address.

Attacks on DNS: Compromise of DNS server's authoritative data
- The DNS server has some vulnerabilities not related to DNS itself.
- The attacker gets administrative privileges on the DNS server.
- The attacker modifies the zone information for which the DNS server is authoritative.

DNSSEC
DNSSEC: Domain Name System SECurity Extensions

DNSSEC TIMELINE
- 1993: Discussion of secure DNS begins
- 1994: First draft of a possible standard published
- 1997: RFC 2065 published (DNSSEC is an IETF standard)
- 1999: RFC 2535 published (DNSSEC standard is revised)
- 2005: Total rewrite of the standards published

What DNSSEC Does!
DNSSEC uses public key cryptography and digital signatures to provide:
- Data origin authentication: "Did this DNS response really come from the .com zone?"
- Data integrity: "Did an attacker (e.g., a man-in-the-middle) modify the data in this response since it was signed?"
Bottom line: DNSSEC offers protection against spoofing of DNS data

DNSSEC MECHANISM
- DNSSEC is a mechanism enabling the validation and authentication of the origin and integrity of DNS data.
- DNSSEC mechanisms are based on asymmetric cryptography: keys are exchanged between the authoritative name server and the DNS client or resolver.
- All keys generated are contained within the DNS zone in new RR types (resource records).

DNSSEC MECHANISM
Each signed zone and RR is associated with two cryptographic keys, also known as a "key pair":
- Confidential private key: used to assert data authenticity and integrity by signing the Resource Record Sets. This key is kept confidential.
- Public key: used to check (decrypt) the signature produced with the private key, verifying data authenticity and integrity.

DNSSEC brings benefits in two key points:
- Origin authentication
- Integrity checking
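To make the two benefits concrete, the added example below (not from the slides) signs a Resource Record Set with a private key and verifies it with the matching public key, the way RRSIG and DNSKEY records work: a substituted address fails the integrity check and a signature not made with the zone's key fails the origin check. The key pair is a constructed textbook-RSA toy built from two Mersenne primes, and `example.test` is a made-up zone; real zones use 2048-bit RSA or ECDSA P-256 keys and the RFC 4034 wire formats, neither of which is reproduced here.

```python
import hashlib

# Constructed toy key pair: textbook RSA from the primes 2^31-1 and 2^61-1.
# Not a real DNSSEC key; only the sign/verify relationship is illustrated.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PRIVATE_KEY = (N, D)   # stays with the zone owner
PUBLIC_KEY = (N, E)    # published in the zone as a DNSKEY record

def canonical_rrset(rrset):
    """DNSSEC signs the whole RRset in canonical form (owner names lowercased,
    records sorted) so signer and validator hash exactly the same bytes."""
    rows = sorted((owner.lower(), rtype, ttl, rdata)
                  for owner, ttl, rtype, rdata in rrset)
    return "\n".join(f"{o} {ttl} IN {t} {r}" for o, t, ttl, r in rows).encode()

def rrset_digest(rrset, n):
    digest = hashlib.sha256(canonical_rrset(rrset)).digest()
    return int.from_bytes(digest, "big") % n

def sign_rrset(rrset, private_key):
    """Signer side: the value an RRSIG record for this RRset would carry."""
    n, d = private_key
    return pow(rrset_digest(rrset, n), d, n)

def verify_rrset(rrset, signature, public_key):
    """Validator side: recover the digest from the signature with the public
    key and compare it with the digest of the RRset actually received."""
    n, e = public_key
    return pow(signature, e, n) == rrset_digest(rrset, n)

# Constructed sample A RRset for the made-up zone example.test; the mixed case
# of the first owner name is deliberate, canonicalisation removes it.
A_RRSET = [("EXAMPLE.TEST.", 3600, "A", "192.0.2.10"),
           ("example.test.", 3600, "A", "192.0.2.11")]

def demo():
    sig = sign_rrset(A_RRSET, PRIVATE_KEY)
    intact = verify_rrset(A_RRSET, sig, PUBLIC_KEY)
    # Integrity: a cache-poisoning style substitution of one address fails
    poisoned = [A_RRSET[0], ("example.test.", 3600, "A", "203.0.113.66")]
    tampered = verify_rrset(poisoned, sig, PUBLIC_KEY)
    # Origin: a signature value not produced with the zone's private key fails
    forged = verify_rrset(A_RRSET, (sig + 1) % N, PUBLIC_KEY)
    return intact, tampered, forged
```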

Conclusion
DNS plays a vital role in the Internet architecture. Since the present DNS specification did not include proper security, it is vulnerable to attacks, so we should use proper security measures to prevent DNS attacks. Also, the attacker and defender should work on the same platform for better performance.


Thank You.