Attacking DNS Slides adapted from Olaf Kolkman, RIPE Lecture 18

Slides:



Advertisements
Similar presentations
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Advertisements

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
CPSC 441: DNS1 Instructor: Anirban Mahanti Office: ICT Class Location: ICT 121 Lectures: MWF 12:00 – 12:50 Notes derived.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
CIS3360: Security in Computing Chapter 6 : Network Security II Cliff Zou Spring 2012.
CS 4396 Computer Networks Lab
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,
Domain Name System (DNS)
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Got DNS? A review of Domain Name Services and how it impacts website developers. By Jason Baker Digital North.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
IIT Indore © Neminath Hubballi
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 17 Domain Name System (DNS)
DNS: Domain Name System
1 DNS: Domain Name System People: many identifiers: m SSN, name, Passport # Internet hosts, routers: m IP address (32 bit) - used for addressing datagrams.
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Netprog: DNS and name lookups1 Address Conversion Functions and The Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
CPSC 441: DNS 1. DNS: Domain Name System Internet hosts: m IP address (32 bit) - used for addressing datagrams m “name”, e.g., - used by.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
4343 X2 – Outline The Domain Name System The Web.
1. Internet hosts:  IP address (32 bit) - used for addressing datagrams  “name”, e.g., ww.yahoo.com - used by humans DNS: provides translation between.
COMP 431 Internet Services & Protocols
Domain Name System INTRODUCTION to Eng. Yasser Al-eimad
So DNS is A client-server application that maps domain names into their corresponding IP addresses with the help of name servers. Mapping domain names.
Short Intro to DNS (part of Tirgul 9) Nir Gazit. What is DNS? DNS = Domain Name System. For translation of host names to IPs. A Distributed Database System.
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
@Yuan Xue A special acknowledge goes to J.F Kurose and K.W. Ross Some of the slides used in this lecture are adapted from their.
CSE 461 Section. Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
Ip addressing: dhcp & dns
Security Issues with Domain Name Systems
Everything You need to know
DNS Security.
Chapter 9: Domain Name Servers
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
Principles of Computer Security
CS 3700 Networks and Distributed Systems
IMPLEMENTING NAME RESOLUTION USING DNS
Practical Censorship Evasion Leveraging Content Delivery Networks
DNS Cache Poisoning Attack
Domain Name System (DNS)
DNS security.
Information Security CS 526 Omar Chowdhury
Chapter 19 Domain Name System (DNS)
Computer Networks: Domain Name System 1.
Domain Name System (DNS)
Distributed Peer-to-peer Name Resolution
Introduction to the DNS system
NET 536 Network Security Lecture 8: DNS Security
NET 536 Network Security Lecture 6: DNS Security
DNS: Domain Name System
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Ip addressing: dhcp & dns
The Application Layer: Sockets, DNS
Introduction to the DNS system
COMPUTER NETWORKS PRESENTATION
Presentation transcript:

Attacking DNS Slides adapted from Olaf Kolkman, RIPE Lecture 18 4/18/2018 Attacking DNS Lecture 18 © 2002 These slides where produced by Bill Manning (ISI), Ed Lewis (NAI labs) and Olaf M. Kolkman (RIPE NCC). Slides adapted from Olaf Kolkman, RIPE slideset 1 February 2003

Start of Authority (SOA) To conclude last class, I mentioned the SOA type but didn’t know its precise purpose Idea is to give global parameters for the domain you are asking about Returned by name to server info about all sites of that nameserver Indicates who to ask for this domain March 2017

DNS Types Type = A / AAAA Type = NS Name = domain name Value = IP address A is IPv4, AAAA is IPv6 Type = NS Name = partial domain Value = name of DNS server for this domain “Go send your query to this other server” Query Name: www.ccs.neu.edu Type: A Resp. Name: www.ccs.neu.edu Value: 129.10.116.81 Query Name: ccs.neu.edu Type: NS Resp. Name: ccs.neu.edu Value: 129.10.116.51

DNS Types, Continued Type = CNAME Type = MX Name = hostname Value = canonical hostname Useful for aliasing CDNs use this Type = MX Name = domain in email address Value = canonical name of mail server Query Name: foo.mysite.com Type: CNAME Resp. Name: foo.mysite.com Value: bar.mysite.com Query Name: ccs.neu.edu Type: MX Resp. Name: ccs.neu.edu Value: amber.ccs.neu.edu

Domain Squatting Cybersquatting is to register a domain in anticipation of that domain being desirable to another organization Intent to sell tot hat organization for big profit For example, You can register “hurricane2013.com”, or “hurricane-in-Texas.com” if you think there will be a big one in Texas in the near future. Sell it for big profit if it is true! Domain name purchase is cheap! Many organizations have to buy all related domain names to prevent cybersquatting http://en.wikipedia.org/wiki/Cybersquatting March 2017

Typosquatting Register all possible typo domain names for another organization Should a user accidentally enters an incorrect website address, he may be led to an alternative website owned by a cybersquatter. Could lead to phishing attack (malicious), or increase web visits (not very malicious) For example, for “bankofamerica.com”, a cybersquatter could register: “bankamerica.com”, “bankoamerica.com”, “bankofamerican.com”, “bankfoamerica.com”, …… Domain name purchase is cheap! March 2017

Resolving process & Cache 4/18/2018 Resolving process & Cache Question: www.ripe.net A root-server www.ripe.net A ? Ask net server @ X.gtld-servers.net (+ glue) www.ripe.net A ? Caching forwarder (recursive) Resolver 192.168.5.10 www.ripe.net A ? gtld-server Ask ripe server @ ns.ripe.net (+ glue) Add to cache www.ripe.net A ? 192.168.5.10 Glue records identify IP address of referred servers ripe-server February 2003

Aliasing and Load Balancing One machine can have many aliases www.reddit.com david.choffnes.com www.foursquare.com alan.mislo.ve www.huffingtonpost.com *.blogspot.com One domain can map to multiple machines www.google.com

Content Delivery Networks DNS responses may vary based on geography, ISP, etc

DNS Query Format Operates over UDP, destination port is 53 MAC Header IP Header Trans. ID Flags # Queries Source port = 1100 Dest port = 53 16 bit increasing number # Answers # Authorities Additional Resource Records Queries: Name, Type, Class March 2017

Matching Responses A DNS resolver (or recursive nameserver) uses the following values to match responses: The source port (selected at startup) The transaction ID The asked query March 2017

Attacking DNS integrity Our goal will be compromise the integrity of a recursive name server Simplest attack strategy: root-server gtld-server Adversary needs to be between client and some server in the chain ripe-server Creates response that points to their server and sends it to client, client will ignore legitimate response (the trans will be closed) March 2017

Exercise 1 What natural defenses does DNS provide? How does the distributed nature of DNS help? root-server gtld-server Adversary needs to be between client and some server in the chain ripe-server Creates response that points to their server and sends it to client, client will ignore legitimate response (the trans will be closed) March 2017

Exercise 1 Client may not ask query May ask different server May not be able to respond before server root-server How to overcome these limitations? gtld-server ripe-server March 2017

Cache Poisoning root-server gtld-server ripe-server google.com? Client listens to (and caches) the first response google.com 123.123.123.123 March 2017

Cache Poisoning root-server gtld-server ripe-server What does an adversary need to execute this attack? root-server gtld-server ripe-server March 2017

Cache Poisoning root-server gtld-server ripe-server What does an adversary need to execute this attack? root-server gtld-server Query knowledge, timing, trans ID., source port ripe-server March 2017

Gaining knowledge The source port is a predictable value that is chosen at server initialization Transaction ID in early servers was an incrementing value Lets assume that it’s a random 16-bit value March 2017

Cache Poisoning root-server gtld-server ripe-server google.com? Client listens to (and caches) the first response with correct TID google.com 123.123.123.123 TID = 1 google.com 123.123.123.123 TID = 2 google.com 123.123.123.123 TID = 3 google.com 123.123.123.123 TID = 4 March 2017

Gaining knowledge The source port is a predictable value that is chosen at server initialization Transaction ID in early servers was an incrementing value Lets assume that it’s a random 16-bit value Race for attacker to send correct TID before legitimate response How many responses required? Approximately 216 How to know when query will be made and to what domain? March 2017

Cache Poisoning root-server gtld-server ripe-server google.com? google.com google.com google.com google.com google.com 67.218.93.152 google.com? gtld-server ripe-server Client listens to (and caches) the first response with correct TID March 2017

Gaining knowledge Attacker can initiate query if on the DNS server internal network or the DNS server accepts outside requests Do DNS servers accept outside queries? Still needs to learn source port and TID March 2017

Number of open DNS resolvers March 2017

How will the attacker get his entry into the cache? 2 ways 1. Tell resolver that NS for victim is at adversary’s IP Issue query: subdomain.attacker.example IN A Attacker’s response: Answer: (no response) Authority Section: attacker.example. 3600 IN NS ns.target.example. Additional Section: ns.target.example. IN A w.x.y.z Adversary says “authoritative server for my domain is ns.target.example and oh by the way here is the IP for it (adversary’s IP) March 2017

How will the attacker get his entry into the cache? 2 ways 2. Redirect the NS record to the adversary’s domain Issue query: subdomain.attacker.example IN A Answer: (no response) Authority section: Target.example. 3600 IN NS ns.attacker.example. Additional section: Ns.attacker.example. IN A w.x.y.z The attacker has inserted an unrelated piece of information that will be cached by the server (that target.example.’s ADNS is ns.attacker.example.) March 2017

Impact of poisoning Don’t have to claim a single address, can immediately take over a while domain Main barrier to attack is the recursive resolver not having a cached record Exercise: how can we make this attack more difficult (without changing DNS)? Don’t accept external queries Randomize source port Randomize TID (not really helpful) March 2017

TLS to the rescue TLS should provide authentication when we connect to a webserver If we are redirected to a bad site that claims to be google.com they won’t have a valid certificate… March 2017

Subverting TLS CA Chase.com chase.com… Certificate request for chase.com chase.com? Valid certificate for chase.com Evil address Attacker can now freely execute attacker against other hosts March 2017

Subverting TLS Attack extends if the CA sends an email to verify hostname Works against any domain validated certificate March 2017

TLS Attack This attack is easy to iterate You can ask for new certificates as the cache clears and try until successful Does not work to get extensively validated certs Some CAs restrict the usage of domain validated certs (don’t allow authentication) Browsers use cert pinning to prevent this Need more extensive defenses to strengthen DNS March 2017

DNS Defense Seems to require updates to DNS that make it more security aware Want to learn from BGP/IPv6 deployment, don’t want to require large scale replacement of internet infrastructure March 2017

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.