CIT 480: Securing Computer Systems


CIT 480: Securing Computer Systems
DNS Security

Topics
  How DNS Works
  DNS Caching
  Pharming
  DNS Cache Poisoning
  DNS Cache Defenses
  DNSSEC

Domain Name System (DNS)
  The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses.
  [Figure: two browser windows ("Vacation Savings", "My Example Blog Spot"). The user types http://www.example.com; DNS maps www.example.com to 208.77.188.166, and the same site is reachable directly as http://208.77.188.166.]

Domain Name System
  DNS provides a distributed database over the internet that stores various resource records, including:
    Address (A) record: IP address associated with a host name
    Mail exchange (MX) record: mail server of a domain
    Name server (NS) record: authoritative server for a domain
  Example DNS entries from http://www.maradns.org/tutorial/recordtypes.html

Name Servers
  Domain names:
    Two or more labels, separated by dots (e.g., cs166.net)
    Rightmost label is the top-level domain (TLD)
  Hierarchy of authoritative name servers:
    Root servers hold information about the root domain
    Each server holds information about its subdomains (A records) or references to other name servers (NS records)
  The authoritative name server hierarchy matches the domain hierarchy: root servers point to DNS servers for TLDs, etc.
  Root and TLD servers change infrequently.
  DNS servers refer to other DNS servers by name, not by IP: sometimes they must bootstrap by providing an IP along with a name, called a glue record.

DNS Tree
  [Figure: the tree has the root at the top, the TLDs com and edu beneath it, then brown.edu, stanford.edu, google.com and microsoft.com, with cs.brown.edu under brown.edu. Each node carries resource records, for example:
    A brown.edu 128.148.128.180
    A cs.brown.edu 128.148.32.110
    A google.com 66.249.91.104
    A microsoft.com 207.46.232.182
    A stanford.edu 171.67.216.18
  Other hosts are shown with masked addresses, e.g. A xxx.brown.edu 128.148.###.###, A xxx.stanford.edu 171.67.###.###, A xxx.com ###########.]

Internet Corporation for Assigned Names and Numbers (ICANN)
  Non-profit organization at USC that
    Manages root DNS servers
    Allocates IP addresses
  Originally created and run by US government
    Controversial in EU, China, UN
    Independent as of Sept 30, 2009
  Alternative to ICANN
    Multiple DNS trees with their own roots
    Name resolution varies based on geography

Top Level Domains
  Suffix  Purpose                                    Example
  Generic TLDs (gTLDs):
  com     Commercial organizations (businesses)      intel.com
  edu     Educational organizations (universities)   nku.edu
  gov     Government organizations                   kentucky.gov
  mil     Military organizations                     army.mil
  net     Networking organizations (ISPs)            sprint.net
  org     Noncommercial organizations                ietf.org
  int     International organizations                nato.int
  info    Informational sites                        cat.info
  Country code TLDs (ccTLDs):
  at      Country code for Austria                   austria.at
  …
  uk      Country code for United Kingdom            bbc.co.uk
  us      Country code for United States             gov.state.ky.us

Name Resolution
  Zone: collection of connected nodes with the same authoritative DNS server, e.g. nku.edu.
  Resolution method when the answer is not in cache:
  [Figure: the client asks its ISP DNS server "Where is www.example.com?"; the ISP server asks a root name server, which replies "Try com nameserver"; the com server replies "Try example.com nameserver"; the example.com server answers 208.77.188.166, which the ISP server returns to the client.]

DNS Query Packet Image from http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

DNS Response Packet Image from http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

Authoritative Name Servers
  Control of the DNS is distributed among authoritative name servers (ANSs).
  ANSs are responsible for specific domains.
    Can designate other ANSs for subdomains.
  An ANS can be master or slave.
    Master contains the original zone table.
    Slaves are replicas, automatically updating.
    Fault tolerance + load balancing.
  ANSs set the Authoritative Answer (AA) flag in responses.

DNS Lookup Activity
  dig www.nku.edu
    What is the IP address?
    What are the nameservers for nku.edu?
  dig +trace www.nku.edu
    List each element of the DNS tree queried.
    What does the first result from each tree element tell you?
  Look up www.google.com in the same ways.

Dynamic Resolution
  Many large providers have more than one authoritative name server for a domain.
  Problem: need to locate the instance of the domain geographically closest to the user.
  Proposed solution: include the first 3 octets of the requester's IP in recursive requests to allow better service.
  Content distribution networks like Akamai already do adaptive DNS routing.

DNS Caching
  Too much network traffic would be required to traverse the DNS tree for each query.
    Root zone would be rapidly overloaded.
  DNS servers cache results for a specified amount of time.
    Specified by the ANS reply's time-to-live (TTL) field.
    Domain admin determines TTL based on how often records change.
  OS and browsers maintain resolvers and DNS caches.
    View DNS servers in Windows with ipconfig /displaydns
    View DNS servers in Linux with cat /etc/resolv.conf
  Privacy issues: DNS cache reveals which sites you visited.
  DNS queries are typically issued over UDP on port 53.
    16-bit query identifier (QID) in the payload ties a response to its request.
    Responses whose QIDs do not match pending requests are ignored.

DNS Caching
  [Figure: Local Machine (Application, Resolver, cache) talks to the Local NS (Resolver, cache), which talks to the Authoritative Name Server.]
  Step 1: query yourdomain.org. The application's resolver misses its cache and sends the query to the local NS, which misses its cache and queries the authoritative name server.
  Step 2: receive the reply and cache it at the local NS and at the host.

DNS Caching (cont'd)
  Step 3: use cached results rather than querying the ANS. Local Machine 2 sends the same query to the local NS and is answered from the local NS cache.
  Step 4: evict cache entries upon TTL expiration.
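The resolution walk from the Name Resolution slide (root, then com, then example.com, reached through glue records) together with the four caching steps above, as an added example that is not part of the lecture: a small Python resolver over a constructed in-memory zone tree. The server names, addresses (RFC 5737 documentation ranges) and TTLs are made up for the example; the `org.` delegation is deliberately left without a glue record to show the bootstrap problem the Name Servers slide mentions.

```python
"""Iterative resolution over a small in-memory DNS tree, with a TTL cache.

Added example, not from the slides. The zone data, server addresses and TTLs
are constructed (RFC 5737 documentation ranges), not real DNS data.
"""
import time

# Constructed zone data, keyed by the authoritative server that serves it.
# "NS" maps a delegated child zone to its name server host; "A" holds
# addresses, including the glue A records for those name server hosts.
ZONES = {
    "root": {
        "NS": {"com.": "a.gtld-servers.example.",
               "org.": "ns.org-servers.example."},  # delegated WITHOUT glue
        "A": {"a.gtld-servers.example.": "192.0.2.1"},  # glue for com.
    },
    "com": {
        "NS": {"example.com.": "ns1.example.com."},
        "A": {"ns1.example.com.": "192.0.2.53"},  # glue for example.com.
    },
    "example.com": {
        "NS": {},
        "A": {"www.example.com.": "198.51.100.10",
              "ns1.example.com.": "192.0.2.53"},
    },
}
SERVER_AT = {"192.0.2.1": "com", "192.0.2.53": "example.com"}  # who listens where
ROOT_SERVER = "root"
TTL = {"root": 86400, "com": 3600, "example.com": 300}  # seconds, per zone


def ask(server, name):
    """One query to one authoritative server.
    Returns ("answer", ip, ttl), ("referral", ns_host, glue_ip_or_None, ttl)
    or ("nxdomain",)."""
    zone = ZONES[server]
    if name in zone["A"]:
        return ("answer", zone["A"][name], TTL[server])
    # Longest matching delegation wins, i.e. the closest enclosing child zone.
    for child, ns_host in sorted(zone["NS"].items(), key=lambda kv: -len(kv[0])):
        if name == child or name.endswith("." + child):
            return ("referral", ns_host, zone["A"].get(ns_host), TTL[server])
    return ("nxdomain",)


class Resolver:
    """Recursive resolver: walks root -> TLD -> domain, caching answers by TTL."""

    def __init__(self, clock=time.time):
        self.cache = {}  # name -> (ip, expires_at)
        self.clock = clock

    def resolve(self, name):
        """Returns (ip, trace); trace lists the servers asked, or ["cache"]."""
        now = self.clock()
        if name in self.cache:
            ip, expires = self.cache[name]
            if now < expires:
                return ip, ["cache"]
            del self.cache[name]  # step 4 on the slides: evict on TTL expiry
        server, trace = ROOT_SERVER, []
        for _ in range(8):  # bound the walk so a delegation loop cannot spin forever
            trace.append(server)
            reply = ask(server, name)
            if reply[0] == "answer":
                _, ip, ttl = reply
                self.cache[name] = (ip, now + ttl)
                return ip, trace
            if reply[0] == "referral":
                _, ns_host, glue_ip, _ = reply
                if glue_ip is None:
                    # The bootstrap problem from the slides: the referral names a
                    # server we cannot reach without first resolving ns_host.
                    raise LookupError(f"referral to {ns_host} without glue")
                server = SERVER_AT[glue_ip]
                continue
            raise LookupError(f"{name}: no such name")
        raise LookupError("too many referrals")


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("www.example.com."))  # walks root, com, example.com
    print(r.resolve("www.example.com."))  # served from cache
```

The trace returned by `resolve` is the same sequence `dig +trace` shows for a real name: one referral per level of the tree until an authoritative answer arrives, after which the entry is served from cache until its TTL runs out.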

Pharming: DNS Hijacking
  Changing the IP associated with a server maliciously.
  [Figure: the user browses to http://www.example.com ("My Premium Blog Spot", with a userID/password login form). Normal DNS resolves www.example.com to 208.77.188.166; under a pharming attack it resolves to 74.208.31.63 instead.]
  Phishing: the different web sites look the same.

Pharming Attack Vectors
  Malware modifies host name resolution.
    Rewrite addresses in the local hosts file.
    Rewrite addresses of DNS servers.
  Attacker subverts a DHCP server, configures it to return malicious DNS servers.
    Target the DHCP server on a home router.
    Target the DHCP server at an ISP or corporate network.

DNS Cache Poisoning
  Send DNS servers false responses that will be cached.
    Fake response maps a valid name to a malicious IP address.
    Fake response has a new authoritative nameserver, which is controlled by the threat, in glue records.
  False responses must have:
    Same UDP destination port as the query's UDP source port.
    Same Question as a pending request.
    QID that matches that of the pending request.
  DNS server accepts the first response to a question.
    If the malicious response arrives first, its result is used and cached.

  There are 3 main different ways to do DNS cache poisoning. The first relies on redirecting the nameserver of the attacker's domain to the nameserver of the target domain, and then assigning this target nameserver a fake IP address. The second variant relies on redirecting the nameserver of another, unrelated domain to a fake nameserver. The third variant just involves "racing" the real nameserver to give an answer.
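Worked example of the packet fields the DNS Caching and DNS Cache Poisoning slides refer to (added here; it is not the lecture's code). It builds a DNS query in RFC 1035 wire format, parses a response including name-compression pointers, and applies the resolver-side gate the slide above describes: a reply is used only when its arrival port, QID and Question all match a pending query. The `pending` table, port numbers and addresses are constructed for the example.

```python
"""Build a DNS query, parse a response, and apply a resolver's acceptance checks.

Added example, not from the slides. Packets, ports and addresses below are
constructed (RFC 5737 ranges); the wire format follows RFC 1035.
"""
import struct


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=1):
    """Header: ID, flags (RD=1), QDCOUNT=1; then one question, type A (1), class IN (1)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Read a name at offset, following 0xC0 compression pointers.
    Returns (name, offset just past the name as it appeared in the stream)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                next_off = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (next_off if jumped else offset)


def parse_response(data):
    """Header + question + answer section; A records are rendered dotted-quad."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    qname, off = decode_name(data, off)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"qid": qid, "flags": flags, "question": (qname, qtype, qclass), "answers": answers}


def build_answer(qid, name, ip, ttl=300):
    """Minimal response: QR=1, RD, RA; echoes the question; one A record whose
    owner name is a pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + rr


def check_response(pending, dst_port, data):
    """The gate from the slides: use a reply only if it arrives on the port the
    query left from, carries that query's QID, and repeats its Question.
    pending maps (local_port, qid) -> (qname, qtype, qclass).
    Returns the parsed reply, or None if it must be ignored. This is a
    consistency check, not authentication; only DNSSEC provides the latter."""
    try:
        parsed = parse_response(data)
    except (struct.error, IndexError, UnicodeDecodeError):
        return None  # malformed or truncated: drop it
    if not parsed["flags"] & 0x8000:  # QR bit clear: this is a query, not a reply
        return None
    if pending.get((dst_port, parsed["qid"])) != parsed["question"]:
        return None
    return parsed


if __name__ == "__main__":
    pending = {(40001, 0x1234): ("www.example.com.", 1, 1)}
    reply = build_answer(0x1234, "www.example.com", "198.51.100.10")
    print(check_response(pending, 40001, reply)["answers"])
    print(check_response(pending, 40001, build_answer(0x1235, "www.example.com", "198.51.100.10")))
```

Because only the QID and the source port vary from query to query, they are the entire secret a blind sender has to guess; the Question is known to anyone who can make the resolver look a name up. That is why the prevention slide treats the randomness of both fields as the whole defence short of DNSSEC.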

QID Guessing
  Network sniffer if on the same subnet.
    Wait for a request and observe the QID from the packet.
  Some servers have predictable QIDs.
    Lure the user to click on a link to a site whose domain you control.
    When the attacker's DNS server is contacted, record the QID.
    Increment the QID to match the QID of the next query.
  Mass guessing
    Send multiple responses with different QIDs to the same query.
    Birthday paradox math requires a few hundred responses.

DNS Cache Poisoning Prevention
  Use random identifiers for queries.
    Attacker must brute force the 16-bit QID, which requires thousands of responses, but is doable.
  Port randomization for DNS requests.
    Attacker must guess the 16-bit port as well as the QID.
    Harder, but successful attacks observed.
  Deploy DNSSEC.
    Signed updates cannot be spoofed, but
    Not yet deployed widely.
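Putting numbers on the two slides above (an added example, not from the lecture): the "few hundred responses" of the birthday approach and the "thousands" needed to brute force a random QID both come from the same counting argument, and the same functions show how much margin source-port randomization adds. The formulas are the standard birthday-bound approximation; the figures are computed here, not quoted from the slides.

```python
"""How much a 16-bit QID alone, versus QID plus a random 16-bit source port,
buys a resolver against blind (off-path) cache poisoning.

Added example, not from the slides. Uses the standard approximation
P(collision) ~ 1 - exp(-q*r/N) for q outstanding queries, r forged replies
and N equally likely identifier values.
"""
import math

QID_BITS = 16
PORT_BITS = 16


def single_guess_success(n_responses, entropy_bits):
    """Forged replies to ONE pending query, each with a distinct guess,
    before the genuine answer lands: P(hit) = n / N, capped at 1."""
    space = 2 ** entropy_bits
    return min(n_responses, space) / space


def birthday_success(n_queries, n_responses, entropy_bits):
    """Birthday variant: q queries for the same name are outstanding at once
    and r forged replies carry random identifiers; any reply matching any
    query wins. P ~ 1 - exp(-q*r/N)."""
    space = 2 ** entropy_bits
    return 1 - math.exp(-n_queries * n_responses / space)


def packets_for(target_prob, entropy_bits):
    """Smallest n such that n outstanding queries plus n forged replies reach
    target_prob under the birthday approximation: n = sqrt(-N ln(1 - p))."""
    space = 2 ** entropy_bits
    return math.ceil(math.sqrt(-space * math.log(1 - target_prob)))


def randomization_margin(target_prob=0.5):
    """Factor by which adding a random source port raises the packets needed
    for a 50% birthday success versus a random QID alone."""
    return packets_for(target_prob, QID_BITS + PORT_BITS) / packets_for(target_prob, QID_BITS)


if __name__ == "__main__":
    print("single query, 1000 forged replies, QID only:",
          round(single_guess_success(1000, QID_BITS), 4))
    print("single query, 1000 forged replies, QID+port:",
          round(single_guess_success(1000, QID_BITS + PORT_BITS), 8))
    for bits in (QID_BITS, QID_BITS + PORT_BITS):
        print(f"{bits}-bit identifier: {packets_for(0.5, bits)} queries + replies for 50%")
    print("margin from port randomization:", round(randomization_margin(), 1), "x")
```

Against a 16-bit QID the birthday calculation lands at a couple of hundred packets for even odds, matching the slide; with a random port as well, the same odds need tens of thousands of packets per race window, which is why the slide rates it "harder" rather than "impossible" and still points to DNSSEC for an actual guarantee.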

DNSSEC
  Guarantees:
    Authenticity of DNS answer origin.
    Integrity of reply.
    Does not protect confidentiality.
  Digital signatures of DNS replies.
    Uses a chain of trust model like SSL.
    Trust anchors built into the OS give the starting point, like root CA certificates in web browsers.

DNS Signing

DNSSEC
  Deployed at root in 2010
    Allows use of root servers as trust anchors.
  .com uses DNSSEC since 2011.
  .br, .pr, .se, and some other ccTLDs use DNSSEC.
  Political issues
    Concern about US control over root servers.
    Some governments might ban DNSSEC-based encryption key distribution to enable surveillance.

Key Points
  DNS maps names to IP addresses.
    DNS tree structure and how names are paths.
    Name resolution process.
  Pharming attacks take control of DNS servers to map names of legitimate sites to malicious ones.
  DNS caching
    Multiple levels: OS, browser, ISP, etc.
    Threat can poison caches by sending malicious responses to a query with the correct Question and QID of the original query.
  DNSSEC protects integrity of responses.
    Blocks DNS cache poisoning attacks.

References
  Steve Friedl, An Illustrated Guide to the Kaminsky DNS Vulnerability, http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html, 2008.
  Goodrich and Tamassia, Introduction to Computer Security, Pearson, 2011.