Security Attacks Using DNS Vulnerabilities Talk by Faisal Ahmad Khan BUITEMS Cyber Security Week December 5-7, 2017
DNS: Domain Name System People: many identifiers: SSN, name, passport # Internet hosts, routers: IP address (32 bit) - used for addressing datagrams “name”, e.g., www.yahoo.com - used by humans Q: map between IP addresses and name ? Domain Name System: distributed database implemented in hierarchy of many name servers application-layer protocol host, routers, name servers to communicate to resolve names (address/name translation) note: core Internet function, implemented as application-layer protocol complexity at network’s “edge”
DNS DNS is Hierarchical DNS services Why not centralize DNS? single point of failure traffic volume distant centralized database Maintenance DNS services Hostname to IP address translation Host aliasing Canonical and alias names Mail server aliasing Load distribution Replicated Web servers: set of IP addresses for one canonical name 06a DNS.ppt
Distributed, Hierarchical Database Root DNS Servers com DNS servers org DNS servers edu DNS servers poly.edu DNS servers umass.edu yahoo.com amazon.com pbs.org Client wants IP for www.amazon.com; 1st approx: Client queries a root server to find “com” DNS server Client queries com DNS server to get “amazon.com” Authoritative DNS server Client queries amazon.com DNS server to get IP address for “www.amazon.com” 06a DNS.ppt
DNS: Root name servers contacted by local name server that can not resolve Top_Level name (eats in www.macdonalds.eats) Originally there were 7 Top-Level domains (com, org, edu, mil, gov, info, arpa) Now there are hundreds ( us, uk, cn, tv, name, ...) ICANN assigns domain names (www.icann.org) 13 root name servers worldwide b USC-ISI Marina del Rey, CA l ICANN Los Angeles, CA e NASA Mt View, CA f Internet Software C. Palo Alto, CA (and 17 other locations) i Autonomica, Stockholm (plus 3 other locations) k RIPE London (also Amsterdam, Frankfurt) m WIDE Tokyo a Verisign, Dulles, VA c Cogent, Herndon, VA (also Los Angeles) d U Maryland College Park, MD g US DoD Vienna, VA h ARL Aberdeen, MD j Verisign, ( 11 locations) 06a DNS.ppt
TLD and Authoritative Servers Top-level domain (TLD) servers: responsible for com, org, net, edu, etc, and all top-level country domains uk, fr, ca, jp. Network Solutions, Inc. maintains servers for com TLD Educause maintains servers for edu TLD Authoritative DNS servers: organization’s DNS servers, providing authoritative hostname to IP mappings for organization’s servers (e.g., Web and mail). Can be maintained by organization or service provider Every “Autonomous System” (AS) must have two (backup). Local DNS servers: organization’s DNS servers located on various subnets to provide DNS lookups for hosts on the subnet. May not be accessible from outside the subnet. Their IP addresses are part of the host's network configuration (manual or DHCP). PC looks first at “hosts” file. DNS Hack #0, add false info to it.
Local Name Server Does not strictly belong to hierarchy Each ISP (residential ISP, company, university) has one. Also called “default name server” or “resolver” When a host makes a DNS query, query is sent to its local DNS server Acts as a proxy, forwards query into hierarchy. Today a DNS proxy (resolver) is built into most DSL and cable-modem routers DNS Hack #1: Change DNS configured IP to IP of attacker-controlled server (Windows Registry or UNIX /etc/resolv.conf) 06a DNS.ppt
authoritative DNS server Example root DNS server Host at cis.poly.edu wants IP address for gaia.cs.umass.edu Host sends a "recursion-requested" query request to dns.poly.edu. Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host. 2 3 TLD DNS server 4 5 local DNS server dns.poly.edu 7 6 1 8 authoritative DNS server dns.cs.umass.edu requesting host cis.poly.edu $ nslookup gaia.cs.umass.edu answer 128.119.245.12 gaia.cs.umass.edu 06a DNS.ppt
Non-recursive queries root DNS server A3.NSLTD.COM norecurse or "iterated" query: contacted server replies with name of server to contact “I don’t know this name, but ask this server” local DNS server dns.poly.edu authoritative DNS server NS1.umass.edu 3 4 2 5 1 6 requesting host cis.poly.edu gaia.cs.umass.edu $ nslookup -norecurse -v gaia.cs.umass.edu $ nslookup -norecurse -v gaia.cs.umass.edu A3.NSLTD.COM $ nslookup -norecurse -v gaia.cs.umass.edu NS1.umass.com answer 128.119.245.12 06a DNS.ppt
“dig” with “+trace” will show the entire recursive lookup. copeland$ dig +trace www.google.com. ; <<>> DiG 9.8.3-P1 <<>> +trace www.google.com. ;; global options: +cmd . 495753 IN NS e.root-servers.net. . 495753 IN NS c.root-servers.net. . 495753 IN NS a.root-servers.net. . . . (11 lines deleted) ;; Received 496 bytes from 128.61.244.254#53(128.61.244.254) in 13 ms . . . com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. ; Received 504 bytes from 192.58.128.30#53(192.58.128.30) in 138 ms google.com. 172800 IN NS ns2.google.com. google.com. 172800 IN NS ns1.google.com. google.com. 172800 IN NS ns3.google.com. google.com. 172800 IN NS ns4.google.com. ;; Received 168 bytes from 192.55.83.30#53(192.55.83.30) in 56 ms www.google.com. 300 IN A 74.125.196.104 www.google.com. 300 IN A 74.125.196.105 . . . (4 lines deleted) ;; Received 128 bytes from 216.239.36.10#53(216.239.36.10) in 64 ms
DNS: caching and updating records once (any) name server learns a mapping, it caches the mapping (Domain’s DNS = IP) cache entries timeout (disappear) after some time (usually 20 minutes) TLD servers typically cached longer in local name servers Thus root name servers not often visited update/notify mechanisms under design by IETF RFC 2136 http://www.ietf.org/html.charters/dnsind-charter.html DNS Hack #0: Add a “name -> IP” entry in the UNIX /etc/hosts file, or Windows Registry file. 06a DNS.ppt
RR format: (name, value, type, ttl) DNS records DNS: distributed db storing resource records (RR) RR format: (name, value, type, ttl) Type=A (AAAA for IPv6) name is hostname value is IP address Type=CNAME name is alias name for some “canonical” (the real) name www.ibm.com is really servereast.backup2.ibm.com value is canonical name Type=NS name is domain (e.g. foo.com) value is hostname of authoritative name server for this domain Type=MX value is name of mailserver associated with name 06a DNS.ppt
DNS protocol, messages DNS protocol : query and reply messages, both with same message format msg header identification: 16 bit # for query, reply to query uses same # flags: query or reply recursion desired recursion available reply is authoritative 06a DNS.ppt
DNS protocol, messages * Name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used
Inserting records into DNS Example: just created startup “Network Utopia” Register name networkuptopia.com at a registrar (e.g., Network Solutions) Need to provide registrar with names and IP addresses of your authoritative name server (primary and secondary) Registrar inserts two RRs into the .com TLD server: (networkutopia.com, dns1.acme.com, NS) (dns1.acme.com, 212.212.212.1, A) Put in authoritative server Type A record for www.networkuptopia.com and Type MX record for networkutopia.com into dns1.acme.com (DNS service) DNS Hack #2 Register a domain like “myserver.ru”, have links in email like www.usbank.com.273846.myserver.ru. 06a DNS.ppt
>whois nt.com Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: NT.COM Registrar: GODADDY.COM, INC. Whois Server: whois.godaddy.com Referral URL: http://registrar.godaddy.com Name Server: NS-GUY2.NORTELNETWORKS.COM Name Server: NS-HAR2.NORTELNETWORKS.COM Status: clientDeleteProhibited Status: clientRenewProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 20-jan-2009 Creation Date: 28-sep-1990 Expiration Date: 27-sep-2010 >>> Last update of whois database: Fri, 20 Feb 2009 13:33:26 UTC <<< 16
DNS Cache Poisoning root DNS server 3 www.bigbank.com 33.22.11.44 3 TLD DNS server - IP = 87.65.43.21 4 1 Spoofed Request for no.bigbank.com source IP = 12.34.56.78 5 local DNS server dns.poly.edu 2 Spoofed Response - source IP = 87.65.43.21 Auth. DNS for bigbank.com =66.66.66.66 8 Future requests for all URLs in bigbank.com go to =66.66.66.66 authoritative DNS server dns.bigbank.com requesting host cis.poly.edu IP = 12.34.56.78 www.bigbank.phisher.com 66.66.66.66 17
wireshark Display of DNS Response ID is random nonce used to authenticate Response to Query 18
DNS protocol, spoofed messages <- 32 bits -> * Name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used * 16-bit ID is used to match responses to requests. To spoof, use 1 request and 65,536 responses, or use 256 requests and 256 responses (Birthday attack). 06a DNS.ppt 19
DNS Cache Poisoning - Anticipated Attack Sends a Request for a URL, and N fake Replies with random IDs Lookup www.cnn.com Time www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 Correct guess of <- ID Nonce Probable no. of hits = N / 65,354 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 UDP Connection closed -> 66.66.66.66 cached www.cnn.com -> 64.236.90.21 (not noticed) www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 64.236.90.21 Local DNS NS-CNN.COM Hacker 20
DNS Cache Poisoning – Bellovin Birthday Attack <- Sending 260 requests for same domain, cnn.com, and N Replies with fake Auth. N.S. IP address. with random IDs Lookup www.cnn.com Time * www.cnn.com is 66.66.66.66 www..cnn.com is 66.66.66.66 <- Correct guess of one ID. Probable no. of hits 260*N/(2^16) =1 if N =252 Prob(hits>0)=0.63 Total packets = 512 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 Local DNS -> caches www.cnn.com = 66.66.66.66 www.cnn.com is 66.66.66.66 www.cnn.com is 64.236.90.21 * Local DNS sends 260 queries with different IDs. DOS Attack Local DNS NS-CNN.COM Hacker DNS Hack #3: Change DNS IP configured in local cache. 21
Fast-Flux DNS (Botnet Distributed Phishing) Botmaster registers his DNS server, with the “ru” TLD (Top Level DNS) as the Authority for “bg4589.ru” Botnet hosts sent out email to lure victims to a Phishing Web site www.bny.com.bg4589.ru (IP 23.45.67.89 ) Problem: as soon as BNY Network Security person sees one of the emails, they do a DNS lookup (get 23.45.67.89), a “whois”, and shut the 23.45.67.89 host down. Solution: vary the IP address returned to one of a thousand botnet Web servers. Problem: BNY NetSec repeatedly does DNS lookups to get a complete list of botnet hosts. Solution: After several lookups from the same IP, have many other bots do a Distributed Denial of Service attack (DDoS) for several days against BNY NetSec. DNS Hack #4: Use a Fast Flux DNS to prevent total shutdown. 22
authoritative DNS server Fast Flux DNS URL in Phish -> One of Many bots root DNS server Host at poly.edu wants IP address for www.urhckd.com Host sends a "recursion-requested" query request to dns.poly.edu. [Host is doing a non-recursive search] Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host. 2 3 TLD DNS server 4 5 Fast Flux - many IP’s of bot Phishing sites. local DNS server dns.poly.edu 7 6 1 8 Note: the dot after "com" below is necessary to avoid getting the same cached answer from dns.poly.edu. requesting host joe.poly.edu authoritative DNS server dns.urhcked.com $ nslookup www.urhckd.com. answer 78.82.245.12 $ nslookup www.urhckd.com. answer 53.119.24.124 06a DNS.ppt 23 Adapted from “Computer Networking: A Top Down Approach Featuring the Internet”, by Jim Kurose & Keith Ross
Five DNS Hacks DNS Hack #0 – modify /etc/resolv.conf or Windows’ Registry, to change the IP of the Local DNS Server. DNS Hack #1 – add a line to /etc/hosts or Windows’ Registry. DNS Hack #2 – In URL link, hide the actual domain: e.g., http://www.usbank.com.customer.dhs5134.hk DNS Hack #3 – Fast-Flux DNS: gives different IP every time. DNS Hack #4 – Poison the Local DNS Server’s cache (using a “Birthday” Attack) 24