1 Chapter 2 (Section 2.5) Application Layer - DNS Computer Networking: A Top Down Approach Featuring the Internet, 5 rd edition. Jim Kurose, Keith Ross Addison-Wesley, July Textbook for ECE3076. A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students, readers). They’re in PowerPoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on our part. In return for use, we only ask the following:  If you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source (after all, we’d like people to use our book!)  If you post any slides in substantially unaltered form on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material. Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Modified for GT ECE6612 by Prof. John Copeland 2/25/13 06a DNS.ppt

2 DNS: Domain Name System People: many identifiers:  SSN, name, passport # Internet hosts, routers:  IP address (32 bit) - used for addressing datagrams  “name”, e.g., - used by humans Q: map between IP addresses and name ? Domain Name System: r distributed database implemented in hierarchy of many name servers r application-layer protocol host, routers, name servers to communicate to resolve names (address/name translation)  note: core Internet function, implemented as application-layer protocol  complexity at network’s “edge” 06a DNS.ppt

3 DNS DNS is Hierarchical Why not centralize DNS? r single point of failure r traffic volume r distant centralized database r maintenance doesn’t scale! DNS services r Hostname to IP address translation r Host aliasing  Canonical and alias names r Mail server aliasing r Load distribution  Replicated Web servers: set of IP addresses for one canonical name 06a DNS.ppt

4 Root DNS Servers com DNS servers org DNS serversedu DNS servers poly.edu DNS servers umass.edu DNS servers yahoo.com DNS servers amazon.com DNS servers pbs.org DNS servers Distributed, Hierarchical Database Client wants IP for 1 st approx: r Client queries a root server to find “com” DNS server r Client queries com DNS server to get “amazon.com” Authoritative DNS server r Client queries amazon.com DNS server to get IP address for “ 06a DNS.ppt

5 DNS: Root name servers r contacted by local name server that can not resolve Top_Level name (eats in r Originally there were 7 Top-Level domains (com, org, edu, mil, gov, info, arpa) Now there are hundreds ( us, uk, cn, tv, name,...) r ICANN assigns domain names ( 13 root name servers worldwide b USC-ISI Marina del Rey, CA l ICANN Los Angeles, CA e NASA Mt View, CA f Internet Software C. Palo Alto, CA (and 17 other locations) i Autonomica, Stockholm (plus 3 other locations) k RIPE London (also Amsterdam, Frankfurt) m WIDE Tokyo a Verisign, Dulles, VA c Cogent, Herndon, VA (also Los Angeles) d U Maryland College Park, MD g US DoD Vienna, VA h ARL Aberdeen, MD j Verisign, ( 11 locations) 06a DNS.ppt

6 TLD and Authoritative Servers r Top-level domain (TLD) servers: responsible for com, org, net, edu, etc, and all top-level country domains uk, fr, ca, jp.  Network Solutions, Inc. maintains servers for com TLD  Educause maintains servers for edu TLD  [ TLD servers share responsibilities] r Authoritative DNS servers: organization’s DNS servers, providing authoritative hostname to IP mappings for organization’s servers (e.g., Web and mail).  Can be maintained by organization or service provider  Every “Autonomous System” (AS) must have two (backup). r Local DNS servers: organization’s DNS servers located on various subnets to provide DNS lookups for hosts on the subnet. May not be accessible from outside the subnet. Their IP addresses are part of the host's network configuration (manual or DHCP). PC looks first at “hosts” file. DNS Hack #0, add false info to it.

7 Local Name Server r Does not strictly belong to hierarchy r Each ISP (residential ISP, company, university) has one.  Also called “default name server” or “resolver” r When a host makes a DNS query, query is sent to its local DNS server  Acts as a proxy, forwards query into hierarchy.  Today a DNS proxy (resolver) is built into most DSL and cable-modem routers 06a DNS.ppt DNS Hack #1: Change DNS configured IP to IP of attacker-controlled server (Windows Registry or UNIX /etc/resolv.conf)

06a DNS.ppt 8 requesting host cis.poly.edu gaia.cs.umass.edu root DNS server local DNS server dns.poly.edu authoritative DNS server dns.cs.umass.edu 7 8 TLD DNS server Example $ nslookup gaia.cs.umass.edu answer r Host at cis.poly.edu wants IP address for gaia.cs.umass.edu r Host sends a "recursion- requested" query request to dns.poly.edu. r [Host is doing a non- recursive search] r Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host.

06a DNS.ppt 9 requesting host cis.poly.edu gaia.cs.umass.edu root DNS server A3.NSLTD.COM local DNS server dns.poly.edu authoritative DNS server NS1.umass.edu 3 Non-recursive queries norecurse or "iterated" query: r contacted server replies with name of server to contact r “I don’t know this name, but ask this server” $ nslookup -norecurse -v gaia.cs.umass.edu $ nslookup -norecurse -v gaia.cs.umass.edu A3.NSLTD.COM $ nslookup -norecurse -v gaia.cs.umass.edu NS1.umass.com answer

copeland$ dig +trace (may have to do from ecelinsrva.ece) ; > DiG P1 > +trace ;; global options: +cmd INNSe.root-servers.net INNSc.root-servers.net INNSa.root-servers.net.... (11 lines deleted) ;; Received 496 bytes from #53( ) in 13 ms... com INNSh.gtld-servers.net. com INNSj.gtld-servers.net. com INNSe.gtld-servers.net.... (11 lines deleted) ; Received 504 bytes from #53( ) in 138 ms google.com INNSns2.google.com. google.com INNSns1.google.com. google.com INNSns3.google.com. google.com INNSns4.google.com. ;; Received 168 bytes from #53( ) in 56 ms (4 lines deleted) ;; Received 128 bytes from #53( ) in 64 ms “dig” with “+trace” will show the entire recursive lookup. 10

06a DNS.ppt 11 DNS: caching and updating records r once (any) name server learns a mapping, it caches the mapping (Domain’s DNS = IP)  cache entries timeout (disappear) after some time (usually 20 minutes)  TLD servers typically cached longer in local name servers Thus root name servers not often visited r update/notify mechanisms under design by IETF  RFC 2136  DNS Hack #0: Add a “name -> IP” entry in the UNIX /etc/hosts file, or Windows Registry file.

06a DNS.ppt 12 DNS records DNS: distributed db storing resource records (RR) r Type=NS  name is domain (e.g. foo.com)  value is hostname of authoritative name server for this domain RR format: (name, value, type, ttl) r Type=A ( AAAA for IPv6 )  name is hostname  value is IP address r Type=CNAME  name is alias name for some “canonical” (the real) name is really servereast.backup2.ibm.com  value is canonical name r Type=MX  value is name of mailserver associated with name

06a DNS.ppt 13 DNS protocol, messages DNS protocol : query and reply messages, both with same message format msg header r identification: 16 bit # for query, reply to query uses same # r flags:  query or reply  recursion desired  recursion available  reply is authoritative

14 DNS protocol, messages Name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used *

06a DNS.ppt 15 Inserting records into DNS r Example: just created startup “Network Utopia” r Register name networkuptopia.com at a registrar (e.g., Network Solutions)  Need to provide registrar with names and IP addresses of your authoritative name server (primary and secondary)  Registrar inserts two RRs into the.com TLD server: (networkutopia.com, dns1.acme.com, NS) (dns1.acme.com, , A) r Put in authoritative server Type A record for and Type MX record for networkutopia.com into dns1.acme.com (DNS service) DNS Hack #2 Register a domain like “myserver.ru”, have links in like “ This can hide the real domain. A unique subnet can id the local resolver, and recipient or Web page viewer.

>dig anyhost.nt.com +norecurse -q=any ; NO NS SPECIFIED ; > DiG 8.3 > anyhost.nt.com +norecurse -q=any ;; res options: init defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0 ;; QUERY SECTION: ;; anyhost.nt.com, type = A, class = IN ;; AUTHORITY SECTION: INSOAa.root-servers.net. nstld.verisign-grs.com SOA = Start of Authority Final Dot = Authoritative A.ROOT-SERVERS.NET. <- SPECIFY DNS NEXT TIME ;; Total query time: 4 msec ;; FROM: bigzilla.ece.gatech.edu to SERVER: default ;; WHEN: Fri Feb 20 08:00: ;; MSG SIZE sent: 28 rcvd:

nt.com. +norecurse ; SPECIFY NAME SERVER ; > DiG 8.3 nt.com. +norecurse ; (1 server found) ;; res options: init defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 15 ;; QUERY SECTION: ;; nt.com, type = A, class = IN ;; AUTHORITY SECTION: com. 2D IN NS C.GTLD-SERVERS.NET. {TOP-LEVEL NS for.com} com. 2D IN NS L.GTLD-SERVERS.NET. com. 2D IN NS A.GTLD-SERVERS.NET. … ;; ADDITIONAL SECTION: A.GTLD-SERVERS.NET. 2D IN A A.GTLD-SERVERS.NET. 2D IN AAAA 2001:503:a83e::2:30 B.GTLD-SERVERS.NET. 2D IN A B.GTLD-SERVERS.NET. 2D IN AAAA 2001:503:231d::2:30 ;; Total query time: 23 msec ;; FROM: bigzilla.ece.gatech.edu to SERVER: C.ROOT-SERVERS.NET ;; WHEN: Fri Feb 20 08:06: ;; MSG SIZE sent: 24 rcvd:

nt.com. +norecurse -q=any ; > DiG 8.3 nt.com. +norecurse -q=any ; (1 server found) ;; res options: init defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5 ;; QUERY SECTION: ;; nt.com, type = A, class = IN ;; AUTHORITY SECTION: {Authoritative Name Servers for domain nt.com} nt.com. 2D IN NS ns-guy2.nortelnetworks.com. nt.com. 2D IN NS ns-har2.nortelnetworks.com. ;; ADDITIONAL SECTION: ns-guy2.nortelnetworks.com. 2D IN A ns-har2.nortelnetworks.com. 2D IN A ;; Total query time: 58 msec ;; FROM: bigzilla.ece.gatech.edu to SERVER: ;; WHEN: Fri Feb 20 08:07: ;; MSG SIZE sent: 24 rcvd: Next: anyhost.nt.com. +norecurse -q=any 18

>whois nt.com Whois Server Version 2.0 Domain names in the.com and.net domains can now be registered with many different competing registrars. Go to for detailed information. Domain Name: NT.COM Registrar: GODADDY.COM, INC. Whois Server: whois.godaddy.com Referral URL: Name Server: NS-GUY2.NORTELNETWORKS.COM Name Server: NS-HAR2.NORTELNETWORKS.COM Status: clientDeleteProhibited Status: clientRenewProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 20-jan-2009 Creation Date: 28-sep-1990 Expiration Date: 27-sep-2010 >>> Last update of whois database: Fri, 20 Feb :33:26 UTC <<< 19

requesting host cis.poly.edu IP = root DNS server local DNS server dns.poly.edu 1 Spoofed Request for no.bigbank.com source IP = Spoofed Response - source IP = Auth. DNS for bigbank.com = authoritative DNS server dns.bigbank.com 8 TLD DNS server - IP = Future requests for all URLs in bigbank.com go to = DNS Cache Poisoning 20

wireshark Display of DNS Response ID is random nonce used to authenticate Response to Query 21

06a DNS.ppt DNS protocol, spoofed messages Name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used * * 16-bit ID is used to match responses to requests. To spoof, use 1 request and 65,536 responses, or use 256 requests and 256 responses (Birthday attack). 22

Local DNS NS-CNN.COM Hacker Time Lookup is UDP Connection closed -> cached -> (not noticed) Correct guess of <- ID Nonce Probable no. of hits = N / 65,354 DNS Cache Poisoning - Anticipated Attack 23 Sends a Request for a URL, and N fake Replies with random IDs is

Local DNS NS-CNN.COM Hacker Time Lookup is is is Local DNS -> caches = DNS Cache Poisoning – Bellovin Birthday Attack 24 is <- Correct guess of one ID. Probable no. of hits 260*N/(2^16) =1 if N =252 Prob(hits>0)=0.63 Total packets = 512 <- Sending 260 requests for same domain, cnn.com, and N Replies with fake Auth. N.S. IP address. with random IDs DNS Hack #3: Change DNS IP configured in local cache. DOS Attack * Local DNS sends 260 queries with different IDs. *

Fast-Flux DNS (Botnet Distributed Phishing) Botmaster registers his DNS server, with the “ru” TLD (Top Level DNS) as the Authority for “bg4589.ru” Botnet hosts sent out to lure victims to a Phishing Web site (IP ) Problem: as soon as BNY Network Security person sees one of the s, they do a DNS lookup (get ), a “whois”, and shut the host down. Solution: vary the IP address returned to one of a thousand botnet Web servers. Problem: BNY NetSec repeatedly does DNS lookups to get a complete list of botnet hosts. Solution: After several lookups from the same IP, have many other bots do a Distributed Denial of Service attack (DDoS) for several days against BNY NetSec. 25 DNS Hack #4: Use a Fast Flux DNS to prevent total shutdown.

06a DNS.ppt 26 requesting host joe.poly.edu root DNS server local DNS server dns.poly.edu authoritative DNS server dns.urhcked.com 7 8 TLD DNS server Fast Flux DNS URL in Phish -> One of Many bots $ nslookup answer r Host at poly.edu wants IP address for r Host sends a "recursion- requested" query request to dns.poly.edu. r [Host is doing a non- recursive search] r Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host. Fast Flux - many IP ’ s of bot Phishing sites. Adapted from “Computer Networking: A Top Down Approach Featuring the Internet”, by Jim Kurose & Keith Ross $ nslookup answer Note: the dot after "com" below is necessary to avoid getting the same cached answer from dns.poly.edu.

New Protocols supplement DNS and DHCP on LAN * In addition to network configuration (DHCP) and Name Resolution (DNS), it’s nice to have a list of servers available on your LAN. For example, be able to select from a list of printers. Link-Local: Rather than initially using the Network IP Address (host bits 0), randomly select one of 65,534 addresses in x.x/16 (you don’t have to know the network address). Apple’s mDNS (UDP port 5353) is an open specification that lets a host announce a chosen Name (e.g., “Lab Printer”) in a multicast message to ). Hosts running mDNS will all listen to this multicast address and add “Lab Printer” and its IP address and MAC address to the list of servers available. DNS-SD advertises Server Names and services. Microsoft’s NetBios Name Service (NBNS) is similar, but uses the Network Broadcast Address (host bits all 1). UPnP protocol Simple Service Delivery (SSDP) advertises services. The IETF is developing a similar Internet standard - Service Location Protocol (SLP). en.wikipedia.org/wiki/MDNS 2/26/10 27

DNSSEC – DNS Security Extensions en.wikipedia.org/wiki/DNSSEC 2/26/13 28 DNSSEC works by digitally signing records for DNS lookup using public- key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone which is the trusted third party. New DNS record types were created or adapted to use with DNSSEC: RRSIG, DNSKEY, DS, NSEC, NSEC3, NSEC3PARAM. When DNSSEC is used, each answer to a DNS lookup will contain an RRSIG DNS record, in addition to the record type that was requested. The RRSIG record is a digital signature of the answer DNS resource record set. The digital signature can be verified by locating the correct public key found in a DNSKEY record. Stub resolvers (host software) are "minimal DNS resolvers that use recursive query mode to offload most of the work to a recursive name server.” A validating stub resolver can also potentially perform its own signature validation by setting the Checking Disabled (CD) bit in its query messages, for end-to-end DNS security for domains implementing DNSSEC.

Reverse DNS Lookups en.wikipedia.org/wiki/DNSSEC 2/26/13 29 Reverse DNS Lookups (e.g., nslookup ) > nslookup in-addr.arpa name = seiya.ece.gatech.edu. The “arpa” top-level domain is now only used for reverse lookups. ARPA has been redefined as standing for “ Address and Routing Parameter Area.” For looking up a IPv4 address, the dotted-decimal text string is reversed, and the domain name “in-addr.arpa” is added. Like normal name lookups, the recursion proceeds from right to left. If the block of addresses /16 are assigned to the Autonomous System (AS) gatech.edu, then Georgia Tech (OIT) is responsible for maintaining a database for x.y (addresses to ). The domain for IPv6 addresses is ip6.arpa.

dig [ MX records not shown] ; > DiG 9.6-ESV-R4-P3 > ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5 ;; QUESTION SECTION: ; ;; ANSWER SECTION: ;; AUTHORITY SECTION: ece.gatech.edu.28800INNSdns1.gatech.edu. ece.gatech.edu.28800INNSdns3.gatech.edu. ;; ADDITIONAL SECTION: dns1.gatech.edu.28800INA dns1.gatech.edu.28800INAAAA2610:148:1f00:f400::3 dns3.gatech.edu.28800INA ;; Query time: 37 msec ;; SERVER: #53( ) {note: mail handlers (MTAs) not shown.} ;; WHEN: Mon Feb 25 12:50: ;; MSG SIZE rcvd:

nslookup -q=ANY gatech.edu {note: use domain name only, for MX info} Server: Address: #53 gatech.edu origin = brahma5.dns.gatech.edu mail addr = hostmaster.gatech.edu serial = refresh = retry = 3600 expire = minimum = 60 Name:gatech.edu Address: gatech.edunameserver = dns1.gatech.edu. gatech.edunameserver = heath.dpo.uab.edu. {Backup DNS at U. Alabama} gatech.edunameserver = dns3.gatech.edu. gatech.edunameserver = dns2.gatech.edu. gatech.edumail exchanger = 10 mx1.gatech.edu. gatech.edumail exchanger = 10 mx2.gatech.edu. gatech.edutext = "MS=ms " gatech.edutext = "MS=ms " 31