October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security
October 15, 2002Serguei A. Mokhov, 2 Contents Intro to DNS and Security
October 15, 2002Serguei A. Mokhov, 3 DNS Domain Name System –a distributed naming service for the entire Internet (including WWW) –provides unified host-name-to-network-address and vice-versa lookup needed for remote computing $ ping yahoo.com Pinging yahoo.com [ ] with 32 bytes of data: Reply from : bytes=32 time=113ms TTL=244
October 15, 2002Serguei A. Mokhov, 4 DNS Other capabilities: –Info about Name Servers –Canonical host names –Mail Exchange (MX) records
October 15, 2002Serguei A. Mokhov, 5 DNS Hierarchy root org net com mydomainamazonyahoo www
October 15, 2002Serguei A. Mokhov, 6 DNS Tools in UNIX Tools –host –dig –nslookup (deprecated)
October 15, 2002Serguei A. Mokhov, 7 DNS Tools Example haida.mokhov [~] % host -a www Trying " ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3704 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 4 ;; QUESTION SECTION: ; IN ANY ;; ANSWER SECTION: IN CNAME spider.cs.concordia.ca. ;; AUTHORITY SECTION: cs.concordia.ca IN NS clyde.concordia.ca. cs.concordia.ca IN NS Jerome.McRCIM.McGill.EDU. cs.concordia.ca IN NS pollen.cs.concordia.ca. cs.concordia.ca IN NS manitou.cs.concordia.ca. cs.concordia.ca IN NS alcor.concordia.ca. ;; ADDITIONAL SECTION: alcor.concordia.ca IN A clyde.concordia.ca IN A pollen.cs.concordia.ca IN A manitou.cs.concordia.ca IN A Received 243 bytes from #53 in 3 ms
October 15, 2002Serguei A. Mokhov, 8 Name Serves Manage certain part of the name space Help clients to find info within the hierarchy DNS Query - returns list of name servers –One of the NS resolves client’s query –If name not found, pass on to another NS –The one that has the answer, sends it back, and the previous NS caches it for the future.
October 15, 2002Serguei A. Mokhov, 9 DNS Threats Recall from firewalls and the rest (D. Probst): –Filtering DNS: How does one prevent DNS contamination (corruption)? Mail can be rerouted, passwords captured, etc. We need separate DNS for inside and outside. –Tunneling over DNS is used to gain command-line access to remote utilities. With a proxy-based firewall, deny external DNS access to anything other than your proxy server. If you are using a packet filter, your options for blocking a DNS tunnel are limited.
October 15, 2002Serguei A. Mokhov, 10 DNS Cache Poisoning Was more actual in the past: –A NS doesn’t have a name for a requested host –Asks another NS, another NS may have been weak and compromised, or for some other reason had invalid name for the host requested. –Our NS would cache the wrong name, and this can propagate over –So, real amazon.com might have been redirected to elsewhere, get the consequences...
October 15, 2002Serguei A. Mokhov, 11 DNS Cache Poisoning Attack types: DNS spoofing, host name spoofing One of the reasons: earlier versions of bind simply had bugs; servers trusted by Solution: –DNS triple:
October 15, 2002Serguei A. Mokhov, 12 Host Name Spoofing PTR records Mapping IP to a domain name All the transactions a legitimate –DNS server according to the protocol tries to resolve a query using legitimate DNS Server, but the PTR deliberately was made to point elsewhere.
October 15, 2002Serguei A. Mokhov, 13 DNS Spoofing In combo with hostname spoofing: –Messing up the PTR –And forcing the NS to have invalid resource record (RR) in their cache.