Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN.

Slides:



Advertisements
Similar presentations
ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.
Advertisements

Internet Applications INTERNET APPLICATIONS. Internet Applications Domain Name Service Proxy Service Mail Service Web Service.
INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.
CS 22: Enhanced Web Site Design - Week 8Slide 1 of 15 Enhanced Web Site Design Stanford University Continuing Studies CS 22 Mark Branom
Dangers on the Internet
DNS and HTTPs ACN Presentation. Domain Names We refer to computers on the Internet (Internet hosts), by names like: sharda.ac.in These are called domain.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.
Security and Information Assurance for the DNS Dan Massey USC/ISI.
Domain Name System: DNS
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.
1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Application Layer. Domain Name System Domain Name System (DNS) Problem – Want to go to but don’t know the IP addresswww.google.com Solution.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,
Domain Name System (DNS)
Information-Centric Networks03a-1 Week 3 / Paper 1 What DNS is not –Paul Vixie –CACM, December 2009, vol. 52, no. 12 Main point –“DNS is many things to.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
1 3 Web Proxies Web Protocols and Practice. 2 Topics Web Protocols and Practice WEB PROXIES  Web Proxy Definition  Three of the Most Common Intermediaries.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
DNS: Domain Name System
1 DNS: Domain Name System People: many identifiers: m SSN, name, Passport # Internet hosts, routers: m IP address (32 bit) - used for addressing datagrams.
25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Network Protocols Chapter 25 (Data Communication & Networking Book): Domain Name System (DNS) 1.
Chapter 17 Domain Name System
1 Application Layer Lecture 6 Imran Ahmed University of Management & Technology.
Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.
Prohibiting Redirection & Synthesized DNS Responses in Top Level Domains Mar 2010 Kuala Lumpur APTLD Meeting.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Domain Name System. CONTENTS Definitions. DNS Naming Structure. DNS Components. How DNS Servers work. DNS Organizations. Summary.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.
Netprog: DNS and name lookups1 Address Conversion Functions and The Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
Naming March 8, Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
DNS Antidote Abhishek Madav( ) Suhas Tikoo( ) Urjit Khadilkar( )
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Module 8 DNS Tools & Diagnostics. Dig always available with BIND (*nix) and windows Nslookup available on windows and *nix Dig on windows – unpack zip,
Summary DNS DNS Alexandra Tolbert Benefits How It Works Basics Katherine Barrios DNS Parts Phillip Nelson.
DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.
© F5 Networks, Inc. 1 How Does DNS Work? A user browses to A user browses to
Information-Centric Networks Section # 3.1: DNS Issues Instructor: George Xylomenos Department: Informatics.
4343 X2 – Outline The Domain Name System The Web.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
COMP 431 Internet Services & Protocols
Internet Naming Service: DNS* Chapter 5. The Name Space The name space is the structure of the DNS database –An inverted tree with the root node at the.
Domain Name System INTRODUCTION to Eng. Yasser Al-eimad
So DNS is A client-server application that maps domain names into their corresponding IP addresses with the help of name servers. Mapping domain names.
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
Ip addressing: dhcp & dns
Understand Names Resolution
IMPLEMENTING NAME RESOLUTION USING DNS
Practical Censorship Evasion Leveraging Content Delivery Networks
Internet Applications
Chapter 19 Domain Name System (DNS)
Web Privacy Chapter 6 – pp 125 – /12/9 Y K Choi.
Ip addressing: dhcp & dns
INTERNET APPLICATIONS
Presentation transcript:

Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN

Sep 2008ALAC Webinar 2 Intended web experience Type a URL: Browser asks DNS to find IP address of this host If DNS finds the IP address then –It passes this IP address to browser –Browser connects to the site –If page exists, browser downloads page –Else browser displays page not found Else if host does not exist –DNS returns a name error to browser –Browser displays an error Server not found (or similar)

Sep 2008ALAC Webinar 3 Response Modification alters this experience Type a URL: Browser asks DNS to find IP address of this host If DNS finds the IP address then –business as usual (well, maybe…) Else if DNS response is name error then –Respond in a way that is self-beneficial –Commonly done without notice and consent to user or domain registrant Even when notice is provided, full disclosure of the security implications are not identified –The registrant does not benefit from and in some instances is harmed by the alteration

Sep 2008ALAC Webinar 4 DNS Protocol Violation? RFC 1035 says name error is "only meaningful in responses from an authoritative name server " –The response is thus more than an error indication –Response expresses content that the authoritative name server expects the client to receive DNSSEC goes through great pains to provide authenticated denial of existence of DNS records –Why would we bother if non-existence was unimportant!!!

Sep 2008ALAC Webinar 5 Who can make such changes Entrusted Agents –A DNS operator who provides authoritative name service on behalf of a registrant –Registrars, ISPs, trusted 3rd parties, registrants IT Third parties –any DNS operator of any name server that processes the response along the return path from the authority name server to the client that issued the request

Sep 2008ALAC Webinar 6 Form 1: Synthesized DNS response An Entrusted agent operating as a zone authority –Receives a name query from a client –Determines the name does not exist in the zone file –Returns a name exists response containing an IP address mapping the entrusted agent chooses –Common implementation is to include a wildcard entry in the registrant's zone file All names not found resolve to an IP address the agent chooses

Sep 2008ALAC Webinar 7 Iterative resolver Client Root Name Server What is the IP address of ww.example.com? Ask one of these COM name servers What is the IP address of ww.example.com?.example.com does not exist synthesize DNS response return Answers Section with IP address = a.b.c.d What is the IP address of ww.example.com ww.example.com is at IP = a.b.c.d COM Name Server What is the IP address of ww.example.com? Ask example.com's name service provider ww.example.com's IP = a.b.c.d example.com's Entrusted Agent example.com zone file Synthesized DNS Response (Simplified)

Sep 2008ALAC Webinar 8 Form 2: "On the fly" response modification A third party NS operator –Examines DNS responses messages it attempts to resolve for a client –When it encounters a non-existent domain response the resolver Silently alters the response code from non-existent to name found Inserts an IP address mapping the third party chooses

Sep 2008ALAC Webinar 9 Iterative resolver Client Root Name Server What is the IP address of ww.example.com? Ask one of these COM name servers What is the IP address of ww.example.com? What is the IP address of ww.example.com ww.example.com is at IP = w.x.y.z COM Name Server What is the IP address of ww.example.com? Ask example.com's name service provider example.com's Entrusted Agent example.com zone file NXDomain Response Modification(Simplified) response says NXDomain: synthesize DNS response return Answers Section with IP address = w.x.y.z ww.example.com is non-existent domain

Sep 2008ALAC Webinar 10 Who has the means, motive and opportunity? WhoHowWhy Sponsoring registrarEntrusted agent (EA)Promote business Promote services Advertise Affiliate advertising "Enhance the user experience" Public DNS provider Third party NS operator ISP Third party NS operator or EA Web (proxy) operators Third party NS operator "for fee" DNS provider Third party NS operator or EA Domain registrantEAEnforce a policy Remedial Education Attackers"own" a DNS serverFun, fame, fortune…

Sep 2008ALAC Webinar 11 How are users affected? A modified DNS response –Signals a different state of the zone to the user than the registrant intended The non-existence of a name is not conveyed to the user The user concludes the host is operated by the registrant –Can result in inconsistent responses The response a user receives depends on the resolver it asks –Can cause address mapping conflicts when multiple NS operators alter responses An authority may add a host that has been redirected Resolvers caching a modified response for this name will return a different address from the one now in the authority zone file

Sep 2008ALAC Webinar 12 How are domain registrants affected? A modified DNS response –Alters the content the domain authority intended to have delivered Would you tolerate undisclosed modification of any other application content? Why should DNS messages be treated differently from mail, IMs or voice? –Has business and brand implications Redirection hosts benefit from the domain registrant's brand, reputation, site and link popularity, and sponsored link agreements… Operational instabilities Security implications ->

Sep 2008ALAC Webinar 13 Security Implications A modified DNS response –Subverts a "parent trusts the subdomain" security assumption common to web applications Applications assume that any host in my domain is trustworthy –Wrests security of hosts from the registrant A host is named in your domain but secured by "someone else How can I test and audit for (regulatory) compliance and policy conformance if I dont know or operate the hosts where my NXDOMAINs are redirected –Creates opportunities for attack via a host you cannot secure Phishing via false site injection Redirect hosts can intercept, monitor and analyze traffic (extract data) Redirect hosts can intercept cookies to acquire personal, credit or bank data –Facilitates attacks against brand Arent 3 rd level labels you don't control as dangerous as 2 nd level labels

Sep 2008ALAC Webinar 14 Other issues A Records today, what about tomorrrow? –Assumption is that most NXDomain responses are for web sites so they lead to "eyeballs" –Imagine a future of modified DNS responses that includes MX, NAPTR, SRV and other resource records Dueling rewrites –DNS responses can be processed by many third parties –Any party downstream from a synthesized response can rewrite the response –Interesting problem for error resolution marketeers Is this the tip of the iceberg? –How long before responses from other application servers are in play?

Sep 2008ALAC Webinar 15 SSAC Recommendations Synthesized responses at any level in the DNS have unanticipated and undesirable consequences for the registrant and user Registrants should choose an entrusted agent that asserts it will not modify DNS responses in its terms of service Registrants should study ways to provide end-to-end authenticated proof of non-existence of subdomains (DNSSEC) Entrusted agents should not inject DNS wildcards in a zone without informed consent and without fully informing the domain registrant of the risks this practices exposes Entrusted agents should provide opt-out mechanism that allows clients to receive the original DNS answers to their queries. Third parties should disclose that they practice NXDomain response modification and should provide opportunities for users to opt out