Published by Magnus Patrick. Modified over 8 years ago.
1
Short Intro to DNS (part of Tirgul 9)
Nir Gazit
2
What is DNS?
DNS = Domain Name System. For translation of host names to IPs.
A Distributed Database System.
▫ Recursive Queries to NS (Name Servers) – from top to bottom.
▫ Authoritative Name Servers – assigned responsibility for a specific domain.
[Diagram: www.google.com, with the labels "Top Level Domain" and "Sub Domains"]
3
DNS: Simplified Mechanism
[Diagram: the query "www.google.com?" repeated along the lookup path; labels ".com" and "google.com"; answer 173.194.67.147]
4
DNS Lookup
DNS Records (RRs), 3 main types:
▫ Hostname A IPAddress
  www.google.com A 173.194.67.147
  Maps the hostname to an IP address.
▫ Hostname NS Nameserver
  google.com NS ns.google.com
  Specifies an authoritative name server for the domain.
▫ Hostname1 CNAME Hostname2
  mail.google.com CNAME googlemail.l.google.com
  Alias of one hostname to another. The DNS lookup will continue by retrying the lookup with the new name.
5
DNS Lookup - continuing
2 Top Levels
▫ Root servers (13 currently, called A to M)
▫ TLD servers (.com, .net, .edu, …)
Caching
▫ Each DNS response (RR – Resource Record) contains a TTL value (Time To Live) for cache storage time.
Glued Responses
▫ Name Servers are identified by name (e.g. ns.google.com), so we might get circular dependencies.
▫ So a Name Server might add an IP address as a “Glued RR” to help in the process.
6
DNS: Full Mechanism
[Diagram: the queries "Resolve www.google.com?" and "www.google.com?" along the lookup path; labels ".com" and "google.com"; answer 173.194.67.147; records shown:]
com NS ns.com
ns.com A 63.156.206.38
google.com NS ns.google.com
ns.google.com A 216.239.32.10
www.google.com A 173.194.67.147
7
DNS Poisoning
Injecting fake DNS RRs.
Method 1: by ‘glue’ RRs
▫ Query: Resolve A www.facebook.com
▫ Response: facebook.com NS google.com and google.com A 1.1.1.1.
8
DNS Poisoning (Method 1 Example)
[Diagram: the queries "Resolve www.facebook.com?" and "www.facebook.com?" along the lookup path; labels ".com" and "facebook.com"; answer 31.13.72.23; then the query "Resolve www.google.com?"; records shown:]
com NS ns.com
ns.com A 63.156.206.38
facebook.com NS ns1.facebook.com
ns1.facebook.com A 69.171.239.12
www.facebook.com A 31.13.72.23
www.google.com A 1.1.1.1
9
DNS Poisoning - continuing
(continuing with…) Method 1 (Glue RRs)
▫ Bailiwick Rule – allow answers only for subdomains. a.ns.facebook.com can’t answer for google.com.
Method 2: send spoofed DNS response (DNS Injection).
10
DNS Injection
12
DNS Injection – can it work?
According to RFC 5452 – Requesting server must validate:
▫ Same question section as in request.
▫ Same (16-bit) ID field (chosen randomly).
▫ Same dest IP address and port as the source in the request.
▫ Same IP address of responding DNS server.
Response must arrive before the response of the authoritative NS.
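The resolver-side checks from the last two slides (the bailiwick rule for Method 1 and the RFC 5452 matching rules for Method 2), as an added Python example that is not part of the original slides. The class and function names, the resolver address 192.0.2.53:33333 and the query ID are assumptions made for illustration; the records are the ones the slides use, held as plain tuples rather than in wire format.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Query:                 # state the resolver keeps for an outstanding query
    txid: int                # 16-bit ID, chosen randomly
    question: tuple          # (name, type)
    src: tuple               # (ip, port) the query was sent from
    server_ip: str           # name server the query was sent to
    zone: str                # zone that server was asked as an authority for

@dataclass(frozen=True)
class Response:
    txid: int
    question: tuple
    dst: tuple               # (ip, port) the packet arrived on
    from_ip: str             # source IP of the packet
    records: tuple           # ((owner, type, value), ...)

def norm(name):
    return name.rstrip(".").lower()   # DNS names compare case-insensitively

def in_bailiwick(owner, zone):
    """True if owner is the zone itself or a subdomain of it."""
    owner, zone = norm(owner), norm(zone)
    return owner == zone or owner.endswith("." + zone)

def matches_query(q, r):
    """The four checks from the slide: question, ID, dest IP/port, server IP."""
    same_q = (norm(r.question[0]), r.question[1]) == (norm(q.question[0]), q.question[1])
    return same_q and r.txid == q.txid and r.dst == q.src and r.from_ip == q.server_ip

def cacheable_records(q, r):
    """Nothing if the response fails the matching checks, else in-zone records only."""
    if not matches_query(q, r):
        return []
    return [rec for rec in r.records if in_bailiwick(rec[0], q.zone)]

# Constructed sample: resolver address and ID are made up; records are the slides'.
QUERY = Query(0x3A7C, ("www.facebook.com", "A"), ("192.0.2.53", 33333),
              "69.171.239.12", "facebook.com")
GLUED = Response(0x3A7C, ("www.facebook.com", "A"), ("192.0.2.53", 33333),
                 "69.171.239.12", (("www.facebook.com", "A", "31.13.72.23"),
                 ("facebook.com", "NS", "google.com"), ("google.com", "A", "1.1.1.1")))
WRONG_ID = replace(GLUED, txid=0x0001)                 # response with a wrong ID
WRONG_SERVER = replace(GLUED, from_ip="198.51.100.9")  # not the server we asked

if __name__ == "__main__":
    for label, resp in (("glued", GLUED), ("wrong id", WRONG_ID)):
        print(label, cacheable_records(QUERY, resp))
```

For the glued response, the record `google.com A 1.1.1.1` is dropped because its owner name lies outside facebook.com, while `facebook.com NS google.com` is kept because its owner name is inside the zone.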
13
DNS Injection as a method of censorship
Thought to be used by the “Great Firewall of China”
14
Reality Check
A true story (https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html)
▫ A Chilean DNS operator found that when accessing www.facebook.com, sometimes you get a bad IP instead of the correct one.
▫ Caused by accessing root servers (F, I and J) that have anycast originating in China.
Also happening when Korean (.kr) users try to access German (.de) sites.
Today, happens mostly on the TLD level (not root level) – queried often, short TTL.