Presentation is loading. Please wait.

Presentation is loading. Please wait.

Attacking DNS Slides adapted from Olaf Kolkman, RIPE Lecture 18

Published byCornelia Malone Modified over 6 years ago

Similar presentations

Presentation on theme: "Attacking DNS Slides adapted from Olaf Kolkman, RIPE Lecture 18"— Presentation transcript:

1 Attacking DNS Slides adapted from Olaf Kolkman, RIPE Lecture 18
4/18/2018 Attacking DNS Lecture 18 © 2002 These slides where produced by Bill Manning (ISI), Ed Lewis (NAI labs) and Olaf M. Kolkman (RIPE NCC). Slides adapted from Olaf Kolkman, RIPE slideset 1 February 2003

2 Start of Authority (SOA)
To conclude last class, I mentioned the SOA type but didn’t know its precise purpose Idea is to give global parameters for the domain you are asking about Returned by name to server info about all sites of that nameserver Indicates who to ask for this domain March 2017

3 DNS Types Type = A / AAAA Type = NS Name = domain name
Value = IP address A is IPv4, AAAA is IPv6 Type = NS Name = partial domain Value = name of DNS server for this domain “Go send your query to this other server” Query Name: Type: A Resp. Name: Value: Query Name: ccs.neu.edu Type: NS Resp. Name: ccs.neu.edu Value:

4 DNS Types, Continued Type = CNAME Type = MX Name = hostname
Value = canonical hostname Useful for aliasing CDNs use this Type = MX Name = domain in address Value = canonical name of mail server Query Name: foo.mysite.com Type: CNAME Resp. Name: foo.mysite.com Value: bar.mysite.com Query Name: ccs.neu.edu Type: MX Resp. Name: ccs.neu.edu Value: amber.ccs.neu.edu

5 Domain Squatting Cybersquatting is to register a domain in anticipation of that domain being desirable to another organization Intent to sell tot hat organization for big profit For example, You can register “hurricane2013.com”, or “hurricane-in-Texas.com” if you think there will be a big one in Texas in the near future. Sell it for big profit if it is true! Domain name purchase is cheap! Many organizations have to buy all related domain names to prevent cybersquatting March 2017

6 Typosquatting Register all possible typo domain names for another organization Should a user accidentally enters an incorrect website address, he may be led to an alternative website owned by a cybersquatter. Could lead to phishing attack (malicious), or increase web visits (not very malicious) For example, for “bankofamerica.com”, a cybersquatter could register: “bankamerica.com”, “bankoamerica.com”, “bankofamerican.com”, “bankfoamerica.com”, …… Domain name purchase is cheap! March 2017

7 Resolving process & Cache
4/18/2018 Resolving process & Cache Question: A root-server A ? Ask net X.gtld-servers.net (+ glue) A ? Caching forwarder (recursive) Resolver A ? gtld-server Ask ripe ns.ripe.net (+ glue) Add to cache A ? Glue records identify IP address of referred servers ripe-server February 2003

8 Aliasing and Load Balancing
One machine can have many aliases david.choffnes.com alan.mislo.ve *.blogspot.com One domain can map to multiple machines

9 Content Delivery Networks
DNS responses may vary based on geography, ISP, etc

10 DNS Query Format Operates over UDP, destination port is 53 MAC Header
IP Header Trans. ID Flags # Queries Source port = 1100 Dest port = 53 16 bit increasing number # Answers # Authorities Additional Resource Records Queries: Name, Type, Class March 2017

11 Matching Responses A DNS resolver (or recursive nameserver) uses the following values to match responses: The source port (selected at startup) The transaction ID The asked query March 2017

12 Attacking DNS integrity
Our goal will be compromise the integrity of a recursive name server Simplest attack strategy: root-server gtld-server Adversary needs to be between client and some server in the chain ripe-server Creates response that points to their server and sends it to client, client will ignore legitimate response (the trans will be closed) March 2017

13 Exercise 1 What natural defenses does DNS provide?
How does the distributed nature of DNS help? root-server gtld-server Adversary needs to be between client and some server in the chain ripe-server Creates response that points to their server and sends it to client, client will ignore legitimate response (the trans will be closed) March 2017

14 Exercise 1 Client may not ask query May ask different server
May not be able to respond before server root-server How to overcome these limitations? gtld-server ripe-server March 2017

15 Cache Poisoning root-server gtld-server ripe-server google.com?
Client listens to (and caches) the first response google.com March 2017

16 Cache Poisoning root-server gtld-server ripe-server
What does an adversary need to execute this attack? root-server gtld-server ripe-server March 2017

17 Cache Poisoning root-server gtld-server ripe-server
What does an adversary need to execute this attack? root-server gtld-server Query knowledge, timing, trans ID., source port ripe-server March 2017

18 Gaining knowledge The source port is a predictable value that is chosen at server initialization Transaction ID in early servers was an incrementing value Lets assume that it’s a random 16-bit value March 2017

19 Cache Poisoning root-server gtld-server ripe-server google.com?
Client listens to (and caches) the first response with correct TID google.com TID = 1 google.com TID = 2 google.com TID = 3 google.com TID = 4 March 2017

20 Gaining knowledge The source port is a predictable value that is chosen at server initialization Transaction ID in early servers was an incrementing value Lets assume that it’s a random 16-bit value Race for attacker to send correct TID before legitimate response How many responses required? Approximately 216 How to know when query will be made and to what domain? March 2017

21 Cache Poisoning root-server gtld-server ripe-server google.com?
google.com google.com google.com google.com google.com google.com? gtld-server ripe-server Client listens to (and caches) the first response with correct TID March 2017

22 Gaining knowledge Attacker can initiate query if on the DNS server internal network or the DNS server accepts outside requests Do DNS servers accept outside queries? Still needs to learn source port and TID March 2017

23 Number of open DNS resolvers
March 2017

24 How will the attacker get his entry into the cache? 2 ways
1. Tell resolver that NS for victim is at adversary’s IP Issue query: subdomain.attacker.example IN A Attacker’s response: Answer: (no response) Authority Section: attacker.example IN NS ns.target.example. Additional Section: ns.target.example. IN A w.x.y.z Adversary says “authoritative server for my domain is ns.target.example and oh by the way here is the IP for it (adversary’s IP) March 2017

25 How will the attacker get his entry into the cache? 2 ways
2. Redirect the NS record to the adversary’s domain Issue query: subdomain.attacker.example IN A Answer: (no response) Authority section: Target.example IN NS ns.attacker.example. Additional section: Ns.attacker.example. IN A w.x.y.z The attacker has inserted an unrelated piece of information that will be cached by the server (that target.example.’s ADNS is ns.attacker.example.) March 2017

26 Impact of poisoning Don’t have to claim a single address, can immediately take over a while domain Main barrier to attack is the recursive resolver not having a cached record Exercise: how can we make this attack more difficult (without changing DNS)? Don’t accept external queries Randomize source port Randomize TID (not really helpful) March 2017

27 TLS to the rescue TLS should provide authentication when we connect to a webserver If we are redirected to a bad site that claims to be google.com they won’t have a valid certificate… March 2017

28 Subverting TLS CA Chase.com chase.com…
Certificate request for chase.com chase.com? Valid certificate for chase.com Evil address Attacker can now freely execute attacker against other hosts March 2017

29 Subverting TLS Attack extends if the CA sends an to verify hostname Works against any domain validated certificate March 2017

30 TLS Attack This attack is easy to iterate
You can ask for new certificates as the cache clears and try until successful Does not work to get extensively validated certs Some CAs restrict the usage of domain validated certs (don’t allow authentication) Browsers use cert pinning to prevent this Need more extensive defenses to strengthen DNS March 2017

31 DNS Defense Seems to require updates to DNS that make it more security aware Want to learn from BGP/IPv6 deployment, don’t want to require large scale replacement of internet infrastructure March 2017

Download ppt "Attacking DNS Slides adapted from Olaf Kolkman, RIPE Lecture 18"

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.

Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
CPSC 441: DNS1 Instructor: Anirban Mahanti Office: ICT 745 Class Location: ICT 121 Lectures: MWF 12:00 – 12:50 Notes derived.

CPSC 441: DNS1 Instructor: Anirban Mahanti Office: ICT Class Location: ICT 121 Lectures: MWF 12:00 – 12:50 Notes derived.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.

NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
CIS3360: Security in Computing Chapter 6 : Network Security II Cliff Zou Spring 2012.

CIS3360: Security in Computing Chapter 6 : Network Security II Cliff Zou Spring 2012.
CS 4396 Computer Networks Lab

CS 4396 Computer Networks Lab
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g., www.yahoo.com.

1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,
Domain Name System (DNS)

Domain Name System (DNS)
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Got DNS? A review of Domain Name Services and how it impacts website developers. By Jason Baker Digital North.

Got DNS? A review of Domain Name Services and how it impacts website developers. By Jason Baker Digital North.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 17 Domain Name System (DNS)

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 17 Domain Name System (DNS)
DNS: Domain Name System

DNS: Domain Name System

Similar presentations

Ads by Google