DNS Security Issues SeongHo Cho DPNM Lab., POSTECH


Future Internet

2 Contents
Introduction
Overview of the DNS
Protocol Attacks
- DNS cache poisoning
- DNS spoofing
- Unrelated data attack
- Related data attack
- DNS ID hacking
Server Attacks
DNSSEC
Relevance and How to Protect?
Conclusion

3 Introduction The accuracy of the information contained within the DNS is vital to many aspects of IP-based communication. The threats are due in part to the lack of authenticity and integrity checking of DNS data. There are two ways DNS can be attacked: by protocol attacks (attacks based on how DNS actually works) and by server attacks (attacks based on bugs or flaws in the programs or machines running DNS services).

4 Overview of the DNS Translating a host's name into its IP address
The Internet is an IP network. Every host is assigned an IP address that must be known to any other host wishing to communicate with it. It would be impossible for a human being to remember all the IP addresses, so a mapping between names and IP addresses is needed.

5 Overview of the DNS DNS provides a way to learn the IP address of any host. DNS is a hierarchical service: a name has a structure, a host is a leaf of the tree, and any other node is called a "domain". Servers are called "authoritative" for a domain when they can map the host names of all the hosts in that domain to their IP addresses. Resolving servers are responsible for finding any name-to-IP mapping on behalf of their clients.

6 Overview of the DNS Recursive Query
A host wants the answer or an error message. The queried server must do whatever it takes to find the answer: query other servers until it gets the information, or until the name query fails.
Iterative Query
A host asks the server for an answer, if the server knows it. If it does not, the host receives a "referral" to a server closer to the answer.
Recursive queries are usually made by client hosts so that they do not have to take care of the whole search process, whereas local DNS servers usually make iterative requests.
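The two query modes described above, as an added example that is not part of the original slides: a client sends one recursive query, and the resolver walks a chain of iterative queries, following referrals from the root down to the authoritative server. The server names, zone data and addresses are constructed in memory for the simulation; nothing is sent on the network.

```python
"""Simulated iterative resolution driven by one recursive client query.

Added example (not from the slide deck). SERVERS is an in-memory stand-in for
real authoritative servers: each server either answers with an A record or
refers the asker to the name server of the closest enclosing delegation.
"""

# Constructed zone data: server name -> {owner name: (rtype, rdata)}.
# Names are fully qualified (trailing dot), as on the wire.
SERVERS = {
    "root": {
        "example.": ("NS", "a.gtld-servers.example."),
    },
    "a.gtld-servers.example.": {
        "corp.example.": ("NS", "ns1.corp.example."),
        "ns1.corp.example.": ("A", "198.51.100.53"),   # glue for the NS
    },
    "ns1.corp.example.": {
        "www.corp.example.": ("A", "203.0.113.10"),
    },
}


def query_server(server, qname):
    """One iterative query: answer if known, else referral, else NXDOMAIN."""
    zone = SERVERS[server]
    if qname in zone and zone[qname][0] == "A":
        return ("ANSWER", zone[qname][1])
    # Find the longest delegation (NS) whose name encloses qname.
    best = None
    for name, (rtype, target) in zone.items():
        if rtype == "NS" and (qname == name or qname.endswith("." + name)):
            if best is None or len(name) > len(best[0]):
                best = (name, target)
    if best:
        return ("REFERRAL", best[1])
    return ("NXDOMAIN", None)


def resolve(qname, max_hops=8):
    """What a resolver does for a recursive query: chase referrals to the end.

    Returns (address or None, trace of (server, response kind)).
    """
    server = "root"
    trace = []
    for _ in range(max_hops):
        kind, data = query_server(server, qname)
        trace.append((server, kind))
        if kind == "ANSWER":
            return data, trace
        if kind == "NXDOMAIN":
            return None, trace
        server = data           # follow the referral to the next server
    raise RuntimeError("referral loop for %s" % qname)


if __name__ == "__main__":
    addr, trace = resolve("www.corp.example.")
    print("www.corp.example. ->", addr)
    for server, kind in trace:
        print("  asked %-26s got %s" % (server, kind))
```

The client only ever sees the final answer; the trace shows the three iterative exchanges the resolver performed for it. A real resolver would also use the glue A record from the referral to reach ns1.corp.example., which the simulation skips by indexing servers by name.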

7 Protocol Attacks Client Misdirection
Making a client host go where it did not intend to go is the basic purpose of DNS attacks in general.

8 1. DNS Cache Poisoning An attack consisting of making a DNS server cache false information. Usually the false record maps a name to a wrong IP address. The attacker tries to make the DNS server answer whatever he wants for a specific request.

9 2. DNS Spoofing The action of answering a DNS request that was intended for another server (the "real" DNS server). This can happen in a server-to-server exchange (a DNS server asks another for a mapping) or in a client-server dialog (a client asks a DNS server for a mapping). The attacker "spoofs" the DNS server's answer by putting the DNS server's IP address in the packet's source-address field. But this is not enough to spoof a DNS reply: DNS uses a 16-bit transaction ID to match answers to queries, so the attacker also needs to find the ID the client is waiting for (and, on resolvers that randomize their UDP source port, the port as well). The attacker then impersonates the DNS reply so that the requesting client is misdirected.

10 3. Unrelated Data Attack The simplest and, historically, the most widely used
1. The attacker asks the victim DNS server for a nonexistent name in a domain for which he controls the authoritative DNS. He uses a "recursive" query so that the victim server will make the further inquiries by itself.
2. The victim server, which does not know the mapping, goes and asks the DNS server responsible for the requested domain. (Remember this server is under the attacker's control.)
3. The attacker answers, and adds to the answer any records he wants cached by the victim. That way he has poisoned the cache of the victim server.
This problem has been fixed in BIND by refusing to cache anything that is not related to the original request.


12 4. Related Data Attack The attacker has to make the "extra" information related to the original query. The attack is otherwise exactly the same as the unrelated data attack: he adds MX, CNAME or NS records whose targets are outside his zone, together with forged address records for those targets. These three record types are not a real mapping between a hostname and an IP address; they point to some other name. The records are "related" to the original request, but they can point to totally different information the attacker wants cached. This problem has also been fixed in BIND, by rejecting all "out of zone" information (the "bailiwick" check). These attacks are quite old and no longer work against BIND. What remains is DNS spoofing via the DNS ID hacking technique.
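The bailiwick rule behind the BIND fix described in the unrelated-data and related-data slides, as an added example that is not part of the original slides. It contrasts a pre-fix cache that stores every record in a response with one that keeps only records whose owner name lies inside the zone the queried server is authoritative for. The two responses, the zone attacker.example and the addresses are constructed for the demonstration.

```python
"""Bailiwick filtering of DNS responses (added example, not from the slides).

The resolver asked the server authoritative for attacker.example about a name
in that zone only. Anything in the reply outside that zone, whether unrelated
(a bare A record for another domain) or "related" (glue for an out-of-zone
MX/CNAME/NS target), must not enter the cache.
"""


def in_bailiwick(owner, zone):
    """True if owner is the zone apex itself or any name below it.

    The leading dot matters: 'xattacker.example.' must not match.
    """
    owner, zone = owner.lower(), zone.lower()
    return owner == zone or owner.endswith("." + zone)


def cache_everything(response):
    """Pre-fix behaviour: every RR of every section is cached."""
    cache = {}
    for section in ("answer", "authority", "additional"):
        for owner, rtype, rdata in response[section]:
            cache[(owner, rtype)] = rdata
    return cache


def cache_with_bailiwick(response, zone):
    """Fixed behaviour: cache only in-bailiwick RRs, report the rest."""
    cache, dropped = {}, []
    for section in ("answer", "authority", "additional"):
        for owner, rtype, rdata in response[section]:
            if in_bailiwick(owner, zone):
                cache[(owner, rtype)] = rdata
            else:
                dropped.append((section, owner, rtype, rdata))
    return cache, dropped


# Constructed reply to "nothing.attacker.example. A?" from the attacker's
# server. The additional section carries an unrelated record for a bank.
UNRELATED = {
    "question": ("nothing.attacker.example.", "A"),
    "answer": [("nothing.attacker.example.", "A", "198.51.100.7")],
    "authority": [],
    "additional": [("www.bank.example.", "A", "198.51.100.7")],
}

# Constructed reply to "mail.attacker.example. MX?". The MX target is a name
# the attacker does not control, and he supplies forged glue for it.
RELATED = {
    "question": ("mail.attacker.example.", "MX"),
    "answer": [("mail.attacker.example.", "MX", "10 www.bank.example.")],
    "authority": [],
    "additional": [("www.bank.example.", "A", "198.51.100.7")],
}


if __name__ == "__main__":
    zone = "attacker.example."
    for label, resp in (("unrelated", UNRELATED), ("related", RELATED)):
        naive = cache_everything(resp)
        fixed, dropped = cache_with_bailiwick(resp, zone)
        print(label, "attack: naive cache has bank record:",
              ("www.bank.example.", "A") in naive)
        print(label, "attack: fixed cache has bank record:",
              ("www.bank.example.", "A") in fixed, "dropped:", dropped)
```

In the related-data case the MX record itself is legitimately cached, because its owner is in zone; only the out-of-zone glue is dropped, and the resolver has to look up www.bank.example. through bank.example.'s own delegation, which is exactly what defeats the attack.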

13 5. DNS ID Hacking Normal Dialog
The client sends a query to the DNS server using a specific ID number. The server replies using the same ID number. This is the number the attacker has to find.

14 5. DNS ID Hacking On a LAN
Getting the ID is easy: all the attacker has to do is sniff the network for the initial query and answer faster than the real DNS server. The late reply from the real DNS server is discarded.
Not on the same LAN
The attacker has four options to try to guess the ID.
1. Test all the possible values of the ID field (or as many random values as possible before the name server replies). Considered an obsolete and ineffective method on its own.
2. Flood the DNS server to buy more time for trying different ID numbers. The attacker may even hope to crash the server.
3. Send a few hundred replies at the same time to increase the chance of hitting the right ID. The attacker can repeat this with different ranges until the server accepts one.

15 5. DNS ID Hacking Not on the same LAN
The attacker has four options to try to guess the ID.
4. Use a weakness in the server, knowing that some implementations just increment the ID number from one request to the next. The attacker first queries the victim for a name in his own domain and observes the ID the victim uses; he then knows the range of IDs currently in use. All he has to do now is query the victim for the host name whose cache entry he wants to poison, and fake the answer using the next value after the observed ID.
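The ID-guessing options above, as an added example that is not part of the original slides: an in-memory simulation of a resolver that accepts the first reply matching its outstanding query's ID, port and question, attacked by blind flooding (option 3) and by predicting sequential IDs (option 4). It also shows the later hardening the slides predate, randomizing the UDP source port (RFC 5452), which multiplies the space a blind attacker has to guess. The resolver, the name www.bank.example. and the ID generator are constructed for the simulation; no packets are sent.

```python
"""Simulated DNS transaction-ID guessing (added example, not from the slides).

Three scenarios: blind guessing against a fixed source port, blind guessing
against a randomized source port, and predicting a sequential ID counter.
The SequentialIDs class is a hypothetical weak resolver, not a real product.
"""
import random

ID_SPACE = 1 << 16            # the DNS transaction ID is 16 bits
FIXED_PORT = 53               # legacy resolvers reused one source port
EPHEMERAL = range(1024, 65536)


class SequentialIDs:
    """Hypothetical weak resolver: ID increases by one per outbound query."""

    def __init__(self, start):
        self.next_id = start

    def __call__(self):
        value = self.next_id
        self.next_id = (self.next_id + 1) % ID_SPACE
        return value


def reply_accepted(query, reply):
    """Resolver check: ID, destination port and question must all match."""
    return (query["id"] == reply["id"]
            and query["port"] == reply["port"]
            and query["qname"] == reply["qname"])


def blind_attack(rng, guesses, randomize_port):
    """Option 3: send many forged replies with different IDs at once.

    The attacker triggered the query, so he knows the question, but neither
    the ID nor (if randomized) the port. Returns True if any reply matches.
    """
    query = {"id": rng.randrange(ID_SPACE),
             "port": rng.choice(EPHEMERAL) if randomize_port else FIXED_PORT,
             "qname": "www.bank.example."}
    forged_ids = rng.sample(range(ID_SPACE), guesses)
    return any(reply_accepted(query, {"id": i, "port": FIXED_PORT,
                                      "qname": query["qname"]})
               for i in forged_ids)


def sequential_attack(rng):
    """Option 4: observe one ID, then forge the reply carrying the next one."""
    ids = SequentialIDs(rng.randrange(ID_SPACE))
    # Step 1: attacker asks the victim for a name in his own zone; the
    # victim's outbound query reaches the attacker's server, revealing the ID.
    observed = ids()
    # Step 2: attacker asks the victim for the target name; the victim's next
    # outbound query gets the following ID, which the attacker predicts.
    query = {"id": ids(), "port": FIXED_PORT, "qname": "www.bank.example."}
    forged = {"id": (observed + 1) % ID_SPACE, "port": FIXED_PORT,
              "qname": query["qname"]}
    return reply_accepted(query, forged)


def success_rate(attack, trials, seed=1):
    """Fraction of trials in which the forged reply was accepted."""
    rng = random.Random(seed)
    return sum(attack(rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("blind, 300 guesses, fixed port :",
          success_rate(lambda r: blind_attack(r, 300, False), 3000))
    print("blind, 300 guesses, random port:",
          success_rate(lambda r: blind_attack(r, 300, True), 3000))
    print("sequential ID predicted        :",
          success_rate(sequential_attack, 3000))
```

With random IDs and a fixed port, 300 forged replies succeed in roughly 300/65536 of attempts, which is why option 3 only pays off when repeated many times (and why flooding the real server, option 2, is used to widen the window); with the port randomized as well the rate collapses toward zero, while the sequential counter of option 4 is defeated every time.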

16 Server Attacks Two kinds of attacks can aim at the server:
Attacks taking advantage of bugs in the DNS software implementation (buffer overflows in BIND, for instance) or in any other service running on the DNS server machine.
Denial-of-service attacks (using flooding, for instance).
The advice is to update as often as possible and to be aware of any newly discovered bug. Many sites (like … or …) catalog all the existing bugs, exploits and fixes; some even specialize in BIND.

17 DNSSEC In 1994, the IETF formed a working group to provide security extensions to the DNS protocol. These extensions are commonly referred to as DNSSEC. They are designed to interoperate with non-security-aware implementations of DNS. The working group defined a new set of resource records to hold the security information that provides strong security to DNS zones. DNSSEC must provide backward compatibility and must be able to co-exist with non-secure DNS implementations.
DNSSEC Objectives The objectives of DNSSEC are to provide authentication and integrity to the DNS. Authentication and integrity of the information held within DNS zones is provided through cryptographic signatures generated with public-key technology. DNSSEC does not provide confidentiality: the data is signed, not encrypted.

18 DNSSEC DNSSEC scope
Key Distribution The public key distribution service supports several different types of keys and several different key algorithms.
Data Origin Authentication DNSSEC uses digital signatures to sign DNS RRsets. The signature is computed over a hash of the RRset; the hash is a cryptographic checksum of the data contained in the RRset, and it is signed using a private key usually belonging to the originator of the information (the zone owner). Any resolver holding the matching public key can verify that the RRset has not been altered.
DNS Transaction and Request Authentication Transaction and request authentication provides the ability to authenticate DNS requests and DNS message headers, i.e. the exchange between two parties rather than the zone data itself.

19 Relevance and How to protect?
Most of these issues have been addressed with patches, but according to menandmice.com the threat is still real. DNSSEC is the proposal for securing DNS transactions: RFC 2535 appears to be a very good solution, which solves most of the protocol problems. (RFC 2535 has since been obsoleted by RFC 4033, 4034 and 4035, which define the DNSSEC in use today.) However, for backward-compatibility reasons it will not be widely deployed for quite some time, so current network administrators should think about other ways of securing their networks against these threats.

20 Relevance and How to protect?
A good DNS architecture is the "split DNS architecture". The principle is to split the DNS system into two parts: one is responsible for advertising the name-to-address mappings we are authoritative for to the outside world, and the other resolves the requests coming from the internal or, more generally, the "trusted" hosts. If the external DNS is compromised, at least it will not affect the service provided to the internal hosts.

21 Conclusion The original DNS protocol specification did not include security. Without security, the DNS is vulnerable to attacks. The IETF added security extensions to the DNS, known as DNSSEC, which provide authentication and integrity to the DNS. Until DNSSEC is deployed, hardening DNS means detecting and protecting against potential attacks at the server level (patching, split DNS) rather than preventing them through cryptographic means.

22 Questions ?

