Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Attacks Using DNS Vulnerabilities

Published byKory Webster Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Attacks Using DNS Vulnerabilities"— Presentation transcript:

1 Security Attacks Using DNS Vulnerabilities
Talk by Faisal Ahmad Khan BUITEMS Cyber Security Week December 5-7, 2017

2 DNS: Domain Name System
People: many identifiers: SSN, name, passport # Internet hosts, routers: IP address (32 bit) - used for addressing datagrams “name”, e.g., - used by humans Q: map between IP addresses and name ? Domain Name System: distributed database implemented in hierarchy of many name servers application-layer protocol host, routers, name servers to communicate to resolve names (address/name translation) note: core Internet function, implemented as application-layer protocol complexity at network’s “edge”

3 DNS DNS is Hierarchical DNS services
Why not centralize DNS? single point of failure traffic volume distant centralized database Maintenance DNS services Hostname to IP address translation Host aliasing Canonical and alias names Mail server aliasing Load distribution Replicated Web servers: set of IP addresses for one canonical name 06a DNS.ppt

4 Distributed, Hierarchical Database
Root DNS Servers com DNS servers org DNS servers edu DNS servers poly.edu DNS servers umass.edu yahoo.com amazon.com pbs.org Client wants IP for 1st approx: Client queries a root server to find “com” DNS server Client queries com DNS server to get “amazon.com” Authoritative DNS server Client queries amazon.com DNS server to get IP address for “ 06a DNS.ppt

5 DNS: Root name servers contacted by local name server that can not resolve Top_Level name (eats in Originally there were 7 Top-Level domains (com, org, edu, mil, gov, info, arpa) Now there are hundreds ( us, uk, cn, tv, name, ...) ICANN assigns domain names ( 13 root name servers worldwide b USC-ISI Marina del Rey, CA l ICANN Los Angeles, CA e NASA Mt View, CA f Internet Software C. Palo Alto, CA (and 17 other locations) i Autonomica, Stockholm (plus 3 other locations) k RIPE London (also Amsterdam, Frankfurt) m WIDE Tokyo a Verisign, Dulles, VA c Cogent, Herndon, VA (also Los Angeles) d U Maryland College Park, MD g US DoD Vienna, VA h ARL Aberdeen, MD j Verisign, ( 11 locations) 06a DNS.ppt

6 TLD and Authoritative Servers
Top-level domain (TLD) servers: responsible for com, org, net, edu, etc, and all top-level country domains uk, fr, ca, jp. Network Solutions, Inc. maintains servers for com TLD Educause maintains servers for edu TLD Authoritative DNS servers: organization’s DNS servers, providing authoritative hostname to IP mappings for organization’s servers (e.g., Web and mail). Can be maintained by organization or service provider Every “Autonomous System” (AS) must have two (backup). Local DNS servers: organization’s DNS servers located on various subnets to provide DNS lookups for hosts on the subnet. May not be accessible from outside the subnet. Their IP addresses are part of the host's network configuration (manual or DHCP). PC looks first at “hosts” file. DNS Hack #0, add false info to it.

7 Local Name Server Does not strictly belong to hierarchy
Each ISP (residential ISP, company, university) has one. Also called “default name server” or “resolver” When a host makes a DNS query, query is sent to its local DNS server Acts as a proxy, forwards query into hierarchy. Today a DNS proxy (resolver) is built into most DSL and cable-modem routers DNS Hack #1: Change DNS configured IP to IP of attacker-controlled server (Windows Registry or UNIX /etc/resolv.conf) 06a DNS.ppt

8 authoritative DNS server
Example root DNS server Host at cis.poly.edu wants IP address for gaia.cs.umass.edu Host sends a "recursion-requested" query request to dns.poly.edu. Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host. 2 3 TLD DNS server 4 5 local DNS server dns.poly.edu 7 6 1 8 authoritative DNS server dns.cs.umass.edu requesting host cis.poly.edu $ nslookup gaia.cs.umass.edu answer gaia.cs.umass.edu 06a DNS.ppt

9 Non-recursive queries
root DNS server A3.NSLTD.COM norecurse or "iterated" query: contacted server replies with name of server to contact “I don’t know this name, but ask this server” local DNS server dns.poly.edu authoritative DNS server NS1.umass.edu 3 4 2 5 1 6 requesting host cis.poly.edu gaia.cs.umass.edu $ nslookup -norecurse -v gaia.cs.umass.edu $ nslookup -norecurse -v gaia.cs.umass.edu A3.NSLTD.COM $ nslookup -norecurse -v gaia.cs.umass.edu NS1.umass.com answer 06a DNS.ppt

10 “dig” with “+trace” will show the entire recursive lookup.
copeland$ dig +trace ; <<>> DiG P1 <<>> +trace ;; global options: +cmd IN NS e.root-servers.net. IN NS c.root-servers.net. IN NS a.root-servers.net. (11 lines deleted) ;; Received 496 bytes from #53( ) in 13 ms . . . com IN NS h.gtld-servers.net. com IN NS j.gtld-servers.net. com IN NS e.gtld-servers.net. ; Received 504 bytes from #53( ) in 138 ms google.com IN NS ns2.google.com. google.com IN NS ns1.google.com. google.com IN NS ns3.google.com. google.com IN NS ns4.google.com. ;; Received 168 bytes from #53( ) in 56 ms IN A IN A (4 lines deleted) ;; Received 128 bytes from #53( ) in 64 ms

11 DNS: caching and updating records
once (any) name server learns a mapping, it caches the mapping (Domain’s DNS = IP) cache entries timeout (disappear) after some time (usually 20 minutes) TLD servers typically cached longer in local name servers Thus root name servers not often visited update/notify mechanisms under design by IETF RFC 2136 DNS Hack #0: Add a “name -> IP” entry in the UNIX /etc/hosts file, or Windows Registry file. 06a DNS.ppt

12 RR format: (name, value, type, ttl)
DNS records DNS: distributed db storing resource records (RR) RR format: (name, value, type, ttl) Type=A (AAAA for IPv6) name is hostname value is IP address Type=CNAME name is alias name for some “canonical” (the real) name is really servereast.backup2.ibm.com value is canonical name Type=NS name is domain (e.g. foo.com) value is hostname of authoritative name server for this domain Type=MX value is name of mailserver associated with name 06a DNS.ppt

13 DNS protocol, messages DNS protocol : query and reply messages, both with same message format msg header identification: 16 bit # for query, reply to query uses same # flags: query or reply recursion desired recursion available reply is authoritative 06a DNS.ppt

14 DNS protocol, messages * Name, type fields for a query RRs in response
to query records for authoritative servers additional “helpful” info that may be used

15 Inserting records into DNS
Example: just created startup “Network Utopia” Register name networkuptopia.com at a registrar (e.g., Network Solutions) Need to provide registrar with names and IP addresses of your authoritative name server (primary and secondary) Registrar inserts two RRs into the .com TLD server: (networkutopia.com, dns1.acme.com, NS) (dns1.acme.com, , A) Put in authoritative server Type A record for and Type MX record for networkutopia.com into dns1.acme.com (DNS service) DNS Hack #2 Register a domain like “myserver.ru”, have links in like 06a DNS.ppt

16 >whois nt.com Whois Server Version 2.0 Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to for detailed information. Domain Name: NT.COM Registrar: GODADDY.COM, INC. Whois Server: whois.godaddy.com Referral URL: Name Server: NS-GUY2.NORTELNETWORKS.COM Name Server: NS-HAR2.NORTELNETWORKS.COM Status: clientDeleteProhibited Status: clientRenewProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 20-jan-2009 Creation Date: 28-sep-1990 Expiration Date: 27-sep-2010 >>> Last update of whois database: Fri, 20 Feb :33:26 UTC <<< 16

17 DNS Cache Poisoning root DNS server 3
3 TLD DNS server - IP = 4 1 Spoofed Request for no.bigbank.com source IP = 5 local DNS server dns.poly.edu 2 Spoofed Response - source IP = Auth. DNS for bigbank.com = 8 Future requests for all URLs in bigbank.com go to = authoritative DNS server dns.bigbank.com requesting host cis.poly.edu IP = 17

18 wireshark Display of DNS Response
ID is random nonce used to authenticate Response to Query 18

19 DNS protocol, spoofed messages
< bits > * Name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used * 16-bit ID is used to match responses to requests. To spoof, use 1 request and 65,536 responses, or use 256 requests and 256 responses (Birthday attack). 06a DNS.ppt 19

20 DNS Cache Poisoning - Anticipated Attack
Sends a Request for a URL, and N fake Replies with random IDs Lookup Time is is is Correct guess of <- ID Nonce Probable no. of hits = N / 65,354 is is is is is is UDP Connection closed > cached -> (not noticed) is is is Local DNS NS-CNN.COM Hacker 20

21 DNS Cache Poisoning – Bellovin Birthday Attack
<- Sending 260 requests for same domain, cnn.com, and N Replies with fake Auth. N.S. IP address. with random IDs Lookup Time * is is <- Correct guess of one ID. Probable no. of hits 260*N/(2^16) =1 if N =252 Prob(hits>0)=0.63 Total packets = 512 is is is is is is Local DNS -> caches = is is * Local DNS sends 260 queries with different IDs. DOS Attack Local DNS NS-CNN.COM Hacker DNS Hack #3: Change DNS IP configured in local cache. 21

22 Fast-Flux DNS (Botnet Distributed Phishing)
Botmaster registers his DNS server, with the “ru” TLD (Top Level DNS) as the Authority for “bg4589.ru” Botnet hosts sent out to lure victims to a Phishing Web site (IP ) Problem: as soon as BNY Network Security person sees one of the s, they do a DNS lookup (get ), a “whois”, and shut the host down. Solution: vary the IP address returned to one of a thousand botnet Web servers. Problem: BNY NetSec repeatedly does DNS lookups to get a complete list of botnet hosts. Solution: After several lookups from the same IP, have many other bots do a Distributed Denial of Service attack (DDoS) for several days against BNY NetSec. DNS Hack #4: Use a Fast Flux DNS to prevent total shutdown. 22

23 authoritative DNS server
Fast Flux DNS URL in Phish -> One of Many bots root DNS server Host at poly.edu wants IP address for Host sends a "recursion-requested" query request to dns.poly.edu. [Host is doing a non-recursive search] Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host. 2 3 TLD DNS server 4 5 Fast Flux - many IP’s of bot Phishing sites. local DNS server dns.poly.edu 7 6 1 8 Note: the dot after "com" below is necessary to avoid getting the same cached answer from dns.poly.edu. requesting host joe.poly.edu authoritative DNS server dns.urhcked.com $ nslookup answer $ nslookup answer 06a DNS.ppt 23 Adapted from “Computer Networking: A Top Down Approach Featuring the Internet”, by Jim Kurose & Keith Ross

24 Five DNS Hacks DNS Hack #0 – modify /etc/resolv.conf or Windows’ Registry, to change the IP of the Local DNS Server. DNS Hack #1 – add a line to /etc/hosts or Windows’ Registry. DNS Hack #2 – In URL link, hide the actual domain: e.g., DNS Hack #3 – Fast-Flux DNS: gives different IP every time. DNS Hack #4 – Poison the Local DNS Server’s cache (using a “Birthday” Attack) 24

Download ppt "Security Attacks Using DNS Vulnerabilities"

Similar presentations

DNS – Domain Name system Converting domain names to IP addresses since 1983.

DNS – Domain Name system Converting domain names to IP addresses since 1983.
Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.

Domain Name System (or Service) (DNS) Computer Networks Computer Networks Term B10.
1 EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

1 EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
Domain Name System (or Service) (DNS) Computer Networks Computer Networks Spring 2012 Spring 2012.

Domain Name System (or Service) (DNS) Computer Networks Computer Networks Spring 2012 Spring 2012.
EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
2: Application Layer1 FTP, SMTP and DNS. 2: Application Layer2 FTP: separate control, data connections r FTP client contacts FTP server at port 21, specifying.

2: Application Layer1 FTP, SMTP and DNS. 2: Application Layer2 FTP: separate control, data connections r FTP client contacts FTP server at port 21, specifying.
EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.

EEC-484/584 Computer Networks Lecture 5 Wenbing Zhao (Part of the slides are based on Drs. Kurose & Ross ’ s slides for their Computer.
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts, routers: –IP address (32 bit) - used for addressing datagrams –“name”, e.g., gaia.cs.umass.edu.

1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts, routers: –IP address (32 bit) - used for addressing datagrams –“name”, e.g., gaia.cs.umass.edu.
2: Application Layer1 Chapter 2 Application Layer Computer Networking: A Top Down Approach, 4 th edition. Jim Kurose, Keith Ross Addison-Wesley, July 2007.

2: Application Layer1 Chapter 2 Application Layer Computer Networking: A Top Down Approach, 4 th edition. Jim Kurose, Keith Ross Addison-Wesley, July 2007.
Application Layer12-1 2010 session 1 TELE3118: Network Technologies Week 12: DNS Some slides have been taken from: r Computer Networking: A Top Down Approach.

Application Layer session 1 TELE3118: Network Technologies Week 12: DNS Some slides have been taken from: r Computer Networking: A Top Down Approach.
CPSC 441: DNS1 Instructor: Anirban Mahanti Office: ICT 745 Class Location: ICT 121 Lectures: MWF 12:00 – 12:50 Notes derived.

CPSC 441: DNS1 Instructor: Anirban Mahanti Office: ICT Class Location: ICT 121 Lectures: MWF 12:00 – 12:50 Notes derived.
Application Layer 2-1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012.

Application Layer 2-1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012.
Name Resolution and DNS. Domain names and IP addresses r People prefer to use easy-to-remember names instead of IP addresses r Domain names are alphanumeric.

Name Resolution and DNS. Domain names and IP addresses r People prefer to use easy-to-remember names instead of IP addresses r Domain names are alphanumeric.
Chapter 2 Application Layer

Chapter 2 Application Layer
2: Application Layer1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012.

2: Application Layer1 Chapter 2 Application Layer Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.

NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
CIS3360: Security in Computing Chapter 6 : Network Security II Cliff Zou Spring 2012.

CIS3360: Security in Computing Chapter 6 : Network Security II Cliff Zou Spring 2012.
CS 4396 Computer Networks Lab

CS 4396 Computer Networks Lab
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g., www.yahoo.com.

1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,

Similar presentations

Ads by Google