1. Presented by: Syed Nasir Mehdi PhD Computer Science and Engineering Biocom Lab snasirmehdi@ hanyang.ac.kr 1 INCREASED DNS FORGERY RESISTANCE THROUGH 0X20 BIT ENCODING DAVID DAGON MANOS ANTONAKAKIS PAUL VIXIE TATUYA JINMEI WENKE LEE

2.  Introduction  Background  DNS Nomenclature  DNS Poisoning  Basic DNS Poisoning Model  DNS Ox20 Bit Encoding Queries  Analysis  Ox20 Probing  Related Work  Future Work  Conclusion 2 OUTLINE

3.  Main Goal: To make DNS queries more resistant to poisoning attacks:  What it entails: Creation of DNS light-weight forgery-resistance technology  How :  Preservation of case encoding of DNS Queries by Authority Servers bit- for-bit and upon return the verification of the same and caching by recursive server.  Constraints:  No Radical Changes. DNS Infrastructure should remain intact  Protocol Stability. DNS Protocol should remain intact  Backward Compatible. Other technologies that rely on existing DNS standards should remain intact  Example: www.example.com, recursive DNS servers would instead query for wwW.eXamPLe.cOM 3 INTRODUCTION

4.  DNS  Stub Resolver(Client)  Resolver(Name Server)  Recursive Resolver(NS Client)  Authoritative Servers(SOA)  Zone(.net,.org)  Delegation  Caching  RR  Root(13)  WHOIS(Registrant,nameserver TTL) 4 DNS OVERVIEW

5.  Attackers can iteratively Observe cache values over time  OR be forced to do lookups  Guess the 16 bit ID-field  Birthday Attacks  Exploit weak random number generation.  Berstein suggests UDP ports+ID  Kaminsky class(IN A answer+NS update)  No of guesses attacker can make.  Port randomization to grow the key space. 5 DNS POISONING

6. Definition 1: DNS server is forgery resistant where TTL (caching period) ≫ △ t, and the chance of an attack being successful within △ t time is low. Assumption 1. If attack is not 10% likely to succeed within Tmax, we deem the DNS server is forgery resistant. 6 DNS POISONING MODEL

7.  DNSSEC DNS servers, King Kaminsky-class advocate the Importance of RTT.  Calculate tA,tB, tC and Then calculate RTT= tC-tB. Verify tC-tB ≈ tC −tA  If domain cached, Avg response time<100ms  If not cached, 400ms.  Answer’s TTL (caching period) 7 RTT

8. 8 RTT OBSERVATIONS  Randomly select 5000 servers, with hosts open recursive.

9.  α = Number of Different DNS IDs 2¹ 6  β = Number of Source Ports (conceptually 2¹ 6 )  γ = Number of Ports excluded 1024 as per kernel resources  θ = Number of authority servers and recursive IPs.  attacker has to spoof the correct authority source address apart from query ID and port.  = 1/ α ∗ (β − γ) ∗ θ  With 3 authority servers, =1/ 2¹ 6 ∗ (2¹ 6 − 1024) ∗ 3≈1 12.7B  = n/α ∗ (β − γ) ∗ θ  Observations: 1.not every recursive DNS server can implement port randomization, since it poses unique engineering challenges.+ sockets selection 2.Some DNS servers are more important targets e.g ISP  We therefore need additional DNS protection measures 9 RTT OBSERVATIONS

10.  Cached Query Resolver-OR  RTT: SOA-OR  First Query: Resolver-SOA 10 RTT OBSERVATIONS

11. 11 DNS OX20 BIT ENCODING QUERIES

12. 12 ANALYSIS

13. 13 OX20 PROBING

14. 14 PROBING..

15. 15 PROBING

16.  3 weeks non stop internet scan  75 million name servers  7 million queries .3% who don’t support  Under high volumes they return identical queries/s for same Domain  DNS fingerprinting scans <0.28%, behave this way, load balancers or hardware accelerators  99.7% support 0x20 encoding scheme without changing their code base. 16 MORE OBSERVATIONS

17.  TSIG or SIG(0) and TKEY for message integrity  Domain Name System (DNS) Cookies”  IETF draft on DNS forgery resilience discusses many aspects of DNS poisoning  DoX, a peer-to-peer DNS replacement, motivated by DNS poisoning  TCP SYN Cookies proposed by DJ Bernstein and Eric Schenk in 1996 as a means to stop resource exhaustion DDoS attacks on TCP stacks, Most related, similar the DNS encoding scheme 17 RELATED WORK

18.  Approach adopted 1.Require no radical changes to the DNS infrastructure; 2.Make no major changes to the existing protocol 3. Be backwards compatible, so that even just a few DNS servers can elect to adopt it  With small exceptions (≈ 0.3%) the world’s authority servers appear to already preserve the encoding scheme.  DNS-0x20 encoding does not provide strong guarantees for transaction integrity, it just raises the bar.  DNS messages can have an additional 12-bits of state, perhaps a reason of slow adoption of other comprehensive DNS security schemes. 18 CONCLUSION

19.  There may be key management issues to consider.  Stateless encoding schemes for domain names using ox20 bitset of queries,  Modifications and implementation for embedded devices  Update deployed embedded DNS systems  Policy options for DNS-0x20 recursive servers  Capacity of the covert channel that DNS ox20 creates 19 FUTURE WORK

20.  This material was based upon work supported in part by the National Science Foundation under Grant No. 0627477 and the Department of Homeland Security under Contract No. FA8750-08- 2-0141. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation and the Department of Homeland Security. 20 ACKNOWLEDGEMENTS