Published by Buck Flynn; modified over 9 years ago
Domain Name System (DNS): Today & Tomorrow. Presented by James Speirs, Charles Higby and Brady Redfearn.
Overview o History o How It Works o DNS Packet Structure o DNS Features o DNS Security Evolution, Early Days o Current DNS Issues o Bailiwick Defined o BIND 9.6 or Later o Guilty Parties o DNS Exploit, Dan Kaminsky o BIND 8 or Earlier o Kaminsky's Results o What Can Save Us?
History: Pre-DNS o A single hosts file (HOSTS.TXT), maintained by the Stanford Research Institute (SRI) and fetched by every host over FTP
History Continued 1983 o Paul Mockapetris, inventor o RFCs 882 & 883 1984 o Berkeley & UNIX (first implementation for BSD UNIX) 1985 o Kevin Dunlap, Digital Equipment Corporation (DEC) o Berkeley Internet Name Domain (BIND) 1987 o RFCs 1034 & 1035 (the current specification, replacing 882 & 883) 1990s o BIND ported to Windows NT
How It Works Distributed databases o Local machine Hosts file: Linux - /etc/hosts; Mac - /private/etc/hosts; Windows - the hosts file under %SystemRoot%\system32\drivers\etc\ Local cache: the resolver cache in active memory; the browser's own cache
How It Works Continued Distributed databases o Not on the local machine: a UDP request (~100 bytes) goes to the ISP's DNS resolver; if the answer is cached, the ISP DNS responds; otherwise the ISP's upstream DNS responds, or ultimately the core (root and authoritative) servers respond and the ISP relays the answer
DNS Packet Structure
DNS Features A name server's response can carry additional records for other names in its zone o microsoft.com o secure.microsoft.com o update.microsoft.com Name compression (~3x smaller messages) Redundancy Round-robin assignment Entry expiration (TTL) o 3,600 seconds is a common default o Defined by the authoritative name server, not the client The "big 13 root servers" always hold the root zone, which delegates the top-level domains o .com, .net, .tv, .info, .gov, .mil, etc. o http://www.isoc.org/briefings/020/zonefile.shtml
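The packet-structure slide and the compression feature above, as an added worked example (this is not the presenters' code): a minimal RFC 1035 wire-format builder and parser covering the 12-byte header with its 16-bit transaction ID, the question section, A-record answers and compression pointers. The query name and the 192.0.2.10 address are constructed for the demo (RFC 5737 documentation range).

```python
"""Minimal DNS wire-format builder and parser (RFC 1035 section 4).

Added example for the slides; not the presenters' code.  The query name
and address used in demo() are constructed (192.0.2.0/24 is a
documentation range).
"""
import struct

TYPE_A, CLASS_IN = 1, 1
HEADER = struct.Struct('!HHHHHH')   # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name, offsets, base):
    """Encode `name` as length-prefixed labels, emitting a 2-byte
    compression pointer as soon as a suffix has already been written.

    offsets: dict suffix -> offset of its first occurrence in the message
    base:    offset in the message where this name will start
    """
    labels = [l for l in name.rstrip('.').split('.') if l]
    out = bytearray()
    for i, label in enumerate(labels):
        suffix = '.'.join(labels[i:]).lower()
        if suffix in offsets:
            out += struct.pack('!H', 0xC000 | offsets[suffix])   # 11xxxxxx = pointer
            return bytes(out)                                    # pointer ends the name
        if base + len(out) <= 0x3FFF:                            # pointer field is 14 bits
            offsets[suffix] = base + len(out)
        raw = label.encode('ascii')
        out += bytes([len(raw)]) + raw
    return bytes(out) + b'\x00'


def build_message(tid, flags, question, answers=()):
    """question = (name, qtype); answers = [(name, ttl, ipv4_string), ...]"""
    offsets = {}
    msg = bytearray(HEADER.pack(tid, flags, 1, len(answers), 0, 0))
    qname, qtype = question
    msg += encode_name(qname, offsets, len(msg))
    msg += struct.pack('!HH', qtype, CLASS_IN)
    for name, ttl, ip in answers:
        msg += encode_name(name, offsets, len(msg))
        rdata = bytes(int(o) for o in ip.split('.'))
        msg += struct.pack('!HHIH', TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return bytes(msg)


def decode_name(msg, pos):
    """Return (name, position after the name).  A pointer must point
    backwards; rejecting forward pointers rules out loops in a hostile message."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack_from('!H', msg, pos)[0] & 0x3FFF
            if ptr >= pos:
                raise ValueError('forward compression pointer')
            if not jumped:
                end = pos + 2
            jumped, pos = True, ptr
            continue
        pos += 1
        if length == 0:
            return '.'.join(labels), (end if jumped else pos)
        labels.append(msg[pos:pos + length].decode('ascii'))
        pos += length


def parse_message(msg):
    """Parse header, questions and all resource records (A rdata as dotted quad)."""
    tid, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    pos = HEADER.size
    questions, records = [], []
    for _ in range(qd):
        name, pos = decode_name(msg, pos)
        qtype, _qclass = struct.unpack_from('!HH', msg, pos)
        pos += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, pos = decode_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from('!HHIH', msg, pos)
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = '.'.join(str(b) for b in rdata)
        records.append((name, rtype, ttl, rdata))
    return {'tid': tid, 'flags': flags, 'questions': questions, 'records': records}


def demo():
    """Build a standard response for www.example.com and parse it back."""
    resp = build_message(0x1234, 0x8180, ('www.example.com', TYPE_A),
                         [('www.example.com', 3600, '192.0.2.10')])
    return resp, parse_message(resp)


if __name__ == '__main__':
    wire, parsed = demo()
    print(len(wire), 'bytes on the wire;', parsed)
```

The answer's owner name repeats the question name, so it is written as the pointer 0xC00C (offset 12) instead of another 17 bytes; that is where the slide's compression saving comes from, and the backward-only check in decode_name is the guard a resolver needs against a looping pointer.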
DNS Security Evolution, Early Days No bad guys in 1983 Transaction ID (TID) o Originally an incrementing integer, so trivially predictable o Later: random TID Port 53 o Incoming queries arrive on port 53 o Outgoing queries originally also left from port 53, so the source port was known o Later: random outgoing source port, pioneered by Dan Bernstein
Current DNS Issues DNS poisoning o First matching response wins; later answers are discarded o No TCP: plain UDP, so the source address of a response can be spoofed o Transaction IDs are only 16 bits o Source ports are only 16 bits DNS controllers o ICANN o US Commerce Department o Verisign o 13 core (root) servers
Bailiwick Defined o "The neighborhood of the domain": the zone that the queried name server is authoritative for Bailiwicked domain attack o In bailiwick (for an answer from microsoft.com's name servers): microsoft.com, update.microsoft.com, security.microsoft.com; all acceptable DNS entries o Not in bailiwick: google.com, yahoo.com; a resolver throws these entries away
BIND 9.6 or Later Example of the current version of BIND
Guilty Parties o Any DNS resolver not randomizing its source ports o OpenWRT software Secure services o OpenDNS o djbdns o Simple router software
DNS Exploit, Dan Kaminsky Force a cache miss at the ISP o Find the name servers for example.com: ns1.example.com (1.1.1.1), ns2.example.com (1.1.1.2) o Ask the ISP's resolver for a bogus machine, aaa.example.com, which cannot be in its cache o The ISP's resolver queries example.com's name servers for the fake host; note its fixed outgoing UDP source port (7649) o Before the real answer arrives, send ~100 spoofed UDP responses to the ISP resolver at port 7649, with source address 1.1.1.1 and a different guessed 16-bit TID in each, every one carrying a record that places example.com (or any in-bailiwick name such as www.example.com) at your IP 1.1.1.100 o If one TID guess matches, the forged response wins the race and is cached
BIND 8 or Earlier Example of older versions of BIND
Kaminsky's Results Repeat the exploit for any domain; in about 30 seconds you control the entire domain Works because o The forged records are in bailiwick, so the resolver accepts them o They replace the old entries cached at the ISP o The attacker makes the TTL really big: maximum 2,147,483,647 seconds (2^31 - 1), 68+ years, so the entry effectively never expires o Nothing appears wrong: the URL bar shows http://www.google.com and the displayed site looks like google.com
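The bailiwick rule, the exploit steps and the results above, as one added simulation (not the presenters' code): a toy caching resolver that accepts a response only if source address, destination port, TID and question all match its outstanding query and then keeps only in-bailiwick records, raced by an attacker who spoofs ns1's address and sprays 100 TID guesses per round. Hosts, ports and addresses are constructed (192.0.2.0/24 is a documentation range; 7649 is the fixed port from the slide). Run with a fixed source port the forgery typically lands within a few hundred rounds; with randomized ports the same budget gets nowhere, which is the point of the "guilty parties" slide.

```python
"""Kaminsky cache-poisoning race against a toy resolver.

Added example for the slides; not the presenters' code.  All names,
addresses and ports are constructed.
"""
import random

TTL_MAX = 2 ** 31 - 1        # RFC 2181 s8: TTLs above this are treated as zero
NS_IP = '192.0.2.1'          # constructed: ns1.example.com
ATTACKER_IP = '192.0.2.100'  # constructed: attacker's web server
FIXED_PORT = 7649            # fixed source port the attacker observed (slide value)


def in_bailiwick(name, zone):
    """True if `name` is `zone` or lies beneath it (label-aligned match)."""
    n, z = name.lower().rstrip('.'), zone.lower().rstrip('.')
    return n == z or n.endswith('.' + z)


def effective_ttl(ttl):
    """RFC 2181: a TTL with the high bit set is treated as 0, so 2^31-1 is the max."""
    return ttl if ttl <= TTL_MAX else 0


class Resolver:
    """Caching resolver with one outstanding upstream query at a time."""

    def __init__(self, random_ports, rng):
        self.random_ports = random_ports
        self.rng = rng
        self.cache = {}       # owner name -> (ip, ttl)
        self.pending = None   # (tid, src_port, qname, zone, ns_ip)

    def send_query(self, qname, zone, ns_ip):
        tid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.random_ports else FIXED_PORT
        self.pending = (tid, port, qname, zone, ns_ip)
        return port

    def receive(self, src_ip, dst_port, tid, qname, records):
        """First response matching (ns ip, port, TID, qname) wins; only
        records inside the zone we asked are cached."""
        if self.pending is None:
            return False
        p_tid, p_port, p_qname, zone, ns_ip = self.pending
        if (src_ip, dst_port, tid, qname.lower()) != (ns_ip, p_port, p_tid, p_qname.lower()):
            return False
        for name, ip, ttl in records:
            if in_bailiwick(name, zone):
                self.cache[name.lower()] = (ip, effective_ttl(ttl))
        self.pending = None
        return True

    def timeout(self):
        """The genuine answer arrived or the query expired; race is over."""
        self.pending = None


def kaminsky_attack(resolver, rng, max_rounds, burst=100):
    """Return the round in which www.example.com was poisoned, or None."""
    for rnd in range(1, max_rounds + 1):
        bogus = f'{rnd:08x}.example.com'                   # never cached, forces a miss
        real_port = resolver.send_query(bogus, 'example.com', NS_IP)
        # Fixed port: the attacker has already observed it.  Random port:
        # it must be guessed along with the TID, ~2^32 combinations.
        port_guess = rng.randrange(1024, 1 << 16) if resolver.random_ports else real_port
        spoofed = [(bogus, '192.0.2.66', 60),
                   ('www.example.com', ATTACKER_IP, TTL_MAX),          # in bailiwick
                   ('www.victim-bank.example', ATTACKER_IP, TTL_MAX)]  # dropped
        for _ in range(burst):
            if resolver.receive(NS_IP, port_guess, rng.randrange(1 << 16), bogus, spoofed):
                return rnd
        resolver.timeout()
    return None


def run(random_ports, seed, max_rounds):
    rng = random.Random(seed)
    resolver = Resolver(random_ports, rng)
    return kaminsky_attack(resolver, rng, max_rounds), resolver


if __name__ == '__main__':
    for random_ports in (False, True):
        rounds, r = run(random_ports, seed=1, max_rounds=2000)
        print('random ports' if random_ports else 'fixed port', '->',
              f'poisoned in round {rounds}' if rounds else 'not poisoned',
              r.cache.get('www.example.com'))
```

With a fixed port each round succeeds with probability about 100/65536, so the expected cost is a few hundred rounds of 100 packets, the scale of the slide's "30 seconds". Randomizing the source port multiplies the search space by roughly 2^16, and the out-of-bailiwick record for www.victim-bank.example is never cached even when the forgery wins.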
What Can Save Us? SSL certificates o Cannot be duplicated: a poisoned answer sends you to a server that cannot present the real site's certificate o Must be examined: the protection only works if the browser warning or the certificate itself is checked o If available, force HTTPS o Most sites don't support either solution Test your ISP's resolver for source-port randomization o entropy.dns-oarc.net/test
Questions