1. 1 Chapter 2 (Section 2.5) Application Layer - DNS Computer Networking: A Top Down Approach Featuring the Internet, 5 rd edition. Jim Kurose, Keith Ross Addison-Wesley, July 2009. Textbook for ECE3076. A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students, readers). They’re in PowerPoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on our part. In return for use, we only ask the following:  If you use these slides (e.g., in a class) in substantially unaltered form, that you mention their source (after all, we’d like people to use our book!)  If you post any slides in substantially unaltered form on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material. Thanks and enjoy! JFK/KWR All material copyright 1996-2009 J.F Kurose and K.W. Ross, All Rights Reserved Modified for GT ECE6612 by Prof. John Copeland 2/25/13 06a DNS.ppt

2. 2 DNS: Domain Name System People: many identifiers:  SSN, name, passport # Internet hosts, routers:  IP address (32 bit) - used for addressing datagrams  “name”, e.g., www.yahoo.com - used by humans Q: map between IP addresses and name ? Domain Name System: r distributed database implemented in hierarchy of many name servers r application-layer protocol host, routers, name servers to communicate to resolve names (address/name translation)  note: core Internet function, implemented as application-layer protocol  complexity at network’s “edge” 06a DNS.ppt

3. 3 DNS DNS is Hierarchical Why not centralize DNS? r single point of failure r traffic volume r distant centralized database r maintenance doesn’t scale! DNS services r Hostname to IP address translation r Host aliasing  Canonical and alias names r Mail server aliasing r Load distribution  Replicated Web servers: set of IP addresses for one canonical name 06a DNS.ppt

4. 4 Root DNS Servers com DNS servers org DNS serversedu DNS servers poly.edu DNS servers umass.edu DNS servers yahoo.com DNS servers amazon.com DNS servers pbs.org DNS servers Distributed, Hierarchical Database Client wants IP for www.amazon.com; 1 st approx: r Client queries a root server to find “com” DNS server r Client queries com DNS server to get “amazon.com” Authoritative DNS server r Client queries amazon.com DNS server to get IP address for “www.amazon.com” 06a DNS.ppt

5. 5 DNS: Root name servers r contacted by local name server that can not resolve Top_Level name (eats in www.macdonalds.eats) r Originally there were 7 Top-Level domains (com, org, edu, mil, gov, info, arpa) Now there are hundreds ( us, uk, cn, tv, name,...) r ICANN assigns domain names (www.icann.org) 13 root name servers worldwide b USC-ISI Marina del Rey, CA l ICANN Los Angeles, CA e NASA Mt View, CA f Internet Software C. Palo Alto, CA (and 17 other locations) i Autonomica, Stockholm (plus 3 other locations) k RIPE London (also Amsterdam, Frankfurt) m WIDE Tokyo a Verisign, Dulles, VA c Cogent, Herndon, VA (also Los Angeles) d U Maryland College Park, MD g US DoD Vienna, VA h ARL Aberdeen, MD j Verisign, ( 11 locations) 06a DNS.ppt

6. 6 TLD and Authoritative Servers r Top-level domain (TLD) servers: responsible for com, org, net, edu, etc, and all top-level country domains uk, fr, ca, jp.  Network Solutions, Inc. maintains servers for com TLD  Educause maintains servers for edu TLD  [2007 - TLD servers share responsibilities] r Authoritative DNS servers: organization’s DNS servers, providing authoritative hostname to IP mappings for organization’s servers (e.g., Web and mail).  Can be maintained by organization or service provider  Every “Autonomous System” (AS) must have two (backup). r Local DNS servers: organization’s DNS servers located on various subnets to provide DNS lookups for hosts on the subnet. May not be accessible from outside the subnet. Their IP addresses are part of the host's network configuration (manual or DHCP). PC looks first at “hosts” file. DNS Hack #0, add false info to it.

7. 7 Local Name Server r Does not strictly belong to hierarchy r Each ISP (residential ISP, company, university) has one.  Also called “default name server” or “resolver” r When a host makes a DNS query, query is sent to its local DNS server  Acts as a proxy, forwards query into hierarchy.  Today a DNS proxy (resolver) is built into most DSL and cable-modem routers 06a DNS.ppt DNS Hack #1: Change DNS configured IP to IP of attacker-controlled server (Windows Registry or UNIX /etc/resolv.conf)

8. 06a DNS.ppt 8 requesting host cis.poly.edu gaia.cs.umass.edu root DNS server local DNS server dns.poly.edu 1 2 3 4 5 6 authoritative DNS server dns.cs.umass.edu 7 8 TLD DNS server Example $ nslookup gaia.cs.umass.edu answer 128.119.245.12 r Host at cis.poly.edu wants IP address for gaia.cs.umass.edu r Host sends a "recursion- requested" query request to dns.poly.edu. r [Host is doing a non- recursive search] r Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host.

9. 06a DNS.ppt 9 requesting host cis.poly.edu gaia.cs.umass.edu root DNS server A3.NSLTD.COM local DNS server dns.poly.edu 1 2 4 5 6 authoritative DNS server NS1.umass.edu 3 Non-recursive queries norecurse or "iterated" query: r contacted server replies with name of server to contact r “I don’t know this name, but ask this server” $ nslookup -norecurse -v gaia.cs.umass.edu $ nslookup -norecurse -v gaia.cs.umass.edu A3.NSLTD.COM $ nslookup -norecurse -v gaia.cs.umass.edu NS1.umass.com answer 128.119.245.12

10. copeland$ dig +trace www.google.com. (may have to do from ecelinsrva.ece) ; > DiG 9.8.3-P1 > +trace www.google.com. ;; global options: +cmd.495753INNSe.root-servers.net..495753INNSc.root-servers.net..495753INNSa.root-servers.net.... (11 lines deleted) ;; Received 496 bytes from 128.61.244.254#53(128.61.244.254) in 13 ms... com.172800INNSh.gtld-servers.net. com.172800INNSj.gtld-servers.net. com.172800INNSe.gtld-servers.net.... (11 lines deleted) ; Received 504 bytes from 192.58.128.30#53(192.58.128.30) in 138 ms google.com.172800INNSns2.google.com. google.com.172800INNSns1.google.com. google.com.172800INNSns3.google.com. google.com.172800INNSns4.google.com. ;; Received 168 bytes from 192.55.83.30#53(192.55.83.30) in 56 ms www.google.com.300INA74.125.196.104 www.google.com.300INA74.125.196.105... (4 lines deleted) ;; Received 128 bytes from 216.239.36.10#53(216.239.36.10) in 64 ms “dig” with “+trace” will show the entire recursive lookup. 10

11. 06a DNS.ppt 11 DNS: caching and updating records r once (any) name server learns a mapping, it caches the mapping (Domain’s DNS = IP)  cache entries timeout (disappear) after some time (usually 20 minutes)  TLD servers typically cached longer in local name servers Thus root name servers not often visited r update/notify mechanisms under design by IETF  RFC 2136  http://www.ietf.org/html.charters/dnsind-charter.html DNS Hack #0: Add a “name -> IP” entry in the UNIX /etc/hosts file, or Windows Registry file.

12. 06a DNS.ppt 12 DNS records DNS: distributed db storing resource records (RR) r Type=NS  name is domain (e.g. foo.com)  value is hostname of authoritative name server for this domain RR format: (name, value, type, ttl) r Type=A ( AAAA for IPv6 )  name is hostname  value is IP address r Type=CNAME  name is alias name for some “canonical” (the real) name www.ibm.com is really servereast.backup2.ibm.com  value is canonical name r Type=MX  value is name of mailserver associated with name

13. 06a DNS.ppt 13 DNS protocol, messages DNS protocol : query and reply messages, both with same message format msg header r identification: 16 bit # for query, reply to query uses same # r flags:  query or reply  recursion desired  recursion available  reply is authoritative

14. 14 DNS protocol, messages Name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used *

15. 06a DNS.ppt 15 Inserting records into DNS r Example: just created startup “Network Utopia” r Register name networkuptopia.com at a registrar (e.g., Network Solutions)  Need to provide registrar with names and IP addresses of your authoritative name server (primary and secondary)  Registrar inserts two RRs into the.com TLD server: (networkutopia.com, dns1.acme.com, NS) (dns1.acme.com, 212.212.212.1, A) r Put in authoritative server Type A record for www.networkuptopia.com and Type MX record for networkutopia.com into dns1.acme.com (DNS service) DNS Hack #2 Register a domain like “myserver.ru”, have links in email like “www.usbank.com.273846.myserver.ru”. This can hide the real domain. A unique subnet can id the local resolver, and email recipient or Web page viewer.

16. >dig anyhost.nt.com +norecurse -q=any ; NO NS SPECIFIED ; > DiG 8.3 > anyhost.nt.com +norecurse -q=any ;; res options: init defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11306 ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0 ;; QUERY SECTION: ;; anyhost.nt.com, type = A, class = IN ;; AUTHORITY SECTION: INSOAa.root-servers.net. nstld.verisign-grs.com. 2013022500 1800 900 604800 86400 SOA = Start of Authority Final Dot = Authoritative A.ROOT-SERVERS.NET. <- SPECIFY DNS NEXT TIME ;; Total query time: 4 msec ;; FROM: bigzilla.ece.gatech.edu to SERVER: default -- 130.207.230.5 ;; WHEN: Fri Feb 20 08:00:38 2009 ;; MSG SIZE sent: 28 rcvd: 156 16

17. >dig @C.ROOT-SERVERS.NET nt.com. +norecurse ; SPECIFY NAME SERVER ; > DiG 8.3 > @C.ROOT-SERVERS.NET nt.com. +norecurse ; (1 server found) ;; res options: init defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26071 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 15 ;; QUERY SECTION: ;; nt.com, type = A, class = IN ;; AUTHORITY SECTION: com. 2D IN NS C.GTLD-SERVERS.NET. {TOP-LEVEL NS for.com} com. 2D IN NS L.GTLD-SERVERS.NET. com. 2D IN NS A.GTLD-SERVERS.NET. … ;; ADDITIONAL SECTION: A.GTLD-SERVERS.NET. 2D IN A 192.5.6.30 A.GTLD-SERVERS.NET. 2D IN AAAA 2001:503:a83e::2:30 B.GTLD-SERVERS.NET. 2D IN A 192.33.14.30 B.GTLD-SERVERS.NET. 2D IN AAAA 2001:503:231d::2:30 ;; Total query time: 23 msec ;; FROM: bigzilla.ece.gatech.edu to SERVER: C.ROOT-SERVERS.NET 192.33.4.12 ;; WHEN: Fri Feb 20 08:06:09 2009 ;; MSG SIZE sent: 24 rcvd: 512 17

18. >dig @192.5.6.30 nt.com. +norecurse -q=any ; > DiG 8.3 > @192.5.6.30 nt.com. +norecurse -q=any ; (1 server found) ;; res options: init defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24266 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5 ;; QUERY SECTION: ;; nt.com, type = A, class = IN ;; AUTHORITY SECTION: {Authoritative Name Servers for domain nt.com} nt.com. 2D IN NS ns-guy2.nortelnetworks.com. nt.com. 2D IN NS ns-har2.nortelnetworks.com. ;; ADDITIONAL SECTION: ns-guy2.nortelnetworks.com. 2D IN A 47.237.0.21 ns-har2.nortelnetworks.com. 2D IN A 47.251.0.21 ;; Total query time: 58 msec ;; FROM: bigzilla.ece.gatech.edu to SERVER: 192.5.6.30 192.5.6.30 ;; WHEN: Fri Feb 20 08:07:40 2009 ;; MSG SIZE sent: 24 rcvd: 229 ------------------------------------------------- Next: dig @47.237.0.21 anyhost.nt.com. +norecurse -q=any 18

19. >whois nt.com Whois Server Version 2.0 Domain names in the.com and.net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information. Domain Name: NT.COM Registrar: GODADDY.COM, INC. Whois Server: whois.godaddy.com Referral URL: http://registrar.godaddy.com Name Server: NS-GUY2.NORTELNETWORKS.COM Name Server: NS-HAR2.NORTELNETWORKS.COM Status: clientDeleteProhibited Status: clientRenewProhibited Status: clientTransferProhibited Status: clientUpdateProhibited Updated Date: 20-jan-2009 Creation Date: 28-sep-1990 Expiration Date: 27-sep-2010 >>> Last update of whois database: Fri, 20 Feb 2009 13:33:26 UTC <<< 19

20. requesting host cis.poly.edu IP = 12.34.56.78 www.bigbank.com 33.22.11.44 root DNS server local DNS server dns.poly.edu 1 Spoofed Request for no.bigbank.com source IP = 12.34.56.78 2 Spoofed Response - source IP = 87.65.43.21 Auth. DNS for bigbank.com =66.66.66.66 3 4 5 authoritative DNS server dns.bigbank.com 8 TLD DNS server - IP = 87.65.43.21 www.bigbank.phisher.com 66.66.66.66 Future requests for all URLs in bigbank.com go to =66.66.66.66 DNS Cache Poisoning 20

21. wireshark Display of DNS Response ID is random nonce used to authenticate Response to Query 21

22. 06a DNS.ppt DNS protocol, spoofed messages Name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used * * 16-bit ID is used to match responses to requests. To spoof, use 1 request and 65,536 responses, or use 256 requests and 256 responses (Birthday attack). 22

23. Local DNS NS-CNN.COM Hacker Time Lookup www.cnn.com www.cnn.com is 66.66.66.66 UDP Connection closed -> 66.66.66.66 cached www.cnn.com -> 64.236.90.21 (not noticed) Correct guess of <- ID Nonce Probable no. of hits = N / 65,354 DNS Cache Poisoning - Anticipated Attack 23 Sends a Request for a URL, and N fake Replies with random IDs www.cnn.com is 64.236.90.21

24. Local DNS NS-CNN.COM Hacker Time Lookup www.cnn.com www.cnn.com is 66.66.66.66 www..cnn.com is 66.66.66.66 www.cnn.com is 66.66.66.66 Local DNS -> caches www.cnn.com = 66.66.66.66 DNS Cache Poisoning – Bellovin Birthday Attack 24 www.cnn.com is 64.236.90.21 <- Correct guess of one ID. Probable no. of hits 260*N/(2^16) =1 if N =252 Prob(hits>0)=0.63 Total packets = 512 <- Sending 260 requests for same domain, cnn.com, and N Replies with fake Auth. N.S. IP address. with random IDs DNS Hack #3: Change DNS IP configured in local cache. DOS Attack * Local DNS sends 260 queries with different IDs. *

25. Fast-Flux DNS (Botnet Distributed Phishing) Botmaster registers his DNS server, with the “ru” TLD (Top Level DNS) as the Authority for “bg4589.ru” Botnet hosts sent out email to lure victims to a Phishing Web site www.bny.com.bg4589.ru (IP 23.45.67.89 ) Problem: as soon as BNY Network Security person sees one of the emails, they do a DNS lookup (get 23.45.67.89), a “whois”, and shut the 23.45.67.89 host down. Solution: vary the IP address returned to one of a thousand botnet Web servers. Problem: BNY NetSec repeatedly does DNS lookups to get a complete list of botnet hosts. Solution: After several lookups from the same IP, have many other bots do a Distributed Denial of Service attack (DDoS) for several days against BNY NetSec. 25 DNS Hack #4: Use a Fast Flux DNS to prevent total shutdown.

26. 06a DNS.ppt 26 requesting host joe.poly.edu root DNS server local DNS server dns.poly.edu 1 2 3 4 5 6 authoritative DNS server dns.urhcked.com 7 8 TLD DNS server Fast Flux DNS URL in Phish -> One of Many bots $ nslookup www.urhckd.com. answer 78.82.245.12 r Host at poly.edu wants IP address for www.urhckd.com r Host sends a "recursion- requested" query request to dns.poly.edu. r [Host is doing a non- recursive search] r Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host. Fast Flux - many IP ’ s of bot Phishing sites. Adapted from “Computer Networking: A Top Down Approach Featuring the Internet”, by Jim Kurose & Keith Ross $ nslookup www.urhckd.com. answer 53.119.24.124 Note: the dot after "com" below is necessary to avoid getting the same cached answer from dns.poly.edu.

27. New Protocols supplement DNS and DHCP on LAN * In addition to network configuration (DHCP) and Name Resolution (DNS), it’s nice to have a list of servers available on your LAN. For example, be able to select from a list of printers. Link-Local: Rather than initially using the Network IP Address (host bits 0), randomly select one of 65,534 addresses in 169.254.x.x/16 (you don’t have to know the network address). Apple’s mDNS (UDP port 5353) is an open specification that lets a host announce a chosen Name (e.g., “Lab Printer”) in a multicast message to 224.0.0.251). Hosts running mDNS will all listen to this multicast address and add “Lab Printer” and its IP address and MAC address to the list of servers available. DNS-SD advertises Server Names and services. Microsoft’s NetBios Name Service (NBNS) is similar, but uses the Network Broadcast Address (host bits all 1). UPnP protocol Simple Service Delivery (SSDP) advertises services. The IETF is developing a similar Internet standard - Service Location Protocol (SLP). en.wikipedia.org/wiki/MDNS 2/26/10 27

28. DNSSEC – DNS Security Extensions en.wikipedia.org/wiki/DNSSEC 2/26/13 28 DNSSEC works by digitally signing records for DNS lookup using public- key cryptography. The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone which is the trusted third party. New DNS record types were created or adapted to use with DNSSEC: RRSIG, DNSKEY, DS, NSEC, NSEC3, NSEC3PARAM. When DNSSEC is used, each answer to a DNS lookup will contain an RRSIG DNS record, in addition to the record type that was requested. The RRSIG record is a digital signature of the answer DNS resource record set. The digital signature can be verified by locating the correct public key found in a DNSKEY record. Stub resolvers (host software) are "minimal DNS resolvers that use recursive query mode to offload most of the work to a recursive name server.” A validating stub resolver can also potentially perform its own signature validation by setting the Checking Disabled (CD) bit in its query messages, for end-to-end DNS security for domains implementing DNSSEC.

29. Reverse DNS Lookups en.wikipedia.org/wiki/DNSSEC 2/26/13 29 Reverse DNS Lookups (e.g., nslookup 130.207.225.101) > nslookup 130.207.225.101 101.225.207.130.in-addr.arpa name = seiya.ece.gatech.edu. The “arpa” top-level domain is now only used for reverse lookups. ARPA has been redefined as standing for “ Address and Routing Parameter Area.” For looking up a IPv4 address, the dotted-decimal text string is reversed, and the domain name “in-addr.arpa” is added. Like normal name lookups, the recursion proceeds from right to left. If the block of addresses 130.207.0.0/16 are assigned to the Autonomous System (AS) gatech.edu, then Georgia Tech (OIT) is responsible for maintaining a database for x.y.207.130 (addresses 130.207.0.0 to 130.207.255.255). The domain for IPv6 addresses is ip6.arpa.

30. dig www.ece.gatech.edu [ MX records not shown] ; > DiG 9.6-ESV-R4-P3 > www.ece.gatech.edu ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56886 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5 ;; QUESTION SECTION: ;www.ece.gatech.edu.INA ;; ANSWER SECTION: www.ece.gatech.edu.28800INA130.207.225.101 ;; AUTHORITY SECTION: ece.gatech.edu.28800INNSdns1.gatech.edu. ece.gatech.edu.28800INNSdns3.gatech.edu. ;; ADDITIONAL SECTION: dns1.gatech.edu.28800INA128.61.244.253 dns1.gatech.edu.28800INAAAA2610:148:1f00:f400::3 dns3.gatech.edu.28800INA168.24.2.35 ;; Query time: 37 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) {note: mail handlers (MTAs) not shown.} ;; WHEN: Mon Feb 25 12:50:39 2013 ;; MSG SIZE rcvd: 213 30

31. nslookup -q=ANY gatech.edu {note: use domain name only, for MX info} Server:192.168.1.1 Address:192.168.1.1#53 gatech.edu origin = brahma5.dns.gatech.edu mail addr = hostmaster.gatech.edu serial = 380555175 refresh = 10800 retry = 3600 expire = 2592000 minimum = 60 Name:gatech.edu Address: 130.207.160.29 gatech.edunameserver = dns1.gatech.edu. gatech.edunameserver = heath.dpo.uab.edu. {Backup DNS at U. Alabama} gatech.edunameserver = dns3.gatech.edu. gatech.edunameserver = dns2.gatech.edu. gatech.edumail exchanger = 10 mx1.gatech.edu. gatech.edumail exchanger = 10 mx2.gatech.edu. gatech.edutext = "MS=ms45592394" gatech.edutext = "MS=ms74949178" 31