agenda - cs.boisestate.edu
Agenda
▶ DNS Fundamentals
▶ DNS Security
▶ Summary
Basic Terminologies
▶ DNS: Domain Name System. A system designed to make computers easier to use for human beings. DNS maps domain names to IP addresses, much as a phonebook maps people's names to their phone numbers: it is easier to remember names (of people and of computers) than their numbers.
▶ DNS nameserver: A server that stores the DNS records for a domain name, such as address (A) records, name server (NS) records, and mail exchanger (MX) records, and responds to queries against its database with answers. (port 53)
▶ DNS resolver: Used to be a "local server" that stores a central database of DNS nameservers and manages DNS requests for all the clients on your network. Sometimes people also use the term for the client side of DNS, i.e., the component of your OS that is responsible for initiating the queries. Today: not necessarily local.
Basic Terminologies
▶ DNS hierarchy: An inverted tree structure used to manage the DNS database system.
▶ DNS caching: After your computer or a local DNS server obtains the query results from another DNS server, it stores the results in its cache for a certain period of time.
DNS Hierarchy
[Figure: the DNS tree. Root Domain: . (Root). Top-Level Domains (TLDs): .com .net .edu .gov .fr. Second-Level Domains: google, example.]
Top-level domain: TLD;
Generic top-level domain (gTLD);
Country code top-level domain (ccTLD);
Fully qualified domain name (FQDN); an FQDN = host name + domain name.
DNS Root Servers
https://www.iana.org/domains/root/servers
DNS Message Format
Two types of DNS messages are used in the DNS protocol: queries and replies (same format). Each message consists of a header and four sections: question, answer, authority, and additional.
[Figure 18.5: Environment setup for the experiment: User Machine 10.0.2.68, Local DNS Server 10.0.2.69, Attacker 10.0.2.70]
[Figure 18.6: DNS packet: IP Header; UDP Header; DNS Header with Transaction ID (id), Flags, Number of Question Records (qdcount), Number of Answer Records (ancount), Number of Authority Records (nscount), Number of Additional Records (arcount); DNS Data with the records qd, an, ns, ar]
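To make the header layout of Figure 18.6 concrete, here is a small parser written for these notes (it is not code from the slides or from Du's book). It decodes the six 16-bit header fields and the first question record from a constructed query for www.example.com; the id and the question are exactly what a resolver compares when deciding whether a reply belongs to a query it sent.

```python
import struct

# Constructed sample (not a capture): a query with id 0x1234 and RD set,
# asking for the A record of www.example.com.
SAMPLE_QUERY = (
    b"\x12\x34"  # Transaction ID (id)
    b"\x01\x00"  # Flags: QR=0 (query), opcode 0, RD=1
    b"\x00\x01"  # qdcount = 1
    b"\x00\x00"  # ancount = 0
    b"\x00\x00"  # nscount = 0
    b"\x00\x00"  # arcount = 0
    b"\x03www\x07example\x03com\x00"  # QNAME as length-prefixed labels
    b"\x00\x01"  # QTYPE = A
    b"\x00\x01"  # QCLASS = IN
)

def parse_header(msg):
    """Split the 12-byte DNS header into the fields shown in Figure 18.6."""
    tid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": tid,
        "qr": flags >> 15,              # 0 = query, 1 = reply
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,         # recursion desired (recursive query)
        "ra": (flags >> 7) & 1,         # recursion available
        "rcode": flags & 0xF,           # 0 = NOERROR, 3 = NXDOMAIN
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def read_name(msg, offset):
    """Decode a label sequence at offset; returns (dotted name, next offset).
    Handles the 0xC0 compression pointers that replies use to refer back
    to the question name."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            name, _ = read_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_question(msg):
    """Parse the first record of the question (qd) section after the header."""
    name, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"qname": name, "qtype": qtype, "qclass": qclass}
```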
DNS Queries
▶ Recursive queries: the DNS client requires that the DNS server respond with either the requested resource record or an error message stating that the record or domain name does not exist. The DNS server cannot simply refer the DNS client to a different DNS server. Thus, if a DNS server does not have the requested information when it receives a recursive query, it queries other servers until it gets the information, or until the name query fails.
▶ Iterative queries: the DNS client allows the DNS server to return the best answer it can give based on its cache or data. If the queried DNS server does not have an exact match for the queried name, the best information it can return is a referral.
DNS Recursive and Iterative Queries
DNS Recursive Queries
[Figure: User Machine, Local DNS Server, DNS Servers on the Internet. User Machine: "Do I know the IP address for www.example.com? If so, just use it. If not, ask the local DNS server for the answer." Local DNS Server: "Do I know the IP address for www.example.com? If so, return the answer. If not, ask the other DNS servers on the Internet for the answer."]
DNS Iterative Queries
[Figure: the Local DNS Server asks in turn the ROOT Server (Step 1. What is the IP address of www.example.net?), the .NET Server (Step 2. What is the IP address of www.example.net?), and the example.net Server (Step 3. What is the IP address of www.example.net?).]
Useful DNS Tools - dig
▶ Name resolution: dig boisestate.edu
▶ Reverse lookup: dig -x 132.178.214.91
▶ Find a domain's mail server: dig boisestate.edu MX
▶ Find a domain's authoritative name server: dig boisestate.edu NS
▶ What if you don't have dig on your computer or your mobile phone: Kloth.net
Useful DNS Tools
▶ nslookup
▶ whois
DNS Security
▶ DNS spoofing - impact: temporary
▶ DNS cache poisoning - impact: permanent (or until the TTL expires)
▶ DNS pharming - impact: permanent
▶ DNS amplification/reflection - impact: temporary
DNS Spoofing
Answering a DNS request that was intended for another server (a real DNS server).
▶ Spoofs the DNS server's answer by putting the DNS server's IP address in the packet's source-address field.
▶ Can target a client-server exchange or a server-server exchange.
DNS Cache Poison
▶ Making a DNS server cache false information.
▶ e.g., try to make the ns.defense.gov DNS server answer any query about the IP of telnetaccess.defense.gov with the IP of the hacker's computer.
▶ Affects more than one individual: it affects a large number of people.
DNS Cache Poison: Remote Attacks
▶ Local DNS attack: we assume that the attacker and the DNS server are on the same LAN, so the attacker can observe the DNS query message.
▶ When the attacker and the DNS server are not on the same LAN, the cache poisoning attack becomes much more challenging.
▶ Remote DNS attack.
DNS Pharming
▶ Change the DNS server setting on a victim’s computer.
▶ Or change the DNS server setting on the DHCP server.
▶ DHCP: Dynamic Host Configuration Protocol.
DNS Pharming - Exercise
▶ Two files in Linux: /etc/hosts and /etc/resolv.conf
▶ An attacker can change either one.
▶ Exercise: change /etc/hosts so that when you type www.cnn.com in the browser, it goes to www.fakenews.com.
▶ Exercise: change /etc/hosts so that when you type www.chase.com in the browser, it goes to cs.boisestate.edu.
▶ Take-away: Lock your screen when you leave your computer.
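An audit for the two files named above, written for these notes (not part of the slides): it parses a constructed /etc/hosts in the state the exercise leaves it in and a constructed /etc/resolv.conf, flagging hosts entries that pin a dotted Internet name to a non-loopback address and any nameserver not on an expected list. The expected nameserver 10.0.2.69 and the placeholder address 192.0.2.10 are assumptions.

```python
import ipaddress

# Constructed /etc/hosts as it might look after the slide's exercise: a public
# name is pinned to a fixed address, so DNS is never consulted for it.
# 192.0.2.10 is a documentation address standing in for the real destination.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.1.1   mybox
::1         localhost ip6-localhost ip6-loopback
192.0.2.10  www.chase.com   # added by the "attacker"
"""

# Constructed /etc/resolv.conf with an extra, unexpected nameserver.
SAMPLE_RESOLV = """\
# Generated by NetworkManager
nameserver 10.0.2.70
nameserver 10.0.2.69
"""

LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback",
               "ip6-allnodes", "ip6-allrouters"}
# Assumption: the local DNS server from the slides is the only legitimate one.
EXPECTED_NAMESERVERS = {"10.0.2.69"}

def suspicious_hosts_entries(hosts_text):
    """Return (ip, name) pairs that pin a dotted (Internet-style) name to a
    non-loopback address; a normal workstation hosts file has none."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *names = line.split()
        addr = ipaddress.ip_address(ip)
        for name in names:
            if "." in name and name not in LOCAL_NAMES and not addr.is_loopback:
                hits.append((ip, name))
    return hits

def unexpected_nameservers(resolv_text):
    """Return nameserver addresses in resolv.conf that are not on the expected list."""
    found = [line.split()[1] for line in resolv_text.splitlines()
             if line.strip().startswith("nameserver")]
    return [ns for ns in found if ns not in EXPECTED_NAMESERVERS]
```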
DNS Amplification/Reflection
A type of DoS (denial-of-service) attack.
Image source: https://blog.opendns.com/2014/03/17/dns-amplification-attacks/
DNS Amplification/Reflection
Three factors make DNS amplification/reflection possible:
▶ Forgeability of the source addresses of DNS messages.
▶ Availability of open resolvers: A DNS resolver is open if it provides recursive name resolution for clients outside of its administrative domain.
▶ Asymmetry of DNS requests and responses: "ANY requests ask the DNS resolver for ALL information that it currently knows about the domain which may include where the mail servers are (MX records), what the IP addresses are (A records) and so on. Attackers use this type of query to maximize the size of the response sent to the victim." See more at: https://blog.opendns.com/2014/03/17/dns-amplification-attacks/
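The second and third factors can be checked from a resolver's own query log. This detector was written for these notes (it is not code from the slides or from OpenDNS) and runs over constructed lines in the style of a BIND query log; it assumes the resolver is only supposed to serve the lab LAN 10.0.2.0/24 and reports ANY queries arriving from outside it.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of a BIND query log (not real traffic).
# The lab LAN from the slides is 10.0.2.0/24; the other sources are outside it.
SAMPLE_LOG = """\
client 10.0.2.68#51234 (www.example.com): query: www.example.com IN A +E(0)K
client 203.0.113.9#53 (example.org): query: example.org IN ANY +E(0)K
client 203.0.113.9#53 (example.org): query: example.org IN ANY +E(0)K
client 203.0.113.9#53 (example.org): query: example.org IN ANY +E(0)K
client 10.0.2.70#40000 (example.net): query: example.net IN MX +E(0)K
client 198.51.100.4#53 (example.com): query: example.com IN ANY +E(0)K
"""

LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+) \S+: query: (?P<name>\S+) IN (?P<qtype>\S+)")

# Assumption: the resolver is only meant to serve this network (its administrative domain).
SERVED_NETS = [ipaddress.ip_network("10.0.2.0/24")]

def is_served(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVED_NETS)

def find_reflection_candidates(log_text, min_count=2):
    """Return {source_ip: count} of ANY queries arriving from outside SERVED_NETS.

    Answering such queries means the server is acting as an open resolver. Because
    the source address can be forged, a flagged address is more likely the
    reflection victim than the attacker, so the fix is to refuse recursion for
    outside clients, not to blocklist the address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m["qtype"] == "ANY" and not is_served(m["ip"]):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= min_count}
```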
Summary
▶ DNS database: inverted tree structure.
▶ DNS queries: recursive, iterative.
▶ DNS attacks: DNS spoofing, DNS cache poisoning, DNS pharming, DNS amplification.
References
A large portion of the material is adapted from:
▶ Security Issues with DNS - SANS Institute
▶ Top Five DNS Security Attack Risks and How to Avoid Them - Infoblox
▶ What Are Domain Name System (DNS) Resolvers and How Do They Work? http://smallbusiness.chron.com/domain-name-system-dns-resolvers-work-76639.html
▶ Computer Security - A Hands-on Approach by Wenliang Du
▶ How a DNS Server (Domain Name System) works. https://www.youtube.com/watch?v=mpQZVYPuDGU
▶ 2004 VP Debate with Cheney and Edwards, 32:10 https://www.youtube.com/watch?v=WBZqRt61ZjE
▶ Dick Cheney and John Edwards Vice Presidential Debate 2004, 37:08 https://www.youtube.com/watch?v=uFgXgAJ2qoE
Backup Slides
Question
When your friend visits your house, you never tell them what DNS server(s) they should use, but they can still access the Internet using your home wifi. Why? Or: how do they know the DNS server(s)' IP address?
Your home router runs a DHCP service.
DHCP: Dynamic Host Configuration Protocol
▶ Runs on top of UDP.
▶ Uses the bootstrap protocol (BOOTP).
▶ DHCP server port: 67; client port: 68.
▶ DHCP request: source IP 0.0.0.0; destination IP 255.255.255.255.
▶ DHCP lease time: by default, 24 hours. (It can be changed; try to find the lease time in Wireshark.)
DHCP: 4-phase exchange
▶ DHCPDISCOVER: the client tries to find out what DHCP servers are available out there.
▶ DHCPOFFER: server(s) respond, just to tell the client that DHCP service is available.
▶ DHCPREQUEST: from one or more offers, the client picks one DHCP server and sends a request to that server.
▶ DHCPACK: the chosen server responds and supplies the requested information.
▶ Sometimes in Wireshark you only see a 2-phase exchange, which has only the Request and the Ack.
DHCP Security
▶ Rogue DHCP server: sends out false information, enabling attackers to perform a man-in-the-middle attack.
▶ DHCP starvation (a type of DoS attack): the attacker sends a large number of malicious DISCOVER or REQUEST packets, each using a spoofed MAC address as its source MAC address; these exhaust the DHCP server's IP address pool (the pool that holds all available IP addresses). The DHCP server then has nothing to offer legitimate clients, and clients may then resort to malicious DHCP servers.
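To tie the 4-phase exchange to the starvation attack, here is a small BOOTP/DHCP parser plus a detector, written for these notes (not code from the slides). It constructs sample messages carrying option 53 (the message type), reads back the type and client MAC, and flags a port on which an implausible number of distinct MACs send DISCOVER/REQUEST within a short window, which is the symptom a DHCP snooping switch would act on. The window and threshold values are assumptions.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that ends the BOOTP fixed part
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def build_dhcp(msg_type, mac, xid=0x3903F326):
    """Construct a minimal BOOTP/DHCP message (sample data, not a real capture)."""
    op = 2 if msg_type in (2, 5) else 1              # BOOTREQUEST from clients, BOOTREPLY from servers
    zero4 = b"\0" * 4
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0x8000,  # htype=ethernet, hlen=6, broadcast flag
                        zero4, zero4, zero4, zero4,   # ciaddr, yiaddr, siaddr, giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])   # option 53 = message type, 255 = end

def parse_dhcp(pkt):
    """Return (message type name, client MAC) from the BOOTP header and option 53."""
    hlen = pkt[2]
    chaddr = pkt[28:28 + hlen]
    if pkt[236:240] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    i, msg_type = 240, None
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                 # pad option: no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        if code == 53:
            msg_type = pkt[i + 2]
        i += 2 + length
    return MSG_TYPES.get(msg_type, "OTHER"), chaddr.hex(":")

def detect_starvation(events, window=10.0, threshold=50):
    """events: (timestamp, packet) pairs as seen on one switch port (constructed).
    Flags a burst of more than `threshold` distinct client MACs sending
    DISCOVER/REQUEST inside `window` seconds: one port should not need that
    many leases, and each distinct MAC consumes one address from the pool."""
    parsed = [(ts, parse_dhcp(pkt)) for ts, pkt in events]
    seen = [(ts, mac) for ts, (kind, mac) in parsed if kind in ("DISCOVER", "REQUEST")]
    for start, _ in seen:
        macs = {mac for ts, mac in seen if start <= ts < start + window}
        if len(macs) > threshold:
            return True
    return False
```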
DHCP Defense
▶ Port security on switches: configure the switch to specify which ports are trusted and which are not. A technology called DHCP snooping is then used: DHCP responses from a trusted port are allowed, and DHCP responses from an untrusted port are not.
ICANN
▶ Short for Internet Corporation for Assigned Names and Numbers.
▶ A California-based nonprofit, responsible for protecting "the operational stability of the Internet"; it manages the global DNS root zone.