agenda - cs.boisestate.edu

Post on 01-Jul-2022


Page 1 (1/30): Agenda

▶ DNS Fundamentals

▶ DNS Security

▶ Summary

Page 2 (2/30): Basic Terminologies

▶ DNS: Domain Name System. A system designed to make computers easier to use for human beings. DNS maps domain names to IP addresses, like a phonebook maps people’s names to their phone numbers - it’s easier to remember (people’s and computers’) names than their numbers.

▶ DNS nameserver: A server that stores the DNS records, such as address (A) records, name server (NS) records, and mail exchanger (MX) records for a domain name and responds with answers to queries against its database. (port 53)

▶ DNS resolver: Used to be a “local server” that stores a central database of DNS nameservers and manages DNS requests for all the clients on your network. Sometimes people also use it to represent the client side of DNS, i.e., a component of your OS, which is responsible for initiating the queries. Today: not necessarily local.

Page 3 (3/30): Basic Terminologies

▶ DNS hierarchy: An inverted tree structure to manage the DNS database system.

▶ DNS caching: After your computer or a local DNS server obtains the query results from another DNS server, it will store the results in its cache for a certain period of time.

Page 4 (4/30): DNS Hierarchy

Slide figure (the inverted tree), reconstructed as text:

.                                   Root Domain
|-- .com   .net   .edu   .gov   .fr   Top-Level Domains (TLDs)
     |-- google   example             Second-Level Domains

Top-level domain: TLD;

Generic top-level domain (gTLD);

Country code top-level domain (ccTLD);

Fully qualified domain name (FQDN); A FQDN = host name + domain name.

Page 5 (5/30): DNS Root Servers

https://www.iana.org/domains/root/servers

Page 6 (6/30): DNS Message Format

Two types of DNS messages are used in the DNS protocol: queries and replies (same format). Each message consists of a header and four sections: question, answer, authority, and additional.

Figure 18.5: Environment setup for the experiment (slide figure, reconstructed): User Machine 10.0.2.68, Local DNS Server 10.0.2.69, Attacker 10.0.2.70.

Figure 18.6: DNS packet (slide figure, reconstructed as a layout):

IP Header
UDP Header
DNS Header: Transaction ID (id), Flags, Number of Question Records (qdcount), Number of Answer Records (ancount), Number of Authority Records (nscount), Number of Additional Records (arcount)
DNS Data: Records qd, an, ns, ar

Page 7 (7/30): DNS Queries

▶ Recursive queries: the DNS client requires that the DNS server respond to the client with either the requested resource record or an error message stating that the record or domain name does not exist. The DNS server cannot just refer the DNS client to a different DNS server. Thus, if a DNS server does not have the requested information when it receives a recursive query, it queries other servers until it gets the information, or until the name query fails.

▶ Iterative queries: when a DNS client allows the DNS server to return the best answer it can give based on its cache or data. If the queried DNS server does not have an exact match for the queried name, the best possible information it can return is a referral.
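Worked example, added here and not part of the slides or the referenced textbook: it builds a query with the Recursion Desired flag set or cleared (the recursive vs. iterative distinction on this slide) and parses a constructed reply using the header and sections from the DNS Message Format slide. The transaction id, the reply bytes and the address 93.184.216.34 are constructed sample data, not captured traffic.

```python
import struct
# Added example, not from the slides: build a DNS query and parse a reply using the
# header/question/answer layout above. Sample bytes are constructed, not captured.
def encode_name(name):
    """Encode "www.example.com" as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(txid, name, qtype=1, rd=True):
    """Header (id, flags, qdcount, ancount, nscount, arcount) + one question; rd=True sets Recursion Desired (recursive query), rd=False asks for an iterative answer."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def read_name(msg, off):
    """Decode a name at msg[off:], following 0xC0xx compression pointers."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # pointer to an earlier name
            end = end or off + 2                     # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            return ".".join(labels), end or off + 1
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode())
            off += 1 + ln

def parse_message(msg):
    """Return header fields plus the question and answer sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "qr": flags >> 15, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
           "rcode": flags & 0xF, "counts": (qd, an, ns, ar), "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        out["questions"].append((name, struct.unpack("!HH", msg[off:off + 4])[0]))
        off += 4
    for _ in range(an):                              # authority/additional use the same layout
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1:                               # A record: 4 bytes -> dotted IPv4
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append((name, rtype, ttl, rdata))
    return out

# Constructed reply: same id, flags QR|RD|RA = 0x8180, one A answer whose owner name is the pointer 0xC00C back to the question name at offset 12.
SAMPLE_QUERY = build_query(0x1A2B, "www.example.com")
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + SAMPLE_QUERY[12:]
                + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
```

Comparing len(SAMPLE_REPLY) with len(SAMPLE_QUERY) also shows the request/response size asymmetry that the amplification slide later relies on.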

Page 8 (8/30): DNS Recursive and Iterative Queries

Page 9 (9/30): DNS Recursive Queries

Slide figure (User Machine, Local DNS Server, DNS Servers on the Internet), reconstructed as steps:

User Machine: Do I know the IP address for www.example.com? If so, just use it. If not, ask the local DNS server for the answer.

Local DNS Server: Do I know the IP address for www.example.com? If so, return the answer. If not, ask the other DNS servers on the Internet for the answer.

Page 10 (10/30): DNS Iterative Queries

Slide figure (Local DNS Server querying the ROOT Server, the .NET Server and the example.net Server in turn), reconstructed:

Step 1. Local DNS Server to ROOT Server: What is the IP address of www.example.net?

Step 2. Local DNS Server to .NET Server: What is the IP address of www.example.net?

Step 3. Local DNS Server to example.net Server: What is the IP address of www.example.net?

Page 11 (11/30): Useful DNS Tools - dig

▶ Name resolution: dig boisestate.edu

▶ Reverse lookup: dig -x 132.178.214.91

▶ Find a domain’s mail server: dig boisestate.edu MX

▶ Find a domain’s authoritative name server: dig boisestate.edu NS

▶ What if you don’t have dig on your computer or your mobile phone: Kloth.net

Page 12 (12/30): Useful DNS Tools

▶ nslookup

▶ whois

Page 13 (13/30): DNS Security

▶ DNS spoofing - impact: temporary

▶ DNS cache poisoning - impact: permanent (or until the TTL expires)

▶ DNS pharming - impact: permanent

▶ DNS amplification/reflection - impact: temporary

Page 14 (14/30): DNS Spoofing

Answering a DNS request that was intended for another server (a real DNS server).

▶ Spoofs the DNS server’s answer by answering with the DNS server’s IP address in the packet’s source-address field

▶ Can occur in a client-server exchange or a server-server exchange.

Page 15 (15/30): DNS Cache Poison

▶ Making a DNS server cache false information

▶ e.g., try to make the ns.defense.gov DNS server answer with the IP of the hacker’s computer to any query about the IP of telnetaccess.defense.gov.

▶ Affects more than one individual - affects a large number of people.

Page 16 (16/30): DNS Cache Poison: Remote Attacks

▶ Local DNS attack: we assume that the attacker and the DNS server are on the same LAN. The attacker can observe the DNS query message.

▶ When the attacker and the DNS server are not on the same LAN, the cache poisoning attack becomes much more challenging.

▶ Remote DNS attack.

Page 17 (17/30): DNS Pharming

▶ Change the DNS server setting on a victim’s computer.

▶ Or change the DNS server setting on the DHCP server.

▶ DHCP: Dynamic Host Configuration Protocol.

Page 18 (18/30): DNS Pharming - Exercise

▶ Two files in Linux: /etc/hosts and /etc/resolv.conf

▶ Attacker can change either one.

▶ Exercise: change /etc/hosts, so that when typing www.cnn.com in the browser, it goes to www.fakenews.com.

▶ Exercise: change /etc/hosts, so that when typing www.chase.com in the browser, it goes to cs.boisestate.edu.

▶ Take-away: Lock your screen when you leave your computer.
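The defender's counterpart to this exercise, added here and not part of the slides: an integrity check over the two files named above that flags hostnames pinned in /etc/hosts (watchlisted names, or any dotted name mapped to a non-loopback address) and nameserver entries in /etc/resolv.conf that are not the expected ones. The watchlist, the expected resolver 10.0.2.1 and both sample file contents are assumed/constructed.

```python
import ipaddress
import re

# Added example, not from the slides: a defender-side integrity check of the two files
# named above. File contents and the lists below are constructed/assumed.
WATCHLIST = {"www.cnn.com", "www.chase.com"}      # names that must never be pinned locally
EXPECTED_RESOLVERS = {"10.0.2.1"}                  # resolvers handed out by your own DHCP

def parse_hosts(text):
    """Yield (ip, hostname) for every mapping in /etc/hosts-style text."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # strip comments and blanks
        if line:
            ip, *names = line.split()
            for name in names:
                yield ip, name.lower()

def suspicious_hosts_entries(text):
    """Flag watchlisted names and any non-loopback pin of a dotted (public-looking) name."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in WATCHLIST:
            findings.append(f"{name} pinned to {ip} (watchlisted name)")
        elif "." in name and not ipaddress.ip_address(ip).is_loopback:
            findings.append(f"{name} pinned to {ip} (non-loopback override)")
    return findings

def unexpected_resolvers(text):
    """Return nameserver entries in resolv.conf-style text that are not expected."""
    found = re.findall(r"^\s*nameserver\s+(\S+)", text, re.MULTILINE)
    return [ns for ns in found if ns not in EXPECTED_RESOLVERS]

SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.2.70   www.chase.com    # constructed pharming entry
"""
SAMPLE_RESOLV = "nameserver 10.0.2.1\nnameserver 10.0.2.70\n"  # second line is constructed
```

On a real machine, read the two files with open("/etc/hosts").read() and open("/etc/resolv.conf").read() and pass the text to the two check functions.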

Page 19 (19/30): DNS Amplification/Reflection

A type of DoS attack

Image sources: https://blog.opendns.com/2014/03/17/dns-amplification-attacks/

Page 20 (20/30): DNS Amplification/Reflection

Three factors that make DNS amplification/reflection possible:

▶ Forgeability of source addresses of DNS messages.

▶ Availability of open resolvers: A DNS resolver is open if it provides recursive name resolution for clients outside of its administrative domain.

▶ Asymmetry of DNS requests and responses: “ANY requests ask the DNS resolver for ALL information that it currently knows about the domain which may include where the mail servers are (MX records), what the IP addresses are (A records) and so on. Attackers use this type of query to maximize the size of the response sent to the victim.” See more at: https://blog.opendns.com/2014/03/17/dns-amplification-attacks/

Page 21 (21/30): Summary

▶ DNS database: inverted tree structure.

▶ DNS queries: recursive, iterative.

▶ DNS attacks: DNS spoofing, DNS cache poison, DNS pharming, DNS amplification.

Page 22 (22/30): References

A large portion of the material is adapted from:

▶ Security Issues with DNS - SANS Institute

▶ Top Five DNS Security Attack Risks and How to Avoid Them - Infoblox

▶ What Are Domain Name System (DNS) Resolvers and How Do They Work? http://smallbusiness.chron.com/domain-name-system-dns-resolvers-work-76639.html

▶ Computer Security - A Hands-on Approach by Wenliang Du

Page 23 (23/30): References

▶ How a DNS Server (Domain Name System) works. https://www.youtube.com/watch?v=mpQZVYPuDGU

▶ 2004 VP Debate with Cheney and Edwards, 32:10 https://www.youtube.com/watch?v=WBZqRt61ZjE

▶ Dick Cheney and John Edwards Vice Presidential Debate 2004, 37:08 https://www.youtube.com/watch?v=uFgXgAJ2qoE

Page 24 (24/30): Backup Slides

Page 25 (25/30): Question

When your friend visits your house, you never tell them what DNS server(s) they should use, but they still can access the Internet using your home wifi. Why? Or how do they know the DNS server(s)’ IP address?

Your home router runs a DHCP service.

Page 27 (26/30): DHCP: Dynamic Host Configuration Protocol

▶ on top of UDP

▶ Uses bootstrap protocol (BOOTP)

▶ DHCP server port: 67, client port 68.

▶ DHCP request: source IP: 0.0.0.0; destination IP: 255.255.255.255.

▶ DHCP lease time: by default, 24 hours. (Can be changed. Try to find the lease time in Wireshark.)

Page 28 (27/30): DHCP: 4-phase exchange

▶ DHCPDISCOVER: the client tries to find out what DHCP servers are available out there.

▶ DHCPOFFER: server(s) respond - just to tell the client that DHCP service is available.

▶ DHCPREQUEST: from one or multiple offers, the client picks one DHCP server and sends a request to that server.

▶ DHCPACK: the chosen server responds and supplies the requested information.

▶ Sometimes in Wireshark you only see the 2-phase exchange, which only has Request and Ack.

Page 29 (28/30): DHCP Security

▶ Rogue DHCP server: sends out false information, enables attackers to perform a man-in-the-middle attack.

▶ DHCP starvation (a type of DoS attack): the attacker sends a large number of malicious DISCOVER or REQUEST packets using spoofed MAC addresses as the source MAC address for each request; these will exhaust the DHCP server’s IP address pool, the pool that stores all available IP addresses. The DHCP server will then have nothing to offer legitimate clients, and clients may then resort to malicious DHCP servers.

Page 30 (29/30): DHCP Defense

▶ Port security on switches: configure the switch so as to specify which port is trusted and which is not. A technology called DHCP snooping is then used: DHCP responses from the trusted port are allowed, DHCP responses from untrusted ports are not allowed.
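Detection logic for the two attacks on the previous slide, added here and not part of the slides: a software analogue of the trusted-port idea that flags DHCPOFFER/DHCPACK messages from any server not in a trusted set (rogue server), and a sliding-window count of distinct client MAC addresses sending DISCOVER/REQUEST that rises far above what one LAN segment produces (starvation). The trusted server 192.168.1.1, the thresholds and the event records are assumed/constructed.

```python
# Added example, not from the slides: detection logic for the rogue DHCP server and
# DHCP starvation attacks on the previous slide, run over constructed DHCP event records.
# Each record is (seconds, message_type, client_mac, server_ip_or_None).
TRUSTED_SERVERS = {"192.168.1.1"}   # assumed: the only legitimate DHCP server (trusted port)
STARVATION_WINDOW = 10.0            # seconds; assumed thresholds, tune for your network
STARVATION_MACS = 50                # distinct client MACs within one window

def rogue_servers(events):
    """Server IPs that sent DHCPOFFER/DHCPACK but are not trusted."""
    return sorted({srv for _, mtype, _, srv in events
                   if mtype in ("DHCPOFFER", "DHCPACK") and srv not in TRUSTED_SERVERS})

def peak_discover_sources(events, window=STARVATION_WINDOW):
    """Largest number of distinct client MACs sending DISCOVER/REQUEST inside any window."""
    reqs = sorted((t, mac) for t, mtype, mac, _ in events
                  if mtype in ("DHCPDISCOVER", "DHCPREQUEST"))
    peak, lo = 0, 0
    for hi in range(len(reqs)):
        while reqs[hi][0] - reqs[lo][0] > window:   # slide the window's left edge
            lo += 1
        peak = max(peak, len({mac for _, mac in reqs[lo:hi + 1]}))
    return peak

def starvation_suspected(events):
    """True when one window shows more new clients than a real LAN segment would."""
    return peak_discover_sources(events) >= STARVATION_MACS

# Constructed events: one normal 4-phase exchange, one offer from a rogue server,
# then a burst of DISCOVERs from 60 spoofed MAC addresses.
SAMPLE_EVENTS = [
    (0.0, "DHCPDISCOVER", "aa:bb:cc:00:00:01", None),
    (0.1, "DHCPOFFER",    "aa:bb:cc:00:00:01", "192.168.1.1"),
    (0.2, "DHCPOFFER",    "aa:bb:cc:00:00:01", "192.168.1.77"),   # rogue
    (0.3, "DHCPREQUEST",  "aa:bb:cc:00:00:01", "192.168.1.1"),
    (0.4, "DHCPACK",      "aa:bb:cc:00:00:01", "192.168.1.1"),
] + [(100 + i * 0.1, "DHCPDISCOVER", f"02:00:00:00:00:{i:02x}", None) for i in range(60)]
```

In practice the records would come from a DHCP server log or a Wireshark capture filtered on UDP ports 67/68.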

Page 31 (30/30): ICANN

▶ Short for Internet Corporation for Assigned Names and Numbers

▶ A California-based nonprofit, responsible for protecting “the operational stability of the Internet,” that manages the global DNS root zone.