Domain Name System (DNS)
Today & Tomorrow
Presented by: James Speirs, Charles Higby, Brady Redfearn

Overview
o History
o How It Works
o DNS Packet Structure
o DNS Features
o DNS Security Evolution, Early Days
o Current DNS Issues
o Bailiwick Defined
o BIND 9.6 Or Later
o Guilty Parties
o DNS Exploit, Dan Kaminsky
o BIND 8 Or Earlier
o Kaminsky's Results
o What Can Save Us?

History
o Pre-DNS
  o Hosts file
    o Stanford Research Institute (SRI)
    o FTP

History Continued
o 1983
  o Paul Mockapetris, Inventor
  o RFCs 882 & 883
o 1984
  o Berkeley & UNIX
o 1985
  o Kevin Dunlap, Digital Equipment Corporation (DEC)
  o Berkeley Internet Name Domain (BIND)
o 1987
  o RFCs 1034 & 1035
o 1990s
  o BIND ported to Windows NT

How It Works
o Distributed Databases
  o Local machine
    o Hosts file
      o Linux - /etc/hosts
      o Mac - /private/etc/hosts
      o Windows - %SystemRoot%\system32\drivers\etc\
    o Local cache
      o Active memory
      o Browser cache

How It Works Continued
o Distributed Databases
  o Not on local machine
    o UDP request (100 bytes)
    o ISP DNS responds
    o ISP's ISP DNS responds
    o Core DNS responds

DNS Features
o Name server responds with all sub-domains
  o microsoft.com
  o secure.microsoft.com
  o update.microsoft.com
o Compression (~3x)
o Redundancy
o Round-robin assignment
o Entry expiration (3,600 seconds)
  o 3,600 second default
  o Defined by name server
o The "big 13 root servers" always contain the main DNS entries
  o .com, .net, .tv, .info, .gov, .mil, etc.
  o http://www.isoc.org/briefings/020/zonefile.shtml
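The "Compression (~3x)" bullet refers to the RFC 1035 name-compression scheme, in which a name can end in a two-byte pointer back to an earlier copy of the same labels. A resolver that follows those pointers carelessly can be spun in a loop by a malformed reply, so the decoder below, an added example that is not part of the slides, enforces the checks a parser needs: pointers may only point backwards, the name is bounded to 255 octets, and reserved label types are rejected. The message bytes and the function names are constructed for this example.

```python
# Added example, not from the slides: decoding a DNS name that uses the
# RFC 1035 message-compression scheme, with the checks a resolver needs so
# that a malformed pointer cannot loop it forever.  The message bytes below
# are constructed for this example.
import struct
from typing import Tuple

MAX_NAME_OCTETS = 255  # RFC 1035 limit on a wire-format name


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Return (dotted name, offset just past the name as written at `offset`).

    A compression pointer (top two bits 11) may only point to a position
    earlier than the start of the label run being read, so the position
    strictly decreases with every pointer followed and a loop is impossible.
    Label lengths are at most 63 because the 01/10 prefixes are rejected.
    """
    labels = []
    end = None           # where the caller resumes; fixed by the first pointer
    name_start = offset  # start of the label run currently being read
    pos = offset
    total = 0
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past the end of the message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                  # two-octet compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= name_start:
                raise ValueError("pointer does not point backwards (loop or forward reference)")
            if end is None:
                end = pos + 2
            pos = name_start = target
            continue
        if length & 0xC0:                          # 01 and 10 label types are reserved
            raise ValueError("reserved label type")
        pos += 1
        if length == 0:                            # root label ends the name
            break
        total += length + 1
        if total > MAX_NAME_OCTETS:
            raise ValueError("name exceeds 255 octets")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) or ".", end if end is not None else pos


def is_well_formed_name(msg: bytes, offset: int) -> bool:
    """True when decode_name accepts the name at offset."""
    try:
        decode_name(msg, offset)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def build_sample_message() -> bytes:
    """Constructed message: 12-byte header, question 'www.example.com' (name at
    offset 12, so the 'example.com' labels start at offset 16), then a second
    name written as the label 'mail' plus a pointer to offset 16.  The header
    counts are nominal; the trailing name is not a complete resource record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # ID, flags, QD/AN/NS/AR
    question = b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    compressed = b"\x04mail" + struct.pack("!H", 0xC000 | 16)
    return header + question + compressed


# Constructed malformed name: 'foo' at offset 12 followed by a pointer back to 12.
LOOPED_MESSAGE = b"\x00" * 12 + b"\x03foo\xc0\x0c"

if __name__ == "__main__":
    msg = build_sample_message()
    print(decode_name(msg, 12))                    # ('www.example.com', 29)
    print(decode_name(msg, 33))                    # ('mail.example.com', 40)
    print(is_well_formed_name(LOOPED_MESSAGE, 12))  # False
```

In the sample message the second name costs 7 bytes on the wire instead of the 18 an uncompressed "mail.example.com" would need, which is where the savings the slide mentions come from; the backwards-only rule is what keeps that saving from becoming a parser hazard.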

DNS Security Evolution, Early Days
o No bad guys in 1983
o Transaction ID (TID)
  o Incremental counting integer
  o Random TID
o Port 53
  o Incoming port 53
  o Port 53 outgoing
  o Random outgoing port, Dan Bernstein

Current DNS Issues
o DNS Poisoning
  o First response wins
  o No TCP
  o Transaction IDs – 16 bits
  o Ports – 16 bits
o DNS Controllers
  o ICANN
  o US Commerce Department
  o Verisign
  o 13 core servers
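The poisoning bullets say why the two 16-bit fields matter: a forged reply only has to match the transaction ID, plus the source port when that port is randomized. The check below is an added example, not part of the slides, in the spirit of the entropy.dns-oarc.net test mentioned at the end of the deck: given the (source port, transaction ID) pairs a resolver used for a run of queries, it classifies each field as fixed, sequential or random and reports how many bits an off-path spoofer would have to guess. The observations are constructed, and the classification thresholds and the "16 bits per random field" credit are this example's own simplifications, not a measurement of real entropy.

```python
# Added example, not from the slides: a resolver self-check in the spirit of the
# entropy.dns-oarc.net test.  Observations are constructed here; in practice they
# come from an authoritative server's view of a resolver's queries.
from typing import Dict, List, Tuple

Observation = Tuple[int, int]   # (UDP source port, transaction ID) of one outgoing query


def looks_sequential(values: List[int]) -> bool:
    """True when at least 90% of consecutive deltas are +1 (a counting TID)."""
    deltas = [b - a for a, b in zip(values, values[1:])]
    return bool(deltas) and sum(d == 1 for d in deltas) >= 0.9 * len(deltas)


def classify(values: List[int]) -> str:
    """'fixed', 'sequential', 'random' or 'low-variation' for one 16-bit field."""
    distinct = len(set(values))
    if distinct == 1:
        return "fixed"
    if looks_sequential(values):
        return "sequential"
    # Heuristic (this example's choice): almost no repeats and values spread
    # over at least 2^10 of the 2^16 space.  A short sample cannot prove full
    # 16-bit randomness, only rule out the obviously predictable cases.
    if distinct >= 0.9 * len(values) and max(values) - min(values) >= 1024:
        return "random"
    return "low-variation"


def assess_resolver(observations: List[Observation]) -> Dict[str, object]:
    """Estimate the bits an off-path spoofer must guess per forged reply.

    A field classified 'random' is credited its full 16 bits (an upper bound);
    anything predictable is credited 0.  TID alone is at most 16 bits; TID plus
    a random source port is 32, which is the point of port randomization.
    """
    ports = [p for p, _ in observations]
    tids = [t for _, t in observations]
    port_class, tid_class = classify(ports), classify(tids)
    guess_bits = (16 if port_class == "random" else 0) + (16 if tid_class == "random" else 0)
    return {
        "port": port_class,
        "tid": tid_class,
        "guess_bits": guess_bits,
        "verdict": "GOOD" if guess_bits == 32 else "POOR",
    }


# Constructed: a resolver that always sends from port 53 with a counting TID.
LEGACY_RESOLVER: List[Observation] = [(53, 1000 + i) for i in range(20)]

# Constructed: a resolver with randomized source ports and transaction IDs.
PATCHED_RESOLVER: List[Observation] = list(zip(
    [7649, 31211, 52003, 12870, 60541, 20394, 44012, 5731, 38420, 57009,
     15522, 27684, 49130, 9007, 63311, 34567, 22222, 41919, 11111, 58888],
    [4523, 61007, 17, 33912, 50211, 12345, 9876, 47001, 28374, 60000,
     1023, 41410, 22810, 55555, 3141, 31337, 18000, 64000, 7777, 45678],
))

if __name__ == "__main__":
    print(assess_resolver(LEGACY_RESOLVER))    # port fixed, tid sequential, 0 bits, POOR
    print(assess_resolver(PATCHED_RESOLVER))   # port random, tid random, 32 bits, GOOD
```

A resolver that reports POOR here is one of the "guilty parties" the deck lists later: it answers from a fixed port 53, or counts its TIDs, and so gives a forged reply far fewer bits to match than the 32 it could demand.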

Bailiwick Defined
o "The neighborhood of the domain"
o Bailiwicked Domain Attack
  o In Bailiwick
    o microsoft.com
    o update.microsoft.com
    o security.microsoft.com
    o All acceptable DNS entries
  o Not in Bailiwick
    o google.com
    o yahoo.com
    o These entries are thrown away
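The bailiwick rule is a cache-side filter: a reply from microsoft.com's servers may carry extra records for names under microsoft.com, and anything else in its authority or additional section is thrown away. The code below is an added example, not part of the slides, showing that filter and the one subtlety a naive suffix match gets wrong (notmicrosoft.com is not inside microsoft.com). Records and function names are constructed. Note that this check on its own does not stop the exploit described later in the deck, which only ever injects in-bailiwick names.

```python
# Added example, not from the slides: the bailiwick rule a caching resolver
# applies before it believes anything in the authority or additional section.
# The records and the zone name are constructed; function names are this example's own.
from typing import List, Tuple

Record = Tuple[str, str, str]   # (owner name, RR type, rdata)


def normalize(name: str) -> str:
    """Case-insensitive comparison, ignoring a trailing root dot."""
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner is the zone itself or a name below it.

    The comparison is on whole labels: 'notmicrosoft.com' is NOT inside
    'microsoft.com', which a bare endswith('microsoft.com') would accept.
    """
    owner, zone = normalize(owner), normalize(zone)
    return owner == zone or owner.endswith("." + zone)


def filter_response(zone: str, records: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Split the extra records of a reply from `zone`'s servers into
    (accepted, discarded); only the accepted ones may enter the cache."""
    accepted: List[Record] = []
    discarded: List[Record] = []
    for rec in records:
        (accepted if in_bailiwick(rec[0], zone) else discarded).append(rec)
    return accepted, discarded


# Constructed additional-section records from a server answering for microsoft.com.
SAMPLE_ADDITIONAL: List[Record] = [
    ("update.microsoft.com", "A", "203.0.113.10"),
    ("security.microsoft.com", "A", "203.0.113.11"),
    ("MICROSOFT.COM.", "A", "203.0.113.12"),
    ("google.com", "A", "198.51.100.5"),
    ("yahoo.com", "A", "198.51.100.6"),
    ("notmicrosoft.com", "A", "198.51.100.7"),
]

if __name__ == "__main__":
    kept, dropped = filter_response("microsoft.com", SAMPLE_ADDITIONAL)
    print("accepted:", [r[0] for r in kept])     # the three microsoft.com names
    print("discarded:", [r[0] for r in dropped])  # google.com, yahoo.com, notmicrosoft.com
```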

BIND 9.6 Or Later
Example of current version of BIND

Guilty Parties
o Guilty Parties
  o Any DNS not randomizing ports
  o OpenWRT software
o Secure Services
  o OpenDNS
  o djbdns
  o Simple router software

DNS Exploit, Dan Kaminsky
o Cache miss at ISP
  o Find DNS IPs for example.com
    o ns1.example.com (1.1.1.1)
    o ns2.example.com (1.1.1.2)
  o Send query for a bogus machine
    o aaa.example.com
  o ISP's DNS queries example.com for the fake machine
    o Note UDP outgoing port from ISP (7649)
  o Send 100 UDP packets with random TIDs to ISP at port 7649 with your IP 1.1.1.100 as location for example.com

BIND 8 Or Earlier
Example of older versions of BIND

Kaminsky's Results
o Repeat the exploit for any domain
o In 30 seconds, you control the entire domain
o Works because
  o New IPs are in bailiwick
  o New IPs replace old ones at ISP
  o Make TTL really big
    o Maximum of 2,147,483,647 seconds
    o 68+ years
    o Never expires
  o Nothing appears wrong
    o URL bar is http://www.google.com
    o Displayed site is google.com
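Two of the "works because" points, replacing what is already cached and asking for a TTL of 2,147,483,647 seconds, are things a resolver cache can refuse on its own. The toy cache below is an added example, not part of the slides: it clamps every TTL to a cap and ranks cached data by the section it came from, so additional-section data never overwrites an unexpired entry learned from an answer (a simplified form of the RFC 2181 section 5.4.1 trust ranking). Names, addresses, TTLs and the one-week cap are constructed choices for this example. These rules limit how much a single accepted forgery can overwrite and for how long; they do not replace source port randomization, which is the fix the deck is about.

```python
# Added example, not from the slides: a toy resolver cache with a TTL cap and a
# trust rank so that lower-ranked data cannot overwrite live higher-ranked data.
# Names, addresses, TTLs and the cap are constructed for this example.
from typing import Dict, Optional

MAX_CACHE_TTL = 604_800   # one week (this example's cap); a reply may ask for 2,147,483,647
RANK = {"answer": 3, "authority": 2, "additional": 1}   # higher = more trusted (simplified)


class ResolverCache:
    def __init__(self, now: int = 0) -> None:
        self.now = now                          # clock in seconds, advanced by the caller
        self.entries: Dict[str, dict] = {}

    def insert(self, name: str, rdata: str, ttl: int, section: str) -> bool:
        """Store an A record.  Returns False when an unexpired entry of equal or
        higher rank already exists: data from a less trusted section never
        replaces it, no matter what TTL the reply asked for."""
        key = name.rstrip(".").lower()
        current = self.entries.get(key)
        if current and current["expires"] > self.now and current["rank"] >= RANK[section]:
            return False
        self.entries[key] = {
            "rdata": rdata,
            "expires": self.now + min(ttl, MAX_CACHE_TTL),   # the clamp
            "rank": RANK[section],
        }
        return True

    def lookup(self, name: str) -> Optional[str]:
        """Return the cached address, or None once the entry has expired."""
        entry = self.entries.get(name.rstrip(".").lower())
        if entry is None or entry["expires"] <= self.now:
            return None
        return entry["rdata"]


def demo() -> dict:
    """Constructed scenario: a genuine answer is cached, then a later reply's
    additional section tries to replace it for the same in-bailiwick name."""
    cache = ResolverCache(now=0)
    # Learned from the answer section of a genuine reply, 3,600 s TTL.
    cache.insert("www.example.com", "203.0.113.20", 3600, "answer")
    # Additional-section data for the same name with the maximum TTL: must not win.
    overwritten = cache.insert("www.example.com", "203.0.113.99", 2_147_483_647, "additional")
    # A never-seen name is accepted, but its TTL is clamped to the cap.
    cache.insert("aaa.example.com", "203.0.113.30", 2_147_483_647, "answer")
    return {
        "overwritten": overwritten,                                  # False
        "www": cache.lookup("www.example.com"),                      # '203.0.113.20'
        "aaa_expires": cache.entries["aaa.example.com"]["expires"],  # 604800, not 68 years
    }


if __name__ == "__main__":
    print(demo())
```

Once the genuine entry expires the cache is writable again by any section, which is exactly why the slides' "first response wins" race matters and why the port-randomization check earlier in the deck is the primary control.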

What Can Save Us?
o SSL certificates
  o Cannot be duplicated
  o Must be examined
o If available, force HTTPS
o Most sites don't support either solution
o Test your ISP
  o entropy.dns-oarc.net/test