Himani Singh
DNS Name Server and Protocol and Attacks
Agenda
 DNS introduction
 Types of DNS servers
 DNS protocols
 DNS attacks
DNS Intro
 Domain Name System
 DNS is a naming system that maps an “easily
remembered name” to a routable IP address for any
resource (host or service) that is connected to the Internet.
Example:
Name: google.com
Addresses: 2607:f8b0:4005:802::1005
74.125.239.135, 74.125.239.137
 Example implementations
 Berkeley Internet Name Domain (BIND)
 Microsoft DNS Server (Windows NT 4.0, Server 2003 and 2008)
 RFCs 882, 883, 1034 and 1035
The Domain Name System’s architecture is a database
and a set of protocols.
 The database
 Contains the data for any resource (or service), including
host names and domain names.
 Is hierarchical
 Is distributed over multiple servers.
 The protocol defines the mechanisms for
 Querying the database
 Updating the database
 Replicating the information among the servers so that they keep
identical records
DNS Intro
DNS Database
 The hierarchical database is like a tree where
each level can be either a branch or a leaf
 A leaf is information about a host/service
 A branch is a domain namespace. Domain names
consist of labels,
e.g., mail.fortinet.com
 DNS resource information is stored in the database in
the form of Resource Records (RRs)
 All RRs have a predefined format
 There are many record types
 FQDN
 A fully qualified domain name (FQDN) identifies a host's
position within the DNS tree by specifying its full name,
e.g., support.fortinet.com (the host part of the URL support.fortinet.com/home.aspx)
DNS’s Database Structure
 Second-level domain
 Individual or organization name for use on the Internet.
 Example: fortinet.com, where Fortinet is the organization name.
 Subdomain:
 An additional name an organization can create to divide
its domain into departments, locations, etc.,
e.g., cs.yale.edu or support.fortinet.com
 Host or resource name:
 Identifies a specific resource or service.
At least one IP address is associated with it, e.g.
Name: mail.fortinet.com
Address: 208.91.113.80
DNS’s Database Structure
 Root:
 Top of the tree, indicated by the dot “.”, e.g.
http://www.fortinet.com.
 Top-level domain:
 Fixed length, except for country codes.
 Type of organization, country, or place:
• com Commercial organizations
• edu Educational
• org Non-profit organizations
• net Networks (the backbone of the Internet)
• gov Government (non-military)
• mil Military (government)
• arpa Reverse DNS
• “xx” Country codes like us, au, ca
http://csis.pace.edu/~marchese/CS865/Lectures/Chap5/Chapter5a.htm
Resource Record fields
https://www.ietf.org/rfc/rfc1035.txt
Name      Name of the node (owner name)
Type      RR type, 2 octets
Class     RR class, 2 octets
TTL       Time to live, 32-bit integer: the interval for which the RR may be
          cached before it must be fetched again from the source (primary) server
RDLENGTH  Length in octets of the RDATA field, 2 octets
RDATA     Variable-length field that describes the resource, e.g. the IP
          address for address records, or priority and hostname for MX records
Resource Record types (most used)
Type   Value  Class          Description and data
A      1      Internet (IN)  Host address: owner name -> IPv4 address
                             e.g. F11 IN A 10.1.1.11
NS     2      Internet (IN)  Authoritative name server: owner name -> name server DNS name
                             e.g. NS SRI-NIC.ARPA.
CNAME  5      Internet (IN)  Canonical name for an alias: owner name (alias) -> canonical name.
                             The DNS lookup continues by retrying the lookup with the new name.
                             e.g. ftp.fortinet.com. IN CNAME ftp1.fortinet.com.
SOA    6      Internet (IN)  Start of a zone of authority; required in every zone file.
                             Primary name server, e-mail address of the person responsible
                             for the domain (owner name), refresh interval, retry interval,
                             expire time, minimum TTL
WKS    11     Internet (IN)  Well-known service description
PTR    12     Internet (IN)  Domain name pointer: contains a textual name. Bound to names built
                             from numerical IP addresses and used for reverse mapping from an
                             IP address to a textual name
                             e.g. 73.0.0.26.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
MX     15     Internet (IN)  Mail exchange: owner name -> mail exchange server DNS name,
                             the FQDN of a host that will accept SMTP mail
                             e.g. SRI-NIC.ARPA. MX 0 SRI-NIC.ARPA.
TXT    16     Internet (IN)  Text string: originally free text, but now this record more often
                             carries machine-readable data
AAAA   28     Internet (IN)  IPv6 address record
Resource Records Description
 SOA resource records
 Every zone contains a Start of Authority RR at the beginning of
the zone.
 This record contains information about the
 Owner
 Minimum TTL
 Class and type
 Retry time a secondary server will wait before retrying
 Authoritative server (primary server), serial number (update counter),
refresh, administrator, expiry and more
Example
noam.reskit.com. IN SOA (
    noamdc1.noam.reskit.com.        ; authoritative server for the zone
    administrator.noam.reskit.com.  ; zone admin e-mail
                                    ; (responsible person)
    5099                            ; serial number
    3600                            ; refresh (1 hour)
    600                             ; retry (10 mins)
    86400                           ; expire (1 day)
    60 )                            ; minimum TTL (1 min)
http://www.zytrax.com/books/dns/ch6/mydomain.html
Resource Records for Windows 2008 DNS
Reverse lookup
 A reverse lookup is a DNS query for the domain name when the IP address is known, e.g.
4.0.10.18.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
DNS Zone and zone file
The DNS scheme allows a namespace to be split into multiple
zones (which may still be kept on the same server). Splitting into zones
helps
 Performance
 Delegating management to departments
 Those zones store information about DNS domains (or
subdomains)
 A zone stores information about all names that end with
the zone root domain name in a file called the “zone file”
 A zone file contains multiple Resource Records; the first
record is the Start of Authority (SOA)
 The SOA names the primary DNS nameserver
 A zone file may contain other zone information if added
.               IN SOA  SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
                        870611      ; serial
                        1800        ; refresh every 30 min
                        300         ; retry every 5 min
                        604800      ; expire after a week
                        86400 )     ; minimum of a day
                NS      A.ISI.EDU.
                NS      C.ISI.EDU.
                NS      SRI-NIC.ARPA.
MIL.            86400   NS      SRI-NIC.ARPA.
                86400   NS      A.ISI.EDU.
EDU.            86400   NS      SRI-NIC.ARPA.
                86400   NS      C.ISI.EDU.
SRI-NIC.ARPA.   A       26.0.0.73
                A       10.0.0.51
                MX      0 SRI-NIC.ARPA.
                HINFO   DEC-2060 TOPS20
ACC.ARPA.       A       26.6.0.65
                HINFO   PDP-11/70 UNIX
                MX      10 ACC.ARPA.
USC-ISIC.ARPA.  CNAME   C.ISI.EDU.
73.0.0.26.IN-ADDR.ARPA.   PTR  SRI-NIC.ARPA.
65.0.6.26.IN-ADDR.ARPA.   PTR  ACC.ARPA.
51.0.0.10.IN-ADDR.ARPA.   PTR  SRI-NIC.ARPA.
52.0.0.10.IN-ADDR.ARPA.   PTR  C.ISI.EDU.
103.0.3.26.IN-ADDR.ARPA.  PTR  A.ISI.EDU.
A.ISI.EDU.      86400   A       26.3.0.103
C.ISI.EDU.      86400   A       10.0.0.52
Zone file example (a root zone, as in the RFC 1034/1035 examples; the owner of the SOA is the zone origin ".")
Zone transfer
 Zone transfer is achieved by copying the zone file
from one DNS server to a second DNS server
 There are two types of zone file replication:
 Full zone transfer (AXFR) replicates the entire zone
file.
 Incremental zone transfer (IXFR) replicates only the
records that have been modified.
DNS zone example.com (figure, redrawn as a tree)
example.com
  NorthA.example.com
    Sale.NorthA.example.com
  Asia.example.com
    East.asia.example.com
    west.asia.example.com
Authoritative, Non-Authoritative and Caching
Authoritative DNS
 Is the authoritative source for all name queries/requests made for the zone; the records
were configured at the original source. The same DNS server can be
primary for one zone and secondary for another.
 A secondary server can also respond authoritatively, which allows load
balancing.
Non-Authoritative
 This is not a delegated server for the zone, but it holds record information
obtained from other servers.
 It can’t respond to requests in an authoritative manner.
Caching
 If a DNS server receives a request for a record that it does not have, it performs a
recursive query to get the information.
 The server holds this information locally in temporary storage called the cache.
 The data is only served while its time-to-live (TTL) is > 0.
 A caching server can respond as 'authoritative' if the data came from the zone master;
otherwise the response is non-authoritative.
DNS server types
 Root name server:
 This is a top-level server; it provides the information for the top level. The list of
root servers is at http://www.root-servers.org/
 Primary server (or master)
 When a domain name is registered with a registrar, the addresses
of a primary and at least one secondary server are required.
 A primary server’s zone file is updated from a local source, whereas a
secondary (slave) gets its data from an external source (either a master or from the network). That is,
the master DNS server is the authoritative server for one or more zones.
 A zone can have any number of masters; the only condition is that the zone files
be kept synchronized.
 In the case of multiple masters, one server is the primary master.
 A master responds to queries with the AA bit set if it is the authoritative server for that
zone.
 Delegation: "I know the zone you are asking for, I know how to find it." When a
nameserver doesn't have the contents of a zone but knows how to find the owner, it is
said to delegate service of that zone to another nameserver.
Primary and Secondary server (figure)
The primary server, with its zone file, handles requests/responses; the secondary server
keeps its own copy of the zone file and updates it from the primary based on the
SOA serial number.
DNS server types
 Secondary (or slave)
 A read-only copy of the primary zone
 It gets zone data using the zone transfer operation
 Provides load balancing and fault tolerance
 Responds as authoritative for all the zones it is defined as
slave for, as well as those it is defined as authoritative for
 Record refresh
 Slaves refresh their zone records when the expiry time is reached
 If it can’t reach the primary server before the expiry time, it will not
respond to queries.
 A zone change is propagated to all the servers with NS
records in the zone file.
 The BIND implementation named it slave; it was later
called secondary.
DNS server types
 A slave can act as master
 If the slave is public-facing, the real master can be
hidden.
 To provide resilience, two such servers are needed. In that case
one slave gets zone information from the real master and the other
can get it from the pretend master.
 Stub
 A read-only copy of the primary zone that contains only the resource
records that identify the DNS servers that are authoritative for a DNS
domain name
 Forwarding DNS
 A forwarding, proxy, client or remote server simply forwards
requests to another DNS server.
 It does keep a cache and responds fast.
 Useful in slow networks.
DNS Protocol
 Protocol
 Mostly UDP, also TCP; port 53
 Request/response system
 Response in one message
 Types of messages
 Queries
 Responses
 Updates
Query
A query can be sent by
 A client to a DNS server
 One server to another
There are two types of DNS queries:
 Recursive
 Mostly DNS clients make this kind of query. The DNS server
can respond with local information or make a request to
another server.
 Iterative
 The server responds with the best local information, either from local zone
files or from the cache.
 If the DNS server is not authoritative for that name, this
response is called a referral.
Query
 When a DNS server receives a query for a
resource, it sends a response as follows
 If it is master for that zone, it answers
 If it is a slave that has the record (or a cached copy) that is not
expired, it answers
 If it is neither master nor slave, it acts as
configured
 If caching and recursive queries are allowed, the server
responds with an answer or an error.
 If caching and iterative queries are allowed, the server
responds with an answer or an error.
 If caching is not allowed, the server returns a referral or
an error.
DNS recursive query example (figure, redrawn as steps)
Resolver -> ISP local recursive name server (recursion desired = 1): recursive query.
ISP recursive server -> "." name server, com name server, authoritative server: iterative queries.
1. The ISP's nameserver knows that it's not authoritative
for abc.com, so it can't look it up in its local zone database.
It also doesn't find the name in its cache of recently-seen
data.
2. It asks a "." (root) name server for the IP of www.abc.com.
3. Referral to the next server who may know.
4. It asks the com name server for the IP of www.abc.com.
5. Still does not know; referral to one of the authoritative servers.
6. It asks the authoritative server for the IP of www.abc.com.
7. IP is 1.2.3.4.
8. The recursive server adds this to its own cache and returns it to the resolver.
The answer is non-authoritative.
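The walk above, as an added example that is not part of the original slides: a toy namespace of three in-memory "servers" (root, com, abc.com) with constructed addresses from the 198.51.100.0/24 documentation range, an iterative ask() that returns either an answer or a referral, and a recursive server that follows referrals on the stub resolver's behalf and caches the result for its TTL. Only www.abc.com -> 1.2.3.4 comes from the slide; the TTL of 300 seconds is assumed.

```python
# Added example (not from the slides): a toy iterative resolution walk with a
# recursive server cache in front of it. The servers, addresses and TTLs are
# constructed for illustration; only www.abc.com -> 1.2.3.4 comes from the slide.

# Constructed namespace: each "server" is keyed by a constructed IP and knows
# either final records for its own zone or delegations (NS + glue) below it.
SERVERS = {
    "198.51.100.1": {"zone": ".", "delegations": {"com.": "198.51.100.2"}, "records": {}},
    "198.51.100.2": {"zone": "com.", "delegations": {"abc.com.": "198.51.100.3"}, "records": {}},
    "198.51.100.3": {"zone": "abc.com.", "delegations": {},
                     "records": {"www.abc.com.": ("1.2.3.4", 300)}},
}
ROOT_SERVER = "198.51.100.1"


def ask(server_ip, qname):
    """One iterative (non-recursive) query to a single server.

    Returns ("answer", ip, ttl) when the server is authoritative and has the record,
    ("referral", next_server_ip) when it can only delegate, or ("nxdomain",) otherwise.
    """
    server = SERVERS[server_ip]
    if qname in server["records"]:
        ip, ttl = server["records"][qname]
        return ("answer", ip, ttl)
    # Pick the longest (most specific) delegation whose zone contains qname.
    best = None
    for zone, ns_ip in server["delegations"].items():
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best[0]):
                best = (zone, ns_ip)
    if best is not None:
        return ("referral", best[1])
    return ("nxdomain",)


class RecursiveServer:
    """The ISP's recursive name server: it takes a recursive query from a stub
    resolver, walks the tree iteratively on its behalf, and caches what it learns."""

    def __init__(self):
        self.cache = {}  # qname -> (ip, expires_at)

    def resolve(self, qname, now):
        """Returns (ip, trace). trace lists the servers asked, or ["cache"] on a hit."""
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0], ["cache"]          # non-authoritative answer from cache
        trace = []
        server_ip = ROOT_SERVER
        for _ in range(16):                  # bound the number of referrals followed
            trace.append(server_ip)
            reply = ask(server_ip, qname)
            if reply[0] == "answer":
                _, ip, ttl = reply
                self.cache[qname] = (ip, now + ttl)   # step 8 on the slide
                return ip, trace
            if reply[0] == "referral":
                server_ip = reply[1]         # steps 3 and 5: "ask this server instead"
                continue
            return None, trace               # name does not exist
        raise RuntimeError("too many referrals")


if __name__ == "__main__":
    r = RecursiveServer()
    print(r.resolve("www.abc.com.", now=0))     # walks root -> com -> abc.com
    print(r.resolve("www.abc.com.", now=100))   # answered from cache
    print(r.resolve("www.abc.com.", now=400))   # TTL 300 expired: walks again
```

The trace makes the two query types visible: the stub's single recursive question is answered by the recursive server, which itself only ever sends iterative questions and follows referrals until an authoritative server answers. The cache entry is what later poisoning attacks on this deck target, which is why its lifetime is bounded by the TTL rather than kept indefinitely.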
DNS protocol (message format)
Header (12 bytes)
Question (variable)
Answer (variable)
Authority (variable)
Additional (variable)
Questions are Name, Type, Class.
Answers are RRs that match the Name, Type, Class. If there are multiple RRs
with the same labels, there can be multiple answers.
Authority: RRs pointing toward an authority.
Additional: RRs that can be useful to the client.
Header and query answer
 Name (variable)
Name of the object: domain or zone. All information is associated
with this name.
 Type (2 bytes)
Code value specifying the type of resource record.
 Class (2 bytes)
Class of the resource record.
 Time to Live (4 bytes)
Number of seconds that the record should be retained in the cache.
 RDLength (2 bytes)
Indicates the size of the RData field, in bytes.
 Resource Data (variable)
Data portion of the resource record.
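The header, question and RR layouts just listed, as an added example that is not code from the slides: a minimal RFC 1035 wire-format encoder and decoder in Python using only the standard library. It builds a query, parses the 12-byte header into its flag bits, and decodes the question and RR sections including the 0xC0xx name-compression pointers that real responses use. The sample response it parses is constructed here (query ID 0x1234, a single A record pointing at 192.0.2.10, an address from the documentation range).

```python
import struct

# Added example, not code from the slides: minimal RFC 1035 wire-format
# encoder/decoder for the header, question section and A/CNAME RRs.
TYPE_A, TYPE_CNAME, CLASS_IN = 1, 5, 1


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, name, qtype=TYPE_A, rd=True):
    """12-byte header (QDCOUNT=1) followed by one question entry."""
    flags = 0x0100 if rd else 0          # RD bit: ask for recursion
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, offset):
    """Decode a name, following 0xC0xx compression pointers; returns (name, end)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:        # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2         # the caller continues after the pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_message(msg):
    """Split a message into header fields, questions and the three RR sections."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    header = {"id": qid, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1,
              "rd": flags >> 8 & 1, "ra": flags >> 7 & 1, "rcode": flags & 0xF}
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    sections = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, offset = decode_name(msg, offset)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rdata = msg[offset:offset + rdlen]
            if rtype == TYPE_A and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            elif rtype == TYPE_CNAME:
                rdata, _ = decode_name(msg, offset)
            offset += rdlen
            rrs.append((name, rtype, rclass, ttl, rdata))
        sections[sec] = rrs
    return header, questions, sections


def build_sample_response():
    """Constructed response to build_query(0x1234, "www.example.com"): flags
    QR|RD|RA, one A answer whose owner name is a pointer (0xC00C) to offset 12."""
    question = build_query(0x1234, "www.example.com")[12:]
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = (struct.pack("!H", 0xC00C)
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
              + bytes([192, 0, 2, 10]))   # 192.0.2.0/24 is reserved for documentation
    return header + question + answer


if __name__ == "__main__":
    print(parse_message(build_sample_response()))
```

Two details matter for the attacks later in the deck: the query ID is a single 16-bit field at offset 0, and a resolver matching a response to its pending query has only that ID, the question section and the UDP port to go on. The hop limit in decode_name() is the kind of check a parser needs so that a malformed packet with a pointer loop cannot hang the server.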
DNS response capture
DNS update message
 The DNS update message format uses a header
defining the update operation to be performed
and a resource record set that contains the
update.
DNS request capture from Wireshark (DNS request and response; DNS answer)
DNS Security Extensions
 DNSSEC adds four new resource record types:
 Resource Record Signature (RRSIG)
 DNS Public Key (DNSKEY)
 Delegation Signer (DS)
 Next Secure (NSEC) (please see RFC 4034)
 Two new DNS header flags
 Checking Disabled (CD)
 Authenticated Data (AD)
 To support DNSSEC
 Support for the DNSSEC OK (DO) EDNS header bit, so a resolver
can indicate support for DNSSEC RRs.
 DNSSEC also requires EDNS0 support (RFC 2671); by adding
DNSSEC RRs, the message size can be larger than 512 bytes.
 Potential for amplified DDoS attacks
DNS Security Extensions
 DNSSEC adds security to the Domain Name
System.
 DNSSEC was created to protect DNS against
Internet attacks like DNS cache poisoning
 It is a set of extensions to DNS and provides
 Origin authentication of DNS data
 Data integrity (not privacy)
 Authenticated denial of existence
DNS attacks
 DNS DDoS attacks
 The percentage of DNS attacks (72%) is a little less than
HTTP (82%)
 DNS attacks include
 DNS cache poisoning attack
 The attacker injects malicious DNS data into recursive DNS servers
 and redirects all incoming traffic to a server of their choosing
 UDP flood
 DNS exploits
 Man in the middle: the attacker takes over one or more authoritative DNS
servers for a domain and sniffs the traffic.
 DNS tunneling
 Amplification
DNS cache poisoning attacks
 What is DNS cache poisoning
 An attempt to insert a fake address record for an Internet
domain.
 The server keeps it in its cache or passes it to a caching
server; the cache now holds a fake record.
 If successful, the subscriber's link is redirected
to a fake server/location.
 The user may not suspect anything because the URL seems correct.
 This fake record can be spread to other DNS servers
Kashpureff attack (BIND name server)
1. In 1997, four people including Kashpureff started the DNS service called AlterNIC.
2. They used a recursive name server to alter the cache.
3. The (evil) resolver asked the “recursive server” a very specific query, so that the recursive server
would go to that alternative server to resolve it.
4. The AlterNIC server sent the answer, but at the same time it sent “additional records” with
a “completely unrelated resource record” to the DNS recursive server. Suppose the record is for
www.fooback.com.
5. The DNS recursive server kept that data in its cache and passed it to any host that made the query.
6. Hosts went to the fake website that was resolved by AlterNIC, or any other attacker-controlled DNS.
7. Solution:
1. A BIND patch that will not accept unrelated resource records.
(Figure: resolver -> DNS recursive server / cache server -> alternate server (AlterNIC), steps 1 to 4.)
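The fix in step 7, as an added example that is not the BIND patch itself: a "bailiwick" check in Python that a recursive server applies before caching anything from a response. An RR is accepted only if its owner name sits inside the zone the queried server is responsible for; the slide's unrelated www.fooback.com record is rejected rather than cached. The response below is constructed (alternic.net is used as the queried zone because the slide names AlterNIC; the addresses are from the documentation ranges).

```python
# Added example, not from the slides or BIND: the "bailiwick" rule a recursive
# server applies to a response. RRs in the answer/additional sections are
# accepted only if their owner name is inside the zone the queried server is
# responsible for; an unrelated record (the slide's www.fooback.com) is dropped
# instead of cached.


def is_in_bailiwick(rr_name, zone):
    """True if rr_name equals zone or is below it, compared label by label
    (so evilalternic.net is NOT inside alternic.net)."""
    rr = rr_name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    if z == [""]:           # the root zone contains everything
        return True
    return len(rr) >= len(z) and rr[-len(z):] == z


def filter_response(zone, rrs):
    """Split a list of (owner, type, rdata) RRs into accepted and rejected."""
    accepted = [rr for rr in rrs if is_in_bailiwick(rr[0], zone)]
    rejected = [rr for rr in rrs if not is_in_bailiwick(rr[0], zone)]
    return accepted, rejected


# Constructed response as a recursive server might receive it from a server
# that was queried for a name under alternic.net (names and IPs are made up;
# 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_RESPONSE = [
    ("www.alternic.net.", "A", "192.0.2.5"),          # the answer asked for
    ("ns1.alternic.net.", "A", "192.0.2.53"),         # in-zone glue: fine
    ("www.fooback.com.", "A", "198.51.100.66"),       # unrelated: must not be cached
    ("evilalternic.net.", "A", "198.51.100.67"),      # suffix trick: also rejected
]


def cacheable_records(zone="alternic.net.", rrs=SAMPLE_RESPONSE):
    """Owner names that survive the bailiwick check and may enter the cache."""
    accepted, _ = filter_response(zone, rrs)
    return [rr[0] for rr in accepted]


if __name__ == "__main__":
    acc, rej = filter_response("alternic.net.", SAMPLE_RESPONSE)
    print("cache:", acc)
    print("drop :", rej)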
DNS cache poisoning attacks – message ID
 A DNS server will believe a response if the query ID is the same.
 Those message IDs (QIDs) are not random enough.
 Most systems have a pseudo-random number generator, and most of the time the next
random number is quite predictable.
 How it is done
 The server accepts responses to pending queries
 The response must arrive on the same port the request was sent from; otherwise the network stack will not
deliver it.
 The question section must match the question
 The query ID must match the query ID
 Send a normal query and check the query ID
 Now guess the query ID for the next query
 Make a query for some valuable domain like bankofamerica.com
 The DNS recursive server will send a request to resolve this address.
 The attacker spoofs the next 20 possible QIDs and sends them to the DNS server.
 Those responses should arrive before the real response comes back.
 If successful, a fake address has been inserted.
 Solution: BIND patch that randomized the QID.
(Figure: victim name server with spoofed QID.)
Mitigation: randomize the query ID.
Dan Kaminsky attack
 The possible QIDs: 65542 IDs. It can be done by brute force.
 The birthday paradox applies: in a large group the probability that two people share a
birthday reaches 99.7%.
 The probability that among n people two have the same birthday grows with n.
p(n) = (364/365) * (363/365) * … * ((366-n)/365) is the probability that all n birthdays differ,
so the probability of a shared birthday is 1 - p(n).
So with 20 people, the probability that two have the same birthday is about 40%.
 Hijack the authority records
 Same as before, but rather than inserting an “A” record, it adds a delegation to
another nameserver via Authority records, basically saying "ask this DNS
server, it might know".
 The server is owned by the attacker.
 The authority data may well contain the
"real" bankofsteve.com nameserver hostnames, but the glue points
those nameservers at bad-guy IPs. This is the crucial poisoning,
because a query ID match means that the victim believes that the bad guy's
nameservers are authoritative for bankofsteve.com.
 The bad guy now owns the entire zone.
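The birthday computation above and the 16-bit query ID argument, carried through in code as an added example (not from the slides): p(n) and 1 - p(n) for the 365-day case, the number of draws at which a collision becomes more likely than not, and the same figure for the DNS identifier space with and without source-port entropy. This shows, from the defender's side, why randomizing the query ID alone leaves a small search space and why adding source-port randomization enlarges it. The bit counts used for the port range (0, 11 and 16) are assumptions for comparison.

```python
import math

# Added example, not from the slides: the birthday computation the slide sketches,
# carried through in code, and the same computation applied to the DNS identifier
# space to show why adding source-port entropy to the 16-bit query ID matters.


def prob_no_collision(n, space=365):
    """p(n) on the slide: probability that n values drawn uniformly from `space`
    possibilities are all different: (space/space)*((space-1)/space)*...*((space-n+1)/space)."""
    p = 1.0
    for k in range(n):
        p *= (space - k) / space
    return p


def prob_collision(n, space=365):
    """Probability that at least two of n draws coincide: 1 - p(n)."""
    return 1.0 - prob_no_collision(n, space)


def draws_for_half_chance(space):
    """Smallest n for which a collision is at least 50% likely; grows like sqrt(space)."""
    p, n = 1.0, 0
    while p > 0.5:
        p *= (space - n) / space
        n += 1
    return n


def identifier_space(qid_bits=16, port_bits=0):
    """Number of distinct (query ID, source port) values a response must match."""
    return 2 ** (qid_bits + port_bits)


if __name__ == "__main__":
    print(f"20 people, shared birthday: {prob_collision(20):.1%}")   # the slide's ~40%
    print(f"23 people: {prob_collision(23):.1%}")
    # Port-bit counts here are assumed for comparison, not measured values.
    for bits in (0, 11, 16):
        space = identifier_space(port_bits=bits)
        print(f"QID + {bits} port bits: {space} values, {math.log2(space):.0f} bits, "
              f"50% collision after {draws_for_half_chance(space)} draws")
```

The 50%-collision threshold grows only with the square root of the space, which is why a 16-bit ID on its own is reached after a few hundred draws while every extra bit of source-port entropy pushes it further out; the threshold is a property of the identifier space, not of any particular resolver.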
Kaminsky attack
Kaminsky attack Fix and DNSSEC
 Query ID = 16 bits, so it is easy to get into trouble.
 Fix: randomize the source port as well;
there are about 2500 ports (2 to the power 11).
 Kaminsky attack
 DNS was so trusting that anyone could insert a
record.
 Signing (certificates): "I know who you are, and I am not
inserting a record unless you can prove who you
are"
 Trust certificates and keys
 Hard to deploy; keys need to be changed
Modern DDoS attacks – amplification
 Example of a DNS attack
 Reflection and amplification
 Reflection
 Spoof the victim's address in the DNS query
 Have a bot army send the queries so that the DNS replies go to the victim's address.
 Amplification
 Send a small query that results in a larger response. A
simple query of 64 bytes can result in a 400-byte response.
Example query
dig ANY abc.com @208.67.220.220
Response:
<<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> 9.7.3 ANY sjsu.edu @208.67.220.220 TXT= query
;; global options: +cmd
-- many lines are deleted --
; Query time:14 msec
;; Query time:1 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Wed Aug 13 17:01:06 2014
;; MSG SIZE rcvd: 394
Modern DDoS attacks – amplification
 How it is achieved
 Many open resolvers over the Internet
 Use of the DNS TXT resource record
 The DNS protocol extension DNSSEC is used, as by nature
those are big records.
 Amplification factor is approximately 70.1
 Use the bot army to spoof the victim's address, use open
resolvers with recursive queries, look for a TXT response and send
the request.
http://securityaffairs.co/wordpress/3184/cyber-crime/anonymous-dns-amplification-attacks-for-operation-global-blackout.html
Solutions
 Anycast
 A network addressing and routing methodology in which datagrams from a
single sender are routed to the topologically nearest node in a group of
potential receivers.
 Use anycast for DNS
 Why: in a distributed DNS server environment, only some DNS servers
will come under attack, while the other servers, and DNS overall, should be fine.
 Identify and block
 RRL (Response Rate Limiting):
 RRL helps mitigate DNS denial-of-service attacks by reducing the rate at which authoritative servers
respond to high volumes of malicious queries. The RRL mechanism is part of BIND 9.10, and was
available as a software build option in BIND 9.9.4.
 A DDoS system
 If requests have a pattern like same source, same name, class and type, that is most likely an
attack (in a normal scenario, once a query is made, the answer is cached on non-authoritative servers
and will not be sent again and again)
 Limit the number of queries for that source
Solutions
 Very short TTL and heavy response
 Message size
 Watch for bigger messages and close the connection
 Require DNS query types such as ANY to be re-transmitted using TCP.
 Force the use of a TCP connection.
 RFC 2827 (BCP38)
 Our ISP should follow Best Current Practice 38 (BCP38) on the network, and
watch for traffic.
 According to BCP38, if a packet's source address doesn't belong to the internal network, then it
should not be coming out of the internal network.
 Non-existent domains
 Negative responses
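The two detection signals named on the Solutions slides (same source, name, class and type repeated; responses far larger than the query) and the two responses to them (limit the source; push large query types such as ANY onto TCP), combined as an added example that is not BIND's RRL implementation: a simplified rate limiter in Python run over a constructed query log. Each entry gets one of three actions, "answer", "truncate" (reply with the TC bit so a genuine client retries over TCP, which a spoofed source cannot complete) or "drop". The log format, window, quota and amplification threshold are all assumptions of this example.

```python
import re
from collections import defaultdict

# Added example, not from the slides or BIND: a simplified response-rate-limiting
# decision over a constructed query log. It implements the two signals the slides
# name, repeated (source, name, type) tuples inside a short window and responses
# far larger than the query, and answers them with RRL-style actions: drop the
# repeat, or send a truncated reply (TC bit) so a real client retries over TCP.

LOG_RE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?) (?P<src>\S+) (?P<qname>\S+) (?P<qtype>\S+) "
    r"q=(?P<qsize>\d+) r=(?P<rsize>\d+)$"
)

# Constructed log: "time source qname qtype q=<query bytes> r=<response bytes>".
# 198.51.100.7 and 192.0.2.20 are documentation addresses, not real clients.
SAMPLE_LOG = """\
0.00 192.0.2.20 www.example.com A q=45 r=61
0.10 198.51.100.7 example.com ANY q=64 r=4480
0.20 198.51.100.7 example.com ANY q=64 r=4480
0.30 198.51.100.7 example.com ANY q=64 r=4480
0.40 198.51.100.7 example.com ANY q=64 r=4480
0.50 198.51.100.7 example.com ANY q=64 r=4480
0.60 198.51.100.7 example.com ANY q=64 r=4480
0.70 198.51.100.7 example.com ANY q=64 r=4480
2.00 198.51.100.7 example.com ANY q=64 r=4480
2.10 192.0.2.20 mail.example.com MX q=46 r=80
"""


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue                      # ignore lines that are not query records
        d = m.groupdict()
        entries.append({"t": float(d["t"]), "src": d["src"],
                        "qname": d["qname"].lower(), "qtype": d["qtype"].upper(),
                        "qsize": int(d["qsize"]), "rsize": int(d["rsize"])})
    return entries


def amplification_factor(entry):
    """Response bytes per query byte; the slide's 64 -> 400 case is 6.25."""
    return entry["rsize"] / entry["qsize"]


def rate_limit(entries, window=1.0, max_per_window=5, amp_threshold=10.0):
    """Return one action per log entry: 'answer', 'truncate' or 'drop'."""
    recent = defaultdict(list)            # (src, qname, qtype) -> recent timestamps
    actions = []
    for e in entries:
        key = (e["src"], e["qname"], e["qtype"])
        seen = [t for t in recent[key] if e["t"] - t < window]
        recent[key] = seen + [e["t"]]
        if len(seen) >= max_per_window:
            actions.append("drop")        # identical query repeated too fast: over quota
        elif amplification_factor(e) >= amp_threshold:
            actions.append("truncate")    # large answer to an unverified UDP source
        else:
            actions.append("answer")
    return actions


def suspicious_sources(entries, amp_threshold=10.0):
    """Sources that requested at least one heavily amplifying response."""
    return sorted({e["src"] for e in entries if amplification_factor(e) >= amp_threshold})


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e, action in zip(log, rate_limit(log)):
        print(f"{e['t']:5.2f} {e['src']:14} {e['qname']:18} {e['qtype']:4} "
              f"x{amplification_factor(e):5.1f} -> {action}")
    print("suspicious:", suspicious_sources(log))
```

The truncate action is the interesting one: it costs the server almost nothing to send, a real client retries over TCP and gets its answer, and a spoofed source (the reflection victim) receives a tiny packet instead of a 4 KB one, so the amplification the attacker wanted never happens. The drop branch only fires once the same tuple exceeds the window quota, which keeps ordinary clients whose caches deduplicate their queries unaffected.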
Reference
 Dan Kaminsky's Black Hat presentation (PowerPoint): excellent reading.
 DNS and BIND, O'Reilly: the definitive book on DNS.
 TCP/IP Illustrated, Volume 1: The Protocols, W. Richard Stevens: the definitive book on TCP/IP.
 DNS Cache Poisoning at Wikipedia
 http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
 http://securityaffairs.co/wordpress/3184/cyber-crime/anonymous-dns-amplification-attacks-for-operation-global-blackout.html
 DNS Cache Poisoning
 http://en.wikipedia.org/wiki/AlterNIC
 https://ripe66.ripe.net/presentations/164-ripe66-dns.pdf

Más contenido relacionado

La actualidad más candente (20)

Domain name system (dns)
Domain name system (dns)Domain name system (dns)
Domain name system (dns)
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)
 
Domain name system
Domain name systemDomain name system
Domain name system
 
Dns
DnsDns
Dns
 
Domain Name System
Domain Name SystemDomain Name System
Domain Name System
 
DHCP basics
DHCP basicsDHCP basics
DHCP basics
 
Presentation on arp protocol
Presentation on arp protocolPresentation on arp protocol
Presentation on arp protocol
 
Domain name system
Domain name systemDomain name system
Domain name system
 
Address resolution protocol
Address resolution protocolAddress resolution protocol
Address resolution protocol
 
Link state routing protocol
Link state routing protocolLink state routing protocol
Link state routing protocol
 
Configuration DHCP
Configuration DHCPConfiguration DHCP
Configuration DHCP
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name System
 
Chapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.pptChapter 29 Domain Name System.ppt
Chapter 29 Domain Name System.ppt
 
Icmp
IcmpIcmp
Icmp
 
DNS ( Domain Name System)
DNS ( Domain Name System)DNS ( Domain Name System)
DNS ( Domain Name System)
 
DNS
DNSDNS
DNS
 
Dns presentation
Dns presentationDns presentation
Dns presentation
 
logical addressing
logical addressinglogical addressing
logical addressing
 
Dns
DnsDns
Dns
 

Similar a Dns2 (20)

Introduction
IntroductionIntroduction
Introduction
 
Domainnamesystem
DomainnamesystemDomainnamesystem
Domainnamesystem
 
Dns1111111111
Dns1111111111Dns1111111111
Dns1111111111
 
Dns
DnsDns
Dns
 
DNS Presentation
DNS PresentationDNS Presentation
DNS Presentation
 
Dns And Snmp
Dns And SnmpDns And Snmp
Dns And Snmp
 
Domain Name System DNS
Domain Name System DNSDomain Name System DNS
Domain Name System DNS
 
Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Server
 
Linux basics andng hosti
Linux basics andng hostiLinux basics andng hosti
Linux basics andng hosti
 
Curso: Redes y comunicaciones I: 07 Redes
Curso: Redes y comunicaciones I: 07 RedesCurso: Redes y comunicaciones I: 07 Redes
Curso: Redes y comunicaciones I: 07 Redes
 
The Application Layer
The Application LayerThe Application Layer
The Application Layer
 
Dns
DnsDns
Dns
 
DNS (Domain Name System)
DNS (Domain Name System)DNS (Domain Name System)
DNS (Domain Name System)
 
Dns
DnsDns
Dns
 
CSE dns ppt.pptx
CSE dns ppt.pptxCSE dns ppt.pptx
CSE dns ppt.pptx
 
Domain Name System ppt
Domain Name System pptDomain Name System ppt
Domain Name System ppt
 
Dns
DnsDns
Dns
 
Wintel
WintelWintel
Wintel
 
D.N.S
D.N.SD.N.S
D.N.S
 
DNS – Domain Name Service
DNS – Domain Name ServiceDNS – Domain Name Service
DNS – Domain Name Service
 

Último

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Último (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
DMCC Future of Trade Web3 - Special Edition

Dns2

  • 1. Himani Singh DNS Name Server and Protocol and attacks
  • 2. Agenda
     DNS introduction
     Types of DNS servers
     DNS protocols
     DNS attacks
  • 3. DNS Intro
     Domain Name System
     DNS is a naming system that maps an “easily remembered name” to a routable IP address for any resource (host or service) that is connected to the Internet.
    Example:
      Name: google.com
      Addresses: 2607:f8b0:4005:802::1005, 74.125.239.135, 74.125.239.137
     Example implementations
       Berkeley Internet Name Domain system (BIND)
       Microsoft DNS server from NT 4.0, 2003 and 2008
     RFCs 882, 883, 1034 and 1035
  • 4. DNS Intro
    The Domain Name System’s architecture is a database and a set of protocols.
     The database
       Contains the data for any resource (or service), including host names and domain names.
       Is hierarchical.
       Is distributed over multiple servers.
     The protocol defines the mechanism to
       Query the database
       Update the database
       Replicate the information among the servers to keep identical records
  • 5. DNS Database
     The hierarchical database is like a tree where each level can be either a branch or a leaf
       A leaf is information about a host/service
       A branch can be a domain namespace. Domain names consist of labels, e.g., mail.fortinet.com
     DNS resource information is stored in the database in the form of Resource Records (RRs)
       All RRs have a predefined format
       Many types of records
     FQDN
       A fully qualified domain name (FQDN) identifies the host’s position within the DNS tree by specifying the full name, e.g., support.fortinet.com/home.aspx
  • 6. DNS’s Database Structure
     Second-level domain
       Individual or organization name for use on the Internet.
       Example: fortinet.com, where Fortinet is the organization name.
     Subdomain
       An additional name an organization can create to divide its domain into departments, locations, etc., e.g., cs.yale.edu or support.fortinet.com
     Host or resource name
       Identifies a specific resource or service; at least one IP address is associated with it.
       Name: mail.fortinet.com, Address: 208.91.113.80
  • 7. DNS’s Database Structure
     Root
       Top of the tree, indicated by a dot “.”, e.g., http://www.fortinet.com.
     Top-level domain
       The length is fixed, except for country codes.
       Type of organization, country, or place
        com: commercial organizations
        edu: educational
        org: non-profit organizations
        net: networks (the backbone of the Internet)
        gov: government (non-military)
        mil: military
        arpa: reverse DNS
        “xx”: country codes like us, au, ca
  • 9. Resource Record fields (https://www.ietf.org/rfc/rfc1035.txt)
    Name: name of the node
    Type: RR type, 2 octets
    Class: RR class, 2 octets
    TTL: time to live, 32-bit integer; the time interval for which the RR may be used before it needs to be revalidated from the source (primary server)
    RDLENGTH: length in octets of the RDATA field
    RDATA: variable-length field that describes the resource, such as the IP address for address records, or the priority and hostname for MX records
  • 10. Resource Record types (most used)

    | Type | Description | Value | Class | Data / example |
    |---|---|---|---|---|
    | A | Host address | 1 | Internet (IN) | Host IP address / owner name. Example: F11 IN A 10.1.1.11 |
    | NS | Authoritative name server | 2 | Internet (IN) | Owner name, name server DNS name. Example: NS SRI-NIC.ARPA |
    | CNAME | Canonical name for an alias | 5 | Internet (IN) | Owner name (alias name). The DNS lookup continues by retrying the lookup with the new name. Example: ftp.fortinet.com. IN CNAME ftp1.fortinet.com. |
    | SOA | Marks the start of a zone of authority; required in every zone file | 6 | Internet (IN) | Primary name server and the e-mail address of the person responsible for the domain (owner name); refresh interval, retry interval, expire time, minimum TTL |
    | WKS | Well-known service description | 11 | Internet (IN) | Well-known service description |
    | PTR | Domain name pointer | 12 | Internet (IN) | Contains a textual name. It is bound to names built from numerical IP addresses and is used for reverse mapping from an IP address to a textual name. Example: 73.0.0.26.IN-ADDR.ARPA. PTR SRI-NIC.ARPA. |
    | MX | Mail exchange | 15 | Internet (IN) | Owner name, mail exchange server DNS name: the FQDN of a host that will accept SMTP mail. Example: SRI-NIC.ARPA. MX 0 SRI-NIC.ARPA |
    | TXT | Text string | 16 | Internet (IN) | Used to be free text, but now this record more often carries machine-readable data |
    | AAAA | Host address | 28 | Internet (IN) | IPv6 address record |
  • 11. Resource Records Description
     SOA resource records
       Every zone contains a Start of Authority RR at the beginning of the zone.
       This record contains information about the
         Owner
         Minimum TTL
         Class and type
         Retry time a secondary server will wait before retrying
         Authoritative server (primary server), serial number (update number), refresh, administrator, expiry and more
    Example (http://www.zytrax.com/books/dns/ch6/mydomain.html):
      noam.reskit.com. IN SOA (
          noamdc1.noam.reskit.com.       ; authoritative server for the zone
          administrator.noam.reskit.com. ; zone admin e-mail (responsible person)
          5099                           ; serial number
          3600                           ; refresh (1 hour)
          600                            ; retry (10 mins)
          86400                          ; expire (1 day)
          60 )                           ; minimum TTL (1 min)
  • 12. Resource Records for Windows 2008 DNS
  • 13. Reverse lookup
     A reverse lookup is a query of the DNS for a domain name when the IP address is known, e.g., 4.0.10.18.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
  • 14. DNS zone and zone file
    The DNS scheme allows a namespace to be split into multiple zones, which can be kept on the same server. Splitting into zones helps
     Performance
     Delegating management to departments
     Those zones store information about DNS domains (or subdomains)
     A zone stores information about all names that end with the zone root domain name in a file called the “zone file”
     A zone file contains multiple resource records; the first record is the Start of Authority (SOA)
     The SOA names the primary DNS nameserver
     A zone file may contain other zone information if added
  • 15. Zone file (the example database from RFC 1034)
    .  IN SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
                          870611      ;serial
                          1800        ;refresh every 30 min
                          300         ;retry every 5 min
                          604800      ;expire after a week
                          86400)      ;minimum of a day
       NS A.ISI.EDU.
       NS C.ISI.EDU.
       NS SRI-NIC.ARPA.
    MIL.  86400 NS SRI-NIC.ARPA.
          86400 NS A.ISI.EDU.
    EDU.  86400 NS SRI-NIC.ARPA.
          86400 NS C.ISI.EDU.
    SRI-NIC.ARPA.  A 26.0.0.73
                   A 10.0.0.51
                   MX 0 SRI-NIC.ARPA.
                   HINFO DEC-2060 TOPS20
    ACC.ARPA.      A 26.6.0.65
                   HINFO PDP-11/70 UNIX
                   MX 10 ACC.ARPA.
    USC-ISIC.ARPA. CNAME C.ISI.EDU.
    73.0.0.26.IN-ADDR.ARPA.  PTR SRI-NIC.ARPA.
    65.0.6.26.IN-ADDR.ARPA.  PTR ACC.ARPA.
    51.0.0.10.IN-ADDR.ARPA.  PTR SRI-NIC.ARPA.
    52.0.0.10.IN-ADDR.ARPA.  PTR C.ISI.EDU.
    103.0.3.26.IN-ADDR.ARPA. PTR A.ISI.EDU.
    A.ISI.EDU. 86400 A 26.3.0.103
    C.ISI.EDU. 86400 A 10.0.0.52
  • 16. Zone transfer  Zone transfer is achieved by copying the zone file from one DNS server to a second DNS server  There are two types of zone file replication.  Full zone transfer (AXFR) replicates the entire zone file.  Incremental zone transfer (IXFR) replicates only records that have been modified.
  • 18. Authoritative, Non-Authoritative and Caching
    Authoritative DNS
     Is the authoritative source for all name queries/requests made for a zone; the records have been configured by the original source. The same DNS server can be primary for one zone and secondary for another.
     The secondary server can also respond to any authoritative request, which allows load balancing.
    Non-Authoritative
     This is not a delegated server for the zone in question, but it has record information obtained from other servers.
     It can’t respond to requests in an authoritative manner.
    Caching
     If a DNS server receives a request for a record that it doesn’t have, it performs a recursive query to get the information.
     The server holds this information locally in temporary storage called the cache.
     The data is only served while its time-to-live (TTL) > 0.
     A caching server can respond as 'authoritative' if the data came from the zone master; otherwise non-authoritative.
  • 19. DNS server types
     Root name server
       This is a top-level server; it provides information about the top level. The list of root servers is at http://www.root-servers.org/
     Primary server (or master)
       When a domain name is registered with a registrar, the addresses of a primary and at least one secondary server are required.
       A primary server’s zone file is updated from a local source, whereas a secondary (slave) gets its data externally (either from the master or from the network). That is, the master DNS server is the authoritative server for one or more zones.
       A zone can have any number of masters; the only condition is that the zone files must be kept synchronized.
       In the case of multiple masters, one server is the primary master.
       A master responds to queries with the AA bit set if it is the authoritative server for that zone.
     Delegation: “I know the zone you are asking for, and I know how to find it.” When a nameserver doesn’t have the contents of a zone but knows how to find the owner, it is said to delegate service of that zone to another nameserver.
  • 20. Primary and Secondary server (diagram: the primary server holds the zone file; the secondary sends a request and receives the response, updating its copy based on the SOA serial number)
  • 21. DNS server types
     Secondary (or slave)
       A read-only copy of the primary zone
       It gets zone data using the zone transfer operation
       Provides load balancing and fault tolerance
       Responds as authoritative for all zones for which it is defined as slave, as well as those for which it is defined as authoritative
     Record refresh
       Slaves refresh their zone records when the expiry time is reached
       If a slave can’t reach the primary server before expiry, it will not respond to queries.
       Zone changes are propagated to all the servers with NS records in the zone file.
       The BIND implementation names it slave; later it was called secondary.
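The SOA timers from slides 11 and 15 (refresh, retry, expire), the zone transfer of slide 16 and the serial-number-driven update of slides 20 and 21 fit together in the refresh loop a secondary runs. The following is an added example written for this page, not BIND's or Microsoft's code; the `Secondary` class, its `poll`/`can_serve` methods and the timestamps are assumptions, while the serial comparison follows RFC 1982 so it survives the 32-bit wrap.

```python
"""Secondary (slave) zone maintenance driven by the SOA timers (added example)."""
from dataclasses import dataclass

SERIAL_MOD = 1 << 32  # SOA serials are 32-bit and wrap around (RFC 1982)


def serial_newer(candidate, current):
    """RFC 1982 serial arithmetic: True if candidate is 'after' current.
    Handles the wrap (4294967295 -> 0) and returns False for equal serials."""
    half = SERIAL_MOD // 2
    return (candidate < current and current - candidate > half) or \
           (candidate > current and candidate - current < half)


@dataclass
class Soa:
    serial: int
    refresh: int   # seconds between checks of the primary
    retry: int     # seconds to wait after a failed check
    expire: int    # seconds after which stale data must no longer be served
    minimum: int   # minimum / negative-caching TTL


class Secondary:
    """Holds a read-only copy of a zone and decides when to refresh it."""

    def __init__(self, soa, loaded_at):
        self.soa = soa
        self.last_success = loaded_at          # last time the primary confirmed our copy
        self.next_check = loaded_at + soa.refresh
        self.transfers = 0

    def poll(self, now, primary_soa):
        """Called periodically. primary_soa is the SOA read from the primary, or None
        if the primary could not be reached. Returns the action taken."""
        if now < self.next_check:
            return "wait"
        if primary_soa is None:
            self.next_check = now + self.soa.retry     # try again after RETRY seconds
            return "retry"
        if serial_newer(primary_soa.serial, self.soa.serial):
            self.soa = primary_soa                     # AXFR/IXFR: take the newer zone
            self.transfers += 1
            action = "transfer"
        else:
            action = "up-to-date"                      # same serial: nothing to copy
        self.last_success = now
        self.next_check = now + self.soa.refresh
        return action

    def can_serve(self, now):
        """A secondary stops answering for the zone once EXPIRE seconds have passed
        without a successful contact with the primary (slide 21)."""
        return now - self.last_success < self.soa.expire


if __name__ == "__main__":
    # Timer values taken from the RFC 1034 example zone on slide 15; times are constructed.
    zone = Soa(serial=870611, refresh=1800, retry=300, expire=604800, minimum=86400)
    sec = Secondary(zone, loaded_at=0)
    print(sec.poll(1800, None))                                   # retry
    print(sec.poll(2100, Soa(870612, 1800, 300, 604800, 86400)))  # transfer
    print(sec.soa.serial, sec.can_serve(3000))                    # 870612 True
```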
  • 22. DNS server types
     A slave can be a master
       If the slave is public-facing, the real master can be hidden.
       To provide resilience, two such servers are needed. In that case one slave gets zone information from the real master and the other can get it from the pretend master.
     Stub
       A read-only copy of the primary zone with a limited set of RRs: it contains only the resource records that identify the DNS servers that are authoritative for a DNS domain name
     Forward DNS
       A forward, proxy, client or remote server simply forwards requests to another DNS server.
       It does cache responses and so responds fast.
       Useful in slow networks.
  • 23. DNS Protocol
     Protocol
       Mostly carried over UDP, also TCP, on port 53
       Request/response system
       Response in one message
     Types of messages
       Queries
       Responses
       Updates
  • 24. Query
    A query can be sent by
     A client to a DNS server
     One server to another server
    There are two types of DNS queries:
     Recursive
       Mostly DNS clients make this kind of query. The DNS server can respond with local information or make a request to another server.
     Iterative
       The server responds with the best local information, either from local zone files or from the cache.
       If the DNS server is not authoritative for that name, this response is called a referral.
  • 25. Query
     When a DNS server receives a query for a resource, it sends a response as follows
       If it is master for that zone, it answers
       If it is a slave that has the record (or a cached copy) that is not expired, it answers
       If it is neither a master nor a slave, it acts as configured
         If caching and recursive queries are allowed, the server responds with an answer or an error.
         If caching and iterative queries are allowed, the server responds with an answer or an error.
         If caching is not allowed, the server returns a referral or an error.
  • 26. DNS recursive query example (diagram: resolver, ISP local recursive name server, “.” name server, com name server, example.com name server)
    1. The resolver sends a recursive query (recursion desired = 1) for www.abc.com to the ISP’s local recursive name server. The ISP’s nameserver knows that it’s not authoritative for abc.com, so it can’t look it up in its local zone database. It also doesn’t find the name in its cache of recently-seen data.
    2. Iterative query to the “.” name server: IP for www.abc.com?
    3. Referral to the next server who may know.
    4. Iterative query to the com name server: IP for www.abc.com?
    5. Still does not know; referral to one of the authoritative servers.
    6. Iterative query to the authoritative server: IP for www.abc.com?
    7. IP is 1.2.3.4.
    8. The recursive server returns the answer to the resolver and adds it to its own cache. The answer is non-authoritative.
  • 27. DNS protocol
    Message format: Header (12 bytes), Question (variable), Answer (variable), Authority (variable), Additional (variable)
     Questions are Name, Type, Class
     Answers are RRs that match the Name, Type, Class. If there are multiple RRs with the same labels, there can be multiple answers.
     Authority RRs point toward an authority
     Additional RRs are records that can be useful to the client.
  • 28. Header and query answer
     Name (variable): name of the object, domain or zone. All information is associated with this name.
     Type (2 bytes): code value specifying the type of resource record.
     Class (2 bytes): class of the resource record
     Time to Live (4 bytes): number of seconds that the record should be retained in the cache.
     RDLength (2 bytes): indicates the size of the RData field, in bytes
     Resource Data (variable): data portion of the resource record.
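To make the layout of slides 9, 27 and 28 concrete, here is an added example, written for this page and not taken from the slides, that decodes a DNS message from its wire format: the 12-byte header, the question, and the answer/authority/additional sections, including the label compression pointers that a real response uses to repeat names. The sample message is constructed inline (ID, flags, names and the 192.0.2.1 address are all made up).

```python
"""Parse a DNS wire-format message: header, question, RR sections (added example)."""
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(msg, off):
    """Decode a possibly compressed name starting at off.
    Returns (dotted name, offset just past the name at its original position)."""
    labels, end, seen = [], None, set()
    while True:
        if off in seen:                       # malformed message: pointer loop
            raise ValueError("compression loop")
        seen.add(off)
        length = msg[off]
        if length & 0xC0 == 0xC0:             # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = off + 2                 # the name occupies only the 2 pointer bytes
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:                       # root label terminates the name
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_header(msg):
    """12-byte header: ID, flag bits, and the four section counts."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_rr(msg, off):
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA (slide 9 fields)."""
    name, off = read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    rdata = msg[off:off + rdlen]
    if rtype == 1 and rdlen == 4:
        data = ".".join(str(b) for b in rdata)
    elif rtype in (2, 5, 12):                 # NS, CNAME, PTR carry a (compressible) name
        data, _ = read_name(msg, off)
    elif rtype == 15:                         # MX: 16-bit preference + exchange name
        data = f"{struct.unpack('!H', rdata[:2])[0]} {read_name(msg, off + 2)[0]}"
    else:
        data = rdata.hex()
    return {"name": name, "type": TYPE_NAMES.get(rtype, rtype), "class": rclass,
            "ttl": ttl, "rdata": data}, off + rdlen


def parse_message(msg):
    hdr = parse_header(msg)
    off, questions = 12, []
    for _ in range(hdr["qdcount"]):           # question: NAME, QTYPE, QCLASS
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({"name": qname, "type": TYPE_NAMES.get(qtype, qtype), "class": qclass})
    result = {"header": hdr, "question": questions}
    for section, count in (("answer", hdr["ancount"]), ("authority", hdr["nscount"]),
                           ("additional", hdr["arcount"])):
        rrs = []
        for _ in range(count):
            record, off = parse_rr(msg, off)
            rrs.append(record)
        result[section] = rrs
    return result


def _wire_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


# Constructed sample response (not a capture from the slides): ID 0x1a2b, flags 0x8180
# (QR=1, RD=1, RA=1, AA=0), one question "www.example.com A IN", and one answer whose
# NAME is the compression pointer 0xC00C back to the question name at offset 12.
SAMPLE = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)
          + _wire_name("www.example.com") + struct.pack("!HH", 1, 1)
          + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```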
  • 30. DNS update message  The DNS update message format uses a header defining the update operation to be performed and a resource record set that contains the update.
  • 31. DNS request capture from Wireshark
  • 34. DNS Security Extensions
     DNSSEC adds four new resource record types (see RFC 4034):
       Resource Record Signature (RRSIG)
       DNS Public Key (DNSKEY)
       Delegation Signer (DS)
       Next Secure (NSEC)
     Two new DNS header flags
       Checking Disabled (CD)
       Authenticated Data (AD)
     To support DNSSEC
       Support for the DNSSEC OK (DO) EDNS header bit, so a resolver can indicate its support for DNSSEC RRs.
       DNSSEC also requires EDNS0 support (RFC 2671); by adding DNSSEC RRs, the message size can be larger than 512 bytes.
       Potential for amplified DDoS attacks
  • 35. DNS Security Extensions
     DNSSEC adds security to the Domain Name System.
     DNSSEC was created to protect DNS from Internet attacks like DNS cache poisoning
     It is a set of extensions to DNS and provides
       Origin authentication of DNS data
       Data integrity (not privacy)
       Authenticated denial of existence
  • 36. DNS attacks
     DNS DDoS attacks
       The percentage of DNS attacks (72%) is a little less than HTTP (82%)
     DNS attacks include
       DNS cache poisoning attack
         The attacker injects malicious DNS data into recursive DNS servers
         and redirects all incoming traffic to a server of their choosing
       UDP flood
       DNS exploits
       Man in the middle: the attacker gets between the resolver and one or more authoritative DNS servers for a domain and sniffs the traffic.
       DNS tunneling
       Amplification
  • 37. DNS cache poisoning attacks
    The cache can be changed to hold a fake record.
     What is DNS cache poisoning
       An attempt to insert a fake address record for an Internet domain.
       The server will keep it in its cache or pass it to a caching server
       If successful, the subscriber’s link is redirected to a fake server/location.
       The user may not suspect anything because the URL seems correct.
       This fake record can spread to other DNS servers
  • 38. Kashpureff attack (BIND name server)
    1. In 1997, four people including Kashpureff started a DNS service called AlterNIC.
    2. It used a recursive name server to alter the cache.
    3. The (evil) resolver asked a very specific query of the “recursive server”, so that the recursive server would go to that alternative server to resolve the query.
    4. The AlterNIC server then sent the answer, but at the same time it sent “additional records” containing a “completely unrelated resource record” to the recursive DNS server. Suppose the record is for www.fooback.com.
    5. The DNS recursive server kept that data in its cache and passed it to any host that made the query.
    6. The host would go to a fake website, resolved by AlterNIC, or to any other attacker-controlled DNS.
    7. Solution:
      1. A BIND patch that does not accept unrelated resource records.
    (Diagram: resolver, cache server, DNS recursive server, alternate server AlterNIC; steps 1–4.)
  • 39. DNS cache poisoning attacks – message ID
     A DNS server will believe a response if the query ID is the same.
     Those message IDs (QIDs) are not random enough.
     Most systems have a pseudo-random number generator, and most of the time the next random number is quite predictable.
     How it is done
       The server accepts responses to pending queries
       The response must arrive on the same port the request was sent from; otherwise the network stack will not deliver it.
       The question section must match the question
       The query ID must match the query ID
       Send a normal query and check the query ID
       Now guess the query ID for the next query
       Make a query for some valuable domain like bankofamerica.com
       The recursive DNS server will send a request to resolve this address.
       The attacker spoofs the next 20 possible QIDs and sends those responses to the DNS server.
       Those responses must arrive before the real response comes back.
       If successful, the fake address has been inserted.
     Solution: BIND patch that randomizes the QID.
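The fix named on slide 38 ("do not accept unrelated resource records") is the bailiwick check every caching resolver performs today: a record is only cached if its owner name lies inside the zone the answering server was asked about. Below is an added example of that check with a small TTL-aware cache; it is written for this page, not taken from BIND, and the domain names and 192.0.2.x addresses in the two sample responses are constructed. It covers the poisoning attempt of slides 37 and 38; the Kaminsky variant of slide 42 stays in bailiwick and is not caught by this check, which is why slide 44 turns to port randomization and DNSSEC.

```python
"""Bailiwick filtering for a caching resolver (added example, not BIND's code)."""


def in_bailiwick(owner, zone):
    """True if owner equals zone or lies below it. Names are compared label by label,
    case-insensitively, so 'WWW.Example.COM.' is inside 'example.com.'."""
    o = owner.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    if z == [""]:                      # the root zone contains every name
        return True
    return len(o) >= len(z) and o[-len(z):] == z


def filter_response(expected_zone, records):
    """Split a response into records the answering server may speak for and records
    it may not (the unrelated additional records of the Kashpureff attack)."""
    accepted, rejected = [], []
    for record in records:
        (accepted if in_bailiwick(record["name"], expected_zone) else rejected).append(record)
    return accepted, rejected


class Cache:
    """Minimal positive cache keyed on (owner, type); entries expire after TTL seconds."""

    def __init__(self):
        self.entries = {}

    def absorb(self, expected_zone, records, now):
        """Cache only in-bailiwick records; returns (accepted, rejected) for logging."""
        accepted, rejected = filter_response(expected_zone, records)
        for record in accepted:
            key = (record["name"].lower(), record["type"])
            self.entries[key] = (record["rdata"], now + record["ttl"])
        return accepted, rejected

    def lookup(self, name, rtype, now):
        entry = self.entries.get((name.lower(), rtype))
        if entry is None or now >= entry[1]:  # missing or TTL has run out (slide 18)
            return None
        return entry[0]


def rr(name, rtype, ttl, rdata):
    return {"name": name, "type": rtype, "ttl": ttl, "rdata": rdata}


# Constructed responses. 1) Kashpureff-style: the server asked about alternic.example answers
# for its own name but piggybacks an unrelated A record for www.fooback.com (slide 38's name).
POISON_ATTEMPT = [
    rr("www.alternic.example.", "A", 3600, "192.0.2.10"),
    rr("www.fooback.com.", "A", 86400, "192.0.2.66"),    # outside alternic.example -> dropped
]
# 2) Legitimate referral from the com servers: an NS record plus its in-bailiwick glue.
COM_REFERRAL = [
    rr("example.com.", "NS", 172800, "ns1.example.com."),
    rr("ns1.example.com.", "A", 172800, "192.0.2.1"),     # glue inside com. -> accepted
]
```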
  • 40. Victim name server with spoofed QID. Mitigation: randomize the query ID.
  • 41.
  • 42. Dan Kaminsky attack
     The possible QIDs: 65542 IDs. It can be done by brute force.
     Uses the so-called birthday paradox: the possibility that two people have the same birthday is 99.7%
     The probability that n people all have different birthdays is p(n) = (364/365) * (363/365) * … * ((366-n)/365), so the chance that some pair shares a birthday is 1 - p(n); with 20 people, the chance that two have the same birthday is about 40%.
     Hijack the authority records
       Same as before, but rather than putting in an “A” record, it adds a delegation to another nameserver via authority records. Basically it says: ask this DNS server, which might know it.
       That server is owned by the attacker.
       The authority data may well contain the "real" bankofsteve.com nameserver hostnames, but the glue points those nameservers at badguy IPs. This is the crucial poisoning, because a query ID match means that the victim believes that badguy's nameservers are authoritative for bankofsteve.com.
       The bad guy now owns the entire zone.
  • 44. Kaminsky attack fix and DNSSEC
     Query ID = 16 bits, so it is easy to get into trouble.
     Fix: randomize the source port as well; ports are 2500 (2 to the power 11)
     Kaminsky attack
       DNS was so trusting that anyone could insert a location.
     Signing certificate – “I know who you are, and I am not inserting a record unless you can prove who you are”
       Trust certificate and key
       Hard to deploy; the key needs to be changed
  • 45. Modern DDoS attacks – amplification
     Example of DNS attack
       Reflection and amplification
     Reflection
       Spoof the victim’s address in the DNS query
       Have a bot army send DNS queries whose replies go to the victim’s address.
     Amplification
       Send a small query that results in much larger data. A simple query of 64 bytes can result in a 400-byte response.
    Example query: dig ANY abc.com @208.67.220.220
    Response:
      <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> 9.7.3 ANY sjsu.edu @208.67.220.220 TXT= query
      ;; global options: +cmd
      --many lines are deleted--
      ; Query time:14 msec
      ;; Query time:1 msec
      ;; SERVER: 208.67.220.220#53(208.67.220.220)
      ;; WHEN: Wed Aug 13 17:01:06 2014
      ;; MSG SIZE rcvd: 394
  • 46. Modern DDoS attacks – amplification
     How it is achieved
       Many open resolvers over the Internet
       Use the DNS TXT resource record
       The DNS protocol extension DNSSEC is used, as by nature those are big records.
       The amplification factor is approximately 70.1
       Use the bot army to spoof the victim’s address, use open resolvers with recursive queries, look for TXT responses and send the request.
  • 48. Solutions
     Anycast
       A network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers.
       Use anycast for DNS
       Why: in a distributed DNS server environment, only some DNS servers will come under attack, while the other servers, and DNS service overall, should be fine.
     Identify and block
       RRL (Response Rate Limiting)
         RRL helps mitigate DNS denial-of-service attacks by reducing the rate at which authoritative servers respond to high volumes of malicious queries. The RRL mechanism is part of BIND 9.10, and was available as a software build option in BIND 9.9.4.
       A DDoS system
         If the requests have a pattern like the same source, same name, class and type, that is most likely an attack (in a normal scenario, once a query is made, it is cached on non-authoritative servers and will not be sent again and again)
         Limit the number of queries for that source
     Very short TTL and heavy response
  • 49. Solutions
     Very short TTL and heavy response
     Message size
       Watch for bigger messages and close
       DNS query types (such as ANY) to be re-transmitted using TCP.
       Force the use of a TCP connection.
     RFC 2827 (BCP38)
       Our ISP should follow Best Current Practice 38 (BCP38) on the network, and watch for traffic.
       According to BCP38, if a packet’s source address doesn’t belong to the internal network, then it should not be coming from the internal network.
     Non-existing domains
       Negative response
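Slides 48 and 49 describe the two halves of response rate limiting: recognise the repeated (source, name, class, type) pattern and limit it, and push suspicious clients onto TCP so that a spoofed source cannot complete the exchange. The following is an added example of that logic run over a constructed query log; it is written for this page and is not BIND's RRL implementation (BIND aggregates clients by prefix and uses a "slip" ratio in the same spirit, but its parameters and data structures differ). The log format, the limiter's parameters and the 203.0.113.x / 198.51.100.x client addresses are assumptions.

```python
"""Response rate limiting over a DNS query log (added example, not BIND's RRL code)."""
import ipaddress
from collections import Counter


class ResponseRateLimiter:
    """Token bucket per (client prefix, qname, qclass, qtype).

    Each key earns `rate` responses per second, saved up to `window` seconds' worth.
    When the bucket is empty the query is dropped, except that every `slip`-th dropped
    query gets a truncated (TC=1) reply so a genuine client retries over TCP, which a
    reflector with a spoofed source address cannot do (slide 49)."""

    def __init__(self, rate=2, window=5, slip=2, prefix_len=24):
        self.rate, self.window, self.slip, self.prefix_len = rate, window, slip, prefix_len
        self.buckets = {}          # key -> (credits, time of last update)
        self.dropped = Counter()   # key -> number of queries not answered

    def _key(self, src, qname, qclass, qtype):
        # Clients in one /24 share a bucket: an attacker rotating source addresses
        # inside one network gains nothing, and the "same name, class and type" test
        # of slide 48 is what the rest of the key expresses.
        net = ipaddress.ip_network(f"{src}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qclass.upper(), qtype.upper())

    def decide(self, now, src, qname, qclass, qtype):
        """Returns 'answer', 'slip' (truncated reply) or 'drop' for one query."""
        key = self._key(src, qname, qclass, qtype)
        limit = self.rate * self.window
        credits, last = self.buckets.get(key, (limit, now))
        credits = min(limit, credits + (now - last) * self.rate)   # refill since last seen
        if credits >= 1:
            self.buckets[key] = (credits - 1, now)
            return "answer"
        self.buckets[key] = (credits, now)
        self.dropped[key] += 1
        if self.slip and self.dropped[key] % self.slip == 0:
            return "slip"
        return "drop"


def parse_line(line):
    """Constructed log format: '<unix time> <client ip> <qname> <qclass> <qtype>'."""
    ts, src, qname, qclass, qtype = line.split()
    return float(ts), src, qname, qclass, qtype


def summarize(limiter, lines):
    """Feed log lines through the limiter; returns {(src, qname, qtype): Counter(actions)}."""
    out = {}
    for line in lines:
        ts, src, qname, qclass, qtype = parse_line(line)
        action = limiter.decide(ts, src, qname, qclass, qtype)
        out.setdefault((src, qname, qtype), Counter())[action] += 1
    return out


# Constructed sample: one source bursting 30 ANY queries for one name in the same second
# (the amplification pattern of slides 45 and 46), one ordinary client, then the same
# source again five seconds later, by which time its bucket has refilled.
SAMPLE_LOG = ["1407970866.0 203.0.113.7 abc.com IN ANY"] * 30 + [
    "1407970866.0 198.51.100.9 www.example.com IN A",
    "1407970871.0 203.0.113.7 abc.com IN ANY",
]
```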
  • 50. References
     Dan Kaminsky's Black Hat presentation (PowerPoint) — excellent reading.
     DNS and BIND, O'Reilly — the definitive book on DNS.
     TCP/IP Illustrated, Volume 1: The Protocols, W. Richard Stevens — the definitive book on TCP/IP.
     DNS Cache Poisoning at Wikipedia
     http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
     http://securityaffairs.co/wordpress/3184/cyber-crime/anonymous-dns-amplification-attacks-for-operation-global-blackout.html
     DNS Cache Poisoning
     http://en.wikipedia.org/wiki/AlterNIC
     https://ripe66.ripe.net/presentations/164-ripe66-dns.pdf

Editor's notes

  1. Resources are URLs and e-mail addresses
  2. C.ISI.EDU is a name server for the root, MIL,
  3. All recursive nameservers are preconfigured with a list of 13 root servers (root hints):
     A.ROOT-SERVERS.NET. IN A 198.41.0.4
     B.ROOT-SERVERS.NET. IN A 192.228.79.201
     ...
     M.ROOT-SERVERS.NET. IN A 202.12.27.33
     The nameserver picks one at random and sends off the query for the A record.
  4. DNS update message header:
     Identification: a 16-bit identifier, copied in the reply for use by the requester for tracking.
     Flags: 16-bit DNS update message flags.
       Request/response: 1-bit field set to 0 to represent an update request and 1 to represent an update response.
       Operation code: 4-bit field set to 0x5 for DNS updates.
       Reserved: 7-bit reserved field set to 0.
       Return code: 4-bit field containing codes that represent the result of the update query.
     Number of zone entries: the number of resource records in the zone section
     Number of prerequisite resource records
     Number of update resource records
     Number of additional resource records
     Zone entry
     Prerequisite resource records
     Update resource records
     Additional resource records
  5. EDNS0: Extension Mechanisms for DNS (EDNS0 as defined in RFC 2671) allow DNS requestors to advertise the size of their UDP packets and facilitate the transfer of packets larger than 512 bytes.
  6. How it is done: accept responses to pending queries. The response must arrive on the same port the request was sent from, otherwise the network stack will not deliver it. The question section must match the question, and the query ID must match the query ID. Guess the query ID: make sure a query was made to the victim server using, say, “attacker.com”. Because of the recursive query, and since the attacker is the authoritative server for attacker.com, the final query will come to his domain ns.attack.com, and the attacker can guess the query ID.
  7. http://en.wikipedia.org/wiki/AlterNIC, https://ripe66.ripe.net/presentations/164-ripe66-dns.pdf
     How it is done. A typical query works as follows.
       C: What is the IP of www.abc.com?
       S: www.abc.com IP is 199.181.132.250 (Answer RR); BTW cdn.beta.abc.cre.go.com is at 173.223.232.131 (non-related record) and cdm.media.abc.com is at 173.223.232.147 (non-related record)
     Keep using both of them and ignore any response within 1 hour (TTL). Add the fake record at this time. Make sure a query was made to the victim server using, say, “attacker.com”. Because of the recursive query, and since the attacker is the authoritative server for attacker.com, the final query will come to his domain ns.attack.com.
  8. 10 sec if you have a LAN connection
  9. 10 sec if you connect with LAN. Send a DNS referral saying that q001.paypal.com is the delegated server for www.paypal.com. The message ID can be made longer. OS -> gives some port; the name server uses that port again and again. Port has been added, like QPort  8000 etc. Rasian person get – 10 hourse. Use DNSSEC: asymmetric cryptography; administrators sign zone data; new RRs, signed zones, key generation, signing, re-signing. Dswet