3. DNS Intro
Domain Name System
DNS is a naming system that maps an "easily
remembered name" to a routable IP address for any
resource (host or service) connected to the Internet.
Example lookup:
Name: google.com
Addresses: 2607:f8b0:4005:802::1005
74.125.239.135, 74.125.239.137
Example implementations
Berkeley Internet Name Domain (BIND)
Microsoft DNS Server (Windows NT 4.0, Server 2003, Server 2008)
RFCs 882 and 883 (obsoleted by 1034 and 1035)
4. The Domain Name System's architecture is a database
and a set of protocols.
The database
Contains the data for any resource (or service), including
host names and domain names.
Is hierarchical.
Is distributed over multiple servers.
The protocol defines the mechanisms to
Query the database
Update the database
Replicate the information among the servers so that they keep
identical records
5. DNS Database
The hierarchical database is a tree in which
each node is either a branch or a leaf
A leaf holds information about a host/service
A branch is a domain (a namespace). Domain names
consist of dot-separated labels
e.g., mail.fortinet.com (labels "mail", "fortinet", "com")
DNS resource information is stored in the database in
the form of Resource Records (RR)
All RRs share a predefined format
There are many record types
FQDN
A fully qualified domain name (FQDN) identifies a node's
position in the DNS tree by spelling out the full path to the root
e.g., support.fortinet.com. (the "/home.aspx" part of a URL is
not part of the name and is never sent to DNS)
6. DNS's Database Structure
Second-level domain
The name an individual or organization registers for use on the Internet.
Example: fortinet.com, where "fortinet" is the organization name.
Subdomain:
An additional name an organization can create to divide
its domain by department, location, etc.
cs.yale.edu or support.fortinet.com
Host or resource name:
Identifies a specific resource or service
At least one IP address is associated with it.
Name: mail.fortinet.com
Address: 208.91.113.80
7. DNS's Database Structure
Root:
Top of the tree, written as a trailing dot "."
e.g., www.fortinet.com. (the final dot names the root)
Top-level domain:
The original generic TLDs are three letters and country codes are two;
newer generic TLDs can be longer.
Indicates the type of organization, the country, or the place
• com  Commercial organizations
• edu  Educational institutions
• org  Non-profit organizations
• net  Networks (originally the backbone of the Internet)
• gov  Government (non-military)
• mil  Military
• arpa Infrastructure, including reverse DNS (in-addr.arpa, ip6.arpa)
• "xx" Country codes such as us, au, ca
9. Resource Record fields
https://www.ietf.org/rfc/rfc1035.txt
Name      Owner name of the node
Type      RR type, 2 octets (16 bits)
Class     RR class, 2 octets (16 bits)
TTL       Time to live, 32-bit integer: the number of seconds the
          RR may be cached before it must be fetched again from an
          authoritative server
RDLENGTH  Length in octets of the RDATA field
RDATA     Variable-length data describing the resource, e.g. the
          IP address for address records, or the preference and
          host name for MX records
10. Resource record types (most used)
Type   Value  Class  Data
A      1      IN     Host IPv4 address for the owner name
                     F11 IN A 10.1.1.11
NS     2      IN     Owner name and the DNS name of an authoritative name server
                     . IN NS SRI-NIC.ARPA.
CNAME  5      IN     Canonical name for an alias (the owner name). The DNS lookup
                     continues by retrying the lookup with the new name.
                     ftp.fortinet.com. IN CNAME ftp1.fortinet.com.
SOA    6      IN     Start of a zone of authority; required in every zone file.
                     Primary name server and the mailbox of the person responsible
                     for the domain (owner name), serial number, refresh interval,
                     retry interval, expire time, minimum TTL
WKS    11     IN     Well-known service description
PTR    12     IN     Domain name pointer. Contains a textual name; it is bound to names
                     built from numeric IP addresses and used for reverse mapping
                     from an IP address to a textual name.
                     73.0.0.26.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
MX     15     IN     Mail exchange: owner name, preference and the DNS name (FQDN)
                     of a host that accepts SMTP mail for the domain.
                     SRI-NIC.ARPA. MX 0 SRI-NIC.ARPA.
TXT    16     IN     Text string. Originally free text; now this record more often
                     carries machine-readable data.
AAAA   28     IN     Host IPv6 address
11. Resource Record description
SOA Resource Records
Every zone contains a Start of Authority RR at the beginning of
the zone.
This record contains information about the
Owner
Minimum TTL (in modern resolvers, the TTL for negative answers)
Class and Type
Retry time a secondary server waits before retrying a failed refresh
Authoritative (primary) server, serial number (incremented on every
change), refresh interval, administrator mailbox, expire time and more
Example
noam.reskit.com. IN SOA (
    noamdc1.noam.reskit.com.       ; authoritative (primary) server for the zone
    administrator.noam.reskit.com. ; zone admin e-mail (responsible person)
    5099                           ; serial number
    3600                           ; refresh (1 hour)
    600                            ; retry (10 mins)
    86400                          ; expire (1 day)
    60 )                           ; minimum TTL (1 min)
http://www.zytrax.com/books/dns/ch6/mydomain.html
13. Reverse lookup
A reverse lookup is a query of the DNS for a domain name when the IP address is known.
The address is written with its octets reversed under IN-ADDR.ARPA and answered by a PTR record:
4.0.10.18.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.
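A worked example of the name tree (slides 5 to 7) and of reverse mapping (slide 13), added here by the editor and not part of the original slides: it splits an FQDN into labels, walks it up to the root, and builds the in-addr.arpa / ip6.arpa owner name that the PTR record for an address lives at, and back again. It relies only on the Python standard library; the names and addresses are the ones on the slides, and the IPv6 case goes beyond the slide's IPv4 example.

```python
import ipaddress


def labels(fqdn):
    """Labels of a name, root (the empty label after the final dot) excluded:
    'mail.fortinet.com.' -> ['mail', 'fortinet', 'com']."""
    name = fqdn.rstrip(".")
    return name.split(".") if name else []


def ancestors(fqdn):
    """The chain of domains from a node up to the root; a resolver walks it in
    the opposite direction, starting at the root servers.
    'mail.fortinet.com.' -> ['mail.fortinet.com.', 'fortinet.com.', 'com.', '.']."""
    parts = labels(fqdn)
    return [".".join(parts[i:]) + "." for i in range(len(parts))] + ["."]


def tld(fqdn):
    """Top-level domain label, or '.' for the root itself."""
    parts = labels(fqdn)
    return parts[-1] if parts else "."


def reverse_name(address):
    """Owner name of the PTR record for an address: IPv4 octets reversed under
    in-addr.arpa, IPv6 as its 32 hex nibbles reversed under ip6.arpa.
    Works for any valid address, not only the slide's examples."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_reverse_name(name):
    """Inverse of reverse_name(), e.g. for PTR owner names read from a zone file."""
    name = name.lower().rstrip(".")
    if name.endswith(".in-addr.arpa"):
        octets = name[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4:
            raise ValueError("not a full /32 reverse name: " + name)
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if name.endswith(".ip6.arpa"):
        nibbles = name[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32:
            raise ValueError("not a full /128 reverse name: " + name)
        hexstr = "".join(reversed(nibbles))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError("not a reverse-mapping name: " + name)


if __name__ == "__main__":
    for n in ("mail.fortinet.com.", "support.fortinet.com", "GW.LCS.MIT.EDU."):
        print(n, labels(n), ancestors(n), "tld:", tld(n))
    for a in ("10.18.0.4", "26.0.0.73", "2607:f8b0:4005:802::1005"):
        r = reverse_name(a)
        print(a, "->", r, "->", address_from_reverse_name(r))
```

The reverse name is computed rather than looked up, so the same function can be used to build PTR owner names when generating a reverse zone or to validate that a PTR owner name in a zone file actually corresponds to a whole address.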
14. DNS zones and zone files
The DNS scheme allows a namespace to be split into multiple
zones, each of which can be kept on a different server. The split into zones
helps
Performance
Delegation of management to departments
Each zone stores information about a DNS domain (or
subdomain)
A zone stores information about all names that end with
the zone's root domain name, except what is delegated to child zones, in a file called the "zone file"
A zone file contains multiple Resource Records; the first
record is the Start of Authority (SOA)
The SOA names the primary DNS name server
A zone file may also contain glue records (addresses of the name servers of delegated child zones)
15. Zone file example: the root zone as served by C.ISI.EDU (RFC 1034, section 6.1)
.   IN  SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
            870611      ;serial
            1800        ;refresh every 30 min
            300         ;retry every 5 min
            604800      ;expire after a week
            86400)      ;minimum of a day
        NS  A.ISI.EDU.
        NS  C.ISI.EDU.
        NS  SRI-NIC.ARPA.
MIL.    86400 NS  SRI-NIC.ARPA.
        86400 NS  A.ISI.EDU.
EDU.    86400 NS  SRI-NIC.ARPA.
        86400 NS  C.ISI.EDU.
SRI-NIC.ARPA.  A     26.0.0.73
               A     10.0.0.51
               MX    0 SRI-NIC.ARPA.
               HINFO DEC-2060 TOPS20
ACC.ARPA.      A     26.6.0.65
               HINFO PDP-11/70 UNIX
               MX    10 ACC.ARPA.
USC-ISIC.ARPA. CNAME C.ISI.EDU.
73.0.0.26.IN-ADDR.ARPA.  PTR SRI-NIC.ARPA.
65.0.6.26.IN-ADDR.ARPA.  PTR ACC.ARPA.
51.0.0.10.IN-ADDR.ARPA.  PTR SRI-NIC.ARPA.
52.0.0.10.IN-ADDR.ARPA.  PTR C.ISI.EDU.
103.0.3.26.IN-ADDR.ARPA. PTR A.ISI.EDU.
A.ISI.EDU. 86400 A 26.3.0.103
C.ISI.EDU. 86400 A 10.0.0.52
A line that starts with whitespace inherits the owner name of the previous record; the TTL and class fields are optional.
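An added example, not from the slides and not BIND's code: a small parser for the master-file format shown above (RFC 1035 section 5). It handles $ORIGIN and $TTL directives, owner names inherited from the previous line, the optional TTL and class fields in either order, ';' comments, and the parenthesised multi-line SOA. The sample zone embedded in it is the RFC 1034 root-zone fragment from slide 15, typed in as a constructed test input; names inside RDATA are kept exactly as written in the file.

```python
CLASSES = {"IN", "CH", "HS"}

# Constructed test input: the RFC 1034 root-zone fragment from slide 15.
SAMPLE_ZONE = """\
.   IN  SOA SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
            870611      ;serial
            1800        ;refresh every 30 min
            300         ;retry every 5 min
            604800      ;expire after a week
            86400)      ;minimum of a day
        NS  A.ISI.EDU.
        NS  C.ISI.EDU.
        NS  SRI-NIC.ARPA.
MIL.    86400 NS  SRI-NIC.ARPA.
        86400 NS  A.ISI.EDU.
EDU.    86400 NS  SRI-NIC.ARPA.
        86400 NS  C.ISI.EDU.
SRI-NIC.ARPA.  A     26.0.0.73
               A     10.0.0.51
               MX    0 SRI-NIC.ARPA.
               HINFO DEC-2060 TOPS20
ACC.ARPA.      A     26.6.0.65
               HINFO PDP-11/70 UNIX
               MX    10 ACC.ARPA.
USC-ISIC.ARPA. CNAME C.ISI.EDU.
73.0.0.26.IN-ADDR.ARPA.  PTR SRI-NIC.ARPA.
65.0.6.26.IN-ADDR.ARPA.  PTR ACC.ARPA.
51.0.0.10.IN-ADDR.ARPA.  PTR SRI-NIC.ARPA.
52.0.0.10.IN-ADDR.ARPA.  PTR C.ISI.EDU.
103.0.3.26.IN-ADDR.ARPA. PTR A.ISI.EDU.
A.ISI.EDU. 86400 A 26.3.0.103
C.ISI.EDU. 86400 A 10.0.0.52
"""


def _strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text):
    """Yield (owner_omitted, tokens); a record spanning '(' ... ')' is joined."""
    buf, depth, omitted = [], 0, False
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not buf:
            if not line.strip():
                continue
            omitted = raw[:1] in (" ", "\t")     # leading blank: inherit owner
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf, depth = [], 0
            if tokens:
                yield omitted, tokens


def _absolute(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin.lstrip(".")


def parse_zone(text, origin=".", default_ttl=None):
    """Parse master-file text into (owner, ttl, class, type, rdata) tuples."""
    records, owner, ttl_default = [], None, default_ttl
    for omitted, tokens in _logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            ttl_default = int(tokens[1])
            continue
        if not omitted:
            owner, tokens = _absolute(tokens[0], origin), tokens[1:]
        if owner is None:
            raise ValueError("first record has no owner name")
        ttl, rclass = ttl_default, "IN"
        while tokens and (tokens[0].isdigit() or tokens[0] in CLASSES):
            tok = tokens.pop(0)             # TTL and class may appear in either order
            if tok.isdigit():
                ttl = int(tok)
            else:
                rclass = tok
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if rtype == "SOA" and ttl is None:
            ttl = ttl_default = int(tokens[-1])   # old rule: SOA minimum is the default TTL
        records.append((owner, ttl, rclass, rtype, rdata))
    return records


def lookup(records, name, rtype):
    """RDATA of every record with this owner and type (names are case-insensitive)."""
    name, rtype = name.lower(), rtype.upper()
    return [r[4] for r in records if r[0].lower() == name and r[3] == rtype]


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    for rr in zone:
        print(rr)
    print("root NS:", lookup(zone, ".", "NS"))
    print("PTR for 26.0.0.73:", lookup(zone, "73.0.0.26.IN-ADDR.ARPA.", "PTR"))
```

The parser returns plain tuples so the result can be fed into a diff against a zone transfer or a review script; a real loader would additionally validate RDATA per type and resolve relative names inside RDATA against $ORIGIN.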
16. Zone transfer
A zone transfer copies the zone data
from one DNS server (the primary) to a second DNS server (a secondary).
There are two types of zone replication:
Full zone transfer (AXFR) replicates the entire zone.
Incremental zone transfer (IXFR) replicates only the
records that changed since the secondary's SOA serial.
Zone transfers run over TCP. An unrestricted AXFR hands anyone a complete inventory of the zone,
so restrict which addresses may transfer (for example BIND's allow-transfer) and authenticate transfers with TSIG.
18. Authoritative, non-authoritative and caching
Authoritative DNS
Is the authoritative source for every query made for the zone; its records were
configured by the original source. The same DNS server can be
primary for one zone and secondary for another.
A secondary server can also answer authoritatively, which allows load
balancing.
Non-authoritative
Not a delegated server for the zone in question, but it holds record information
obtained from other servers.
It cannot respond to requests in an authoritative manner.
Caching
If a DNS server receives a request for a record it does not have, it performs a
recursive query to get the information.
The server holds this information locally in temporary storage called the cache.
The data is only served while its time-to-live (TTL) is greater than 0.
A server sets the AA (authoritative answer) bit only when the data comes from a zone it is
authoritative for; anything served from cache is non-authoritative.
19. DNS server types
Root name server:
The top-level server; it provides the information about the top-level domains. The list of
root servers is at http://www.root-servers.org/
Primary server (or master)
When a domain name is registered with a registrar, the registrant must give the address
of a primary and at least one secondary server.
A primary server's zone file is updated from a local source, whereas a
secondary (slave) gets its data from an external source (the master, or another secondary). That is,
the master DNS server is the authoritative server for one or more zones.
A zone can have any number of masters; the only condition is that the zone files must
be kept synchronized.
With multiple masters, one server is the primary master.
A master responds to queries with the AA bit set if it is authoritative for that
zone.
Delegation: "I know of the zone you are asking for, and I know how to find it." When a
name server does not have the contents of a zone but knows who does, it is
said to delegate service of that zone to another name server.
20. Primary and secondary server
Figure: the primary server holds the zone file and answers requests; the secondary server keeps its own copy of the zone file and updates it from the primary based on the SOA serial number.
21. DNS server types
Secondary (or slave)
Holds a read-only copy of the primary's zone.
Gets the zone data with a zone transfer operation.
Provides load balancing and fault tolerance.
Responds authoritatively for every zone for which it is configured as
a secondary, as well as for the zones it is primary for.
Record refresh
A secondary refreshes its zone when the SOA refresh interval elapses, by comparing serial numbers.
If it cannot reach the primary before the SOA expire time is reached, it stops
answering queries for that zone.
Zone changes are propagated (NOTIFY) to all the servers listed in the NS
records of the zone file.
BIND originally named this role "slave"; later versions call it "secondary".
22. DNS server types
A slave can be a master
The slave can be public-facing while the real master stays
hidden (a hidden primary).
To provide resilience, two such servers are needed; in that case
one slave gets zone information from the real master and the other
can get it from the "pretend" master.
Stub
A read-only copy of the primary zone limited to the resource records
that identify the DNS servers that are authoritative for the
domain (SOA, NS and their glue addresses).
Forwarding DNS
A forwarding, proxy, client or remote server simply forwards
requests to another DNS server.
It caches the answers and so responds quickly to repeated queries.
Useful on slow networks.
23. DNS protocol
Protocol
Mostly carried over UDP port 53; TCP port 53 is used for zone transfers and for
responses too large for UDP (the server sets the TC bit and the client retries over TCP).
Request/response system
Response in one message
Types of messages
Queries
Responses
Updates
24. Query
A query can be sent by
A client to a DNS server
One server to another
There are two types of DNS queries:
Recursive
Mostly DNS clients (stub resolvers) make this kind of query. The DNS server
responds either with local information or by asking
other servers on the client's behalf until it has a final answer.
Iterative
The server responds with the best information it has locally, either from its zone
files or from its cache.
If the DNS server is not authoritative for that name, the
response is a referral to servers closer to the answer.
25. Query
When a DNS server receives a query for a
resource, it answers as follows
If it is master for that zone: from the zone, with AA set
If it is a slave that has the record (or a cached copy) that is not
expired: from that data
If it is neither master nor slave, it acts as
configured:
If caching and recursive queries are allowed, the server
resolves the name itself and responds with the answer or an error.
If caching is allowed but only iterative queries, the server
responds with the best local data, typically a referral.
If no caching is allowed, the server returns a referral or
an error.
26. DNS recursive query example
Figure: resolver; ISP local recursive name server (recursion desired = 1); "." (root) name server; com name server; abc.com name server.
1. The ISP's name server knows that it is not authoritative for abc.com, so it cannot look the name up in its local zone database. It also does not find the name in its cache of recently seen data.
2. It asks a root server: IP for www.abc.com?
3. The root server answers with a referral to the next server that may know (the com servers).
4. It asks a com server: IP for www.abc.com?
5. The com server still does not know, and refers it to one of the authoritative servers for abc.com.
6. It asks the abc.com server: IP for www.abc.com?
7. The abc.com server answers: the IP is 1.2.3.4.
8. The recursive server adds this to its own cache and returns the answer to the resolver.
Steps 2 to 7 are iterative queries; the exchange between the resolver and the ISP server (steps 1 and 8) is the recursive query. The answer relayed to the resolver is non-authoritative.
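The walk on slide 26, as an added simulation that is not part of the original slides: a toy recursive resolver that starts from a root hint, follows NS referrals together with their glue addresses, caches the final answer with its TTL, and reports a cache hit on the second lookup. The zones, server names and 192.0.2.x (TEST-NET) addresses are constructed for the example; 198.41.0.4 is the A root address from the speaker notes and 1.2.3.4 is the answer on the slide.

```python
import time

# Constructed toy Internet: three authoritative servers, one zone each.
# NS records come with glue A records, as real referrals do. The TEST-NET
# addresses (192.0.2.x) and the gTLD/abc.com server names are assumptions.
ROOT_HINTS = [("a.root-servers.net.", "198.41.0.4")]
ZONES = {
    ".": {"com.": [("NS", "a.gtld-servers.net.")],
          "a.gtld-servers.net.": [("A", "192.0.2.1")]},          # glue
    "com.": {"abc.com.": [("NS", "ns1.abc.com.")],
             "ns1.abc.com.": [("A", "192.0.2.53")]},             # glue
    "abc.com.": {"www.abc.com.": [("A", "1.2.3.4")]},
}
SERVER_ZONE = {"198.41.0.4": ".", "192.0.2.1": "com.", "192.0.2.53": "abc.com."}
TTL = 300


def ask_authoritative(server_ip, qname, qtype):
    """One iterative query. Returns ("answer", rdata_list) with AA set,
    ("referral", [(ns_name, ns_ip)]) when the server only holds a delegation
    enclosing qname, or ("nxdomain", []) when the name does not exist."""
    data = ZONES[SERVER_ZONE[server_ip]]
    rrs = [rd for t, rd in data.get(qname, []) if t == qtype]
    if rrs:
        return "answer", rrs
    # closest enclosing delegation below this zone (longest NS owner that encloses qname)
    cuts = [n for n, recs in data.items()
            if qname.endswith("." + n) and any(t == "NS" for t, _ in recs)]
    if not cuts:
        return "nxdomain", []
    cut = max(cuts, key=len)
    return "referral", [(ns, data[ns][0][1]) for t, ns in data[cut] if t == "NS"]


class RecursiveResolver:
    """The ISP's recursive server on slide 26: walks referrals from the root on
    behalf of a stub resolver and caches what it learns."""

    def __init__(self):
        self.cache = {}   # (qname, qtype) -> (rdata_list, expiry)

    def resolve(self, qname, qtype="A", now=None):
        """Returns (rdata_list, from_cache, trace). The stub always receives this
        answer with AA=0; only the final authoritative server's reply carried AA=1."""
        now = time.time() if now is None else now
        hit = self.cache.get((qname, qtype))
        if hit and hit[1] > now:
            return hit[0], True, ["cache hit"]
        trace, servers = [], ROOT_HINTS
        for _ in range(16):                     # guard against delegation loops
            ns_name, ns_ip = servers[0]         # real resolvers pick one, often by RTT
            kind, payload = ask_authoritative(ns_ip, qname, qtype)
            trace.append(f"{ns_name} -> {kind}")
            if kind == "answer":
                self.cache[(qname, qtype)] = (payload, now + TTL)
                return payload, False, trace
            if kind == "nxdomain":
                return [], False, trace
            servers = payload                   # follow the referral
        raise RuntimeError("too many referrals")


if __name__ == "__main__":
    r = RecursiveResolver()
    for t in (0, 60, TTL + 1):
        rdata, cached, trace = r.resolve("www.abc.com.", "A", now=t)
        print(f"t={t}: {rdata} cached={cached} via {trace}")
```

The third lookup in the usage block, one second after the TTL, walks the referral chain again: that expiry is what bounds how long a poisoned cache entry (slides 37 to 42) survives.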
27. DNS protocol
Message layout
Header (12 bytes)
Question (variable)
Answer (variable)
Authority (variable)
Additional (variable)
Questions are Name, Type, Class.
Answers are RRs that match the Name, Type and Class; if several RRs
share the same owner name there can be multiple answers.
Authority RRs point toward an authoritative server (NS records, or the SOA in a negative answer).
Additional RRs are records that may be useful to the client, such as the glue addresses
of the name servers listed in the Authority section.
28. Resource record layout in a message
Name (variable)
Name of the object, domain or zone that all the information in this record
is associated with. Often compressed as a pointer to an earlier copy of the name in the message.
Type (2 bytes)
Code value specifying the type of resource record.
Class (2 bytes)
Class of the resource record.
Time to Live (4 bytes)
Number of seconds the record may be retained in a cache.
RDLength (2 bytes)
Size of the RData field, in bytes.
Resource Data (variable)
Data portion of the resource record.
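An added example, not from the slides: the 12-byte header, the question and the resource-record layout of slides 27 and 28, encoded and decoded with Python's struct module, including the 0xC0xx name-compression pointer that real responses use for the answer's owner name. The query ID, the name and the answer address are constructed (the address is the one on slide 26).

```python
import struct

TYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAME = {v: k for k, v in TYPE.items()}
CLASS_IN = 1


def encode_name(name):
    """Labels as <len><bytes>..., terminated by the zero-length root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            if len(label) > 63:
                raise ValueError("label too long")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qid, qname, qtype="A", rd=True):
    """Header (ID, flags, QDCOUNT=1, AN/NS/ARCOUNT=0) plus one question."""
    flags = 0x0100 if rd else 0                # QR=0, OPCODE=0, RD as requested
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE[qtype], CLASS_IN)


def decode_name(msg, offset):
    """Read a possibly compressed name; returns (name, offset after it).
    A 0xC0xx pointer jumps to an earlier copy; only the first pointer advances the caller."""
    labels, jumped, end = [], False, None
    for _ in range(128):                       # bound the walk
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:              # only backward pointers: no loops
                raise ValueError("forward compression pointer")
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name too long")
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_message(msg):
    """Header flags, question and all three RR sections as a dict."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": qid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
           "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
           "ra": flags >> 7 & 1, "ad": flags >> 5 & 1, "cd": flags >> 4 & 1,
           "rcode": flags & 0xF, "questions": [], "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, TYPE_NAME.get(qtype, qtype), qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == TYPE["A"] and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            elif rtype in (TYPE["NS"], TYPE["CNAME"], TYPE["PTR"]):
                rdata = decode_name(msg, off)[0]   # RDATA names may be compressed too
            off += rdlen
            out[section].append((name, TYPE_NAME.get(rtype, rtype), ttl, rdata))
    return out


def build_response(query, answers, aa=False):
    """Answer a query: copy the ID, set QR and RA (and AA if asked), echo the question,
    then append A records whose owner is a 0xC00C pointer to the question name at offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100
    flags = 0x8000 | rd | 0x0080 | (0x0400 if aa else 0)
    body = b""
    for ttl, ip in answers:
        body += b"\xc0\x0c" + struct.pack("!HHIH", TYPE["A"], CLASS_IN, ttl, 4)
        body += bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0) + query[12:] + body


if __name__ == "__main__":
    q = build_query(0x1234, "www.abc.com.")
    print(q.hex())
    print(parse_message(build_response(q, [(300, "1.2.3.4")], aa=True)))
```

Every field the cache-poisoning slides later rely on is visible here: the 16-bit ID that a forged reply must match, the question that must be echoed, and the flag bits (AA, RD, RA, AD/CD) the resolver checks before it trusts the answer.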
30. DNS update message
The DNS update message format uses a header
defining the update operation to be performed
and a resource record set that contains the
update.
34. DNS Security Extensions
DNSSEC adds four new resource record types:
Resource Record Signature (RRSIG),
DNS Public Key (DNSKEY),
Delegation Signer (DS), and
Next Secure (NSEC); see RFC 4034.
Two new DNS header flags:
Checking Disabled (CD)
Authenticated Data (AD)
To support DNSSEC
A DNSSEC OK (DO) bit in the EDNS header, so a resolver
can indicate that it wants DNSSEC RRs in the response.
DNSSEC therefore requires EDNS0 support (RFC 2671): with
DNSSEC RRs added, the message size can exceed 512 bytes.
These larger responses are a potential DDoS amplification vector.
35. DNS Security Extensions
DNSSEC adds security to the Domain Name
System.
DNSSEC was created to protect DNS against
Internet attacks such as DNS cache poisoning.
It is a set of extensions to DNS that provides
Origin authentication of DNS data
Data integrity (not confidentiality)
Authenticated denial of existence
36. DNS attacks
DNS DDoS attacks
The percentage of attacks targeting DNS (72%) is a little lower than
for HTTP (82%).
DNS attacks include
DNS cache poisoning
The attacker injects malicious DNS data into recursive DNS servers and
redirects all traffic for a name to a server of their choosing.
UDP flood
DNS software exploits
Man in the middle: the attacker controls one or more authoritative DNS
servers for a domain and sniffs or alters the traffic.
DNS tunneling
Amplification
37. DNS cache poisoning attacks
Once a record is cached, the cache can be made to hold a fake record instead.
What is DNS cache poisoning
An attempt to insert a fake address record for an Internet
domain.
The server keeps it in its cache, or passes it on to a caching
server.
If it succeeds, the subscriber's connection is redirected
to a fake server/location.
The user may not suspect anything because the URL looks correct.
The fake record can spread to other DNS servers.
38. Kashpureff attack (BIND name server)
1. In 1997 four people, including Kashpureff, started a DNS service called AlterNIC.
2. They used recursive name servers to alter caches.
3. The (evil) resolver asked the recursive server for a name that only the alternative server could answer, so the
recursive server went to that server to resolve the query.
4. The AlterNIC server sent the answer, but at the same time included "additional records" with
completely unrelated resource records in its reply to the recursive server, for example a record for
www.fooback.com.
5. The recursive server kept that data in its cache and passed it to any host that queried for it.
6. Hosts went to a fake website, resolved by AlterNIC or by any other attacker-controlled DNS server.
7. Solution:
1. A BIND patch that no longer accepts unrelated resource records (only records within the answering server's bailiwick).
Figure: resolver -> DNS recursive (cache) server -> alternate server (AlterNIC), steps 1 to 4.
39. DNS cache poisoning attacks: message ID
A DNS server believes a response if its query ID matches a pending query.
Those message IDs (QIDs) were not random enough.
Most systems use a pseudo-random number generator, and most of the time the next
"random" number is quite predictable.
How it is done
The resolver accepts responses only to pending queries:
the response must arrive on the same port the request was sent from, otherwise the network stack will not deliver it;
the question section must match the question;
the query ID must match the query ID.
Send a normal query (for a name the attacker's own server answers) and observe the query ID.
Now guess the query ID of the next query.
Make the victim resolve some valuable domain, such as bankofamerica.com.
The recursive server sends a request to resolve this name.
The attacker spoofs responses for the next 20 possible QIDs and sends them to the DNS server.
Those responses must arrive before the real response comes back.
If successful, the fake address has been inserted.
Solution: a BIND patch that randomizes the QID.
40. Victim name server with spoofed QID
Mitigation: randomize the query ID.
42. Dan Kaminsky attack
The possible QIDs: 65536 (16 bits). They can be brute-forced.
The birthday paradox applies: the probability that two people in a group share a
birthday grows much faster than intuition suggests (over 50% with only 23 people).
The probability that no two of n people share a birthday is
p(n) = (364/365) * (363/365) * ... * ((366-n)/365),
so the probability of a shared birthday is 1 - p(n).
With 20 people the chance that two share a birthday is about 41%.
Hijack the authority records
Same as before, but rather than an "A" record the forged reply adds a delegation to
another name server via Authority records: "ask this DNS server, it might know".
That server is owned by the attacker.
The authority data may well contain the
"real" bankofsteve.com name server host names, but the glue points
those name servers at bad-guy IPs. This is the crucial poisoning,
because a query-ID match means that the victim believes that the bad guy's
name servers are authoritative for bankofsteve.com.
The bad guy now owns the entire zone.
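The probabilities behind slides 39 and 42, as an added example not taken from the slides or from Kaminsky's presentation: the birthday formula, the per-race chance of forging k replies against a 16-bit query ID with and without extra source-port entropy, and a simulation of the query-ID-guessing procedure of slide 39 against a resolver with a sequential ID counter versus one drawing IDs from the OS random generator. The resolver classes and the domain names in the comments are constructed for the example.

```python
import random

ID_BITS = 16
ID_SPACE = 1 << ID_BITS


def birthday_prob(n, days=365):
    """P(at least two of n people share a birthday) = 1 - prod((days - i) / days)."""
    p_none = 1.0
    for i in range(n):
        p_none *= (days - i) / days
    return 1.0 - p_none


def spoof_success_prob(guesses, id_bits=ID_BITS, port_bits=0):
    """One race: the attacker fires `guesses` forged replies, each with a distinct
    (query ID, port) pair, before the real reply lands. Exact for distinct guesses."""
    space = 1 << (id_bits + port_bits)
    return min(1.0, guesses / space)


def expected_races(guesses, id_bits=ID_BITS, port_bits=0):
    """Kaminsky-style attacks retry with a fresh random subdomain each time, so a
    lost race costs nothing but time: expected number of races until success."""
    return 1.0 / spoof_success_prob(guesses, id_bits, port_bits)


class SequentialQidResolver:
    """Resolver whose query IDs are a predictable counter, as on slide 39."""

    def __init__(self, seed):
        self.next_id = seed % ID_SPACE

    def new_query_id(self):
        qid = self.next_id
        self.next_id = (qid + 1) % ID_SPACE
        return qid


class RandomQidResolver:
    """Resolver drawing query IDs from the OS CSPRNG (the BIND fix on slide 39)."""

    def __init__(self):
        self.rng = random.SystemRandom()

    def new_query_id(self):
        return self.rng.getrandbits(ID_BITS)


def poisoning_race(resolver, window=20):
    """Attacker: (1) make the resolver look up a name in the attacker's own zone, so
    the attacker's name server sees one live query ID; (2) trigger a lookup of the
    victim name; (3) forge replies carrying the next `window` IDs. True if one matches."""
    observed = resolver.new_query_id()          # query that reached ns.attacker.example
    victim_qid = resolver.new_query_id()        # resolver's query for bankofsteve.com
    forged = {(observed + i) % ID_SPACE for i in range(1, window + 1)}
    return victim_qid in forged


def success_rate(resolver_factory, trials=2000, window=20):
    wins = sum(poisoning_race(resolver_factory(), window) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    print("birthday: 20 people %.3f, 23 people %.3f" % (birthday_prob(20), birthday_prob(23)))
    print("20 forged replies vs 16-bit QID: p=%.6f, expected races %.0f"
          % (spoof_success_prob(20), expected_races(20)))
    print("same with ~2^11 random source ports: expected races %.0f"
          % expected_races(20, port_bits=11))
    seq = lambda: SequentialQidResolver(random.randrange(ID_SPACE))
    print("sequential-QID resolver poisoned in %.0f%% of races" % (100 * success_rate(seq)))
    print("random-QID resolver poisoned in %.2f%% of races" % (100 * success_rate(RandomQidResolver)))
```

The numbers show why the Kaminsky variant mattered even after query IDs were randomized: a 1-in-3276 race that can be replayed without waiting for a TTL is won in minutes, while adding 11 bits of source-port entropy multiplies the expected number of races by 2048 and adding 16 bits makes it impractical.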
44. Kaminsky attack fix and DNSSEC
The query ID is only 16 bits, so it is easy to get into trouble.
Fix: randomize the source port as well.
Even an ephemeral range of about 2,000 ports (roughly 2^11) multiplies the space the attacker
has to guess by that much; the full 16-bit port range brings it to about 2^32.
Kaminsky attack
DNS was so trusting that anyone could insert a record.
Signed records: a resolver accepts a record only if the publisher can prove who it is,
with a signature that chains up to a trusted key.
Trust rests on keys (the slide calls them certificates) and a trust anchor.
Hard to deploy, and the keys must be rolled over.
45. Modern DDoS attacks: amplification
Example of a DNS attack
Reflection and amplification
Reflection
Spoof the victim's address as the source of a DNS query.
Use a bot army so that the DNS servers send their replies to the victim's address.
Amplification
Send a small query that results in a much larger reply. A
simple 64-byte query can produce a 400-byte response.
Example query
dig ANY abc.com @208.67.220.220
Response (captured for sjsu.edu; most of the output deleted)
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> ANY sjsu.edu @208.67.220.220
;; global options: +cmd
--many lines are deleted--
;; Query time: 14 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Wed Aug 13 17:01:06 2014
;; MSG SIZE  rcvd: 394
46. Modern DDoS attacks: amplification
How it is achieved
Many open resolvers on the Internet.
Use DNS TXT resource records (or ANY queries), which return large answers.
The DNSSEC protocol extension is used, since by nature
those records are big.
The amplification factor is approximately 70.
Use the bot army to spoof the victim's address, send recursive queries to open
resolvers, look for large TXT responses and keep sending those requests.
48. Solutions
Anycast
A network addressing and routing methodology in which datagrams from a
single sender are routed to the topologically nearest node in a group of
potential receivers.
Use anycast for DNS
Because in a distributed DNS server environment only some DNS servers
will come under attack, while the other servers, and the DNS service overall, remain available.
Identify and block
RRL (Response Rate Limiting):
RRL helps mitigate DNS denial-of-service attacks by reducing the rate at which authoritative servers
respond to high volumes of malicious queries. The RRL mechanism is part of BIND 9.10, and was
available as a software build option in BIND 9.9.4.
A DDoS detection rule
If requests show a pattern such as the same source, same name, class and type, they are most likely an
attack (in a normal scenario, once a query is made it is cached on the non-authoritative servers
and will not be sent again and again).
Limit the number of responses for that source.
49. Solutions
Very short TTL and heavy response
Message size
Watch for large responses; make large query types (such as ANY) be
re-transmitted using TCP (truncate the UDP reply, TC bit).
Force the client to use a TCP connection, which a spoofed source cannot complete.
RFC 2827 (BCP 38)
Our ISP should follow Best Current Practice 38 on its network and
watch the traffic.
According to BCP 38, a packet whose source address does not belong to the internal network
should not be allowed to leave the internal network (filtering of spoofed sources).
Non-existent domains
Negative responses (NXDOMAIN) are rate limited as well; BIND's RRL counts them separately.
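An added example of the rate-limiting heuristic from slide 48 (same source, same name, class and type, repeated), modelled on the BIND RRL behaviour described there but not BIND's code: query-log lines in BIND's query-log style are parsed, identical (client /24, qname, qtype) tuples are counted in a sliding window, and responses above the limit are dropped or "slipped" (answered with a truncated reply that forces a TCP retry, which a spoofed source cannot complete). The log lines are constructed; in a reflection attack the "client" address is the victim, so limiting replies to it is what protects the victim.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+): "
                     r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)$")


def parse_line(line):
    """Parse one BIND-style query-log line; returns None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    q = m.groupdict()
    q["ts"] = datetime.strptime(q["ts"], "%d-%b-%Y %H:%M:%S.%f").timestamp()
    return q


class ResponseRateLimiter:
    """Sliding-window limiter keyed the way RRL keys it: (client /24, qname, qtype).
    Above `limit` responses per `window` seconds, every `slip`-th excess response is
    sent truncated (TC=1) so a real client retries over TCP; the rest are dropped."""

    def __init__(self, limit=5, window=1.0, slip=2):
        self.limit, self.window, self.slip = limit, window, slip
        self.hist = defaultdict(deque)      # key -> timestamps inside the window
        self.excess = defaultdict(int)

    @staticmethod
    def key(q):
        src = q["src"]
        if "." in src:                       # IPv4: aggregate to /24 like RRL's default
            src = ".".join(src.split(".")[:3]) + ".0/24"
        return (src, q["qname"].lower(), q["qtype"].upper())

    def decide(self, q):
        """'answer', 'slip' (truncated reply) or 'drop' for one query."""
        k, now = self.key(q), q["ts"]
        dq = self.hist[k]
        while dq and now - dq[0] > self.window:
            dq.popleft()
        dq.append(now)
        if len(dq) <= self.limit:
            return "answer"
        self.excess[k] += 1
        return "slip" if self.slip and self.excess[k] % self.slip == 0 else "drop"


def rrl_report(log_text, **kw):
    """Run the limiter over a log and count decisions per key."""
    rrl, counts = ResponseRateLimiter(**kw), defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        q = parse_line(line)
        if q:
            counts[rrl.key(q)][rrl.decide(q)] += 1
    return {k: dict(v) for k, v in counts.items()}


def flood(n, src="198.51.100.7", qname="sjsu.edu", qtype="ANY"):
    """Constructed log lines: n identical ANY queries within one second, the
    pattern of a reflection attack where `src` is really the spoofed victim."""
    return "\n".join(
        f"13-Aug-2014 17:01:06.{i:03d} client {src}#53124: query: {qname} IN {qtype} +E"
        for i in range(n))


# Constructed sample: a 60-query ANY flood plus two ordinary queries from another client.
SAMPLE_LOG = flood(60) + """
13-Aug-2014 17:01:06.900 client 203.0.113.9#40111: query: www.sjsu.edu IN A +
13-Aug-2014 17:01:07.100 client 203.0.113.9#40111: query: mail.sjsu.edu IN MX +
not a query log line"""

if __name__ == "__main__":
    for key, counts in rrl_report(SAMPLE_LOG, limit=5, window=1.0, slip=2).items():
        print(key, counts)
```

The same keying can be run offline over an existing query log to size the limit before enabling RRL: legitimate caching resolvers rarely repeat an identical (source, name, type) within a second, so keys that do are the ones worth inspecting.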
50. References
Dan Kaminsky's Black Hat presentation (PowerPoint): excellent reading.
DNS and BIND, O'Reilly: the definitive book on DNS.
TCP/IP Illustrated, Volume 1: The Protocols, W. Richard Stevens: the definitive book on TCP/IP.
DNS cache poisoning at Wikipedia
http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
http://securityaffairs.co/wordpress/3184/cyber-crime/anonymous-dns-amplification-attacks-for-operation-global-blackout.html
AlterNIC: http://en.wikipedia.org/wiki/AlterNIC
https://ripe66.ripe.net/presentations/164-ripe66-dns.pdf
Speaker notes
Resources are URLs and e-mail addresses.
C.ISI.EDU is a name server for the root, MIL,
All recursive name servers are preconfigured with a list of 13 root servers.
Root hints
A.ROOT-SERVERS.NET. IN A 198.41.0.4
B.ROOT-SERVERS.NET. IN A 192.228.79.201
...
M.ROOT-SERVERS.NET. IN A 202.12.27.33
The name server picks one at random and sends off the query for the A record.
Identification: a 16-bit identifier,
copied into the reply so the requester can match it to the request.
Flags: 16-bit DNS update message flags.
Request/response: 1-bit field, 0 for an update request and 1 for an update response.
Operation code: 4-bit field set to 0x5 for DNS updates.
Reserved: 7-bit reserved field set to 0.
Return code: 4-bit field containing codes that represent the result of the update query. The codes are as follows:
Number of zone entries: the number of resource records in the zone section.
Number of prerequisite resource records.
Number of update resource records.
Number of additional resource records.
Zone entry.
Prerequisite resource records.
Update resource records.
Additional resource records.
EDNS0: Extension Mechanisms for DNS (RFC 2671) lets requesters advertise the UDP payload size they can accept, so that messages larger than 512 bytes can be carried over UDP.
How it is done
The resolver accepts responses only to pending queries:
the response must arrive on the same port the request was sent from, otherwise the network stack will not deliver it;
the question section must match the question;
the query ID must match the query ID.
Guessing the query ID
Make sure a query is sent to the victim server for a name in a domain the attacker controls, say attacker.com.
Because of the recursive query, and since the attacker is authoritative for attacker.com, the final query arrives at the attacker's own name server ns.attacker.com,
so the attacker sees a live query ID and can guess the next one.
How it is done
A typical query works as follows.
C: What is the IP of www.abc.com?
S: www.abc.com IP is 199.181.132.250 (Answer RR); BTW cdn.beta.abc.cre.go.com is at 173.223.232.131 (unrelated record)
and cdm.media.abc.com is at 173.223.232.147 (unrelated record). Keep using both of them and ignore any response within 1 hour (TTL).
The fake record is added at this point.
Make sure a query is sent to the victim server for a name under, say, attacker.com.
Because of the recursive query, and since the attacker is authoritative for attacker.com, the final query arrives at ns.attacker.com.
About 10 seconds if you have a LAN connection.
Send a forged referral saying that q001.paypal.com is delegated to a server named www.paypal.com (authority records plus glue).
The message ID could be made longer.
The OS hands the name server a source port, and the name server reused that port again and again.
The source port was then added to the entropy, e.g. a query port of 8000, etc.
A Russian researcher reportedly still succeeded in about 10 hours.
Use DNSSEC
Asymmetric cryptography
Administrators sign the zone data
New RRs, signed zones, key generation, signing and re-signing, DS set