Presentation on the operation of DNS and different methods of cache poisoning

1. DNS cache poisoning
Christiaan Ottow, christiaan.ottow@pine.nl

2. Contents
• Overview of DNS
• About cache poisoning
• Timeline of vulnerabilities
• Counter-measures

3. Overview of DNS

4. DNS overview
• Name to IP and IP to name translation
• 1983 by IETF
• 114 RFCs
• TCP & UDP port 53
• Key concept: authoritative and recursive (caching) DNS
servers

5. DNS - servers
• Authoritative server
• Responsible for one or more zones
• Answers queries based on its zones
• Recursing server (resolver, recursor, cache)
• No records of its own, just cache
• Queries authoritative servers for the answer

6. DNS - zones
• Zone
• Domain name, e.g. pine.nl
• Contains resource records (RRs)
• Stored on authoritative servers
• Usually master and slave(s)
• SOA record
• E-mail, serial, refresh, retry, expire, minTTL

7. DNS - records
• Records are the actual mappings of hostnames to IP addresses
• Different types, not all give an IP address
• Common: A, AAAA, NS, CNAME, MX
• Examples
• pine.nl. 86400 IN A 213.156.1.80
• www.pine.nl. 86400 IN CNAME sechost.pine.nl.
• pine.nl. 86400 IN MX 1 mx.pine.nl.

8. DNS - Wire format
• Server on UDP/TCP port 53 (TCP for large query/response)
• Transaction ID
• Flags
• e.g. recursion desired, authoritative, is-response, truncated
• Sections
• Question, Answer, Authority, Additional

9. DNS - Wire format

10. DNS - operation
Root server
pine.nl A ? k.root-servers.net
nl. NS ns1.nic.nl
ns1.nic.nl A 193.176.144.2
pine.nl A ?
pine.nl A ?
pine.nl NS ns1.pine.nl
Client Resolver ns1.pine.nl A 213.156.2.1 ccTLD server
pine.nl A 213.156.1.80 ns1.nic.nl
pine.nl A? pine.nl A 213.156.1.80
Authoritative server
ns1.pine.nl

11. DNS - operation
• Every server is asked the same question
• Every server responds with what it knows towards the
answer
• Only the definitive answer is given in the “answer” section
• A server may give additional info with its response
• auth section: “NS for nl. is ns1.nic.nl.”
• additional section: “ns1.nic.nl is at 193.176.144.2”

12. DNS - operation
Authority section
Root server
pine.nl A ? k.root-servers.net
Additional section
nl. NS ns1.nic.nl
ns1.nic.nl A 193.176.144.2
pine.nl A ?
pine.nl A ?
pine.nl NS ns1.pine.nl
Client Resolver ns1.pine.nl A 213.156.2.1 ccTLD server
pine.nl A 213.156.1.80 ns1.nic.nl
pine.nl A? pine.nl A 213.156.1.80
Authoritative server
ns1.pine.nl
Answer section

13. DNS - operation

14. DNS - operation
• What if nameserver voor pine.nl is ns1.pine.nl?

15. DNS - operation
• What if nameserver voor pine.nl is ns1.pine.nl?
• Glue records

16. DNS - operation
• What if nameserver voor pine.nl is ns1.pine.nl?
• Glue records
• Additional section

17. DNS - operation
• What if nameserver voor pine.nl is ns1.pine.nl?
• Glue records
• Additional section
• Extra info the server has that you will probably need

18. DNS - operation
• What if nameserver voor pine.nl is ns1.pine.nl?
• Glue records
• Additional section
• Extra info the server has that you will probably need
• Prevents an endless loop

19. On cache poisoning

20. Poisoning - what?
• Entering specific (non-authoritative) RRs into a resolver
cache
• Resolver will provide this information to all clients that query
it

21. Poisoning - why?
• Suppose Alice wants to login to secure.bank.net
• Eve has poisoned her resolver’s cache
• secure.bank.net may now resolve to the address of Eves
computer
• DNS cache poisoning results in MITM attacks or excellent
phishing

22. Poisoning - how?
• Faulty protocol implementations
• Send unauthoritative additional RRs
• Reply before authoritative answer
• Brute force - for n replies, n/65535 success rate for static
port
• Birthday attack
• Weak PRNG exploitation

23. Poisoning - brute force

24. Poisoning - brute force
• Resolver uses UDP, thus stateless

25. Poisoning - brute force
• Resolver uses UDP, thus stateless
• Reply as the authoritative server would but with different
answer

26. Poisoning - brute force
• Resolver uses UDP, thus stateless
• Reply as the authoritative server would but with different
answer
• Need to guess the source port of the resolver (sometimes
static)

27. Poisoning - brute force
• Resolver uses UDP, thus stateless
• Reply as the authoritative server would but with different
answer
• Need to guess the source port of the resolver (sometimes
static)
• Need to guess transaction ID

28. Poisoning - birthday attack
• Resolver sends multiple
outbound queries for one
record
• Birthday paradox:
increased collision rate
• near 100% success rate for
700 queries

29. Poisoning - weak PRNG

30. Poisoning - weak PRNG
• 2007/2008 BIND bugs: weak transaction ID randomization
(simple LFSR)

31. Poisoning - weak PRNG
• 2007/2008 BIND bugs: weak transaction ID randomization
(simple LFSR)
• Static source port (53) up to BIND 9.4.1, so just 16 bits poor
entropy

32. Poisoning - weak PRNG
• 2007/2008 BIND bugs: weak transaction ID randomization
(simple LFSR)
• Static source port (53) up to BIND 9.4.1, so just 16 bits poor
entropy
• Need up to 10 transaction IDs to predict the next

33. Poisoning - weak PRNG
• 2007/2008 BIND bugs: weak transaction ID randomization
(simple LFSR)
• Static source port (53) up to BIND 9.4.1, so just 16 bits poor
entropy
• Need up to 10 transaction IDs to predict the next
• How can we do this?

34. Poisoning - Example BIND
pine.nl A?
CNAME c1.pine.nl
c1.pine.nl A? 2
CNAME c2.pine.nl
c2.pine.nl A?
1
A 213.156.1.80
pine.nl A?
Attacker bank.com A? Resolver bank.com A 213.156.1.80
5 Evil server
3
6
bank.com A? bank.com A?
bank.com A 213.156.1.80 4 A 1.2.3.4 bank.com
Victim Lost in teh mail auth server
7

35. Timeline of vulnerabilities

36. Vulnerabilities
• 1993: ‘additional’ section information accepted (Schuba)
• 1997: BIND has sequential transaction IDs (CERT)
• 2002: BIND multiple requests - birthday attack (Sacramento)
• 2007: BIND 8 & 9 weak ID randomization (Klein)
• 2008: Most resolvers use static source port and/or weak
randomization (Kaminsky)
• 2010: pdns accepts malicious info in zones (anonymous)

37. Counter-measures

38. Counter-measures
• Proper randomization of source port and transaction ID
• Temporary fix, protocol is still weak (32 bits entropy)
• A man-in-the-middle (or even just passive sniffer) can
always poison the cache, regardless of entropy

39. DNSSEC
• Message authentication
• Message integrity
• Authenticated denial of existence

40. DNSSEC
• New record types: DNSKEY, RRSIG, DS, NSEC3
• Public key cryptography
• RRSIG contains signature for requested data
• DNSKEY contains public key of a zone
• Upstream DNS server has hash of key in DS record
• NSEC3 for denial of existence

41. DNSSEC
• Mostly backwards compatible with DNS
• requires EDNS extension and larger packets
• .org and some ccTLDs are signed
• dig -t DNSKEY org @B2.ORG.AFILIAS-NST.org
• dig axfr . @k.root-servers.net | grep -w DS
• .nl signed but not in root yet

42. References
• http://www.secureworks.com/research/articles/dns-cache-poisoning
• http://en.wikipedia.org/wiki/Domain_Name_System
• http://www.trusteer.com/list-context/publications/bind-9-dns-cache-poisoning
• http://code.google.com/p/nschaind/
• http://www.firewall.cx/dns-query-format.php
• https://www.dns-oarc.net/oarc/services/dnsentropy
• http://tools.ietf.org/html/rfc3755
• http://ds9a.nl/dnssec/