4. DNS overview
• Name to IP and IP to name translation
• Designed in 1983 (RFC 882/883), base specification RFC 1034/1035 (IETF)
• 114 RFCs
• TCP & UDP port 53
• Key concept: authoritative servers (hold the zone data) versus recursive (caching) servers (find answers on behalf of clients)
5. DNS - servers
• Authoritative server
• Responsible for one or more zones
• Answers queries based on its zones
• Recursive server (resolver, recursor, cache)
• No zone data of its own, only a cache of earlier answers
• Queries authoritative servers, following referrals, until it has the answer
6. DNS - zones
• Zone
• Domain name, e.g. pine.nl
• Contains resource records (RRs)
• Stored on authoritative servers
• Usually a master (primary) and one or more slaves (secondaries) that copy the zone by zone transfer
• SOA record
• Primary nameserver, admin e-mail, serial, refresh, retry, expire, minimum TTL (used for negative caching)
7. DNS - records
• Resource records carry the actual data, e.g. the mapping of a hostname to an IP address
• Different types, not all of them give an IP address
• Common: A, AAAA, NS, CNAME, MX
• Examples
• pine.nl. 86400 IN A 213.156.1.80
• www.pine.nl. 86400 IN CNAME sechost.pine.nl.
• pine.nl. 86400 IN MX 1 mx.pine.nl.
8. DNS - Wire format
• Server on UDP/TCP port 53 (TCP for zone transfers and for answers too large for UDP: the server sets the truncated bit and the client retries over TCP)
• Transaction ID
• Flags
• e.g. recursion desired, authoritative, is-response, truncated
• Sections
• Question, Answer, Authority, Additional
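The wire format described above, as an added example that is not part of the original slides: a standard-library Python builder and parser for DNS messages. It builds the “pine.nl A?” query, assembles the referral the .nl server returns on slide 10 (empty answer section, NS in the authority section, glue in the additional section) using a compression pointer in the NS RDATA, and parses the header flags named on the slide plus all four sections. Names, IDs and addresses are the slide's; the function names and the transaction ID 0x1234 are this example's own choices.

```python
import struct

# Record types used on the slides (RFC 1035, RFC 3596 type numbers)
RTYPE = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "AAAA": 28}
RTYPE_NAME = {v: k for k, v in RTYPE.items()}
# Header flag bits named on the slide
FLAGS = {"is_response": 0x8000, "authoritative": 0x0400,
         "truncated": 0x0200, "recursion_desired": 0x0100}

def encode_name(name):
    """'www.pine.nl' -> length-prefixed labels ending in a zero byte (no compression)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(txid, name, rtype, rd=True):
    """12-byte header (QR=0, RD set if we want the server to recurse) plus one question."""
    flags = FLAGS["recursion_desired"] if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", RTYPE[rtype], 1)

def build_rr(name, rtype, ttl, rdata):
    """One resource record: NAME, TYPE, CLASS (IN=1), TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", RTYPE[rtype], 1, ttl, len(rdata)) + rdata

def build_response(query, answer=(), authority=(), additional=(), aa=False):
    """Echo the query's ID and question, set QR (and AA when authoritative), append the RR sections."""
    txid, qflags, qdcount = struct.unpack("!HHH", query[:6])
    flags = FLAGS["is_response"] | (qflags & FLAGS["recursion_desired"])
    if aa:
        flags |= FLAGS["authoritative"]
    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(answer), len(authority), len(additional))
    return header + query[12:] + b"".join(answer) + b"".join(authority) + b"".join(additional)

def read_name(msg, off):
    """Decode a name, following RFC 1035 4.1.4 compression pointers. Returns (name, offset after field)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                       # 2-byte pointer to an earlier name
            if end is None:
                end = off + 2                             # the field ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                                 # hostile input: pointer loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_rr(msg, off):
    """Decode one RR; NS/CNAME RDATA is a (possibly compressed) name, A is an IPv4 address."""
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype in (RTYPE["NS"], RTYPE["CNAME"]):
        value = read_name(msg, off)[0]
    elif rtype == RTYPE["A"] and rdlen == 4:
        value = ".".join(str(b) for b in msg[off:off + 4])
    else:
        value = msg[off:off + rdlen]                      # other types left as raw bytes
    return (name, RTYPE_NAME.get(rtype, rtype), ttl, value), off + rdlen

def parse_message(msg):
    """Header ID and flags, the question(s), and the answer/authority/additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": txid, "questions": []}
    result.update({key: bool(flags & bit) for key, bit in FLAGS.items()})
    off = 12
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        result["questions"].append((qname, RTYPE_NAME.get(qtype, qtype)))
        off += 4                                          # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        result[section] = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            result[section].append(rr)
    return result

def referral_example():
    """Constructed from slide 10: ns1.nic.nl refers 'pine.nl A?' to ns1.pine.nl with glue.
    The NS RDATA is 'ns1' followed by a pointer to offset 12, the 'pine.nl' in the question."""
    query = build_query(0x1234, "pine.nl", "A")
    ns_rdata = b"\x03ns1" + struct.pack("!H", 0xC000 | 12)
    response = build_response(
        query,
        authority=[build_rr("pine.nl", "NS", 86400, ns_rdata)],
        additional=[build_rr("ns1.pine.nl", "A", 86400, bytes([213, 156, 2, 1]))],
    )
    return parse_message(response)

if __name__ == "__main__":
    for key, value in referral_example().items():
        print(f"{key}: {value}")
```

The pointer-loop limit in read_name is the check a parser facing untrusted packets needs: a pointer that refers to itself would otherwise spin forever.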
10. DNS - operation
• Diagram on the slide: how the resolver answers “pine.nl A?” for the client by walking down from the root
• Client → Resolver: pine.nl A?
• Resolver → k.root-servers.net (root server): pine.nl A?
  Root replies with a referral: nl. NS ns1.nic.nl, plus ns1.nic.nl A 193.176.144.2
• Resolver → ns1.nic.nl (ccTLD server): pine.nl A?
  Referral: pine.nl NS ns1.pine.nl, plus ns1.pine.nl A 213.156.2.1
• Resolver → ns1.pine.nl (authoritative server): pine.nl A?
  Answer: pine.nl A 213.156.1.80
• Resolver → Client: pine.nl A 213.156.1.80 (cached for the record’s TTL)
11. DNS - operation
• Every server is asked the same question
• Every server responds with what it knows towards the
answer
• Only the definitive answer is given in the “answer” section
• A server may give additional info with its response
• authority section: “NS for nl. is ns1.nic.nl.”
• additional section: “ns1.nic.nl is at 193.176.144.2”
12. DNS - operation
• The exchange of slide 10 again, annotated with the section each piece of data travels in
• Root server → Resolver: answer section empty; authority section: nl. NS ns1.nic.nl; additional section: ns1.nic.nl A 193.176.144.2
• ccTLD server (ns1.nic.nl) → Resolver: answer section empty; authority section: pine.nl NS ns1.pine.nl; additional section: ns1.pine.nl A 213.156.2.1
• Authoritative server (ns1.pine.nl) → Resolver: answer section: pine.nl A 213.156.1.80
• Resolver → Client: answer section: pine.nl A 213.156.1.80
15. DNS - operation
• What if the nameserver for pine.nl is ns1.pine.nl?
• To ask ns1.pine.nl anything the resolver first needs its address, and only ns1.pine.nl can answer that: a circular dependency
• Glue records: the parent zone (.nl) stores the A record of ns1.pine.nl next to the NS record and hands it out with the referral
• Additional section
• Extra info the server has that you will probably need
• Prevents an endless loop
20. Poisoning - what?
• Entering specific (non-authoritative) RRs into a resolver
cache
• Resolver will provide this information to all clients that query
it
21. Poisoning - why?
• Suppose Alice wants to log in to secure.bank.net
• Eve has poisoned the cache of Alice’s resolver
• secure.bank.net now resolves to the address of Eve’s computer
• DNS cache poisoning enables man-in-the-middle attacks and very convincing phishing: the browser shows the right hostname
22. Poisoning - how?
• Faulty protocol implementations
• Send extra, non-authoritative RRs in the additional section and hope the resolver caches them (data outside the answering server’s bailiwick)
• Reply before the authoritative answer arrives: the first matching reply wins, the real one is discarded
• Brute force: n spoofed replies against one query succeed with probability n/65536 when the source port is static (only the 16-bit transaction ID must be guessed)
• Birthday attack
• Weak PRNG exploitation
25. Poisoning - brute force
• Resolver uses UDP, so there is no connection: a reply is accepted when its source address, destination port, transaction ID and question match an outstanding query
• Reply as the authoritative server would (spoofed source address) but with a different answer, before the real reply arrives
• Need to guess the source port of the resolver (sometimes static)
• Need to guess the 16-bit transaction ID
28. Poisoning - birthday attack
• Make the resolver send multiple outbound queries for one record at the same time (one per incoming client query while nothing is cached yet), each with its own transaction ID
• Birthday paradox: n spoofed replies against n outstanding queries collide far more often than n guesses against a single query
• Near 100% success rate for 700 queries against 700 spoofed replies (static source port)
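Putting numbers on the brute-force and birthday slides, as an added example that is not part of the original deck. The model assumes every outstanding query carries an independent, uniformly random 16-bit transaction ID and that the attacker’s spoofed replies use distinct guesses; it goes beyond the slide by also running the same formulas against the 32-bit ID-plus-port space of a resolver that randomises its source port.

```python
import math

TXID_BITS = 16                                      # DNS transaction ID
PORT_BITS = 16                                      # UDP source port when it is really randomised
FIXED_PORT_SPACE = 2 ** TXID_BITS                   # static source port: only the ID is unknown
RANDOM_PORT_SPACE = 2 ** (TXID_BITS + PORT_BITS)    # random source port: ID and port unknown

def brute_force_success(n_replies, space=FIXED_PORT_SPACE):
    """One outstanding query; the attacker sends n_replies spoofed replies with distinct guesses."""
    return min(1.0, n_replies / space)

def birthday_success(n_queries, n_replies, space=FIXED_PORT_SPACE):
    """n_queries outstanding queries for the same name, each with its own random ID, against
    n_replies spoofed replies with distinct guesses. A single query escapes every guess with
    probability 1 - n_replies/space, so P(some query is hit) = 1 - (1 - n_replies/space)^n_queries."""
    if n_replies >= space:
        return 1.0
    return 1.0 - (1.0 - n_replies / space) ** n_queries

def replies_for(p_target, n_queries=1, space=FIXED_PORT_SPACE):
    """Spoofed replies needed so that birthday_success(n_queries, n) reaches p_target."""
    return math.ceil(space * (1.0 - (1.0 - p_target) ** (1.0 / n_queries)))

def table(n=700):
    """The 700-packet case from the slide, with and without source-port randomisation."""
    return {
        "brute force, static port": brute_force_success(n),
        "birthday, static port": birthday_success(n, n),
        "brute force, random port": brute_force_success(n, RANDOM_PORT_SPACE),
        "birthday, random port": birthday_success(n, n, RANDOM_PORT_SPACE),
    }

if __name__ == "__main__":
    for scenario, p in table().items():
        print(f"{scenario:26s} {p:.6f}")
    print("replies for 50% against one query:", replies_for(0.5), "vs",
          replies_for(0.5, space=RANDOM_PORT_SPACE), "with a random port")
```

With n_queries = 1 the birthday formula collapses to the brute-force one, which is why the two slides describe the same attack at different scales.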
31. Poisoning - weak PRNG
• 2007/2008 BIND bugs: weak transaction ID randomization (simple LFSR)
• Static source port (53) up to BIND 9.4.1, so just 16 bits of poor entropy
• Need up to 10 consecutive transaction IDs to predict the next one
• How do we get to see them?
34. Poisoning - Example BIND
• Diagram on the slide (attacker, resolver, an “evil server” run by the attacker, the bank.com auth server, victim); step numbers as far as they can be recovered from the slide
• 1: Attacker → Resolver: pine.nl A? (pine.nl is hosted on the attacker’s evil server)
• 2: Resolver → Evil server: pine.nl A?; the evil server answers CNAME c1.pine.nl, the resolver asks c1.pine.nl A?, gets CNAME c2.pine.nl, asks c2.pine.nl A?, and so on until the chain ends in A 213.156.1.80. Every hop is a fresh query to the attacker’s own server, so the attacker reads consecutive transaction IDs off it and predicts the next one
• 3: Attacker → Resolver: bank.com A?
• 4: Resolver → bank.com auth server: bank.com A?, carrying the predicted transaction ID
• 5: Evil server → Resolver: spoofed reply from the auth server’s address with the predicted ID: bank.com A 213.156.1.80 (the attacker’s host); it arrives first and is cached
• 6: The genuine reply bank.com A 1.2.3.4 is “lost in the mail”: it no longer matches an outstanding query and is dropped
• 7: Victim → Resolver: bank.com A? is answered from the poisoned cache: bank.com A 213.156.1.80
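The weak-PRNG attack of slides 31 to 34 in runnable form, as an added example that is not part of the original deck and does not reproduce BIND’s real generator. The resolver’s ID source is a toy of this example’s own design: a 32-bit LFSR clocked 16 times per query that hands out its low 16 bits as the transaction ID. The attacker leaks a few IDs (the CNAME-chain trick, simulated by simply reading the generator), brute-forces the 16 hidden state bits, and predicts the ID of the next query. In this toy two consecutive IDs pin the state; the BIND flaw on slide 32 needed up to ten.

```python
TAPS = 0xB4BCD35C      # feedback mask of the toy 32-bit Galois LFSR (arbitrary choice, not BIND's)
MASK = 0xFFFFFFFF
CLOCKS_PER_ID = 16     # the register is stepped 16 times for every ID it hands out

class WeakTxidGenerator:
    """Toy stand-in for a resolver's ID generator (an assumption of this example, not BIND's code):
    a 32-bit LFSR clocked CLOCKS_PER_ID times per query, exposing its low 16 bits as the ID."""

    def __init__(self, state):
        self.state = state & MASK
        if not self.state:
            raise ValueError("LFSR state must be non-zero")

    def next_txid(self):
        for _ in range(CLOCKS_PER_ID):
            lsb = self.state & 1
            self.state >>= 1
            if lsb:
                self.state ^= TAPS
        return self.state & 0xFFFF

def recover_states(observed):
    """observed[0] is the low half of the state right after it was handed out. Try all 2**16
    values of the hidden high half and keep those that also reproduce observed[1:].
    Returns the surviving states as they are after emitting observed[-1]."""
    survivors = []
    for hidden in range(1 << 16):
        state = (hidden << 16) | observed[0]
        if not state:
            continue
        g = WeakTxidGenerator(state)
        if all(g.next_txid() == txid for txid in observed[1:]):
            survivors.append(g.state)
    return survivors

def predict_next(observed):
    """Possible IDs of the resolver's next query, given the IDs leaked so far."""
    return sorted({WeakTxidGenerator(s).next_txid() for s in recover_states(observed)})

def attack(seed=0xC0FFEE42, leaked=2):
    """Slide 34 in miniature: the attacker makes the resolver send `leaked` queries to a server it
    runs (the CNAME chain), reads their IDs off the wire, and predicts the ID the resolver will
    put on its query for the victim's name. The seed is an arbitrary constructed value."""
    resolver = WeakTxidGenerator(seed)
    seen = [resolver.next_txid() for _ in range(leaked)]
    guesses = predict_next(seen)
    actual = resolver.next_txid()          # the ID on the real query to bank.com's auth server
    return seen, guesses, actual

if __name__ == "__main__":
    seen, guesses, actual = attack()
    print("leaked IDs:", [hex(t) for t in seen])
    print("predicted :", [hex(t) for t in guesses], "actual:", hex(actual))
```

Why two IDs are enough here: after 16 clocks the register’s old high half has shifted into the low half, XORed only with feedback decided by the (known) old low half, so the second ID is a bijective function of the 16 hidden bits. A single leaked ID leaves all 65536 continuations open; the second one selects exactly one.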
38. Counter-measures
• Proper randomization of source port and transaction ID
• Temporary fix, protocol is still weak: at most 32 bits of entropy (16-bit ID plus 16-bit port), and less when a NAT in the path rewrites the ports
• A man-in-the-middle (or even just a passive sniffer on the path) sees port and ID and can always poison the cache, regardless of entropy
39. DNSSEC
• Data origin authentication: the records really come from the zone owner
• Data integrity: the records were not modified in transit or in a cache
• Authenticated denial of existence: a signed proof that a name or type does not exist
• Signs the data, not the transport: no confidentiality, and no proof of which server you are talking to
40. DNSSEC
• New record types: DNSKEY, RRSIG, DS, NSEC/NSEC3
• Public key cryptography
• RRSIG contains the signature over the requested RRset
• DNSKEY contains the public key(s) of a zone
• The parent zone publishes a hash of the child’s key in a DS record, building a chain of trust down from the root
• NSEC3 (or NSEC) for authenticated denial of existence
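What “hash of the key in a DS record” means concretely, as an added example that is not part of the slides: the key tag and DS digest computations of RFC 4034 (Appendix B and section 5.1.4) and RFC 4509 over a DNSKEY, plus the comparison a validator performs between the parent’s DS and the child’s DNSKEY. The zone example.nl and its key are constructed: the key bytes are a placeholder pattern, not a real public key, so this shows the DS derivation and the chain-of-trust check, not signature verification.

```python
import base64
import hashlib
import struct

def owner_wire(name):
    """Canonical wire form of an owner name: lower-case labels, no compression (RFC 4034 s6.2)."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags (257 = KSK/SEP, 256 = ZSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit word sum over the RDATA with the carry folded back in
    (valid for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA); 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(owner_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """The DS record the parent zone would publish for this child DNSKEY, in presentation format."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")

def ds_matches(ds_text, owner, flags, protocol, algorithm, pubkey_b64):
    """Validator's check of a DS from the parent against a DNSKEY from the child:
    recompute key tag and digest for the DNSKEY and compare them with the DS fields."""
    tag, alg, dtype, digest = ds_text.split()[-4:]
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (int(tag) == key_tag(rdata) and int(alg) == algorithm
            and ds_digest(owner, rdata, int(dtype)) == digest.upper())

# Constructed DNSKEY for a made-up zone: flags 257 (KSK), algorithm 13 (ECDSA P-256), and a
# 64-byte "public key" consisting of the bytes 0x00..0x3F. NOT a real key; it only exercises the format.
EXAMPLE_OWNER = "example.nl."
EXAMPLE_KEY_B64 = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    print(make_ds(EXAMPLE_OWNER, 257, 3, 13, EXAMPLE_KEY_B64))
```

The owner name is lower-cased before hashing because DNS names are case-insensitive; a validator that hashed the name as received would reject a DS for a DNSKEY fetched under a different capitalisation.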
41. DNSSEC
• Mostly backwards compatible with DNS
• requires EDNS(0) with the DO bit and larger packets: UDP responses above 512 bytes and fallback to TCP must work end to end
• .org and some ccTLDs are signed
• dig -t DNSKEY org @B2.ORG.AFILIAS-NST.org
• dig axfr . @k.root-servers.net | grep -w DS
• .nl signed but not in root yet