
Page 1: DNS Attacks

MAIN WEAKNESS OF THE SYSTEM. HOW ATTACKS WORK IN GENERAL?

DNS ATTACKS

BY: HIMANSHU PRABHAKAR

DNS ATTACKS

Page 2: DNS Attacks

WHAT IS DNS?

DOMAIN NAME SYSTEM


Page 3: DNS Attacks

WHAT IS DNS?

HOW THE INTERNET WORKS: (diagram)

Page 4: DNS Attacks

WHAT IS DNS?

Names people type map to addresses routers use (addresses as drawn on the slide, illustrative only):

www.facebook.com  ->  72.190.12.206
www.yahoo.com     ->  85.206.25.156
www.google.com    ->  56.25.25.128

Page 5: DNS Attacks

WHAT IS DNS?

It is like the Yellow Pages of the Internet: a globally distributed, loosely coherent, scalable, reliable, dynamic database.

It comprises three components:

1. A "name space"
2. Servers making that name space available (the authoritative name servers)
3. Resolvers (clients) which query the servers about the name space

Page 6: DNS Attacks

HOW DNS WORKS?

DOMAIN NAME SYSTEM


Page 7: DNS Attacks

HOW DNS WORKS?


Page 8: DNS Attacks

HOW DNS WORKS?

The name space is a tree; the slide shows one path through it, from the root down to a host address:

root (.)
  edu   net   org   uk   com   ca
    edu: wisc   ucb   utdallas   cmu   mit
      utdallas: cs1   ee   www
        www.utdallas.edu -> 129.110.92.15

Page 9: DNS Attacks

HOW DNS WORKS?

(Figure: DNS message header format, RFC 1035 section 4.1.1: a 16-bit transaction ID; a 16-bit flags word holding QR, Opcode, AA, TC, RD, RA, Z and RCODE; then the four 16-bit counts QDCOUNT, ANCOUNT, NSCOUNT and ARCOUNT. The question section follows the 12-byte header.)
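As an added example (Python written for this page, not code from the slides), the following encodes and decodes the 12-byte header and the question section described in the figure, using only the standard library. The query name, the fixed transaction ID and the spoofed reply used in the usage note are constructed sample values. `is_matching_response` spells out the only checks a plain UDP resolver makes before it believes an answer, which is the weakness the attack slides later build on.

```python
import random
import struct

# Header flag bits (RFC 1035 section 4.1.1). Added example, not code from the slides.
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
OPCODE_SHIFT, RCODE_MASK = 11, 0x000F


def encode_name(name):
    """Encode 'www.utdallas.edu' as length-prefixed labels terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(name, qtype=1, txid=None, rd=True):
    """Standard query: 12-byte header + one question (QTYPE 1 = A, QCLASS 1 = IN)."""
    if txid is None:
        txid = random.SystemRandom().randrange(0x10000)  # unpredictable 16-bit ID
    header = struct.pack("!HHHHHH", txid, RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Split the fixed 12-byte header into its fields and flag bits."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid, "qr": bool(flags & QR), "opcode": (flags >> OPCODE_SHIFT) & 0xF,
        "aa": bool(flags & AA), "tc": bool(flags & TC), "rd": bool(flags & RD),
        "ra": bool(flags & RA), "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question following the header."""
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass


def is_matching_response(query, response):
    """All a plain UDP resolver checks before believing an answer: QR set, same ID,
    same question. Nothing authenticates the sender, which is why spoofed answers work."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] and q["id"] == r["id"] and parse_question(query) == parse_question(response)


if __name__ == "__main__":
    q = build_query("www.utdallas.edu", txid=0x1234)  # constructed sample query
    print(parse_header(q))
    print(parse_question(q))
```

Flipping the QR bit of the query (byte 2 OR 0x80) and sending it back from any address yields a "response" that `is_matching_response` accepts; changing one bit of the ID makes it rejected. That is the entire gate a forged answer has to pass in unauthenticated DNS.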

Page 10: DNS Attacks

DNS VULNERABILITIES

DOMAIN NAME SYSTEM


Page 11: DNS Attacks

DNS VULNERABILITIES


Page 12: DNS Attacks

DNS VULNERABILITIES

DNS was designed with usability in mind, not security.

• Confidentiality: not a design concern (queries and answers travel in cleartext).
• Data integrity: the big concern. Nothing in plain DNS authenticates an answer.
• UDP-based design: a resolver accepts the first response that arrives carrying the right transaction ID, destination port and question section. Any correctly formatted DNS response over UDP that matches those fields is treated as legitimate, whoever actually sent it.

DNS attack tools are readily available on the Internet (for example dsniff and dnshijack, among many others), and they are all free.

Page 13: DNS Attacks

DNS VULNERABILITIES

Where the threats sit (the components of a DNS deployment, and the attack aimed at each link between them):

• Zone file -> Master: corrupting data (tampering with the zone file before the master loads it)
• Zone administrator -> Master (dynamic updates): unauthorized updates
• Master -> Slaves (zone transfer): impersonating the master
• Master/Slaves -> Recursor: cache pollution by data spoofing
• Recursor -> Resolver: cache impersonation (forged answers from something posing as the recursor)

Page 14: DNS Attacks

DNS ATTACKS?

DOMAIN NAME SYSTEM


Page 15: DNS Attacks

DNS ATTACKS?

DNS KNOWN THREATS (Source: RFC 3833)

1. Packet Interception
2. ID Guessing and Query Prediction
3. Name Chaining
4. Betrayal By Trusted Server
5. Denial of Service
6. Authenticated Denial of Domain Names

Page 16: DNS Attacks

DNS ATTACKS?

1. DNS Amplification Attack
2. DNS Cache Poisoning / DNS Spoofing
3. Distributed Denial of Service (DDoS) attack
4. BIND 9 Spoofing

Page 17: DNS Attacks

DNS AMPLIFICATION ATTACK

The attacker uses open DNS resolvers: it sends DNS requests whose source IP address is spoofed to the target's address. When the resolvers receive these queries, they send their DNS responses to the target. Attacks of this type use many open resolvers at once, so the effect on the target is magnified.

The amplification comes from size asymmetry: a query of a few dozen bytes can elicit a response of several thousand bytes when the attacker asks for large record sets (ANY, TXT, DNSKEY) with EDNS0, so that the answer is not truncated at 512 bytes. Two preconditions make the attack work: the attacker's network does not filter spoofed source addresses (no BCP 38 egress filtering), and the resolvers answer queries from anyone.
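From the resolver operator's side the flood is visible in the query log. The following is added detection logic (Python, written for this page, not from the slides) run over constructed log lines laid out like BIND's querylog; the addresses, names, window and threshold are assumptions of the example. It flags sources that repeat EDNS queries for large record types over UDP inside a short window. Because the source address in a reflection attack is the spoofed victim, what it reports is who is being hit through this resolver, not who is attacking.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line layout modelled on BIND's querylog ("client @ptr IP#port (qname): query: qname IN type flags (server)").
# Every line processed here is constructed for this example. Flag letters used: "+" RD, "E(n)" EDNS, "T" TCP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)
AMPLIFYING_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}   # answers that are large relative to the query


def parse_line(line):
    """Return the fields of one querylog line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "ip": m["ip"], "port": int(m["port"]), "qname": m["qname"], "qtype": m["qtype"],
        "edns": "E(" in m["flags"], "tcp": "T" in m["flags"],
    }


def find_amplification_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Flag source IPs that send `threshold` or more UDP+EDNS queries for amplifying
    types inside `window`. Returns {ip: (time flagged, qname, qtype)}."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        q = parse_line(line)
        if q is None or q["tcp"] or not q["edns"] or q["qtype"] not in AMPLIFYING_TYPES:
            continue   # TCP sources are proven by the handshake; small answers amplify nothing
        dq = recent[q["ip"]]
        dq.append(q["ts"])
        while q["ts"] - dq[0] > window:   # slide the window; dq is never empty here
            dq.popleft()
        if len(dq) >= threshold and q["ip"] not in flagged:
            flagged[q["ip"]] = (q["ts"], q["qname"], q["qtype"])
    return flagged


def make_sample_log():
    """Constructed sample: 25 spoofed ANY queries 'from' 198.51.100.7 within 2.5 s, plus benign traffic."""
    base = datetime(2024, 1, 3, 10, 15, 1)
    fmt = lambda t: t.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
    lines = []
    for i in range(25):   # the flood: victim address as source, large answer requested, EDNS set
        lines.append(f"{fmt(base + timedelta(milliseconds=100 * i))} client @0x55d0 198.51.100.7#53 "
                     f"(isc.org): query: isc.org IN ANY +E(0)K (192.0.2.53)")
    for i in range(25):   # same query rate but over TCP, so the source cannot be spoofed
        lines.append(f"{fmt(base + timedelta(milliseconds=100 * i))} client @0x55d1 203.0.113.12#41002 "
                     f"(isc.org): query: isc.org IN ANY +E(0)T (192.0.2.53)")
    for i in range(5):    # a stub client doing ordinary A lookups
        lines.append(f"{fmt(base + timedelta(seconds=i))} client @0x55d2 203.0.113.10#50123 "
                     f"(www.utdallas.edu): query: www.utdallas.edu IN A +E(0) (192.0.2.53)")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, (when, qname, qtype) in find_amplification_sources(make_sample_log()).items():
        print(f"{when} reflection suspected: spoofed source {ip}, {qtype} {qname}")
```

Run against a real `querylog` file the same way, one line per call; tune `window` and `threshold` to the resolver's normal client rate, and treat the flagged address as the victim to notify, with response rate limiting (RRL) on the server as the immediate mitigation.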

Page 18: DNS Attacks

DNS CACHE POISONING

This technique can be used to direct users of a website to another site of the attacker's choosing. A user whose computer references the poisoned DNS server is tricked into accepting content from a non-authentic server and may unknowingly download malicious content. The forged entry stays in the cache until its TTL expires, so one successful poisoning serves every client of that resolver.

Page 19: DNS Attacks

DNS CACHE POISONING

1. The attacker poisons the cache of the local DNS server, either remotely (racing a spoofed response that matches an outstanding query's transaction ID and port before the real answer arrives) or by breaking into the server.
2. A legitimate user tries to log on to www.nicebank.com.
3. The user's machine sends a DNS request to the DNS server.
4. The DNS server replies with the IP of the fake website.
5. The user is redirected to the attacker's look-alike site (shown on the slide as www.n1cebank.com).
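The race in step 1, as an added example (Python written for this page, not from the deck): a minimal model of a resolver that accepts the first answer matching its outstanding (transaction ID, port, question), an attacker flooding guesses, the closed-form success probability, and a simulation that contrasts a resolver using a fixed source port with one that randomizes it (RFC 5452). `www.nicebank.com` is the name from the slide; the rogue address 203.0.113.66, the port range and the resolver model are assumptions of the example.

```python
import random

ID_SPACE = 1 << 16                 # 16-bit transaction ID (RFC 1035)
PORT_LOW, PORT_HIGH = 1024, 65536
PORT_SPACE = PORT_HIGH - PORT_LOW  # source ports a resolver can randomize over (RFC 5452)


class Resolver:
    """Model of a caching resolver: a response is accepted if it is the first one whose
    (transaction ID, destination port, question) matches an outstanding query. Nothing else
    is checked, which is the weakness the slides describe."""

    def __init__(self, rng, randomize_port):
        self.rng, self.randomize_port = rng, randomize_port
        self.pending, self.cache = {}, {}

    def send_query(self, qname):
        txid = self.rng.randrange(ID_SPACE)
        # Older resolvers sent every query from one fixed port; modern ones pick a random one.
        port = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else 53
        self.pending[qname] = (txid, port)
        return txid, port

    def receive(self, qname, txid, port, answer):
        if self.pending.get(qname) == (txid, port):
            self.cache[qname] = answer   # first match wins; the authentic answer arriving later is dropped
            del self.pending[qname]
            return True
        return False


def make_resolver(seed, randomize_port):
    return Resolver(random.Random(seed), randomize_port)


def attacker_flood(resolver, rng, qname, guesses, rogue_ip):
    """Fire `guesses` spoofed answers with random (ID, port) before the real reply lands."""
    for _ in range(guesses):
        txid = rng.randrange(ID_SPACE)
        port = rng.randrange(PORT_LOW, PORT_HIGH) if resolver.randomize_port else 53
        if resolver.receive(qname, txid, port, rogue_ip):
            return True
    return False


def success_probability(guesses, randomize_port):
    """Closed form: chance that at least one of n independent uniform guesses hits the one valid pair."""
    space = ID_SPACE * (PORT_SPACE if randomize_port else 1)
    return 1 - (1 - 1 / space) ** guesses


def simulate(trials, guesses, randomize_port, seed=1):
    """Empirical success rate over independent poisoning attempts, one outstanding query each.
    Kaminsky's refinement (forcing a fresh query for a random subdomain every round, so the
    attacker is not blocked by the cached TTL) is exactly this loop repeated until it wins."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        r = Resolver(rng, randomize_port)
        r.send_query("www.nicebank.com")                 # victim name from the slide
        if attacker_flood(r, rng, "www.nicebank.com", guesses, "203.0.113.66"):  # constructed rogue IP
            wins += 1
    return wins / trials


if __name__ == "__main__":
    print("ID only,  5000 guesses: p=%.3f  sim=%.3f" % (success_probability(5000, False), simulate(200, 5000, False)))
    print("ID+port,  5000 guesses: p=%.2e  sim=%.3f" % (success_probability(5000, True), simulate(200, 5000, True)))
```

With only the 16-bit ID to guess, 65536 spoofed packets give roughly a 63% chance per race, and the attacker can keep re-running the race; adding a random source port multiplies the search space by about 64500, which is the change RFC 5452 mandated after the Kaminsky disclosure. Note that port randomization only raises the cost: the real fix is authenticating the data, which is what DNSSEC does.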

Page 20: DNS Attacks

(DDOS) DISTRIBUTED DENIAL OF SERVICE

The attacker targets one or more of the 13 DNS root name servers (13 named identities, each today served by many anycast instances). The root name servers are critical components of the Internet; attacks against them could, in theory, impact the operation of the entire global Domain Name System.

On October 21, 2002 an attack lasting approximately one hour was targeted at all 13 DNS root name servers.

On February 6, 2007 a similar attack lasted twenty-four hours.

Page 22: DNS Attacks

HOW TO PREVENT DNS ATTACKS?

DOMAIN NAME SYSTEM


Page 23: DNS Attacks

HOW TO PREVENT DNS ATTACKS?

Band-Aid solutions

• Only cache information from authoritative servers (ignore out-of-bailiwick additional data)
• Cross-check IP/DNS mappings (forward lookup against reverse lookup)
• Transaction signatures (TSIG) for zone transfers and dynamic updates
• Split-split strategy: run separate advertising and resolving name servers
  • the advertising (authoritative-only) server has no cache to poison
  • the resolving (recursive) server only allows internal traffic

Firewalls can be utilized to minimize attacks against the DNS protocol:

• Query and response verification
• Transaction ID randomization
• DNS header flag filtering
• DNS message size limitations
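The split-split and TSIG points above, as an added BIND 9 `named.conf` example written for this page (not configuration from the slides). The two fragments are alternatives, not one file: the first is an open resolver as commonly found, the second the hardened internal recursor. Network ranges, zone and key names are placeholders, and the TSIG secret must be generated (for example with `tsig-keygen`) rather than copied.

```conf
// ---- Fragment A: WEAK, an open resolver ----
// Anyone on the Internet can use this server to reflect and amplify traffic,
// and its cache is reachable by anyone who wants to poison it.
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { any; };          // whole zone readable by anyone via AXFR
};

// ---- Fragment B: HARDENED, internal recursor ----
// Split roles: a separate authoritative-only instance answers external queries for
// example.com and has no cache to poison; this instance only serves internal clients.
acl internal { 10.0.0.0/8; 192.168.0.0/16; localhost; };   // placeholder ranges

key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";            // placeholder, never reuse a published value
};
key "update-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";            // placeholder
};

options {
    recursion yes;
    allow-query { internal; };
    allow-recursion { internal; };
    allow-query-cache { internal; };
    query-source address * port *;    // let the OS pick a random source port per query (RFC 5452)
    dnssec-validation auto;           // validate signatures using the built-in root trust anchor
    minimal-responses yes;            // smaller answers, less value as an amplifier
    rate-limit {
        responses-per-second 10;      // RRL: throttles identical answers reflected at one client
    };
};

zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { key xfer-key; };   // AXFR only to slaves presenting the TSIG key
    allow-update { key update-key; };   // dynamic updates only when signed with the TSIG key
};
```

After reloading, confirm the split from outside the internal ranges: a recursive query for a name the server is not authoritative for should be refused, and `dig @server example.com AXFR` without the key should fail.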

Page 24: DNS Attacks

DNSSEC

DNS Security Extensions (DNSSEC)

• Adds security functions to the DNS protocol.
• Can prevent some attacks, such as DNS cache poisoning, when the resolver validates the signatures.
• Adds data origin authentication and data integrity to the DNS protocol.
• Digitally signs DNS data (resource record sets) using public-key cryptography; the lookup procedure itself is unchanged.
• The DNSKEY record is authenticated via a chain of trust starting with the trusted root.
• It is something like SSL certificate chains for the DNS, but it signs the data rather than securing the channel: answers are still sent in the clear.

Page 25: DNS Attacks

DNSSEC

1. RECORDS: RRSIG, DNSKEY, DS, NSEC and NSEC3
2. ALGORITHMS: RSA/MD5, DSA/SHA-1, RSA/SHA-256/512 (as listed on the slide; since then RFC 8624 has made RSA/MD5 and DSA "must not use", RSA/SHA-1 not recommended, and RSA/SHA-256, ECDSA P-256/SHA-256 and Ed25519 the current choices)
3. LOOKUP PROCEDURE: Recursive Name Servers, Stub Resolver
4. TRUST ANCHORS AND AUTHENTICATION CHAIN
5. SIGNATURE AND ZONE SIGNING
6. KEY MANAGEMENT

Page 26: DNS Attacks

HOW DNSSEC WORKS?

Actors: Stub Resolver, Recursor (validating), Root Server, ns.dns.edu (the edu zone), ns.utdallas.edu (the utdallas.edu zone). The sequence diagram on the slide, as steps:

1. Stub Resolver -> Recursor: IP for www.utdallas.edu?
2. Recursor checks its cache; nothing usable, so it starts at the root.
3. Recursor -> Root Server: request the DNSKEY RRset of the root zone.
4. Root Server -> Recursor: DNSKEY KSKroot + RRSIG(KSKroot), DNSKEY ZSKroot + RRSIG(ZSKroot). The recursor already holds KSKroot (or its DS hash) as its configured trust anchor.
5. Recursor verifies: RRSIG checked with KSKroot => ZSKroot is valid.
6. Recursor -> Root Server: IP for www.utdallas.edu?
7. Root Server -> Recursor (referral): go to NS ns.dns.edu; DS(KSKedu) + RRSIG(DS); NS:root + RRSIG(NS).
8. Recursor verifies, now with the zone-signing key: RRSIG checked with ZSKroot => DS(KSKedu) is valid; RRSIG checked with ZSKroot => NS:root is valid.

Page 27: DNS Attacks

HOW DNSSEC WORKS?

9. Recursor -> ns.dns.edu: request the DNSKEY RRset of edu.
10. ns.dns.edu -> Recursor: DNSKEY KSKedu + RRSIG(KSKedu), DNSKEY ZSKedu + RRSIG(ZSKedu).
11. Recursor validates KSKedu against DS(KSKedu): the hash of the received KSKedu must equal the DS the root signed => KSKedu is valid.
12. Recursor verifies: RRSIG checked with KSKedu => ZSKedu is valid.
13. Recursor -> ns.dns.edu: IP for www.utdallas.edu?
14. ns.dns.edu -> Recursor (referral): go to NS ns.utdallas.edu; DS(KSKutd) + RRSIG(DS); NS:ns.dns.edu + RRSIG(NS).
15. Recursor verifies: RRSIG checked with ZSKedu => DS(KSKutd) is valid; RRSIG checked with ZSKedu => NS:ns.dns.edu is valid.

Page 28: DNS Attacks

HOW DNSSEC WORKS?

16. Recursor -> ns.utdallas.edu: request the DNSKEY RRset of utdallas.edu.
17. ns.utdallas.edu -> Recursor: DNSKEY KSKutd + RRSIG(KSKutd), DNSKEY ZSKutd + RRSIG(ZSKutd).
18. Recursor validates KSKutd against DS(KSKutd) => KSKutd is valid; RRSIG checked with KSKutd => ZSKutd is valid.
19. Recursor -> ns.utdallas.edu: IP for www.utdallas.edu?
20. ns.utdallas.edu -> Recursor: A 123.123.123.123 + RRSIG(A); NS:ns.utdallas.edu + RRSIG(NS).
21. Recursor verifies: RRSIG checked with ZSKutd => the A record is valid; RRSIG checked with ZSKutd => NS:ns.utdallas.edu is valid.
22. Recursor -> Stub Resolver: A 123.123.123.123, with the AD (Authenticated Data) bit set.
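The links in that chain (steps 11 and 18 above) are plain hash comparisons, and they are where a validator decides whether a child zone's key is vouched for by its parent. As an added example (Python written for this page, not code from the slides), the following computes the RFC 4034 key tag and the DS digest for a DNSKEY and walks the root -> edu -> utdallas.edu chain from the walk-through, once intact and once with a substituted utdallas.edu key. The keys are constructed byte strings standing in for real public keys, and the RRSIG checks (the signature verifications over each DNSKEY and DS RRset) are deliberately out of scope.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root = one zero octet."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA per RFC 4034 section 2: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit word sum over the RDATA, folded once."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA). Type 2 = SHA-256 (RFC 4509), 1 = SHA-1."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(owner, rdata, digest_type=2):
    """(key tag, algorithm, digest type, digest): what the parent zone publishes for the child's KSK."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner, rdata):
    """The link a validator checks at each delegation: the parent's DS must match the child's KSK."""
    tag, alg, dtype, digest = ds
    return (rdata[2] == 3 and alg == rdata[3] and tag == key_tag(rdata)
            and digest == ds_digest(owner, rdata, dtype))


def walk_chain(delegations):
    """delegations: list of (zone, ksk_rdata, ds_from_parent_or_trust_anchor), root first.
    Returns the first zone whose KSK is not vouched for, or None if every link holds."""
    for zone, ksk, ds in delegations:
        if not ds_matches_dnskey(ds, zone, ksk):
            return zone
    return None


# Constructed example keys (flags 257 = KSK, algorithm 8 = RSA/SHA-256); the key bytes are not real keys.
KSK_ROOT = dnskey_rdata(257, 8, bytes(range(1, 41)))
KSK_EDU = dnskey_rdata(257, 8, bytes(range(41, 81)))
KSK_UTD = dnskey_rdata(257, 8, bytes(range(81, 121)))


def example_chain(tamper=False):
    """Root trust anchor (in DS form) -> edu -> utdallas.edu, as in the walk-through above."""
    chain = [(".", KSK_ROOT, ds_record(".", KSK_ROOT)), ("edu", KSK_EDU, ds_record("edu", KSK_EDU))]
    if tamper:   # an attacker substitutes its own KSK for utdallas.edu; the DS in edu no longer matches
        rogue = dnskey_rdata(257, 8, bytes(range(121, 161)))
        chain.append(("utdallas.edu", rogue, ds_record("utdallas.edu", KSK_UTD)))
    else:
        chain.append(("utdallas.edu", KSK_UTD, ds_record("utdallas.edu", KSK_UTD)))
    return chain


if __name__ == "__main__":
    print("utdallas.edu DS:", ds_record("utdallas.edu", KSK_UTD))
    print("intact chain breaks at:", walk_chain(example_chain()))
    print("tampered chain breaks at:", walk_chain(example_chain(tamper=True)))
```

The same `ds_record` function applied to a real DNSKEY RDATA reproduces the DS that the parent publishes (and, for the root, the trust anchor ICANN distributes), which is a useful check when a zone's DS at the registrar has to be updated after a key rollover.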

Page 29: DNS Attacks

DNSSEC STANDARDS

RFC 4033, DNS Security Introduction and Requirements:

What DNSSEC provides: origin authentication and data integrity, through
• Resource Record Signature (RRSIG)
• DNS Public Key (DNSKEY)
• Delegation Signer (DS)
• Next Secure (NSEC)
• New header bits: Checking Disabled (CD) and Authenticated Data (AD)

What DNSSEC does not provide: confidentiality, access control lists, protection against DoS attacks.

CONSIDERATIONS:

• Resolver: cryptographic checking of signatures, authentication chaining, validation of DNS replies.
• Stub resolver: DNSSEC validity checks, IPsec, setting of the AD bit.
• Zones: signed and unsigned zones, regular maintenance of RRsets (re-signing before signatures expire).
• Name server: DNSSEC records (RRSIG, DNSKEY, DS and NSEC), the EDNS "sender's UDP payload size" mechanism, and keeping the private part of the DNSSEC key pair offline.
• Security: a channel secured by IPsec, or a DNS transaction authentication mechanism such as TSIG.

Page 30: DNS Attacks

DNSSEC STANDARDS (continued)

RFC 4034, Resource Records for the DNS Security Extensions: the DNSKEY, RRSIG, NSEC and DS resource records.

RFC 4035, Protocol Modifications for the DNS Security Extensions:
• Zone signing: DNSKEY, RRSIG, NSEC, DS
• Serving: authoritative name servers and recursive name servers
• Resolving: EDNS support, signature verification, trust anchors
• Authenticating DNS responses

RFC 5155: DNSSEC Hashed Authenticated Denial of Existence (NSEC3)

RFC 4310: DNS Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)

RFC 4641: DNSSEC Operational Practices

Page 31: DNS Attacks

ARE WE SECURE WITH DNSSEC?

DNSSEC has some problems of its own:

• Trivial zone configuration errors or expired keys and signatures make a DNSSEC-aware (validating) resolver fail the whole zone with SERVFAIL: a signing mistake is an outage.
• The increased size of DNSSEC responses makes signed zones attractive to DoS amplifiers.
• Slow responses due to the extra overhead of signature validation can result in timeouts and re-queries (impatient DNS clients).
• A compromise of any zone between the root and the target damages DNSSEC's ability to protect the integrity of data owned by that target name.

Page 32: DNS Attacks

THANKS [email protected]


Page 33: DNS Attacks

REFERENCES

http://www.cisco.com/web/about/security/intelligence/dns-bcp.html

http://tools.ietf.org/html/rfc4033

http://tools.ietf.org/html/rfc4034

http://tools.ietf.org/html/rfc4035

http://tools.ietf.org/html/rfc5155

http://tools.ietf.org/html/rfc4310

http://tools.ietf.org/html/rfc4641

https://www.dnssec.nl/wiki/index.php/DNSSEC_explained

http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

http://www.tcpipguide.com/free/t_DNSMessageHeaderandQuestionSectionFormat.htm