DNS. Introduction To. everything you never wanted to know about IP directory services

Transcription

1 Introduction To DNS everything you never wanted to know about IP directory services Linux Users Victoria, April 3 rd 2007

2 what is the domain name system anyway?

3 it's like a phone book...kinda

4 DNS is (1) a directory service

5 DNS is (2) an identity mechanism

6 DNS is (3) a namespace structure

7 DNS is (4) an abstraction layer

8 think of the phone book...

9 maps hostnames to IP addresses

10 maps jon.oxer.com.au to

11 forward vs reverse

12 maps to jon.oxer.com.au

13 simple beginnings: hosts.txt

14 ...but phone books don't cale

15 so modern DNS is managed like a distributed phone book

16 DNS is (5) delegation of authority

17 a zone defines an area of authority

18 think of it as an inverted tree

19

20 anatomy of a host name

21 (a host name is a record inside a domain name)

22 read right to left: jon.oxer.com.au.

23 yes, it really ends in a dot!

24 root zone: jon.oxer.com.au.

25 top level domain: jon.oxer.com.au.

26 2nd level zone: jon.oxer.com.au.

27 3rd level zone: jon.oxer.com.au.

28 host name: jon.oxer.com.au.

29 back to that dot: jon.oxer.com.au.

30 ICANN's 13 : the A to M root servers

31 root.hints

32 There can be only 13

33 (UDP packets limited to 512B)

34 A response with more than 13 entries > 512B

35 root servers replicated globally using anycast

36

37 root servers delegate cctlds, gtlds, and itlds

38 so what is this delegation of which you speak?

39 registries, registrars, resellers, registrants, InterNIC, ICANN, OpenSRS, oh my!

40

41 ICANN controls the registries

42 registries control the registrars

43 registrars control delegations

44 domain allocation policies

45 own or lease?

46 trademarks and disputes

47

48 alt roots (alternative DNS roots)

49 DNS works because we agree to let it work

50 alt roots are just alternative agreements

51

52 critical concept alert!

53 authoritative vs recursive servers

54 authoritative servers answer questions about zones they own

55 recursive resolvers query other servers on your behalf

56 recursive lookups require multiple queries

57

58

59

60

61

62

63

64

65

66

67

68

69 caching good!

70 caching bad!

71 beware the cache

72 caching: in the recursive DNS resolver

73 (Big Pond bad! Bad, I say!)

74 caching: in your OSs resolver library

75 caching: directly inside applications

76 (IE very bad too!)

77 internationalisation

78 anatomy of a zone[file]

79 ; zone file for example.com. $TTL 2d ; IN SOA ns1.example.com. hostmaster.example.com. ( ; serial 12h ; refresh 15m ; retry 3w ; expiry 3h ; minimum ) IN NS ns1.myprovider.com. IN NS ns1.example.com. IN MX 10 mail.example.net. homer IN A marge IN A www IN CNAME homer vpn IN CNAME marge

80 types of DNS records

81 A (address) links names and IPv4 addresses

82 AAAA (address) links names and IPv6 addresses

83 CNAME (canonical name) aliases names to other names

84 MX (mail exchange) name of machine for mail delivery

85 NS (name server) name of DNS server for a zone

86 TXT (text) arbitrary text string

87 NAPTR (naming auth pointer) fun with regex

88 SOA (start of authority) controls inter-server data synchronisation

89 SOA (Start Of Authority)

90 SOA sets TTL (Time To Live)

91 TTL says how long data may be cached

92 SOA parameters Serial: identifies version of SOA

93 SOA parameters Refresh: seconds between updates

94 SOA parameters Retry: seconds to wait after failure

95 SOA parameters Expire: seconds before data flushed

96 SOA parameters Minimum: used now for negative caching

97 circular dependencies: self-delegation

98 the solution: glue records

99 breaking your brain: reverse DNS

100 Let's look up !

101 in-addr.arpa.

102 security

103 DNS cache poisoning

104

105 Practical example: Dr Evil wants to take over

106 Dr Evil attack vector #1 redirecting the target domain's nameserver

107 (1) Dr Evil creates a sub-zone of a zone he controls, such as bigbank.dr-evil.com

108 (2) Dr Evil delegates his evil zone to

109 (3) Dr Evil configures his DNS server to return the wrong IP address for

110 (4) Dr Evil issues a DNS lookup for bigbank.dr-evil.com to your DNS resolver

111 (5) Your DNS server caches the evil IP and uses it for future requests for

112 what happened? request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.dr-evil.com IN NS Additional section: IN A

113 what happened? request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.dr-evil.com IN NS Additional section: IN A

114 what happened? request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.dr-evil.com IN NS Additional section: IN A

115 what happened? request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.dr-evil.com IN NS Additional section: IN A

116

117 Dr Evil attack vector #2 redirect the NS record of the target domain

118 compare this with... request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.dr-evil.com IN NS Additional section: IN A

119 ...alternative attack request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.com IN NS ns.dr-evil.com. Additional section: ns.dr-evil.com. IN A

120 Dr Evil attack vector #3 DNS forgery: respond before the real nameserver

121 not as easy as it sounds!

122 do a birthday attack against the nonce value

123 Start with the Taylor series approximation to the probability of a nonce value collision where n is the number of attempts and H is the number of unique outputs: Invert the expression: Now assigning a 0.5 probability of collision: So it's obvious that for a 16 bit hash there are outputs, ie: only 301 attempts are required to generate a collision by brute force!

124 301 attempts against 2 x16 hash

125 secure zone transfers

126 (mis?)using DNS

127 TCP-over-DNS

128 dynamic DNS

129 SPF

130 useful tools nslookup

131 useful tools whois

132 useful tools dig

133 DNS server software

134 authoritative and recursive: BIND, MaraDNS

135 authoritative: MyDNS, tinydns

136 recursive: dnscache

137 master vs slave

138 firewall issues port 53 UDP and TCP

139

140 Introduction to DNS Thankyou :-) questions? Slides: jon.oxer.com.au/talks Contact: We're hiring!