DNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

Transcription

1 DNS and SMTP James Walden CIT 485: Advanced Cybersecurity James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

2 Table of contents 1. DNS 2. DNS Protocol Packets 3. DNS Caching 4. DNS Cache Poisoning 5. SMTP 6. MIME 7. References James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 2 / 31

3 Domain Name Service James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 3 / 31

4 DNS DNS is a distributed database containing resource records. Record Type A AAAA CNAME PTR SOA NS MX Purpose Address records map names to IPv4 addresses. AAAA records map names to IPv6 addresses. CNAME records map one domain name to another (canonical) domain name. PTR records map IP addresses to names using the arpa TLD. Start Of Authority records describe zone administration. Nameserver records identify nameservers for a domain. Mail exchange records identify mail servers to receive with priority numbers. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 4 / 31

5 DNS has a tree structure James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 5 / 31

6 DNS Authority DNS delegates authority to domains (zones) via tree. ICANN manages the root domain, delegates authority to TLDs. Generic TLDs like.com or.info. Country Code TLDs like.cn or.uk. TLDs delegate authority to second level domains like nku.edu. Second level domains can delegate to third level domains, etc. There are 13 root servers, described at James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 6 / 31

7 Top Level Domains (TLDs) Generic TLD Purpose arpa Used for PTR records only. com Commercial. Administered by Verisign. org Organization. Public Interest Registry. edu Educational. Administrated by Educause. gov US Government. Administered by GSA. mil US military. Administered by DoD. Country Code TLD Country cn China de Germany ru Russia uk United Kingdom tv Tuvalu James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 7 / 31

8 Authoritative Domain Servers Authority for a domain lies with the owner of that domain. TLDs are typically owned by a registrar. Second level domains typically own by an organization. SOA record identifies authoratative DNS server. Organizations typically have multiple DNS servers. Master server used to make changes to domain. Slave servers provide read-only copies for performance and reliability. Master servers transfer database to slaves via zone transfers. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 8 / 31

9 DNS Query Types There are two major types of DNS queries. Recursive queries always provide a complete answer to the question asked. The DNS server queries other servers as need to obtain the answer. Not all servers support recursive queries. Iterative queries which may return a complete answer or a referral to another DNS server. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 9 / 31

10 DNS Recursive Query James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 10 / 31

11 DNS Transport DNS servers uses UDP port 53 to service most requests, but Responses larger than 512 bytes have truncation bit set, causing resolver to send a TCP query to the server which allows for a larger response. Extension Mechanisms for DNS (EDNS) was published as RFC 2671 to allow larger UDP packets, but it is not supported everywhere. Zone transfers always use TCP. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 11 / 31

12 DNS Query Packet James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 12 / 31

13 DNS Response Packet James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 13 / 31

14 DNS over TCP James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 14 / 31

15 DNS Caching: Step 1 Step 1: Client sends DNS query. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 15 / 31

16 DNS Caching: Step 2 Step 2: Server answers and caches DNS query. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 16 / 31

17 DNS Caching: Step 3 Step 3: Future client queries used cached answer. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 17 / 31

18 DNS Caching: Step 4 Step 4: Evict cached responses when TTL expires. However, DNS caches may not always obey TTL rules. DNS caches may evict cache entries if no RAM available. DNS caches may keep records longer than TTL to be faster. DNS caches may prefetch heavily used records, like root nameservers. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 18 / 31

19 DNS Spoofing A nameserver will accept a response if The response arrives on the UDP port that sent the query (otherwise the OS will not deliver the packet to the process.) The Question section matches the Question of a pending query. The Query ID matches the QID of a pending query. The Authority and Additional sections represent names in the domain of the question. No other response has previously been received for the query. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 19 / 31

20 Obtaining the Query ID Query IDs can be obtained in the following ways: Network sniffing. Brute force guessing the 16-bit QID. Intelligent guessing. Old servers incremented QID by 1. Attacker sends a query to target server for name he owns. Attacker records query ID in query to his nameserver. Attacker increments by 1 to get new query ID. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 20 / 31

21 DNS Cache Poisoning Cache poisoning can let an attacker control name resolution for requests for a specific hostname like yourbank.com. 1. Attacker sends DNS query to victim nameserver for host he wishes to spoof. 2. Attacker sends spoofed DNS responses for his question. 3. Victim nameserver caches spoofed response. 4. Future clients receive spoofed response when they send requests to victim nameserver for that hostname. Attacker response must arrive before legitimate response to work. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 21 / 31

22 DNSSEC DNSSEC uses public key authentication to provide Authentication - the DNS server sending the response was the server that the query was sent to. Integrity - the response is complete and nothing is missing or changed. Proof of non-existance - if the DNS returns a status that the name does not exist (NXDOMAIN) this response can be proven to have come from the authoritative server. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 22 / 31

23 Simple Mail Transport Protocol SMTP is the Internet standard for transmission. Port 25 is original port, still used for server to server connections. Port 587 is used for mail clients to submit messages to mail servers. Port 465 was reserved for encrypted , but ports 25 and 587 can be encrypted now, so it is rarely used. Unencrypted by default, but STARTTLS command can used to encrypt. SMTP receives mail from clients and transfers mail between servers. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 23 / 31

24 SMTP Terminology MTA (Mail Transport Agent) receive mail from clients or other servers, then either hand-off local mail to an MDA or forward to another MTA. MDA (Mail Delivery Agent) receive messages from a MTA and store them in a file (often in mbox format) or database for later retrieval. MUA (Mail User Agent) is the client program used to retrieve and send mail. Could be a desktop client like Outlook or Thunderbird or a webclient like gmail or yahoo mail. MUAs used SMTP to send mail but other protocols to retrieve mail. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 24 / 31

25 SMTP Delivery Process James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 25 / 31

26 Example SMTP Conversation S: 220 smtp.example.com ESMTP Postfix C: HELO relay.example.com S: 250 smtp.example.com, I am glad to meet you C: MAIL FROM:<bob@example.com> S: 250 Ok C: RCPT TO:<alice@example.com> S: 250 Ok C: RCPT TO:<theboss@example.com> S: 250 Ok C: DATA S: 354 End data with <CR><LF>.<CR><LF> C: From: "Bob Example" <bob@example.com> C: To: Alice Example <alice@example.com> C: Cc: theboss@example.com C: Date: Tue, 15 January :02: C: Subject: Test message C: C: Hello Alice. C: This is a test message with 5 header fields and 4 lines in the message body. C: Your friend, C: Bob C:. S: 250 Ok: queued as C: QUIT S: 221 Bye From James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 26 / 31

27 Mail Retrieval Protocols Post Office Protocol (POP) version 3 was released in Unencrypted protocol uses port 110. Encrypted (TLS) protocol uses port 995. Internet Message Access Protocol (IMAP) version 4 was released in 2003 to support multiple clients, with online and offline operation. Unencrypted protocol uses port 143. Encrypted (TLS) protocol uses port 993. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 27 / 31

28 MIME Multipurpose Internet Mail Extensions (MIME) extend to support Text in non-ascii character sets, Binary attachments, such as images or office documents, Message bodies with multiple parts, Header information in non-ascii character sets. Since SMTP only tranfers ASCII-data, MIME encodes data as ASCII. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 28 / 31

29 MIME Headers Headers are colon-separated name/value pairs. MIME-Version is always 1.0. Content-Type specifies media type, such as text/plain, text/html. MIME types are used by HTTP too. IANA maintains the type list at media-types/media-types.xhtml. Content-Transfer-Encoding specifies method of encoding non-ascii data as ASCII. Base64 is the most common encoding. Multipart messages have multiple parts with their own type and encoding headers. Each part must be separated by a boundary string that must not occur inside any part of the message. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 29 / 31

30 Example MIME Message MIME-Version: 1.0 Content-Type: multipart/mixed; boundary=frontier This is a message with multiple parts in MIME format. --frontier Content-Type: text/plain This is the body of the message. --frontier Content-Type: application/octet-stream Content-Transfer-Encoding: base64 PGh0bWw+CiAgPGhlYWQ+CiAgPC9oZWFkPgogIDxib2R5PgogICAgPHA+ VGhpcyBpcyB0aGUg Ym9keSBvZiB0aGUgbWVzc2FnZS48L3A+CiAgPC9ib2R5Pgo8L2h0bWw+ Cg== --frontier-- James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 30 / 31

31 References 1. DNS for Rocket Scientists Steve Friedl. An Illustrated Guide to the Kaiminsky DNS Vulnerability Goodrich and Tammasia. Introduction to Computer Security. Pearson IETF. RFC Domain Names - implementation and specification IETF. RFC Extension Mechanisms for DNS (EDNS0) IETF. RFC 821. Simple Mail Transport Protocol IETF. RFC Extended Simple Mail Transport Protocol Chris Sanders. Practical Packet Analysis, Third Edition. Chapter 9. No Starch Press James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 31 / 31