CSC 574 Computer and Network Security. DNS Security

Similar documents
CNT Computer and Network Security: DNS Security

CSE Computer Security

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

DNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

CSC 574 Computer and Network Security. TCP/IP Security

Computer Security CS 426

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

Introduction to Network. Topics

DNS Cache Poisoning Looking at CERT VU#800113

Networking Applications

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

A Security Evaluation of DNSSEC with NSEC Review

Domain Name System.

IP ADDRESSES, NAMING, AND DNS

CSE 565 Computer Security Fall 2018

DNS & Iodine. Christian Grothoff.

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS

OFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES. Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner

Lecture 4: Basic Internet Operations

Remote DNS Cache Poisoning Attack Lab

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

Domain Name System (DNS)

Chapter 2 Application Layer. Lecture 5 DNS. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

OSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

DNSSEC All You Need To Know To Get Started

ECE 435 Network Engineering Lecture 7

CS Paul Krzyzanowski

More Internet Support Protocols

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

CSE543 Computer and Network Security Module: Network Security

Module: Network Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

Network Security Part 3 Domain Name System

Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer

Attacks on DNS: Risks of Caching

Internet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: November 2015

Domain Name Service. DNS Overview. October 2009 Computer Networking 1

IPv6: An Introduction

THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY

CS 43: Computer Networks. 10: Naming and DNS September 24, 2018

Chapter 19. Domain Name System (DNS)

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

Computer Networks. Domain Name System. Jianping Pan Spring /25/17 CSC361 1

APNIC elearning: DNS Concepts

CIS 5373 Systems Security

Protocol Classification

Remote DNS Cache Poisoning Attack Lab

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

DNS and HTTP. A High-Level Overview of how the Internet works

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

DNS and BGP. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu. University of Wisconsin CS 642

(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

CSCE 463/612 Networks and Distributed Processing Spring 2018

CSCI 680: Computer & Network Security

CSc 450/550 Computer Networks Domain Name System

CSE 127: Computer Security Network Security. Kirill Levchenko

Advanced Networking. Domain Name System

Advanced Networking. Domain Name System. Purpose of DNS servers. Purpose of DNS servers. Purpose of DNS servers

IP: Addressing, ARP, Routing

More on DNS and DNSSEC

DNS. David Malone. 19th October 2004

CSCE 463/612 Networks and Distributed Processing Spring 2018

Managing DNS Firewall

CSE 127 Computer Security

In the Domain Name System s language, rcode 0 stands for: no error condition.

Domain Name System (DNS)

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

DNSSEC Basics, Risks and Benefits

DNSSEC Basics, Risks and Benefits

Manual Configuration Stateful Address Configuration (i.e. from servers) Stateless Autoconfiguration : IPv6

CSc 466/566. Computer Security. 18 : Network Security Introduction

Network Security. Thierry Sans

Internet Security: How the Internet works and some basic vulnerabilities

CS 161 Computer Security

Application Layer Protocols

ECE 650 Systems Programming & Engineering. Spring 2018

Weaver. Computer Science 161 Fall Network Security 3

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

DOMAIN NAME SECURITY EXTENSIONS

DNS. A Massively Distributed Database. Justin Scott December 12, 2018

Network Attacks. CS Computer Security Profs. Vern Paxson & David Wagner

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

12. Name & Address 최양희서울대학교컴퓨터공학부

BIG-IP DNS Services: Implementations. Version 12.0

Managing Caching DNS Server

Network Security. Network Vulnerabilities

Internet Technology. 06. Exam 1 Review Paul Krzyzanowski. Rutgers University. Spring 2016

Lecture 7: Application Layer Domain Name System

By Paul Wouters

DNS Security DNSSEC. * zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi

Internet Technology 3/2/2016

CSCI-1680 Network Layer:

IPv6 Support in the DNS. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Transcription:

CSC 574 Computer and Network Security DNS Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr)

A primer on routing

Routing Problem: How do Alice s messages get to Bob? 10.0.0.25 195.42.54.123

Routing within the local network 10.0.0.24 10.0.0.25 10.0.0.29 10.0.0.55 10.0.0.81 Switch Each host knows the network prefix of the local network All nodes within the local network are reachable within 1 hop CIDR Notation: BaseAddress/Prefix_Size e.g., 10.0.0.0/24: Network prefix is 10.0.0 (first 24 bits -- or 3 octets) Number of possible addresses in network: 32-24 = 8 bits 2 8 = 256 addresses If Alice wants to communicate with node in local network, she uses ARP to discover the node s IP address and relies on the (layer 2) switch to correctly deliver the message. But what if Alice wants to route outside of her local network?

Routing outside of the local subnet 10.0.0.24 10.0.0.25 10.0.0.29 10.0.0.55 10.0.0.81 10.0.0.1 Switch Router Alice relays her message thru her subnet s router Specifies Bob s IP address as destination IP in IP header But specifies router s MAC address as destination in Ethernet frame Switch relays Alice s message to router

10.0.0.29 Routing outside of the local subnet 10.0.0.1 0.0.0.0/2 192.0.0.0/4 Switch Router is connected to other router(s) Choice of path Router based on CIDR prefixes and destination IP 128.0.0.0/4... Bob s Router 195.0.0.0/24 Bob s Switch 195.42.54.123

But what if Alice doesn t know Bob s (bob.com) IP address?

The Old Fashioned Way Each host stores mapping between hostnames and IP addresses Local /etc/hosts file: 127.0.0.1 localhost 152.14.93.88 wspr.csc.ncsu.edu wspr 158.130.69.163 www.cis.upenn.edu 18.9.22.169 www.mit.edu Q: Does this scale?

Domain Name System (DNS) Distributed translation service between hostnames and IP addresses http://wspr.csc.ncsu.edu http://152.14.93.88

What s the IP address of Bob.com? DNS Src=A, Dst=DNS, Req=Bob.com? Src=DNS, Dst=A, Resp=195.42.54.123 195.42.54.123

DNS DNS is distributed Organized as a tree, with the root nameservers at the top Each top-level domain (TLD) (e.g.,.com,.edu,.gov,.uk) served by a separate root nameserver Authoritative Name Servers responsible for their domains Domain information stored as a zone record

Name servers Authoritative Name Server: gives authoritative results for hostnames that have been configured Domains are registered with a domain name registrar (e.g., GoDaddy) Each domain must have one primary and at least one secondary name servers For reliability in case of failure

TLDs Name servers pre-loaded with IP addresses of TLD name servers A.ROOT-SERVERS.NET. IN A 198.41.0.4 B.ROOT-SERVERS.NET. IN A 192.228.79.201 C.ROOT-SERVERS.NET. IN A 192.33.4.12... M.ROOT-SERVERS.NET. IN A 202.12.27.33

DNS Many record types: A Records: Maps hostname to IPv4 address AAAA Records: Maps hostname to IPv6 address CNAME Records: Specifies alias for hostname MX Records: Maps hostname to list of Mail Transfer Agents (MTAs) SOA Records: Specifies authoritative info about zone

Naive Recursive Query What s the IP address of smtp.mail.bob.com? smtp.mail.bob.com?.com Root Nameserver knows IP of bob.com bob.com Nameserver knows IP of mail.bob.com smtp.mail.bob.com is at 195.42.54.123 mail.bob.com Nameserver knows IP of smtp.mail.bob.com

Naive Iterative Query What s the IP address of smtp.mail.bob.com? smtp.mail.bob.com? try bob.com nameserver at 1.2.3.4 smtp.mail.bob.com? try mail.bob.com nameserver at 1.2.3.5.com Root Nameserver bob.com Nameserver knows IP of bob.com knows IP of mail.bob.com smtp.mail.bob.com? smtp.mail.bob.com is at 195.42.54.123 mail.bob.com Nameserver knows IP of smtp.mail.bob.com

What s the IP address of smtp.mail.bob.com? Naive Iterative Query smtp.mail.bob.com?.com Root Nameserver Why are these two try bob.com nameserver at 1.2.3.4 smtp.mail.bob.com? approaches bob.com Nameserver (recursive and iterative) try mail.bob.com nameserver at 1.2.3.5 knows IP of bob.com knows IP of mail.bob.com smtp.mail.bob.com? smtp.mail.bob.com is at 195.42.54.123 unscalable? mail.bob.com Nameserver knows IP of smtp.mail.bob.com

DNS in the Real World Browser IM Email Local Resolver OS Cache Recursive DNS Query ISP s DNS Resolver Cache Iterative DNS Query Cache

DNS Vulnerabilities

DNS Problems DNS requests and responses are not authenticated Yet many applications trust DNS resolutions... or, more accurately, they don t consider the threat at all Spoofing of DNS is very dangerous -- WHY? Caching doesn t help: DNS relies heavily on caching for efficiency, enabling cache pollution attacks Once something is wrong, it can remain that way in caches for a long time Data may be corrupted before it gets to authoritative server

DNS Message Format

DNS Message Example (local DNS server queries.net TLD DNS server) (http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html)

DNS Message Example (.net TLD DNS server responds) (http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html)

DNS Message Example (local DNS server queries domain DNS server) (http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html)

DNS Message Example (domain DNS server responds) (http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html)

A Cache Poisoning Attack All DNS requests have a unique query ID The nameserver/resolver uses this information to match up requests and responses -- this is useful since DNS uses UDP If an adversary can guess the query ID, then it can forge the responses and pollute the DNS cache 16-bit query IDs (only 2 16 =65536 possible query IDs) Some servers increment IDs (or use some other predictable algo) gethostbyname returns as soon as it gets a response, so first one in wins!!! Note: If you can observe the traffic going to a name server, you can pretty much arbitrarily 0wn the Internet for the clients it serves

A Cache Poisoning Attack A simple (and extremely effective) attack: 1. Wait for Alice to send DNS request to nameserver 2. Intercept request 3. Quickly insert a fake response If attacker is faster and/or closer to Alice than the DNS server, then the attack is successful Advantage attacker: unlike the name server, the attacker doesn t have to do any actual resolving

What if attacker cannot intercept DNS queries? First, cause DNS server to make a query How? Second, guess the QueryID and exploit the race condition

Single DNS Name Attack (http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html)

Attack Limitations Victim hostname cannot already be in the cache Randomizing the QueryID makes the race condition much harder to exploit (2 16 possible Query IDs)

Kaminsky Attack Hijacks the entire name server of victim host Basic idea Choose a random hostname in the domain (guaranteed not to be cached) Try to beat real name server response (guessing the QueryID) Forged response specifies an update for the name server IP address (to attacker) Repeat until successful All future DNS queries for the victim domain now directed to the attacker s DNS server (until TTL expires)

Key part of the attack (http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html)

Mitigations? The QueryID is 16 bits. Increasing the size would break the Internet What else can we randomize? Source port address (http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html)

Can we do better?

DNSSEC A standards-based (IETF) solution to security in DNS Prevents data spoofing and corruption Authentication (verifiable DNS) using public key infrastructure Authenticates: Communication between servers DNS data content existence non-existence Public keys

DNSSEC Mechanisms Each domain signs their zone with a private key Public keys published via DNS Zones signed by parent zones Ideally, you only need a self-signed root, and follow keys down the hierarchy Signs Signs Signs root.edu ncsu.edu csc.ncsu.edu

DNSSEC challenges Incremental deployability Everyone has DNS, can t assume a flag day Resource imbalances Some devices can t afford real authentication Cultural Who gets to control the root keys? (US, China, EFF, NCSU?) Most people don t have any strong reason to have secure DNS ($$$ not justified in most environments) Lots of transitive trust assumptions Take away: DNSSEC will be deployed, but it is unclear whether it will be used appropriately/widely

DNS configuration attack in the wild

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback