This time. Digging into. Networking. Protocols. Naming DNS & DHCP

Similar documents
TCP/IP SECURITY GRAD SEC NOV

CSC 574 Computer and Network Security. DNS Security

Network Attacks. CS Computer Security Profs. Vern Paxson & David Wagner

Attacks on DNS: Risks of Caching

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration. Chapter 5 Introduction to DNS in Windows Server 2008

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

Computer Security CS 426

DNS and HTTP. A High-Level Overview of how the Internet works

Domain Name Service. DNS Overview. October 2009 Computer Networking 1

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

The Application Layer: Sockets, DNS

Network Security Part 3 Domain Name System

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1

More on DNS and DNSSEC

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

A Security Evaluation of DNSSEC with NSEC Review

Attacks on DNS: Risks of Caching. March 21, 2018

More Internet Support Protocols

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

CS 3640: Introduction to Networks and Their Applications

Domain Name System.

APNIC elearning: DNS Concepts

Domain Name System (DNS) DNS Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale. The old solution: HOSTS.

ECE 650 Systems Programming & Engineering. Spring 2018

Network Attacks. CS Computer Security. Once again thanks to Vern Paxson and David Wagner

Goal of this session

DNS Basics BUPT/QMUL

CSE 127: Computer Security Network Security. Kirill Levchenko

DNS: Useful tool or just a hammer? Paul DNS-OARC 06 Oct 2013, Phoenix

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Tasks (Part I): Setting Up a Local DNS Server. SEED Labs Local DNS Attack Lab 1

Is your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

Internet Engineering. DNS Message Format. Contents. Robert Elz.

Domain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

A DNS Tutorial

ECE 435 Network Engineering Lecture 7

DNSSEC All You Need To Know To Get Started

DNS. Introduction To. everything you never wanted to know about IP directory services

page 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, October 2016

Domain Name System (DNS) Session-1: Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

Oversimplified DNS. ... or, even a rocket scientist can understand DNS. Step 1 - Verify WHOIS information

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

DNS & Iodine. Christian Grothoff.

Implementing DNSSEC with DynDNS and GoDaddy

Introduction to the Domain Name System

Foundations of Network and Computer Security

CSE 565 Computer Security Fall 2018

Introduction to Network. Topics

Agenda. Review DNS Fundamentals DNS Security Summary 1/22

Client Server Concepts, DNS, DHCP

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

Networking Applications

CSE Computer Security

The Domain Name System

OPS535 Lab 5. Dynamic DNS. RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE)

Ordinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

Domain Name System - Advanced Computer Networks

Network security (DNS caching and DoS)

Configuring DNS. Finding Feature Information. Prerequisites for Configuring DNS

CS 3640: Introduction to Networks and Their Applications

DNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31

Electrical Engineering Department EE 400, Experiment # 4 IP Addressing and Subnetting

6.033 Computer System Engineering

Protocol Classification

CSCE 463/612 Networks and Distributed Processing Spring 2018

CNT Computer and Network Security: DNS Security

Weaver. Computer Science 161 Fall Network Security 3

CS 161 Computer Security

Sicurezza dei sistemi e delle reti

THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY

DNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46

Domain Name System (DNS) Services

CSCE 463/612 Networks and Distributed Processing Spring 2018

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

DOMAIN NAME SECURITY EXTENSIONS

Computer Networking Introduction

Managing Caching DNS Server

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

IP Addressing: DNS Configuration Guide

CS Paul Krzyzanowski

DNS & DHCP CONFIGURATION

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

DNS Concepts. Acknowledgements July 2005, Thimphu, Bhutan. In conjunction with SANOG VI. Bill Manning Ed Lewis Joe Abley Olaf M.

Objectives. Upon completion you will be able to:

DNS CACHE POISONING LAB

Chapter 19. Domain Name System (DNS)

IP ADDRESSES, NAMING, AND DNS

Domain Name System (DNS)

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Higher layer protocols

Manual Configuration Stateful Address Configuration (i.e. from servers) Stateless Autoconfiguration : IPv6

Transcription:

This time Digging into Networking Protocols Naming DNS & DHCP

Naming IP addresses allow global connectivity But they re pretty useless for humans! Can t be expected to pick their own IP address Can t be expected to remember another s IP address DHCP : Setting IP addresses DNS : Mapping a memorable name to a routable IP address

DHCP Dynamic Host Configuration Protocol New host DHCP server

DHCP Dynamic Host Configuration Protocol Doesn t have an IP address yet (can t set src addr) New host DHCP server

DHCP Dynamic Host Configuration Protocol Doesn t have an IP address yet (can t set src addr) New host DHCP server Doesn t know who to ask for one

DHCP Dynamic Host Configuration Protocol Doesn t have an IP address yet (can t set src addr) New host DHCP server Doesn t know who to ask for one Solution: Discover one on the local subnet

DHCP Dynamic Host Configuration Protocol Doesn t have an IP address yet (can t set src addr) New host DHCP discover (L2 broadcast) DHCP server Doesn t know who to ask for one Solution: Discover one on the local subnet

DHCP Dynamic Host Configuration Protocol Doesn t have an IP address yet (can t set src addr) Doesn t know who to ask for one New host DHCP discover (L2 broadcast) DHCP offer DHCP server Solution: Discover one on the local subnet

DHCP Dynamic Host Configuration Protocol Doesn t have an IP address yet (can t set src addr) Doesn t know who to ask for one Solution: Discover one on the local subnet New host DHCP discover (L2 broadcast) DHCP offer DHCP server offer includes: IP address, DNS server, gateway router, and duration of this offer ( lease time)

DHCP Dynamic Host Configuration Protocol Doesn t have an IP address yet (can t set src addr) Doesn t know who to ask for one Solution: Discover one on the local subnet New host DHCP discover (L2 broadcast) DHCP offer DHCP request (L2 broadcast) DHCP server offer includes: IP address, DNS server, gateway router, and duration of this offer ( lease time)

DHCP Dynamic Host Configuration Protocol Doesn t have an IP address yet (can t set src addr) Doesn t know who to ask for one Solution: Discover one on the local subnet New host DHCP discover (L2 broadcast) DHCP offer DHCP request (L2 broadcast) DHCP server offer includes: IP address, DNS server, gateway router, and duration of this offer ( lease time) request asks for the offered IP address

DHCP Dynamic Host Configuration Protocol Doesn t have an IP address yet (can t set src addr) Doesn t know who to ask for one Solution: Discover one on the local subnet New host DHCP discover (L2 broadcast) DHCP offer DHCP request (L2 broadcast) DHCP ACK DHCP server offer includes: IP address, DNS server, gateway router, and duration of this offer ( lease time) request asks for the offered IP address

DHCP attacks Requests are broadcast: attackers on the same subnet can hear new host s request Race the actual DHCP server to replace: DNS server - Redirect any of a host s lookups ( what IP address should I use when trying to connect to google.com? ) to a machine of the attacker s choice Gateway - The gateway is where the host sends all of its outgoing traffic (so that the host doesn t have to figure out routes himself) - Modify the gateway to intercept all of a user s traffic - Then relay it to the gateway (MITM) - How could the user detect this?

Hostnames & IP addresses gold:~ dml$ ping google.com PING google.com (74.125.228.65): 56 data bytes 64 bytes from 74.125.228.65: icmp_seq=0 ttl=52 time=22.330 ms 64 bytes from 74.125.228.65: icmp_seq=1 ttl=52 time=6.304 ms 64 bytes from 74.125.228.65: icmp_seq=2 ttl=52 time=5.186 ms 64 bytes from 74.125.228.65: icmp_seq=3 ttl=52 time=12.805 ms

Hostnames & IP addresses gold:~ dml$ ping google.com PING google.com (74.125.228.65): 56 data bytes 64 bytes from 74.125.228.65: icmp_seq=0 ttl=52 time=22.330 ms 64 bytes from 74.125.228.65: icmp_seq=1 ttl=52 time=6.304 ms 64 bytes from 74.125.228.65: icmp_seq=2 ttl=52 time=5.186 ms 64 bytes from 74.125.228.65: icmp_seq=3 ttl=52 time=12.805 ms

Hostnames & IP addresses gold:~ dml$ ping google.com PING google.com (74.125.228.65): 56 data bytes 64 bytes from 74.125.228.65: icmp_seq=0 ttl=52 time=22.330 ms 64 bytes from 74.125.228.65: icmp_seq=1 ttl=52 time=6.304 ms 64 bytes from 74.125.228.65: icmp_seq=2 ttl=52 time=5.186 ms 64 bytes from 74.125.228.65: icmp_seq=3 ttl=52 time=12.805 ms

Hostnames & IP addresses gold:~ dml$ ping google.com PING google.com (74.125.228.65): 56 data bytes 64 bytes from 74.125.228.65: icmp_seq=0 ttl=52 time=22.330 ms 64 bytes from 74.125.228.65: icmp_seq=1 ttl=52 time=6.304 ms 64 bytes from 74.125.228.65: icmp_seq=2 ttl=52 time=5.186 ms 64 bytes from 74.125.228.65: icmp_seq=3 ttl=52 time=12.805 ms google.com is easy to remember, but not routable 74.125.228.65 is routable Name resolution: The process of mapping from one to the other

Terminology www.cs.umd.edu = domain name www.cs.umd.edu is a subdomain of cs.umd.edu Domain names can map to a set of IP addresses gold:~ dml$ dig google.com ; <<>> DiG 9.8.3-P1 <<>> google.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35815 ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 105 IN A 74.125.228.70 google.com. 105 IN A 74.125.228.66 google.com. 105 IN A 74.125.228.64 google.com. 105 IN A 74.125.228.69 google.com. 105 IN A 74.125.228.78 google.com. 105 IN A 74.125.228.73 google.com. 105 IN A 74.125.228.68 google.com. 105 IN A 74.125.228.65 google.com. 105 IN A 74.125.228.72 We ll understand this more in a bit; for now, note that google.com is mapped to many IP addresses

Terminology www.cs.umd.edu = domain name www.cs.umd.edu is a subdomain of cs.umd.edu Domain names can map to a set of IP addresses gold:~ dml$ dig google.com ; <<>> DiG 9.8.3-P1 <<>> google.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35815 ;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 105 IN A 74.125.228.70 google.com. 105 IN A 74.125.228.66 google.com. 105 IN A 74.125.228.64 google.com. 105 IN A 74.125.228.69 google.com. 105 IN A 74.125.228.78 google.com. 105 IN A 74.125.228.73 google.com. 105 IN A 74.125.228.68 google.com. 105 IN A 74.125.228.65 google.com. 105 IN A 74.125.228.72 We ll understand this more in a bit; for now, note that google.com is mapped to many IP addresses

Terminology zone = a portion of the DNS namespace, divided up for administrative reasons Think of it like a collection of hostname/ip address pairs that happen to be lumped together - www.google.com, mail.google.com, dev.google.com, Subdomains do not need to be in the same zone Allows the owner of one zone (umd.edu) to delegate responsibility to another (cs.umd.edu)

Namespace hierarchy. Zones edu com net umd.edu duke.edu cs.umd.edu www.cs.umd.edu

Terminology Nameserver = A piece of code that answers queries of the form What is the IP address for foo.bar.com? Every zone must run 2 nameservers Several very common nameserver implementations: BIND, PowerDNS (more popular in Europe) Authoritative nameserver : Every zone has to maintain a file that maps IP addresses and hostnames ( www.cs.umd.edu is 128.8.127.3 ) One of the name servers in the zone has the master copy of this file. It is the authority on the mapping.

Terminology Resolver - while name servers answer queries, resolvers ask queries. Every OS has a resolver. Typically small and pretty dumb. All it typically does it forward the query to a local Recursive nameserver - a nameserver which will do the heavy lifting, issuing queries on behalf of the client resolver until an authoritative answer returns. Prevalence There is almost always a local (private) recursive name server But very rare for name servers to support recursive queries otherwise

Terminology Record (or resource record ) = usually think of it as a mapping between hostname and IP address But more generally, it can map virtually anything to virtually anything Many record types: (A)ddress records (IP <-> hostname) Mail server (MX, mail exchanger) SOA (start of authority, to delineate different zones) Others for DNSSEC to be able to share keys Records are the unit of information

Terminology Nameservers within a zone must be able to give: Authoritative answers (A) for hostnames in that zone The umd.edu zone s nameservers must be able to tell us what the IP address for umd.edu is A record: umd.edu = 54.84.241.99 54.84.241.99 is a valid IP address for umd.edu Pointers to name servers (NS) who host zones in its subdomains The umd.edu zone s nameservers must be able to tell us what the name and IP address of the cs.umd.edu zone s nameservers NS record: cs.umd.edu = ipa01.cs.umd.edu. Ask ipa01.cs.umd.edu for all cs.umd.edu subdomains

Terminology Nameservers within a zone must be able to give: Authoritative answers (A) for hostnames in that zone The umd.edu zone s nameservers must be able to tell us what the IP address for umd.edu is A record: umd.edu = 54.84.241.99 54.84.241.99 is a valid IP address for umd.edu Pointers to name servers (NS) who host zones in its subdomains The umd.edu zone s nameservers must be able to tell us what the name and IP address of the cs.umd.edu zone s nameservers NS record: cs.umd.edu = ipa01.cs.umd.edu. Ask ipa01.cs.umd.edu for all cs.umd.edu subdomains

DNS Domain Name Service at a very high level Requesting host What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level Local nameserver (recursive) Requesting host What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level Local nameserver (recursive) 1 Requesting host What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level Root DNS server. Local nameserver (recursive) 1 Requesting host What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level 2 Root DNS server. Local nameserver (recursive) 1 Requesting host What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level 2 3 Root DNS server. Local nameserver (recursive) 1 Requesting host What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level Local nameserver (recursive) 1 2 3 NS Root DNS server. TLD DNS server (.edu ) Requesting host What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level 2 3 NS Root DNS server. Local nameserver (recursive) 1 4 TLD DNS server (.edu ) Requesting host What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level 2 3 NS Root DNS server. Local nameserver (recursive) 1 4 5 TLD DNS server (.edu ) Requesting host What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level 2 3 NS Root DNS server. Local nameserver (recursive) 4 5 NS TLD DNS server (.edu ) 1 Requesting host Authoritative DNS server ( umd.edu ) What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level 2 3 NS Root DNS server. Local nameserver (recursive) 1 Requesting host 4 5 6 NS TLD DNS server (.edu ) Authoritative DNS server ( umd.edu ) What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level 2 3 NS Root DNS server. Local nameserver (recursive) 1 Requesting host 4 5 7 6 NS TLD DNS server (.edu ) Authoritative DNS server ( umd.edu ) What is an IP address for cs.umd.edu?

DNS Domain Name Service at a very high level 2 3 NS Root DNS server. Local nameserver (recursive) 1 Requesting host 4 5 7 6 NS TLD DNS server (.edu ) A Authoritative DNS server ( umd.edu ) What is an IP address for cs.umd.edu? cs.umd.edu

DNS Domain Name Service at a very high level 2 3 NS Root DNS server. Local nameserver (recursive) 1 8 Requesting host 4 5 7 6 NS TLD DNS server (.edu ) A Authoritative DNS server ( umd.edu ) What is an IP address for cs.umd.edu? cs.umd.edu

DNS Domain Name Service at a very high level 2 3 NS Root DNS server. Local nameserver (recursive) 1 8 Requesting host 4 5 7 6 NS 9 TLD DNS server (.edu ) A Authoritative DNS server ( umd.edu ) What is an IP address for cs.umd.edu? cs.umd.edu

DNS Domain Name Service at a very high level Local nameserver (recursive) 1 8 Requesting host 2 3 4 5 NS Root DNS server. 7 6 NS 9 TLD DNS server (.edu ) A Caching responses is critical to DNS s success Every response (3,5,7,8) has a time-to-live (TTL). TTLs should be reasonably Authoritative DNS server ( umd.edu ) long (days), but some are minutes. What is an IP address for cs.umd.edu? cs.umd.edu

How do they know these IP addresses? Local DNS server: host learned this via DHCP A parent knows its children: part of the registration process Root nameserver: hardcoded into the local DNS server (and every DNS server) 13 root servers (logically): A-root, B-root,, M-root These IP addresses change very infrequently UMD runs D-root. - IP address changed beginning of 2013!! - For the most part, the change-over went alright, but Lots of weird things happened ask me some time.

Caching Central to DNS s success Also central to attacks Cache poisoning : filling a victim s cache with false information

Queries Local nameserver (recursive) 1 8 Requesting host 2 3 4 5 NS Root DNS server. 7 6 NS 9 TLD DNS server (.edu ) A Authoritative DNS server ( umd.edu ) Every query (2,4,6) has the same request in it ( what is the IP address for cs.umd.edu? ) But different: - dst IP (port = 53) - query ID hat is an IP address for cs.umd.edu? cs.umd.edu

What s in a response? Many things, but for the attacks we re concerned with A record: gives the authoritative response for the IP address of this hostname NS record: describes this is the name of the nameserver who should know more about how to answer this query than I do Often also contains glue records (IP addresses of those name servers to avoid chicken and egg problems) Resolver will generally cache all of this information

Query IDs 2 3 The local resolver has a lot of incoming/outgoing queries at any point in time. Local nameserver (recursive) 4 5 7 6 To determine which response maps to which queries, it uses a query ID Query ID: 16-bit field in the DNS header Requester sets it to whatever it wants Responder must provide the same value in its response

Query IDs Local nameserver (recursive) 2 3 4 5 7 6 The local resolver has a lot of incoming/outgoing queries at any point in time. To determine which response maps to which queries, it uses a query ID Query ID: 16-bit field in the DNS header Requester sets it to whatever it wants Responder must provide the same value in its response How would you implement query IDs at a resolver?

Query IDs used to increment Local nameserver (recursive) 16322 16322 16323 16323 16328 16328 Global query ID value Map outstanding query ID to local state of who to respond to (the client) Basically: new Packet(queryID++)

Query IDs used to increment Local nameserver (recursive) 16322 16322 16323 16323 16328 16328 Global query ID value Map outstanding query ID to local state of who to respond to (the client) Basically: new Packet(queryID++) How would you attack this?

Cache poisoning Local nameserver (recursive) Bad guy 6.6.6.6

Cache poisoning Local nameserver (recursive) Bad guy 6.6.6.6 www.bank.com

Cache poisoning Authoritative DNS server ( bank.com ) Local nameserver (recursive) Bad guy 6.6.6.6 www.bank.com

Cache poisoning 16322 Authoritative DNS server ( bank.com ) Local nameserver (recursive) Bad guy 6.6.6.6 www.bank.com

Cache poisoning 16322 Authoritative DNS server ( bank.com ) Local nameserver (recursive) 16322: A www.bank.com = 6.6.6.6 Bad guy 6.6.6.6 www.bank.com

Cache poisoning 16322 16322 Authoritative DNS server ( bank.com ) Local nameserver (recursive) 16322: A www.bank.com = 6.6.6.6 Bad guy 6.6.6.6 www.bank.com

Cache poisoning 16322 16322 Authoritative DNS server ( bank.com ) Local nameserver (recursive) Will cache www.bank.com = 6.6.6.6 and ignore authority s answer 16322: A www.bank.com = 6.6.6.6 www.bank.com Bad guy 6.6.6.6

Cache poisoning How do you guess this? 16322 16322 Authoritative DNS server ( bank.com ) Local nameserver (recursive) Will cache www.bank.com = 6.6.6.6 and ignore authority s answer 16322: A www.bank.com = 6.6.6.6 www.bank.com Bad guy 6.6.6.6

Cache poisoning How do you guess this? Local nameserver (recursive) 16322 16322 Authoritative DNS server ( bank.com ) www.bad.com Will cache www.bank.com = 6.6.6.6 and ignore authority s answer 16322: A www.bank.com = 6.6.6.6 www.bank.com Bad guy 6.6.6.6

Cache poisoning How do you guess this? Local nameserver (recursive) 16322 16322 Authoritative DNS server ( bank.com ) 16321 www.bad.com Will cache www.bank.com = 6.6.6.6 and ignore authority s answer 16322: A www.bank.com = 6.6.6.6 www.bank.com Bad guy 6.6.6.6

Cache poisoning How do you guess this? Local nameserver (recursive) 16322 16322 Authoritative DNS server ( bank.com ) 16321 www.bad.com Will cache www.bank.com = 6.6.6.6 and ignore authority s answer 16322: A www.bank.com = 6.6.6.6 www.bank.com Bad guy 6.6.6.6 Next is likely 16322

Details of getting the attack to work Must guess query ID: ask for it, and go from there Partial fix: randomize query IDs Problem: small space Attack: issue a Lot of query IDs Must guess source port number Typically constant for a given server (often always 53) The answer must not already be in the cache It will avoid issuing a query in the first place

Cache poisoning Can we do more harm than a single record? com. TLD Local nameserver (recursive) Bad guy 6.6.6.6

Cache poisoning Can we do more harm than a single record? com. TLD Local nameserver (recursive) www.bad.com Bad guy 6.6.6.6

Cache poisoning Can we do more harm than a single record? com. TLD Local nameserver (recursive) 16321 www.bad.com Bad guy 6.6.6.6

Cache poisoning Can we do more harm than a single record? com. TLD Local nameserver (recursive) 16321 www.bad.com Bad guy 6.6.6.6 Next is likely 16322

Cache poisoning Can we do more harm than a single record? com. TLD Local nameserver (recursive) 16321 www.bad.com Bad guy 6.6.6.6 somethingnotcached.bank.com Next is likely 16322

Cache poisoning Can we do more harm than a single record? 16322 com. TLD Local nameserver (recursive) 16321 www.bad.com Bad guy 6.6.6.6 somethingnotcached.bank.com Next is likely 16322

Cache poisoning Can we do more harm than a single record? 16322 com. TLD Local nameserver (recursive) 16321 www.bad.com 16322: NS bank.com = ns.bank.com A ns.bank.com = 6.6.6.6 Bad guy 6.6.6.6 somethingnotcached.bank.com Next is likely 16322

Cache poisoning Can we do more harm than a single record? Local nameserver (recursive) 16322 16322 com. TLD 16321 www.bad.com 16322: NS bank.com = ns.bank.com A ns.bank.com = 6.6.6.6 Bad guy 6.6.6.6 somethingnotcached.bank.com Next is likely 16322

Cache poisoning Can we do more harm than a single record? Local nameserver (recursive) 16322 16322 com. TLD 16321 www.bad.com Will cache the person to ask for ALL bank.com queries is 6.6.6.6 16322: NS bank.com = ns.bank.com A ns.bank.com = 6.6.6.6 somethingnotcached.bank.com Bad guy Next is likely 16322 6.6.6.6

Solutions? Randomizing query ID? Not sufficient alone: only 16 bits of entropy Randomize source port, as well There s no reason for it stay constant Gets us another 16 bits of entropy DNSSEC?

DNSSEC www.cs.umd.edu? Root DNS server.

DNSSEC www.cs.umd.edu? Ask.edu Root DNS server..edu s public key = PKedu (Plus. s sig of this zone-key binding)

DNSSEC www.cs.umd.edu? Ask.edu Root DNS server..edu s public key = PKedu (Plus. s sig of this zone-key binding) www.cs.umd.edu? TLD DNS server (.edu )

DNSSEC www.cs.umd.edu? Ask.edu Root DNS server..edu s public key = PKedu (Plus. s sig of this zone-key binding) www.cs.umd.edu? Ask umd.edu umd.edu s public key = PKumd (Plus edu s sig of this zone-key binding) TLD DNS server (.edu )

DNSSEC www.cs.umd.edu? Ask.edu Root DNS server..edu s public key = PKedu (Plus. s sig of this zone-key binding) www.cs.umd.edu? Ask umd.edu umd.edu s public key = PKumd (Plus edu s sig of this zone-key binding) TLD DNS server (.edu ) www.cs.umd.edu? Authoritative DNS server ( umd.edu )

DNSSEC www.cs.umd.edu? Ask.edu Root DNS server..edu s public key = PKedu (Plus. s sig of this zone-key binding) www.cs.umd.edu? Ask umd.edu umd.edu s public key = PKumd (Plus edu s sig of this zone-key binding) TLD DNS server (.edu ) www.cs.umd.edu? IN A www.cs.umd.edu 128.8.127.3 (Plus umd.edu s signature of the answer Authoritative DNS server ( umd.edu )

DNSSEC www.cs.umd.edu? Ask.edu Root DNS server..edu s public key = PKedu (Plus. s sig of this zone-key binding) www.cs.umd.edu? Ask umd.edu umd.edu s public key = PKumd (Plus edu s sig of this zone-key binding) TLD DNS server (.edu ) Only the authoritative answer is signed www.cs.umd.edu? IN A www.cs.umd.edu 128.8.127.3 (Plus umd.edu s signature of the answer Authoritative DNS server ( umd.edu )

Properties of DNSSEC If everyone has deployed it, and if you know the root s keys, then prevents spoofed responses Very similar to PKIs in this sense But unlike PKIs, we still want authenticity despite the fact that not everyone has deployed DNSSEC What if someone replies back without DNSSEC? Ignore = secure but you can t connect to a lot of hosts Accept = can connect but insecure Back to our notion of incremental deployment DNSSEC is not all that useful incrementally

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback