What is DNS?
The Domain Name System (DNS) associates various information with domain names; most importantly, it serves as the "phone book" for the Internet by translating human-readable computer hostnames, e.g. www.example.com, into IP addresses, e.g. 208.77.188.166, which networking equipment needs to deliver information.
The DNS also stores other information, such as the list of mail servers that accept email for a given domain. By providing a worldwide keyword-based redirection service, the Domain Name System is an essential component of contemporary Internet use.
Source: Wikipedia
[Figure: the DNS namespace tree: top-level domains org, edu, net, com, uk and ca; second-level names such as wisc, stanford, ucb, cmu and mit; subdomains cs and ee; and a leaf record www = 192.168.20.1]
[Figure: the DNS building blocks: the Zone Administrator maintains the Zone Files, which load into the Master DNS Server; Dynamic Updates (DHCP & AAA) also change the Master; Slave DNS Server(s) replicate from the Master; a Recursive DNS Server (with its Stub Resolvers) answers the Client (Customer)]
[Figure: the same architecture with the flow between Zone Files, Master DNS Server, Slave DNS Server(s), Dynamic Updates (DHCP & AAA), Resolvers and Client numbered 1 to 5; repeated over several slides with one component highlighted at a time]
[Figure: iterative resolution of "www.apricot.net A ?", steps numbered 1 to 10: the Client asks the Recursive Server, which queries the ROOT Server, then the GTLD Server, then the APNIC Server; the answer 192.168.5.10 arrives with its TTL, is added to the cache, and 192.168.5.10 is returned to the Client]
[Figure: the DNS architecture again, with a Computer with Hijacking Malware sitting beside the Client]
[Figure: threats drawn onto the architecture: Cache Impersonation and Redirection against the Recursive Server and Client, DOS against the servers, Impersonating the Master towards the Slave DNS Server(s), Unauthorized Updates through the Dynamic Updates (DHCP & AAA) path]
[Figure: the two defensive scopes, Server Protection and Data Protection, drawn over the Zone Administrator, Zone Files, Master DNS Server, Slave DNS Server(s), Dynamic Updates and Client]
Zone Files
Are the Zone files protected?
Are they edited on the Master or off on another machine?
Is the path between the Zone Administrator and the Master DNS Server protected?
[Figure: the DNS architecture with the Zone Administrator, the Zone Files and the Master DNS Server highlighted]
[Figure: the DNS architecture with the Master DNS Server, the Slave DNS Server(s) and the Recursive DNS Server highlighted in turn]
Dynamic Updates
DHCP and other dynamic update tools need protection.
They could be a back door into the DNS system.
[Figure: the DNS architecture with the Dynamic Updates (DHCP & AAA) path into the Master DNS Server highlighted, and the Caching Forwarders and Resolvers in front of the Client]
[Figure: the cache-poisoning race: the Client asks the Recursive DNS Server for "www.apricot.net A ?"; the recursive server queries the APNIC DNS Server over UDP; a flood of forged responses (each marked "ME") carrying 172.13.1.66 races the legitimate answer 192.168.5.10]
[Figure: the same flood of forged responses against the Recursive DNS Server used as a Low Level DOS]
[Figure: a query flood at the APRICOT DNS Server through the Recursive DNS Server, using names pulled from a word list: a.apricot.net A, Aapple.apricot.net A, Aadvark.apricot.net A, alvin.apricot.net A, ake.juniper.net A, A$#@.juniper.net A, affrroo.juniper.net A, (password cracking file).juniper.net A]
DNS Architecture
Idea: Modularization & Compartmentalization
[Figure: External Resolution separated from the Zone Master, which stays on the internal DNS infrastructure only]
[Figure: Caching Resolvers placed in front of External Resolution, the Zone Master still internal only; the caching layer is marked as a New Failure Point]
Options
A provider has several key options for rearchitecting its DNS. Two key requirements are:
Investing in your own people to turn them into DNS gurus.
Join DNS-OARC (https://www.dns-oarc.net/).
Active participation in your network operations communities (RIPE and MENOG).
DNS Backscatter
Knowing when you are being Poisoned
[Figure: a Miscreant Driving the BOTNET, through a Controller, a Poison Engine and a Proxy, sends a Poison Attempt w/ RR Hint for random names (Wert543.example.com, Oihwoeif.example.com, Fdvakjnfvkjndaf.example.com) at the Victim of Crime's DNS Recursive Server while spoofing ns.example.com, the DNS Authority; "My DNS Server" is the operator's own authority]
Live Observation
Launching the attack results in packets arriving on closed ports of the recursive DNS server.
This sends ICMP Port Unreachable to the source of the packet, which is the DNS Authority being spoofed.
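A detection rule for this backscatter, as an added example that is not from the deck: it takes ICMP Port Unreachable records logged at the authority's edge (where the ACL, Netflow or IDP/IPS of the following slides sit), keeps only those whose quoted datagram claims to be a DNS answer from our authority that we never actually sent, and alerts on a recursive server once enough arrive inside a time window. The record layout, the authority address 192.0.2.53 and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# ns.example.com, the authority whose address the poison engine spoofs (constructed, RFC 5737 range)
AUTHORITY = "192.0.2.53"

@dataclass(frozen=True)
class IcmpUnreachable:
    """One ICMP type 3 code 3 (port unreachable) logged at the authority's edge router."""
    ts: float          # arrival time in seconds
    src: str           # sender of the ICMP message: a recursive server
    quoted_src: str    # inner datagram's source address, i.e. who it claimed to be from
    quoted_sport: int  # inner UDP source port; 53 for something shaped like a DNS answer
    quoted_dst: str    # inner datagram's destination (the recursive server)
    quoted_dport: int  # the closed port the forged answer hit

def is_backscatter(pkt, answers_sent):
    """True when the quoted datagram claims to be a DNS answer from our authority
    that we never sent to that address and port, so someone spoofed our address."""
    if pkt.quoted_src != AUTHORITY or pkt.quoted_sport != 53:
        return False
    return (pkt.quoted_dst, pkt.quoted_dport) not in answers_sent

def detect_poison_backscatter(pkts, answers_sent, window=60.0, threshold=5):
    """Count unexplained port-unreachables per recursive server in a sliding window.
    Returns {recursive_server: peak count} for servers that crossed the threshold."""
    per_src = defaultdict(list)
    for p in sorted(pkts, key=lambda p: p.ts):
        if is_backscatter(p, answers_sent):
            per_src[p.src].append(p.ts)
    alerts = {}
    for src, times in per_src.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts
# Constructed sample. The authority really answered one query from 198.51.100.7:40123;
# a late answer hitting an already-closed port is legitimate backscatter, not an attack.
ANSWERS_SENT = {("198.51.100.7", 40123)}
SAMPLE = [IcmpUnreachable(10.0 + i * 0.5, "198.51.100.7", AUTHORITY, 53,
                          "198.51.100.7", 30000 + i) for i in range(8)]
SAMPLE.append(IcmpUnreachable(12.0, "198.51.100.7", AUTHORITY, 53, "198.51.100.7", 40123))
SAMPLE.append(IcmpUnreachable(15.0, "203.0.113.9", AUTHORITY, 53, "203.0.113.9", 5555))
if __name__ == "__main__":
    print(detect_poison_backscatter(SAMPLE, ANSWERS_SENT))  # {'198.51.100.7': 8}
```

The single unreachable from 203.0.113.9 stays below the threshold, which is what separates a poisoning race from the occasional late answer.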
ACLs How?
[Figure: the backscatter attack above, with an ACL on the router (with an SNMP trap) between the spoofed ns.example.com DNS Authority and the DNS Recursive Server; www.example.com is the name being poisoned]
Netflow
[Figure: the same attack, with Netflow Export from the router carrying the backscatter to the operator]
IDP/IPS
[Figure: the same attack, with an IDP/IPS on the path in front of My DNS Server]
Attack Vector #1
A big money company's DNS server gets poisoned.
www.example.com is victimized.
Everyone going to the bad guys' server is victimized.
[Figure: DNS Poison of the company's DNS: Company Users and Home Users (via the SP's DNS) resolving www.example.com, with the poisoned path leading to the Bad Guys' Server]
Attack Vector #2
A DNS server gets poisoned.
The big money company is victimized.
Everyone going to the bad guys' server is victimized.
[Figure: the same actors (Bad Guys' Server, www.example.com, DNS Poison, Company Users, Home Users, SP's DNS) with the poison placed on the SP's DNS side]
Chain of Victimization
[Figure: the Bad Guys' Server reaches the Target Users; www.example.com is the Means to a Target; the Operator and the Domain Owner are the Target]
Solution? DNSSEC!
DNSSEC = DNS SECurity Extensions
Adds a cryptographic signature to a DNS response.
This signature can be validated from the root downward by a validating resolver.
Be warned, the responses WILL be bigger.
Update firewalls to accept DNS responses larger than 512 bytes and UDP fragments.
[Figure: the DNS namespace tree again (org, edu, net, com, uk, ca; wisc, stanford, ucb, cmu, mit; cs, ee) with the leaf record www = 192.168.20.1]
[Figure: External Resolution separated from the Zone Master, which stays on the internal DNS infrastructure only]
[Figure: target architecture: Zone Master and Zone Slaves on the internal-only DNS infrastructure; Internet Accessible Aggregate Caching Forwarders (ACFs); optional Internal Resolvers (iRs); Caching Forwarders (CFs) in front of the Resolvers]
CERT/CC VU#800113
Multiple DNS Implementations Vulnerable to Cache Poisoning
Detailed Analysis
CERT/CC Overview
The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of Internet-connected systems.
DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver.
The general concept has been known for some time, and a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning have previously been identified and described in public literature.
Issue #1 - Insufficient transaction ID space
The DNS protocol specification includes a transaction ID field of 16 bits. If correctly implemented and randomly selected with a strong random number generator, an attacker will require, on average, 32768 attempts to successfully predict the ID.
Some flawed implementations may be utilizing a smaller number of bits for this transaction ID, meaning that fewer attempts will suffice.
Furthermore, implementation errors in the randomness of transaction IDs generated by a number of implementations have been identified. Amit Klein researched several such affected implementations in 2007.
These vulnerabilities were published as:
VU#484649 - Microsoft Windows DNS Server vulnerable to cache poisoning
VU#252735 - ISC BIND generates cryptographically weak DNS query IDs
VU#927905 - BIND version 8 generates cryptographically weak DNS query identifiers
Disable Recursion
Disable recursion on any nameserver responding to DNS requests made by untrusted systems.
"Securing an Internet Name Server" contains instructions for disabling recursion in ISC BIND.
http://www.doxpara.com/
Use a DNS query tool such as dig to ask for the TXT record of porttest.dns-oarc.net:
$ dig +short porttest.dns-oarc.net TXT
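An offline check of the same two properties, transaction ID randomness from Issue #1 and the source port randomization that porttest measures, as an added example that is not from the deck or from DNS-OARC: it scores (txid, source port) pairs captured from one resolver's outgoing queries. The two captures and the 0.8 "sequential" tolerance are constructed assumptions.

```python
import math
import random
from collections import Counter

def expected_attempts(id_bits):
    """Average guesses to hit a uniformly random ID of id_bits bits (32768 for 16)."""
    return 2 ** id_bits // 2

def shannon_bits(values):
    """Empirical entropy of the observed values in bits; bounded above by log2(len(values))."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def looks_sequential(values, tolerance=0.8):
    """True when most consecutive IDs step by +1 (mod 2^16): a counter, not a random ID."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if (b - a) % 65536 == 1)
    return steps / (len(values) - 1) >= tolerance

def assess_resolver(queries):
    """queries: (txid, source_port) pairs captured from one resolver's outgoing queries.
    Flags the two weaknesses named above: predictable IDs and a single fixed source port."""
    txids = [q[0] for q in queries]
    ports = [q[1] for q in queries]
    f = {
        "txid_sequential": looks_sequential(txids),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(shannon_bits(ports), 2),
    }
    f["weak"] = f["txid_sequential"] or f["distinct_ports"] == 1
    return f

# Constructed captures (no real resolver was measured):
# a flawed resolver counting txids upward and always sending from port 53 ...
WEAK = [(0x1A00 + i, 53) for i in range(64)]
# ... and one drawing both fields from a seeded PRNG, standing in for a strong RNG.
_rng = random.Random(1)
GOOD = [(_rng.randrange(65536), _rng.randrange(1024, 65536)) for _ in range(64)]

if __name__ == "__main__":
    print("weak resolver:", assess_resolver(WEAK))
    print("good resolver:", assess_resolver(GOOD))
```

With only 64 samples the entropy figures top out at 6 bits, so treat them as a lower bound on what the resolver draws from, and the sequential and single-port flags as the decisive findings.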
My Tool Kit
[Figure: the BOT Herder's tool kit: SPAM, BOTNET, Drive-By, Secondary Malware, Packer, Malware, a Controller, a Poison Engine and a Proxy, aimed at the Victim of Crime and their DNS Recursive Server]
[Figure sequence, one slide per step: Prepare Drive-by (load malware); Send SPAM ("Click on me now"); Drive By Violation; Poison Checker (redirect to a new domain); Call to Secondary Malware Site, Load Secondary Package, Tell Malware Downloader to Push the Poison Tool; Poison Test #2 (Poison Attempt w/ RR Hint against the DNS Recursive Server); Poison Tester NS]
Poison Victory!
The BOT Herder now has an asset which can be cultivated and sold.
The BOT Herder can sell the BOT for some good money.
Why?
[Figure sequence answering "Why?": with the DNS Recursive Server poisoned, the Miscreant Driving the BOTNET (Controller, Poison Engine, Proxy, spoofed ns.example.com DNS Authority, random names Wert543.example.com, Oihwoeif.example.com, Fdvakjnfvkjndaf.example.com) now controls the answers to "Where is www.example.com?", "I need to E-mail smtp.example.com", "I need to telnet to my router ams-23pos23.example.com" and "I need to send a SNMP Trap to my Network Management Tool, my smtp-noc server1.example.com"; each asker becomes a Victim of Crime]
My Tool Kit
[Figure: the Miscreant Driving the Poison Attack with SPAM, BOTNET, Drive-By, a Poison Engine and a Proxy against the Victim of Crime's DNS Recursive Server]
[Figure sequence: Send SPAM ("Click on me now"); Drive By Violation; Poison Checker (Redirect to a domain you control), which identifies a potentially poisonable recursive server and triggers the Poison Attack; redirect tests to erowij.example.com, 49u0vfv.example.com and 943ofvoiv.example.com while a Poison Attempt w/ RR Hint goes at the DNS Recursive Server for ns.example.com's zone; a Poison Tester NS confirms the result; finally the spoofed ns.example.com DNS Authority and the random names Wert543.example.com, Oihwoeif.example.com, Fdvakjnfvkjndaf.example.com, as in the DNS Backscatter figure]
SAFE - Architecture
[Figure: a provider POP with links to Upstream A, Upstream B, IXP-W, IXP-E and Peer B; a DNS Secondary Server Cluster and a DNS Caching Server Cluster at each edge, a Sink Hole Network, and a Customer in 171.68.19.0/24 whose resolver is 171.68.19.1]
[Figure: the same architecture with the customer's DNS forwarded to the closed Caching Cluster]