
DNS Security Module

Quick DNS Refresher

What is DNS?

The Domain Name System (DNS) associates various information with domain names; most importantly, it serves as the "phone book" for the Internet by translating human-readable computer hostnames, e.g. www.example.com, into IP addresses, e.g. 208.77.188.166, which networking equipment needs to deliver information.

The DNS also stores other information, such as the list of mail servers that accept email for a given domain. By providing a worldwide keyword-based redirection service, the Domain Name System is an essential component of contemporary Internet use.

Source: Wikipedia

Hierarchical Name Space

[Figure: the DNS name tree. root → edu, org, net, com, uk, ca; edu → stanford, wisc, ucb, cmu, mit; stanford → cs, ee. Resolving www.cs.stanford.edu walks root → edu → stanford → cs, where www = 192.168.20.1.]

DNS Server Functions/Roles

Zone (Domain): A DNS zone is a portion of the global Domain Name System (DNS) namespace for which administrative responsibility has been delegated. Example: Zone = apricot.net.

[Figure: DNS roles diagram showing the Zone Administrator, Zone Files, Master DNS Server, Slave DNS Server(s), Dynamic Updates (DHCP & AAA), Recursive DNS Server and Client.]

DNS Server Functions/Roles

Zone Master (Primary): The authoritative server for a zone (domain). The Zone Master holds one or more zone files for which the server is authoritative. Other DNS servers can automatically transfer zone files from it.

[Figure: DNS roles diagram.]

DNS Server Functions/Roles

Zone Slave (Secondary): A Zone Slave (also called a stub name server or secondary DNS) gets zone data from the Zone Master. When a Zone Slave server starts up, it contacts its Zone Master, requesting a zone transfer. The goal of the Zone Slave is scaling (load) and zone resiliency (in case the Zone Master is down). You can have multiple Zone Slaves geographically distributed to increase resiliency.

[Figure: DNS roles diagram.]

DNS Server Functions/Roles

Resolvers: A resolver looks up the resource record information associated with nodes. A resolver knows how to communicate with name servers by sending DNS queries and heeding DNS responses.

[Figure: DNS roles diagram; the Client (Customer) sits behind the Recursive DNS Server.]

DNS Server Functions/Roles

Stub Resolvers (customers): Stub Resolvers move the resolution function out of the local machine and into a name server which supports recursive queries. Little to no local caching happens.

[Figure: DNS roles diagram, with Stub Resolvers in the Client position.]

DNS Server Functions/Roles (Options)

External Resolvers: External Resolvers are designed to proxy all queries from inside a large organization. An External Resolver becomes one of the publicly visible addresses of the large network, allowing the internal DNS servers to be hidden (core hiding) and protected from outside attack.

Internal Resolvers: Internal Resolvers are slaves configured in split-horizon mode to allow for external zone transfers and authoritative responses.

DNS Information Flow

[Figure: DNS roles diagram with the five flows numbered: 1 Zone Administrator → Zone Files → Master DNS Server; 2 Dynamic Updates (DHCP & AAA) → Master DNS Server; 3 Master DNS Server → Slave DNS Server(s); 4 Recursive DNS Server → Master/Slave DNS Servers; 5 Client/Resolvers → Recursive DNS Server.]

1. The Zone Administrator (e.g. for apricot.net) updates information in the Zone Files. These files are moved to the DNS Master.
2. Dynamic Updates are sent by the DHCP or AAA server. The DNS Master updates its records.
3. Zone transfer is used to push copies of the Master's records to the Slave DNS Servers. This allows for scaling and resiliency.
4. Caching Forwarders, Proxies, and Resolvers all query the Master/Slave DNS servers to get authoritative information about the DNS zone.
5. Resolvers query Recursive Caching Forwarders to have them get DNS records on their behalf. These are the local DNS servers set in most end devices.

DNS Query: Recursive Resolution

Question: www.apricot.net A

[Figure: recursive resolution between the Client, Recursive Server, ROOT Server, GTLD Server and APNIC Server, steps numbered 1-10.]

1. Client → Recursive Server: www.apricot.net A ?
2. Recursive Server → ROOT Server: www.apricot.net A ?
3. ROOT Server → Recursive Server: go ask the net server @ X.gtld-servers.net (+ glue)
4. Recursive Server → GTLD Server: www.apricot.net A ?
5. GTLD Server → Recursive Server: go ask the APNIC server @ ns.apnic.net (+ glue)
6. Recursive Server → APNIC Server: www.apricot.net A ?
7. APNIC Server → Recursive Server: 192.168.5.10
8-10. The Recursive Server returns 192.168.5.10 to the Client and adds the record to its cache, where it lives for its TTL.

What is the DNS Problem?

Industry Wide Vulnerability

DNS has a highly exploitable architectural flaw.
This is an industry-wide vulnerability which impacts every DNS server on the planet.
The risk is a general breach of confidence and a feasible ability to break chains of commercial trust.
Demonstrated ability for the exploit to be commercially capitalized by the cyber-criminal economy (miscreant economy). See http://www.getit.org/Mediawiki/index.php?title=Miscreant_economy
Suspected but not confirmed: active exploit today in China.

DNS: Where is the Problem?

[Figure: DNS information flow diagram (steps 1-5), with a Computer with Hijacking Malware beside the Client.]

DNS poison entries get in at step 4, the recursive server's queries to the Master/Slave DNS servers.

This is a bot-able and criminally executable threat to confidence in the Internet.

DNS Threat Vectors

DNS is a Critical Dependency

Services depend on DNS to be there.
Applications depend on DNS to be there.
People depend on DNS to be there.
The Internet could be passing plenty of packets at line rate speeds, but if DNS is not working, the customer sees the Internet as not working.

DNS Security: Protect the resolution path!

DNS Security is all about protecting the information that flows from one functional node to another.

[Figure: DNS roles diagram (Zone Administrator, Zone Files, Master DNS Server, Slave DNS Server(s), Dynamic Updates (DHCP & AAA), Resolving DNS Server, Client).]

DNS Attack Vectors

[Figure: the DNS roles diagram with each attack vector placed on the node or path it hits.]

Corrupt Zone Data
Unauthorized Updates
Impersonating Master
DOS Servers
Cache Impersonation
Poison Recursive Caching
Redirection

Divide the Problem in Half!

Policy, tools, protocols and techniques can be easily derived by dividing the problem in half:

Server Protection
Data Protection

[Figure: DNS roles diagram split into the servers to protect and the data flows to protect.]

Zone Files

Are the Zone Files protected?
Are they edited on the Master, or off on another machine?
Is the path between the Zone Administrator and the Master DNS Server protected?

[Figure: DNS roles diagram.]

Master & Slave DNS Servers

Basic 101 of server security. The Master is a critical resource.
What happens if it gets DOSed?
Who do you allow zone transfers to and from?

[Figure: DNS roles diagram.]

Zone Transfer to Slave Servers

The data path between the Master and the Slaves needs protection.
File corruption of the zone transfer, hijacking of the zone transfer, and (low-level) DOS could all happen.

[Figure: DNS roles diagram.]

Dynamic Updates

DHCP and other dynamic update tools need protection.
They could be a back door into the DNS system.

[Figure: DNS roles diagram (Zone Administrator, Zone Files, Master DNS Server, Slave DNS Server(s), Dynamic Updates (DHCP & AAA), Caching Forwarders, Resolvers).]

DNS Cache Poisoning

DNS cache poisoning is one of the most common attack vectors.
Anti-spoofing and the new source port randomization help.

[Figure: DNS roles diagram.]

DNS Poison Basic

DNS poisoning is a by-product of DNS using UDP.
When a query goes out, the resolver will take the first UDP packet back which seems to be authoritative.
It is a race to see who gets the UDP packet back first.
Once the Caching Forwarder is poisoned, all queries from all other resolvers will get the poisoned data.

[Figure: the Client (172.13.1.66) asks the Recursive DNS Server "www.apricot.net A ?"; the Recursive DNS Server asks the APNIC DNS Server over UDP; a flood of forged "ME" replies races the genuine UDP answer (192.168.5.10) back to the Recursive DNS Server.]

DNS Poison: The Catch

+---------------------------+---------------------------+
|            ID             |           flags           |
+---------------------------+---------------------------+
|    number of questions    |     number of answers     |
+---------------------------+---------------------------+
|  number of authority RRs  |number of supplementary RRs|
+---------------------------+---------------------------+
|                                                       |
\                       QUESTION                        \
|                                                       |
+-------------------------------------------------------+
|                                                       |
\                        ANSWER                         \
|                                                       |
+-------------------------------------------------------+
|                                                       |
\                Stuff etc.. No matter                  \
|                                                       |
+-------------------------------------------------------+

You must match the transaction ID (query ID) of the DNS query, which means you need to sniff the wire.

[Figure: as in DNS Poison Basic: the Client, the Recursive DNS Server and the APNIC DNS Server, with forged "ME" replies racing the genuine UDP answer.]

DNS Poison: Miscreant Workaround

If I cannot sniff the packets, but I can query the caching resolver, then I can brute force my way into a DNS poison.
Instead of waiting for someone else to query, you send your own queries into the caching forwarder.
I can then brute force the query ID.

[Figure: the Client sends its own "www.apricot.net A ?" queries into the Recursive DNS Server and floods forged "ME" replies while the Recursive DNS Server is waiting on the APNIC DNS Server.]

DNS Poison: Better Yet, DOS the Server

DOSing the authoritative DNS server(s) is one way to give the miscreant breathing room.
The DOS attack does not need to be big, just enough to clog up the DNS servers.
It might not be a flood. It could be a computational overload attack.

[Figure: as before, with a Low Level DOS aimed at the APNIC DNS Server while the forged "ME" replies race the genuine answer.]

DNS Poison: Computational Overload

A computational overload attack makes the core functions of the application work really hard.
Send queries to the DNS server where each subdomain is a name from a password cracking database.
Consequence: the DNS server is left waiting for each domain to resolve, which is really nasty if you are forcing it to do recursive lookups.

a.apricot.net A
Aapple.apricot.net A
Aadvark.apricot.net A
alvin.apricot.net A
ake.juniper.net A
A$#@.juniper.net A
affrroo.juniper.net A
(password cracking file).juniper.net A

[Figure: as before, with the APRICOT DNS Server as the authoritative server being overloaded.]

DNS Architecture Idea: Modularization & Compartmentalization

Most DNS Today

[Figure: a typical deployment: the Zone Master and Zone Slaves are the internal DNS infrastructure (only Slave servers face outward); Caching Resolvers perform external resolution. Caption: The Soft Underbelly of the Internet.]

Protecting DNS like HTTP does not work

[Figure: the same deployment with a Protective Anti-DDOS Box placed in front of the DNS servers; the box becomes a New Failure Point.]

DNS Resiliency Requires Engineering

DNS resiliency requires engineers to execute engineering.
The technology must be understood.
DNS's interdependency with all parts of the other services must be mapped out.
Architectural plans must be drawn and tested.

Some of the world's biggest companies have had complete DNS failures where the root cause was throwing DNS into a network, putting a router/load balancer/anti-DOS device in front of it, and thinking it is going to just work.

Architectural principles are the key to DNS resiliency.

Options

There are key options a provider has to rearchitect their DNS. Two key requirements are:

Investing in your own people to turn them into DNS gurus.
Join DNS-OARC (https://www.dns-oarc.net/)
Active participation in your network operations communities (RIPE and MENOG)

The kick-start options to change fast include:

Contracting with Internet Systems Consortium (http://www.isc.org/)
Outsourcing to a DNS provider (e.g. ISC)
Working with one of the two big DNS product vendors (ISC, Nominum, or Infoblox).

DNS Backscatter: Knowing when you are being Poisoned

Backscatter: ICMP Port Unreachable

[Figure: a Miscreant Driving the BOTNET runs a Controller, Poison Engine and Proxy. The botnet sends DNS queries for names in a controlled domain (Wert543.example.com, Oihwoeif.example.com, Fdvakjnfvkjndaf.example.com) to "My DNS Server" (the DNS Recursive Server, labelled Victim of Crime) and follows each with a poison attempt with an RR hint, spoofing ns.example.com, the DNS Authority for www.example.com. Forged replies that hit closed ports on My DNS Server trigger ICMP Port Unreachable messages, which go to the spoofed source, the real ns.example.com.]

ICMP Unreachable & DNS

ICMP Unreachable messages, specifically port unreachable, are not normal packets to arrive at:
DNS Masters
DNS Slaves
DNS Split-Horizon Authoritative Servers

Live observation:
Launching the attack results in packets arriving on closed ports of the recursive DNS server.
The recursive server sends ICMP Port Unreachable back to the packet's source address, which is the DNS Authority being spoofed.

ICMP Port Unreachable

This will tell you that someone somewhere is poisoning somewhere so that they can be a man in the middle between you and your customer!

How to monitor:
Classification ACLs (match ingress on ICMP port unreachable)
Netflow
IDP/IPS
Firewalls
DPI Boxes

ACLs: How?

[Figure: the backscatter diagram, with an ACL on a router matching ICMP Port Unreachable and raising an SNMP trap when it fires.]

Netflow

[Figure: the backscatter diagram, with Netflow Export from the router carrying the ICMP Port Unreachable flows to the collector.]

IDP/IPS

[Figure: the backscatter diagram, with an IDP/IPS in the path to match the ICMP Port Unreachable backscatter.]
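As an added example of the Netflow monitoring the slides list (not code from the original deck), the Python below scans constructed NetFlow v5 style records for ICMP type 3/code 3 arriving at authoritative server addresses, which never originate queries and so should never receive port-unreachable backscatter, and raises an alert once a burst from one recursive server passes a threshold. All addresses, the text flow format, the threshold and the window are constructed or assumed values.

```python
"""Spot ICMP port-unreachable backscatter landing on authoritative DNS servers."""
from collections import defaultdict

ICMP = 1
UDP = 17

# Constructed sample export, not real traffic. Fields: epoch src dst proto sport dport pkts.
# NetFlow v5 encodes the ICMP type/code in the dst-port field as type*256+code, so 771 = 3/3
# (port unreachable) and 2048 = 8/0 (echo request).
SAMPLE_FLOWS = """\
1217326500 203.0.113.7 198.51.100.53 17 41234 53 1
1217326500 198.51.100.53 203.0.113.7 17 53 41234 1
1217326501 203.0.113.7 198.51.100.53 1 0 2048 1
1217326502 203.0.113.7 198.51.100.53 1 0 771 1
1217326502 203.0.113.7 198.51.100.53 1 0 771 1
1217326503 203.0.113.7 198.51.100.53 1 0 771 1
1217326503 203.0.113.7 198.51.100.53 1 0 771 1
1217326504 203.0.113.7 198.51.100.53 1 0 771 1
1217326504 203.0.113.7 198.51.100.53 1 0 771 1
1217326505 198.51.100.9 198.51.100.53 1 0 771 1
1217326510 203.0.113.7 192.0.2.80 1 0 771 1
"""

AUTHORITATIVE = {"198.51.100.53"}  # constructed: addresses of our zone master/slaves


def parse_flow(line: str) -> dict:
    """Parse one text record; for ICMP, split the dst-port field into type and code."""
    ts, src, dst, proto, sport, dport, pkts = line.split()
    rec = {"ts": int(ts), "src": src, "dst": dst, "proto": int(proto), "pkts": int(pkts)}
    if rec["proto"] == ICMP:
        rec["icmp_type"], rec["icmp_code"] = int(dport) >> 8, int(dport) & 0xFF
    else:
        rec["sport"], rec["dport"] = int(sport), int(dport)
    return rec


def is_port_unreachable(rec: dict) -> bool:
    return rec["proto"] == ICMP and rec.get("icmp_type") == 3 and rec.get("icmp_code") == 3


def detect_backscatter(text: str, authoritative=AUTHORITATIVE, threshold: int = 5, window: int = 60) -> list:
    """One alert per (sender, authoritative target) pair that received at least `threshold`
    port-unreachable packets within `window` seconds. The sender is the recursive server whose
    closed ports the forged replies hit; it is a victim too, not the attacker."""
    hits = defaultdict(list)
    for line in text.strip().splitlines():
        rec = parse_flow(line)
        if rec["dst"] in authoritative and is_port_unreachable(rec):
            hits[(rec["src"], rec["dst"])].extend([rec["ts"]] * rec["pkts"])
    alerts = []
    for (src, dst), stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts.append({"recursive_server": src, "spoofed_authority": dst,
                               "count": len(stamps), "first": stamps[0], "last": stamps[-1]})
                break
    return alerts
```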

DNS Security (DRAFT)


Barry Raveendran Greene
bgreene@senki.org
Version 0.7

Attack Vector #1

Big Money Company's DNS server gets poisoned.
www.example.com is victimized.
Everyone going to the bad guys' server is victimized.

[Figure: Bad Guys Server; Big Money Company (www.example.com) with its DNS poisoned; Company Users; Home Users behind the SP's DNS.]

Attack Vector #2

The DNS server gets poisoned.
Big Money Company is victimized.
Everyone going to the bad guys' server is victimized.

[Figure: Bad Guys Server; Big Money Company (www.example.com); Company Users; Home Users and the SP's DNS; DNS Poison.]

Chain of Victimization

[Figure: Bad Guys Server; Users (Target); Recursive DNS Resolver, run by the Operator (Means to a Target, and the Focus of the Industry); www.example.com, the Domain Owner (Target).]

Threat to any domain on the Internet!

[Figure: Bad Guys Server; Users (Target); Recursive DNS Resolver, run by the Operator (Means to a Target); www.example.com, the Domain Owner (Target).]

These two attack vectors are just the start

Now that DNS poison is easier, more attack vectors will be discovered.
This is a threat to the trust model(s) of the Internet.

Solution? DNSSEC!

DNSSEC = DNS SECurity Extensions
Adds a cryptographic signature to a DNS response.
This signature can be validated from the root downward by a validating resolver.
Be warned, the responses WILL be bigger.
Update firewalls to accept larger than 512 byte DNS responses and UDP fragments.

Most open source (BIND/Unbound/NSD) and commercial products (Nominum, Infoblox) support DNSSEC (records and validation).



Most DNS Today

[Figure: the same typical deployment (Zone Master and Zone Slaves as internal DNS infrastructure, only Slave servers outward-facing, Caching Resolvers doing external resolution). Caption: The Soft Underbelly to IP NGN.]

Robust IPNGN DNS Topology

[Figure: tiered topology. Internet Accessible: External Resolvers (eRs) and Zone Slaves (only Slave servers). Internal DNS Infrastructure Only: Zone Master. Internally Access Only: Aggregate Caching Forwarders (ACFs), Internal Resolvers (iRs) (optional), Caching Forwarders (CFs) and Resolvers.]

Outbound Recursion/Resolution

[Figure: the outbound resolution path through the tiers: Resolvers, Caching Forwarders (CFs), Aggregate Caching Forwarders (ACFs), Internal Resolvers (iRs) and External Resolvers (eRs), beside the Zone Master and Zone Slaves.]

CERT/CC VU#800113: Multiple DNS Implementations Vulnerable to Cache Poisoning, Detailed Analysis

CERT/CC Overview

The Domain Name System (DNS) is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of Internet-connected systems.
DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver.
The general concept has been known for some time, and a number of inherent deficiencies in the DNS protocol and defects in common DNS implementations that facilitate DNS cache poisoning have previously been identified and described in public literature.

Issue #1: Insufficient transaction ID space

The DNS protocol specification includes a transaction ID field of 16 bits. If correctly implemented and randomly selected with a strong random number generator, an attacker will require, on average, 32768 attempts to successfully predict the ID.
Some flawed implementations may be utilizing a smaller number of bits for this transaction ID, meaning that fewer attempts will suffice.
Furthermore, implementation errors in the randomness of transaction IDs generated by a number of implementations have been identified. Amit Klein researched several such affected implementations in 2007.
These vulnerabilities were published as:
VU#484649 Microsoft Windows DNS Server vulnerable to cache poisoning
VU#252735 ISC BIND generates cryptographically weak DNS query IDs
VU#927905 BIND version 8 generates cryptographically weak DNS query identifiers

Issue #2: 'Birthday Attack'

Multiple outstanding requests: Some implementations of DNS services contain a vulnerability whereby multiple identical queries for the same resource record (RR) will generate multiple outstanding queries for that RR.
This condition leads to the feasibility of a 'Birthday Attack', significantly raising the chance of success for an attacker.
This problem was previously described in VU#457875. A number of vendors and implementations have already added mitigations to address this issue.

Issue #3: Fixed Source Port for Generating Queries

Some current implementations allocate an arbitrary port at startup (sometimes selected at random) and reuse this source port for all outgoing queries.
In some implementations, the source port for outgoing queries is fixed at the traditional assigned DNS server port number, 53/udp.

Add them together

Recent additional research into these issues and methods of combining them to conduct improved cache poisoning attacks has yielded extremely effective exploitation techniques.
Caching DNS resolvers are primarily at risk, both those that are open (a DNS resolver is open if it provides recursive name resolution for clients outside of its administrative domain) and those that are not.
These caching resolvers are the most common target for attackers; however, stub resolvers are also at risk.

Per-query source port randomization

Because attacks against these vulnerabilities all revolve around the ability for the attacker to predictably spoof traffic, the implementation of per-query source port randomization in the server presents a practical mitigation against these attacks within the boundaries of the current protocol specification.

Added Resiliency: Not the Final Solution

The use of randomized source ports can be used to gain an additional approximately 16 bits of randomness in the data that an attacker must guess. In practice, implementers will be restricted to less than 65535 in the actual number of source ports they can allocate (port numbers <1024 may be reserved, other ports may already be allocated, etc.); however, a significant amount of additional attack resiliency can be achieved. It is important to note that in the absence of changes to the DNS protocol, these mitigations are insufficient to completely prevent cache poisoning. However, if properly implemented, they reduce the chances of success for an attacker by several orders of magnitude and make attacks impractical.
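Putting Issues #1-#3 and the two port-randomization slides into numbers, an added Python example (not part of the CERT note or of this deck): guess_space is the (ID, port) space a forged reply must hit, expected_attempts reproduces the 32768-attempt average, and p_hit gives the exact probability of a hit when a resolver keeps several identical queries outstanding (the birthday effect). The 64512 usable ports and the 200-query/200-guess figures in scenarios are assumed values, not from the page.

```python
"""How much a forger must guess: transaction ID alone vs ID plus a randomized source port,
with the 'birthday' effect of multiple outstanding identical queries."""
import math


def guess_space(id_bits: int = 16, usable_ports: int = 1) -> int:
    """Number of distinct (transaction ID, source port) pairs a forged reply must match.
    usable_ports=1 models Issue #3 (one fixed port); 64512 models ports 1024-65535."""
    return (1 << id_bits) * usable_ports


def expected_attempts(space: int, outstanding: int = 1) -> float:
    """Mean number of distinct guesses until the first one hits one of `outstanding` live queries
    (expected position of the first of k marked items among N is (N+1)/(k+1))."""
    return (space + 1) / (outstanding + 1)


def p_hit(space: int, outstanding: int, forged: int) -> float:
    """Exact probability that at least one of `forged` distinct guesses matches one of
    `outstanding` distinct in-flight queries drawn from `space`. Issue #2: a resolver that keeps
    `outstanding` identical queries open hands the forger that many targets at once."""
    if outstanding <= 0 or forged <= 0:
        return 0.0
    if forged > space - outstanding:
        return 1.0  # more guesses than non-target values: a hit is certain
    log_miss = 0.0  # log of P(every guess misses), guesses drawn without replacement
    for i in range(forged):
        log_miss += math.log1p(-outstanding / (space - i))
    return 1.0 - math.exp(log_miss)


def scenarios(outstanding: int = 200, forged: int = 200) -> dict:
    """Side-by-side numbers for a fixed source port and for per-query port randomization."""
    fixed = guess_space(16, 1)
    randomized = guess_space(16, 65536 - 1024)  # assumed: ports 1024-65535 usable
    return {
        "issue1_fixed_port_avg_attempts": expected_attempts(fixed, 1),
        "issue2_birthday_p_hit": p_hit(fixed, outstanding, forged),
        "randomized_ports_avg_attempts": expected_attempts(randomized, 1),
        "randomized_ports_birthday_p_hit": p_hit(randomized, outstanding, forged),
    }
```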

Restrict Access to Recursion

Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion. Note that restricting access will still allow attackers with access to authorized hosts to exploit this vulnerability.

Filter Traffic at Network Perimeters

Because the ability to spoof IP addresses is necessary to conduct these attacks, administrators should filter spoofed addresses at the network perimeter. IETF Request for Comments (RFC) documents RFC 2827, RFC 3704, and RFC 3013 describe best current practices (BCPs) for implementing this defense. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

Run a Local DNS Cache

In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems, in conjunction with the network segmentation and filtering strategies mentioned above.

Disable Recursion

Disable recursion on any nameserver responding to DNS requests made by untrusted systems. Securing an Internet Name Server contains instructions for disabling recursion in ISC BIND.
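As an added illustration of the "who do you allow zone transfers to", "restrict access to recursion" and "disable recursion" points (not from the deck or from ISC's documentation), three separate BIND 9 named.conf fragments: the weak open configuration beside a hardened authoritative-only master and a hardened recursive caching server. Addresses, ACL names and the key are constructed placeholders.

```conf
// Fragment 1 (weak): an "open" server that recurses for anyone and hands the zone to anyone.
options {
    recursion yes;
    allow-query { any; };
    allow-transfer { any; };
};

// Fragment 2 (hardened authoritative master/slave): no recursion, zone transfers only to
// secondaries that sign their AXFR/IXFR request with a TSIG key.
key "xfer-key" {                       // constructed name; share the secret out of band
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};
options {
    recursion no;                      // authoritative-only: there is no cache to poison
    allow-query { any; };              // the zone itself is public data
    allow-transfer { key "xfer-key"; };
    minimal-responses yes;
};

// Fragment 3 (hardened recursive caching server): recursion and cache reads only for our own
// clients, per-query ephemeral source ports, and no transfers of anything.
acl "trusted-clients" { 192.0.2.0/24; 2001:db8::/32; };   // constructed customer ranges
options {
    recursion yes;
    allow-recursion { trusted-clients; };
    allow-query-cache { trusted-clients; };
    allow-transfer { none; };
    use-v4-udp-ports { range 1024 65535; };   // never pin query-source to one port (Issue #3)
};

// On each slave, sign requests to the master with the same key (198.51.100.1 is constructed):
// server 198.51.100.1 { keys { "xfer-key"; }; };
```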

Two DNS Checkers available

Dan Kaminsky's tool: http://www.doxpara.com/
OARC's tool (https://www.dns-oarc.net/):

Use a DNS query tool such as dig to ask for the TXT record of porttest.dns-oarc.net:
$ dig +short porttest.dns-oarc.net TXT

You should get back an answer that looks like this:

z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"169.254.0.1 is FAIR: 26 queries in 0.1 seconds from 25 ports with std dev 3843.00"

Your resolver's randomness will be rated either GOOD, FAIR, or POOR, based on the standard deviation of observed source ports. In order to receive a GOOD rating, the standard deviation must be at least 10,000. For FAIR it must be at least 3,000. Anything less is POOR. The best standard deviation you can expect to see from 26 queries is in the 18,000-20,000 range.
DNS records used in this test are given 60 second TTLs. To repeat the test you should wait at least 60 seconds.
Note that you can tell dig to test a specific resolver with an @-argument:
$ dig @4.2.2.3 +short porttest.dns-oarc.net TXT

How the Cyber-Criminal Might Use this Vulnerability: DNS Poison, The BOT Version

My Tool Kit

[Figure: the BOT Herder's tool kit: SPAM BOTNET, Drive-By, Secondary Malware, Controller, Poison Engine, Proxy, Packer and Malware, aimed at the DNS Recursive Server and the Victim of Crime.]

Prepare Drive-by

[Figure: tool kit diagram; the BOT Herder sends malware to the Drive-By site and loads the malware there.]

Send SPAM to get People To Click

[Figure: the SPAM BOTNET sends SPAM ("Click on me now") to the Victim of Crime.]

Drive By Violation

[Figure: the victim clicks ("Click on me now") and is compromised by the Drive-By.]

Poison Checker

[Figure: the victim is redirected to a new domain; the BOT Herder uses published DNS check tools to test whether the victim's DNS Recursive Server is a poison candidate.]

Prepare Violated Computer

[Figure: the violated computer calls the Secondary Malware site and loads the secondary package; the Controller tells the malware downloader to push the poison tool.]

Poison Test #2

[Figure: the bot sends DNS queries to the controlled domain; the Poison Engine follows with a poison attempt with an RR hint against the DNS Recursive Server.]

Poison Test #2 - Validation

[Figure: the malware tests whether the poison with the new NS is working, by resolving through the DNS Recursive Server against the Poison Tester NS.]

Poison Victory!

The BOT Herder now has an asset which can be cultivated and sold.
The BOT Herder can sell the BOT for some good money.
Why?

Using the Poison - WWW

[Figure: the poisoning step: the BOTNET sends DNS queries for names in the controlled domain (Wert543.example.com, Oihwoeif.example.com, Fdvakjnfvkjndaf.example.com) to My DNS Server (the DNS Recursive Server), followed by poison attempts with RR hints spoofing ns.example.com, the DNS Authority for www.example.com. The Miscreant Driving the BOTNET runs the Controller, Poison Engine and Proxy. Caption: Victim of Crime.]

Using the Poison - WWW

[Figure: a victim asks My DNS Server "Where is www.example.com?" and is answered from the poisoned cache instead of from ns.example.com. Miscreant: "Yea! I've got control of their view!" Caption: Victims of Crime.]

Using the Poison - WWW Proxy

[Figure: the same, with the victims' www.example.com sessions relayed through the miscreant's Proxy. Miscreant: "Yea! Copy what I want, like CREDIT CARDs and PASSWORDs!"]

Using the Poison - E-mail

[Figure: the victim's mail client says "I need to e-mail smtp.example.com" and is directed to the miscreant's host instead of the real smtp.example.com. Miscreant: "Yea! I've got copies!"]

Using the Poison - Routers

[Figure: the NOC Team says "I need to telnet to my router ams-23pos23.example.com" and My DNS Server hands back the poisoned answer. Miscreant: "Yea! I've got router passwords!"]

Using the Poison - Routers

[Figure: Router Services say "I need to send a SNMP Trap to my Network Management Tool at my smtp-noc server1.example.com"; the poisoned answer delivers the trap to the miscreant. Miscreant: "Yea! I've got SNMP details!"]

How the Cyber-Criminal Might Use this Vulnerability: DNS Poison, Drive By

DNS Poison: The Drive-By Version

You do not need malware/BOTs to activate this attack vector.
All you need to do is to drive the resolver to a new domain and force a DNS query that you know.
You then trigger a poison.
Can you say HTTP Redirect?

My Tool Kit

[Figure: the drive-by tool kit: SPAM BOTNET, Drive-By site, Poison Engine and Proxy, run by the Miscreant Driving the Poison Attack, aimed at the DNS Recursive Server and the Victim of Crime.]

Send SPAM to get People To Click

[Figure: the SPAM BOTNET sends SPAM ("Click on me now") to the Victim of Crime.]

Drive By Violation

[Figure: the victim clicks ("Click on me now") and lands on the Drive-By site.]

Poison Checker

[Figure: the Drive-By site redirects the victim to a domain the miscreant controls; published DNS check tools test whether the victim's DNS Recursive Server is a poison candidate. Caption: "A potentially poisonable recursive server. Trigger the Poison Attack."]

Poison via Redirect

[Figure: the Drive-By site redirects the victim to erowij.example.com, then 49u0vfv.example.com, then 943ofvoiv.example.com, with a test after each; every redirect makes the DNS Recursive Server query ns.example.com (the DNS Authority for www.example.com) for a name the miscreant chose, and the Poison Engine follows with a poison attempt with an RR hint.]

Poison via Redirect Testing

[Figure: testing after each redirect tells you when you have succeeded; once the poisoned server goes to the Poison Tester NS, you can stop.]

Spotting when someone is trying to Poison Your DNS Identity

Backscatter: ICMP Port Unreachable

[Figure: the backscatter diagram: botnet queries for names in the controlled domain (Wert543.example.com, Oihwoeif.example.com, Fdvakjnfvkjndaf.example.com) to My DNS Server, poison attempts with RR hints spoofing ns.example.com, and ICMP Port Unreachable from My DNS Server back to the real ns.example.com (the DNS Authority for www.example.com).]


ICMP Port Unreachable

This will tell you that someone somewhere is poisoning somewhere so that they can be a man in the middle between you and your customer!

How to monitor:
Classification ACLs (match ingress on ICMP port unreachable)
Netflow
IDP
NetScreen (any matches on ICMP Unreachable)

DNS Anycast and Security

DNS & Anycast

Problem #1: How to manage the load on those two DNS entries in the customers' TCP/IP stacks?
Problem #2: How to manage saturation attacks targeted at your DNS infrastructure?
Answer: Anycast the DNS caching servers.

Anycast DNS Caches

[Figure: SAFE architecture: Peer A at IXP-W and Peer B at IXP-E, Upstream A and Upstream B, a Sink Hole Network, Primary DNS Servers, and a DNS Secondary Server Cluster plus a DNS Caching Server Cluster at each POP; the Customer network 171.68.19.0/24 hangs off the POP at 171.68.19.1.]

[Figure: the same topology; the customer's DNS is forwarded to the closest Caching Cluster.]

DNS Anycast: What is needed?

Two IP addresses to be used for the DNS caching clusters.
A router to perform the load balancing and advertise the two IP addresses.

Agenda

DNS Server Roles
DNS Server Communications
DNS Architecture Layout
Types of Attacks
Protecting the DNS
Monitoring and Forensics
Summary
