DNS Security Issues SeongHo Cho DPNM Lab., POSTECH

Slides:



Advertisements
Similar presentations
Security Issues In Mobile IP
Advertisements

Review iClickers. Ch 1: The Importance of DNS Security.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
DNS: Revising the Current Protocol Matt Gustafson Matt Weaver CS522 Computer Communications University of Colorado, Colorado Springs.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
SSH Secure Login Connections over the Internet
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Got DNS? A review of Domain Name Services and how it impacts website developers. By Jason Baker Digital North.
IIT Indore © Neminath Hubballi
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
1 Application Layer Lecture 6 Imran Ahmed University of Management & Technology.
Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Spoofing The False Digital Identity. What is Spoofing?  Spoofing is the action of making something look like something that it is not in order to gain.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED SYSTEMS.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
Comparison of Network Attacks COSC 356 Kyler Rhoades.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.
Presentation on ip spoofing BY
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
THE DNS (DOMAIN NAME SYSTEM). Before the DNS, all computers connected to the internet through ARPANET (the worlds first operational packet switching network).
Agenda Spoofing Types of Spoofing o IP Spoofing o URL spoofing o Referrer spoofing o Caller ID spoofing o Address Spoofing.
Introduction to Information Security
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Security Issues with Domain Name Systems
DNS Security Advanced Network Security Peter Reiher August, 2014
Error and Control Messages in the Internet Protocol
DNS Session 5 Additional Topics
Unit 5: Providing Network Services
DNS Cache Poisoning Attack
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNSSEC Iván González Montemayor A
DNS security.
Chapter 19 Domain Name System (DNS)
CS4622: Computer Networking
Network Security: IP Spoofing and Firewall
Message Digest Cryptographic checksum One-way function Relevance
A New Approach to DNS Security (DNSSEC)
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
NET 536 Network Security Lecture 8: DNS Security
NET 536 Network Security Lecture 6: DNS Security
Outline Using cryptography in networks IPSec SSL and TLS.
DNS: Domain Name System
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
COMPUTER NETWORKS PRESENTATION
(DNS – Domain Name System)
Unit 32 Every class minute counts! 2 assignments 3 tasks/assignment
Computer Networks Presentation
Computer Networks ARP and RARP
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Domain Name Server Presented By: Mahesh Venkat Adusumelli
Presentation transcript:

DNS Security Issues SeongHo Cho DPNM Lab., POSTECH nology@postech.ac.kr 2008.5.27 Future Internet

Contents Introduction Overview of the DNS Protocol Attacks DNS cache poisoning DNS spoofing Related data attack Unrelated data attack DNS ID hacking Server Attacks DNSSEC Relevance and How to Protect? Conclusion

Introduction The accuracy of the information contained within the DNS is vital to many aspects of IP based communications. The Threats are due in part of the lack of authenticity and integrity checking of the data Two ways DNS can be hacked: By using protocol attacks (attacks based on how DNS is actually working) By using server attacks (attacks based on the bugs or flaws of the programs or machines running DNS services)

Overview of the DNS Translating a host’s name into its IP address Internet is an IP network. Every host is affected an IP address that must be known to any other host willing to communicate. It would be impossible for a human being to remember all the IP addresses. It would be possible to create mapping between IP addresses and names.

Overview of the DNS DNS provides a way to know the IP address of any host DNS is a hierarchical service. Indeed a name has a structure. A host is a leaf on the tree. Any other node is called a “domain”. Servers are called “authoritative” for a domain when they can map the IP addresses with the host names of all the hosts in the domain. Servers are responsible for finding any name-ip mapping.

Overview of the DNS Recursive Query Iterative Query A host wants the answer or an error message. The queried host must do whatever it takes to find the answer: query other servers until it gets the information, or until the name query fails. Iterative Query A host asks the server for an answer if the server knows it. If it dose not, then the host will receive a “referral” Recursive queries are usually made by client host so that they don’t have to take care of the whole search process, whereas local DNS servers usually make iterative requests.

Protocol Attacks Client Misdirection Making a client host go where he was not willing to. Is the basic purpose of DNS hacking in general.

1. DNS Cache Poisoning An attack considering of making a DNS server cache false information Usually, a wrong record will map a name to a wrong IP address. A hacker will try to make a DNS answer something he wants for a specific request.

2. DNS Spoofing The action of answering a DNS request that was intended for another server (a “real” DNS server). This can be in a server-server exchange (a DNS server asks another for a mapping) This can be in a client-server dialog (when a client asks a DNS server for a mapping) The hacker “spoofs” the DNS server’s answer by answering with the DNS server’s IP address in the packet’s source-address field. But this is not enough to spoof a DNS reply. DNS uses ID number to identify queries and answer. The hacker needs to find the ID the client is waiting for. The hacker will try to impersonate the DNS reply so that the requesting client is misdirected.

3. Unrelated Data Attack The simplest and the most widely used 1. The hacker asks the victim DNS for a nonexistent name mapping in a domain for which he controls the DNS. The hacker uses a “recursive” query so that the remote DNS server will make further inquiries by itself. 2. The remote DNS, which is not aware of such mapping, will go and ask the DNS server responsible for the required domain. (Remember this server is under the control of the hacker.) 3. The hacker will answer, and add in the answer anything he wants to be cached in the victim DNS’ cache. That way, he will have poisoned the cache of the remote DNS server. This problem has been fixed in BIND, by forbidding anything that is not related to the original request to be cached.

3. Unrelated Data Attack The simplest and the most widely used

4. Related Data Attack Hacker has to make the “extra” information related to the original query. The attack is exactly the same as an “unrelated data attack” By adding MX, CNAME or NS records, which point to unrelated data. These three records are not a real “mapping” between IP address and a hostname. They point to some other useful information The information in these records is “related” to the original request, but they can point to totally different information the hacker wants to be cached. This problem has also been fixed in BIND, by rejecting all the “out of zone” information. These attacks are quite old and won’t work anymore on BIND. DNS spoofing, via the DNS ID hacking technique.

5. DNS ID Hacking Normal Dialog The client will send a query to the DNS server using a specific ID number. The server will reply using the same ID number. This is the number the hacker to find.

5. DNS ID Hacking On a LAN Not on the same LAN Getting the ID is pretty easy All the hacker has to do is sniff the network for the initial query and answer quicker than the DNS The late reply from the real DNS server will be discarded. Not on the same LAN The hacker has four options to try to guess the ID. 1. Test all the possible values of the ID flag (or as many random values as you can before NS replies)  Quite an obsolete method and useless 2. Flood the DNS server to buy some more time for trying different ID numbers.  The hacker can even hope it will crash the server 3. Send a few hundred replies at the same time to increase his chances to find the good ID.  The hacker can do several times one after the other with different ranges until the server replies

5. DNS ID Hacking Not on the same LAN The hacker has four options to try to guess the ID. 4. Use a vulnerability in the server, knowing that some of them just increase the ID number from one request to another.  The hacker knows the range of IDs currently used by the victim server. All he has to do now is to make a request to the host name he wants to poison the cache of our victim with, and fake the answer using an increased value of the stolen ID

Server Attacks Two kinds of attacks cam aim at the server Attacks taking advantage of bugs in DNS Software implementation (buffer overflows in BIND for instance) or in any other running service on the DNS server machine. Attack by Denial of Service (using flooding for instance). The advice is to update as often as possible and to be aware of any newly discovered bug. Many sites (like www.securityfocus.com or www.cert.com) will catalog all the existing bugs, exploits and fixes. some are even specialized on BIND.

DNSSEC In 1994, the IETF formed a working group to provide security extensions to the DNS protocol. These extensions are commonly referred to as DNSSEC extensions. These extensions are designed to be interoperable with non-security aware implementations of DNS. The WG defined a new set of RRs to hold the security information that provides strong security to DNS zones. DNSSEC must provide backwards compatibly and must have the ability to co-exist with non-secure DNS implementations. DNS Objectives The objectives of DNSSEC are to provide authentication and integrity to the DNS. Authentication and integrity of information held within DNS zones is provided through the use of cryptographic signatures generated through the use of public key technology.

DNSSEC DNSSEC scope Key Distribution The public key distribution service supports several different types of keys and several different types of key algorithms. Data Origin Authentication DNSSEC makes use of digital signature technology to sign DNS RRSet. The digital signature contains the encrypted hash of the RRSet. The hash is a cryptographic checksum of the data contained in the RRSet. The hash is signed using a private key usually belonging to the originator of the information. DNS Transaction and Request Authentication DNS transaction and request authentication provides the ability to authenticate DNS requests and DNS message headers.

Relevance and How to protect? Most of those issues have been addressed with patches. But according to menandmice.com, the threat is still real DNSSEC is a proposition for secure DNS transactions RFC 2535: http://www.ietf.org/rfc/rfc2535.txt This appears to be a very good solution, which solves most of the protocol problems. However, due to backward compatibility reasons, this will not be implemented for quite some time. current network administrators should think about other ways of securing their network against those threats.

Relevance and How to protect? A good idea of DNS architecture is “Split DNS architecture”. The principle is as follows: “splitting” the DNS system in two parts, one will be responsible for advertising the name-to-address mappings we are authoritative for, and the other is there to resolve the requests coming from the internal or, more generally, the “trusted” hosts. if the external DNS is hacked, at least it won’t affect the service provided to the internal hosts.

Conclusion The original DNS protocol specifications did not include security. Without security, the DNS is vulnerable to attacks. The IETF added security extensions to the DNS, known as DNSSEC. DNSSEC provides authentication and integrity to the DNS. Hardening DNS by detecting and protecting against potential attacks rather than preventing attacks through cryptographic means

Questions ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.