Network Attack via DNS. Course package (Fagpakke): IT Security. Module: Introduction to IT Security. 17-02-2012. Jesper Buus Nielsen.


Internet Protocol Stack (figure from Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved), layers from top to bottom: Applications, DNS, TCP, IP, Link

IP
Machines have an IP address
Machines have a number of ports (2^16)
Individual packets can be sent to a port on an address
Ex.: the client can send a packet to port 4 on the server's address (Client -> Server)

TCP/IP
Machines have an IP address
Machines have a number of ports (2^16)
Connections can be established between two (address, port) pairs
Ex.: the client can establish a connection to port 4 on the server's address; typically the client gets a random free local port, here 2 (Client -> Server)

Domain Name System (DNS) (Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved)
How to map a DNS name to an IP address on the Internet?
–"Back in the days": a HOSTS.TXT file FTP'ed among hosts
Now a distributed name service
–Hierarchical name space
–Each level separated by '.', analogous to the '/' separator in file systems
–One global root, replicated across 13 root servers
 There have been Denial of Service (DoS) attacks on these root servers, none really successful
 Because of caching, queries to the root servers are relatively rare
DNS is the true backbone of the Internet

DNS is simple but powerful
Three major components
–Domain Name Space and Resource Records: the specification of a tree-structured name space and of the small databases associated with its nodes (both internal nodes and leaf nodes)
–Name Servers: servers which hold the databases associated with some nodes, plus references to other name servers
–Resolvers: client programs that extract information from name servers
A name server can itself act as a resolver; this is what happens in a so-called recursive lookup
(Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved)

Resource Records (1/3)
Each name server holds a set of resource records which, for each path (name), specify e.g. which name server is responsible for the path and what the address of the machine at the path is
path        type  data
cs.au.dk.   MX    mx.nfit.au.dk
means that mx.nfit.au.dk is the mail server for the domain cs.au.dk

Resource Records (2/3) (Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved)
path  type  data
Some types of records
–NS: name server for the path
–A: IPv4 address for the path, if any (not all partial paths, like dk, correspond to machines)
–MX: name of the mail server for the path, if any (Mail eXchange)
–AAAA: IPv6 address for the path, if any

Resource Records (3/3) (Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved)
Examples of resource records (the addresses in the A records are omitted):
path           type  data
dk.            NS    a.nic.dk.
a.nic.dk.      A
au.dk.         NS    ns.au.dk
ns.au.dk       A
cs.au.dk       A
cs.au.dk       A
cs.au.dk       MX    mx.nfit.au.dk.
mx.nfit.au.dk  A

Glue (Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved)
If a name server holds a record like
path    type  data
au.dk.  NS    ns.au.dk
then it also holds a record like
path      type  data
ns.au.dk  A     (address of ns.au.dk)
and it sends it along with the NS record, so the resolver does not first have to look up the address of ns.au.dk (which it could only do by asking ns.au.dk itself)

DiG
Let us ask the name server for "dk." (a.nic.dk) what the name server for "au.dk." is, i.e. a dig query to a.nic.dk for the NS record of au.dk.

Implementation of Name Resolution (Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved)
Figure: The principle of iterative name resolution.

Looking up cs.au.dk (iterative resolution, walking down the name tree)
Name tree in the figure: root with children dk, com, org; dk with children au, aau; au with children cs, science
1. Path name resolved: <>. Name server: a.root-servers.net. Knows: "dk." NS
2. Path name resolved: <dk>. Name server: a.nic.dk. Knows: "au.dk." NS
3. Path name resolved: <dk, au>. Name server: ns.au.dk. Knows: "cs.au.dk." A
4. Path name resolved: <dk, au, cs>. DNS name: cs.au.dk. IP: the address from the A record

Caching
DNS resolvers are allowed to cache entries
–This speeds up lookups immensely
The name server sending an entry tells the resolver (via the entry's TTL) how long it is safe to cache it

Cache Poisoning
There is a very serious attack on the DNS system called cache poisoning
The hacker's goal is to make a resolver, preferably one serving a lot of clients, believe that the name server for, e.g., handelsbanken.dk is at an IP address owned by the hacker

Attacking via DNS (sequence shown in the figure)
Parties: the provider's name resolver, the hacker in kûrruptyztan, the root name server, the dk. name server, the handelsbanken.dk. name server, and a Handelsbanken customer using the provider
1. Resolver -> root name server: handelsbanken.dk?  Reply: NS dk = (address of the dk. name server)
2. Resolver -> dk. name server: handelsbanken.dk?  Genuine reply: NS handelsbanken.dk = (address of the handelsbanken.dk. name server)
3. Hacker -> resolver: a forged reply, NS handelsbanken.dk = (the hacker's address), which the resolver accepts and caches for a long time!
4. Handelsbanken customer -> resolver: handelsbanken.dk?  The resolver follows the cached NS handelsbanken.dk = (hacker's address) and asks the hacker's machine: handelsbanken.dk?  Reply: A handelsbanken.dk = (hacker's address), which is handed to the customer
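The following toy model is an added example, not code from the lecture. It ties together the iterative walk down the tree (root -> dk. -> au.dk.), glue records, TTL caching and the poisoning sequence above: a weak resolver with a predictable transaction ID and a fixed source port accepts the hacker's forged "NS handelsbanken.dk" reply and thereafter sends every customer to the hacker's machine, while a hardened resolver (random 16-bit ID and random source port, plus a bailiwick check that drops records the queried server is not responsible for) does not. The zone names follow the slides; every IP address is a made-up RFC 5737 documentation address, the hacker's server name ns.kurruptyztan.example. is invented, and TTL expiry is not simulated.

```python
"""Toy model of iterative DNS resolution, glue, caching and the cache-poisoning attack in the slides.
Added example, not code from the original lecture. Zone names follow the slides; all IP addresses are
made-up RFC 5737 documentation addresses, the hacker's server name is invented, TTL expiry not modelled."""
import random

ROOT_IP, DK_IP, AU_IP, HB_IP = "198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"
EVIL_IP = "192.0.2.66"                                  # the hacker's machine in "kûrruptyztan"

class NameServer:
    """Authoritative server: answers for its own zone, otherwise refers downward (NS plus glue)."""
    def __init__(self, ip, zone, rrs):
        self.ip, self.zone, self.rrs = ip, zone, rrs    # rrs: list of (owner, type, data, ttl)
    def query(self, qname, qtype):
        answer = [r for r in self.rrs if r[0] == qname and r[1] == qtype]
        if answer:
            return answer, [], []
        labels = qname.split(".")                       # "cs.au.dk." -> cs, au, dk, ""
        for i in range(len(labels) - 1):                # closest enclosing delegation first
            child = ".".join(labels[i:])
            ns = [r for r in self.rrs if r[0] == child and r[1] == "NS"]
            if ns and child != self.zone:
                glue = [r for r in self.rrs if r[1] == "A" and r[0] in {n[2] for n in ns}]
                return [], ns, glue                     # referral: NS records plus their glue A records
        return [], [], []

NETWORK = {s.ip: s for s in [   # constructed zone data; the hacker's server answers with its own address
    NameServer(ROOT_IP, ".", [("dk.", "NS", "a.nic.dk.", 172800), ("a.nic.dk.", "A", DK_IP, 172800)]),
    NameServer(DK_IP, "dk.", [("au.dk.", "NS", "ns.au.dk.", 86400), ("ns.au.dk.", "A", AU_IP, 86400),
                              ("handelsbanken.dk.", "NS", "ns.handelsbanken.dk.", 86400),
                              ("ns.handelsbanken.dk.", "A", HB_IP, 86400)]),
    NameServer(AU_IP, "au.dk.", [("cs.au.dk.", "A", "203.0.113.10", 3600),
                                 ("cs.au.dk.", "MX", "mx.nfit.au.dk.", 3600)]),
    NameServer(HB_IP, "handelsbanken.dk.", [("handelsbanken.dk.", "A", "203.0.113.20", 3600)]),
    NameServer(EVIL_IP, "handelsbanken.dk.", [("handelsbanken.dk.", "A", EVIL_IP, 3600)]),
]}

def in_bailiwick(owner, zone):
    # True if owner lies at or below zone, i.e. the server we asked may legitimately speak for it.
    return zone == "." or owner == zone or owner.endswith("." + zone)

class Resolver:
    """Caching iterative resolver. hardened=False has the weaknesses the slide's attack relies on."""
    def __init__(self, hardened):
        self.hardened, self.cache, self.pending, self.txid = hardened, {}, None, 0

    def send(self, server_ip, zone, qname, qtype, attacker=None):
        rng = random.SystemRandom()                     # weak: sequential ID + fixed port; hardened: random
        self.txid = rng.randrange(65536) if self.hardened else (self.txid + 1) & 0xFFFF
        port = rng.randrange(1024, 65536) if self.hardened else 1053
        self.pending = (self.txid, port, server_ip, zone, qname)
        if attacker:                                    # the forged reply races the genuine one
            attacker(self, server_ip, qname)
        ans, auth, add = NETWORK[server_ip].query(qname, qtype)
        self.receive(dict(txid=self.txid, port=port, src=server_ip, qname=qname, rrs=ans + auth + add))

    def receive(self, resp):
        if self.pending is None:
            return False                                # first accepted reply wins; later ones are dropped
        txid, port, server_ip, zone, qname = self.pending
        if (resp["txid"], resp["port"], resp["src"], resp["qname"]) != (txid, port, server_ip, qname):
            return False                                # not a reply to our outstanding query
        for owner, rtype, data, ttl in resp["rrs"]:
            if self.hardened and not in_bailiwick(owner, zone):
                continue                                # bailiwick check: this server may not speak for owner
            self.cache[(owner, rtype)] = (data, ttl)    # cached for ttl seconds, as the sender requests
        self.pending = None
        return True

    def next_delegation(self, qname, zone):
        labels = qname.split(".")                       # longest suffix strictly below zone with a cached NS
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if len(cand) > len(zone) and (cand, "NS") in self.cache:
                return cand
        return None

    def resolve(self, qname, qtype="A", attacker=None):
        """Walk root -> TLD -> zone as in the slides, following cached NS records and their glue."""
        server_ip, zone = ROOT_IP, "."
        for _ in range(8):                              # bounded walk down the tree
            if (qname, qtype) in self.cache:
                return self.cache[(qname, qtype)][0]    # cache hit (true for every later customer query)
            self.send(server_ip, zone, qname, qtype, attacker)
            child = self.next_delegation(qname, zone)
            glue = child and self.cache.get((self.cache[(child, "NS")][0], "A"))
            if not glue:
                break                                   # no referral, or no glue for the referred server
            server_ip, zone = glue[0], child
        return self.cache.get((qname, qtype), (None,))[0]

def spoof(resolver, server_ip, qname, hacker_ip=EVIL_IP):
    """Hacker in kûrruptyztan: forge the dk. server's reply to "handelsbanken.dk?" with a bogus NS record."""
    if server_ip != DK_IP or qname != "handelsbanken.dk.":
        return False
    forged = [("handelsbanken.dk.", "NS", "ns.kurruptyztan.example.", 999999),   # "cache for a long time!"
              ("ns.kurruptyztan.example.", "A", hacker_ip, 999999)]
    for guess in range(1, 65):                          # a burst of guesses at a predictable ID and port
        if resolver.receive(dict(txid=guess, port=1053, src=server_ip, qname=qname, rrs=forged)):
            return True
    return False
```

Resolver(hardened=False).resolve("handelsbanken.dk.", attacker=spoof) returns the hacker's address and leaves the bogus NS record in the cache, so a later resolve("handelsbanken.dk.") is answered from the cache without the hacker doing anything more; Resolver(hardened=True) rejects the whole burst because 64 guesses against a random 16-bit ID and a random source port practically never match. Note what the hardened resolver does not get from this: randomness only makes guessing expensive, and the bailiwick check only stops out-of-zone records, so an attacker who can see the query (or who wins the race with a large enough flood) still poisons it; that is the gap DNSSEC's signatures close.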

DNSSEC
A secure version of DNS, called DNSSEC, is being deployed
DNSSEC uses digital signature schemes to authenticate the provided resource records
Each zone (DNS server) has its own key pair
The public key of the root is known by all resolvers (the trust anchor)
Each zone authenticates (signs) the public keys of the zones in its sub-domains, giving a chain of trust from the root down to the record
A validating resolver therefore rejects a forged record like the one in the previous slide: the hacker cannot produce a valid signature for handelsbanken.dk
Not yet widely used (as of this 2012 lecture)