CIT 480: Securing Computer Systems


1 CIT 480: Securing Computer Systems
DNS Security

2 Topics
How DNS Works
DNS Caching
Pharming
DNS Cache Poisoning
DNS Cache Defenses
DNSSEC

3 Domain Name System (DNS)
The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses.
(Figure: DNS resolving the names of the sites Vacation Savings and My Example Blog Spot.)

4 Domain Name System
DNS provides a distributed database over the internet that stores various resource records, including:
  Address (A) record: IP address associated with a host name
  Mail exchange (MX) record: mail server of a domain
  Name server (NS) record: authoritative server for a domain
Example DNS entries from

5 Name Servers
Domain names:
  Two or more labels, separated by dots (e.g., cs166.net)
  Rightmost label is the top-level domain (TLD)
Hierarchy of authoritative name servers:
  Information about the root domain
  Information about its subdomains (A records) or references to other name servers (NS records)
The authoritative name server hierarchy matches the domain hierarchy: root servers point to DNS servers for TLDs, etc.
Root and TLD servers change infrequently.
DNS servers refer to other DNS servers by name, not by IP: sometimes one must bootstrap by providing an IP along with a name, called a glue record.

6 DNS Tree
(Figure: the DNS tree below the root, with the com and edu TLDs; under edu, brown.edu (with cs.brown.edu beneath it) and stanford.edu; under com, google.com and microsoft.com; each node holds the A resource records for the hosts in its zone.)

7 Internet Corporation for Assigned Names and Numbers
Non-profit organization at USC that
  Manages root DNS servers
  Allocates IP addresses
Originally created and run by US government
Controversial in EU, China, UN
Independent as of Sept 30, 2009
Alternative to ICANN
  Multiple DNS trees with their own roots
  Name resolution varies based on geography

8 Top Level Domains
Suffix  Purpose                                   Example
com     Commercial organizations (businesses)     intel.com
edu     Educational organizations (universities)  nku.edu
gov     Government organizations                  kentucky.gov
mil     Military organizations                    army.mil
net     Networking organizations (ISPs)           sprint.net
org     Noncommercial organizations               ietf.org
int     International organizations               nato.int
info    Informational sites                       cat.info
at      Country code for Austria                  austria.at
uk      Country code for United Kingdom           bbc.co.uk
us      Country code for United States            gov.state.ky.us
The first eight rows are generic TLDs (gTLDs); the last three are country-code TLDs (ccTLDs).

9 Name Resolution
Zone: collection of connected nodes with the same authoritative DNS server, e.g. nku.edu.
Resolution method when the answer is not in cache:
(Figure: the client asks the ISP DNS server, which asks the root name server, then tries the com nameserver, then tries the example.com nameserver.)

10 DNS Query Packet
(Figure: layout of a DNS query packet.)

11 DNS Response Packet
(Figure: layout of a DNS response packet.)

12 Authoritative Name Servers
Control of the DNS is distributed among authoritative name servers (ANSs).
ANSs are responsible for specific domains.
  Can designate other ANSs for subdomains.
An ANS can be master or slave.
  Master contains the original zone table.
  Slaves are replicas, automatically updating.
  Fault tolerance + load balancing.
ANSs set the Authoritative Answer (AA) flag in responses.

13 DNS Lookup Activity
dig www.nku.edu
  What is the IP address?
  What are the nameservers for nku.edu?
dig +trace www.nku.edu
  List each element of the DNS tree queried.
  What does the first result from each tree element tell you?
Look up in the same ways.

14 Dynamic Resolution
Many large providers have more than one authoritative name server for a domain.
Problem: need to locate the instance of the domain geographically closest to the user.
Proposed solution: include the first 3 octets of the requester's IP in recursive requests to allow better service.
Content distribution networks like Akamai already do adaptive DNS routing.

15 DNS Caching
Too much network traffic would be required to traverse the DNS tree for each query.
  Root zone would be rapidly overloaded.
DNS servers cache results for a specified amount of time.
  Specified by the time-to-live (TTL) field of the ANS reply.
  Domain admin determines the TTL based on how often the record changes.
OS and browsers maintain resolvers and DNS caches.
  View DNS servers in Windows with ipconfig /displaydns
  View DNS servers on Linux with cat /etc/resolv.conf
Privacy issues: DNS cache reveals which sites you visited.
DNS queries are typically issued over UDP on port 53.
  16-bit query identifier (QID) in payload ties response to request.
  Responses whose QIDs do not match pending requests are ignored.

16 DNS Caching
Step 1: query yourdomain.org
(Figure: the application's query passes through the local machine's resolver cache to the local NS resolver cache and on to the authoritative name server.)
Step 2: receive reply and cache at local NS and host
(Figure: the answer returns along the same path and is stored in both caches.)

17 DNS Caching (cont'd)
Step 3: use cached results rather than querying the ANS
(Figure: a second local machine querying the same name is answered from the local NS cache.)
Step 4: Evict cache entries upon TTL expiration

18 Pharming: DNS Hijacking
Changing the IP associated with a server maliciously.
(Figure: normal DNS versus a pharming attack, with the user entering a userID and password into a look-alike My Premium Blog Spot login page.)
Phishing: the different web sites look the same.

19 Pharming Attack Vectors
Malware modifies host name resolution.
  Rewrite addresses in local hosts file.
  Rewrite addresses of DNS servers.
Attacker subverts DHCP server, configures it to return malicious DNS servers.
  Target DHCP server on home router.
  Target DHCP server at ISP or corporate network.

20 DNS Cache Poisoning
Send DNS servers false responses that will be cached.
  Fake response maps a valid name to a malicious IP address.
  Fake response has a new authoritative nameserver, which is controlled by the threat, in glue records.
False responses must have:
  Same UDP destination port as the query's UDP source port.
  Same Question as a pending request.
  QID that matches that of the pending request.
DNS server accepts the first response to a question.
  If the malicious response arrives first, then its result is used and cached.
There are 3 main different ways to do DNS cache poisoning. The first relies on redirecting the nameserver of the attacker's domain to the nameserver of the target domain, and then assigning this target nameserver a fake IP address. The second variant relies on redirecting the nameserver of another, unrelated domain to a fake nameserver. The third variant just involves "racing" the real nameserver to give an answer.
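As an added example (not part of the lecture slides), the following Python parses the DNS header and Question that slides 10, 11 and 15 describe and applies the three acceptance checks a caching resolver performs before trusting a reply. The sample packets, the UDP ports and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders.

```python
import struct

# Constructed sample traffic (not from the slides): a query for the A record of
# www.nku.edu with QID 0x1a2b, the genuine reply, and a forged reply whose QID is
# off by one. Addresses are documentation placeholders.
SAMPLE_QUERY = (b"\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x03www\x03nku\x03edu\x00\x00\x01\x00\x01")
SAMPLE_RESPONSE = (b"\x1a\x2b\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x03www\x03nku\x03edu\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")
SPOOFED_RESPONSE = b"\x1a\x2c" + SAMPLE_RESPONSE[2:-4] + bytes([198, 51, 100, 7])


def parse_dns_message(data):
    """Parse the 12-byte header, the first Question and, if present, the first answer RR."""
    qid, flags, _qdcount, ancount, _nscount, _arcount = struct.unpack("!6H", data[:12])
    labels, pos = [], 12
    while data[pos] != 0:                       # length-prefixed labels; a 0 byte ends the name
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    pos += 1
    qtype, _qclass = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    msg = {
        "qid": qid,
        "is_response": bool(flags & 0x8000),    # QR bit
        "aa": bool(flags & 0x0400),             # Authoritative Answer flag (slide 12)
        "qname": ".".join(labels).lower(),
        "qtype": qtype,
        "answer": None,
    }
    if ancount and (data[pos] & 0xC0) == 0xC0:  # answer name is a pointer back to the Question
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[pos + 2:pos + 12])
        rdata = data[pos + 12:pos + 12 + rdlen]
        if rtype == 1 and rdlen == 4:           # A record: IPv4 address, cached for ttl seconds
            msg["answer"] = {"ip": ".".join(str(b) for b in rdata), "ttl": ttl}
    return msg


def response_matches_pending(pending, response, query_src_port, response_dst_port):
    """The acceptance test of slide 20 as a caching resolver applies it: the reply must
    land on the UDP port the query left from, repeat the same Question and carry the
    same QID. A reply failing any check is discarded and never reaches the cache."""
    return (response["is_response"]
            and response_dst_port == query_src_port
            and response["qid"] == pending["qid"]
            and response["qname"] == pending["qname"]
            and response["qtype"] == pending["qtype"])
```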

21 QID Guessing
Network sniffer if on the same subnet.
  Wait for request and observe QID from packet.
Some servers have predictable QIDs.
  Lure user to click on link to site whose domain you control.
  When attacker DNS server is contacted, record QID.
  Increment QID to match QID of next query.
Mass guessing
  Send multiple responses with different QIDs to same query.
  Birthday paradox math requires a few hundred responses.

22 DNS Cache Poisoning Prevention
Use random identifiers for queries.
  Attacker must brute force the 16-bit QID, which requires thousands of responses, but is doable.
Port randomization for DNS requests.
  Attacker must guess the 16-bit port as well as the query ID.
  Harder, but successful attacks observed.
Deploy DNSSEC.
  Signed updates cannot be spoofed, but
  Not yet deployed widely.

23 DNSSEC
Guarantees:
  Authenticity of DNS answer origin.
  Integrity of reply.
  Does not protect confidentiality.
Digital signatures of DNS replies.
Uses a chain of trust model like SSL.
  Trust anchors built into the OS give a starting point, like root CA certificates in web browsers.

24 DNS Signing
(Figure: how a DNS zone is signed.)

25 DNSSEC
Deployed at root in 2010.
  Allows use of root servers as trust anchors.
.com has used DNSSEC since 2011.
.br, .pr, .se, and some other ccTLDs use DNSSEC.
Political issues
  Concern about US control over root servers.
  Some governments might ban DNSSEC-based encryption key distribution to enable surveillance.

26 Key Points
DNS maps names to IP addresses.
  DNS tree structure and how names are paths.
  Name resolution process.
Pharming attacks take control of DNS servers to map names of legitimate sites to malicious ones.
DNS caching
  Multiple levels: OS, browser, ISP, etc.
  Threat can poison caches by sending malicious responses to a query with the correct Question and QID of the original query.
DNSSEC protects integrity of responses.
  Blocks DNS cache poisoning attacks.


