Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Cache Poisoning Attack

Published byNatalie Marsh Modified over 5 years ago

Similar presentations

Presentation on theme: "DNS Cache Poisoning Attack"— Presentation transcript:

1 DNS Cache Poisoning Attack
Dr. Neminath Hubballi IIT Indore © Neminath Hubballi

2 IIT Indore © Neminath Hubballi
Outline DNS Cache Poisoning Kaminsky’s DNS Cache Poisoning Defense mechanisms DNSSEC IIT Indore © Neminath Hubballi

3 IIT Indore © Neminath Hubballi
DNS Name Resolution What is IP of Root DNS Try at .com its IP is What is IP of What is IP of TLD DNS Try at google.com authoritative DNS it IP is Its IP is What is IP of Its IP is Authoritative DNS IIT Indore © Neminath Hubballi

4 IIT Indore © Neminath Hubballi
DNS Vulnerability Getting a wrong answer from the server Root DNS What is IP of TLD DNS Its IP is Authoritative DNS IIT Indore © Neminath Hubballi

5 IIT Indore © Neminath Hubballi
DNS Vulnerability Someone else answers to a DNS query before the one supposed to answer What is IP of Root DNS DNS Server Its IP is TLD DNS Its IP is Malicious guy Authoritative DNS IIT Indore © Neminath Hubballi

6 IIT Indore © Neminath Hubballi
DNS Packet Structure IIT Indore © Neminath Hubballi

7 IIT Indore © Neminath Hubballi
DNS Packet Structure IIT Indore © Neminath Hubballi

8 DNS Spoofing in Reality
DNS Replies are verified for Coming from same IP address Coming to the same port from which request was sent Reply is for the same query as was asked in the previous question Transaction ID match IIT Indore © Neminath Hubballi

9 How these Verifications are Overcome
Coming from same IP address Because authorative DNS server IP address can be discovered by offline queries Coming on the same port from which request was sent Many DNS servers used static port numbers Answer is to the same question that was asked This is easy if attacker herself initiates a request Transaction ID match Guess it

10 Dan Kamnisky Attack Kamnisky Attack
Flood the recursive name server with many answers One of them have to be right and it works ! The identifier is not fully random so one can predict

11 IIT Indore © Neminath Hubballi
Dan Kaminsky Attack Ask a recursive DNS server a question which is most likely not in its cache Pick a non existing domain like rnd.india.microsoft.com With high probability name sever will contact the authorative name server of microsoft.com domain Attacker send a reply with canonical name rnd.india.microsoft.com CNAME IN A IN IIT Indore © Neminath Hubballi

12 Defending DNS Spoofing
Many solutions focus on increasing the entropy of DNS query component Transaction ID Port number IIT Indore © Neminath Hubballi

13 IIT Indore © Neminath Hubballi
DNSSEC Security extension to DNS protocol It uses public key infrastructure to give a guarantee on who is sending the reply Use private key to digitally sign the message Use public key to verify the message Works fine as long as recipient believes in public- private key pair of sender What stops from someone generating her own key pair and replying Chain of trust relationship IIT Indore © Neminath Hubballi

14 How DNSSEC Works Each DNSSEC zone creates one or more pairs of public/private key(s) Public portion put in DNSSEC record type DNSKEY Zones sign all RRsets with private key(s) and resolvers use DNSKEY(s) to verify RRsets Each RRset has a signature attached to it: RRSIG So, if a resolver has a zone’s DNSKEY(s) it can verify that RRsets are intact by verifying their RRSIGs

15 Chain of Trust in DNSSEC
Introduces 3 new resource records RRSIG Signature over RR set using private key DNSKEY Public key, needed for verifying a RRSIG DS Delegation Signer; ‘Pointer’ for building chains of authentication Authoritative DNS server sends the following with reply RR containing IP URL mapping RRSIG DNSKEY and DS Verification can proceed one level higher the hierarchy At no point a DNS server gives a DS which is bellow it Problem is effectively addressed if Root Server becomes the highest signature verifier As of July 2010 there is one signed root server up and running ( dnssec.org/) IIT Indore © Neminath Hubballi

16 Key References for DNSSEC
nssec/basics/ _System_Security_Extensions IIT Indore © Neminath Hubballi

Download ppt "DNS Cache Poisoning Attack"

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Tony Kombol ITIS 3110. www.teacherstalk.com Who knows this? Who controls this? DNS!

Tony Kombol ITIS Who knows this? Who controls this? DNS!
CS426Fall 2010/Lecture 341 Computer Security CS 426 Lecture 34 DNS Security.

CS426Fall 2010/Lecture 341 Computer Security CS 426 Lecture 34 DNS Security.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.

CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi

Similar presentations

Ads by Google