Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN.

Published byJuan Salazar Modified over 10 years ago

Similar presentations

Presentation on theme: "Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN."— Presentation transcript:

1 Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN

2 Sep 2008ALAC Webinar 2 Intended web experience Type a URL: http://www.example.com/index.htmhttp://www.example.com/index.htm Browser asks DNS to find IP address of this host If DNS finds the IP address then –It passes this IP address to browser –Browser connects to the site –If page exists, browser downloads page –Else browser displays page not found Else if host does not exist –DNS returns a name error to browser –Browser displays an error Server not found (or similar)

3 Sep 2008ALAC Webinar 3 Response Modification alters this experience Type a URL: http://www.example.com/index.htmhttp://www.example.com/index.htm Browser asks DNS to find IP address of this host If DNS finds the IP address then –business as usual (well, maybe…) Else if DNS response is name error then –Respond in a way that is self-beneficial –Commonly done without notice and consent to user or domain registrant Even when notice is provided, full disclosure of the security implications are not identified –The registrant does not benefit from and in some instances is harmed by the alteration

4 Sep 2008ALAC Webinar 4 DNS Protocol Violation? RFC 1035 says name error is "only meaningful in responses from an authoritative name server " –The response is thus more than an error indication –Response expresses content that the authoritative name server expects the client to receive DNSSEC goes through great pains to provide authenticated denial of existence of DNS records –Why would we bother if non-existence was unimportant!!!

5 Sep 2008ALAC Webinar 5 Who can make such changes Entrusted Agents –A DNS operator who provides authoritative name service on behalf of a registrant –Registrars, ISPs, trusted 3rd parties, registrants IT Third parties –any DNS operator of any name server that processes the response along the return path from the authority name server to the client that issued the request

6 Sep 2008ALAC Webinar 6 Form 1: Synthesized DNS response An Entrusted agent operating as a zone authority –Receives a name query from a client –Determines the name does not exist in the zone file –Returns a name exists response containing an IP address mapping the entrusted agent chooses –Common implementation is to include a wildcard entry in the registrant's zone file All names not found resolve to an IP address the agent chooses

7 Sep 2008ALAC Webinar 7 Iterative resolver Client Root Name Server What is the IP address of ww.example.com? Ask one of these COM name servers What is the IP address of ww.example.com?.example.com does not exist synthesize DNS response return Answers Section with IP address = a.b.c.d What is the IP address of ww.example.com ww.example.com is at IP = a.b.c.d COM Name Server What is the IP address of ww.example.com? Ask example.com's name service provider ww.example.com's IP = a.b.c.d example.com's Entrusted Agent example.com zone file Synthesized DNS Response (Simplified)

8 Sep 2008ALAC Webinar 8 Form 2: "On the fly" response modification A third party NS operator –Examines DNS responses messages it attempts to resolve for a client –When it encounters a non-existent domain response the resolver Silently alters the response code from non-existent to name found Inserts an IP address mapping the third party chooses

9 Sep 2008ALAC Webinar 9 Iterative resolver Client Root Name Server What is the IP address of ww.example.com? Ask one of these COM name servers What is the IP address of ww.example.com? What is the IP address of ww.example.com ww.example.com is at IP = w.x.y.z COM Name Server What is the IP address of ww.example.com? Ask example.com's name service provider example.com's Entrusted Agent example.com zone file NXDomain Response Modification(Simplified) response says NXDomain: synthesize DNS response return Answers Section with IP address = w.x.y.z ww.example.com is non-existent domain

10 Sep 2008ALAC Webinar 10 Who has the means, motive and opportunity? WhoHowWhy Sponsoring registrarEntrusted agent (EA)Promote business Promote services Advertise Affiliate advertising "Enhance the user experience" Public DNS provider Third party NS operator ISP Third party NS operator or EA Web (proxy) operators Third party NS operator "for fee" DNS provider Third party NS operator or EA Domain registrantEAEnforce a policy Remedial Education Attackers"own" a DNS serverFun, fame, fortune…

11 Sep 2008ALAC Webinar 11 How are users affected? A modified DNS response –Signals a different state of the zone to the user than the registrant intended The non-existence of a name is not conveyed to the user The user concludes the host is operated by the registrant –Can result in inconsistent responses The response a user receives depends on the resolver it asks –Can cause address mapping conflicts when multiple NS operators alter responses An authority may add a host that has been redirected Resolvers caching a modified response for this name will return a different address from the one now in the authority zone file

12 Sep 2008ALAC Webinar 12 How are domain registrants affected? A modified DNS response –Alters the content the domain authority intended to have delivered Would you tolerate undisclosed modification of any other application content? Why should DNS messages be treated differently from mail, IMs or voice? –Has business and brand implications Redirection hosts benefit from the domain registrant's brand, reputation, site and link popularity, and sponsored link agreements… Operational instabilities Security implications ->

13 Sep 2008ALAC Webinar 13 Security Implications A modified DNS response –Subverts a "parent trusts the subdomain" security assumption common to web applications Applications assume that any host in my domain is trustworthy –Wrests security of hosts from the registrant A host is named in your domain but secured by "someone else How can I test and audit for (regulatory) compliance and policy conformance if I dont know or operate the hosts where my NXDOMAINs are redirected –Creates opportunities for attack via a host you cannot secure Phishing via false site injection Redirect hosts can intercept, monitor and analyze traffic (extract data) Redirect hosts can intercept cookies to acquire personal, credit or bank data –Facilitates attacks against brand Arent 3 rd level labels you don't control as dangerous as 2 nd level labels

14 Sep 2008ALAC Webinar 14 Other issues A Records today, what about tomorrrow? –Assumption is that most NXDomain responses are for web sites so they lead to "eyeballs" –Imagine a future of modified DNS responses that includes MX, NAPTR, SRV and other resource records Dueling rewrites –DNS responses can be processed by many third parties –Any party downstream from a synthesized response can rewrite the response –Interesting problem for error resolution marketeers Is this the tip of the iceberg? –How long before responses from other application servers are in play?

15 Sep 2008ALAC Webinar 15 SSAC Recommendations Synthesized responses at any level in the DNS have unanticipated and undesirable consequences for the registrant and user Registrants should choose an entrusted agent that asserts it will not modify DNS responses in its terms of service Registrants should study ways to provide end-to-end authenticated proof of non-existence of subdomains (DNSSEC) Entrusted agents should not inject DNS wildcards in a zone without informed consent and without fully informing the domain registrant of the risks this practices exposes Entrusted agents should provide opt-out mechanism that allows clients to receive the original DNS answers to their queries. Third parties should disclose that they practice NXDomain response modification and should provide opportunities for users to opt out

Download ppt "Sep 2008ALAC Webinar 1 DNS Response Modification David Piscitello Senior Security Technologist ICANN."

Similar presentations

ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.

ICANN SSAC, Cairo Nov 2008 Page 1 Summary of Fast Flux Dave Piscitello ICANN SSAC.
Internet Applications INTERNET APPLICATIONS. Internet Applications Domain Name Service Proxy Service Mail Service Web Service.

Internet Applications INTERNET APPLICATIONS. Internet Applications Domain Name Service Proxy Service Mail Service Web Service.
INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.

INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.
CS 22: Enhanced Web Site Design - Week 8Slide 1 of 15 Enhanced Web Site Design Stanford University Continuing Studies CS 22 Mark Branom

CS 22: Enhanced Web Site Design - Week 8Slide 1 of 15 Enhanced Web Site Design Stanford University Continuing Studies CS 22 Mark Branom
Dangers on the Internet

Dangers on the Internet
DNS and HTTPs ACN Presentation. Domain Names We refer to computers on the Internet (Internet hosts), by names like: sharda.ac.in These are called domain.

DNS and HTTPs ACN Presentation. Domain Names We refer to computers on the Internet (Internet hosts), by names like: sharda.ac.in These are called domain.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.

The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.
Security and Information Assurance for the DNS Dan Massey USC/ISI.

Security and Information Assurance for the DNS Dan Massey USC/ISI.
Domain Name System: DNS

Domain Name System: DNS
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.

What’s New in WatchGuard XCS 10.0 Update 3 WatchGuard Training.
1 Web Content Delivery Reading: Section 9.2.2 and 9.4.3 COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:

1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Application Layer. Domain Name System Domain Name System (DNS) Problem – Want to go to www.google.com, but don’t know the IP addresswww.google.com Solution.

Application Layer. Domain Name System Domain Name System (DNS) Problem – Want to go to but don’t know the IP addresswww.google.com Solution.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
11.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Similar presentations

Ads by Google