DNS Security Issues NES 554 for DNS Security

AliAlwesabi 25 views 39 slides May 10, 2024
Slide 1
Slide 1 of 39
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18
Slide 19
19
Slide 20
20
Slide 21
21
Slide 22
22
Slide 23
23
Slide 24
24
Slide 25
25
Slide 26
26
Slide 27
27
Slide 28
28
Slide 29
29
Slide 30
30
Slide 31
31
Slide 32
32
Slide 33
33
Slide 34
34
Slide 35
35
Slide 36
36
Slide 37
37
Slide 38
38
Slide 39
39

About This Presentation

DNS Security Issues NES 554 for DNS Security

Size: 741.85 KB
Language: en
Added: May 10, 2024
Slides: 39 pages

Slide Content

DNS and Security Issues NES 554

2 DNS: Domain Name System People: many identifiers: SSN, name, passport # Internet hosts, routers: IP address (32 bit) – 128.119.40.12 unique ID “name”, e.g., www.yahoo.com - used by humans Q: How to map between IP addresses and name ? Domain Name System: distributed database implemented in hierarchy of many name servers

3 DNS Why not centralize DNS? single point of failure traffic volume distant centralized database maintenance doesn’t scale! DNS services Hostname to IP address translation Host aliasing Canonical and alias names Many names for a single host Mail server aliasing Load distribution Replicated Web servers: set of IP addresses for one canonical name

4 Root DNS Servers com DNS servers org DNS servers edu DNS servers ucf.edu DNS servers umass.edu DNS servers yahoo.com DNS servers amazon.com DNS servers pbs.org DNS servers Distributed, Hierarchical Database Client wants IP for www.amazon.com: Client queries a root server to find com DNS server Client queries “com” DNS server to get amazon.com DNS server Client queries amazon.com DNS server to get IP address for www.amazon.com

5 DNS: Root name servers b USC-ISI Marina del Rey, CA l ICANN Los Angeles, CA e NASA Mt View, CA f Internet Software C. Palo Alto, CA (and 17 other locations) i Autonomica, Stockholm (plus 3 other locations) k RIPE London (also Amsterdam, Frankfurt) m WIDE Tokyo a Verisign, Dulles, VA c Cogent, Herndon, VA (also Los Angeles) d U Maryland College Park, MD g US DoD Vienna, VA h ARL Aberdeen, MD j Verisign, ( 11 locations) 13 root name servers worldwide

6 TLD and Authoritative Servers Top-level domain (TLD) servers: responsible for com, org, net, edu , etc , and all top-level country domains uk , fr , ca, jp . Authoritative DNS servers: organization’s DNS servers, providing authoritative hostname to IP mappings for organization’s servers (e.g., Web and mail). Can be maintained by organization or service provider (paid by the organization)

7 Local Name Server Does not strictly belong to hierarchy Each ISP (residential ISP, company, university) has one Also called “default name server” When a host makes a DNS query, query is sent to its local DNS server first Acts as a proxy (cache), forwards query into hierarchy

8 requesting host cis.poly.edu gaia.cs.umass.edu root DNS server local DNS server dns.poly.edu 1 2 3 4 5 6 authoritative DNS server dns.cs.umass.edu 7 8 TLD DNS server Iterative and Recursive queries Host at cis.poly.edu wants IP address for gaia.cs.umass.edu The query to root DNS rarely happens due to cache of all TLD DNS information at local DNS server recursive iterative

9 requesting host cis.poly.edu gaia.cs.umass.edu root DNS server local DNS server dns.poly.edu 1 2 4 5 6 authoritative DNS server dns.cs.umass.edu 7 8 TLD DNS server 3 Recursive queries recursive query: DNS client requires DNS server respond with either the requested resource record, or an error message stating that the record or domain name does not exist. iterative query: contacted server replies with name of server to contact “I don’t know this name, but ask this server” Reference: http://technet.microsoft.com/en-us/library/cc961401.aspx

10 DNS: caching and updating records once (any) name server learns mapping, it caches mapping cache entries timeout (disappear) after some time (keep fresh copy) TLD servers typically cached in local name servers Thus root name servers not often visited]

11 DNS records DNS: distributed db storing Resource Records (RR) Type=NS name is domain (e.g. foo.com) value is IP address of authoritative DNS server for this domain RR format: (name, value, type, ttl) Type=A name is hostname value is IP address Type=CNAME name is alias name for some “canonical” (the real) name www.ibm.com is really servereast.backup2.ibm.com value is canonical name Type=MX value is name of mailserver associated with name

12 DNS protocol, messages DNS protocol : query and reply messages, both with same message format msg header identification: 16 bit # for query, reply to query uses same # flags: query or reply recursion desired recursion available reply is authoritative

13 DNS protocol, messages (UDP 53) Name, type fields for a query RRs in response to query records for authoritative servers additional “helpful” info that may be used

Example Let’s check a web example using Wireshark! Check MX record: nslookup –type=MX just.edu.jo (Under Windows) dig mx just.edu.jo (Under Unix) 14

DNS main issues DNS amplification attacks Targeting Domain name system by DDoS attack DNS Man in the Middle Attack (redirection attack) DNS cache poisoning

DNS Security 17

Cybersquatting Cybersquatting is to register a domain in anticipation of that domain being desirable to another organization Intent to sell to that organization for big profit For example, someone registers www.burjkhalifa.com , since it was named at first www.burjdubai.com Sell it for big profit if it is true! Domain name purchase is cheap! Many organizations have to buy all related domain names to prevent cybersquatting A legitimate example: http://teaparty.com/ suspicious ones for tea party: http://tparty.com/ , http://t-party.com/ http://en.wikipedia.org/wiki/Cybersquatting 18

Typosquatting Register all possible typo domain names for another organization Should a user accidentally enter an incorrect website address, he may be led to an alternative website owned by a cybersquatter . Could lead to phishing attack (malicious), or increase web visits (not very malicious) For example, for “bankofamerica.com”, a cybersquatter could register: “bankamerica.com”, “bankoamerica.com”, “bankofamerican.com”, “bankfoamerica.com”, …… Domain name purchase is cheap! 19

OS DNS Cache Privacy Windows OS maintain a local DNS cache Command “ipconfig/ displaydns ” DNS cache reveals a user’s browsing history Even if the user deletes browsing cache and cookies Internet Explorer does not have its own DNS cache Cross-platform browser, such as Firefox, has its own DNS cache 20

Flush DNS cache

DNS Vulnerability Most DNS queries and responses are in plaintext No authentication is done for DNS response You really has no good way to tell if the DNS response you get are trustable or not! DNS is mostly relying on UDP packets IP address spoofing is very easy for UDP packets No seq / ack numbers 23

DNS Redirection There are 3 main different ways to do DNS redirection The first relies on redirecting the nameserver of the attacker's domain to the nameserver of the target domain, and then assigning this target nameserver a fake IP address. The second variant relies on redirecting the nameserver of another, unrelated domain to a fake nameserver . The third variant just involves “racing” the real nameserver to give an answer.

DNS redirection network attacker client local DNS server hub or WiFi 1 2 Client sends DNS query to its local DNS server; sniffed by attacker Attacker responds with bogus DNS reply Issues: Must spoof IP address: set to local DNS server (easy) Must match reply ID with request ID (easy) May need to stop reply from the local DNS server (harder)

DNS Cache Poisoning Basic idea: give DNS servers false records and get it cached DNS uses a 16-bit request identifier to pair queries with answers Cache may be poisoned when a name server: Disregards identifiers Has predictable ids Accepts unsolicited DNS records

DNS Cache Poisoning Procedure Eve wants to poison attack an ISP DNS server Eve transmits a DNS query to this server which in turn queries authoritative DNS on behalf of Eve. Eve simultaneously sends a DNS response(reply) to the server spoofing with the authoritative server’s IP The ISP’s DNS server accepts the forged response and caches a wrong DNS entry All downstream users of this ISP will be directed to the wrong website 27

Poisoning DNS Cache (1) Poisoning: Attempt to put bogus records into DNS name server caches Bogus records could point to attacker nodes Attacker nodes could phish But unsolicited replies are not accepted at a name server. Name servers use IDs in DNS messages to match replies to queries So can’t just insert a record into a name server by sending a DNS reply message. But can send a reply to a request.

Poisoning local DNS server (2) Local DNS Server (eg, Berkeley) Attacker in Australia: 17.32.8.9 1. DNS query poly.edu=? 3. DNS reply poly.edu= 17.32.8.9 2. iterative DNS queries authoritative DNS for poly.edu Goal: Put bogus IP address for poly.edu in local Berkeley DNS server 1) Attacker queries local DNS server 2) Local DNS makes iterative queries 3) Attacker waits for some time; sends a bogus reply, spoofing authoritative server for poly.edu.

Poisoning local DNS server (3) Poisoned local DNS server (eg, Berkeley) Attacker in Australia 17.32.8.9 1. DNS query ftp.poly.edu=? 2. DNS query ftp.poly.edu=? authoritative DNS for poly.edu DNS response can provide IP address of malicious server!

DNS Poisoning (4) Issues: Attacker needs to know sequence number in request message sent to upstream server Not easy! Attacker may need to stop upstream name server from responding So that server under attack doesn’t get suspicious Ping of death, DoS , overflows, etc

DNS Cache Poisoning Prevention Use random identifiers for queries Make it hard to guess the ID number Always check identifiers Port randomization for DNS requests Deploy DNSSEC DNSSEC authenticates the resolution of IP addresses with a cryptographic signature Discussed later! Challenging because it is still being deployed and requires reciprocity

DNS Cache Poisoning against Query ID Even if a DNS server checks response IDs and use random IDs, it is still vulnerable to the attack Attacker generates a flux of DNS requests and send the corresponding flux of DNS response back If one of the pair has matched ID, the attack is successful Birthday Paradox: the prob. Of two persons in 23 people share the same birthday is more than 50%! 33

Some Defenses Fact: Most DNS poisoning target local DNS (LDNS) server Solution: Configure LDNS to only accept requests from internal networks Why does it need to serve outside users? Source-port randomization (SPR) DNS query sent out will have two randomized numbers: Source port number (destination port always 53) Query ID number (16 bits) Check DNS response for both of these numbers 34

DNSSEC Guarantees: Authenticity of DNS answer origin Integrity of reply Authenticity of denial of existence Accomplishes this by signing DNS replies at each step of the way Uses public-key cryptography to sign responses Typically use trust anchors, entries in the OS to bootstrap the process

DNS Signing Hard-coded with TLD’s public keys TLDs serve as Certificate Authority

DNSSEC Deployment As the internet becomes regarded as critical infrastructure there is a push to secure DNS NIST is in the process of deploying it on root servers now May add considerable load to dns servers with packet sizes considerably larger than 512 byte size of UDP packets There are political concerns with the US controlling the root level of DNS

DDos DNS Attack Oct 21, 2002 Ping packets sent from bots to the 13 DNS root servers. Goal: bandwidth flood servers Minimal impact: DNS caching rate limiting at upstream routers: filter ping when they arrive at an excessive rate During attack, some networks filtered pings; corresponding root servers remained up. Root server attack is easy to defend: download root server database to local (default) name servers Not much data in root server; changes infrequently TLD servers are more volatile Similar kind of attack in May 2004, Feb 2007

DNS attacks: Summary DNS is a critical component of the Internet infrastructure But is surprisingly robust: DDoS attacks against root servers have been largely unsuccessful Poisoning and redirection attacks are difficult unless you can sniff DNS requests And even so, may need to stop DNS servers from replying DNS can be leveraged for reflection attacks against non-DNS nodes
Tags
Categories
Technology
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 25
  • Slides 39
  • Age 572 days
Related Slideshows
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx 11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
47 views
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx 10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
47 views
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx 13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx 11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
34 views
Know for Certain 21
Know for Certain
DaveSinNM
21 views
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx 17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views
View More in This Category