Security Issues with Domain Name Systems

By: Abhishek Singh (MS-011), Umang Sharma (MS-019)



DNS Security

Flow of presentation
- Introduction to DNS
- Attacks on DNS
- Security measures to prevent attacks
- DNSSEC
- Conclusion

Scheme of presentation
Overview of DNS
Attacks on DNS:
- DNS cache poisoning
- DNS ID spoofing
- Client flooding
- DNS dynamic update vulnerabilities
- Information leakage
- Compromise of DNS servers' authoritative data
DNSSEC
Security measures to prevent attacks on DNS
Conclusion

Overview of DNS
The Domain Name System was created in 1983 by Paul Mockapetris (RFCs 882 and 883, superseded in 1987 by RFCs 1034 and 1035) and has been modified, updated and enhanced by a myriad of subsequent RFCs. It is what Internet users use to reference anything by name on the Internet, and the mechanism by which Internet software translates names to addresses and vice versa.

Overview of DNS (continued)
Users generally prefer names to numbers; computers prefer numbers to names. DNS provides the mapping between the two: "I have x, give me y". DNS is NOT a directory service. It resolves Internet host names into IP addresses and vice versa.

Domain hierarchy
A domain is a part of the hierarchy identified by a domain name. A zone is the collection of domain information contained in one domain database file. The root domain is at the top of the hierarchy; directly beneath it are the top-level domains, for example:
- com: commercial organizations
- edu: educational organizations
- gov: government organizations
- mil: military organizations
- net: networking organizations
- org: non-profit organizations
- int: international organizations
A domain name is written from the most specific part (the machine name) to the least specific (the top-level domain), with the parts separated by dots. A fully qualified domain name (FQDN) starts with the machine name and ends with the top-level domain (strictly, with a trailing dot for the root).

DNS root name servers
A root name server is contacted by a local name server that cannot resolve a name itself. The root server does not hold the mapping and does not recurse on the local server's behalf: it refers the local server to the name servers for the relevant top-level domain, which in turn refer it to the authoritative name server for the zone. The local name server follows these referrals, obtains the mapping, and returns it to the client.

DNS software
The most widely used DNS software is the Berkeley Internet Name Domain (BIND) software. BIND follows a client/server architecture:
- The client side is called the resolver; the resolver queries the name server.
- The server side is called the name server; the name server responds to the resolver's queries.

Resolver
A lookup occurs when a client requests information about a machine from its local DNS server. There are two types of lookup:
- Recursive lookups: the server that is asked does all the work and returns a final answer (or an error) to the querier.
- Iterative lookups: the server returns the best referral it has, and the querier follows that referral itself.
A zone transfer occurs when one DNS name server requests the complete contents of a zone from another DNS name server.

DNS resource records

DNS operation steps
- The client needs information about a machine and sends its request to the local DNS name server.
- The local name server receives the request and examines its cache; if it already knows the response, it forwards the response to the client.
- If not, the local name server forwards the request to an authoritative DNS server.
- Once the local name server receives the response, it saves it in its cache for future use.
- The local name server then forwards the response to the client.

Name servers
There are three configurable types of name server:
- Primary name server: also called an authoritative server; responsible for maintaining accurate information about a specific part of the domain hierarchy.
- Secondary name server: receives or retrieves the complete information for a given zone from a primary name server (a zone transfer) and answers queries about that zone with authority.
- Caching name server: caches the responses to queries for later use; usually run alongside a primary or secondary server.


Attacks on DNS
- DNS cache poisoning
- DNS ID spoofing
- Client flooding
- DNS dynamic update vulnerabilities
- Information leakage
- Compromise of DNS servers' authoritative data

DNS cache poisoning
- DNS A receives a query that it does not have an answer to, so it asks DNS B.
- DNS B replies with wrong information, or, if it does not have the answer, it puts records that do not relate to the answer into the additional records section of the response.
- DNS A accepts the response of DNS B without performing any checks and puts the corrupted records in its cache.
Tool used to perform the attack: Cain & Abel.

DNS cache poisoning attack (diagram slides)

Security measures to prevent DNS cache poisoning
There are three checkpoints:
- The source port number used for DNS queries should be randomized, not fixed.
- The transaction ID number used for DNS queries should be randomized, not sequential or otherwise predictable.
- The DNS server should not answer recursive DNS queries originating from outside its own network (no open recursion).
Together these make a spoofed reply hard to match to an outstanding query and deny outsiders the ability to trigger the queries they want to poison.
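The poisoning described above (DNS A caching whatever DNS B returns, including unrelated additional records) next to the checks a resolver should make, as an added Python example written for this page, not code from the slides or from any DNS implementation. It builds and parses DNS messages in RFC 1035 wire format with the standard library only. The names example.test and victim.test, the documentation-range addresses, the transaction ID and the port are constructed values; the "bailiwick" rule (keep only records that fall under the zone the server was asked about) is the standard resolver defence against the additional-section trick and is not named on the slide.

```python
"""Added example, not part of the original slides: what a resolver caches from a
poisoned response with no checks (DNS A on the slide) versus with the checks a
hardened resolver performs.  Standard library only; all names, addresses, IDs
and ports below are constructed for the example."""
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte (RFC 1035 3.1)."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                   for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a wire-format name at `off`; returns (name, next offset).
    Handles compression pointers (RFC 1035 4.1.4) so real responses parse too."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if (length & 0xC0) == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail.rstrip(".")]) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def a_record(name, ipv4, ttl=3600):
    rdata = bytes(int(o) for o in ipv4.split("."))
    return encode_name(name) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(txid, qname, answers, additionals):
    """Authoritative response (QR=1, AA=1) with one question and A records only."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, len(additionals))
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(a_record(*rr) for rr in answers + additionals)


def parse_response(msg):
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                  # skip QTYPE, QCLASS
    sections = []
    for count in (an, ns, ar):
        records = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata, off = msg[off:off + rdlen], off + rdlen
            if rtype == TYPE_A:
                records.append((name, ".".join(str(b) for b in rdata), ttl))
        sections.append(records)
    return {"id": txid, "qname": qname, "answer": sections[0],
            "authority": sections[1], "additional": sections[2]}


def in_bailiwick(name, zone):
    """True if `name` is `zone` or lies below it (both absolute, lower-case)."""
    return name == zone or name.endswith("." + zone)


def naive_accept(response):
    """DNS A on the slide: cache every record in the reply, no checks at all."""
    r = parse_response(response)
    return r["answer"] + r["additional"]


def checked_accept(pending, response, dst_port):
    """Resolver checks: transaction ID and destination port must match the query we
    sent, the question must be ours, and only records inside the bailiwick of the
    server we asked are kept.  Returns None when the reply is rejected outright."""
    r = parse_response(response)
    if r["id"] != pending["id"] or dst_port != pending["sport"]:
        return None
    if r["qname"].lower() != pending["qname"].lower():
        return None
    return [rr for rr in r["answer"] + r["additional"]
            if in_bailiwick(rr[0].lower(), pending["zone"])]


def run_scenario():
    """Constructed exchange: we asked the example.test server for www.example.test;
    it answers and smuggles in an A record for www.victim.test.  Then a blind
    spoof that guessed the transaction ID wrong."""
    pending = {"id": 0x1A2B, "sport": 40123,
               "qname": "www.example.test.", "zone": "example.test."}
    poison = build_response(pending["id"], pending["qname"],
                            answers=[("www.example.test.", "192.0.2.10")],
                            additionals=[("www.victim.test.", "198.51.100.66")])
    naive = naive_accept(poison)
    checked = checked_accept(pending, poison, dst_port=pending["sport"])
    spoof = build_response(0x0001, pending["qname"],
                           [("www.example.test.", "198.51.100.1")], [])
    rejected = checked_accept(pending, spoof, dst_port=pending["sport"])
    return naive, checked, rejected


if __name__ == "__main__":
    naive, checked, rejected = run_scenario()
    print("no checks cached:", [rr[:2] for rr in naive])
    print("checked   cached:", [rr[:2] for rr in checked])
    print("blind spoof accepted:", rejected is not None)
```

The unchecked path caches the www.victim.test record and every later client of DNS A is sent to the attacker's address; the checked path keeps only the example.test data and drops the mis-numbered spoof. The ID and port comparison is exactly what the two randomization checkpoints above protect: with a fixed port and a predictable ID, the blind spoof would pass it.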

Tools used to perform these checks:
- porttest.dns-oarc.net tool by DNS-OARC (source-port randomness)
- txidtest.dns-oarc.net tool by DNS-OARC (transaction-ID randomness)
- Cross-Pollination Scan tool by IANA

DNS ID spoofing
- Machine X needs to know the IP address of machine Y.
- X assigns a random identification number (16 bits) to the request it sends to the DNS server and expects this number to be present in the DNS reply.
- An attacker using a sniffer intercepts the DNS request and sends X a reply containing the correct identification number but an IP address of his choice.


DNS ID spoofing without a sniffer (the birthday paradox)
- The identification number is 16 bits, so it has 65536 possible values.
- An attacker sends n queries for www.cnn.com to the victim DNS server, and the victim DNS server sends n queries to ns.cnn.com.
- The attacker sends n spoofed replies, apparently from ns.cnn.com, to the victim DNS server.
- Because of the birthday paradox, the probability that one of the n replies carries a correct identification number grows rapidly even for small n.

Chance of success as a function of the number of queries n:

Queries (n)   Chance of success
100           0.0728
200           0.2621
400           0.7048
650           0.9604
750           0.9865
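The table above, recomputed: an added Python example written for this page (not from the slides), implementing the birthday-collision probability that the table tabulates and comparing it with a blind guess against a single outstanding query and with the ID space enlarged by source-port randomization. The 65536-value ID space is from the slide; treating a randomized source port as an extra 16-bit factor is an assumption and an upper bound, since not every port is usable.

```python
"""Added example, not part of the original slides: success probability of the
birthday-paradox DNS ID spoof, reproducing the slide's table, against the
single-query guess and against an ID space widened by port randomization.
Assumption: a randomised source port adds at most 2**16 more values."""
import math

ID_SPACE = 2 ** 16      # 16-bit transaction ID: 65536 values (from the slide)
PORT_SPACE = 2 ** 16    # extra factor if the source port is random too (upper bound)


def birthday_success(n, space=ID_SPACE):
    """Standard birthday-collision probability among n IDs chosen uniformly from
    `space` values: 1 - prod_{i<n} (1 - i/space).  This is the quantity the
    slide's table gives for the n-queries / n-spoofed-replies attack."""
    if n >= space:
        return 1.0
    p_no_collision = 1.0
    for i in range(n):
        p_no_collision *= 1.0 - i / space
    return 1.0 - p_no_collision


def single_query_success(n, space=ID_SPACE):
    """Without the birthday trick: n spoofed replies raced against ONE outstanding
    query, each guess correct with probability 1/space."""
    return min(1.0, n / space)


def queries_for(target, space=ID_SPACE):
    """Smallest n whose birthday success probability reaches `target`.
    Starts a little below the closed-form estimate sqrt(2 * space * ln(1/(1-target)))."""
    n = max(1, int(math.sqrt(2 * space * math.log(1.0 / (1.0 - target)))) - 5)
    while birthday_success(n, space) < target:
        n += 1
    return n


def slide_table(points=(100, 200, 400, 650, 750)):
    """The slide's table: n -> chance of success, rounded to four decimals."""
    return {n: round(birthday_success(n), 4) for n in points}


if __name__ == "__main__":
    print("n      birthday   single-query   birthday with random port")
    for n in (100, 200, 400, 650, 750):
        print(f"{n:<6} {birthday_success(n):.4f}     {single_query_success(n):.4f}"
              f"         {birthday_success(n, ID_SPACE * PORT_SPACE):.6f}")
    print("queries for 50% success (ID only):         ", queries_for(0.5))
    print("queries for 50% success (ID + random port):", queries_for(0.5, ID_SPACE * PORT_SPACE))
```

Two things fall out that the table alone does not show: 750 replies against a single query win only about 1.1% of the time, so the attacker's gain comes from forcing many simultaneous outstanding queries (which is why open recursion matters); and once the port is randomized as well, the same 750 packets succeed with probability below 0.01%, and reaching a 50% chance takes tens of thousands of queries instead of about 300.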

Tips for preventing DNS spoofing
- Keep the DNS software up to date.
- Allow updates and zone transfers only from trusted sources.
- Maintain separate DNS servers for public services and for internal services.
- Use a secure key to sign the updates received from other DNS servers; this avoids accepting updates from untrusted sources.
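The zone-transfer, update-signing and recursion tips expressed as BIND named.conf fragments: an added example written for this page, not taken from the slides or from any real deployment. The two zone blocks are the permissive and the restricted version of the same zone shown side by side (a real configuration has only one); the key name, file name and secret are placeholders.

```conf
// Weak: any host may pull the whole zone (the information leakage the
// slides describe) and nobody is authenticated for dynamic updates.
zone "example.test" {
    type master;
    file "example.test.zone";
    allow-transfer { any; };
    allow-update { any; };
};

// Corrected: a TSIG key shared with the trusted secondary and update client
// (placeholder name and secret; generate a real one with tsig-keygen).
// Transfers and updates are accepted only from holders of that key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

zone "example.test" {
    type master;
    file "example.test.zone";
    allow-transfer { key "xfer-key"; };
    allow-update { key "xfer-key"; };
};

// Public-facing authoritative server: it should not recurse for anyone,
// which is the open-recursion checkpoint from the cache-poisoning slide.
// The internal, recursive server is a separate instance (split DNS).
options {
    recursion no;
};
```

The key-based access lists rely on the TSIG signature on each request rather than on the source IP address, so a spoofed address alone is no longer enough to trigger a transfer or an update.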

Client flooding
- The client sends a DNS query.
- The attacker sends thousands of responses made to appear as if they originate from the DNS server.
- The client accepts a response because it lacks the capability to verify where the response came from.

Information leakage
- Zone transfers can leak information about internal networks.
- Alternatively, an attacker can query every IP address in a domain's address space one by one to learn which addresses are unassigned.
- If a system trusts an entire IP network rather than specifying every host it trusts, that system may be vulnerable to an attack using an unassigned IP address.

Compromise of DNS servers' authoritative data
- The DNS server has vulnerabilities not related to DNS itself.
- The attacker gains administrative privileges on the DNS server.
- The attacker modifies the zone information for which the DNS server is authoritative.

DNSSEC
DNSSEC: Domain Name System Security Extensions.

DNSSEC timeline
- 1993: discussion of secure DNS begins
- 1994: first draft of a possible standard published
- 1997: RFC 2065 published (DNSSEC becomes an IETF standard)
- 1999: RFC 2535 published (the DNSSEC standard is revised)
- 2005: total rewrite of the standards published (RFCs 4033, 4034 and 4035)

What DNSSEC does

DNSSEC uses public key cryptography and digital signatures to provide:
- Data origin authentication: did this DNS response really come from the .com zone?
- Data integrity: did an attacker (e.g., a man-in-the-middle) modify the data in this response after it was signed?
Bottom line: DNSSEC offers protection against spoofing of DNS data. It does not provide confidentiality; queries and responses still travel in the clear.

DNSSEC mechanism
DNSSEC is a mechanism enabling validation of the origin and integrity of DNS data. It is based on asymmetric cryptography: the zone operator signs the zone data with a private key, and the corresponding public key is published in the zone itself, so a DNS client or validating resolver can fetch it and verify the signatures. The chain of trust starts from a trust anchor configured in the resolver (normally the root zone's key) and descends through each parent zone's DS records. All keys and signatures are carried within the DNS zone as new resource record (RR) types: DNSKEY, RRSIG, DS and NSEC/NSEC3.

Each signed zone is associated with a key pair:
- Private key: confidential; used to sign the zone's resource record sets (RRsets), providing authenticity and integrity.
- Public key: published in a DNSKEY record; used to verify the signatures made with the private key. Signatures are verified, not "decrypted": DNSSEC does not encrypt any DNS data.


DNSSEC brings benefits on two key points:
- Origin authentication
- Integrity checking

Conclusion
DNS plays a vital role in the Internet architecture. The original DNS specification did not include proper security, so DNS is vulnerable to the attacks described above, and proper security measures should be used to prevent them. Defenders also need to understand the attacker's techniques in order to defend effectively.

