Domain Name System (DNS) Learning Goal Foundations of DNS Security - PowerPoint PPT Presentation



  1. IN3210 – Network Security Domain Name System (DNS)

  2. Learning Goal
     ⚫ Foundations of DNS
     ⚫ Security in DNS:
        − Integrity and Authenticity
        − Confidentiality

  3. Foundations of DNS

  4. Domain Name System
     ⚫ Directory services for name resolution (figure: host name → IP address)
     ⚫ Requirements:
        − support for "real" names (e.g. server01) and "logical" names (e.g. www.uio.no)
        − support for different kinds of services (e.g. mail) and address formats (e.g. IPv4, IPv6)
        − distributed database
        − local cache
     ⚫ DNS:
        − RFC 1034
        − RFC 1035

  5. Name Space Definition
     ⚫ Domain Name Space
        − tree structure (figure: the "unnamed root" at the top; top-level domains such as edu, gov, mil and no below it; e.g. uio and ruter under no, mn under uio)
        − nodes have a "label": 1 – 63 bytes
        − length of root node label = 0
        − nodes with a common parent must not have the same label

  6. Name Space Definition
     ⚫ Terminology
        − Domain Name
           ▪ dot-separated sequence of labels along the path in the name space tree, read from leaf to root
           ▪ e.g. mn.uio.no
        − Domain
           ▪ "A domain is identified by a domain name and consists of that part of the domain name space that is at or below the domain name which specifies the domain."
        − Subdomain
           ▪ "A domain is a subdomain of another domain if it is contained within that domain. This relationship can be tested by seeing if the subdomain's name ends with the containing domain's name. For example, A.B.C.D is a subdomain of B.C.D, C.D, D, and ""."

  7. Country Code TLDs (ccTLDs) Image Source: Wikipedia

  8. Generic TLDs (gTLDs)
     ⚫ "Classic" gTLDs:
        − .com (commercial)
        − .edu (educational)
        − .org (non-commercial)
        − .arpa (incl. the reserved domain for reverse lookup: in-addr.arpa)
     ⚫ "New" gTLDs:
        − since 2012: hundreds of gTLDs (e.g. 50 from Amazon, 50 from Google)
        − Examples: .google, .fun, .berlin, .nyc, .ストア, .書籍

  9. Name Space Definition
     ⚫ Zone concept
     (figure: the DNS tree with zone boundaries drawn around no, uio and the subtrees mn, jus and med under uio; mn is actually not an own zone, here just shown for the purpose of illustrating multiple zones inside an organization)

  10. Name Space Definition
     ⚫ Zone concept
        − A subtree of the DNS tree can be defined as a zone
        − A zone is managed by a single organization
        − A zone operates name servers which store information on:
           ▪ DNS names inside that zone ("authoritative information")
           ▪ Further zones "below" that zone ("glue records")
        − Example:
           ▪ NO zone
           ▪ Managed by Norid
           ▪ Manages all names inside the zone (e.g. www.nic.no)
           ▪ Contains information ("glue records") on all zones below the NO node (i.e. all .no domains)

  11. Name Space Definition
     ⚫ Responsible for the "no" TLD: UNINETT Norid

  12. Name Space Definition
     ⚫ Root name servers
        − Root zone name servers hold a list of names and IP addresses of the name servers for all top-level domains (TLDs).
        − TLD resolution requires using a root server to obtain the responsible authoritative server.
        − Currently (2019):
           ▪ 13 root name servers (with names in the form <letter>.root-servers.net, where <letter> ranges from A to M)
           ▪ operated by 12 independent root server operators
           ▪ 948 instances (http://root-servers.org/)

  13. (figure: map of root server instances) from http://root-servers.org/

  14. Name Resolution
     ⚫ Name Servers
        − Per zone: two name servers, "primary" and "secondary"
        − Name servers provide information per node of the related zone
           ▪ "authoritative data" for the "own" zone
           ▪ "glue data" for querying name servers of delegated subzones
        − Common data format (for storing and transmitting DNS data)
           ▪ Resource Records (RRs)

  15. Name Resolution
     ⚫ Resource Records (RRs)
        − common format: owner | type | class | TTL | rdata
           ▪ owner: domain name where the RR is found
           ▪ type: encoded 16 bit value that specifies the RR type, e.g.
              A      a host address
              CNAME  alias name ("canonical name")
              MX     identifies a mail exchange for the domain
              NS     authoritative name server for the domain
              SOA    identifies the start of a zone of authority
           ▪ class: encoded 16 bit value for a protocol family
              IN     the Internet system
              CH     the Chaos system

  16. Name Resolution
     ⚫ Resource Records (RRs)
        − common format: owner | type | class | TTL | rdata
           ▪ TTL: Time To Live, describes how long an RR can be cached before it should be discarded.
           ▪ RDATA: type and sometimes class dependent data, e.g. for the IN class:
              A      a 32 bit IP address
              MX     a 16 bit preference value followed by a host name willing to act as a mail exchange for the owner domain
              NS     a host name

  17. Name Resolution
     ⚫ Zone file sample 1

        $ORIGIN example.com.    ; names not ending in a trailing period (.)
                                ; are appended with example.com.
        $TTL 2d                 ; default ttl
        @       IN SOA   < some parameters >
                IN NS    dns1.example.com.
                IN NS    dns2.example.com.
                IN MX    10 mail.example.com.
                IN MX    20 mail2.example.com.
                IN A     10.0.1.5
        server1 IN A     10.0.1.5
        server2 IN A     10.0.1.7
        dns1    IN A     10.0.1.2
        dns2    IN A     10.0.1.3
        ftp     IN CNAME server1
        mail    IN CNAME server1
        mail2   IN CNAME server2
        www     IN CNAME server2

  18. Name Resolution
     ⚫ Zone file sample 2

        $ORIGIN example.com.
        $TTL 2d
        @       IN SOA   < some parameters >
                IN NS    ns1.example.com.
                IN NS    ns2.example.com.
                IN MX    10 mail.example.com.
        ns1     IN A     192.168.0.3
        ns2     IN A     192.168.0.4
        mail    IN A     192.168.0.5
        ...
        ; we define two name servers for the "us" sub-domain
        $ORIGIN us.example.com.
        @       IN NS    ns3.us.example.com.
                IN NS    ns1.example.com.
        ; sub-domain address records for name server only - glue record
        ns3     IN A     10.10.0.24
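The two zone-file samples rely on a few conventions (relative names get $ORIGIN appended, "@" stands for the origin, a blank owner field inherits the previous owner, ";" starts a comment). The following parser, added here as an example and not part of the lecture material, applies those rules to a constructed zone text modelled on sample 2 and returns fully qualified records.

```python
# Added example (not from the lecture slides): a minimal zone-file parser that
# applies $ORIGIN, $TTL, ';' comments, relative-name expansion, '@' as the origin
# and blank-owner inheritance. The zone text below is constructed for this example.
ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 2d                 ; default ttl
@       IN SOA  ns1.example.com. hostmaster.example.com. 2019031401 7200 3600 1209600 3600
        IN NS   ns1.example.com.
        IN MX   10 mail
ns1     IN A    192.168.0.3
mail    IN A    192.168.0.5
www     IN CNAME mail
; we define two name servers for the "us" sub-domain
$ORIGIN us.example.com.
@       IN NS   ns3.us.example.com.
        IN NS   ns1.example.com.
ns3     IN A    10.10.0.24      ; glue record
"""

def fqdn(name, origin):
    # '@' is the origin; names ending in '.' are absolute; others get the origin appended
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return a list of (owner, ttl, class, type, rdata) tuples with absolute names."""
    origin, default_ttl, last_owner, records = ".", None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):            # later names are relative to this
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = line.split()[1]
            continue
        fields = line.split()
        if line[0].isspace():                     # blank owner: inherit previous owner
            owner = last_owner
        else:
            owner = last_owner = fqdn(fields.pop(0), origin)
        rclass, rtype, rdata = fields[0], fields[1], fields[2:]
        if rtype in ("NS", "CNAME"):              # rdata is a name: make it absolute too
            rdata = [fqdn(rdata[0], origin)]
        elif rtype == "MX":                       # preference followed by a host name
            rdata = [rdata[0], fqdn(rdata[1], origin)]
        records.append((owner, default_ttl, rclass, rtype, " ".join(rdata)))
    return records
```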

  19. DNS Services and Protocol
     ⚫ Name resolution interactions
     (figure: the Application calls gethostbyname on the Resolver (Client), which has a Cache and speaks the DNS protocol to the Primary Name Server; the Secondary Name Server receives a zone transfer from the primary; both name servers contact other name servers)

  20. DNS Services and Protocol
     ⚫ Resolution
        − Client request: recursive resolution, i.e. let the name server scan other name servers and return a complete response
        − Name server to name server request: iterative resolution, i.e. the name server collects (partial) responses from other name servers

  21. DNS Services and Protocol
     ⚫ Name resolution interactions
     (figure: resolving http://www.mn.uio.no/ – the Application asks the Resolver (Client), which sends a recursive query to its Name Server; that Name Server, starting from its list of root name servers, queries iteratively ① the root Name Server, ② the no Name Server, ③ the uio Name Server, ④ the mn Name Server)

  22. DNS Caching
     ⚫ Forwarding every request to the authoritative server would produce a large amount of traffic
     ⚫ Every DNS resolver stores DNS responses in a local cache
     ⚫ Subsequent requests for the same resource will be answered from the cache
     ⚫ Entry is erased from the cache after expiration of the TTL
     (figure: Name Server with cache table, next to the mn Name Server)
        Name            IP               Expires
        ...             ...              ...
        www.mn.uio.no   129.240.118.130  2019-03-14 12:45:06
        ...             ...              ...

  23. DNS Service and Protocol
     ⚫ DNS protocol
        − Query/Answer protocol
        − port 53
        − TCP or UDP (UDP most common)

  24. DNS Service and Protocol

  25. Other Resource Records
     ⚫ TXT:
        − Arbitrary text
        − Typical usage:
           ▪ spam interception (see chapter "email")
           ▪ Domain verification (e.g. certificate registration, some enterprise services)
        − Example:
           uio.no. 43200 IN TXT "v=spf1 mx ip4:129.240.10.0/25 include:spf.uio.no ?all"
           uio.no. 43200 IN TXT "google-site-verification=cDsrExFpfrxrzZukaw2Pyi4J7nQ4Y"
           uio.no. 43200 IN TXT "dropbox-domain-verification=eovcv1nrw2n5"
           uio.no. 43200 IN TXT "University of Oslo, Norway"
     ⚫ PTR:
        − Reverse lookup: IP address to DNS name

  26. Security in DNS: Integrity and Authenticity

  27. DNS Cache Poisoning
     (figure: the Client, maybe also the attacker, asks the victim DNS server "www.evil.net?"; the victim asks the DNS server for evil.net, run by the attacker, "IP address for www.evil.net?"; the attacker's server answers "www.evil.net: 10.1.2.4" together with the unrequested record "www.example.org: 10.1.2.3"; the victim's cache then holds:)
        Name             IP        Expires
        ...              ...       ...
        www.example.org  10.1.2.3  2019-03-14 12:45:06
        ...              ...       ...

  28. DNS Cache Poisoning
     ⚫ Attack result:
        − The legitimate DNS server stores the (wrong) IP address for example.org until the TTL has expired
        − A DNS request for example.org to this DNS server returns the wrong IP address
        − The client accesses the attacker's server
     ⚫ Obstacle for this attack:
        − The attacker must wait for a request for evil.net
     ⚫ Countermeasure:
        − The DNS resolver accepts only responses for requested names + siblings (e.g. request example.org, response www.example.org)

  29. DNS Cache Poisoning
     (figure: the Client, here the attacker, asks the victim DNS server "www.example.com ?"; the victim asks the DNS server A for example.com "IP address for www.example.com ?"; the attacker sends the response "www.example.com: 10.1.2.3" using the source IP address of A (IP spoofing); the genuine response "www.example.com: 10.9.8.7" from A arrives too late)

  30. DNS Cache Poisoning
     ⚫ Countermeasure:
        − Query ID
           ▪ request and response must have the same transaction ID

  31. DNS Cache Poisoning
     (figure: the same exchange as on slide 29; the attacker's response "www.example.com: 10.1.2.3" must have the same transaction ID as the victim's query "IP address for www.example.com ?" to be accepted; the DNS server for example.com answers "www.example.com: 10.9.8.7")
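Slides 27/28 and 30/31 describe two checks a resolver applies before caching a response: the records must belong to the requested name's domain, and the transaction ID must match an outstanding query. The toy resolver cache below is an added example, not part of the lecture material; it simplifies the bailiwick rule to "the requested name or a name below it" (real resolvers use the zone of the server that was queried) and replays the two scenarios from the slides with constructed records.

```python
# Added example (not from the lecture slides): a toy resolver cache that applies
# the two countermeasures from the slides before caching anything: the response
# must carry the transaction ID of an outstanding query, and every record must be
# inside the requested name's domain (bailiwick check, simplified here to
# "the requested name or a name below it").
import random, time

class Resolver:
    def __init__(self):
        self.cache = {}      # name -> (ip, expires)
        self.pending = {}    # txid -> queried name

    def send_query(self, qname):
        """Register an outstanding query; the unpredictable ID is what a spoofer must guess."""
        txid = random.randrange(1 << 16)
        self.pending[txid] = qname.lower().rstrip(".")
        return txid

    @staticmethod
    def in_bailiwick(name, qname):
        name = name.lower().rstrip(".")
        return name == qname or name.endswith("." + qname)

    def receive_response(self, txid, answers, now=None):
        """answers: list of (name, ip, ttl). Returns the names that were actually cached."""
        qname = self.pending.get(txid)
        if qname is None:                 # unknown/mismatched ID: drop (e.g. a spoofed response)
            return []
        now = time.time() if now is None else now
        cached = []
        for name, ip, ttl in answers:
            if not self.in_bailiwick(name, qname):   # e.g. injected www.example.org record
                continue
            key = name.lower().rstrip(".")
            self.cache[key] = (ip, now + ttl)        # entry expires after TTL
            cached.append(key)
        if cached:
            del self.pending[txid]        # an accepted answer completes the query
        return cached

    def lookup(self, name, now=None):
        now = time.time() if now is None else now
        key = name.lower().rstrip(".")
        entry = self.cache.get(key)
        if entry and entry[1] > now:
            return entry[0]
        self.cache.pop(key, None)         # expired (or absent): nothing to answer from cache
        return None
```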
