DNS Flashcards

1
Q

Difference Authoritative and Cache/Recursive Resolver

A

Slide 07-27

2
Q

DNS Hierarchy

A

Root: .
TLD: com, de, net
SLD: google, ethz

3
Q

DNS Protocol

A

Client-server protocol operating on TCP/UDP port 53; no encryption, authentication, or integrity
–> DNSSec

4
Q

Name Server

A

Server that maps names to objects

  • authoritative: server is authoritative for specific zone (ethz)
  • caching/resolver: server resolves domains recursively, caches results
5
Q

DNS resolution process

A
  1. client stub asks its resolver (typically ns of ISP)
  2. resolver asks root server –> gives ns for top level domain (.ch)
  3. resolver asks ns for TLD –> authoritative ns
  4. resolver asks auth. ns –> ip, or error
  5. resolver caches result.
6
Q

Domain name registrar

A

Organization that manages the reservation of second-level domain names (SLD) below a given TLD

7
Q

Distributed reflection

A

–> DDoS on victim
DNS over UDP (fire and forget) generate DNS query with spoofed IP of the victim.
ANY request generates much larger answer than request
Mitigation: Source IP verification, response rate limiting, close open resolvers

8
Q

DNS Spoofing

A
  • DNS request is authenticated only by the TXID, which is not encrypted and can be predictable
  • attacker sniffs or predicts TXID and replies before the legitimate DNS resolves the request
  • A is first: no resolution necessary, can slow down legitimate DNS
9
Q

Cache poisoning

A

Bad authoritative name server adds resolution entries for another domain, not originally asked for, in the additional section. Resolver caches the entries.

10
Q

Domain Hijacking

A

compromise domain registrar and change registration entries

11
Q

Network attack

A
  • Local host: compromise local hosts file of machine -> e.g. disable antivirus systems
  • WAN: attack poorly protected client router
  • Attack DHCP exchange in local network: after client broadcasts DHCP discover, answer before the legitimate DHCP server with compromised DNS
12
Q

Botnet control

A
  • IP Flux: The FQDN of the CnC host has multiple IP addresses assigned
  • Domain Flux: frequent change of multiple FQDN, domains registered with domain generation algorithm
13
Q

DNS tunneling

A

use DNS as a communication channel to bypass firewalls

-> data exfiltration and hidden communication

14
Q

Phantom domain attack

A

phantom domains are set up as part of the attack; these domains do not resolve or their replies are very slow
-> degradation of server performance due to number of outstanding queries

15
Q

DNSSec

A

RRSig: signature for record set. Resolvers verify signature with public key stored in DNSKEY record.
DS: glues the chain to parent server
ISSUES:
- Amplification attacks easier
- depending on where validation takes place, the connection up to that point is still not secure
- technical and political worries of how to manage master keys

16
Q

Mitigation of distributed reflection attack

A

Host the service at different locations on the Internet; hard for the attacker to target all possible locations

17
Q

countermeasures against malicious local NS resolver

A
  • use own hardcoded DNS server
  • DoH
  • DNSSec
  • VPN tunneling traffic to secure endpoint
18
Q

DoH

A

Send DNS over HTTPS to prevent eavesdropping and manipulation of requests