DNS Security Flashcards
1
Q
Domain definition
A
Logical part of the Internet with a globally unique name
2
Q
Subdomain definition
A
A domain with a name below other domain in the DNS hierarchy
3
Q
Zone definition
A
- Parts of a domain under one authority
- Excluding subdomains under some other authority
- “Authority” is usually a registry or large organization
4
Q
DNS Records - Common Format
A
- Name
- Type
- Class
- Time to Live (TTL)
5
Q
DNS Cache Poisoning
A
- Attacker feeds forged values into a DNS cache
-> Compromises authenticity of records in cache - impersonation of an authoritative name server using poisoned infrastructure data or of a service in the target domain
6
Q
Bailiwick Rule
A
- Countermeasure against DNS Cache Poisoning
- Resolvers must discard records with names that are not equal to or a a subdomain of the NS owner name from the last referral
- ”.”: May pass records with any owner name
- “org.”: May only pass records in the “org.” domain
- “example.org”: May only pass records in the “example.org” domain
7
Q
MITM DNS Cache Poisoning
A
- Attack on recursive resolvers on the Internet
-> e.g. via BGP Prefix Hijacking
-> Commonly requires a well-funded attacker - Attack on stub resolvers in the local network
-> e.g. using known attack vectors (ARP cache poisoning) - Or in open WLAN (not a proper MITM but still very capable)
- Requires little resources and works with common soft- and hardware
8
Q
MITM DNS Cache Poisoning Countermeasures: DNSSEC
A
- DNSSEC:
-> protects RRsets using cryptographic signatures (authentication of data origin)
-> construction of a chain of trust in the DNS tree
-> Does not provide confidentiality and only limited availability
9
Q
DNSSEC Downsides
A
- response size increases considerably
- increased administrative overhead
- both server and client need to support it
- only experimental support in stub resolvers and forwarders
- slow rate of adoption
10
Q
MITM DNS Cache Poisoning Countermeasures: DoH/DoT
A
- DoT: DNS over TLS: Secure transport of DNS messages via TLS or DTLS
- DoH: DNS over HTTPS: Secure Transport of DNS messages via HTTPS (oftentimes directly from a browser)
- Both:
-> provide secure transport (data confidentiality, limited integrity, authenticity of endpoints)
-> Suitable to secure communication between stub resolvers and forwarders/recursive resolvers (too slow for iterative resolution)
-> Do not provide authenticity of data
-> Relatively young standard
11
Q
Off-Path DNS Cache Poisoning
A
- Attacker needs to guess the correct 16 bit transaction ID in the DNS header
- 16 bit UDP destination port in the spoofed response must be equal to the UDP source port from the request by the resolver at the NS
12
Q
Off-Path DNS Cache Poisoning Kaminsky’s Attack: Attack procedure
A
- Send a request for “[nonce].vict.im IN A?” to the resolver
- Spoof responses following the above format from the victim NS IP
-> Send multiple, each with a different transaction ID - If unsuccessful, go to 1
13
Q
Off-Path DNS Cache Poisoning Kaminsky’s Attack: Countermeasures
A
- Randomization of the UDP source port
- Proper randomization of the transaction ID
-> Not practically guessable with the common bandwiths in the near future
-> Challenge-response mechanism, using a 32 bit random number
14
Q
DNS: Fragmentation attack
A
- Applicability:
-> Attacker can pre-implant second fragment
-> IPID not always predictable
-> Fragmentation: Not all NS respond to ICMP, not all resolvers accept fragments - Mitigations:
-> Proper random IPID allocation at NS
-> Raising minimum fragment sizes emitted by name servers to >512 bytes
-> Raising minimum fragment sizes accepted at resolvers - Countermeasures: DNSSEC
15
Q
DNS Tunneling
A
- Covert (verstecken) transmission of arbitrary data via DNS communication
- Exfiltration of stolen data from a compromised network
- Circumvention of firewalls and blocked networks
- Covert communication of bots with their bot master
- How it works:
-> The attacker sets up a domain and authoritative NS as end point
-> a malicious client encodes data in queried names
-> resolvers pass these data to the authoritative server and deliver responses back to the client
16
Q
DNS Tunneling: Prevention
A
- Queried names are oftentimes suspicious
- Uncommonly much DNS traffic to one or few domains
- Individual systems causing uncommonly much DNS traffic
-> Can be countered by firewalls/IDS with anomaly detection
17
Q
DNS Amplification DDoS
A
- Reflection: attacker system sends DNS requests with spoofed victim IP address to a multitude of servers
- Amplification: Responses to the victim are much larger than their requests
- Attack traffic volume overloads the infrastructure of the victim system
18
Q
DNS Amplification DDoS - Mitigations
A
- As victim:
-> create capacity reserves at nets and systems yourself
-> use specialized transit services with strong infrastructure - As an abused DNS service:
-> minimize response size to keep the amplification factor low
-> hard to achieve, esp. when using DNSSEC - Against the attacker:
-> Filtering packets with spoofed sender address in the origin networks
-> Botnet takedown
19
Q
Sender Policy Framework
A
- Purpose: Prevent reception of unauthorized mail from a sender domain
- How it works:
-> Domain operator specifies what systems are allowed to send mail from this domain
-> Receiving mail server fetches this record upon receiving mail
-> Reception is denied if the sender system is not authorized by that - Caveats:
-> Not that often used in commercial context to not block legitimate mail - Uses the DNS (depends on its security)
20
Q
DNS Sinkholing
A
Detection and prevention of communication to malicious domains by redirecting an IP traffic for blacklisted domains using a firewall/IPS
