DNS Security Flashcards
Domain definition
Logical part of the Internet with a globally unique name
Subdomain definition
A domain whose name lies below another domain in the DNS hierarchy
Zone definition
- Parts of a domain under one authority
- Excluding subdomains under some other authority
- “Authority” is usually a registry or large organization
DNS Records - Common Format
- Name
- Type
- Class
- Time to Live (TTL)
DNS Cache Poisoning
- Attacker feeds forged values into a DNS cache
-> Compromises the authenticity of records in the cache
-> Enables impersonation of an authoritative name server (using poisoned infrastructure data) or of a service in the target domain
Bailiwick Rule
- Countermeasure against DNS Cache Poisoning
- Resolvers must discard records whose names are not equal to, or a subdomain of, the NS owner name from the last referral
- ”.”: May pass records with any owner name
- “org.”: May only pass records in the “org.” domain
- “example.org”: May only pass records in the “example.org” domain
MITM DNS Cache Poisoning
- Attack on recursive resolvers on the Internet
-> e.g. via BGP prefix hijacking
-> Commonly requires a well-funded attacker
- Attack on stub resolvers in the local network
-> e.g. using known attack vectors (ARP cache poisoning)
-> Or in an open WLAN (not a proper MITM, but still very capable)
-> Requires few resources and works with common software and hardware
MITM DNS Cache Poisoning Countermeasures: DNSSEC
- DNSSEC:
-> protects RRsets using cryptographic signatures (authentication of data origin)
-> construction of a chain of trust in the DNS tree
-> Does not provide confidentiality and only limited availability
DNSSEC Downsides
- response size increases considerably
- increased administrative overhead
- both server and client need to support it
- only experimental support in stub resolvers and forwarders
- slow rate of adoption
MITM DNS Cache Poisoning Countermeasures: DoH/DoT
- DoT: DNS over TLS: Secure transport of DNS messages via TLS or DTLS
- DoH: DNS over HTTPS: Secure Transport of DNS messages via HTTPS (oftentimes directly from a browser)
- Both:
-> provide secure transport (data confidentiality, limited integrity, authenticity of endpoints)
-> Suitable to secure communication between stub resolvers and forwarders/recursive resolvers (too slow for iterative resolution)
-> Do not provide authenticity of data
-> Relatively young standard
Off-Path DNS Cache Poisoning
- Attacker needs to guess the correct 16-bit transaction ID in the DNS header
- The 16-bit UDP destination port in the spoofed response must equal the UDP source port the resolver used for its request to the NS
Off-Path DNS Cache Poisoning Kaminsky’s Attack: Attack procedure
- Send a request for “[nonce].vict.im IN A?” to the resolver
- Spoof responses following the above format from the victim NS IP
-> Send multiple, each with a different transaction ID
- If unsuccessful, repeat from the first step
Off-Path DNS Cache Poisoning Kaminsky’s Attack: Countermeasures
- Randomization of the UDP source port
- Proper randomization of the transaction ID
-> Not practically guessable with the common bandwidths in the near future
-> Challenge-response mechanism, using a 32 bit random number
DNS: Fragmentation attack
- Applicability:
-> Attacker must be able to pre-implant the second fragment
-> IPID not always predictable
-> Fragmentation: not all NS respond to ICMP, not all resolvers accept fragments
- Mitigations:
-> Proper random IPID allocation at the NS
-> Raising minimum fragment sizes emitted by name servers to >512 bytes
-> Raising minimum fragment sizes accepted at resolvers
- Countermeasure: DNSSEC
DNS Tunneling
- Covert (hidden) transmission of arbitrary data via DNS communication
- Exfiltration of stolen data from a compromised network
- Circumvention of firewalls and blocked networks
- Covert communication of bots with their bot master
- How it works:
-> The attacker sets up a domain and authoritative NS as end point
-> a malicious client encodes data in queried names
-> resolvers pass these data to the authoritative server and deliver responses back to the client
DNS Tunneling: Prevention
- Queried names are often suspicious (long, high-entropy labels)
- Unusually large amounts of DNS traffic to one or a few domains
- Individual systems causing unusually large amounts of DNS traffic
-> Can be countered by firewalls/IDS with anomaly detection
DNS Amplification DDoS
- Reflection: attacker system sends DNS requests with spoofed victim IP address to a multitude of servers
- Amplification: Responses to the victim are much larger than their requests
- Attack traffic volume overloads the infrastructure of the victim system
DNS Amplification DDoS - Mitigations
- As the victim:
-> Create capacity reserves in your own networks and systems
-> Use specialized transit services with strong infrastructure
- As an abused DNS service:
-> Minimize response size to keep the amplification factor low
-> Hard to achieve, especially when using DNSSEC
- Against the attacker:
-> Filtering packets with spoofed sender addresses in the origin networks
-> Botnet takedown
Sender Policy Framework
- Purpose: Prevent reception of unauthorized mail from a sender domain
- How it works:
-> The domain operator specifies which systems are allowed to send mail for this domain
-> The receiving mail server fetches this record upon receiving mail
-> Reception is denied if the sending system is not authorized by that record
- Caveats:
-> Often not enforced strictly in commercial contexts, to avoid blocking legitimate mail
-> Uses the DNS (depends on its security)
DNS Sinkholing
Detection and prevention of communication with malicious domains by redirecting IP traffic for blacklisted domains using a firewall/IPS