DNS Security Flashcards

1
Q

Domain definition

A

Logical part of the Internet with a globally unique name

2
Q

Subdomain definition

A

A domain whose name lies below another domain in the DNS hierarchy (e.g. www.example.org is a subdomain of example.org)

3
Q

Zone definition

A
  • The part of a domain that is under one administrative authority
  • Excluding those subdomains that have been delegated to some other authority
  • "Authority" is typically a registry (for TLD zones) or an organization operating its own name servers
4
Q

DNS Records - Common Format

A
  • Name (owner name)
  • Type (e.g. A, AAAA, NS, MX, TXT)
  • Class (practically always IN)
  • Time to Live (TTL): how long a cache may keep the record
  • Resource data (RDATA), preceded in wire format by its length (RDLENGTH)
5
Q

DNS Cache Poisoning

A
  • Attacker feeds forged records into a resolver's cache
    -> Compromises the authenticity of the cached records for as long as their TTL lasts
  • Enables impersonation of an authoritative name server (via poisoned infrastructure data such as NS records and glue, which poisons a whole zone) or of an individual service in the target domain
6
Q

Bailiwick Rule

A
  • Countermeasure against DNS cache poisoning via unrelated records smuggled into a response
  • Resolvers must discard records whose owner name is not equal to, or a subdomain of, the NS owner name from the last referral (the "bailiwick")
  • Referral from ".": may pass records with any owner name
  • Referral from "org.": may only pass records in the "org." domain
  • Referral from "example.org.": may only pass records in the "example.org." domain
  • Only limits what a response may carry; it does not stop an attacker from forging an in-bailiwick response (cf. Kaminsky's attack)
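Worked example for the two cards on the record format and the bailiwick rule (added here, not code from the original flashcards): it parses the resource records of a hand-constructed wire-format response and then drops every record outside the bailiwick. The response, the names (example.org, ns.victim.test) and the addresses are constructed for the example; the out-of-bailiwick additional record stands for what a poisoning attempt would try to smuggle into the cache.

```python
"""Parse the resource records of a DNS response and apply the bailiwick rule.

Added example; not code from the original page. RESPONSE is a hand-constructed
message: the A record for www.example.org that the example.org name servers were
asked for, plus an additional record for ns.victim.test that a poisoning attempt
would try to slip in. All names and addresses are example values.
"""
import struct


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, next_off, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            if not jumped:
                next_off = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (next_off if jumped else off)


def parse_rr(msg: bytes, off: int):
    """Decode one resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    name, off = parse_name(msg, off)
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
          "rdata": msg[off:off + rdlength]}
    return rr, off + rdlength


def parse_response(msg: bytes):
    """Return the answer/authority/additional sections as lists of records."""
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qdcount):          # skip the question section
        _, off = parse_name(msg, off)
        off += 4                      # QTYPE + QCLASS
    sections = {}
    for section, count in (("answer", ancount), ("authority", nscount),
                           ("additional", arcount)):
        records = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            records.append(rr)
        sections[section] = records
    return sections


def in_bailiwick(owner: str, zone: str) -> bool:
    """Owner name equal to, or a subdomain of, the zone the referral came from."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":
        return True                   # referral from the root: any owner name passes
    return owner == zone or owner.endswith("." + zone)


def filter_bailiwick(sections, zone):
    """Drop every record whose owner name lies outside the bailiwick."""
    kept, dropped = {}, []
    for section, records in sections.items():
        kept[section] = [rr for rr in records if in_bailiwick(rr["name"], zone)]
        dropped += [rr for rr in records if not in_bailiwick(rr["name"], zone)]
    return kept, dropped


# Constructed response: ID 0x1234, flags 0x8180 (standard response, RD+RA),
# QDCOUNT 1, ANCOUNT 1, NSCOUNT 0, ARCOUNT 1.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
QUESTION = encode_name("www.example.org") + struct.pack("!HH", 1, 1)   # A IN
ANSWER = (b"\xc0\x0c"                                # pointer to the question name
          + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
POISON = (encode_name("ns.victim.test")              # owner name out of bailiwick
          + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes([10, 0, 0, 1]))
RESPONSE = HEADER + QUESTION + ANSWER + POISON

if __name__ == "__main__":
    kept, dropped = filter_bailiwick(parse_response(RESPONSE), "example.org")
    print("kept:", kept)
    print("dropped:", [rr["name"] for rr in dropped])
```

Note that the filter only decides by owner name: a forged response whose records all sit inside example.org passes untouched, which is exactly the gap the later cards on off-path poisoning exploit.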
7
Q

MITM DNS Cache Poisoning

A
  • Attack on recursive resolvers on the Internet
    -> e.g. by rerouting the traffic between resolver and authoritative NS via BGP prefix hijacking
    -> Usually requires a well-funded attacker
  • Attack on stub resolvers in the local network
    -> e.g. via known attack vectors such as ARP cache poisoning
    -> or in an open WLAN (not a proper MITM, but the attacker sees every query and can race the genuine response)
    -> Requires few resources and works with commodity software and hardware
8
Q

MITM DNS Cache Poisoning Countermeasures: DNSSEC

A
  • DNSSEC:
    -> protects RRsets with cryptographic signatures (RRSIG records): data origin authentication and integrity
    -> builds a chain of trust down the DNS tree from the root, with DS records linking parent and child zone
    -> provides no confidentiality, and availability only to a limited degree
9
Q

DNSSEC Downsides

A
  • response sizes increase considerably (more fragmentation, more amplification potential)
  • increased administrative overhead (key management, re-signing, key rollovers)
  • both authoritative servers and validating resolvers need to support it
  • only experimental support in stub resolvers and forwarders, so the last hop to the client is usually unprotected
  • slow rate of adoption
10
Q

MITM DNS Cache Poisoning Countermeasures: DoH/DoT

A
  • DoT: DNS over TLS: transport of DNS messages over TLS (RFC 7858; a DTLS variant exists as an experimental specification)
  • DoH: DNS over HTTPS: transport of DNS messages over HTTPS (RFC 8484; often used directly by a browser, bypassing the OS resolver)
  • Both:
    -> provide a secure transport: confidentiality, integrity of the transport (not of the data) and authenticity of the endpoint, i.e. of the resolver
    -> suitable for securing the hop between stub resolvers and forwarders/recursive resolvers (connection setup is too costly for iterative resolution)
    -> do not provide authenticity of the DNS data: a compromised or lying resolver goes unnoticed (that is what DNSSEC is for)
    -> relatively young standards
11
Q

Off-Path DNS Cache Poisoning

A
  • The attacker cannot see the resolver's query, so the spoofed response must guess the correct 16-bit transaction ID in the DNS header
  • The 16-bit UDP destination port in the spoofed response must equal the UDP source port the resolver used for its request to the NS (historically a fixed port, often 53)
  • The spoofed response must also arrive before the genuine one; otherwise the resolver caches the real answer and further attempts have to wait for its TTL to expire
12
Q

Off-Path DNS Cache Poisoning Kaminsky’s Attack: Attack procedure

A
  1. Send a request for "[nonce].vict.im IN A?" to the resolver (a random, uncached name, so the resolver has to query the victim's NS every time)
  2. Spoof responses to that query with the source IP of the victim's authoritative NS; each carries an NS record (plus glue) in the authority/additional section that delegates vict.im to an attacker-controlled server
    -> Send many, each with a different transaction ID
  3. If unsuccessful, go to 1 with a fresh nonce; nothing useful got cached, so no TTL has to expire first
13
Q

Off-Path DNS Cache Poisoning Kaminsky’s Attack: Countermeasures

A
  • Randomization of the UDP source port for every query
  • Proper randomization of the transaction ID
    -> together about 32 bits of entropy per query, not practically guessable with common bandwidths in the near future (cf. RFC 5452)
    -> effectively a challenge-response mechanism using a 32-bit random number
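Toy simulation of the three cards on off-path poisoning (added here, not code from the original flashcards): a minimal resolver model tags each query with a 16-bit transaction ID and a UDP source port and accepts the first response that matches; the attacker follows Kaminsky's nonce-name loop with a fixed budget of spoofed responses per round. Running it once with a fixed port 53 and once with a randomized port shows why the second countermeasure matters. The resolver model, the attacker budget, the zone vict.im and the server name ns.attacker.test are all assumptions made for the example.

```python
"""Toy model of Kaminsky's off-path cache poisoning, with and without source port randomization.

Added example; not code from the original page. The resolver is deliberately
minimal: one outstanding query, a 16-bit transaction ID, a UDP source port, and
the first matching response wins. The attacker's bandwidth is modelled as a fixed
number of spoofed responses per round. Names are placeholders.
"""
import random


class ToyResolver:
    def __init__(self, rng, randomize_port):
        self.rng = rng
        self.randomize_port = randomize_port
        self.cache = {}       # name -> cached data (here: the NS name for a zone)
        self.pending = None   # (qname, txid, source port) of the outstanding query

    def send_query(self, qname):
        txid = self.rng.randrange(1 << 16)
        sport = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        self.pending = (qname, txid, sport)

    def receive(self, qname, txid, dport, authority):
        """Accept a response only if (qname, txid, dport) match the pending query."""
        if self.pending is None or self.pending != (qname, txid, dport):
            return False
        # Kaminsky's trick: the poison is the delegation (NS/glue) for the whole
        # zone, carried in the authority/additional section of an in-bailiwick
        # response for a throw-away name.
        self.cache.update(authority)
        self.pending = None
        return True

    def genuine_answer(self):
        """The real name server's response arrives; it carries nothing harmful."""
        self.pending = None


def kaminsky_attack(resolver, rng, zone, poison_ns, guesses_per_round, max_rounds):
    """Return the round in which poisoning succeeded, or None."""
    for rnd in range(1, max_rounds + 1):
        # 1. Ask for a nonce name: it is never cached, so each round forces a
        #    fresh query to the victim's name server.
        nonce_name = f"{rng.getrandbits(32):08x}.{zone}"
        resolver.send_query(nonce_name)
        # 2. Flood spoofed responses, each with a different transaction ID.
        #    A fixed port 53 is known to the attacker; a randomized port has to
        #    be guessed as well, so the search space grows from 2^16 to 2^32.
        start = rng.randrange(1 << 16)
        for i in range(guesses_per_round):
            txid = (start + i) & 0xFFFF
            dport = rng.randrange(1024, 1 << 16) if resolver.randomize_port else 53
            if resolver.receive(nonce_name, txid, dport, {zone: poison_ns}):
                return rnd
        # 3. No guess matched before the genuine answer: nothing got poisoned and
        #    nothing got cached for the zone, so simply try again with a new nonce.
        resolver.genuine_answer()
    return None


def expected_rounds(entropy_bits, guesses_per_round):
    """Mean number of rounds until a hit when each round tries distinct guesses."""
    return (1 << entropy_bits) / guesses_per_round


def run(randomize_port, seed=7, guesses_per_round=2000, max_rounds=500):
    """Run one attack; return (round of success or None, cached NS for the zone)."""
    rng = random.Random(seed)
    resolver = ToyResolver(rng, randomize_port)
    rounds = kaminsky_attack(resolver, rng, "vict.im", "ns.attacker.test",
                             guesses_per_round, max_rounds)
    return rounds, resolver.cache.get("vict.im")


if __name__ == "__main__":
    print("fixed port 53:", run(randomize_port=False))
    print("random port:  ", run(randomize_port=True))
    print("expected rounds, 16 bits:", expected_rounds(16, 2000))
    print("expected rounds, 32 bits:", expected_rounds(32, 2000))
```

With 2000 spoofed responses per round the fixed-port resolver falls within a few dozen rounds on average (2^16 / 2000 is about 33), while the port-randomizing resolver would need on the order of two million rounds; the model ignores timing, bailiwick checks and the 0x20 case-randomization trick, all of which only make the attacker's life harder.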
14
Q

DNS: Fragmentation attack

A
  • Idea: the attacker pre-implants a forged second fragment of the NS's response in the resolver's reassembly buffer; the genuine first fragment supplies the transaction ID and port, so they need not be guessed
  • Applicability:
    -> attacker must be able to make the NS fragment its response (e.g. via a spoofed ICMP "fragmentation needed" message) and must predict the IPID of that response
    -> IPID is not always predictable
    -> not all NS respond to ICMP, not all resolvers accept fragments
  • Mitigations:
    -> proper random IPID allocation at the NS
    -> raising the minimum fragment size emitted by name servers to >512 bytes, so typical responses are not fragmented at all
    -> raising the minimum fragment size accepted at resolvers
  • Countermeasure: DNSSEC (signature validation fails for the forged reassembled response)
15
Q

DNS Tunneling

A
  • Covert transmission of arbitrary data inside DNS messages
  • Exfiltration of stolen data from a compromised network
  • Circumvention of firewalls and blocked networks (DNS is almost always allowed through)
  • Covert communication of bots with their botmaster
  • How it works:
    -> the attacker registers a domain and runs its authoritative NS as the tunnel endpoint
    -> a malicious client encodes outbound data in the queried names (e.g. encoded labels below that domain)
    -> resolvers forward these queries to the authoritative server, which encodes the return data in its responses (e.g. TXT records) that the resolvers deliver back to the client
16
Q

DNS Tunneling: Prevention

A
  • Queried names are often conspicuous (long, high-entropy labels, unusual record types such as TXT or NULL)
  • Unusually much DNS traffic towards one or a few domains
  • Individual systems generating unusually much DNS traffic
    -> Can be detected by firewalls/IDS with anomaly detection, and countered by blocking the domain and forcing clients through a monitored internal resolver
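The three signals on this card, turned into a small detector over constructed query logs (added here, not code from the original flashcards). The log lines, the client addresses, the tunnel domain tun.attacker.test and the thresholds are all made up for the example; the tunnel queries are generated by hashing a counter so the script runs offline and deterministically.

```python
"""Heuristic DNS tunnelling detector run over constructed query logs.

Added example; not code from the original page. The log lines are constructed:
a handful of ordinary lookups plus a burst of TXT queries from 10.0.0.9 whose
first label carries base32-encoded data for the placeholder tunnel domain
tun.attacker.test. Thresholds are illustrative starting points, not tuned values.
"""
import base64
import hashlib
import math
from collections import Counter

# Constructed log format: "<time> <client> <qname> <qtype>"
BENIGN_LINES = [
    "12:00:01 10.0.0.5 www.example.org. A",
    "12:00:02 10.0.0.5 mail.example.org. MX",
    "12:00:03 10.0.0.5 cdn.example.net. A",
    "12:00:04 10.0.0.7 sso.example.com. A",
]


def make_tunnel_queries(count, client="10.0.0.9", domain="tun.attacker.test."):
    """Emulate a tunnel client: each query name carries one chunk of encoded data."""
    lines = []
    for i in range(count):
        chunk = hashlib.sha256(f"chunk-{i}".encode()).digest()   # stands in for payload bytes
        label = base64.b32encode(chunk).decode().rstrip("=").lower()  # 52-char label
        lines.append(f"12:01:{i % 60:02d} {client} {label}.{domain} TXT")
    return lines


LOG_LINES = BENIGN_LINES + make_tunnel_queries(40)


def shannon_entropy(s):
    """Bits per character; random base32/base64 text scores high, real words low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def base_domain(qname):
    """Naive registrable domain: last two labels (a public-suffix list would be better)."""
    return ".".join(qname.rstrip(".").split(".")[-2:]) + "."


def analyze(lines, max_label_len=20, min_entropy=3.5, domain_max=20, client_max=30):
    """Apply the three signals: odd names, heavy domains, heavy clients."""
    per_domain, per_client, suspicious = Counter(), Counter(), []
    for line in lines:
        _time, client, qname, qtype = line.split()
        per_domain[base_domain(qname)] += 1
        per_client[client] += 1
        first = qname.split(".")[0]
        if len(first) >= max_label_len and shannon_entropy(first) >= min_entropy:
            suspicious.append((client, qname, qtype))
    return {
        "suspicious_names": suspicious,
        "heavy_domains": sorted(d for d, n in per_domain.items() if n > domain_max),
        "heavy_clients": sorted(c for c, n in per_client.items() if n > client_max),
    }


if __name__ == "__main__":
    result = analyze(LOG_LINES)
    print(len(result["suspicious_names"]), "suspicious names")
    print("heavy domains:", result["heavy_domains"])
    print("heavy clients:", result["heavy_clients"])
```

In practice the per-domain and per-client counters would run over a sliding time window, and the entropy test needs an allow-list for legitimate high-entropy names (CDN hostnames, anti-virus lookups, DNS-based blocklists), which is where the false positives of this kind of detector come from.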
17
Q

DNS Amplification DDoS

A
  • Reflection: the attacker sends DNS requests with the victim's IP address as spoofed source to a multitude of (open) resolvers or name servers
  • Amplification: the responses sent to the victim are much larger than the requests that triggered them (e.g. ANY queries or DNSSEC-signed responses)
  • The attack traffic volume overloads the victim's network and systems
18
Q

DNS Amplification DDoS - Mitigations

A
  • As the victim:
    -> provision spare capacity in your own networks and systems
    -> use specialized transit/scrubbing services with strong infrastructure
  • As an abused (reflecting) DNS service:
    -> minimize response sizes to keep the amplification factor low (e.g. refuse ANY queries, apply response rate limiting)
    -> hard to achieve, especially with DNSSEC-signed zones
  • Against the attacker:
    -> filter packets with spoofed source addresses in the networks they originate from (ingress filtering, BCP 38)
    -> botnet takedown
19
Q

Sender Policy Framework

A
  • Purpose: let receiving mail servers reject mail whose sending host is not authorized by the owner of the (envelope) sender domain
  • How it works:
    -> the domain operator publishes a TXT record ("v=spf1 ...") listing the systems allowed to send mail for this domain
    -> the receiving mail server looks up this record for the envelope-sender domain when the mail comes in
    -> mail from an unauthorized system is rejected ("-all") or only marked as a soft fail ("~all"), depending on the published policy
  • Caveats:
    -> strict policies are not that often used in commercial contexts, because mail forwarding and third-party senders would otherwise get legitimate mail blocked
  • Uses the DNS, so it inherits DNS's security problems (a poisoned TXT record authorizes the attacker's hosts)
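A minimal SPF check for this card (added here, not code from the original flashcards): it parses a v=spf1 record and evaluates the ip4/ip6, a, mx, include and all mechanisms with their qualifiers against a sender address. The DNS data is a constructed dictionary standing in for real lookups (an assumption so the script runs offline); the domains example.org and _spf.mailprovider.test and all addresses are documentation values. Macros, the redirect= and exp= modifiers and the exists mechanism are not handled.

```python
"""Minimal SPF (RFC 7208) check against constructed DNS data.

Added example; not code from the original page. ZONE stands in for real DNS
lookups so the check runs offline; names and addresses are documentation values.
"""
import ipaddress

# Constructed DNS data: (name, type) -> records. Replace lookup() with a real
# resolver call to use this against live data.
ZONE = {
    ("example.org", "TXT"): ["v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailprovider.test -all"],
    ("example.org", "A"): ["198.51.100.10"],
    ("example.org", "MX"): ["mail.example.org"],
    ("mail.example.org", "A"): ["198.51.100.25"],
    ("_spf.mailprovider.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; a real check inherits the DNS's trust problems here."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def host_addresses(name):
    return [ipaddress.ip_address(a) for a in lookup(name, "A")]


def check_spf(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for a sender IP and domain."""
    if depth > 10:                                   # RFC 7208 caps DNS-causing terms
        return "permerror"
    records = [r for r in lookup(domain, "TXT") if r.split()[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:                             # several SPF records: invalid
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                              # default qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = addr in host_addresses(arg or domain)
        elif mech == "mx":
            matched = any(addr in host_addresses(mx) for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"   # include matches only on pass
        else:
            return "permerror"                       # unknown mechanism or unsupported modifier
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                 # nothing matched and no "all" term


if __name__ == "__main__":
    for sender in ("192.0.2.7", "198.51.100.25", "203.0.113.9", "10.0.0.1"):
        print(sender, "->", check_spf(sender, "example.org"))
```

The forwarding caveat from the card shows up directly: a mail forwarded by a host outside the listed ranges arrives from that host's address and yields "fail" under the -all policy, even though the original sender was legitimate.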
20
Q

DNS Sinkholing

A

Detection and prevention of communication with malicious domains: the resolver (or a firewall/IPS) answers queries for blacklisted domains with the address of a controlled "sinkhole" system instead of the real one, so the traffic of infected hosts is redirected there and can be logged and blocked