Domain Name System Flashcards
Define
Host Names
DNS
Mnemonic/easily memorable for humans
Define
Domain Name System
DNS
Provides translation from host name to IP address
DNS is what type of distributed database that leverages what?
DNS
A performance-critical distributed database that leverages caches
Why is DNS needed?
DNS
For SOP assumptions and web security
What is the hierarchy of name servers?
DNS
Root servers > Authoritative name servers > Local Name resolver
Where are root servers?
DNS
Hardcoded into other servers
What are root servers for?
DNS
Top-level domains (TLD)
What are authoritative name servers for?
DNS
Subdomains
What do local name resolvers do?
DNS
Caches name resolution results
What does the local name resolver go to for non-cached names?
DNS
Authoritative name servers
Describe
DNS Lookup
DNS
- Client requests information
- Local resolver fetches from Root DNS => TLD DNS server => Authoritative DNS server
- Local resolver returns information to client
Describe
Components of DNS Packet
DNS
Source/dest ports, length, checksum, query ID, questions/answers, authority, additional info
List DNS Resource Records
DNS
- Address Mapping (A)
- Canonical Name (CNAME)
- Mail Exchanger (MX)
- Name Server (NS)
- Start of Authority (SOA)
Define
DNS Resource Record: Address Mapping (A)
DNS
Maps host to IP Address
Define
DNS Resource Record: Canonical Name (CNAME)
DNS
Maps host to alias
Define
DNS Resource Record: Mail Exchanger (MX)
DNS
Directs email to a specific server
Define
DNS Resource Record: Start of Authority (SOA)
DNS
Specifies core information (name server, email of domain admin)
Define
DNS Caching
DNS
Holds the responses for repeated translations
Describe
DNS Caching: Negative Queries
DNS
Non-existing host names
Limitation of DNS Caching
DNS
Cache will periodically time out
Who controls the DNS cache and what happens to it at every record?
DNS
DNS cache is controlled by data owner and it is passed with every record
Define
Kaminsky Blind Spoofing
DNS
Injecting forged replies with different IDs in hopes of matching victim’s queries
Defenses against Kaminsky Blind Spoofing
DNS
- Usage of random source ports
- Increased entropy/load of DNS
Components of DNS Query
DNS
- Question includes query
- ID
- Answer section = resource record + IP addr of domain name + lifetime of cache to answer
- Authority of host name servers behind the answers
- Additional section = supplemental info
When sent over UDP, DNS is unable to protect what?
DNS
CIA
Two DNS threats
DNS
Malicious DNS server and eavesdropping
Describe
DNS Threat: Malicious DNS Server
DNS
Tricks the user into resolving DNS queries through a fake DNS server to gain access to information
Defenses against Malicious DNS Server
DNS
Client doesn’t accept record in the Additional Section if domain of user doesn’t match their request
Describe
DNS Threat: Eavesdropping for off-path attackers
DNS
Blind spoofs and races against actual DNS server using Additional field
What do off-path eavesdroppers need for a DNS eavesdropping attack?
DNS
The port (typically 53) and the ID
How do off-path attackers obtain ID for DNS eavesdropping attack?
DNS
Trick the user into submitting a lookup query into the DNS
Defense against Eavesdropping
DNS
Censorship
Describe
DNS Security Extensions (DNSSEC)
DNS
Providing origin authentication and integrity through a chain of trust
Describe
DNSSEC’s Chain of Trust
DNS
Each lookup level is signed with a DNS private key and vouched for by the public keys of the upper layers
What is the order for the DNSSEC Chain of Trust?
DNS
DNS => DNSKEY => DS => …
Where are the root public keys for the DNSSEC?
DNS
Hardwired into the servers
Two types of DNSSEC Keys
DNS
Key-Signing Keys (KSK) and Zone-Signing Keys (ZSK)
Define
Key-Signing Keys (KSK)
DNS
DNSKEY/public key zones