Lecture 15: DNS Cache Poisoning and DNSSEC Flashcards
What is DNS cache poisoning?
Attacker spoofs a DNS response and the results are stored in an upstream DNS cache
The poisoned records may redirect clients to malicious servers
What does it mean that cache poisoning is self-cleaning?
Poisoned DNS records will go stale when their TTL expires and the DNS resolver or cache re-fetches them
Why can you not count on the TTL to handle DNS cache poisoning?
DNS TTL can be very long
Up to 68 years
What are the goals of cache poisoning?
Redirect users
- Send them to a website that tries to execute malware
- Send users to non-existent servers or joke/advertisement pages
- Use look-alike web pages to steal login or other user info
How could an attacker install a malicious DNS resolver onto a client machine?
- Use a bot or remote access to set the DNS resolver of the machine remotely
- Physically have access to the machine
How can you mitigate cache poisoning and bad resolvers?
Compare records returned from different DNS sources (resolvers)
Make the DNS call twice, to two different DNS resolvers; if the answers don't match you may have a poisoned cache
What is DNSSEC or Domain Name System Security Extensions?
A DNS protocol that provides authentication for DNS responses via message signing and chains of trust
How does DNSSEC prevent cache poisoning?
Uses public key cryptography to sign DNS responses to prevent spoofing by an attacker
What is the DNS Chain?
The DNS servers we follow when making a request
- Root DNS Server
- TLD DNS Server
- Authoritative DNS Server
How does DNSSEC work with the DNS chain?
Passes along verification information along each step in the DNS chain
How does signing DNS requests work in DNSSEC?
When you request records from a DNS server, it will sign it using a private key from a public/private key pair
Where are DNSSEC signatures stored?
RRSIG
Resource Record SIGnature
What key signing algorithms are considered obsolete?
- RSA
- MD5
What key signing algorithms are used today?
- RSA/SHA-1
- SHA-256
- SHA-512
- ECDSA
What is the DNSKEY record?
Matching public key of the private key used to generate the RRSIG
What is the benefit of using a public key when providing a signature?
User can verify that the signature provided in RRSIG is legitimate
How does the chain of trust that DNSSEC uses for verification work?
Hash of the signing key is stored in a DS record in the DNS record of the next server up in the hierarchy
What does the TLD server do in the chain of trust?
Returns DS records that prove the authoritative DNS server key is legit
What does the root server do in the chain of trust?
Returns DS records that prove the TLD server key is legit
The chain of trust ultimately bubbles up to __ server
root
What is the advantage of being able to work backwards up the chain of trust until you hit the publicly known root DNS key?
Ensures that each signed record from the root server on down can be authenticated using the DS records
DNSKEY of the __ level DNS server are published and well known
root
What are the root DNS keys also known as?
Trust anchors
What is the only anchor you technically need?
The root key
What is the small hole in protection in the DNSSEC system?
When a request doesn't return records in the response and there is nothing to sign
What is the NXDOMAIN or NODATA problem in DNSSEC?
DNS servers return an NXDOMAIN or NODATA error if there are no records for a domain
Since these responses are empty there are no signatures
There's no good way of authenticating a response with no records, so they can be forged
What record type was created as a work around for requests that don’t return any records?
NSEC
How do NSEC records work?
They explicitly state which domains exist on a given DNS server
If a client requests a domain that doesn’t exist, the NSEC records are returned and signed
What is the problem with NSEC and data leakage?
NSEC records explicitly tell users whether domains exist or not
What record type was created in order to fix the problem with NSEC and data leakage? How does it fix the problem?
NSEC3
Replaces the explicit domain reference with a hash of the domain
What are the drawbacks to DNSSEC?
- No privacy for DNS, only provides authentication
- Increases the size of DNS responses due to hashes and signatures being exchanged
- Clients must be ready to switch to non-DNSSEC if it isn't being used, breaking the chain of trust