Lecture 15: DNS Cache Poisoning and DNSSEC

Question 1

What is DNS cache poisoning?

Answer 1

Attacker spoofs a DNS response and the results are stored in an upstream DNS cache

The poisoned records may redirqect clients to malicious servers

Question 2

What does it mean that cache poisoning is self-cleaning?

Answer 2

Poisoned DNS records will go stale when their TTL expires and the DNS resolver or cache re-fetches them

Question 3

Why can you not count on the TTL to handle DNS cache posioning?

Answer 3

DNS TTL can be very long

Up to 68 years

Question 4

What are the goals of cache posioning?

Answer 4

Redirect users

• Send them to a website that tries to execute malware
• Send users to non-existent servers or joke/advertisement pages
• Use look a like web pages to steal login or other user info

Question 5

How could an attack install malicious DNS resolver onto a client machine?

Answer 5

• Use a bot or remote access to set the DNS resolver of the machine remotely
• Physically have access to the machine

Question 6

How can you mitigate cache posioning and bad resolvers?

Answer 6

Compare records returned from different DNS sources (resovlers)

Make DNS call twice to 2 different DNS resolvers, if they dont match you may have a poisoned cache

Question 7

What is DNSSEC or Domain Name System Security Extensions?

Answer 7

A DNS protocol that provides authentication for DNS responses via message signing and chains of trust

Question 8

How does DNSSEC prevent cache poisoning?

Answer 8

Uses public key cryptography to sign DNS responses to prevent spoofing by an attacker

Question 9

What is the DNS Chain?

Answer 9

The DNS servers we follow when making a request

• Root DNS Server
• TLD DNS Server
• Authoritative DNS Server

Question 10

How does DNSSEC work with the DNS chain?

Answer 10

Passes along verification information along each step in the DNS chain

Question 11

How does signing DNS requests work in DNSSEC?

Answer 11

When you request records from a DNS server, it will sign it using a private key from a public/private key pair

Question 12

What are DNSSEC signatures stored?

Answer 12

RRSIG

Resource Record SIGnature

Question 13

What key signing algorithms are considered obsolete?

Answer 13

• RSA
• MD5

Question 14

What key signing algorithms are used today?

Answer 14

• RSA/SHA-1
• SHA-256
• SHA-512
• ECDSA

Question 15

What is the DNSKEY record?

Answer 15

Matching public key of the private key used to generate the RRSIG

Question 16

What is the benefit of using a public key when providing a signature?

Answer 16

User can verify that the signature provided in RRSIG is legitimate

Question 17

How does the chain of trust that DNSSEC uses for verification work?

Answer 17

Has of signing key is stored in a DS record in the DNS record of the next server up in the hierarchy

Question 18

What does the TLD server do in the chain of trust?

Answer 18

Returns DS records that prove the authoritative DNS server key is legit

Question 19

What does the root server do in the chain of trust?

Answer 19

Returns DS records that prove the TLD server key is legit

Question 20

The chain of trust ultimately bubbles up to __ server

Answer 20

root

Question 21

What is the advantage of being able to work backwards up the chain of trust until you hit the publicaly known root DNS key

Answer 21

Ensures that each signed record from the root server on down can be authenticated using the DS records

Question 22

DNSKEY of the __ level DNS server are published and well known

Answer 22

root

Question 23

What are the root DNS keys also known as?

Answer 23

Trust anchors

Question 24

What is the only anchor you technically need?

Answer 24

The root key

Question 25

What is the small hole in protection in the DNSSEC system?

Answer 25

When a request doesnt return records in the response and has nothing to sign

Question 26

What is the NXDOMAN or NODATA problem in DNSSEC?

Answer 26

DNS server return a NXDOMAIN or NODATE error if there are no records for a domain

Since they are empty theres no signatures

Theres no good way of authenticating records with no records so they can be forged

Question 27

What record type was created as a work around for requests that don’t return any records?

Answer 27

NSEC

Question 28

How do NSEC records work?

Answer 28

They explicitly state which domains exist on a given DNS server

If a client requests a domain that doesn’t exist, the NSEC records are returned and signed

Question 29

What is the problem with NSEC and data leakage?

Answer 29

NSEC records explicitly tell users whether domains exist or not

Question 30

What record type was created in order to fix the problem with NSEC and data leakage? How does it fix the problem?

Answer 30

NSEC3

Replaces the explicit domain reference with a has of the domain

Question 31

What are the drawbacks to DNSSEC?

Answer 31

• No privacy for DNS, only provides authentication
• Increases size of DNS responses due to hashes and signatures being exchanges
• Clients must be ready to switch to non-DNSSEC if it isn’t being used- breaking the chain of trust