Session 4: DNS Flashcards
What address resolution technique was used before the invention of DNS?
Before DNS came around, operators had to download a file called hosts.txt over FTP to determine the static IP address of other devices connected to, at the time, Arpanet. As such an approach is not scalable, it was eventually dropped and replaced with a distributed database which eventually evolved into the DNS system we know today.
What were the original design objectives of DNS?
The primary design objectives of DNS were:
Scalability
Decentralized maintenance
Robustness to faults
Globally consistent resolution (names are resolved identically everywhere)
What is DNS Hierarchical Namespace?
A DNS namespace is a data structure akin to an inverted tree where the root node is known as the apex of the namespace. All subnodes are known as domains (such as .com, .no, .xyz, etc.).
What is a DNS zone?
A namespace is typically separated into a set of zones, each containing a small set of domains, e.g., one zone may contain the domains (.no, .se, .dk).
Every DNS zone must have at least one authoritative DNS server, which is a server that knows all the names in the zone, and is therefore capable of handling all queries requesting domain name resolution for a given website contained within the DNS zone.
Most domain zones, however, have more than one authoritative server to facilitate load balancing and ensure that the zone does not have a single point of failure.
What are recursive DNS servers?
A recursive DNS server is a type of DNS server that resolves a domain even if it has to search outside the zone in which it operates. This means that the DNS server will reach out to a DNS root server if the queried domain does not exist in the DNS server’s zone. Only when the recursive DNS server has learnt the IP address of the requested domain will it reply to the query.
How can DNS be exploited for DDoS attacks?
Perhaps somewhat surprisingly, DNS servers have been known to be used for carrying out DDoS attacks.
Through a technique known as amplification, attackers can overwhelm their victims by sending tremendous amounts of DNS queries whilst portraying themselves as the victim. If the victim has the IP address X, then the attacker will set X as the source address of the 64-byte DNS query. This will trick the DNS server into sending its reply to the victim. As replies to DNS requests are often significantly larger than the requests, attackers can achieve an amplification effect and consequently drown the victim in DNS replies.
What is DNS cache poisoning?
Local DNS resolvers cache the results from previous queries. This ensures that a DNS resolver does not need to query other DNS servers every single time it receives a query, since many of the most popular domains are already temporarily stored in the resolver’s cache.
DNS cache poisoning is a technique malicious actors can use to exploit this caching feature. First the attacker requests the IP address for some domain from the local DNS resolver, then it sends massive amounts of traffic toward the DNS resolver trying to mimic a reply from another DNS server. As poorly configured DNS servers often accept the first reply, attackers can “poison” the cache of the DNS resolver by providing an IP address to the resolver before the legitimate DNS server does. If successful, future requests for the domain will receive the false IP address supplied by the attackers instead of the IP address of the machine hosting the real domain.
How does modern DNS ensure confidentiality and integrity?
Today, some DNS servers use public key cryptography, as this ensures both confidentiality and integrity. DNS security is most widespread in Europe, as many other regions still practice poor security for their DNS servers.
DNS uses two types of keys:
Signing keys are used to sign the requested records themselves (so we know that a record is legitimate and not some spoofing attempt). These keys are used by authoritative DNS servers and ensure that the reply really was sent from a proper DNS server.
Zone keys function the same as signing keys, but they are not specific to one server; they apply to the entire zone.
By signing records with both the signing and zone private keys, recipients of DNS replies can be certain of their legitimacy, as both the responding server and the zone in which it resides can be verified.
What are the three main roles DNS servers can fill?
Typically a DNS server is either:
- A database server, i.e., an authoritative server containing repositories for domain data.
- A DNS cache which temporarily stores domain translations learnt from authoritative DNS servers.
- A DNS agent which is responsible for monitoring the domains with dynamically assigned IP addresses and ensures that the authoritative DNS server is kept up to date with the correct IP address for a given domain.
What is a DNS Root Server?
DNS root servers sit at the very top of the distributed DNS system and are capable of accepting any DNS query by pointing the requesting DNS resolver toward the correct DNS zone, i.e., the authoritative DNS server capable of translating the domain.
At least one root server must be known to a DNS resolver for it to be able to perform translations.
What is DNS spoofing?
DNS spoofing is a technique similar to cache poisoning where an attacker tries to update the entry in an authoritative DNS server with a malicious IP address.
DNS queries now include a 16-bit random transaction ID which must be matched by replies to be accepted.
However, as the transaction ID only uses 16 bits, which yields 65,535 possible IDs, it can still be guessed by attackers. As this is a relatively low number, a sufficient number of guesses makes it highly probable that a correct ID will eventually be found.
More precisely, the probability of guessing a wrong ID once is P(1) = 65534/65535,
twice is P(2) = P(1) * 65533/65535,
and n times is P(n) = P(n-1) * (65535-n)/65535.
When n reaches 600, the probability of not having found a correct ID is 10 %, i.e., P(600) = 0.1. This means there is a 90 % probability of having found a correct ID.
This is why attackers must send many replies to a DNS server to “ensure” success.