DNS Security


Presentation Transcript


  1. DNS Security

  2. Fundamental Problems of Network Security
  • Internet was designed without security in mind
  • Initial design focused more on how to make it work than on how to prevent abuse
  • Initial environment mostly consisted of research institutions, so benign behavior of users was assumed
  • Fundamental security problem of current network technology:
    • Has no way of telling whether the resource is located “correctly,” or the information is transferred “correctly”
    • Has no data authentication and confidentiality protection

  3. Example Security Problems from Incorrect Resource Location
  • DNS poisoning
  • BGP routing vulnerabilities
  • ARP poisoning
    • ARP (Address Resolution Protocol) is used to query for the MAC address associated with an IP address
    • Any device attached physically to a subnet can claim to be the “owner” of the IP
  • IP spoofing
    • Routers typically do not check source IP addresses
    • A packet can claim to be coming from any IP address
  • Spam email

  4. Fundamental Problems of TCP/IP
  • No authentication for received messages
  • No encryption for transmitted messages
  • Applying cryptographic techniques can help
    • But they must be engineered very carefully

  5. The Domain Name System
  • Basic Internet database
  • Maps names to IP addresses
  • Also stores IPv6 addresses, mail servers, service locators, ENUM (phone numbers), etc.
  • Data organized as a tree structure
  • Each zone is the authority for its local data
  [Figure: name tree with Root at the top; edu, com and uk below it; usf, cisco, ibm and co below those; www as a leaf]
  Borrowed from slides of Prof. Dan Massey at Colorado State University

  6. Domain Name Service
  • Provides the binding between a URL and an IP address
  • Both forward and reverse mapping
  • Divides the URL space into zones; each name server handles the mapping in its zone
  • DNS Resource Record (RR)
    • Can be viewed as a tuple of the form <name, TTL, class, type, data>
    • Types: A (IP address), MX (mail servers), NS (name servers), PTR (reverse lookup)

  7. DNS Protocol
  [Figure: iterative resolution of www.usf.edu by the ISP’s DNS resolver]
  ISP’s DNS resolver -> root server: What is the IP address of www.usf.edu?
  root server -> resolver: Go ask 192.41.162.30
  resolver -> NS server for edu (192.41.162.30): What is the IP address of www.usf.edu?
  edu NS server -> resolver: Go ask 131.247.100.1
  resolver -> NS server for usf.edu (131.247.100.1): What is the IP address of www.usf.edu?
  usf.edu NS server -> resolver: 131.247.182.171

  8. Example
  • Response from the .edu NS server

    ;; QUESTION SECTION:
    ;www.usf.edu.                    IN  A

    ;; AUTHORITY SECTION:                         (delegation of authority)
    usf.edu.              172800  IN  NS  mother.usf.edu.
    usf.edu.              172800  IN  NS  ziggy.usf.edu.
    usf.edu.              172800  IN  NS  clemson-ns1.usf.edu.

    ;; ADDITIONAL SECTION:                        (glue records)
    mother.usf.edu.       172800  IN  A   131.247.100.1
    ziggy.usf.edu.        172800  IN  A   131.247.1.40
    clemson-ns1.usf.edu.  172800  IN  A   205.186.58.129
    …

  9. DNS Security Problems
  • A DNS resolver has no way to determine whether the response to a query really comes from the legitimate server
  • It will accept a response if
    • the port number matches the source port of the request, and
    • it has the correct Transaction ID (TXID)
  • It will accept all RRs that are in the queried server’s bailiwick
    • The bailiwick is the domain in which the server has authority according to the referral path

  10. Classical DNS Poisoning
  [Figure: the ISP’s recursive DNS resolver sends a recursive query “What is the IP address of www.usf.edu?” to the NS server for usf.edu, whose legitimate answer is 131.247.182.171; the other labels in the figure are DoS flooding, DNS queries, and faked responses]

  11. Conditions for Classical DNS Poisoning Attacks
  • Must guess the correct source port number
  • Must guess the correct TXID (16 bits)
  • The fake response must arrive before the legitimate response
  • If any of the above fails, the attack fails and there is no chance to attack again until the TTL expires

  12. Kaminsky Attack (2008)
  [Figure: the ISP’s recursive DNS resolver receives the query “What is the IP address of foo.usf.edu?” and forwards it to the NS server for usf.edu. The faked response carries “usf.edu. NS www.usf.edu” and “www.usf.edu A 1.1.1.1”; the legitimate server’s answer is “No such url”]
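The acceptance rules of slide 9 (port match, TXID match, bailiwick filter) applied to a reply shaped like the forged one in slide 12, as an added example that is not part of the slides; the record names, port and TXID values are constructed, and the point it shows is that the NS and glue records are in-bailiwick, so only the port and TXID checks stand between such a reply and the cache.

```python
"""Resolver-side acceptance checks for a pre-DNSSEC cache (added illustration)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class RR:
    name: str    # owner name, e.g. "www.usf.edu."
    rtype: str   # A, NS, ...
    data: str


@dataclass
class Query:
    qname: str
    txid: int        # 16-bit transaction ID chosen by the resolver
    src_port: int    # UDP source port the resolver sent from
    bailiwick: str   # zone the queried server is authoritative for (from the referral path)


@dataclass
class Reply:
    txid: int
    dst_port: int    # must equal the query's source port
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies below it label-wise (fakeusf.edu is not under usf.edu)."""
    n, z = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def accept(query: Query, reply: Reply) -> Optional[List[RR]]:
    """Return the RRs the resolver would cache, or None when the reply is dropped."""
    if reply.dst_port != query.src_port or reply.txid != query.txid:
        return None  # port or TXID mismatch: the reply never reaches the cache
    return [rr for section in (reply.answer, reply.authority, reply.additional)
            for rr in section if in_bailiwick(rr.name, query.bailiwick)]


# Constructed sample: the resolver asked the usf.edu NS server about foo.usf.edu (slide 12).
QUERY = Query("foo.usf.edu.", txid=0x1234, src_port=33333, bailiwick="usf.edu")

# Constructed reply in the shape of slide 12, plus one out-of-bailiwick record.
FORGED = Reply(txid=0x1234, dst_port=33333,
               authority=[RR("usf.edu.", "NS", "www.usf.edu.")],
               additional=[RR("www.usf.edu.", "A", "1.1.1.1"),
                           RR("www.cisco.com.", "A", "1.1.1.1")])

if __name__ == "__main__":
    for rr in accept(QUERY, FORGED) or []:
        print("cached:", rr)
    print("wrong TXID dropped:", accept(QUERY, Reply(txid=0x1235, dst_port=33333)) is None)
```

The www.cisco.com record is discarded by the bailiwick filter, while the usf.edu NS record and its www.usf.edu glue are cached whenever the TXID and port guesses are right, which is why the 16-bit TXID alone gives so little protection.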

  13. Implications of the Kaminsky Attack
  • Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning
  • No longer needs to wait for the TTL to expire
  • The attacker can control when and what queries are issued
  • A complete domain may be hijacked
  • Even TLDs are vulnerable
  • Only needs 10 secs to succeed
