
Domain Name System (DNS)


Presentation Transcript


  1. Domain Name System (DNS) Today & Tomorrow Presented By: James Speirs Charles Higby Brady Redfearn

  2. Overview
     • History
     • How It Works
     • DNS Packet Structure
     • DNS Features
     • DNS Security Evolution, Early Days
     • Current DNS Issues
     • Bailiwick Defined
     • BIND 9.6 Or Later
     • Guilty Parties
     • DNS Exploit, Dan Kaminsky
     • BIND 8 Or Earlier
     • Kaminsky's Results
     • What Can Save Us?

  3. History
     • Pre-DNS
       • Hosts file
       • Stanford Research Institute (SRI)
       • FTP

  4. History Continued
     • 1983
       • Paul Mockapetris, inventor
       • RFCs 882 & 883
     • 1984
       • Berkeley & UNIX
     • 1985
       • Kevin Dunlap, Digital Equipment Corporation (DEC)
       • Berkeley Internet Name Domain (BIND)
     • 1987
       • RFCs 1034 & 1035
     • 1990s
       • BIND ported to Windows NT

  5. How It Works
     • Distributed databases
     • Local machine
       • Hosts file
         • Linux - /etc/hosts
         • Mac - /private/etc/hosts
         • Windows - %SystemRoot%\system32\drivers\etc\
       • Local cache
         • Active memory
         • Browser cache

  6. How It Works Continued
     • Distributed databases
     • Not on local machine
       • UDP request
         • 100 bytes
       • ISP DNS responds
       • ISP's ISP's DNS responds
       • Core DNS responds

  7. DNS Packet Structure

  8. DNS Features
     • Name server responds with all sub-domains
       • microsoft.com
       • secure.microsoft.com
       • update.microsoft.com
     • Compression (~3x)
     • Redundancy
       • Round-robin assignment
     • Entry expiration (3,600 seconds)
       • 3,600 second default
       • Defined by name server
     • The "big 13" root servers always hold the main DNS entries
       • .com, .net, .tv, .info, .gov, .mil, etc.
       • http://www.isoc.org/briefings/020/zonefile.shtml

  9. DNS Security Evolution, Early Days
     • No bad guys in 1983
     • Transaction ID (TID)
       • Incrementing integer counter
       • Random TID
     • Port 53
       • Incoming port 53
       • Port 53 outgoing
       • Random outgoing port, Dan Bernstein

  10. Current DNS Issues
     • DNS poisoning
       • First response wins
       • No TCP
       • Transaction IDs – 16 bits
       • Ports – 16 bits
     • DNS controllers
       • ICANN
       • US Commerce Department
       • Verisign
       • 13 core servers

  11. Bailiwick
     • Defined
       • "The neighborhood of the domain"
     • Bailiwicked Domain Attack
     • In bailiwick
       • microsoft.com
       • update.microsoft.com
       • security.microsoft.com
       • All acceptable DNS entries
     • Not in bailiwick
       • google.com
       • yahoo.com
       • These entries are thrown away

  12. BIND 9.6 Or Later
     Example of current version of BIND

  13. Guilty Parties
     • Guilty parties
     • Any DNS not randomizing ports
     • OpenWRT software
     • Secure services
     • OpenDNS
     • djbdns
     • Simple router software

  14. DNS Exploit, Dan Kaminsky
     • Cache miss at ISP
     • Find DNS IPs for example.com
       • ns1.example.com (1.1.1.1)
       • ns2.example.com (1.1.1.2)
     • Send query for bogus machine
       • aaa.example.com
     • ISP's DNS queries example.com for the fake computer
     • Note UDP outgoing port from ISP (7649)
     • Send 100 UDP packets with random TIDs to ISP at port 7649 with your IP 1.1.1.100 as location for example.com

  15. BIND 8 Or Earlier
     Example of older versions of BIND

  16. Kaminsky's Results
     • Repeat the exploit for any domain
     • In 30 seconds, you control the entire domain
     • Works because
       • New IPs are in bailiwick
       • New IPs replace old ones at ISP
     • Make TTL really big
       • Maximum of 2,147,483,647 seconds
       • 68+ years
       • Never expires
     • Nothing appears wrong
       • URL bar is http://www.google.com
       • Displayed site is google.com
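Added example (not part of the slides or of BIND): a minimal resolver-side acceptance check that ties slides 10, 11, 14 and 16 together. It matches a reply to the outstanding query by transaction ID and destination port, throws away records outside the queried zone's bailiwick, and reports the guess space a blind spoofer faces with and without source-port randomization. The names, dataclasses and sample values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Query:
    tid: int       # 16-bit transaction ID the resolver chose
    src_port: int  # UDP source port the resolver sent from (e.g. 7649)
    qname: str     # name asked for, e.g. "aaa.example.com"
    zone: str      # zone the query went to, e.g. "example.com"

@dataclass
class Response:
    tid: int
    dst_port: int  # port the reply was addressed to
    qname: str
    records: list = field(default_factory=list)  # (name, type, value) tuples

def in_bailiwick(zone: str, name: str) -> bool:
    """True if name is the zone itself or lies beneath it (case-insensitive)."""
    zone, name = zone.lower().rstrip("."), name.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def accept(query: Query, resp: Response):
    """Records a cautious resolver would cache from resp, or None if the reply
    does not match the outstanding query. First matching reply wins, so a
    spoofed reply only has to get tid and port right; in-bailiwick records
    such as ns1.example.com are still accepted, which is why the exploit works."""
    if resp.tid != query.tid or resp.dst_port != query.src_port:
        return None
    if resp.qname.lower() != query.qname.lower():
        return None
    # Out-of-bailiwick records (google.com, yahoo.com, ...) are thrown away.
    return [r for r in resp.records if in_bailiwick(query.zone, r[0])]

def guesses_needed(random_port: bool) -> int:
    """Blind-spoof guess space: 16-bit TID alone, or TID plus 16-bit port."""
    return 2 ** 16 * (2 ** 16 if random_port else 1)

if __name__ == "__main__":
    # Constructed sample matching the walkthrough: query for a bogus host.
    q = Query(tid=0x1A2B, src_port=7649, qname="aaa.example.com", zone="example.com")
    spoof = Response(0x1A2B, 7649, "aaa.example.com",
                     [("ns1.example.com", "A", "1.1.1.100"),
                      ("www.google.com", "A", "1.1.1.100")])
    print(accept(q, spoof))             # only the in-bailiwick record survives
    print(accept(q, Response(0x1A2C, 7649, "aaa.example.com")))  # wrong TID: None
    print(guesses_needed(False), guesses_needed(True))
```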

  17. What Can Save Us?
     • SSL certificates
       • Cannot be duplicated
       • Must be examined
     • If available, force HTTPS
     • Most sites don't support either solution
     • Test your ISP
       • entropy.dns-oarc.net/test

  18. Questions?
