DNSSpoofing_2
-
Upload
jennifer-hansen -
Category
Documents
-
view
214 -
download
0
Transcript of DNSSpoofing_2
-
7/30/2019 DNSSpoofing_2
1/17
Domain Name System DNS Cache Poisoning Defences
DNS Spoofing / Poisoning and Relevant Defences(CSE 4482: Computer Security Management)
Benjamin Klein & Prakanth Thangeswaran
York University
Department of Computer Science and Engineering
December 7, 2010
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 1 / 14
mailto:[email protected]:[email protected]://www.yorku.ca/http://www.yorku.ca/http://www.yorku.ca/mailto:[email protected]:[email protected]://find/ -
7/30/2019 DNSSpoofing_2
2/17
Domain Name System DNS Cache Poisoning Defences
Outline
1 Domain Name System
2 DNS Cache Poisoning
3 Defences
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 2 / 14
http://find/ -
7/30/2019 DNSSpoofing_2
3/17
Domain Name System DNS Cache Poisoning Defences
Outline
1 Domain Name SystemOverviewResolverResource Records
2 DNS Cache Poisoning
3 Defences
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 3 / 14
http://find/ -
7/30/2019 DNSSpoofing_2
4/17
Domain Name System DNS Cache Poisoning Defences
Domain Name System
Whenever we communicate using IP, we need IP addresses to address thedestination.
Do you know the IP of the YorkU webserver?
Its 130.63.236.137. . .
easy to remember, isnt it?
designed by Paul Mockapetris in 1983
specified in RFC1 1034 and 1035
translates FQDN2
into IP addresses
1Request for Comments2Fully Qualified Domain Name, e.g. www.yorku.ca
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 4 / 14
D i N S DNS C h P i i D f
http://find/ -
7/30/2019 DNSSpoofing_2
5/17
Domain Name System DNS Cache Poisoning Defences
Domain Name System
Whenever we communicate using IP, we need IP addresses to address thedestination.
Do you know the IP of the YorkU webserver?
Its 130.63.236.137. . .
easy to remember, isnt it?
designed by Paul Mockapetris in 1983
specified in RFC1 1034 and 1035
translates FQDN2
into IP addresses
1Request for Comments
2Fully Qualified Domain Name, e.g. www.yorku.caDecember 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 4 / 14
D i N S t DNS C h P i i D f
http://find/ -
7/30/2019 DNSSpoofing_2
6/17
Domain Name System DNS Cache Poisoning Defences
Domain Name System
Whenever we communicate using IP, we need IP addresses to address thedestination.
Do you know the IP of the YorkU webserver?
Its 130.63.236.137. . .
easy to remember, isnt it?
designed by Paul Mockapetris in 1983
specified in RFC1 1034 and 1035
translates FQDN2
into IP addresses
1Request for Comments
2Fully Qualified Domain Name, e.g. www.yorku.caDecember 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 4 / 14
Domain Name System DNS Cache Poisoning Defences
http://find/ -
7/30/2019 DNSSpoofing_2
7/17
Domain Name System DNS Cache Poisoning Defences
Domain Name System
Whenever we communicate using IP, we need IP addresses to address thedestination.
Do you know the IP of the YorkU webserver?
Its 130.63.236.137. . .
easy to remember, isnt it?
designed by Paul Mockapetris in 1983
specified in RFC1 1034 and 1035
translates FQDN
2
into IP addresses
1Request for Comments
2Fully Qualified Domain Name, e.g. www.yorku.caDecember 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 4 / 14
Domain Name System DNS Cache Poisoning Defences
http://find/http://goback/ -
7/30/2019 DNSSpoofing_2
8/17
Domain Name System DNS Cache Poisoning Defences
DNS Resolver
ExampleYou type http://www.thestar.com to visit the Toronto Star
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 5 / 14
Domain Name System DNS Cache Poisoning Defences
http://find/ -
7/30/2019 DNSSpoofing_2
9/17
Domain Name System DNS Cache Poisoning Defences
DNS Resource Records
fundamental information unit in DNS
different types of RR
A (IPv4 address)MX (mail exchange server)
NS (hostname of authoritative name server). . .
Example A-RR
www.yorku.ca. 3600 IN A 130.63.236.137
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 6 / 14
Domain Name System DNS Cache Poisoning Defences
http://find/ -
7/30/2019 DNSSpoofing_2
10/17
Domain Name System DNS Cache Poisoning Defences
Outline
1 Domain Name System
2 DNS Cache PoisoningOverview
Packet InterceptionID Guessing and Query Prediction
3 Defences
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 7 / 14
Domain Name System DNS Cache Poisoning Defences
http://find/ -
7/30/2019 DNSSpoofing_2
11/17
y g
DNS Cache Poisoning
DNS was not designed with security in mind
classes of transactions: usage vs administrative transactions
usage transactions (obviously most present in DNS traffic)
Query: A asks B for the IP of a particular FQDNResponse: B gives A the requested IP
DNS Cache Poisoning: An attacker replies to A with a faked IP (to
divert traffic to another computer) and A stores it in its cache
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 8 / 14
Domain Name System DNS Cache Poisoning Defences
http://find/ -
7/30/2019 DNSSpoofing_2
12/17
y g
Packet Interception
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 9 / 14
Domain Name System DNS Cache Poisoning Defences
http://find/ -
7/30/2019 DNSSpoofing_2
13/17
ID Guessing and Query Prediction
If we cant intercept traffic, we still can guess!
UDP Port and Transaction ID are 16-bit fields each
232 possible values suitable for brute-force
in most cases, the client UDP port can be predicted from previous
traffic observations 2
16
values
we also have to guess QNAMEs3 and QTYPEs4
attack is only successful if the resolvers behaviour is predictable
3query domain name (e.g. www.yorku.ca)
4query type (A, MX, NS,. . .
)December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 10 / 14
Domain Name System DNS Cache Poisoning Defences
http://find/ -
7/30/2019 DNSSpoofing_2
14/17
Outline
1 Domain Name System
2 DNS Cache Poisoning
3 DefencesDNSSEC
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 11 / 14
Domain Name System DNS Cache Poisoning Defences
http://find/ -
7/30/2019 DNSSpoofing_2
15/17
DNS Security Extension (DNSSEC)
introduced 1999 in RFC 2535 (updated by RFC 4033 later)
provides data integrity and authentication
all replies in DNSSEC are digitally signed using public-keycryptography
required no change to the DNS protocol beyond the addition of newresource types
DNSSEC Resource Records
RRSIG: stores the signatureDNSKEY: stores the public key that was used
. . .
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 12 / 14
Domain Name System DNS Cache Poisoning Defences
http://find/ -
7/30/2019 DNSSpoofing_2
16/17
References
RFC 1035: DOMAIN NAMES - IMPLEMENTATION ANDSPECIFICATIONhttp://www.ietf.org/rfc/rfc1035.txt
RFC 4033: DNS Security Introduction and Requirementshttp://www.ietf.org/rfc/rfc4033.txt
Kim Davies: 2008 DNS Cache Poisoning Vulnerabilityhttp://www.iana.org/about/presentations/
davies-cairo-vulnerability-081103.pdf
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 13 / 14
Domain Name System DNS Cache Poisoning Defences
http://www.ietf.org/rfc/rfc1035.txthttp://www.ietf.org/rfc/rfc4033.txthttp://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdfhttp://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdfhttp://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdfhttp://www.iana.org/about/presentations/davies-cairo-vulnerability-081103.pdfhttp://www.ietf.org/rfc/rfc4033.txthttp://www.ietf.org/rfc/rfc1035.txthttp://find/http://goback/ -
7/30/2019 DNSSpoofing_2
17/17
Q & A
Any questions left?
Benjamin Klein Prakanth Thangeswaran
December 7, 2010 B. Klein & P. Thangeswaran: DNS Spoofing / Poisoning and Relevant Defences 14 / 14
mailto:[email protected]:[email protected]:[email protected]:[email protected]://find/http://goback/