Network and Communications Security (IN3210/IN4210)

Domain Name System (DNS)

Transcript of the lecture slides "Network and Communications Security (IN3210/IN4210): Domain Name System (DNS)".


Foundations of DNS



Domain Name System

● Directory services for name resolution

● Requirements:

− support for “real” names (e.g. server01) and “logical” names (e.g. www.uio.no)

− support for different kinds of services (e.g. mail) and address formats (e.g. IPv4, IPv6)

− distributed database

− local cache

● DNS:

− RFC 1034

− RFC 1035

[Figure: mapping of a host name to an IP address]


Name Space Definition

● Domain Name Space

− tree structure

− nodes have a "label": 1 – 63 bytes

− length of the root node label = 0

− nodes with a common parent must not have the same label

[Figure: name space tree: "unnamed root" → top-level domains (edu, gov, mil, no, …) → uio, ruter, … → mn, …]


Name Space Definition

● Terminology

− Domain Name

▪ dot-separated sequence of labels along the path in the name space tree, read from leaf to root

▪ e.g. mn.uio.no

− Domain

▪ "A domain is identified by a domain name and consists of that part of the domain name space that is at or below the domain name which specifies the domain."

− Subdomain

▪ "A domain is a subdomain of another domain if it is contained within that domain. This relationship can be tested by seeing if the subdomain's name ends with the containing domain's name. For example, A.B.C.D is a subdomain of B.C.D, C.D, D, and ""."


Country Code TLDs (ccTLDs)

[Figure: world map of country code TLDs. Image source: Wikipedia]


Generic TLDs (gTLDs)

● "Classic" gTLDs:

− .com (commercial)

− .edu (educational)

− .org (non-commercial)

− .arpa (incl. the reserved domain for reverse lookup: in-addr.arpa)

● "New" gTLDs:

− since 2012: hundreds of new gTLDs (e.g., 50 from Amazon, 50 from Google)

− Examples: .google, .fun, .berlin, .nyc, .ストア, .書籍


Name Space Definition

● Zone concept

[Figure: zone tree: no → uio → mn, jus, med, …; each box is a separate zone]

(mn is actually not a zone of its own; it is shown here only to illustrate multiple zones inside an organization)


Name Space Definition

● Zone concept

− A sub tree of the DNS tree can be defined as a zone

− A zone is managed by a single organization

− A zone operates name servers which store information on:

▪ DNS names inside that zone ("authoritative information")

▪ Further zones "below" that zone (NS records pointing to their name servers, plus "glue records" with the addresses of those name servers)

− Example:

▪ NO zone

▪ Managed by Norid

▪ Manages all names inside the zone (e.g. www.nic.no)

▪ Contains the delegation information (NS and "glue records") for all zones below the NO node (i.e. all .no domains)


Name Space Definition

● Responsible for the "no" TLD: UNINETT Norid


Name Space Definition

● Root name servers

− Root zone name servers hold a list of names and IP addresses of the name servers for all top-level domains (TLDs).

− TLD resolution requires using a root server to obtain the responsible authoritative server.

− Currently (2020):

▪ 13 root name servers (with names of the form <letter>.root-servers.net, where <letter> ranges from A to M)

▪ operated by 12 independent root server operators

▪ 1326 instances (anycast)


[Figure: map of root server instances, from http://root-servers.org/]


Name Resolution

● Name Servers

− Per zone: at least two name servers, "primary" and "secondary"

− Name servers provide information per node of the related zone

▪ "authoritative data" for the "own" zone

▪ "glue data" for querying the name servers of delegated subzones

− Common data format (for storing and transmitting DNS data)

▪ Resource Records (RRs)


Name Resolution

● Resource Records (RRs)

− common format: owner | type | class | TTL | rdata

▪ owner: the domain name where the RR is found

▪ type: encoded 16 bit value that specifies the RR type, e.g.

A      a host address
CNAME  alias name ("canonical name")
MX     identifies a mail exchange for the domain
NS     authoritative name server for the domain
SOA    identifies the start of a zone of authority

▪ class: encoded 16 bit value for a protocol family

IN     the Internet system
CH     the Chaos system


Name Resolution

● Resource Records (RRs)

− common format: owner | type | class | TTL | rdata

▪ TTL: Time To Live, describes how long (in seconds) an RR can be cached before it should be discarded.

▪ RDATA: type (and sometimes class) dependent data, e.g. for

A      for the IN class: a 32 bit IP address
MX     a 16 bit preference value followed by a host name willing to act as a mail exchange for the owner domain.
NS     a host name.


Name Resolution

● Zone file sample 1

$ORIGIN example.com.
; names not ending in a trailing period (.)
; are appended with example.com.
$TTL 86400 ; = 24 h
@       IN  SOA    < some parameters >
        IN  NS     dns1.example.com.
        IN  NS     dns2.example.com.
        IN  MX 10  mail.example.com.
        IN  MX 20  mail2.example.com.
server1 IN  A      10.0.1.5
server2 IN  A      10.0.1.7
dns1    IN  A      10.0.1.2
dns2    IN  A      10.0.1.3
ftp     IN  CNAME  server1
mail    IN  CNAME  server1
mail2   IN  CNAME  server2
www     IN  CNAME  server2


Name Resolution

● Zone file sample 2

$ORIGIN example.com.
$TTL 86400
@       IN  SOA    < some parameters >
        IN  NS     ns1.example.com.
        IN  NS     ns2.example.com.
        IN  MX 10  mail.example.com.
ns1     IN  A      192.168.0.3
ns2     IN  A      192.168.0.4
mail    IN  A      192.168.0.5
...
; we define two name servers for the "us" sub-domain
$ORIGIN us.example.com.
@       IN  NS     ns3.us.example.com.
        IN  NS     ns1.example.com.
; sub-domain address records for the name server only - glue record
ns3     IN  A      10.10.0.24
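The two samples above rely on a handful of master-file conventions: $ORIGIN, $TTL, "@" for the origin, relative names completed with the origin, an empty owner field meaning "same owner as the previous record", and glue for a delegated sub-zone. The parser below is an added example and not part of the lecture: it reads sample 2 (the SOA parameters elided as on the slide, and one CNAME line added here to exercise alias handling), completes the names, follows a CNAME the way a resolver would, and picks out the glue record of the delegated us.example.com sub-zone.

```python
"""Zone-file parser for the master-file conventions used in the samples above.

Added example, not from the lecture. Handles $ORIGIN, $TTL, '@', relative
names (no trailing dot) completed with the origin, an empty owner field
("same owner as the previous record") and comments; then answers lookups the
way a resolver uses the data (following CNAMEs) and picks out glue records.
"""

# Constructed input: zone file sample 2 from the slide (SOA parameters elided
# as on the slide) plus one CNAME line added here to exercise alias handling.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@ IN SOA < some parameters >
  IN NS ns1.example.com.
  IN NS ns2.example.com.
  IN MX 10 mail.example.com.
ns1 IN A 192.168.0.3
ns2 IN A 192.168.0.4
mail IN A 192.168.0.5
www IN CNAME mail
; we define two name servers for the "us" sub-domain
$ORIGIN us.example.com.
@ IN NS ns3.us.example.com.
  IN NS ns1.example.com.
; sub-domain address records for name server only - glue record
ns3 IN A 10.10.0.24
"""

RR_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT", "PTR"}


def fqdn(name, origin):
    """Complete a relative name with the origin; '@' is the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return a list of (owner, ttl, class, type, rdata) tuples."""
    origin, ttl, last_owner, records = ".", 0, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            ttl = int(line.split()[1])
            continue
        fields = line.split()
        # No owner field (leading blank, or the line starts with the class/type):
        # the record belongs to the previous owner.
        if raw[0].isspace() or fields[0] == "IN" or fields[0] in RR_TYPES:
            owner = last_owner
        else:
            owner = fqdn(fields.pop(0), origin)
        last_owner = owner
        if fields[0] == "IN":
            fields.pop(0)
        rtype = fields.pop(0)
        if rtype not in RR_TYPES:
            raise ValueError(f"unknown RR type {rtype!r} for {owner}")
        rdata = fields
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [fqdn(rdata[0], origin)]       # names in RDATA are relative too
        elif rtype == "MX":
            rdata = [int(rdata[0]), fqdn(rdata[1], origin)]
        records.append((owner, ttl, "IN", rtype, rdata))
    return records


def lookup(records, name, rtype, max_chain=8):
    """Resolve name/type in the zone, following CNAMEs as a resolver would."""
    for _ in range(max_chain):
        hits = [r[4] for r in records if r[0] == name and r[3] == rtype]
        if hits:
            return name, hits
        cnames = [r[4][0] for r in records if r[0] == name and r[3] == "CNAME"]
        if not cnames:
            return name, []
        name = cnames[0]
    raise ValueError("CNAME chain too long")


def glue_records(records):
    """Glue = A/AAAA records for name servers that live inside a delegated sub-zone."""
    apex = next(r[0] for r in records if r[3] == "SOA")
    delegations = {}                              # sub-zone -> its name servers
    for owner, _, _, rtype, rdata in records:
        if rtype == "NS" and owner != apex:
            delegations.setdefault(owner, set()).add(rdata[0])
    glue = []
    for owner, _, _, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            for zone, servers in delegations.items():
                if owner in servers and owner.endswith("." + zone):
                    glue.append((owner, rtype, rdata[0]))
    return glue
```

Note that ns1.example.com. also serves the us sub-zone but is not glue: its address lives in the parent zone itself. Only ns3, whose name is inside the delegated sub-zone, needs its A record copied into the parent so that the delegation can be followed at all.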


DNS Services and Protocol

● Name resolution interactions

[Figure: Application → (gethostbyname) → Resolver (client) with local cache → (DNS protocol) → primary name server / secondary name server (kept in sync by zone transfer) → other name servers]


DNS Services and Protocol

● Resolution

− Client request: recursive resolution, i.e., let the name server query other name servers and return a complete response

− Name server to name server request: iterative resolution, i.e., the name server collects (partial) responses, answers or referrals, from other name servers


DNS Services and Protocol

● Name resolution interactions

[Figure: resolving http://www.mn.uio.no/: Application → Resolver (client) → recursive query to the local name server; the local name server iteratively queries the root name server (from its list of root name servers), then the "no" name server, the "uio" name server and the "mn" name server]


DNS Caching

● Forwarding every request to the authoritative server would produce a large amount of traffic

● Every DNS resolver stores DNS responses in a local cache

● Subsequent requests for same resource will be answered from the cache

● Entry is erased from the cache after expiration of TTL

[Figure: name server cache, filled from the "mn" name server]

Name             IP               Expires
...              ...              ...
www.mn.uio.no    129.240.118.130  2019-03-14 12:45:06
...              ...              ...
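The recursive/iterative split and the cache above can be exercised in a few lines. The simulation below is an added example (not from the lecture): a resolver that answers its client recursively, walks the tree iteratively from its root hints via referrals (root → no → uio → mn), and keeps the result in a TTL-bounded cache. The server contents, the 192.0.2.x server addresses and the 300 s TTL are constructed; only the address 129.240.118.130 for www.mn.uio.no is the one shown on the slide.

```python
"""Simulated recursive resolver: iterative walk from the root plus a TTL cache.

Added example, not from the lecture. The authoritative data, the 192.0.2.x
server addresses and the 300 s TTL are constructed; the address of
www.mn.uio.no is the one shown on the slide. A real resolver sends these
queries over UDP/TCP port 53 and starts from the root hints file.
"""
import time

# Each server either knows the answer or hands out a referral (NS + glue)
# to the servers of the next zone down the tree.
SERVERS = {
    "root":   {"referral": {"no.": ("no-ns", "192.0.2.1")}},
    "no-ns":  {"referral": {"uio.no.": ("uio-ns", "192.0.2.2")}},
    "uio-ns": {"referral": {"mn.uio.no.": ("mn-ns", "192.0.2.3")}},
    "mn-ns":  {"answer": {"www.mn.uio.no.": ("129.240.118.130", 300)}},
}
ROOT_HINTS = ["root"]           # the resolver's built-in list of root servers


def ask(server, name):
    """One iterative query. Returns ('answer', ip, ttl), ('referral', server) or ('nxdomain',)."""
    data = SERVERS[server]
    if name in data.get("answer", {}):
        ip, ttl = data["answer"][name]
        return ("answer", ip, ttl)
    # The longest matching delegation is the closest enclosing zone.
    for zone, (ns_name, _glue_ip) in sorted(data.get("referral", {}).items(),
                                            key=lambda kv: -len(kv[0])):
        if name == zone or name.endswith("." + zone):
            return ("referral", ns_name)
    return ("nxdomain",)


class Resolver:
    def __init__(self, clock=time.time):
        self.cache = {}         # name -> (ip, expires_at)
        self.clock = clock      # injectable so TTL expiry can be tested

    def resolve(self, name, trace=None):
        """Recursive service for the client: answer from cache or walk the tree."""
        trace = trace if trace is not None else []
        now = self.clock()
        if name in self.cache:
            ip, expires = self.cache[name]
            if expires > now:
                trace.append("cache")
                return ip
            del self.cache[name]            # TTL expired: entry is discarded
        server = ROOT_HINTS[0]
        for _ in range(10):                 # bound the referral chain
            trace.append(server)
            reply = ask(server, name)
            if reply[0] == "answer":
                _, ip, ttl = reply
                self.cache[name] = (ip, now + ttl)   # cache until the TTL runs out
                return ip
            if reply[0] == "referral":
                server = reply[1]
                continue
            return None                     # name does not exist
        raise RuntimeError("referral chain too long")
```

The `trace` list records which servers were consulted; the first lookup touches four servers, the second is answered from the cache, and once the TTL has passed the walk starts again at the root. Real resolvers also cache the referrals themselves (the NS and glue records), so a later query for another name under uio.no would start at the uio name server rather than at the root.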


DNS Service and Protocol

● DNS protocol

− Query/Answer protocol

− port 53

− TCP or UDP (most common)

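What "query/answer protocol on port 53" looks like on the wire is fixed by RFC 1035: a 12-byte header (transaction ID, flags, four section counts) followed by the question as length-prefixed labels. The encoder/decoder below is an added example, not from the lecture; it enforces the 1–63 byte label limit from the name space definition above and handles the name compression pointers that responses use. The transaction ID is drawn from `secrets`, which is the property the cache poisoning slides later depend on.

```python
"""DNS message wire format (RFC 1035): header + question, encode and decode.

Added example, not from the lecture. Shows the bytes a resolver sends on
UDP/TCP port 53 and how a response's header and question are read back,
including the name compression pointers responses use.
"""
import secrets
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
CLASS_IN = 1
FLAG_QR = 0x8000      # 1 = response
FLAG_RD = 0x0100      # recursion desired: the client asks for recursive service


def encode_name(name):
    """example.com. -> b'\\x07example\\x03com\\x00' (labels 1-63 bytes, root label empty)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label length must be 1-63 bytes: {label!r}")
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    if len(out) > 255:
        raise ValueError("name longer than 255 bytes")
    return out


def build_query(name, qtype="A", txid=None):
    """Return (txid, message). The ID is random unless given explicitly."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)   # QD=1, AN=NS=AR=0
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], CLASS_IN)
    return txid, header + question


def decode_name(msg, offset):
    """Decode a name at offset; follow compression pointers (0b11xxxxxx) safely."""
    labels, jumped, hops, end = [], False, 0, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:           # pointer to an earlier occurrence
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset or hops > 64:
                raise ValueError("bad compression pointer")
            if not jumped:
                end = offset + 2            # the name ends after the pointer
            offset, jumped, hops = pointer, True, hops + 1
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels) + ".", end


def parse_header(msg):
    """The 12-byte header: ID, flags, and the four section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def parse_question(msg):
    """Return (qname, qtype, qclass) of the first question (starts right after the header)."""
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass
```

A query for www.mn.uio.no is 31 bytes; the same message over TCP is prefixed with a 2-byte length. The pointer checks in `decode_name` (only backwards, bounded hop count) are what keep a malformed response from sending a parser into a loop.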



Other Resource Records

● TXT:

− Arbitrary text

− Typical usage:

▪ SPAM interception (SPF, see chapter "email")

▪ Domain verification (e.g., certificate registration, some enterprise services)

− Example:

uio.no. 43200 IN TXT "v=spf1 mx ip4:129.240.10.0/25 include:spf.uio.no ?all"
uio.no. 43200 IN TXT "google-site-verification=cDsrExFpfrxrzZukaw2Pyi4J7nQ4Y"
uio.no. 43200 IN TXT "dropbox-domain-verification=eovcv1nrw2n5"
uio.no. 43200 IN TXT "University of Oslo, Norway"

● PTR:

− Reverse lookup: IP address to DNS name (under in-addr.arpa for IPv4, ip6.arpa for IPv6)


Security in DNS: Integrity and Authenticity



DNS Cache Poisoning (Version 1)

[Figure: the client (maybe also the attacker) asks the victim DNS server for the IP address of www.evil.net; the victim forwards the query to the attacker's DNS server for evil.net; the attacker's response carries www.evil.net: 10.1.2.4 plus an unsolicited extra record www.example.org: 10.1.2.3; the victim caches both, so its cache now holds www.example.org 10.1.2.3 (expires 2019-03-14 12:45:06) although the DNS server for example.org was never asked]


DNS Cache Poisoning (Version 1)

● Attack result:

− The legitimate DNS server stores the (wrong) IP address for www.example.org until the TTL has expired

− A DNS request for www.example.org to this DNS server returns the wrong IP address

− The client accesses the attacker's server

● Countermeasure:

− The DNS resolver accepts only records for the requested name and for names inside the zone the queried server is responsible for (the "bailiwick" rule; e.g. a request for example.org may be answered with a record for www.example.org, but a response from the evil.net server must not add a record for www.example.org)


DNS Cache Poisoning (Version 2)

[Figure: the attacker (as client) asks the victim DNS server for the IP address of www.example.org; the victim queries the DNS server for example.org; before the authoritative answer (www.example.org: 10.9.8.7) arrives, the attacker sends a forged answer (www.example.org: 10.1.2.3) using the source IP address of the example.org server (IP spoofing); the genuine answer arrives too late and the victim's cache holds www.example.org 10.1.2.3]


DNS Cache Poisoning (Version 2)

● Countermeasure:

− Query ID

▪ request and response must have the same transaction ID


DNS Cache Poisoning (Version 2)

[Figure: the same exchange; the forged answer is only accepted if it carries the same transaction ID as the victim's outstanding query]


DNS Cache Poisoning (Version 2)

● Countermeasure:

− Query ID

▪ request and response must have the same query ID

▪ originally: the ID was incremented for every request → easy to guess

▪ nowadays (since 2000): the ID is chosen randomly

● Attacks are still possible:

− "just" 2^16 possibilities

− However, the procedure is rather slow for the attacker:

1. Send request

2. Guess the query ID + send response

3. If the ID was wrong, the authoritative response is now in the cache:

a) wait until the cache entry has expired (between seconds and days)

b) back to 1.


DNS Cache Poisoning (Version 2)

[Figure: the same exchange; the attacker's forged answer carries a wrong query ID and is ignored, while the authoritative answer www.example.org: 10.9.8.7 is stored in the cache, so the attacker has to wait for the TTL to expire before the next attempt]


DNS Cache Poisoning

● Dan Kaminsky attack (2008):

1. Send a request for a non-existing hostname (e.g., pqz123.example.org)

2. Guess the query ID

3. Send a response for the targeted hostname (e.g., www.example.org)

4. If the ID was wrong: back to 1. with a fresh random hostname

● Effect:

− The authoritative answer for the random name does not block the next attempt (nothing useful for the targeted name is stored in the cache) → the attacker can retry immediately, at high frequency

● Countermeasure:

− Choose the source UDP port randomly (before: always port 53)

− Now: 2^32 possibilities for query ID + source port

− Attack harder, but still possible (e.g. distributed attack by a botnet)
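The three countermeasures above (bailiwick rule, random query ID, random source port) are easiest to see as the acceptance checks a resolver runs on every incoming response. The simulation below is an added example, not from the lecture; messages are plain dicts rather than wire packets, and the attacker model is the blind-spoofing one from the slides. `spoof_success` gives the probability that a given number of forged packets hits the right ID (and port), which is where the 2^16 versus 2^32 figures come from.

```python
"""Response acceptance checks of a caching resolver, and the guessing cost they impose.

Added example, not from the lecture: a simulated resolver that applies the
countermeasures from the slides (bailiwick rule, random transaction ID,
random source port) to incoming answers. Messages are dicts, not wire
packets; the attacker blindly spoofs the authoritative server's address.
"""
import secrets


def in_bailiwick(name, zone):
    """True if name is at or below the zone the queried server is authoritative for."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self, random_port=True, random_id=True):
        self.random_port, self.random_id = random_port, random_id
        self.pending = {}   # (txid, sport) -> (qname, zone of the queried server)
        self.cache = {}     # name -> rdata
        self._next_id = 0   # used when IDs are sequential (pre-2000 behaviour)

    def send_query(self, qname, zone):
        """Register an outstanding query; return the (txid, sport) it was sent with."""
        txid = secrets.randbelow(1 << 16) if self.random_id else self._next_id
        self._next_id = (self._next_id + 1) & 0xFFFF
        sport = secrets.randbelow(65535 - 1024) + 1024 if self.random_port else 53
        self.pending[(txid, sport)] = (qname, zone)
        return txid, sport

    def receive(self, txid, dport, qname, records):
        """Accept a response only if it matches an outstanding query; cache in-bailiwick records."""
        key = (txid, dport)
        if key not in self.pending:
            return "ignored: no matching query ID / port"
        pending_name, zone = self.pending[key]
        if qname.lower() != pending_name.lower():
            return "ignored: question does not match"
        del self.pending[key]
        for name, rdata in records:
            if in_bailiwick(name, zone):   # version 1 attack: foreign records are dropped
                self.cache[name] = rdata
        return "accepted"


def spoof_success(packets, id_bits=16, port_bits=0):
    """Probability that at least one of `packets` blind guesses matches ID (and port)."""
    per_packet = 1.0 / (1 << (id_bits + port_bits))
    return 1.0 - (1.0 - per_packet) ** packets
```

With a fixed source port (port_bits=0) about 65,000 forged packets give a 63 % chance of one hit, and the Kaminsky trick lets the attacker send them back to back; with a random port as well, the same number of packets succeeds with probability around 1.5 × 10^-5, which is why port randomization, not a longer ID, was the 2008 fix.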


DNSSEC

● Domain Name System Security Extensions

● Goal: ensure the authenticity and integrity of DNS records

● History

− 1993: first discussions and requirement analysis in the IETF

− 1997/1999: first RFCs

− 2005: completely new approach: RFCs 4033 – 4035

− 2010: DNSSEC supported by all root servers (signed root zone)

− 2013: Google Public DNS enables DNSSEC validation by default


DNSSEC

● Basic idea: hierarchy of signed zones

[Figure: (root) → org, edu, gov, mil → example, … → www; each zone signs its own records and vouches for the key of the zone below it]


DNSSEC

● Defines new RR types:

− DNSKEY: a public key of the zone

− DS (Delegation Signer): a hash of a key in a sub-zone, stored and signed in the parent zone

− RRSIG: a digital signature over a set of records

− NSEC, NSEC3: reference to the "next" existing name (proof of non-existence)


[Figure: chain of trust from (root) via .org. to .example.org.: the .org. zone holds a DNSKEY (org-zsk, Zone Signing Key) and signs with RRSIG (key tag org-zsk) the delegation to example.org, i.e. the NS record ns.example.org (A 250.0.0.1 as glue) and the DS record with key tag exa-ksk; the example.org zone holds two DNSKEYs, the Key Signing Key exa-ksk (Secure Entry Point, referenced by the DS in .org.) and the Zone Signing Key exa-zsk; the DNSKEY set is signed with RRSIG (key tag exa-ksk) and the zone data, e.g. www.example.org A 250.0.0.8, with RRSIG (key tag exa-zsk)]
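The DS record in the figure is what ties example.org's KSK to the .org zone: it carries the key tag and a hash of the child's DNSKEY and is signed by the parent. The code below is an added example, not from the lecture; it implements the RFC 4034 Appendix B key tag and the RFC 4509 SHA-256 DS digest over the canonical owner name plus DNSKEY RDATA, and the check a validator (or a zone operator before publishing) makes that the two match. The key bytes are constructed placeholders, not a real ECDSA key, and RRSIG verification is not shown since it needs the public-key algorithm itself.

```python
"""Key tag and DS digest: the link from a parent zone to a child's KSK.

Added example, not from the lecture. Implements two computations a zone
operator runs when publishing a DS record in the parent: the RFC 4034
Appendix B key tag (the number RRSIG and DS records use to name a DNSKEY)
and the RFC 4509 SHA-256 DS digest over owner name + DNSKEY RDATA. The
public key bytes below are constructed placeholders, not a real key.
"""
import hashlib
import struct

FLAG_ZONE_KEY = 0x0100       # bit 7: this DNSKEY is a zone key
FLAG_SEP = 0x0001            # bit 15: Secure Entry Point, i.e. a KSK
PROTOCOL = 3                 # always 3 for DNSSEC
ALG_ECDSAP256SHA256 = 13


def wire_name(name):
    """Canonical (lower-case) wire form of an owner name, as hashed into the DS."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return struct.pack("!HBB", flags, PROTOCOL, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=2):
    """DS RDATA (key tag, algorithm, digest type, hex digest) for a child DNSKEY."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(owner, rdata, ds):
    """Validator side: does the DNSKEY received from the child hash to the parent's DS?"""
    return ds_record(owner, rdata) == ds


# Constructed placeholder key material (NOT a real ECDSA public key).
EXAMPLE_KSK = dnskey_rdata(FLAG_ZONE_KEY | FLAG_SEP, ALG_ECDSAP256SHA256, bytes([0xAA, 0xBB]))
EXAMPLE_ZSK = dnskey_rdata(FLAG_ZONE_KEY, ALG_ECDSAP256SHA256, bytes([0xAA, 0xBB]))
```

The key tag is only a hint for picking the right DNSKEY out of a set (collisions are allowed), so a validator must still verify the digest and, afterwards, the RRSIG; a DS that names the wrong tag or a stale digest is the usual cause of a zone going "bogus" after a key rollover.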


DNSSEC: NSEC

● What about responses for non-existing names?

− Must also be secured!

− Signing "xyz does not exist" at query time is too expensive

− Instead: a signed chain of all existing names

− name1 → name2 → name4 → name5 → name1

Example (source: Wikipedia):

name2  A     172.27.182.17
       RRSIG A 1 3 1000 20060616062444 (
             20060517062444 9927 example.org.
             mMBIXxXU6…uv9aFcPaMyILJg== )
       NSEC  name4 A RRSIG NSEC
       RRSIG NSEC 1 3 10000 20060616062444 (
             20060517062444 9927 example.org.
             vlDpyqQF8b…QoBh4eGjbW49Yw== )


DNSSEC: NSEC

● Example:

− Request: "name3"

− Response: "name2 → name4" (signed), i.e. no name exists between name2 and name4

● Problem:

− An adversary can gradually learn all host names by following the chain ("zone walking")


DNSSEC: NSEC3

● Calculate hash values of all existing names:

− h(name1) = 5238

− h(name2) = 1298

− h(name4) = 3056

− h(name5) = 2149

● Create and sign an ordered list of the hash values:

− 1298 → 2149 → 3056 → 5238

● Request:

− name3 with h(name3) = 4578

● Response:

− 3056 → 5238, signed; proves that 4578 (i.e. name3) does not exist, but reveals only the hashes of the neighbouring names (name4 and name1), not the names themselves
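The NSEC chain, the NSEC3 hashed chain and the zone-walking difference between them can be built directly. The code below is an added example, not from the lecture; it uses the slide's names (name1, name2, name4, name5 under example.org), the RFC 4034 canonical ordering for NSEC, and the real RFC 5155 NSEC3 hash (iterated SHA-1 over the wire-form name and a salt, base32hex output), so the hash values differ from the illustrative numbers on the slide. The salt and iteration count are assumptions. RRSIGs over the chain elements are omitted; in practice they are what makes the returned interval a proof.

```python
"""NSEC chain vs. NSEC3 hashed chain: denial of existence and zone walking.

Added example, not from the lecture. Names are the ones used on the slides;
the NSEC3 hash is the real RFC 5155 construction (iterated SHA-1 over the
wire-form name and a salt, base32hex output), so values differ from the
illustrative numbers on the slide. Salt and iteration count are assumptions.
RRSIGs over the chain elements are omitted.
"""
import base64
import hashlib

NAMES = ["example.org.", "name1.example.org.", "name2.example.org.",
         "name4.example.org.", "name5.example.org."]
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_key(name):
    """RFC 4034 canonical ordering: compare labels from the root, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def wire_name(name):
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec_chain(names):
    """NSEC: each existing name points to the next one in canonical order (circular)."""
    ordered = sorted({n.lower().rstrip(".") + "." for n in names}, key=canonical_key)
    return {n: ordered[(i + 1) % len(ordered)] for i, n in enumerate(ordered)}


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155: SHA1(...SHA1(SHA1(wire || salt) || salt)...), iterations+1 times."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX).rstrip("=")


def nsec3_chain(names, salt=b"", iterations=0):
    """NSEC3: the same chain over the sorted hashes, so the chain reveals no names."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def covering_interval(chain, key, keyfunc=lambda x: x):
    """The (owner, next) pair proving `key` is absent, or None if it exists."""
    if key in chain:
        return None
    k = keyfunc(key)
    for owner, nxt in chain.items():
        a, b = keyfunc(owner), keyfunc(nxt)
        if a < k < b or (a >= b and (k > a or k < b)):   # last element wraps around
            return owner, nxt
    return None


def walk_zone(chain, start):
    """Zone walking: follow the next pointers until back at the start."""
    seen, cur = [], start
    while True:
        seen.append(cur)
        cur = chain[cur]
        if cur == start:
            return seen
```

Walking the NSEC chain from the apex lists every name in the zone; walking the NSEC3 chain lists 32-character hashes, which an adversary can only turn back into names by guessing them offline (dictionary attack against the salted hash), which is why low iteration counts are recommended today. A query for a name that sorts after the last element is covered by the wrap-around interval, handled by the second condition in `covering_interval`.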


DNSSEC: Deployment

[Figure: DNSSEC deployment statistics. Source: https://www.internetsociety.org/]


DNSSEC: Deployment

[Figure: DNSSEC validation statistics. Source: https://stats.labs.apnic.net/dnssec (30 day average, 11/02/2019 - 12/03/2019)]


DNSSEC: Deployment

[Figure: DNSSEC analysis of uio.no. Source: https://dnssec-analyzer.verisignlabs.com/uio.no]


DNS Amplification Attack

[Figure: Client A (attacker) sends a small query "ANY RR for www.example.org?" to a DNS server using the source IP address of Client B (IP spoofing); the server sends the much larger response to Client B (victim)]

Response records (excerpt):

        IN  NS     ns1.example.org.
        IN  NS     ns2.example.org.
        IN  MX 10  mail.example.org.
ns1     IN  A      192.168.0.3
ns2     IN  A      192.168.0.4
mail    IN  A      192.168.0.5
...

[Figure from https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any/]


DNS Amplification Attack (DNSSEC)

[Figure: Client A (attacker) sends a small query for the IP address of www.example.org to a DNS server using the source IP address of Client B (IP spoofing); the DNSSEC-signed response, with its RRSIG and NSEC records, is much larger and is delivered to Client B (victim)]

Response records (excerpt):

www    A     172.27.182.17
       RRSIG A 1 3 1000 20060616062444 (
             20060517062444 9927 example.org.
             mMBIXxXU6…uv9aFcPaMyILJg== )
       NSEC  www2 A RRSIG NSEC
       RRSIG NSEC 1 3 10000 20060616062444 (
             20060517062444 9927 example.org.
             vlDpyqQF8b…QoBh4eGjbW49Yw== )
...
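Seen from the abused server, both variants above have the same signature: one (spoofed) client address receives many large answers to small queries. The script below is an added example, not from the lecture; it runs that check over a constructed query log (the log format and every line in it are invented for the example) and reports per-client amplification factors, which is also how one measures the factor of an ANY or DNSSEC response.

```python
"""Spotting DNS amplification abuse in a resolver's query log.

Added example, not from the lecture. The log format and the lines below are
constructed; a real deployment would feed this from its resolver's query log
or from flow records. The signal is the one the slides motivate: a spoofed
victim address receives large answers to small queries, so bytes out versus
bytes in per client, plus the ANY / DNSSEC query types that yield the largest
answers, are what to watch.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"(?P<ts>\S+) client=(?P<client>[\d.]+) qname=(?P<qname>\S+) qtype=(?P<qtype>\w+) "
    r"do=(?P<do>[01]) req_bytes=(?P<req>\d+) resp_bytes=(?P<resp>\d+)")

# Constructed sample: 10.0.0.9 plays the spoofed victim address (Client B on the slide).
SAMPLE_LOG = """\
12:00:01 client=192.0.2.10 qname=www.example.org. qtype=A do=0 req_bytes=45 resp_bytes=61
12:00:01 client=10.0.0.9 qname=example.org. qtype=ANY do=1 req_bytes=40 resp_bytes=3280
12:00:01 client=10.0.0.9 qname=example.org. qtype=ANY do=1 req_bytes=40 resp_bytes=3280
12:00:02 client=10.0.0.9 qname=example.org. qtype=ANY do=1 req_bytes=40 resp_bytes=3280
12:00:02 client=192.0.2.11 qname=mail.example.org. qtype=MX do=0 req_bytes=47 resp_bytes=83
12:00:02 client=10.0.0.9 qname=example.org. qtype=DNSKEY do=1 req_bytes=40 resp_bytes=1120
12:00:03 client=192.0.2.10 qname=www.example.org. qtype=AAAA do=1 req_bytes=56 resp_bytes=330
"""


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            yield {"client": d["client"], "qtype": d["qtype"], "do": d["do"] == "1",
                   "req": int(d["req"]), "resp": int(d["resp"])}


def per_client_stats(entries):
    """Queries, bytes in/out, ANY count and amplification factor per client address."""
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "any": 0})
    for e in entries:
        s = stats[e["client"]]
        s["queries"] += 1
        s["req"] += e["req"]
        s["resp"] += e["resp"]
        s["any"] += int(e["qtype"] == "ANY")
    for s in stats.values():
        s["amplification"] = round(s["resp"] / s["req"], 1)
    return dict(stats)


def suspects(stats, min_factor=10.0, min_queries=3):
    """Clients whose answers are >= min_factor x their queries over >= min_queries queries."""
    return sorted(c for c, s in stats.items()
                  if s["amplification"] >= min_factor and s["queries"] >= min_queries)
```

In the sample the spoofed address receives roughly 68 bytes for every byte it "sent", while ordinary clients stay below 4. Beyond detection, answering ANY minimally (RFC 8482, the Cloudflare post linked above) and response rate limiting reduce what an attacker gains per packet; the spoofing itself can only be stopped by ingress filtering at the attacker's network.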


DNSSEC – Summary

● Disadvantages:

− High complexity

− Large response messages

▪ DNS amplification

▪ TCP fallback instead of UDP when responses exceed the UDP size limit

− Still no browser support

− No confidentiality protection

● Advantages:

− Stops DNS spoofing attacks

− Can be used as a trust anchor for PKIs (DANE)


Security in DNS: Confidentiality



Privacy Concerns

● DNS messages are not protected from eavesdropping (even with DNSSEC!)

● DNS requests are an easy way of tracking users (e.g., by the ISP or intelligence services)

[Figure: image source: https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/]


DoH and DoT

● Two protocols for adding confidentiality to DNS:

− DNS over HTTPS (DoH)

− DNS over TLS (DoT)

● Both create a protected (TLS) connection between the DNS resolver (client) and the DNS server

● DoH vs. DoT

− DoT uses a service specific port (853)

▪ might be filtered by a firewall/attacker

− DoH uses the standard HTTPS port (443)

▪ usually no filtering

▪ easy integration into an existing Web server deployment

[Figure: protocol stacks. DNS over HTTPS: DNS / HTTP / TLS / TCP / IP. DNS over TLS: DNS / TLS / TCP / IP]


DoH and DoT

● Problem: not very widespread

● Possible solution: use a public (recursive) name server that supports DoH/DoT:

− 8.8.8.8 (Google)

− 1.1.1.1 (Cloudflare)

● Remaining/new problems

− trust in the DNS server required (even more data for Google?)

− no "local" DNS entries (e.g., company Intranet)

● Also a "problem":

− no DNS blocking at the provider

[Figure: image source: Cloudflare]