domain name system dns learning goal
play

Domain Name System (DNS) Learning Goal Foundations of DNS Security - PowerPoint PPT Presentation

Oct 15, 2023 •213 likes •727 views

IN3210 Network Security Domain Name System (DNS) Learning Goal Foundations of DNS Security in DNS: Integrity and Authenticity Confidentiality 2 Foundations of DNS 3 Domain Name System Directory services for name

  1. IN3210 – Network Security Domain Name System (DNS)

  2. Learning Goal ⚫ Foundations of DNS ⚫ Security in DNS: − Integrity and Authenticity − Confidentiality 2

  3. Foundations of DNS 3

  4. Domain Name System ⚫ Directory services for name resolution ⚫ Requirements: − support for “real” names (e.g. server01) and “logical” names (e.g. www.uio.no) − support for different kinds of services (e.g. mail) and address formats (e.g. IPv4, IPv6) − distributed data base − local cache Host name ⚫ DNS: − RFC 1034 IP address − RFC 1035 4

  5. Name Space Definition ⚫ Domain Name Space − tree structure "unnamed root" top-level edu … … gov mil no domains … … uio ruter … − nodes have a "label": 1 – 63 byte − length of root node label = 0 mn − nodes with common parent must not have the same label 5

  6. Name Space Definition ⚫ Terminology − Domain Name ▪ dot-separated sequence of labels along path in the name space tree, read from leaf to root ▪ e.g. mn.uio.no − Domain ▪ "A domain is identified by a domain name and consists of that part of the domain name space that is at or below the domain name which specifies the domain." − Subdomain ▪ "A domain is a subdomain of another domain if it is contained within that domain. This relationship can be tested by seeing if the subdomain's name ends with the containing domain's name. For example, A.B.C.D is a subdomain of B.C.D, C.D, D, and ""." 6

  7. Country Code TLDs (ccTLDs) Image Source: Wikipedia

  8. Generic TLDs (gTLDs) ⚫ „Classic“ gTLD: − .com (commercial) − .edu (educational) − .org (non-commercial) − .arpa (incl. the reserved domain for reverse lookup: in-addr.arpa) ⚫ „New“ gTLDs: − since 2012: hundreds of gTLDs (e.g. 50 from Amazon, 50 from Google) − Examples: .google, .fun, .berlin, .nyc, . ストア , 書籍 8

  9. Name Space Definition ⚫ Zone concept … no … … uio … mn jus med (mn is actually not an own zone; here just shown for the purpose of illustrating multiple zones inside an organization) 9

  10. Name Space Definition ⚫ Zone concept − A sub tree of the DNS tree can be defined as zone − A zone is managed by a single organization − A zone operates name server which store information on: ▪ DNS names inside that zone (“authoritative information”) ▪ Further zones “below” that zone (“glue records”) − Example: ▪ NO zone ▪ Managed by Norid ▪ Manages all names inside the zone (e.g. www.nic.no) ▪ Contains information (“glue records”) on all zones below the NO node (i.e. all .no domains) 10

  11. Name Space Definition ⚫ Responsible for “no" TLD: UNINETT Norid 11

  12. Name Space Definition ⚫ Root name servers − Root zone name servers hold a list of names and IP addresses of the name servers for all top-level domains (TLDs). − TLD resolution requires using a root server to obtain the responsible authoritative server. − Currently (2019): ▪ 13 root name servers (with names in the form <letter>.root-servers.net, where <letter> ranges from A to M) ▪ operated by 12 independent root server operators ▪ 948 instances http://root-servers.org/ 12

  13. from http://root-servers.org/ 13

  14. Name Resolution ⚫ Name Servers − Per zone: two name servers, "primary" and "secondary" − Names servers provide information per node of the related zone ▪ "authoritative data" for "own" zone ▪ "glue data" for querying name servers of delegated subzones − Common data format (for storing and transmitting DNS data) ▪ Resource Records (RRs) 14

  15. Name Resolution ⚫ Resource Records (RRs) − common format owner type class TTL rdata ▪ owner domain name where the RR is found encoded 16 bit value that specifies the RR type, e.g . ▪ type A a host address CNAME alias name ("canonical name") MX identifies a mail exchange for the domain NS authoritative name server for the domain SOA identifies the start of a zone of authority ▪ class encoded 16 bit value for a protocol family IN the Internet system CH the Chaos system 15

  16. Name Resolution ⚫ Resource Records (RRs) − common format owner type class TTL rdata ▪ TTL TTL (Time To Live) describes how long a RR can be cached before it should be discarded. ▪ RDATA type and sometimes class dependent data, e.g. for A for the IN class: a 32 bit IP address MX a 16 bit preference value followed by a host name willing to act as a mail exchange for the owner domain. NS a host name. 16

  17. Name Resolution $ORIGIN example.com. ; names not end in a trailing period (.) ⚫ Zone file ; are appended with example.com. $TTL 2d ; default ttl sample 1 @ IN SOA < some parameters > IN NS dns1.example.com. IN NS dns2.example.com. IN MX 10 mail.example.com. IN MX 20 mail2.example.com. IN A 10.0.1.5 server1 IN A 10.0.1.5 server2 IN A 10.0.1.7 dns1 IN A 10.0.1.2 dns2 IN A 10.0.1.3 ftp IN CNAME server1 mail IN CNAME server1 mail2 IN CNAME server2 www IN CNAME server2

  18. Name Resolution $ORIGIN example.com. ⚫ Zone file $TTL 2d @ IN SOA < some parameters > sample 2 IN NS ns1.example.com. IN NS ns2.example.com. IN MX 10 mail.example.com. ns1 IN A 192.168.0.3 ns2 IN A 192.168.0.4 mail IN A 192.168.0.5 ... ; we define two name servers for the "us" sub-domain $ORIGIN us.example.com. @ IN NS ns3.us.example.com. IN NS ns1.example.com. ; sub-domain address records for name server only - glue record ns3 IN A 10.10.0.24

  19. DNS Services and Protocol ⚫ Name resolution interactions DNS protocol Application gethostbyname Primary other name Resolver Name Server servers (Client) zone transfer Cache other name Secondary Name Server servers 19

  20. DNS Services and Protocol ⚫ Resolution − Client request: recursive resolution, i.e. let the name server scan other name servers and return a complete response − Name server to name server request: iterative resolution, i.e. name server collects (partial) responses from other name servers 20

  21. DNS Services and Protocol ⚫ Name resolution interactions http://www.mn.uio.no/ root Name Server Application ① no ② no Name Server Resolver Name Server (Client) ③ recursive iterative uio uio Name Server List of root name ④ servers mn mn Name Server 21

  22. DNS Caching ⚫ Forwarding every request to the authoritative server would produce a large amount of traffic ⚫ Every DNS resolver stores DNS responses in a local cache ⚫ Subsequent requests for same resource will be answered from the cache ⚫ Entry is erased from the cache after expiration of TTL Name Server mn Name IP Expires Name Server ... ... ... www.mn.uio.no 129.240.118.130 2019-03-14 12:45:06 ... ... ... 22

  23. DNS Service and Protocol ⚫ DNS protocol − Query/Answer protocol − port 53 − TCP or UDP (most common) 23

  24. DNS Service and Protocol

  25. Other Ressource Records ⚫ TXT: − Arbitrary text − Typical usage: ▪ SPAM interception (see chapter “email”) ▪ Domain verification (e.g. certificate registration, some enterprise services) − Example: uio.no. 43200 IN TXT "v=spf1 mx ip4:129.240.10.0/25 include:spf.uio.no ?all" uio.no. 43200 IN TXT "google-site-verification=cDsrExFpfrxrzZukaw2Pyi4J7nQ4Y" uio.no. 43200 IN TXT "dropbox-domain-verification=eovcv1nrw2n5" uio.no. 43200 IN TXT "University of Oslo, Norway" ⚫ PTR: − Reverse lookup: IP address to DNS name 25

  26. Security in DNS: Integrity and Authenticity 26

  27. DNS Cache Poisoning Client (maybe also the attacker) www.evil.net? IP address for DNS server for example.org IP address for www.evil.net ? www.evil.net: 10.1.2.4 www.example.org: 10.1.2.3 DNS server Name IP Expires DNS server for (victim) ... ... ... evil.net www.example.org 10.1.2.3 2019-03-14 12:45:06 (attacker) ... ... ... 27

  28. DNS Cache Poisoning ⚫ Attack result: − Legitimate DNS server stores (wrong) IP address for example.org until the TTL has expired − DNS request for example.org to this DNS server returns the wrong IP address − Client accessed the attacker’s server ⚫ Obstacle for this attack: − Attacker must wait for a request for evil.net ⚫ Countermeasure: − DNS resolver accepts only responses for requested names + siblings (e.g. request example.org, response www.example.org) 28

  29. DNS Cache Poisoning Client (attacker) www.example.com ? Using source IP www.example.com: address of A IP address for (IP spoofing) 10.1.2.3 IP address for www.example.com ? A www.example.com: 10.9.8.7 too late DNS server DNS server for (victim) example.com 29

  30. DNS Cache Poisoning ⚫ Countermeasure: − Query ID ▪ request and response must have same transaction ID 30

  31. DNS Cache Poisoning Client (attacker) www.example.com ? www.example.com: Must have same IP address for transaction ID 10.1.2.3 IP address for www.example.com ? A www.example.com: 10.9.8.7 DNS server DNS server for (victim) example.com 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Domain analysis Domain analysis Goal: build an object-oriented model of the real- world

Domain analysis Domain analysis Goal: build an object-oriented model of the real- world

Domain analysis Domain analysis Goal: build an object-oriented model of the real- world system (or imaginary world) Slicing the soup: OOA vs. OOD OOA concerned with what, not how OOA activities focus on the domain

536 views • 32 slides
Domain analysis l Goal: build an object-oriented model of the real- world system (or imaginary

Domain analysis l Goal: build an object-oriented model of the real- world system (or imaginary

Domain analysis l Goal: build an object-oriented model of the real- world system (or imaginary world) l Slicing the soup: OOA vs. OOD OOA concerned with what , not how OOA activities focus on the domain layer l Common OOA

500 views • 33 slides
Domain Name System (DNS) Smith College, CSC 249 Feb 6, 2017 1 TODAY: Domain Name System q The

Domain Name System (DNS) Smith College, CSC 249 Feb 6, 2017 1 TODAY: Domain Name System q The

Domain Name System (DNS) Smith College, CSC 249 Feb 6, 2017 1 TODAY: Domain Name System q The directory system for the Internet v Used by other application layer protocols v via socket programming q Maps a hostname to an IP address v Host

431 views • 19 slides
CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988 Impact of Configuration Errors on DNS Robustness V. Pappas, Z. Xu, S. Lu, D. Massey, A. Terzis, and L. Zhang, 2004 Spring 2013 The Story So Far .

481 views • 29 slides
Board Update August 5, 2019 Dr. Ken Wallace Maine Township High School District 207 Kens

Board Update August 5, 2019 Dr. Ken Wallace Maine Township High School District 207 Kens

Board Update August 5, 2019 Dr. Ken Wallace Maine Township High School District 207 Kens Goals Overview Domain Goal 1 . Instructional Program Domain Goal 2. Financial Leadership Domain Goal 3. Communication Domain Goal 4. Situational

486 views • 14 slides
Learning Goals 1 Practice Questions 1 3 2 The Holmes scenario 2 1 Learning Goals 1

Learning Goals 1 Practice Questions 1 3 2 The Holmes scenario 2 1 Learning Goals 1

CS 486/686 Probabilities by Xinda Li and Alice Gao 2 Given a description of a domain or a probabilistic model for the domain, determine whether two variables are unconditionally independent. Given a description of a domain or a

316 views • 13 slides
Strong Baselines for Neural Semi-supervised Learning under Domain Shift Sebastian Ruder Barbara

Strong Baselines for Neural Semi-supervised Learning under Domain Shift Sebastian Ruder Barbara

Strong Baselines for Neural Semi-supervised Learning under Domain Shift Sebastian Ruder Barbara Plank Learning under Domain Shift 2 Learning under Domain Shift State-of-the-art domain adaptation approaches 2 Learning under Domain Shift

1.37k views • 112 slides
Name service Domain Name System (DNS) Name : identifier Need a system: Name IP

Name service Domain Name System (DNS) Name : identifier Need a system: Name IP

Name service Domain Name System (DNS) Name : identifier Need a system: Name IP address computers, services, remote objects, files, users, When the size of Internet was small, . a host file: two columns. a

375 views • 10 slides
Chapter 24 Chapter 24 Chapter 24 The Domain Name System The Domain Name System The Domain Name

Chapter 24 Chapter 24 Chapter 24 The Domain Name System The Domain Name System The Domain Name

Chapter 24 Chapter 24 Chapter 24 The Domain Name System The Domain Name System The Domain Name System (DNS) (DNS) (DNS) Raj Jain The Ohio State University Columbus, OH 43210 Jain@CIS.Ohio-State.Edu http://www.cis.ohio-state.edu/~jain/

812 views • 35 slides
About domain controllers Interaction diagrams Not usually a domain concept Dynamic

About domain controllers Interaction diagrams Not usually a domain concept Dynamic

About domain controllers Interaction diagrams Not usually a domain concept Dynamic views of interacting objects Added to the model during design Starts by system event ( external message ) They tie the system to external

75 views • 5 slides
Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts ,

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts ,

Query Log Analysis Detecting Anomalies in DNS Tra ffi c at a TLD Resolver Pieter Robberechts , Maarten Bosteels, Jesse Davis and Wannes Meert Goal and Context Goal and Context The QLAD System Results Conclusion DNS The Domain Name System

659 views • 26 slides
DNS Domain Name System Seminar in distributed Computing 2007/08 Lucien Hansen -

DNS Domain Name System Seminar in distributed Computing 2007/08 Lucien Hansen -

DNS Domain Name System Seminar in distributed Computing 2007/08 Lucien Hansen - lhansen@ethz.ch Overview Naming and Binding of Network Destinations Terminology Examples Interpretation Development of the Domain Name System

427 views • 30 slides
A Censorship Resistant and Fully Decentralized Name System The GNU Alternative Domain System

A Censorship Resistant and Fully Decentralized Name System The GNU Alternative Domain System

A Censorship Resistant and Fully Decentralized Name System The GNU Alternative Domain System Martin Schanzenbach Masters Thesis October 5, 2012 Martin Schanzenbach (TUM) GNU Alternative Domain System 1 Secure, Memorable, Global:

387 views • 19 slides
Transfer Learning from APP Domain to News Domain for Dual Cold-Start Recommendation Jixiong Liu 1

Transfer Learning from APP Domain to News Domain for Dual Cold-Start Recommendation Jixiong Liu 1

Transfer Learning from APP Domain to News Domain for Dual Cold-Start Recommendation Jixiong Liu 1 , Jiakun Shi 1 , Wanling Cai 1 , Bo Liu 2 , Weike Pan 1 Qiang Yang 2 and Zhong Ming 1 { 1455606137,1033150729,382970614 } @qq.com, {

475 views • 23 slides
Naming Domain Name System Guevara Noubir Fundamentals of

Naming Domain Name System Guevara Noubir Fundamentals of

Naming Domain Name System Guevara Noubir Fundamentals of Computer Networks Northeastern University DNS 1 Domain Name System DNS is a fundamental

179 views • 15 slides
Domain-specific front-end for virtual Domain-specific front-end for virtual system modeling

Domain-specific front-end for virtual Domain-specific front-end for virtual system modeling

Domain-specific front-end for virtual Domain-specific front-end for virtual system modeling Workshop on Graphical Modeling Language Development at ECMFA 2012 Janne Vatjus-Anttila, Jari Kreku, Kari Tiensyrj VTT Technical Research Centre of

320 views • 20 slides
CompSci 356: Computer Network Architectures Lecture 23: Domain Name System (DNS) and Content

CompSci 356: Computer Network Architectures Lecture 23: Domain Name System (DNS) and Content

CompSci 356: Computer Network Architectures Lecture 23: Domain Name System (DNS) and Content distribution networks Chapter 9.3.1 Xiaowei Yang xwy@cs.duke.edu Overview Domain Name System Content Distribution Networks DNS attacks

610 views • 57 slides
Dictionaries, Manifolds and Domain Adaptation for Image and Video- based Recognition Rama

Dictionaries, Manifolds and Domain Adaptation for Image and Video- based Recognition Rama

Dictionaries, Manifolds and Domain Adaptation for Image and Video- based Recognition Rama Chellappa University of Maryland Student and the teachers Major points Training and testing data come from different distributions.

780 views • 53 slides
Supporting Multi-domain Use Cases with ALTO Danny A. Lachos * Christian E. Rothenberg * Qiao Xiang

Supporting Multi-domain Use Cases with ALTO Danny A. Lachos * Christian E. Rothenberg * Qiao Xiang

ANRW19 - July 22, 2019 Montreal, Quebec, Canada Supporting Multi-domain Use Cases with ALTO Danny A. Lachos * Christian E. Rothenberg * Qiao Xiang Y. Richard Yang Brje Ohlman # Sabine Randriamasy Farni Boten &amp; Luis M.

356 views • 34 slides
DIVA: Domain Invariant Variational Autoencoders In collaboration with Jakub Tomczak, Christos

DIVA: Domain Invariant Variational Autoencoders In collaboration with Jakub Tomczak, Christos

DIVA: Domain Invariant Variational Autoencoders In collaboration with Jakub Tomczak, Christos Louizos and Max Welling Why do we care about domain generalization/invariance? Domain shift in medical imaging Patient 1 (Rajaraman et al., 2018)

366 views • 34 slides
What is domain adaptation?

What is domain adaptation?

A Two-Stage Approach to Domain Adaptation for Statistical Classifiers Jing Jiang &amp; ChengXiang Zhai Department of Computer Science University of Illinois at Urbana-Champaign What is domain adaptation?

523 views • 20 slides
Module 18: Protection Goals of Protection Domain of Protection Access Matrix

Module 18: Protection Goals of Protection Domain of Protection Access Matrix

Module 18: Protection Goals of Protection Domain of Protection Access Matrix Implementation of Access Matrix Revocation of Access Rights Capability-Based Systems Language-Based Protection Silberschatz, Galvin, and Gagne

314 views • 16 slides
A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints Victor Le

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints Victor Le

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints Victor Le Pochat , Tim Van hamme, Sourena Maroofi, Tom Van Goethem, Davy Preuveneers, Andrzej Duda, Wouter Joosen, Maciej Korczyski NDSS 2020, 25 February 2020

244 views • 23 slides
A Fully Abstract Domain Model for the -Calculus Ian Stark BRICS Department of Computer

A Fully Abstract Domain Model for the -Calculus Ian Stark BRICS Department of Computer

A Fully Abstract Domain Model for the -Calculus Ian Stark BRICS Department of Computer Science University of Aarhus Denmark July 1996 The Issue Languages like CCS and the -calculus provide an algebraic approach to concurrency:

560 views • 15 slides

More recommend