Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis - - PowerPoint PPT Presentation

▶

Jul 02, 2023 138 likes •426 views

Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis Tatang , Carl Schneider, Thorsten Holz Ruhr-University Bochum, Germany Motivation DNS: www.rub.de 134.147.64.10 Daily use on the Internet by every user Various

SLIDE 1

Large-scale Analysis of Infrastructure-leaking DNS Servers

Dennis Tatang, Carl Schneider, Thorsten Holz Ruhr-University Bochum, Germany

SLIDE 2

Motivation

DNS: www.rub.de

134.147.64.10

Daily use on the Internet by every user
Various studies: DDoS, Censorship, Measurements
Overlooked aspect: Leaking DNS servers to external queries with

internal network information

DIMVA 2019, Gothenburg

SLIDE 3

Reconnaissance

Information leakage part of active infrastructure reconnaissance
Goal: Get as much information as possible about a target network

DIMVA 2019, Gothenburg

SLIDE 4

Contributions

Measurement approach to find information leaking DNS servers
Systematic study on DNS servers that might expose internal network

information to external requests

Self-check for identifying information-leaking DNS servers

DIMVA 2019, Gothenburg

SLIDE 5

Domain Name System (DNS)

Distributed, hierarchy-based service
Primarily responsible for translation of domain names

into IP addresses (A, AAAA)

Reverse lookup (PTR)
Private IP ranges (10/8, 172.16/12, 192.168/16)

DIMVA 2019, Gothenburg

SLIDE 6

Idea

Using reverse DNS requests for internal resources
n Internet reachable DNS servers

DIMVA 2019, Gothenburg

SLIDE 7

Discovering Leaking DNS Servers

IPv4

Censys database

... ...

Private networks Scan server DNS server DNS server

DIMVA 2019, Gothenburg

SLIDE 8

Discovering Leaking DNS Servers

IPv4

Censys database

... ...

Private networks Scan server DNS server DNS server

DIMVA 2019, Gothenburg

3 requests per private IP range

SLIDE 9

General Measurement Results

2.000.000 4.000.000 6.000.000 8.000.000 10.000.000 2018-09-08 2018-10-08 2018-11-08 2018-12-08 2019-01-08

DIMVA 2019, Gothenburg

200.000 400.000 600.000 800.000 2018-09-08 2018-10-08 2018-11-08 2018-12-08 2019-01-08

SLIDE 10

Response Groups (1)

DIMVA 2019, Gothenburg

Localhost: “localhost.” Single: one host Emptyresponse: “.” IP: IP addresses Bogon: “bogon.” Arpa: Reverse DNS Constant: unique hostname for all hosts

SLIDE 11

Response Groups (2)

apple, iphone, ipad, samsung,

galaxy, home

DIMVA 2019, Gothenburg

Enduser: Keyword-based Other

SLIDE 12

Response Groups (3)

DIMVA 2019, Gothenburg

No information advantage Bogon Localhost Emptyresponse Constant Arpa IP Active hosts, used subnet Single Active hosts, used subnet, hostnames Enduser Other

SLIDE 13

General Measurement Results

100.000 200.000 300.000 400.000 500.000 600.000 2018-09-08 2018-10-08 2018-11-08 2018-12-08 2019-01-08 localhost single ip emptyresponse constant

ther

enduser arpa bogon

DIMVA 2019, Gothenburg

SLIDE 14

In-depth Analysis

Daemon information
AS numbers
Countries
Private IP ranges
Hostname pattern analysis

DIMVA 2019, Gothenburg

SLIDE 15

Daemon Information

10.000 20.000 30.000 40.000 50.000 60.000 70.000 80.000 2018-10-01 2018-11-01 2018-12-01 2019-01-01 dnsmasq BIND MS DNS PowerDNS

DIMVA 2019, Gothenburg

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 2018-10-01 2018-11-01 2018-12-01 2019-01-01 dnsmasq BIND MS DNS PowerDNS

SLIDE 16

AS Numbers & Countries

DIMVA 2019, Gothenburg

SLIDE 17

AS Numbers & Countries

DIMVA 2019, Gothenburg

SLIDE 18

Countries (normalized)

Country Share Count British Virgin Islands 80% 2,533 Macao 41% 898 Comoros 29% 14

DIMVA 2019, Gothenburg

SLIDE 19

Countries (normalized)

Country Share Count British Virgin Islands 80% 2,533 Macao 41% 898 Comoros 29% 14

DIMVA 2019, Gothenburg

Country Share China 9% USA 3% Romania 15% Russia 3.4%

SLIDE 20

Private IP Ranges

0% 20% 40% 60% 80% 100% 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12

DIMVA 2019, Gothenburg

SLIDE 21

Hostname Pattern Analysis

DIMVA 2019, Gothenburg

SLIDE 22

Hostname Pattern Analysis

DIMVA 2019, Gothenburg

Other 73 clusters Enduser 45 clusters

SLIDE 23

Example Hostname Patterns

<placeholder>.iPhone, <placeholder>.iPad
android-<placeholder>
amazon-<placeholder>
<placeholder>desktop, <placeholder>-PC
Other:
firewall<placeholder>, <placeholder>.dmz

DIMVA 2019, Gothenburg

SLIDE 24

Mitigation & Self-Check

DIMVA 2019, Gothenburg

SLIDE 25

Discussion

Share is about 3.9% - Absolute numbers up to 574,000 servers
Proper information leakage present with up to 158,000 servers
No implementation problem but rather a configuration problem
Number of potentially usable leaking DNS servers highest in the USA

DIMVA 2019, Gothenburg

SLIDE 26

Conclusion

Observed that misconfigured DNS servers might leak internal

information to external intruders without the need for an exploit or vulnerability (configuration issue)

Almost 4% of the DNS servers might leak such information
Not a major Internet security problem, but the absolute numbers

should be reduced

Data at https://github.com/RUB-SysSec/InfraLeakingDNS

DIMVA 2019, Gothenburg

SLIDE 27

Questions?

Dennis Tatang dennis.tatang@rub.de @dennis4its on Twitter

DIMVA 2019, Gothenburg

Conclusion

Observed that misconfigured DNS servers

might leak internal information to external intruders without the need for an exploit or vulnerability (configuration issue)

Almost 4% of the DNS servers might leak such

information

Not a major Internet security problem, but the

absolute numbers should be reduced

Data at https://github.com/RUB-

SysSec/InfraLeakingDNS