Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview - PowerPoint PPT Presentation

Resilient Networking 6: Attacks on DNS 1

Chapter Outline  Overview of DNS  Known attacks on DNS – Denial-of-Service – Cache Poisoning  Securing DNS – Split-Split-DNS – DNSSEC 2

DNS – The Domain Name System  Naming Service for (almost all) Internet traffic  Lookup of (resolve) – Host-Addresses – Mail-Servers – Alias Names – Alternative Name Servers – …  Distributed Database consisting of multitude of servers 3

DNS – Names  People: many identifiers: Domain Name System:  Distributed database implemented – SSN, name, passport #  Internet hosts, routers: in hierarchy of many name servers  Application-layer protocol: hosts, – IP address (32 bit) - used for addressing datagrams routers, name servers communicate to resolve names – “Name”, e.g., www.yahoo.com (address/name translation) - used by humans  Q: Map between IP addresses – Note: core Internet function, implemented as application- and name ? layer protocol – Complexity at network’s “edge” 4

DNS – what does it do? DNS services Why not centralize DNS?  Hostname to IP address translation  Single point of failure  Host aliasing  Traffic volume  Distant centralized database – Canonical and alias names  Mail server aliasing  Maintenance  Load distribution  does not scale! – Replicated Web servers: set of IP addresses for one canonical name What does this „ it scales “ mean anyways!? 5

DNS – Data Organization: Domains / Zones “.” com org edu google bbc mit caltech  Structured Namespace  Hierarchical organization in sub domains/zones  Sourced at “root zone” (“.”)  Parent zones maintain pointers to child zones ( “zone cuts” )  Zone data is stored as “Resource Records” (RR) 6

Distributed, Hierarchical Database Root DNS Servers de DNS servers org DNS servers edu DNS servers poly.edu umass.edu pbs.org google.de uni-hamburg.de DNS servers DNS servers DNS servers DNS servers DNS servers Client wants IP for www.iss.informatik.uni-hamburg.de; 1 st approx:  Client queries a root server to find de DNS server  Client queries de DNS server to get uni-hamburg .de DNS server  Client queries uni-hamburg.de DNS server to get IP address for www.iss.uni-hamburg.de 7

DNS: Root Name Servers  Contacted by local name server that can not resolve name  Root name server: – Contacts authoritative name server if name mapping not known – Gets mapping – Returns mapping to local name server So, how many root nameservers are there actually? (physically) a Verisign, Dulles, VA c Cogent, Herndon, VA (also Los Angeles) d U Maryland College Park, MD k RIPE London (also Amsterdam, Frankfurt) g US DoD Vienna, VA h ARL Aberdeen, MD i Autonomica, Stockholm (plus 3 j Verisign, ( 11 locations) other locations) m WIDE Tokyo e NASA Mt View, CA f Internet Software C. Palo Alto, CA (and 17 other locations) 13 root name servers worldwide b USC-ISI Marina del Rey, CA [A..M].ROOT-SERVERS.NET l ICANN Los Angeles, CA 8

Anycast for load distribution, 13 addresses are used by several hundreds of servers at distinct DNS: Root Name Servers places of earth http://www.circleid.com/posts/dns_root_servers_google_maps/ 9

DNS – Components  Authoritative Server – Server maintaining authoritative content of a complete DNS zone – Top-Level-Domain (TLD) servers & auth servers of organization’s domains – Pointed to in parent zone as authoritative – Possible load balancing: master/slaves  Recursive (Caching) Server – Local proxy for DNS requests – Caches content for specified period of time (soft-state with TTL) – If data not available in the cache, request is processed recursively  Resolver – Software on client’s machines (part of the OS) – Windows-* and *nix: Stub resolvers • Delegate request to local server • Recursive requests only, no support for iterative requests 10

DNS – Message Format 0 1 2 3 Identification Flags and Codes Question Count Answer Record Count Name Server (Auth Record) Count Additional Record Count Questions Answers Authority Additional Information Q/R OPCode AA TC RD RA Zero RespCode 16 17 21 22 23 24 25 28 31   Q/R Query/Response Flag RD Recursion Desired Flag   Operation Code RA Recursion Available Flag   AA Auth. Answer Flag Zero (three resv. bits)   TC Truncation Flag Response Code 11

DNS – Header Fields  Identifier: a 16-bit identification field generated by the device that creates the DNS query. It is copied by the server into the response, so it can be used by that device to match that query to the corresponding reply  Query/Response Flag: differentiates between queries and responses (0 ~ Query, 1 ~ Response)  Operation Code: specifies type of message (Query, Status, Notify, Update)  Authoritative Answer Flag (AA): set to 1 if the answer is authoritative  Truncation Flag: When set to 1, indicates that message was truncated due to its length (might happen with UDP, requestor can then decide to ask again with TCP as transport service)  Recursion Desired: set to 1 if requester desired recursive processing  Recursion Available: set to 1 if server supports recursive queries 12

DNS – Resource Records  Atomic entries in DNS are called “Resource Records” (RR)  Format: <name> [<ttl>] [<class>] <type> <rdata>  name (domain name of resource)  ttl (Time-to-live)  class (used protocol): IN (Internet), CH (Chaosnet )…  type (record type): A (Host-Address), NS (Name Server), MX (Mail Exchange), CNAME (Canonical Name), AAAA (IPv6-Host-Address), DNAME (CNAME, IPv6)  rdata (resource data): Content! (What did we want to look up?) 14

DNS Records DNS: Distributed DB storing resource records (RR) RR Format: (name, value, type, ttl)  Type=A  Type=MX – name is hostname – value is name of mailserver associated with name – value is IP address  Type=CNAME  Type=NS – name is alias name for some – name is domain (e.g. foo.com) “canonical” (the real) name – value is IP address of – www.ibm.com is really authoritative name server for this domain – servereast.backup2.ibm.com – value is canonical name 15

DNS: Caching and Updating Records  Once (any) name server learns mapping, it caches mapping – Cache entries timeout (disappear) after some time – TLD servers typically cached in local name servers – Thus, root name servers not often visited  Update/notify mechanisms designed by IETF – RFC 2136 – http://www.ietf.org/html.charters/dnsind-charter.html 18

Inserting Records Into DNS  Example: just created startup “Network Utopia”  Register name networkutopia.com at a registrar (e.g., Network Solutions) – Need to provide registrar with names and IP addresses of your authoritative name server ( primary and secondary ) – Registrar inserts two RRs into the com TLD server: (networkutopia.com, dns1.networkutopia.com, NS) (dns1.networkutopia.com, 212.212.212.1, A)  Add authoritative server Type A record for www.networkutopia.com and Type MX record for networkutopia.com 19

DNS – Recursive and Iterative Queries DNS HEADER (send) - Identifier: 0x027B - Flags: 0x00 (Q ) - Opcode: 0 (Standard query) - Return code: 0 (No error) - Number questions: 1 - Number answer RR: 0 - Number authority RR: 0 - Number additional RR: 0 root DNS server QUESTIONS (send) (A.ROOT-SERVERS.NET) - Queryname: (3)www(3)iss(10)informatik(11)uni-hamburg(2)de 2 - Type: 1 (A) iterative Auth DNS server - Class: 1 (Internet) 3 (TLD: dns-3.dfn.d) 4 local (caching) DNS server Auth DNS server 5 (via dhcp) iterative (TUD: dns1.uni-hamburg.de) 6 recursive 1 7 iterative 8 www.iss.informatik.uni-hamburg.de ip-92-50-90-182.unitymediagroup.de 20