Security of Domain Name System (DNS)

Hi and welcome. The Domain Name System (DNS) is a hierarchical and distributed naming system for resources hosted on the internet or in a private network. In this video, I will discuss the security of the Domain Name System, including its architecture, the DNS query resolution process, DNS Security Extensions (DNSSEC), attacks against DNS and countermeasures. Before moving further, please turn on the subtitles for this video.

In order to establish communication with a destination system, the sender needs the logical and physical addresses of the destination system. These addresses are very difficult to remember, therefore we use the human-friendly naming system provided by DNS. The underlying addressing is based on numbers or hexadecimal values, e.g. the MAC address of the destination system, which is the layer 2 address (Data Link Layer of the OSI model); the MAC address is the permanent physical address. Moreover, we also need the logical address, e.g. the IP (Internet Protocol) address of the destination system, which operates at layer 3 (Network Layer of the OSI model). The IP address is a logical and temporary address of the destination system. Address Resolution Protocol (ARP) is used to translate an IP address into its MAC address, and Reverse ARP is used to translate a MAC address into its IP address. The MAC address is a permanent physical address, but some network interface cards (NICs) provide the facility to change the MAC address of a system: when this change is supported by the NIC, it occurs at the hardware level, and when it is supported by the operating system (OS), it only happens in the memory of the system. The IP address can also be changed by a DHCP server or by the administrator, and an administrator may also statically assign an IP address to a system.

That is all for addressing, but these MAC and IP addresses are very difficult for a human being to remember, therefore we use another layer of naming which operates at layer 7 of the OSI model (Application Layer). The Domain Name System (DNS) provides system names, which are logical and temporary (like IP addresses). DNS translates domain names into IP addresses, and then ARP translates the IP address into a MAC address. DNS reverse lookups carry out the reverse translation, from IP addresses into Fully Qualified Domain Names (FQDNs). This is only possible if a PTR record is defined among the resource records, because the PTR record holds the linkage between an IP address and an FQDN. A domain name can be changed by the administrator (like an IP address).

DNS is a hierarchical naming system. For example, www.google.com is a fully qualified domain name (FQDN) and it has three parts: .com, then google and then www. Here .com is the top-level domain (TLD); there are 7 top-level domains like .com, .org, .edu, .mil, .gov, .net and .int, plus the two-letter country codes like .us, and there are also newer top-level domains, which are mentioned here. The second (middle) part is google, which is the registered domain that one has to register with a domain registrar. The third part is www, which is a subdomain or hostname; it can also be multi-sectioned, e.g. server1.group3.bldg5.mycompany.com. A fully qualified domain name (FQDN) can have a maximum of 253 characters, and each section separated by a dot (.) can have a maximum of 63 characters (letters, numbers and hyphens). The zone file contains the resource records of a domain; the primary authoritative name server contains and manages the zone file for a particular domain, and the secondary authoritative name server also has access to this zone file, but this access is read-only.

Now the DNS query resolution process. Earlier we used the hosts file, which was static and not scalable, but now dynamic DNS query resolution has replaced the hosts file process, and it is done at run time to find the IP address for a fully qualified domain name (FQDN). First of all, we perform a lookup in the local cache on the system, which comprises the hosts file and old DNS responses from the current session. If the IP address of the FQDN is found in the local cache, then that system is approached based on its IP address. If this is not the case, then a dynamic DNS query is sent by the client to the DNS server; this DNS server is configured in the IP configuration of the DNS client, and the DNS query is performed using UDP port 53. Zone file transfers are performed between DNS servers; the zone file contains the records of a particular domain and is very sensitive, therefore the transfer is performed using TCP port 53. Moreover, TCP port 53 can also be used if the responses to normal DNS queries exceed 512 bytes.

DNS Security Extensions (DNSSEC) provide authentication of DNS responses by digitally signing them, so DNSSEC counters false DNS responses and name server abuses. DNSSEC does not provide confidentiality; it only provides authentication and integrity of DNS data.

Now there are certain attacks against DNS, and the main attack is DNS poisoning: you poison or corrupt the DNS data either by attacking the DNS servers or their zone files, or by performing man-in-the-middle attacks and other mechanisms and techniques. One technique is to corrupt the zone file of a DNS server for a particular domain; the name server then sends false responses to clients, and the client is redirected to a false IP or server. DNS poisoning can also be performed by setting up a rogue DNS server (pharming or DNS spoofing), because you are spoofing the legitimate DNS server. The rogue DNS server sends the false IP before the response from the real server is sent, and this false response contains the same query ID (QID), or transaction ID (TxID), that was earlier initiated by the DNS client seeking the IP address of a fully qualified domain name (FQDN). After receiving the false reply, the client closes the DNS query session, and if it later receives the real response, that real response is dropped because there is no active session. DNS pharming sets up a malicious website (domain) and the user is redirected to this malicious website; such a website may be set up for targeted users, e.g. a specific company. In 2008, a vulnerability was demonstrated by the security researcher Dan Kaminsky (the Dan Kaminsky vulnerability) at the Black Hat conference; this vulnerability targeted the name server of a particular domain by poisoning its cache.
So this name server is also known as a recursive name server: because the recursive name server does not have the IP address of the destination system asked for by its client, it sends the query to another name server. By corrupting the cache of this recursive name server, the recursive name server redirects the user to a wrong IP address. What happens is that this attack targeted the cache of the recursive name server by injecting false information about the authoritative name server of a particular domain. So if a client asks the recursive name server for a particular website which is not in the domain of this recursive name server, and for which it has to ask another name server, then it asks the wrong authoritative name server, since the cache of the recursive name server has been corrupted with a false IP for the authoritative name server of that other domain. Due to this vulnerability, the recursive name server each time approaches the wrong, malicious name server when asking for resources related to that domain.

Another attack is corrupting the hosts file of the client, so that the client is redirected to a false IP or to a malicious website. Another attack is corrupting the IP configuration of the client for its name server, redirecting it to a false DNS server. Another attack is corrupting the web browser of the client so that it is redirected to a rogue proxy server, and this proxy server redirects the user to a malicious phishing website. Another attack is hijacking the domain name by changing the registration of a legitimate domain. This can be performed using cross-site request forgery (XSRF) to steal the current session of the domain owner and then change the registration of the particular domain. Domain hijacking can also be performed by exploiting a vulnerability in a domain registrar's system. Another attack, which is actually not an attack and not an unlawful activity, is that once the domain registration for a particular domain has expired, a third party registers this domain. This is not unlawful but it is unethical; since it is possible due to an oversight by the real owner it is not unlawful, but after getting the registration for the targeted domain, the third party may set up the same website to fake the clients of the real website and target them.

What are the countermeasures? Basically there are two categories of countermeasures. The first category is limiting DNS queries and zone file transfers. The second category is deploying a NIDS (network-based intrusion detection system) to detect any malicious DNS traffic, deploying DNS Security Extensions (DNSSEC), and hardening the client and server. When we talk about limiting DNS queries and zone file transfers, this is possible by blocking inbound TCP port 53, i.e. blocking zone file requests from external systems that are requesting the zone file for your domain; by blocking outbound UDP 53, which is used to query domains from external servers; by blocking inbound responses from external servers, so that malicious servers cannot send malicious DNS responses with wrong information; and by allowing outbound TCP port 53 only to limited external servers, that is, zone file requests only to limited and trusted external servers.

This is the list of resource records that are found in a zone file. On the left side you can see the names of these records, and on the right side you can see what information each resource record category contains. The address record (A) links the fully qualified domain name to an IPv4 address (32-bit), and the second address record (AAAA) links the fully qualified domain name to an IPv6 address (128-bit). The pointer record (PTR) links the IP address to its fully qualified domain name (FQDN), and it is used for DNS reverse lookups. The canonical name record (CNAME) links the aliases of a particular fully qualified domain name (FQDN). MX is the mail exchange IP related to a fully qualified domain name, and NS is the IP address of the authoritative name server; in Dan Kaminsky's attack, this authoritative name server IP was replaced with the malicious or fake IP of a malicious name server for a particular domain. The Start of Authority (SOA) record contains the information about a zone file.
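As an added example (not from the original video or post), the zone below is constructed text that exercises each record type listed above. The parser turns the zone file into records and answers forward lookups, following CNAME aliases as a resolver does, and reverse lookups, which succeed only when a PTR record exists for the address, as the text states. The addresses come from the documentation ranges and the names are invented.

```python
"""Added example (not part of the original page): a parser for a small zone
file containing the record types listed above, with forward and reverse
lookups over the parsed records. The zone text is constructed for this
example; addresses are from the documentation ranges and the names are invented."""
import ipaddress

ZONE_TEXT = """\
$ORIGIN example.com.
$TTL 3600
@      IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 300
@      IN NS    ns1.example.com.
@      IN NS    ns2.example.com.
@      IN MX    10 mail.example.com.
ns1    IN A     192.0.2.1
ns2    IN A     192.0.2.2
mail   IN A     192.0.2.25
www    IN A     192.0.2.10
www    IN AAAA  2001:db8::10
ftp    IN CNAME www
; PTR records normally live in a separate in-addr.arpa zone; an absolute
; owner name lets this one parser hold it too (note: only www has one).
10.2.0.192.in-addr.arpa. IN PTR www.example.com.
"""

NAME_TYPES = {"NS", "CNAME", "PTR"}

def qualify(name, origin):
    """Zone-file rules: '@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def absolute(name):
    """Lookup names are taken as fully qualified, with or without the trailing dot."""
    return name.lower().rstrip(".") + "."

def parse_zone(text):
    """Parse $ORIGIN/$TTL directives and one-line A, AAAA, PTR, CNAME, MX, NS and SOA records."""
    origin, ttl, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
            continue
        if fields[0] == "$TTL":
            ttl = int(fields[1])
            continue
        owner, rclass, rtype, rdata = fields[0], fields[1], fields[2], fields[3:]
        if rclass != "IN":
            raise ValueError(f"unsupported class {rclass!r}")
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata[0])
            if (rtype == "A") != (addr.version == 4):   # A is 32-bit IPv4, AAAA is 128-bit IPv6
                raise ValueError(f"{rtype} record with wrong address family: {rdata[0]}")
            data = str(addr)
        elif rtype in NAME_TYPES:
            data = qualify(rdata[0], origin)
        elif rtype == "MX":                            # preference, then mail exchanger name
            data = (int(rdata[0]), qualify(rdata[1], origin))
        elif rtype == "SOA":                           # primary server, contact, then timers
            keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
            vals = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + [int(v) for v in rdata[2:7]]
            data = dict(zip(keys, vals))
        else:
            raise ValueError(f"unsupported record type {rtype!r}")
        records.append({"owner": qualify(owner, origin), "type": rtype, "ttl": ttl, "data": data})
    return {"origin": origin, "records": records}

def lookup(zone, name, rtype, max_aliases=8):
    """Forward lookup; follows CNAME aliases, as a resolver does, up to max_aliases hops."""
    name = absolute(name)
    for _ in range(max_aliases + 1):
        hits = [r["data"] for r in zone["records"] if r["owner"] == name and r["type"] == rtype]
        if hits or rtype == "CNAME":
            return hits
        aliases = [r["data"] for r in zone["records"] if r["owner"] == name and r["type"] == "CNAME"]
        if not aliases:
            return []
        name = aliases[0]
    raise ValueError("CNAME chain too long")

def reverse_lookup(zone, ip):
    """IP -> FQDN via the PTR record; None when no PTR exists for that address."""
    ptr = lookup(zone, ipaddress.ip_address(ip).reverse_pointer, "PTR")
    return ptr[0] if ptr else None

if __name__ == "__main__":
    zone = parse_zone(ZONE_TEXT)
    print(lookup(zone, "ftp.example.com", "A"))     # ['192.0.2.10'] via the CNAME
    print(reverse_lookup(zone, "192.0.2.10"))       # www.example.com.
    print(reverse_lookup(zone, "192.0.2.25"))       # None: no PTR record for mail
```

The reverse lookup builds the in-addr.arpa owner name from the address and simply looks for a PTR record under it, so an address without a PTR record (mail, above) resolves to nothing, which is the limitation the text describes.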
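The countermeasures described above can be expressed as a small policy over DNS flow records. The following is an added example, not from the original video or post: it applies the four limiting rules (inbound TCP 53, outbound UDP 53, inbound responses from external servers, outbound TCP 53 only to trusted servers) to constructed flow log lines and reports the flows they reject as NIDS-style alerts. The internal network, the resolver address, the trusted external server and the log format are assumptions of the example, and so is the exemption that lets the designated resolver still query external servers while clients are blocked from doing so.

```python
"""Added example (not part of the original page): a policy and detection
engine that applies the page's DNS countermeasures to DNS flow records.
Network layout, addresses and the log format are assumptions of this example."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")                 # assumed internal network
RESOLVER = ipaddress.ip_address("10.0.0.53")                  # assumed internal recursive resolver
TRUSTED_ZONE_PEERS = {ipaddress.ip_address("198.51.100.53")}  # assumed trusted external name servers

# Constructed flow log: src dst proto dport op   (op is query, response or axfr)
SAMPLE_LOG = """\
10.0.1.20      10.0.0.53      udp 53 query
10.0.0.53      10.0.1.20      udp 53 response
10.0.0.53      203.0.113.5    udp 53 query
203.0.113.5    10.0.0.53      udp 53 response
10.0.1.21      203.0.113.9    udp 53 query
203.0.113.66   10.0.0.53      udp 53 response
203.0.113.77   10.0.0.54      tcp 53 axfr
10.0.0.54      198.51.100.53  tcp 53 axfr
10.0.0.54      203.0.113.88   tcp 53 axfr
"""

def parse_line(line):
    src, dst, proto, dport, op = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport), op

def evaluate(flow, outstanding):
    """Return (verdict, reason) for one flow; outstanding tracks the resolver's open queries."""
    src, dst, proto, dport, op = flow
    inbound = src not in INTERNAL and dst in INTERNAL
    outbound = src in INTERNAL and dst not in INTERNAL
    if dport != 53:
        return "allow", "not DNS"
    if proto == "tcp":
        if inbound:   # rule 1: block inbound TCP/53 (zone file requests from external systems)
            return "deny", "inbound TCP/53 from external system (zone transfer request)"
        if outbound:  # rule 4: outbound TCP/53 only to limited, trusted external servers
            if dst in TRUSTED_ZONE_PEERS:
                return "allow", "outbound TCP/53 to trusted external server"
            return "deny", "outbound TCP/53 to untrusted external server"
        return "allow", "internal TCP/53"
    if op == "query" and outbound:    # rule 2: block outbound UDP/53 queries to external servers
        if src == RESOLVER:           # assumption: the designated resolver is exempt so recursion works
            outstanding.add((src, dst))
            return "allow", "resolver query to external server"
        return "deny", "outbound UDP/53 query from client bypassing the resolver"
    if op == "response" and inbound:  # rule 3: block inbound responses from external servers
        if (dst, src) in outstanding:  # unless the resolver is waiting on exactly this server
            outstanding.discard((dst, src))
            return "allow", "response to an outstanding resolver query"
        return "deny", "unsolicited inbound response from external server"
    return "allow", "internal DNS traffic"

def audit(log_text):
    """Evaluate every flow line in order; returns a list of (line, verdict, reason)."""
    outstanding, results = set(), []
    for line in log_text.splitlines():
        if line.strip():
            verdict, reason = evaluate(parse_line(line), outstanding)
            results.append((" ".join(line.split()), verdict, reason))
    return results

def alerts(log_text):
    """NIDS view: only the flows the policy rejects."""
    return [(line, reason) for line, verdict, reason in audit(log_text) if verdict == "deny"]

if __name__ == "__main__":
    for line, reason in alerts(SAMPLE_LOG):
        print("ALERT", line, "->", reason)
```

Evaluating the flows in order matters: the response from 203.0.113.5 is accepted only because the resolver's query to that server was seen first, while the response from 203.0.113.66 matches no outstanding query and is reported, which is the unsolicited-response case the rogue-server attack relies on.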
