Domain Name System (DNS) TODAY & TOMORROW
PRESENTED BY: JAMES SPEIRS, CHARLES HIGBY, BRADY REDFEARN

Overview
o History
o How It Works
o DNS Packet Structure
o DNS Features
o DNS Security Evolution, Early Days
o Current DNS Issues
o Bailiwick Defined
o BIND 9.6 Or Later
o Guilty Parties
o DNS Exploit, Dan Kaminsky
o BIND 8 Or Earlier
o Kaminsky's Results
o What Can Save Us?

History
Pre-DNS
o Hosts file
    Stanford Research Institute (SRI)
    FTP

History Continued
1983
o Paul Mockapetris, inventor
o RFCs 882 & 883
1984
o Berkeley & UNIX
1985
o Kevin Dunlap, Digital Equipment Corporation (DEC)
o Berkeley Internet Name Domain (BIND)
1987
o RFCs 1034 & 1035
1990s
o BIND ported to Windows NT

How It Works
Distributed Databases
o Local machine
    Hosts file
        Linux - /etc/hosts
        Mac - /private/etc/hosts
        Windows - %SystemRoot%\system32\drivers\etc\
    Local cache
        Active memory
        Browser cache

How It Works Continued
Distributed Databases
o Not on local machine
    UDP request, 100 bytes
    ISP DNS responds
    ISP's ISP DNS responds
    Core DNS responds

DNS Packet Structure

DNS Features
Name server responds with all sub-domains
o microsoft.com
o secure.microsoft.com
o update.microsoft.com
Compression (~3x)
Redundancy
Round-robin assignment
Entry expiration (3,600 seconds)
o 3,600 second default
o Defined by name server
The "big 13 root servers" always contain the main DNS entries
o .com, .net, .tv, .info, .gov, .mil, etc.
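The packet structure and the compression feature described on the slides above, as an added example that is not part of the original presentation: a minimal parser for a DNS response message in Python. The sample message is constructed here (transaction ID, names, addresses and TTLs are made up, using the 192.0.2.0/24 documentation range) and uses RFC 1035 compression pointers, which is what gives the "~3x" saving the slide mentions. The parser also refuses pointer loops and forward pointers, a check a resolver has to make before trusting anything else in the packet.

```python
import struct

# Constructed sample: a response to an A query for www.example.com carrying two
# A answers and one NS authority record.  Names after the question section are
# written as 2-byte compression pointers (top two bits 11, then a 14-bit offset).
def build_sample_response():
    header = struct.pack(">HHHHHH", 0x1A2B, 0x8180, 1, 2, 1, 0)  # id, flags(QR,RD,RA), QD, AN, NS, AR
    qname = b"\x03www\x07example\x03com\x00"                      # starts at offset 12
    question = qname + struct.pack(">HH", 1, 1)                    # QTYPE=A, QCLASS=IN
    rr_fixed = struct.pack(">HHIH", 1, 1, 3600, 4)                 # A, IN, TTL 3600, RDLENGTH 4
    ans1 = b"\xC0\x0C" + rr_fixed + bytes([192, 0, 2, 10])         # pointer -> offset 12 (www.example.com)
    ans2 = b"\xC0\x0C" + rr_fixed + bytes([192, 0, 2, 11])
    # Authority: example.com (pointer -> offset 16) NS ns1.example.com, rdata "ns1" + pointer -> 16
    auth = b"\xC0\x10" + struct.pack(">HHIH", 2, 1, 86400, 6) + b"\x03ns1\xC0\x10"
    return header + question + ans1 + ans2 + auth

# Constructed malformed message: the question name is a pointer to itself.
def build_loop_sample():
    return struct.pack(">HHHHHH", 1, 0, 1, 0, 0, 0) + b"\xC0\x0C"

def read_name(msg, offset):
    """Decode a possibly compressed name starting at offset.
    Returns (dotted name, offset just past the name in the *current* sequence)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:                       # pointers must go backwards; otherwise a loop is possible
                raise ValueError("bad compression pointer at offset %d" % offset)
            if end is None:                             # remember where the name ends in the outer sequence
                end = offset + 2
            hops += 1
            if hops > 64:
                raise ValueError("too many compression hops")
            offset = pointer
            continue
        if length == 0:                                 # root label terminates the name
            offset += 1
            break
        if length > 63:
            raise ValueError("label too long")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)

def parse_message(msg):
    """Parse header, question and all resource records; A and NS rdata are decoded."""
    tid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack(">HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    sections = {"answers": [], "authority": [], "additional": []}
    for i in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:                   # A record: four octets
            rdata = ".".join(str(b) for b in rdata)
        elif rtype == 2:                                # NS record: a (compressible) name
            rdata, _ = read_name(msg, off)
        off += rdlen
        key = "answers" if i < an else ("authority" if i < an + ns else "additional")
        sections[key].append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata})
    return {"id": tid, "flags": flags, "questions": questions, **sections}

def is_well_formed(msg):
    try:
        parse_message(msg)
        return True
    except (ValueError, struct.error, IndexError):
        return False

if __name__ == "__main__":
    print(parse_message(build_sample_response()))
    print("loop sample accepted:", is_well_formed(build_loop_sample()))
```

The transaction ID at the front of the header is the 16-bit value the later slides discuss: on the wire it is all a cache has to match a reply against its outstanding query, unless the source port adds entropy too.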
o http://www.isoc.org/briefings/020/zonefile.shtml

DNS Security Evolution, Early Days
No bad guys in 1983
Transaction ID (TID)
o Incrementing integer counter
o Random TID
Port 53
o Incoming port 53
o Outgoing port 53
o Random outgoing port, Dan Bernstein

Current DNS Issues
DNS Poisoning
o First response wins
o No TCP
o Transaction IDs – 16 bits
o Ports – 16 bits
DNS Controllers
o ICANN
o US Commerce Department
o Verisign
o 13 core servers

Bailiwick Defined
o "The neighborhood of the domain"
Bailiwicked Domain Attack
o In bailiwick
    microsoft.com
    update.microsoft.com
    security.microsoft.com
    All acceptable DNS entries
o Not in bailiwick
    google.com
    yahoo.com
    These entries are thrown away

BIND 9.6 Or Later
Example of current version of BIND

Guilty Parties
o Any DNS not randomizing ports
o OpenWRT software
Secure Services
o OpenDNS
o djbdns
o Simple router software

DNS Exploit, Dan Kaminsky
Cache miss at ISP
o Find DNS IPs for example.com
    ns1.example.com (1.1.1.1)
    ns2.example.com (1.1.1.2)
o Send query for bogus machine aaa.example.com
o ISP's DNS queries example.com for the fake computer
    Note UDP outgoing port from ISP (7649)
o Send 100 UDP packets with random TIDs to ISP at port 7649 with your IP 1.1.1.100 as location for example.com

BIND 8 Or Earlier
Example of older versions of BIND

Kaminsky's Results
Repeat the exploit for any domain
In 30 seconds, you control the entire domain
Works because
o New IPs are in bailiwick
o New IPs replace old ones at ISP
o Make TTL really big
    Maximum of 2,147,483,647 seconds
    68+ years
    Never expires
o Nothing appears wrong
    URL bar is http://www.google.com
    Displayed site is google.com

What Can Save Us?
SSL certificates
o Cannot be duplicated
o Must be examined
If available, force HTTPS
Most sites don't support either solution
Test your ISP
o entropy.dns-oarc.net/test

Questions
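The bailiwick rule from "Bailiwick Defined", the 16-bit TID and port search space from "Current DNS Issues", and the oversized-TTL point from "Kaminsky's Results", brought together in one added example that is not from the slides and is not BIND's or any resolver's actual code: a resolver-side acceptance check in Python. Before caching anything from a reply, it requires the TID and destination port to match the outstanding query, requires the question to be echoed back, drops every record outside the queried zone's bailiwick, and clamps TTLs to a cap. The pending query, the reply records, the addresses and the 7-day cap are constructed assumptions; the dict layout is hypothetical rather than a library API.

```python
MAX_CACHE_TTL = 7 * 24 * 3600   # 604800 s; an assumed cap, not a value from the slides

def normalize(name):
    """Case-insensitive comparison with an optional trailing dot removed."""
    return name.rstrip(".").lower()

def in_bailiwick(name, zone):
    """True if name is the zone itself or lies below it (update.microsoft.com is in microsoft.com)."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)

def spoof_success_probability(attempts, tid_bits=16, port_bits=0):
    """Chance that `attempts` blind guesses hit the one value a resolver will accept.
    With only the 16-bit TID random there are 65,536 possibilities; randomizing the
    source port adds up to another 16 bits."""
    return min(1.0, attempts / float(2 ** (tid_bits + port_bits)))

def accept_response(pending, response):
    """Returns (records to cache, rejected items).  `pending` describes the query the
    resolver sent; `response` is the reply as parsed off the wire."""
    if response["tid"] != pending["tid"]:
        return [], [("tid mismatch", None)]
    if response["dst_port"] != pending["src_port"]:
        return [], [("port mismatch", None)]
    if normalize(response["qname"]) != normalize(pending["qname"]) or response["qtype"] != pending["qtype"]:
        return [], [("question mismatch", None)]
    accepted, rejected = [], []
    for name, rtype, ttl, rdata in response["records"]:
        if not in_bailiwick(name, pending["zone"]):          # google.com data from example.com's servers is thrown away
            rejected.append(("out of bailiwick", (name, rtype, ttl, rdata)))
            continue
        accepted.append((normalize(name), rtype, min(ttl, MAX_CACHE_TTL), rdata))  # 68-year TTLs are cut down
    return accepted, rejected

# Constructed sample data (hypothetical query, hypothetical reply, documentation addresses).
PENDING = {"tid": 0x7A3F, "src_port": 7649, "qname": "aaa.example.com", "qtype": 1, "zone": "example.com"}
GOOD_REPLY = {
    "tid": 0x7A3F, "dst_port": 7649, "qname": "aaa.example.com", "qtype": 1,
    "records": [
        ("aaa.example.com", 1, 3600, "192.0.2.5"),
        ("example.com", 2, 2147483647, "ns1.example.com"),   # the maximum TTL from the slides
        ("ns1.example.com", 1, 3600, "192.0.2.53"),         # glue, in bailiwick
        ("www.google.com", 1, 3600, "192.0.2.100"),         # not in bailiwick
    ],
}
WRONG_TID_REPLY = dict(GOOD_REPLY, tid=0x0001)

if __name__ == "__main__":
    print(accept_response(PENDING, GOOD_REPLY))
    print(accept_response(PENDING, WRONG_TID_REPLY))
    print("100 guesses, TID only:      %.6f" % spoof_success_probability(100))
    print("100 guesses, TID + port:    %.12f" % spoof_success_probability(100, 16, 16))
```

The bailiwick test here is the simple suffix rule the slides describe; production resolvers layer further trust ranking on top of it (which section a record came from, whether it overrides existing cached data), and the probability helper ignores that an attacker can retry across many outstanding queries, which is exactly why source-port randomization and the entropy test linked above matter.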