Domain Name System part 1

Domain Name System
(DNS)
TODAY &
TOMORROW
PRESENTED BY:
JAMES SPEIRS
CHARLES HIGBY
BRADY REDFEARN
Overview
o History
o How It Works
o DNS Packet Structure
o DNS Features
o DNS Security Evolution, Early Days
o Current DNS Issues
o Bailiwick Defined
o BIND 9.6 Or Later
o Guilty Parties
o DNS Exploit, Dan Kaminsky
o BIND 8 Or Earlier
o Kaminsky's Results
o What Can Save Us?
History

o Pre-DNS
  - A single hosts file (HOSTS.TXT), maintained centrally by the Stanford Research Institute (SRI)
  - Every host fetched a fresh copy by FTP
History Continued
o 1983
  - Paul Mockapetris, inventor of DNS
  - RFCs 882 & 883, the first DNS specification
o 1984
  - Berkeley & UNIX: the first BIND written at UC Berkeley for BSD UNIX
o 1985
  - Kevin Dunlap, Digital Equipment Corporation (DEC)
  - Berkeley Internet Name Domain (BIND)
o 1987
  - RFCs 1034 & 1035, which replace 882 & 883 and remain the base DNS specification
o 1990s
  - BIND ported to Windows NT

How It Works

Distributed databases
o Local machine (consulted first, before any query leaves the host)
  - Hosts file
    - Linux: /etc/hosts
    - Mac: /private/etc/hosts (/etc/hosts is a symlink to it)
    - Windows: %SystemRoot%\system32\drivers\etc\
  - Local cache
    - OS resolver cache in memory
    - Browser cache
How It Works Continued

Distributed databases
o Not on local machine
  - The stub resolver sends a UDP query to the ISP's DNS server (a query is small, roughly 100 bytes)
  - ISP DNS responds from its cache if it has the answer
  - On a cache miss the ISP's DNS asks upstream: its own provider's DNS ("ISP's ISP") if it forwards, or the root, TLD and authoritative servers in turn
  - Core (root) DNS responds with a referral to the TLD servers, never with the final answer itself
DNS Packet Structure
DNS Features

o A name server's response can carry records for several names in its domain (the additional section), e.g.:
  - microsoft.com
  - secure.microsoft.com
  - update.microsoft.com
o Compression: repeated names are replaced by 2-byte pointers (RFC 1035), shrinking responses roughly 3x
o Redundancy: several name servers per zone
o Round-robin assignment: several A records for one name, returned in rotating order
o Entry expiration: every record carries a TTL
  - 3,600 seconds (one hour) is a common value, though there is no global default
  - Set by the authoritative name server, not by the resolver that caches it
o The "big 13" root servers always hold the delegations for the top-level domains
  - .com, .net, .tv, .info, .gov, .mil, etc.
  - http://www.isoc.org/briefings/020/zonefile.shtml
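The packet structure slide and the compression and TTL features above, as an added Python example that is not part of the original deck: it builds a query with a random 16-bit transaction ID, answers it with one A record whose owner name is a compression pointer, and parses the 12-byte header, the question and the resource records back out. The name www.example.com and the address 93.184.216.34 are constructed sample values, not taken from the slides.

```python
import random
import struct
from typing import Dict, List, Optional, Tuple

# Added example, not from the slides: build a DNS query, answer it, and parse the
# 12-byte header, the question and the resource records, including the RFC 1035
# label-pointer compression behind the "Compression" feature. Sample values constructed.

QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, tid: Optional[int] = None, qtype: int = QTYPE_A) -> bytes:
    """Header + question. RD=1 asks for recursion; the TID is a random 16-bit value
    from a CSPRNG, never the incrementing counter early resolvers used."""
    if tid is None:
        tid = random.SystemRandom().randrange(1 << 16)
    flags = 0x0100  # QR=0 (query), OPCODE=0 (standard), RD=1
    header = struct.pack("!HHHHHH", tid, flags, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_header(pkt: bytes) -> Dict[str, int]:
    """Unpack the fixed 12-byte header; flag bit layout per RFC 1035 section 4.1.1."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": tid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1, "rd": (flags >> 8) & 1,
            "ra": (flags >> 7) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def read_name(pkt: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it). A length
    byte with its top two bits set (0xC0) is a 14-bit pointer to an earlier offset.
    Hops are capped so a crafted pointer loop cannot hang the parser."""
    labels: List[str] = []
    end: Optional[int] = None
    hops = 0
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:
            if end is None:
                end = offset + 2  # in the packet the name ends after the first pointer
            offset = ((length & 0x3F) << 8) | pkt[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)

def parse_records(pkt: bytes, offset: int, count: int) -> Tuple[List[dict], int]:
    """Parse `count` resource records of one section (answer, authority, additional)."""
    records = []
    for _ in range(count):
        name, offset = read_name(pkt, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[offset:offset + 10])
        offset += 10
        rdata = pkt[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:  # render IPv4 RDATA as a dotted quad
            rdata = ".".join(str(b) for b in rdata)
        records.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata})
    return records, offset

def parse_message(pkt: bytes) -> dict:
    """Whole message: header, questions, then answer / authority / additional."""
    hdr = parse_header(pkt)
    offset, questions = 12, []
    for _ in range(hdr["qdcount"]):
        qname, offset = read_name(pkt, offset)
        qtype, qclass = struct.unpack("!HH", pkt[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    answers, offset = parse_records(pkt, offset, hdr["ancount"])
    authority, offset = parse_records(pkt, offset, hdr["nscount"])
    additional, offset = parse_records(pkt, offset, hdr["arcount"])
    return {"header": hdr, "questions": questions, "answers": answers,
            "authority": authority, "additional": additional}

def build_response(query: bytes, ip: str, ttl: int = 3600) -> bytes:
    """Answer `query` with one A record. The TID is copied from the query (the resolver
    matches replies on it) and the answer's owner name is the 2-byte pointer 0xC00C to
    offset 12, where the QNAME already sits, instead of repeating the labels."""
    (tid,) = struct.unpack("!H", query[:2])
    question = query[12:]
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    return header + question + rr + bytes(int(x) for x in ip.split("."))
```

A query for www.example.com is 33 bytes and the one-record answer 49 bytes; the pointer saves 15 bytes on a single name, which is where the deck's compression figure comes from once a response repeats the same owner name across several records. The hop cap in read_name is the check a resolver needs, since a pointer that refers back to itself is otherwise an infinite loop.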

DNS Security Evolution, Early Days
o No bad guys in 1983: DNS was designed without any authentication of replies
o Transaction ID (TID)
  - Originally an incrementing counter, so the next value was trivially predictable
  - Later a random 16-bit TID
o Port 53
  - Incoming queries arrive on port 53
  - Outgoing queries were also sent from port 53, so the source port was known to everyone
  - Random outgoing source port, introduced by Dan Bernstein (djbdns)

Current DNS Issues
o DNS poisoning
  - First matching response wins; later ones are dropped
  - No TCP: UDP has no handshake, so the source address of a reply can be forged
  - Transaction IDs: 16 bits
  - Ports: 16 bits at most, and only if the resolver randomizes its source port
o DNS controllers
  - ICANN
  - US Commerce Department
  - Verisign
  - 13 core (root) servers

Bailiwick Defined

o "The neighborhood of the domain": the zone a queried name server is authoritative for, and so the part of the namespace whose records a resolver will accept from it
o Bailiwicked domain attack (Metasploit's name for the Kaminsky attack)
o In bailiwick of microsoft.com
  - microsoft.com
  - update.microsoft.com
  - security.microsoft.com
  - All acceptable DNS entries: cached when they arrive in a microsoft.com server's response
o Not in bailiwick
  - google.com
  - yahoo.com
  - These entries are thrown away: a microsoft.com server has no authority over them
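The bailiwick rule above, as an added Python example that is not part of the original deck: a label-wise check that a caching resolver applies to the authority and additional sections before caching anything. The zone passed in is the one the queried server was delegated for, not the name being asked about; the three sample records are constructed.

```python
from typing import List

# Added example, not from the slides: the bailiwick check a caching resolver applies
# to the authority and additional sections of a response. `zone` is the zone the
# queried server was delegated for (here microsoft.com), not the name in the question.

def _labels(name: str) -> List[str]:
    """Case-insensitive, trailing-dot-insensitive label list; the root is []."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []

def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies below it on a label boundary.
    The comparison is label by label: 'notmicrosoft.com' ends with the same text as
    'microsoft.com' but is outside its bailiwick; a plain string-suffix test gets
    this wrong. The root zone (empty label list) has everything in bailiwick."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def filter_additional(records: List[dict], zone: str) -> List[dict]:
    """Keep only the records a resolver may cache from this server; drop the rest."""
    return [rr for rr in records if in_bailiwick(rr["name"], zone)]

# Constructed additional section from a microsoft.com name server: the first two
# records are in bailiwick and may be cached, the google.com record must be discarded.
SAMPLE_ADDITIONAL = [
    {"name": "update.microsoft.com", "type": 1, "rdata": "203.0.113.10"},
    {"name": "security.microsoft.com.", "type": 1, "rdata": "203.0.113.11"},
    {"name": "www.google.com", "type": 1, "rdata": "198.51.100.5"},
]
```

The label-boundary comparison is the part worth copying: a resolver that tests `name.endswith(zone)` would let a server for microsoft.com plant records for notmicrosoft.com.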

BIND 9.6 Or Later
Example of current version of BIND
Guilty Parties

o Guilty parties
  - Any DNS resolver not randomizing its source ports
  - OpenWRT software
o Secure services
  - OpenDNS
  - djbdns
  - Simple router software

DNS Exploit, Dan Kaminsky

Cache miss at ISP
o Find the name server IPs for example.com
  - ns1.example.com (1.1.1.1)
  - ns2.example.com (1.1.1.2)
o Send the ISP's resolver a query for a bogus name
  - aaa.example.com (never cached, so it always forces a cache miss)
o The ISP's DNS queries the example.com name servers for the bogus name
  - Note the UDP outgoing port from the ISP (7649); a resolver that does not randomize uses the same port every time
o Send 100 spoofed UDP replies, each with a different guessed TID, to the ISP at port 7649, with the source address forged as ns1.example.com and your IP 1.1.1.100 given as the address of example.com's name server
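The race described in the steps above, as an added Python example that is not part of the original deck: a toy resolver that accepts a reply only when its (source port, TID) pair matches an outstanding query, an attacker that floods distinct TID guesses, and the analytic success probability for the fixed-port and random-port cases. The port 7649, the name ns1.example.com and the address 1.1.1.100 are the slides' illustrative values; the bogus query names and the random seed are constructed.

```python
import random
from typing import Dict, Tuple

# Added example, not from the slides: a toy model of the poisoning race. The resolver
# caches a reply only if its (source port, TID) matches an outstanding query; the
# first match wins and everything else is dropped. 7649, ns1.example.com and
# 1.1.1.100 are the deck's illustrative values; the bogus names are constructed.

TID_SPACE = 1 << 16   # 16-bit transaction ID
PORT_SPACE = 1 << 16  # 16-bit source port as on the slides (real ephemeral ranges are smaller)

def per_race_success(guesses: int, randomize_port: bool) -> float:
    """Chance that one race (one bogus name, `guesses` distinct spoofed replies) wins.
    Fixed port: the attacker knows the port, so each distinct TID covers 1/65536.
    Random port: a reply must also hit the port, so the space is 2^32."""
    space = TID_SPACE * (PORT_SPACE if randomize_port else 1)
    return min(guesses, space) / space

def expected_races(guesses: int, randomize_port: bool) -> float:
    """Mean number of races (bogus names) before the first success."""
    return 1 / per_race_success(guesses, randomize_port)

class ToyResolver:
    def __init__(self, rng: random.Random, randomize_port: bool, fixed_port: int = 7649):
        self.rng, self.randomize_port, self.fixed_port = rng, randomize_port, fixed_port
        self.outstanding: Dict[Tuple[int, int], str] = {}  # (port, tid) -> query name
        self.cache: Dict[str, str] = {}

    def send_query(self, qname: str) -> Tuple[int, int]:
        """Pick the source port and TID for an upstream query and remember them."""
        port = self.rng.randrange(PORT_SPACE) if self.randomize_port else self.fixed_port
        tid = self.rng.randrange(TID_SPACE)
        self.outstanding[(port, tid)] = qname
        return port, tid

    def receive(self, port: int, tid: int, name: str, ip: str) -> bool:
        """Accept a reply only if (port, tid) is outstanding: there is no other check."""
        if (port, tid) not in self.outstanding:
            return False
        del self.outstanding[(port, tid)]
        self.cache[name] = ip  # the spoofed record now lives until its TTL expires
        return True

def run_races(races: int, guesses: int, randomize_port: bool, seed: int = 1) -> int:
    """Run `races` poisoning attempts; return how many planted 1.1.1.100 for ns1."""
    rng = random.Random(seed)
    resolver = ToyResolver(rng, randomize_port)
    wins = 0
    for i in range(races):
        port, _tid = resolver.send_query(f"{i:08x}.example.com")  # fresh bogus name -> cache miss
        # Fixed port: the attacker observed 7649 once and reuses it. Random port: must guess.
        guess_port = port if not randomize_port else rng.randrange(PORT_SPACE)
        for tid in rng.sample(range(TID_SPACE), guesses):  # distinct TID guesses, no repeats
            if resolver.receive(guess_port, tid, "ns1.example.com", "1.1.1.100"):
                wins += 1
                break
        resolver.outstanding.clear()  # the genuine reply arrives and closes this race
    return wins
```

With 100 replies per race on a fixed port, expected_races gives about 655 races before the cache holds the attacker's address; the 30-second figure on the "Kaminsky's Results" slide then corresponds to roughly 20 races per second, a rate assumed here rather than stated on the slides. With a randomized port the same flood needs about 43 million races on average, which is the whole reason port randomization was the emergency fix.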
BIND 8 Or Earlier
Example of older versions of BIND
Kaminsky's Results

Repeat the exploit for any domain
o In about 30 seconds, you control the entire domain
o Works because
  - The spoofed name-server records are in bailiwick for example.com, so the resolver accepts them
  - The new IPs replace the old ones in the ISP's cache
  - Make the TTL really big
    - Maximum of 2,147,483,647 seconds (2^31 - 1; RFC 2181 treats larger values as zero)
    - 68+ years
    - Effectively never expires
o Nothing appears wrong to the user
  - URL bar shows http://www.google.com
  - Displayed site looks like google.com, but is served from the attacker's address

What Can Save Us?
o SSL certificates
  - Cannot be duplicated: the attacker's server has no valid certificate for the name, so the browser warns
  - Must be examined: the warning only helps if users do not click through it
o If available, force HTTPS
o Most sites don't support either solution
o Test your ISP's resolver for port and TID randomness
  - entropy.dns-oarc.net/test

Questions