Security Attacks Using DNS Vulnerabilities Talk by Faisal

Security Attacks Using DNS Vulnerabilities Talk by Faisal Ahmad Khan BUITEMS Cyber Security Week December 5 -7, 2017

DNS: Domain Name System People: many identifiers: v SSN, name, passport # Internet hosts, routers: v v IP address (32 bit) used for addressing datagrams “name”, e. g. , www. yahoo. com - used by humans Q: map between IP addresses and name ? Domain Name System: r distributed database implemented in hierarchy of many name servers r application-layer protocol host, routers, name servers to communicate to resolve names (address/name translation) v note: core Internet function, implemented as application-layer protocol v complexity at network’s “edge” 2

DNS services r Hostname to IP address translation r Host aliasing v Canonical and alias names r Mail server aliasing r Load distribution v Replicated Web servers: set of IP addresses for one canonical name DNS is Hierarchical Why not centralize DNS? r single point of failure r traffic volume r distant centralized database r Maintenance 06 a DNS. ppt 3

Distributed, Hierarchical Database Root DNS Servers com DNS servers yahoo. com amazon. com DNS servers org DNS servers pbs. org DNS servers edu DNS servers poly. edu umass. edu DNS servers Client wants IP for www. amazon. com; 1 st approx: r Client queries a root server to find “com” DNS server r Client queries com DNS server to get “amazon. com” Authoritative DNS server r Client queries amazon. com DNS server to get IP address for “www. amazon. com” 06 a DNS. ppt 4

DNS: Root name servers r contacted by local name server that can not resolve Top_Level name (eats in www. macdonalds. eats) r Originally there were 7 Top-Level domains (com, org, edu, mil, gov, info, arpa) Now there are hundreds ( us, uk, cn, tv, name, . . . ) r ICANN assigns domain names (www. icann. org) a Verisign, Dulles, VA c Cogent, Herndon, VA (also Los Angeles) d U Maryland College Park, MD k RIPE London (also Amsterdam, g US Do. D Vienna, VA Frankfurt) i Autonomica, Stockholm (plus 3 h ARL Aberdeen, MD j Verisign, ( 11 locations) other locations) m WIDE Tokyo e NASA Mt View, CA f Internet Software C. Palo Alto, CA (and 17 other locations) 13 root name servers worldwide b USC-ISI Marina del Rey, CA l ICANN Los Angeles, CA 06 a DNS. ppt 5

TLD and Authoritative Servers r Top-level domain (TLD) servers: responsible for com, org, net, edu, etc, and all top-level country domains uk, fr, ca, jp. v Network Solutions, Inc. maintains servers for com TLD v Educause maintains servers for edu TLD r Authoritative DNS servers: organization’s DNS servers, providing authoritative hostname to IP mappings for organization’s servers (e. g. , Web and mail). v Can be maintained by organization or service provider v Every “Autonomous System” (AS) must have two (backup). r Local DNS servers: organization’s DNS servers located on various subnets to provide DNS lookups for hosts on the subnet. May not be accessible from outside the subnet. Their IP addresses are part of the host's network configuration (manual or DHCP). PC looks first at “hosts” file. DNS Hack #0, add false info to it. 6

Local Name Server r Does not strictly belong to hierarchy r Each ISP (residential ISP, company, university) has one. v Also called “default name server” or “resolver” r When a host makes a DNS query, query is sent to its local DNS server Acts as a proxy, forwards query into hierarchy. v Today a DNS proxy (resolver) is built into most DSL and cable-modem routers v DNS Hack #1: Change DNS configured IP to IP of attacker-controlled server (Windows Registry or UNIX /etc/resolv. conf) 06 a DNS. ppt 7

Example root DNS server r Host at cis. poly. edu 2 wants IP address for 3 gaia. cs. umass. edu TLD DNS server 4 r Host sends a "recursionrequested" query 5 request to dns. poly. edu. r Local DNS server does a local DNS server "recursive" search. This dns. poly. edu requires contacting 6 7 1 8 several other DNS servers before the final answer is given to host. authoritative DNS server requesting host dns. cs. umass. edu cis. poly. edu $ nslookup gaia. cs. umass. edu answer 128. 119. 245. 12 gaia. cs. umass. edu 06 a DNS. ppt 8

root DNS server A 3. NSLTD. COM Non-recursive queries norecurse or "iterated" query: r contacted server local DNS server dns. poly. edu replies with name of server to contact r “I don’t know this name, but ask this server” requesting host 3 2 1 authoritative DNS server NS 1. umass. edu 4 5 6 cis. poly. edu gaia. cs. umass. edu $ nslookup -norecurse -v gaia. cs. umass. edu A 3. NSLTD. COM $ nslookup -norecurse -v gaia. cs. umass. edu NS 1. umass. com answer 128. 119. 245. 12 06 a DNS. ppt 9

“dig” with “+trace” will show the entire recursive lookup. copeland$ dig +trace www. google. com. ; <<>> Di. G 9. 8. 3 -P 1 <<>> +trace www. google. com. ; ; global options: +cmd. 495753 IN NS e. root-servers. net. . 495753 IN NS c. root-servers. net. . 495753 IN NS a. root-servers. net. . (11 lines deleted) ; ; Received 496 bytes from 128. 61. 244. 254#53(128. 61. 244. 254) in 13 ms. . . com. 172800 IN NS h. gtld-servers. net. com. 172800 IN NS j. gtld-servers. net. com. 172800 IN NS e. gtld-servers. net. . (11 lines deleted) ; Received 504 bytes from 192. 58. 128. 30#53(192. 58. 128. 30) in 138 ms google. com. 172800 IN NS ns 2. google. com. 172800 IN NS ns 1. google. com. 172800 IN NS ns 3. google. com. 172800 IN NS ns 4. google. com. ; ; Received 168 bytes from 192. 55. 83. 30#53(192. 55. 83. 30) in 56 ms www. google. com. 300 IN A 74. 125. 196. 104 www. google. com. 300 IN A 74. 125. 196. 105. . . (4 lines deleted) ; ; Received 128 bytes from 216. 239. 36. 10#53(216. 239. 36. 10) in 64 ms 10

DNS: caching and updating records r once (any) name server learns a mapping, it caches the mapping (Domain’s DNS = IP) v cache entries timeout (disappear) after some time (usually 20 minutes) v TLD servers typically cached longer in local name servers • Thus root name servers not often visited r update/notify mechanisms under design by IETF v RFC 2136 v http: //www. ietf. org/html. charters/dnsind-charter. html DNS Hack #0: Add a “name -> IP” entry in the UNIX /etc/hosts file, or Windows Registry file. 06 a DNS. ppt 11

DNS records DNS: distributed db storing resource records (RR) RR format: (name, value, type, ttl) r Type=A (AAAA for IPv 6) r Type=CNAME v name is hostname v name is alias name for some “canonical” (the real) name v value is IP address www. ibm. com is really r Type=NS servereast. backup 2. ibm. com v name is domain (e. g. v value is canonical name foo. com) v value is hostname of r Type=MX authoritative name v value is name of mailserver for this domain associated with name 06 a DNS. ppt 12

DNS protocol, messages DNS protocol : query and reply messages, both with same message format msg header r identification: 16 bit # for query, reply to query uses same # r flags: v query or reply v recursion desired v recursion available v reply is authoritative 06 a DNS. ppt 13

DNS protocol, messages Name, type fields for a query * RRs in response to query records for authoritative servers additional “helpful” info that may be used 14

Inserting records into DNS r Example: just created startup “Network Utopia” r Register name networkuptopia. com at a registrar (e. g. , Network Solutions) v v Need to provide registrar with names and IP addresses of your authoritative name server (primary and secondary) Registrar inserts two RRs into the. com TLD server: (networkutopia. com, dns 1. acme. com, NS) (dns 1. acme. com, 212. 1, A) r Put in authoritative server Type A record for www. networkuptopia. com and Type MX record for networkutopia. com into dns 1. acme. com (DNS service) DNS Hack #2 Register a domain like “myserver. ru”, have links in email like www. usbank. com. 273846. myserver. ru. 06 a DNS. ppt 15

>whois nt. com Whois Server Version 2. 0 Domain names in the. com and. net domains can now be registered with many different competing registrars. Go to http: //www. internic. net for detailed information. Domain Name: NT. COM Registrar: GODADDY. COM, INC. Whois Server: whois. godaddy. com Referral URL: http: //registrar. godaddy. com Name Server: NS-GUY 2. NORTELNETWORKS. COM Name Server: NS-HAR 2. NORTELNETWORKS. COM Status: client. Delete. Prohibited Status: client. Renew. Prohibited Status: client. Transfer. Prohibited Status: client. Update. Prohibited Updated Date: 20 -jan-2009 Creation Date: 28 -sep-1990 Expiration Date: 27 -sep-2010 >>> Last update of whois database: Fri, 20 Feb 2009 13: 33: 26 UTC <<< 16

DNS Cache Poisoning root DNS server www. bigbank. com 33. 22. 11. 44 3 4 5 TLD DNS server - IP = 87. 65. 43. 21 1 Spoofed Request for no. bigbank. com source IP = 12. 34. 56. 78 local DNS server dns. poly. edu 8 requesting host cis. poly. edu IP = 12. 34. 56. 78 2 Spoofed Response - source IP = 87. 65. 43. 21 Auth. DNS for bigbank. com =66. 66. 66 authoritative DNS server dns. bigbank. com Future requests for all URLs in bigbank. com go to =66. 66. 66 www. bigbank. phisher. com 66. 66. 66 17

wireshark Display of DNS Response ID is random nonce used to authenticate Response to Query 18

DNS protocol, spoofed messages <Name, type fields for a query 32 bits -> * RRs in response to query records for authoritative servers additional “helpful” info that may be used * 16 -bit ID is used to match responses to requests. To spoof, • use 1 request and 65, 536 responses, or • use 256 requests and 256 responses (Birthday attack). 06 a DNS. ppt 19

DNS Cache Poisoning - Anticipated Attack m o c. nn . c w w w p u. 66 k 6 o 6 L. 66 66. 6 Time UDP Connection closed -> 66. 66. 66 cached www. cnn. com -> 64. 236. 90. 21 (not noticed) om c. n. cn m www cnn. com w w. cn om ww. cnn. c m www. cnn. co www n. com. cn w w w Local DNS . 66 6 6 66. 66 6 66. 6. 66 6 6. 6. 66 66 6 66. 66 6 66. 6 0. 21 9. 6. 23 4 6 is is is NS-CNN. COM Sends a Request for a URL, and N fake Replies with random IDs Correct guess of <- ID Nonce Probable no. of hits = N / 65, 354 Hacker 20

DNS Cache Poisoning – Bellovin Birthday Attack Time Local DNS -> caches www. cnn. com = 66. 66. 66 k Loo up om c. n cn. w ww 66. 6. 66 6 6 is 6. 6 6 m 6. o 6 c 6 n. 6. 6 s n i 6 c. . 6 6 m www. cnn. co is 66. 66. 6. . 6 m 66 www. cnn. com is 66 66. 6. o. 6 www. cnn. c m is 66. 66 66 www cnn. com is 66 66. 6. o 6 6. www. cnn. c m is 6. 66. 6 www. cnn. co is 66 6. 6. 21 m 66. 6 0 w o 9 c w. 236. cnn com is 4 w 6 w. is w cnn. w * Local DNS ww. com n n. c sends 260 www * <- Sending 260 requests for same domain, cnn. com, and N Replies with fake Auth. N. S. IP address. with random IDs <- Correct guess of one ID. Probable no. of hits 260*N/(2^16) =1 if N =252 Prob(hits>0)=0. 63 Total packets = 512 queries with different IDs. DOS Attack Local DNS NS-CNN. COM Hacker DNS Hack #3: Change DNS IP configured in local cache. 21

Fast-Flux DNS (Botnet Distributed Phishing) • Botmaster registers his DNS server, with the “ru” TLD (Top Level DNS) as the Authority for “bg 4589. ru” • Botnet hosts sent out email to lure victims to a Phishing Web site www. bny. com. bg 4589. ru (IP 23. 45. 67. 89 ) • Problem: as soon as BNY Network Security person sees one of the emails, they do a DNS lookup (get 23. 45. 67. 89), a “whois”, and shut the 23. 45. 67. 89 host down. • Solution: vary the IP address returned to one of a thousand botnet Web servers. • Problem: BNY Net. Sec repeatedly does DNS lookups to get a complete list of botnet hosts. • Solution: After several lookups from the same IP, have many other bots do a Distributed Denial of Service attack (DDo. S) for several days against BNY Net. Sec. DNS Hack #4: Use a Fast Flux DNS to prevent total shutdown. 22

Fast Flux DNS root DNS server URL in Phish -> One of Many bots r Host at poly. edu wants IP address for www. urhckd. com r Host sends a "recursionrequested" query request to dns. poly. edu. r [Host is doing a nonrecursive search] r Local DNS server does a "recursive" search. This requires contacting several other DNS servers before the final answer is given to host. Note: the dot after "com" below is necessary to avoid getting the same cached answer from dns. poly. edu. 2 3 4 TLD DNS server 5 Fast Flux - many IP’s of bot Phishing sites. local DNS server dns. poly. edu 1 8 requesting host $ nslookup www. urhckd. com. answer 78. 82. 245. 12 joe. poly. edu 7 6 authoritative DNS server dns. urhcked. com $ nslookup www. urhckd. com. answer 53. 119. 24. 124 06 a Adapted from “Computer Networking: A Top Down Approach Featuring the Internet”, by Jim Kurose & Keith Ross DNS. ppt 23

Five DNS Hacks DNS Hack #0 – modify /etc/resolv. conf or Windows’ Registry, to change the IP of the Local DNS Server. DNS Hack #1 – add a line to /etc/hosts or Windows’ Registry. DNS Hack #2 – In URL link, hide the actual domain: e. g. , http: //www. usbank. com. customer. dhs 5134. hk DNS Hack #3 – Fast-Flux DNS: gives different IP every time. DNS Hack #4 – Poison the Local DNS Server’s cache (using a “Birthday” Attack) 24