introduction to dns
TRANSCRIPT
Introduction To DNS
everything you never wanted to know about IP directory services
Linux Users Victoria, April 3rd 2007, Jonathan Oxer
what is the domain name system anyway?
Introduction To DNS Jonathan Oxer
it's like a phone book... kinda
DNS is (1) a directory service
DNS is (2) an identity mechanism
DNS is (3) a namespace structure
DNS is (4) an abstraction layer
think of the phone book...
maps hostnames to IP addresses
maps jon.oxer.com.au to 221.133.213.151
forward vs reverse
forward: maps jon.oxer.com.au to 221.133.213.151
reverse: maps 221.133.213.151 to jon.oxer.com.au
simple beginnings: hosts.txt
...but phone books don't scale
so modern DNS is managed like a distributed phone book
DNS is (5) delegation of authority
a zone defines an area of authority
think of it as an inverted tree
anatomy of a host name
(a host name is a record inside a domain name)
read right to left: jon.oxer.com.au.
yes, it really ends in a dot!
root zone: jon.oxer.com.au. (the trailing dot)
top level domain: jon.oxer.com.au. (au)
2nd level zone: jon.oxer.com.au. (com.au)
3rd level zone: jon.oxer.com.au. (oxer.com.au)
host name: jon.oxer.com.au. (jon)
back to that dot: jon.oxer.com.au.
ICANN's 13: the A to M root servers
root.hints
There can be only 13
(DNS over UDP is limited to 512-byte messages without EDNS0)
a root NS response with more than 13 entries would not fit in 512 bytes (EDNS0 has since raised the limit, but the thirteen letters have stayed)
root servers replicated globally using anycast
root servers delegate ccTLDs, gTLDs, and iTLDs (infrastructure, i.e. .arpa)
so what is this delegation of which you speak?
registries, registrars, resellers, registrants, InterNIC, ICANN, OpenSRS, oh my!
ICANN controls the registries
registries control the registrars
registrars control delegations
domain allocation policies
own or lease?
trademarks and disputes
alt roots (alternative DNS roots)
DNS works because we agree to let it work
alt roots are just alternative agreements
critical concept alert!
authoritative vs recursive servers
authoritative servers answer questions about zones they own (and never go asking anyone else)
recursive resolvers query other servers on your behalf
recursive lookups require multiple queries (a referral chain from the root down to the zone that holds the answer)
caching good!
caching bad!
beware the cache
caching: in the recursive DNS resolver
(Big Pond bad! Bad, I say!)
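The two slides above ("recursive lookups require multiple queries" and "caching in the recursive DNS resolver") in code, as an added example that is not part of the talk: a toy recursive resolver walks a constructed delegation chain from the root down to oxer.com.au, counts the questions it has to ask, and then serves the answer from its cache until the TTL runs out. The 192.0.2.x server addresses are made up for the illustration; only jon.oxer.com.au and 221.133.213.151 come from the slides.

```python
"""Toy iterative resolver that walks referrals from the root and caches answers.

Added example, not part of the talk. The name servers and their 192.0.2.x
addresses are constructed for illustration; only jon.oxer.com.au and its
address 221.133.213.151 come from the slides.
"""

ROOT_HINT = "192.0.2.0"  # constructed: what root.hints would give us

# Constructed authoritative data, keyed by server address. Each server knows
# the A records it is authoritative for, and the delegations it hands out
# (child zone -> glue address of that zone's name server).
SERVERS = {
    "192.0.2.0": {"zone": ".", "addresses": {},
                  "delegations": {"au.": "192.0.2.1"}},
    "192.0.2.1": {"zone": "au.", "addresses": {},
                  "delegations": {"com.au.": "192.0.2.2"}},
    "192.0.2.2": {"zone": "com.au.", "addresses": {},
                  "delegations": {"oxer.com.au.": "192.0.2.3"}},
    "192.0.2.3": {"zone": "oxer.com.au.",
                  "addresses": {"jon.oxer.com.au.": ("221.133.213.151", 300)},
                  "delegations": {}},
}


def authoritative_query(server_ip, qname):
    """One authoritative server answering one A question.

    Returns ("answer", ip, ttl), ("referral", next_server_ip, 0) or
    ("nxdomain", None, 0). The server never asks anyone else.
    """
    srv = SERVERS[server_ip]
    if qname in srv["addresses"]:
        ip, ttl = srv["addresses"][qname]
        return "answer", ip, ttl
    for child, glue_ip in srv["delegations"].items():
        if qname == child or qname.endswith("." + child):
            # NS record in the authority section, glue A in the additional section
            return "referral", glue_ip, 0
    return "nxdomain", None, 0


class Resolver:
    """Recursive resolver: follows referrals on the client's behalf and caches."""

    MAX_REFERRALS = 16  # guard against delegation loops

    def __init__(self, now=0):
        self.now = now          # fake clock, in seconds
        self.cache = {}         # qname -> (ip, expiry time)
        self.queries_sent = 0   # total questions put on the wire

    def resolve(self, qname):
        """Return (ip, queries sent for this lookup); 0 queries means a cache hit."""
        if not qname.endswith("."):
            qname += "."
        cached = self.cache.get(qname)
        if cached and cached[1] > self.now:
            return cached[0], 0
        server, sent = ROOT_HINT, 0
        while sent < self.MAX_REFERRALS:
            sent += 1
            kind, payload, ttl = authoritative_query(server, qname)
            if kind == "answer":
                self.cache[qname] = (payload, self.now + ttl)  # honour the TTL
                self.queries_sent += sent
                return payload, sent
            if kind == "referral":
                server = payload  # one step further down the tree
                continue
            break
        self.queries_sent += sent
        return None, sent


if __name__ == "__main__":
    r = Resolver()
    print(r.resolve("jon.oxer.com.au"))   # 4 queries: root, au, com.au, oxer.com.au
    print(r.resolve("jon.oxer.com.au"))   # cache hit: 0 queries
    r.now += 301                          # the 300 s TTL has passed
    print(r.resolve("jon.oxer.com.au"))   # back to 4 queries
```

The "caching bad" half is visible too: whatever lands in `cache`, whether the real answer or one pushed in by the attacks later in the talk, is handed out with zero further queries until its expiry time passes.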
caching: in your OS's resolver library
caching: directly inside applications
(IE very bad too!)
internationalisation
anatomy of a zone [file]

    ; zone file for example.com.
    $TTL 2d ; 172800 TTL
    @ IN SOA ns1.example.com. hostmaster.example.com. (
            2007040304 ; serial
            12h        ; refresh
            15m        ; retry
            3w         ; expiry
            3h )       ; minimum
        IN NS ns1.myprovider.com.
        IN NS ns1.example.com.
        IN MX 10 mail.example.net.
    homer IN A 192.168.254.3
    marge IN A 192.168.12.15
    www   IN CNAME homer
    vpn   IN CNAME marge
    ; NB: ns1.example.com. is named as a server for this zone but has no A record in it;
    ; it needs one here and glue at the parent (see glue records below)
types of DNS records
A (address): links names to IPv4 addresses
AAAA (IPv6 address): links names to IPv6 addresses
CNAME (canonical name): aliases a name to another name
MX (mail exchange): name of the machine for mail delivery (with a preference value)
NS (name server): name of a DNS server for a zone
TXT (text): arbitrary text string
NAPTR (naming authority pointer): fun with regex
SOA (start of authority): controls inter-server data synchronisation
SOA (Start Of Authority)
SOA (together with $TTL) sets TTL (Time To Live)
TTL says how long data may be cached
SOA parameters
Serial: identifies the version of the zone (secondaries re-transfer when it increases)
Refresh: seconds between a secondary's checks for updates
Retry: seconds to wait before retrying after a failed refresh
Expire: seconds before a secondary stops serving data it could not refresh
Minimum: now used for negative caching (how long a "no such name" answer may be cached)
circular dependencies: self-delegation (ns1.example.com serves example.com, but you need example.com to find ns1.example.com)
the solution: glue records (the parent zone carries the address of the in-zone name server alongside the NS record)
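As an added example (not code from the talk) covering the zone file above, the SOA parameters and the glue problem: a minimal parser for that exact zone file, which turns the `$TTL`, the parenthesised SOA and the relative names into absolute records, and a check that reports name servers inside the zone which have no address record of their own. `ZONE_TEXT` is the slide's zone file re-typed; the parser handles only what that file needs.

```python
"""Minimal zone-file parser for the example.com zone shown above, plus a check
for in-zone name servers that have no address record.

Added example, not code from the talk. ZONE_TEXT is the slide's zone file
re-typed; the parser handles comments, $TTL/$ORIGIN, time units (s/m/h/d/w),
parenthesised multi-line records, "@", relative names and an omitted owner
(meaning "same owner as the previous record").
"""
import re

ZONE_TEXT = """\
; zone file for example.com.
$TTL 2d ; 172800 TTL
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2007040304 ; serial
        12h        ; refresh
        15m        ; retry
        3w         ; expiry
        3h )       ; minimum
    IN NS ns1.myprovider.com.
    IN NS ns1.example.com.
    IN MX 10 mail.example.net.
homer IN A 192.168.254.3
marge IN A 192.168.12.15
www   IN CNAME homer
vpn   IN CNAME marge
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(token):
    """'2d' -> 172800, '1h30m' -> 5400, '300' -> 300."""
    if token.isdigit():
        return int(token)
    parts = re.findall(r"(\d+)([smhdw])", token.lower())
    if not parts or "".join(n + u for n, u in parts) != token.lower():
        raise ValueError(f"bad TTL: {token}")
    return sum(int(n) * UNITS[u] for n, u in parts)


def qualify(name, origin):
    """Make a zone-file name absolute: '@' is the origin, 'www' -> 'www.<origin>'."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Strip ';' comments and join '(' ... ')' continuations into single lines."""
    out, buf, depth = [], "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = line if depth == 0 else buf + " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(buf.replace("(", " ").replace(")", " "))
    return out


def parse_zone(text, origin):
    """Return (default_ttl, records); each record is (owner, ttl, type, rdata list)."""
    default_ttl, last_owner, records = None, origin, []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if line[0] in " \t":            # blank owner: reuse the previous one
            owner = last_owner
        else:
            owner = last_owner = qualify(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens[0][0].isdigit():       # optional explicit TTL
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)                # optional class
        rtype, rdata = tokens.pop(0).upper(), tokens
        if rtype == "SOA":               # mname rname serial refresh retry expire minimum
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + [parse_ttl(t) for t in rdata[2:]]
        elif rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), qualify(rdata[1], origin)]
        records.append((owner, ttl, rtype, rdata))
    return default_ttl, records


def in_zone_ns_without_address(records, origin):
    """Name servers inside this zone that have no A/AAAA record here.

    Such a server cannot be reached without glue: the zone is needed to find
    the server, and the server is needed to find the zone.
    """
    have_addr = {r[0] for r in records if r[2] in ("A", "AAAA")}
    return sorted({r[3][0] for r in records
                   if r[2] == "NS" and r[3][0].endswith("." + origin) and r[3][0] not in have_addr})
```

Run against `ZONE_TEXT` the SOA comes back as `2007040304, 43200, 900, 1814400, 10800` (the slide's 12h/15m/3w/3h in seconds) and the glue check names `ns1.example.com.`, which is exactly the self-delegation the slide warns about.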
breaking your brain: reverse DNS
Let's look up 1.2.3.4!
4.3.2.1.in-addr.arpa.
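The name construction above as an added example (not from the talk). It goes a little beyond the slide: the same routine handles IPv6 (ip6.arpa, one label per hex nibble) and works out which reverse zone a whole prefix is delegated under, which is what you need when checking who can publish PTR records for an address block.

```python
"""Build reverse-lookup names: 1.2.3.4 -> 4.3.2.1.in-addr.arpa.

Added example, not from the talk. Also handles IPv6 (ip6.arpa) and the
reverse zone that a whole prefix is delegated under.
"""
import ipaddress


def reverse_pointer(addr):
    """Absolute PTR owner name for an IPv4 or IPv6 address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")        # 32 hex digits, one label each
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix):
    """Zone that holds the PTR records for a prefix, e.g. 221.133.213.0/24.

    Only octet-aligned IPv4 prefixes (/8, /16, /24) and nibble-aligned IPv6
    prefixes map onto a single zone; anything else needs RFC 2317-style
    classless delegation and is rejected here.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are delegated on octet boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are delegated on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


if __name__ == "__main__":
    print(reverse_pointer("1.2.3.4"))             # 4.3.2.1.in-addr.arpa.
    print(reverse_zone("221.133.213.0/24"))       # 213.133.221.in-addr.arpa.
```

The standard library's `ipaddress.ip_address(x).reverse_pointer` produces the same name without the trailing dot; the hand-rolled version is here so the reversal is visible.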
security
DNS cache poisoning
Practical example: Dr Evil wants to take over www.bigbank.com
Dr Evil attack vector #1: redirecting the target domain's nameserver
(1) Dr Evil creates a sub-zone of a zone he controls, such as bigbank.dr-evil.com
(2) Dr Evil delegates his evil zone to www.bigbank.com (an NS record naming the target host as the sub-zone's name server)
(3) Dr Evil configures his DNS server to return the wrong IP address for www.bigbank.com (as glue for that delegation)
(4) Dr Evil issues a DNS lookup for bigbank.dr-evil.com to your DNS resolver
(5) Your DNS server caches the evil IP and uses it for future requests for www.bigbank.com
what happened?
request:
    bigbank.dr-evil.com. IN A
response:
    Answer section: (empty)
    Authority section: bigbank.dr-evil.com. 3600 IN NS www.bigbank.com.
    Additional section: www.bigbank.com. IN A 1.2.3.4
Dr Evil attack vector #2: redirect the NS record of the target domain
compare this with...
request:
    bigbank.dr-evil.com. IN A
response:
    Answer section: (empty)
    Authority section: bigbank.dr-evil.com. 3600 IN NS www.bigbank.com.
    Additional section: www.bigbank.com. IN A 1.2.3.4
...the alternative attack:
request:
    bigbank.dr-evil.com. IN A
response:
    Answer section: (empty)
    Authority section: bigbank.com. 3600 IN NS ns.dr-evil.com.
    Additional section: ns.dr-evil.com. IN A 1.2.3.4
(in both cases the resolver only gets poisoned if it believes dr-evil.com's server about names outside dr-evil.com)
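The check that defeats both responses, as an added example that is not from the talk: a bailiwick filter. The resolver picked dr-evil.com's server because it is authoritative for dr-evil.com, so records it sends about names outside that zone are not its business and are dropped before they can reach the cache. The two responses are the ones on the slides, re-typed as data; everything else (the `RR` class, the function names) is this example's own.

```python
"""Bailiwick check: the fix for both Dr Evil responses above.

Added example, not from the talk. The two responses are the slides' responses
re-typed as data; the RR class and function names are this example's own.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int = 3600


def in_bailiwick(name, zone):
    """True if `name` is `zone` or lies underneath it (absolute names, case-insensitive)."""
    name, zone = name.lower().rstrip(".") + ".", zone.lower().rstrip(".") + "."
    if zone == ".":
        return True
    # the "." prefix stops notdr-evil.com. from matching dr-evil.com.
    return name == zone or name.endswith("." + zone)


def filter_response(bailiwick, authority, additional):
    """Split authority + additional records into (accepted, rejected).

    `bailiwick` is the zone the resolver believed the queried server is
    authoritative for. Records outside it are dropped regardless of section;
    glue that survives is only used to contact the named servers, never
    handed out as an answer.
    """
    accepted, rejected = [], []
    for rr in authority + additional:
        (accepted if in_bailiwick(rr.name, bailiwick) else rejected).append(rr)
    return accepted, rejected


def rejected_names(bailiwick, authority, additional):
    """Owner names the resolver refuses to learn from this server."""
    return [rr.name for rr in filter_response(bailiwick, authority, additional)[1]]


# Vector #1: the delegation names the victim host, and glue carries the evil address.
VECTOR1_AUTH = [RR("bigbank.dr-evil.com.", "NS", "www.bigbank.com.")]
VECTOR1_ADDL = [RR("www.bigbank.com.", "A", "1.2.3.4")]

# Vector #2: the authority section claims to delegate the victim's whole zone.
VECTOR2_AUTH = [RR("bigbank.com.", "NS", "ns.dr-evil.com.")]
VECTOR2_ADDL = [RR("ns.dr-evil.com.", "A", "1.2.3.4")]


if __name__ == "__main__":
    print(rejected_names("dr-evil.com.", VECTOR1_AUTH, VECTOR1_ADDL))  # ['www.bigbank.com.']
    print(rejected_names("dr-evil.com.", VECTOR2_AUTH, VECTOR2_ADDL))  # ['bigbank.com.']
```

Note what survives in vector #1: the NS record itself is accepted, because dr-evil.com is entitled to delegate its own sub-zone to any host it likes. The resolver just cannot take the address of www.bigbank.com from it, and has to resolve that name properly through the com and bigbank.com servers.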
Dr Evil attack vector #3: DNS forgery: respond before the real nameserver
not as easy as it sounds!
do a birthday attack against the nonce value (the 16-bit transaction ID the resolver expects to see in the reply)
Start with the Taylor series approximation to the probability of a nonce value collision, where n is the number of attempts and H is the number of unique outputs.
Invert the expression to get n as a function of the collision probability.
Now assign a 0.5 probability of collision.
So it's obvious that for a 16-bit transaction ID there are 65536 outputs, i.e. only about 301 attempts are required to generate a collision by brute force!
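The derivation the slide describes, carried through as an added worked example (the symbols n, H and p are the slide's; the equations themselves are not in the transcript):

```latex
\begin{aligned}
p(n;H) &= 1 - \prod_{k=1}^{n-1}\left(1-\frac{k}{H}\right)
       \approx 1 - e^{-n(n-1)/(2H)} \approx 1 - e^{-n^2/(2H)}
       &&\text{(using } \ln(1-x)\approx -x \text{ for each factor)} \\
n(p;H) &\approx \sqrt{2H\,\ln\frac{1}{1-p}} &&\text{(invert)} \\
n(0.5;H) &\approx \sqrt{2H\ln 2} \approx 1.1774\sqrt{H} &&\text{(set } p = 0.5) \\
H = 2^{16} &\Rightarrow n \approx 1.1774 \times 256 \approx 301
\end{aligned}
```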
301 attempts against a 2^16 transaction ID space
(that figure assumes the resolver has many identical queries in flight at once; against a single outstanding query it is a straight guess, and randomising the source port as well as the ID raises the cost enormously)
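The slide's 301 next to the two figures a practitioner actually needs, as an added example (not from the talk): what a single outstanding query costs to forge, and what happens to both numbers once the resolver randomises its UDP source port as well as the transaction ID. The port-randomisation mitigation postdates the talk and is this example's addition.

```python
"""How many forged replies does Dr Evil need? Added example, not from the talk.

Three models, all for a 16-bit transaction ID (H = 65536) unless stated:
  * birthday bound: the slide's figure, valid when the resolver has n identical
    queries in flight and a collision between any of the attacker's n forgeries
    and any of those queries wins;
  * single outstanding query: the attacker must hit one specific ID, so it is a
    plain guess, not a birthday problem;
  * ID plus random source port: the space grows to about 2^32, which is the
    mitigation later resolvers adopted (not on the slides).
"""
import math

TXID_SPACE = 2 ** 16   # 16-bit DNS transaction ID
PORT_SPACE = 2 ** 16   # random UDP source port, roughly (a few ports are unusable)


def birthday_attempts(space, p=0.5):
    """Attempts n such that n random draws from `space` collide with probability p
    (inverting p ~ 1 - exp(-n^2 / (2 * space)))."""
    return math.sqrt(2 * space * math.log(1 / (1 - p)))


def single_guess_attempts(space, p=0.5):
    """Forgeries needed to match one specific ID with probability p."""
    return math.log(1 - p) / math.log(1 - 1 / space)


def race_success(space, outstanding, forged):
    """P(at least one of `forged` random-ID forgeries matches any of `outstanding`
    distinct in-flight IDs), assuming independent uniform IDs."""
    return 1 - (1 - outstanding / space) ** forged


if __name__ == "__main__":
    print(round(birthday_attempts(TXID_SPACE)))                    # 301
    print(round(single_guess_attempts(TXID_SPACE)))                # ~45425
    print(round(race_success(TXID_SPACE, 301, 301), 2))            # ~0.75
    print(round(birthday_attempts(TXID_SPACE * PORT_SPACE)))       # ~77163
    print(round(single_guess_attempts(TXID_SPACE * PORT_SPACE)))   # ~3e9
```

The birthday figure only helps Dr Evil if he can make the resolver send hundreds of identical queries at the same time (which is why flooding a resolver with lookups for the same name is part of the real attack); with one query in flight he is back to roughly 45,000 forgeries for even odds, and with a random source port in play the birthday bound itself climbs to about 77,000.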
secure zone transfers (restrict AXFR to known secondaries and authenticate them with TSIG, rather than letting anyone download the whole zone)
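One way to lock down zone transfers in BIND, which the talk lists as server software further on, as an added configuration example (not from the talk). The zone and key names are this example's own, and the `secret` is a placeholder of the right shape: generate a real one with `tsig-keygen` and keep it out of version control.

```conf
// named.conf fragment, added example (not from the talk).
// Primary side: refuse transfers by default, allow them only to holders of the key.
options {
    allow-transfer { none; };
};

key "xfer-key" {
    algorithm hmac-sha256;
    // placeholder: replace with the output of `tsig-keygen xfer-key`
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

zone "example.com" {
    type master;                 // newer BIND also accepts "primary"
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.53; }; // the secondary, documentation address
};

// Secondary side: sign every request to the primary with the same key.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type slave;                  // newer BIND also accepts "secondary"
    file "slaves/example.com.zone";
    masters { 192.0.2.1 key "xfer-key"; };
};
```

Restricting by source address alone is not enough over UDP/TCP without a shared secret, since addresses can be spoofed or shared; the TSIG key ties the transfer to a party that can sign, and the global `allow-transfer { none; }` stops a forgotten zone from leaking its whole contents.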
(mis?)using DNS
TCP-over-DNS (tunnelling other traffic through DNS queries and replies)
dynamic DNS
SPF
useful tools
nslookup
whois
dig
DNS server software
authoritative and recursive: BIND, MaraDNS
authoritative: MyDNS, tinydns
recursive: dnscache
master vs slave
firewall issues: port 53 UDP and TCP (TCP is not just for zone transfers: answers too big for UDP are retried over TCP, so don't block it)
Introduction to DNS
Thank you :-) questions?
Slides: jon.oxer.com.au/talks
Contact: Jonathan Oxer
We're hiring! www.ivt.com.au/jobs