introduction to dns

Introduction To DNS

everything you never wanted toknow about IP directory services

Linux Users Victoria, April 3rd 2007Jonathan Oxer

what is thedomain namesystem anyway?

Introduction To DNS Jonathan Oxer

it's like aphone book...kinda


DNS is (1)a directoryservice


DNS is (2)an identitymechanism


DNS is (3)a namespacestructure


DNS is (4)an abstractionlayer


think of thephone book...


mapshostnamestoIP addresses


mapsjon.oxer.com.auto221.133.213.151


forwardvsreverse


mapsjon.oxer.com.auto221.133.213.151


maps221.133.213.151tojon.oxer.com.au


simplebeginnings:

hosts.txt


...butphone books


...butphone booksdon't


...butphone booksdon't


scale

so modernDNS is managedlike a distributedphone book


DNS is (5)delegationof authority


a zonedefines an areaof authority


think of itas aninverted tree



anatomy ofa host name


(a host name isa record insidea domain name)


read right to left:jon.oxer.com.au.


yes, it reallyends in a dot!


root zone:jon.oxer.com.au.


top level domain:jon.oxer.com.au.


2nd level zone:jon.oxer.com.au.


3rd level zone:jon.oxer.com.au.


host name:jon.oxer.com.au.


back to that dot:jon.oxer.com.au.


ICANN's 13:the A to Mroot servers


root.hints


There can beonly 13


(UDP packetslimited to 512B)


A response withmore than 13entries > 512B


root serversreplicatedgloballyusing anycast



root serversdelegateccTLDs, gTLDs,and iTLDs


so what is thisdelegationof whichyou speak?


registries, registrars,resellers, registrants,InterNIC, ICANN,OpenSRS, oh my!



ICANN controlsthe registries


registries controlthe registrars


registrars controldelegations


domainallocationpolicies


ownorlease?


trademarksanddisputes



alt roots(alternativeDNS roots)


DNS worksbecause weagree to letit work


alt roots arejust alternativeagreements



criticalconceptalert!


authoritativevsrecursiveservers


authoritativeservers answerquestions aboutzones they own


recursiveresolvers queryother serverson your behalf


recursivelookups requiremultiple queries



cachinggood!


cachingbad!


bewarethecache


caching:in therecursiveDNS resolver


(Big Pond bad!Bad, I say!)


caching:in yourOSs resolverlibrary


caching:directlyinsideapplications


(IE verybad too!)


internationalisation


anatomy ofa zone[file]


; zone file for example.com.$TTL 2d ; 172800 TTL@ IN SOA ns1.example.com. hostmaster.example.com. ( 2007040304 ; serial 12h ; refresh 15m ; retry 3w ; expiry 3h ; minimum ) IN NS ns1.myprovider.com. IN NS ns1.example.com. IN MX 10 mail.example.net.homer IN A 192.168.254.3marge IN A 192.168.12.15www IN CNAME homervpn IN CNAME marge


types ofDNS records


A(address)

links names andIPv4 addresses


AAAA(address)

links names andIPv6 addresses


CNAME(canonical name)

aliases names toother names


MX(mail exchange)

name of machinefor mail delivery


NS(name server)

name of DNSserver for a zone


TXT(text)

arbitrary textstring


NAPTR(naming authpointer)

fun with regex


SOA(start of authority)

controls inter-serverdata synchronisation


SOA(Start OfAuthority)


SOA sets TTL(Time To Live)


TTL says howlong data maybe cached


SOA parameters

Serial: identifiesversion of SOA


SOA parameters

Refresh: secondsbetween updates


SOA parameters

Retry: seconds towait after failure


SOA parameters

Expire: secondsbefore data flushed


SOA parameters

Minimum: used nowfor negative caching


circulardependencies:self-delegation


the solution:glue records


breaking yourbrain: reverseDNS


Let's look up1.2.3.4!


4.3.2.1.in-addr.arpa.


security


DNScachepoisoning



Practical example:

Dr Evil wants to take overwww.bigbank.com


Dr Evil attack vector #1

redirecting the targetdomain's nameserver


(1)

Dr Evil creates asub-zone of a zone hecontrols, such asbigbank.dr-evil.com


(2)

Dr Evil delegates hisevil zone towww.bigbank.com


(3)

Dr Evil configures hisDNS server to returnthe wrong IP addressfor www.bigbank.com


(4)

Dr Evil issues a DNSlookup forbigbank.dr-evil.comto your DNS resolver


(5)

Your DNS server cachesthe evil IP and uses it forfuture requests forwww.bigbank.com


what happened? request:

bigbank.dr-evil.com. IN A response:Answer: (no response)

Authority section: bigbank.dr-evil.com. 3600 IN NS www.bigbank.com.

Additional section: www.bigbank.com. IN A 1.2.3.4



















redirect the NS recordof the target domain


compare this with... request:





...alternative attack request:


Authority section: bigbank.com. 3600 IN NS ns.dr-evil.com.

Additional section: ns.dr-evil.com. IN A 1.2.3.4



DNS forgery:respond before thereal nameserver


not as easyas it sounds!


do abirthday attackagainst thenonce value



Start with the Taylor series approximationto the probability of a nonce value collisionwhere n is the number of attempts and H isthe number of unique outputs:

Invert the expression:

Now assigning a 0.5 probability of collision:

So it's obvious that for a 16 bit hash there are 65536outputs, ie: only 301 attempts are required to generatea collision by brute force!











301 attemptsagainst 2x16 hash


securezonetransfers


(mis?)usingDNS


TCP-over-DNS


dynamicDNS


SPF


useful tools

nslookup


useful tools

nslookup


useful tools

whois


useful tools

dig


DNS serversoftware


authoritativeand recursive:BIND,MaraDNS


authoritative:MyDNS,tinydns


recursive:dnscache


mastervsslave


firewall issues

port 53UDP and TCP



Introduction to DNS

Thankyou :-)questions?

Slides: jon.oxer.com.au/talksContact:Jonathan Oxer We're hiring! www.ivt.com.au/jobs

introduction to dns

Technology