TCP/IP: DNS
Network Security
Lecture 8
Eike Ritter

The System

• Database that primarily maps IP addresses (147.188.192.42) to names (www.cs.bham.ac.uk) and vice versa
  – Nice properties: distributed, coherent, reliable, autonomous, and hierarchical
• DNS has tree structure
  – Domain is a node in this tree
  – All nodes except the root have labels (e.g., www)
  – Fully qualified name: node labels, bottom up, each followed by a dot
• Nodes are grouped (clique) into zones (administrative boundaries)
  – Apex is called the “start of authority”
  – Bottom edges with other zones below them are “delegation points”
  – Bottom nodes with no other zones below them are “leaf nodes”
  – Each zone is served by authority servers
• Nodes store actual content in resource records (RRs)
  – RR: name, class, type, TTL, and data
  – Data can map IP to name and vice versa
  – Data can specify the mail for a domain
• More: P. Vixie, “DNS Complexity”, ACM Queue, 2007

Domain hierarchy

[Figure: tree rooted at “.” (root) with children arpa, com, net, uk; under arpa: in-addr → 147 → 188 → 192 → 42; under com: google; under uk: lloydstsb, co, ac; under ac: bham → ph, cs]

Mapping names to IPs and vice versa

• Can a host name be mapped to many IP addresses?
  – Yes. For example, load balancing
    $ www.google.com
    Name: www.l.google.com
    Address: 209.85.143.99
    Name: www.l.google.com
    Address: 209.85.143.104
• Can an IP address be mapped to many domain names?
  – Yes. For example, web hosting
    (Some) domains seen at 74.125.53.132: amomsrantings.blogspot.com, bloxee.blogspot.com, culturadohashi.blogspot.com, ocedeloguxuf.blogspot.com, opensocial.googleusercontent.com, www-blogger-, ads.gmodules.com, www.gmodules.com, …
  – Tool: Passive DNS replication @ BFK


Servers

• Primary authoritative server
  – Authoritative for a zone
  – Loads mappings from local configuration (file on disk)
• Secondary authoritative server
  – Backup
  – Their zone data comes to them from primary servers via a zone transfer procedure
• Recursive and caching server
  – Caches query results until their TTL expires
  – Implements the recursive algorithm needed to locate a RR

Clients

• Often called “resolvers”
• Most often they do not perform the recursion themselves (“stub resolver”)
  – Rely on the recursive service of their designated full resolver
    $ cat /etc/resolv.conf
    search cs.bham.ac.uk
    nameserver 147.188.192.4
    nameserver 147.188.192.8
• Tools: nslookup, , host

Queries

• Recursive
  – Client asks the server to respond with either the requested resource record or an error message if none exists
  – If the DNS server does not have the queried information, it queries other servers until it gets the information (or the query fails)
• Iterative
  – Client asks the server to respond with the best answer it can provide, given its cache or zone data
  – If the DNS server does not have the queried information, it may respond with a referral to a server that may have it
• Specify the information requested (type of query)
  − A: address of host
  − NS: authoritative for domain
  − CNAME: canonical name
  − MX: mailer for host
  − TXT
• Are identified by ID field (16 bits)
• Can be done over UDP or TCP
  − Typically UDP; TCP for larger responses

Example

$ dig google.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34072
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       209.85.143.99
google.com.             300     IN      A       209.85.143.104

;; AUTHORITY SECTION:
google.com.             172800  IN      NS      ns4.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns3.google.com.

;; Query time: 21 msec
;; SERVER: 147.188.192.4#53(147.188.192.4)
;; WHEN: Wed Feb 2 18:29:31 2011
;; MSG SIZE  rcvd: 132


Example

% dig +norecurse google.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52597
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; AUTHORITY SECTION:
com.                    172794  IN      NS      i.gtld-servers.net.
com.                    172794  IN      NS      e.gtld-servers.net.
com.                    172794  IN      NS      l.gtld-servers.net.
com.                    172794  IN      NS      c.gtld-servers.net.
com.                    172794  IN      NS      h.gtld-servers.net.
com.                    172794  IN      NS      d.gtld-servers.net.
com.                    172794  IN      NS      b.gtld-servers.net.
com.                    172794  IN      NS      g.gtld-servers.net.
com.                    172794  IN      NS      f.gtld-servers.net.
com.                    172794  IN      NS      a.gtld-servers.net.
com.                    172794  IN      NS      k.gtld-servers.net.
com.                    172794  IN      NS      j.gtld-servers.net.
com.                    172794  IN      NS      m.gtld-servers.net.

DNS query

13:30:08.018705 IP 10.4.130.214.51103 > 147.188.128.102.53: 1313+ A? google.com. (28)
13:30:08.047483 IP 147.188.128.102.53 > 10.4.130.214.51103: 1313 5/13/0 A 74.125.230.114, A 74.125.230.115, A 74.125.230.116, A 74.125.230.112, A 74.125.230.113 (319)
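Added example (not from the lecture slides): a minimal wire-format encoder and parser for the messages shown above. It builds the 28-byte query that tcpdump reports as “A? google.com. (28)”, decodes the header fields dig prints (16-bit ID, qr/rd/ra flags, section counts) and walks the ANSWER SECTION of a constructed response; the sample response bytes are constructed here, not captured traffic.

```python
import struct
# Header flag bits and the A/IN codes used in the dig examples (RFC 1035, section 4.1.1)
QR, RD, RA, TYPE_A, CLASS_IN = 0x8000, 0x0100, 0x0080, 1, 1

def encode_name(name):
    """Encode "google.com" as length-prefixed labels: 6 'google' 3 'com' 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name, qtype=TYPE_A, recursive=True):
    """Build the UDP payload of 'dig google.com' (RD set) or 'dig +norecurse' (RD clear)."""
    header = struct.pack("!HHHHHH", txid, RD if recursive else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def parse_header(msg):
    """Return the fields dig prints on its ->>HEADER<<- and flags lines."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0xF, "QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar}

def decode_name(msg, off):
    """Decode a name at offset off, following compression pointers (RFC 1035, section 4.1.4)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0].rstrip(".")]) + ".", off + 2
        off += 1
        if length == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_answers(msg):
    """Parse the ANSWER SECTION of a response into (owner name, TTL, IPv4 address) tuples."""
    hdr, off = parse_header(msg), 12
    for _ in range(hdr["QUERY"]):                      # skip the QUESTION SECTION
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(hdr["ANSWER"]):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rclass) == (TYPE_A, CLASS_IN):
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return answers

# Constructed response (not captured traffic) mirroring the 'dig google.com' output above
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 34072, QR | RD | RA, 1, 2, 0, 0)
                   + encode_name("google.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
                   + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([209, 85, 143, 99])
                   + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([209, 85, 143, 104]))
```

The 16-bit ID returned by parse_header is the only per-query secret a plain UDP exchange carries, which is why the spoofing slides below turn on guessing it.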


DNS spoofing

[Figure: ns1.example.com serves server2.example.com (172.16.48.2); ns1.evil.com is the attacker’s name server; the attacker (6.6.6.6) contacts server1.example.com (172.16.48.1); arrows 1. and 2.-3.]

Assumption: server1 trusts connections from .example.com
1) attacker connects to server1 from 6.6.6.6
2) server1 looks up the name associated with 6.6.6.6
3) ns1.evil.com replies “server2.example.com”
4) server1 grants access to attacker

Defense: double reverse lookup

• Given IP address I1, obtain the name N
  – Mapping is provided by the name server responsible for I1, which may well be completely untrustworthy
• Given N, obtain its address I2
  – Mapping is provided by the name server responsible for N. In the scenario before, this name server is trusted
• Check if I1 = I2
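Added example (not from the lecture slides) of the double reverse lookup next to the weak single lookup it replaces. The lookup functions are injected so the slide’s scenario can be reproduced with constructed PTR and A records: the attacker’s PTR zone claims 6.6.6.6 is server2.example.com, but the trusted example.com zone resolves that name only to 172.16.48.2. check_live is an assumed helper that runs the same check against the host’s real resolver.

```python
import socket

def double_reverse_lookup(client_ip, reverse_lookup, forward_lookup):
    """Return (accepted, detail) for a connection from client_ip.

    reverse_lookup(ip) -> host name or None   (step 1: I1 -> N, served by the PTR zone owner,
                                               which may be completely untrustworthy)
    forward_lookup(name) -> list of addresses (step 2: N -> I2, served by the zone owning N)
    """
    name = reverse_lookup(client_ip)
    if name is None:
        return False, "no PTR record for %s" % client_ip
    addresses = forward_lookup(name)
    if client_ip not in addresses:                   # step 3: is I1 == I2 ?
        return False, "%s resolves to %s, not %s" % (name, addresses, client_ip)
    return True, name

def single_reverse_lookup(client_ip, reverse_lookup):
    """The weak check from the spoofing slide: trust whatever the PTR owner says."""
    name = reverse_lookup(client_ip)
    return name is not None and name.endswith(".example.com"), name

# Constructed records reproducing the slide's scenario (not a live DNS lookup):
# the attacker controls the PTR zone for 6.6.6.6 (ns1.evil.com) and names it server2.example.com;
# the forward zone example.com (ns1.example.com) is trusted and only lists the real address.
PTR_RECORDS = {"6.6.6.6": "server2.example.com", "172.16.48.2": "server2.example.com"}
A_RECORDS = {"server2.example.com": ["172.16.48.2"]}

def check_with_sample_records(client_ip):
    return double_reverse_lookup(client_ip, PTR_RECORDS.get, lambda n: A_RECORDS.get(n, []))

def check_live(client_ip):
    """Same check against the real resolver configured in /etc/resolv.conf (assumed helper)."""
    def rev(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None
    def fwd(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except socket.gaierror:
            return []
    return double_reverse_lookup(client_ip, rev, fwd)
```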

DNS hijacking

[Figure: Victim (172.16.48.2) sends “A? google.com” to ns1.example.com; the legitimate reply is “A 74.125.230.115”; the Attacker (172.16.48.1) races it with a forged “A 172.16.48.1”]

• DNS does not provide any means of
• Racing against the queried name server it is possible to provide a fake IP address/domain name mapping
  – Attacker could mount attack against client
  – Attacker could mount attack against name server
• The attacker needs to set correctly the request ID
  – Easy if attack done on the same LAN (sniffing)
  – Need to guess if done blindly


DNS amplification attack

• Certain queries can cause large responses
  – TXT, ANY query
  – Queries for “.” (root)
• Most typically, queries done over UDP
• Do you see a problem here? (remember smurf attacks?)
• DNS amplification attack:
  – The attacker spoofs the source IP address to be the address of the victim
  – Sends these “expensive” queries to a large number of servers
  – Servers will send the response to the victim, overloading it
• Defenses:
  – Don’t allow open recursive servers, that is recursive servers that respond to queries from external clients
  – Respond to expensive queries from untrusted parties with shorter error messages (REFUSED answer, instead of providing the list of root servers)

DNS poisoning

• Certain DNS implementations used to cache anything contained in a DNS reply
• Malicious DNS server would return a reply with additional answers that would poison the victim’s cache
  – Query for foo.com answered with additional section containing the IP address of bank.com
  – Can you use it to bypass the double reverse lookup?
• Solution: only accept additional information that is relative to the domain being queried (bailiwick check)


DNS poisoning

[Figure: the recursive resolver ns.victim.com sends “A? google.com” (ID = 1234) to ns.google.com; the Attacker (172.16.48.1) forges the reply “google.com IN A 172.16.48.1” with ID = 1234]

• Attacker forces recursive resolver to initiate a DNS query
• As the resolver is waiting for the answer from the authority server, attacker forges answers
• Attacker needs to guess all the transactional elements used in the victim’s query
  – Query ID
  – Port number
• If success, victim will store wrong IP-domain mapping
• If attacker loses the race, he will have to wait until the correct response expires (TTL field)
  – Order of several days, typically

Kaminsky attack

• Technique to “speed up” the poisoning attack
• Attacker sends query for 000001.bank.com
• Recursive server recursively attempts to answer the query contacting authoritative server of bank.com (ID = 1234)
• Attacker sends a number of spoofed responses (trying to guess the correct ID) with 2 parts:
  – Answer for 000001.bank.com is arbitrary
  – Authority section that claims a malicious IP is the NS for the bank.com zone
• If the attacker guesses the ID and port number, bailiwick check passes
• If the attacker is unsuccessful, the correct answer (likely, NXDOMAIN) arrives first and is accepted
• But now attacker can simply try again, querying for 000002.bank.com
  – Attacker does not need to wait for TTL to expire
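Added example (not from the lecture slides) serving both the bailiwick check from the DNS poisoning slide and the Kaminsky slide above: a resolver-side filter that keeps only records inside the zone the queried server is authoritative for, applied to two constructed replies. The classic foo.com reply loses its bank.com record, while the Kaminsky-style reply for 000001.bank.com passes untouched, which is exactly why the remaining defence is the size of the ID/port space (guess_space) that an off-path forger must hit. Record names and IPs are taken from the slides; the RR class and helper names are this example’s own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RR:
    name: str       # owner name
    rtype: str      # "A", "NS", ...
    rdata: str
    section: str    # "answer", "authority" or "additional"

def in_bailiwick(name, zone):
    """True if name is at or below zone; note 'notbank.com' is NOT inside 'bank.com'."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)

def bailiwick_filter(zone, response):
    """Keep only records whose owner name lies in the zone the queried server is authoritative for.
    Returns (kept, dropped); a cache should store only 'kept'."""
    kept, dropped = [], []
    for rr in response:
        (kept if in_bailiwick(rr.name, zone) else dropped).append(rr)
    return kept, dropped

# Constructed reply for the classic poisoning: a query for foo.com, answered by foo.com's server,
# smuggles an A record for bank.com in the additional section (out of bailiwick).
CLASSIC_REPLY = [RR("foo.com", "A", "203.0.113.10", "answer"),
                 RR("bank.com", "A", "172.16.48.1", "additional")]

# Constructed forged reply for the Kaminsky variant: a query for 000001.bank.com, answered "by"
# bank.com's server, whose authority/additional sections redelegate the whole zone to the attacker's IP.
KAMINSKY_REPLY = [RR("000001.bank.com", "A", "198.51.100.5", "answer"),
                  RR("bank.com", "NS", "ns.bank.com", "authority"),
                  RR("ns.bank.com", "A", "172.16.48.1", "additional")]

def guess_space(source_ports=1):
    """Number of (ID, port) values an off-path forger must match for one outstanding query:
    the 16-bit ID times the number of source ports the resolver may pick (1 if it never varies them)."""
    return 2 ** 16 * source_ports
```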

PGP

• Alice signs a message as follows:
    $ gpg -s -a msg.txt
  and sends it to Bob via regular
• What security properties are guaranteed?
  – Integrity?
  – Confidentiality?
  – Authenticity?
• Would anything change if Alice signed the message in binary format, i.e., without using the -a flag?

TCP/IP RECAP
In form of a quiz


IP addresses

You’re monitoring traffic between A and C. What are the values of IP datagrams that you expect?
Src IP: ?, Dst IP: ?
Src ether: ?; Dst ether: ?

[Figure: three hosts on one segment: A: 172.16.48.2 (00:11:22:33:44:02), B: 172.16.48.1 (00:11:22:33:44:01), C: 172.16.48.3 (00:11:22:33:44:03)]

IP

• Looking at logs of network traffic of the School web server (147.188.192.42), you notice a bunch of ICMP echo messages directed to it. They all have the source IP address set to 192.168.1.1. What do you do?
  – Look up the IP to notify the admin of the corresponding network
  – Drink another coffee: there’s nothing you can do
  – Filter packets from reserved network addresses


libpcap

• Our forensic team just recovered the following snippet of code from the hard disk of the old administrator. What was the purpose of the code (port 23 is the telnet port)?
    #!/bin/bash
    tcpdump -i eth0 -s0 port 23 -w dump.pcap

IP options

• Briefly explain why most routers drop IP packets with the IP source routing option

Scanning

• Briefly explain the traffic found in the following trace
12:31:38.707533 ARP, Request who-has 172.16.48.130 tell 172.16.48.139, length 28
12:31:38.708077 ARP, Reply 172.16.48.130 is-at 00:0c:29:27:25:40, length 46
12:31:38.708083 IP 172.16.48.139.39844 > 172.16.48.130.80: tcp 0
12:31:38.708116 IP 172.16.48.139.60408 > 172.16.48.130.443: tcp 0
12:31:38.708567 IP 172.16.48.130.80 > 172.16.48.139.39844: tcp 0
12:31:38.708582 IP 172.16.48.139.39844 > 172.16.48.130.80: tcp 0
12:31:38.708615 IP 172.16.48.130.443 > 172.16.48.139.60408: tcp 0
12:31:38.708806 IP 172.16.48.139.39844 > 172.16.48.130.80: tcp 0

TCP

• You have been hired to implement the TCP/IP stack in the new iPosh. You are tired of reading RFCs and decide that for picking Initial Sequence Numbers you will use the following formula:
    ISN = # packets sent + src_port + src_ip + dst_port + dst_ip
• Is this a good idea?


TCP

• You are studying the ISN generator of the iPosh2 and you derive the following graph. What is your conclusion on the security of the device?

[Figure: plot of the iPosh2 ISN generator (not recoverable from the text)]

DNS

• You are monitoring queries to your DNS server, when you notice the following series of queries:
    A? asdasdsa.example.com
    A? gdfgfoger.example.com
    A? p34339ds.example.com
    A? p03jsdss.example.com
• What is your analysis?
