The Domain Name System

Similar documents
Domain Name System (or Service) (DNS) Computer Networks Term B10

The Domain Name System

DNS: Domain Name System

Domain Name System Richard T. B. Ma

How To Map Between Ip Address And Name On A Domain Name System (Dns)

CMPE 80N: Introduction to Networking and the Internet

Domain Name System DNS

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

Domain Name System (DNS) RFC 1034 RFC

Chapter 2 Application Layer

The Application Layer: DNS

CS 43: Computer Networks Naming and DNS. Kevin Webb Swarthmore College September 17, 2015

Names vs. Addresses. Flat vs. Hierarchical Space. Domain Name System (DNS) Computer Networks. Lecture 5: Domain Name System

FTP: the file transfer protocol

DNS and P2P File Sharing

DNS. Spring 2016 CS 438 Staff 1

Domain Name System (DNS) Reading: Section in Chapter 9

DNS: Domain Name System

Domain Name System (DNS)

internet technologies and standards

Internet-Praktikum I Lab 3: DNS

DATA COMMUNICATOIN NETWORKING

Naming and the DNS. Focus. How do we name hosts etc.? Application Presentation Topics. Session Domain Name System (DNS) /URLs

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

C 1. Last Time. CSE 486/586 Distributed Systems Domain Name System. Review: Causal Ordering. Review: Causally Ordered Multicast.

Domain Name System (DNS)

Ch 6: Networking Services: NAT, DHCP, DNS, Multicasting

Domain Name System (DNS) Fundamentals

1 DNS Packet Structure

2.5 DNS The Internet s Directory Service

Resilient Networking. Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning. Securing DNS Split-Split-DNS DNSSEC.

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

Network programming, DNS, and NAT. Copyright University of Illinois CS 241 Staff 1

Lecture 2 CS An example of a middleware service: DNS Domain Name System

Ch 6: Networking Services: NAT, DHCP, DNS, Multicasting, NTP

NET0183 Networks and Communications

DNS at NLnet Labs. Matthijs Mekking

Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer

Domain Name System. DNS is an example of a large scale client-server application. Copyright 2014 Jim Martin

DNS and electronic mail. DNS purposes

Application Layer. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross

Teldat Router. DNS Client

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

How-to: DNS Enumeration

The Domain Name System

DNS : Domain Name System

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Motivation. Users can t remember IP addresses. Implemented by library functions & servers. - Need to map symbolic names (

Internetworking with TCP/IP Unit 10. Domain Name System

netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

The Domain Name System

Network(Security(Protocols(

CS3600 SYSTEMS AND NETWORKS

CS 348: Computer Networks. - DNS; 22 nd Oct Instructor: Sridhar Iyer IIT Bombay

DNS Conformance Test Specification For Client

3. The Domain Name Service

KB Windows 2000 DNS Event Messages 1 Through 1614

DNS Domain Name System

CS244A Review Session Routing and DNS

CSE 127: Computer Security. Network Security. Kirill Levchenko

DNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)

Table of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Computer Networks & Security 2014/2015

KAREL UCAP DNS AND DHCP CONCEPTS MANUAL MADE BY: KAREL ELEKTRONIK SANAYI ve TICARET A.S. Organize Sanayi Gazneliler Caddesi 10

Securing DNS Infrastructure Using DNSSEC

Hostnames. HOSTS.TXT was a bottleneck. Once there was HOSTS.TXT. CSCE515 Computer Network Programming. Hierarchical Organization of DNS

DNS Pharming Attack Lab

Coordinación. The background image of the cover is desgned by GUIDE TO DNS SECURITY 2

The Domain Name System (DNS)

Forouzan: Chapter 17. Domain Name System (DNS)

Measurement of the Usage of Several Secure Internet Protocols from Internet Traces

The Domain Name System from a security point of view

Domain Name System Security

Computer Networks Prof. S. Ghosh Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture - 34 DNS & Directory

Understanding DNS (the Domain Name System)

FTP: the file transfer protocol

CS3250 Distributed Systems

HW2 Grade. CS585: Applications. Traditional Applications SMTP SMTP HTTP 11/10/2009

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Chapter 9: Name Services. 9.1 Introduction 9.2 Name services and the DNS 9.3 Directory services 9.6 Summary

Introduction to Network Operating Systems

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

CSE/ISE 311: Systems Administra5on Networking 2

1 Introduction: Network Applications

Application-layer protocols

THE DOMAIN NAME SYSTEM DNS

Transcription:

The Domain Name System 3035/GZ01 Networked Systems Kyle Jamieson Lecture 10 Department of Computer Science University College London

Today 1. The Domain Name System (DNS) 2. DNS security: Cache poisoning agacks of 08 3. Coursework 2 Intro: Ben s local DNS server

The Domain Name System (DNS) People have many idennfiers Name, passport number, mailing address Internet hosts and routers 1. IP address (32 bit), used for addressing datagrams 2. Name (e.g. www.yahoo.com) used by humans QuesNon: how to map between IP address and name? IP = DNS_RESOLVE(domain_name)! 3

Naming in computer systems Name- mapping algorithm N 1 N 4 N 2 N 3 N 5 resolver V 1 V 4 V 3 V2 V 5 Namespace Set of values root Flat namespace: no context in name!microsoft, ucl, google! Path name: includes context in name ginger.pedantic.edu.! /usr/bin/vi! Context K&R, Chapter 2, Section B, second paragraph!

DNS names are resolved recursively Absolute path name: /usr/bin/vi 1. name = usr, context = / (root) 2. name = bin, context = /usr! 3. name = vi, context = /usr/bin! Absolute DNS name: sipb.mit.edu.! 1. name = edu, context =. (root) 2. name = mit, context =.edu! 3. name = sipb, context = mit.edu.!

Would- be design #1: the directory IP = DNS_RESOLVE(domain_name)! ftp hosts.txt user1.isp.net! ftp hosts.txt user2.isp.net! hosts.txt! web.mit.edu: 18.12.1.12! lxr.linux.no: 23.2.33.12! d.ja.net: 198.22.11.1!

Would- be design #2: centralized server IP = DNS_RESOLVE(domain_name)! Could this work?

The Domain Name System A database implemented by many name servers (NS) Distributed Replicated Hierarchical. com. uk. edu. ac.uk. cmu.edu. DelegaNon follows namespace hierarchy ucl.ac.uk. ee.ucl.ac.uk. cs.ucl.ac.uk.

The DNS namespace is hierarchical Root:. Top- level domain (TLD): com. uk. edu. ac.uk. ucl.ac.uk. cmu.edu. mit.edu. ee.ucl.ac.uk. cs.ucl.ac.uk. www.cs.ucl.ac.uk.

DNS resource record (RR): Overview DNS is a distributed database storing resource records RR includes: (name, type, value, time-to-live) Type = A (address) name is hostname value is IP address Type = NS (name server) name is domain (e.g. cs.ucl.ac.uk) value is hostname of authoritanve name server for this domain Type = CNAME name is an alias for some canonical (real) name e.g. www.cs.ucl.ac.uk is really haig.cs.ucl.ac.uk value is canonical name Type = MX (mail exchange) value is name of mail server associated with domain name pref field discriminates between mulnple MX records

Many uses of DNS Hostname to IP address translanon IP address to hostname translanon ( reverse lookup ) Host name aliasing Canonical hostname, alias host names point to canonical Can be arbitrarily many aliases Mail server locanon Lower pref fields are preferred Handles mail server primary- backup arrangement Content distribunon networks Load balancing among servers with different IP addresses Complex, hierarchical arrangements are possible

Root name servers 13 root name servers worldwide Responsible for the root of the DNS namespace Well- known to all NS s: e NASA Mt View, CA f Internet Software C. Palo Alto, CA (and 36 other locations) a Verisign, Dulles, VA c Cogent, Herndon, VA (also LA) d U Maryland College Park, MD g US DoD Vienna, VA h ARL Aberdeen, MD j Verisign (21 locations) A.ROOT- SERVERS.NET. IN A 198.41.0.4 B.ROOT- SERVERS.NET. IN A 192.228.79.201 C.ROOT- SERVERS.NET. IN A 192.33.4.12... M.ROOT- SERVERS.NET. IN A 202.12.27.33 k RIPE London (also 16 other locations) i Autonomica, Stockholm (plus 28 other locations) m WIDE Tokyo (also Seoul, Paris, SF) b USC-ISI Marina del Rey, CA l ICANN Los Angeles, CA

TLD and AuthoritaOve Servers Top- level domain (TLD) servers Responsible for com, org, net, edu, etc, and all top- level country domains: uk, fr, ca, jp Network Solu=ons maintains servers for com TLD Educause for edu TLD AuthoritaNve DNS servers An organizanon s DNS servers, providing authoritanve informanon for organizanon s servers Can be maintained by organizanon or service provider

Local name servers Do not strictly belong to hierarchy Each ISP (residennal ISP, company, university) has one Also called default or caching name server When host makes DNS query, query is sent to its local DNS server Acts as proxy, forwards query into hierarchy Does work for the client

DNS in operaoon Most queries and responses are UDP datagrams Two types of queries: www.scholarly.edu? Recursive: Client NS Answer: www.scholarly.edu A 10.0.0.1 IteraOve: Client www.scholarly.edu? NS Referral:.edu NS 10.2.3.1

A recursive DNS lookup (simplified). (root) authority 198.41.0.4 edu.: NS 192.5.6.30 no.: NS 158.38.8.133 uk.: NS 156.154.100.3 www.scholarly.edu? Contact 192.5.6.30 for edu. www.scholarly.edu? edu. authority 192.5.6.30 scholarly.edu.: NS 12.35.1.1 pedannc.edu.: NS 19.31.1.1 Contact 12.35.1.1 for scholarly.edu. www.scholarly.edu? Client. (root): NS 198.41.0.4 edu.: NS 192.5.6.30 scholarly.edu.: NS 12.35.1.1 scholarly.edu. authority 12.35.1.1 www.scholarly.edu.: A 12.35.2.30 imap.scholarly.edu.: A 12.35.2.31 www.scholarly.edu.: A 12.35.51.30

Local NS does clients work Root NS Local NS TLD NS AuthoritaOve NS 1. Clients make recursive queries to local NS 2. Local NS processing: Local NS sends iteraove queries to other NS s or, finds answer in cache 3. Local NS responds with an answer to the client s request Clients

Recursive versus iteraove queries Recursive query Less burden on client More burden on server (has to resolve the query) IteraOve query More burden on client Less burden on server (refers to another) Most root and TLD servers will not answer (reduce load) Local NS answers recursive query

A recursive query in the wild $ dig @a.root-servers.net www.freebsd.org +norecurse! ; <<>> DiG 9.4.3-P3 <<>> @a.root-servers.net www.freebsd.org +norecurse! ; (1 server found)! ;; global options: printcmd! ;; Got answer:! ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57494! ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12!! ;; QUESTION SECTION:! ;www.freebsd.org.!!in!a!! ;; AUTHORITY SECTION:! org.!!!172800!in!ns!b0.org.afilias-nst.org.! org.!!!172800!in!ns!d0.org.afilias-nst.org.!! ;; ADDITIONAL SECTION:! b0.org.afilias-nst.org.!172800!in!a!199.19.54.1! d0.org.afilias-nst.org.!172800!in!a!199.19.57.1!! ;; Query time: 177 msec! ;; SERVER: 198.41.0.4#53(198.41.0.4)! ;; WHEN: Wed Oct 28 07:32:02 2009! ;; MSG SIZE rcvd: 435! Glue record

A recursive query in the wild (2) $ dig @199.19.54.1 www.freebsd.org +norecurse! ; <<>> DiG 9.4.3-P3 <<>> @a0.org.afilias-nst.org www.freebsd.org +norecurse! ; (1 server found)! ;; global options: printcmd! ;; Got answer:! ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39912! ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 0!! ;; QUESTION SECTION:! ;www.freebsd.org.!!in!a!! ;; AUTHORITY SECTION:! freebsd.org.!!86400!in!ns!ns1.isc-sns.net.! freebsd.org.!!86400!in!ns!ns2.isc-sns.com.! freebsd.org.!!86400!in!ns!ns3.isc-sns.info.!! ;; Query time: 128 msec! ;; SERVER: 199.19.56.1#53(199.19.56.1)! ;; WHEN: Wed Oct 28 07:38:40 2009! ;; MSG SIZE rcvd: 121! No glue record provided for ns1.isc- sns.net, so need to go off and resolve, then restart the query

A recursive query in the wild (3) $ dig @ns1.isc-sns.net www.freebsd.org +norecurse! ; <<>> DiG 9.4.3-P3 <<>> @ns1.isc-sns.net www.freebsd.org +norecurse! ; (1 server found)! ;; global options: printcmd! ;; Got answer:! ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17037! ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5!! ;; QUESTION SECTION:! ;www.freebsd.org.!!in!a!! ;; ANSWER SECTION:! www.freebsd.org.!3600!in!a!69.147.83.33!! ;; AUTHORITY SECTION:! freebsd.org.!!3600!in!ns!ns2.isc-sns.com.! freebsd.org. freebsd.org.!!!3600!3600!in!ns!ns1.isc-sns.net.!!in!ns!ns3.isc-sns.info.!! ;; ADDITIONAL SECTION:! ns1.isc-sns.net.!3600!in!a!72.52.71.1! ns2.isc-sns.com. ns3.isc-sns.info.!3600!3600!in!a!in!a!38.103.2.1!!63.243.194.1!

DNS: caching and updaong records Once any name server learns mapping, it caches mapping Subsequent requests are served from the cache Cached entries Nmeout aoer some Nme (TTL field) TLD servers typically cached in local name servers, thus root name servers are not ooen visited Update/noNfy mechanisms under design by IETF Caching interacts with load balancing Caching has security implicanons, as we will see later

InserOng records into DNS Example: new startup Network Utopia Register name networkutopia.com at DNS registrar (e.g., Network SoluNons) Provide names, IP addresses of authoritanve name server (primary and secondary) Registrar inserts two RRs into.com TLD server: A.GTLD- SERVERS.NET (networkutopia.com, dns1.networkutopia.com, NS) (dns1.networkutopia.com, 212.212.212.1, A) Network Utopia inserts authoritanve A, MX records: dns1.networkutopia.com (networkutopia.com, mail.networkutopia.com, MX) (www.networkutopia.com, 212.212.212.3, A)

DNS protocol operaoon Most queries and responses via UDP, server port 53 Source port UDP length Query ID Source IP DesNnaNon IP Dest port UDP cksum Q A T R R R opcode A C D A Z rcode IP header UDP header DNS payload

DNS server state UDP socket listening on port 53 Client 10.0.0.1 10.0.0.1 10.0.0.3 11001 53 UDP length 11 UDP cksum QopcoATRR R de A C D A Z rcod e 10.0.0.3 10.1.0.1 10.0.0.3 3300110.1.0.1 53 33001 53 UDP length UDP cksum UDP length UDP cksum Q 23001 R 23001 opcoatrr de C Z rcod A D A QopcoATRR e R de A C D A Z rcod e TLD NS 10.1.0.1 Client 10.0.0.2 10.0.0.2 10.0.0.3 22002 53 UDP length 22 UDP cksum QopcoATRR R de A C D A Z rcod e Local NS 10.0.0.3 10.2.0.1 10.0.0.3 53 10.2.0.1 33002 33002 UDP length 53 QopcoATRR 23002 UDP R de cksum A C D A QopcoATRR 23002 de C Z rcod R A D A e UDP length UDP cksum Z rcod e TLD NS 10.2.0.1 Local NS at least needs to keep state associaong Query ID which query (if any)

DNS resource record (RR): Detail rdata: data associated with the RR type: determines the meaning of rdata class: always IN (Internet) 0 1 2 3 4 5 6 7 8 9 1 0 1 2 3 4 5 name (variable length) type class Gl rdlength rdata (variable length)

DNS protocol message Message formats completely specified in RFC 1035 hgp://www.iep.org/rfc/rfc1035.txt Query and reply messages have idenncal format QuesOon secoon: query for name server Answer secoon: RRs answering the quesnon Authority secoon: RRs that point to an authoritanve NS AddiOonal secoon: glue RRs Header QuesNon secnon Answer secnon Authority secnon AddiNonal secnon

DNS protocol header Query ID: 16- bit idennfier shared between query, reply Flags word QR: query (0) or response (1) opcode: standard query (0) AA: authoritanve answer TC: truncanon RD: Recursion desired RA: Recursion available Z: (reserved and zeroed) rcode: response code; ok (0) 0 1 2 3 4 5 6 7 8 9 1 0 1 2 3 4 5 Query ID A T R R opcode A C D A Z rcode qdcount qdcount: number of quesnon entries (QEs) in message ancount: number of RRs in the answer secnon nscount: number of RRs in the authority secnon arcount: number of RRs in the addinonal secnon Q R ancount nscount arcount

Today 1. The Domain Name System (DNS) 2. DNS security: Cache poisoning a]acks of 08 3. Coursework 2 Intro: Ben s local DNS server

DNS security Why do you trust your web browser? Summer 2008: Kaminsky DNS vulnerability

2005 DNS cache poisoning: Impact 500-1000 medium- to- large size organizanons were affected 10 large (1000+) person organizanons Affected domain names: americanexpress.com! citicards.com! billpay.quickbooks.com! adp.com! hrblockemail.com! orbitz.com! sabre.com! tickets.com! [Source: Internet Storm Center]

ImplicaOons of subverong DNS 1. Redirect vicnm s web traffic to rogue servers 2. Redirect vicnm s email to rogue email servers (MX records in DNS) Does Secure Sockets Layer (SSL) provide protecnon? Yes and No Yes user will get wrong cernficate warnings if SSL is enabled No SSL not enabled or user ignores warnings No how is SSL trust established? By email!

PredicOng the next query ID Root NS TLD NS Next query ID = Query ID + 1 VicOm NS Source port UDP length Query ID ns.badguy.com? Bad guy s network Dest port UDP cksum Q A T R R R opcode A C D A Z rcode ns.badguy.com? ns.badguy.com Clients

DNS cache poisoning, version 1 Root NS TLD NS IP = Barclay s IP, QID = 5001 Barclay s NS VicOm NS www.barclays.co.uk? www.barclays.co.uk? QID = 5001 IP = bad guy s IP, QID = 5001 IP = bad guy s IP, QID = 5002 Bad guy s network IP = bad guy s IP, QID = 5003 Clients

DNS cache poisoning, version 1 Requirements for successful exploit AGacker has to know the UDP source port the vicnm NS sent the query on (otherwise UDP drops the forged reply) ca. 2008, NS s used a well- known source port! AGacker has to guess the Query ID Countermeasure: name servers now use random query IDs Older servers used an easily- guessable pseudorandom number generator AGacker s forged replies have to arrive first Name can t already be in vicnm s cache

Kaminsky DNS cache poisoning step A]acking authority records one level higher in the DNS hierarchy barclays.co.uk NS ns1.barclays.co.uk ns1.barclays.co.uk A 10.0.0.1 Root NS ns.co.uk ns1.barclays.co.uk 10.0.0.1 VicOm NS www123.barclays.co.uk? www123.barclays.co.uk? QID = 3817 Bad guy s network ns1.badguy.com 10.2.0.2 ns1.barclays.co.uk A 10.2.0.2 QID = 39183 Clients

Kaminsky DNS cache poisoning Compromise the enore domain instead of just an IP Repeat the step K Nmes to make success more likely Use fresh uncached query each Nme www123.barclays.co.uk www1234.barclays.co.uk www12345.barclays.co.uk How likely is the agack to work? Pr( guess correct query id) = Pr guess wrong query id K times 1 65,535 ( ) = % 1 # $ 1 & ( 65,535' K K 4 0.99994 40 0.9994 400 0.994 4,000 0.94 40,000 0.54 Pr(Wrong K Omes)

Cache poisoning: increasing the odds barclays.co.uk NS ns1.barclays.co.uk ns1.barclays.co.uk A 10.0.0.1 Root NS ns.co.uk ns1.barclays.co.uk 10.0.0.1 VicOm NS www123.barclays.co.uk? www1234.barclays.co.uk? www123.barclays.co.uk? QID = 3817 www1234.barclays.co.uk? QID = 48917 ns1.barclays.co.uk A 10.2.0.2 QID = 39183 ns1.barclays.co.uk A 10.2.0.2 QID = 715 Bad guy s network ns1.badguy.com 10.2.0.2 Clients

Cache poisoning: increasing the odds Send a flurry of L queries and L forged responses Random query IDs everywhere Pr( one query/response pair matches) = Pr guess wrong query id L times 1 65,535 ( ) = % 1 # $ # = % 1 $ 1 & ( 65,535' 1 & ( 65,535' # L % & ( $ 2' L(L 1) 2 In pracnce, takes about 10 minutes L Pr(Every forgery wrong) 10 0.9994 100 0.926 290 0.54

MiOgaOng DNS cache poisoning Randomize UDP source port of local NS query Reply checking: 1. Kernel network stack matches desnnanon port of TLD server s reply with UDP source port of local NS s query 2. DNS server matches query ID of reply with query id of request MS DNS server pre- allocates 2,500 UDP ports for requests Pr( correct guess) = " 1 %" 1 % $ ' $ ' # 65,000& # 2,500& 6 10 9 Source IP DesNnaNon IP Source port Dest port UDP length UDP cksum Q A T R R Query ID R opcode A C D A Z rcode

Today 1. The Domain Name System (DNS) 2. DNS security: Cache poisoning agacks of 08 3. Coursework 2 Intro: Ben s local DNS server

Ben s local name server: Structure Single- threaded, only one client acnve at a Nme Two sockets: one for incoming recursive queries (ss); the other for outgoing iteranve queries (cs) Client Ben's DNS server Other DNS server Server socket ss Client socket cs ss.bind(port 53) rq ss.recvfrom( ) cs.sendto( ) iq rr cs.recvfrom( )... ss.sendto( ) ir

17 th November: Midterm exam NEXT TIME

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information