Lesson 13: DNS Security
Javier Osuna (josuna@gmv.com), GMV, Head of Security and Process Consulting Division

Introduction to DNS
The DNS lets people use and browse the Internet by translating easy-to-remember names into the numeric addresses that computers understand.
Example from the slide: www.intypedia.com -> 217.76.128.47

DNS Architecture: Hierarchical Structure
(Diagram: the DNS name hierarchy, showing the top-level domains and a client.)

DNS Architecture
- Root servers: distributed worldwide and of critical security importance
- Top-level domains (TLD): generic (.com, .edu, .org, .net) and country-code (.es, .fr, .us, .co.uk)
- Domain resolution: iterative or recursive query
- DNS records

DNS Architecture: DNS Records
The database inside every DNS server organizes its information in records: A, AAAA, CNAME, HINFO, MX, NS, PTR, SOA, SPF.
- A (Address): translates a host name into an IPv4 address
- CNAME (Canonical Name): creates additional host names, or aliases, for the domain's hosts
- MX (Mail Exchange): associates a domain name with a list of mail exchange servers for that domain
- PTR (Pointer): also known as the "reverse record"; the opposite of the A record, it translates an IP address into a domain name

Flow of a Domain Request (Web Browser)
(Diagram: browser cache, operating system cache, operating system "hosts" file, DNS.)

Basic Attacks
(Diagram.) On the targeted user's operating system: changing the "hosts" file, changing the DNS query commands, changing the DNS in the Internet connection settings. On the attacked DNS: changing logs.

Pharming and its Purposes
Attacks on domain resolution are called pharming: traffic meant for a legitimate server is redirected to a bogus one, for example in order to:
- Steal user names and passwords for websites that require login, such as banks, social networks or online games
- Intercept communications

DNS Cache Poisoning Attack
(Diagram with numbered steps 1-6 between the attacker, the attacking DNS, the legitimate DNS and the victim.)

DNS ID Spoofing with Sniffing Attack
(Diagram with numbered steps 1-4 between the victim, the attacker, the legitimate DNS, the legitimate web server and a bogus web server.)

DNS Cache Snooping Attack
The attacker sends queries to a DNS server to find out which domains it holds in its cache.
Knowing which domains others have visited (banks, political parties, medical information...) makes other attacks easier: phishing, social engineering or exploitation of vulnerabilities.

Man-in-the-middle Attack
(Diagram with numbered steps 1-4 between the victim, the attacker and the legitimate web server.)

Safe Use of Domain Resolution (End Users)
- Local access control on the operating system
- Keeping the operating system and software up to date
- Installing and configuring an antivirus and a firewall
- Avoiding the installation of untrusted software
- Paying attention to the security alerts browsers show about the server certificates used in HTTPS connections

Securing the DNS (1 of 2)
- Secure access control
- User awareness of social engineering and its methods
- Traceability of who modified the information held in the DNS, what was changed and when
- An effective monitoring system

Securing the DNS (2 of 2)
- Using the latest versions of the DNS software and applying updates regularly
- Configuring the DNS appropriately
- Limiting, where possible, the networks from which the DNS cache is accessible

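The last point above is the control against the cache snooping attack described earlier, and the monitoring point on the previous slide is how you notice it when the control is missing. The Python example below (added here, not code from the lesson) shows the detection side: cache snooping consists of queries sent with Recursion Desired cleared, so that the server only answers from what it already has cached, and such queries from clients outside the networks that are meant to use the resolver are the thing to alert on. The log lines are constructed and modelled on BIND's query log format, in which the flags field begins with "+" when RD was set and "-" when it was not; the trusted network 10.0.0.0/8 and the client addresses are constructed too.

```python
import ipaddress
import re

# Constructed sample lines modelled on BIND's query log format. The flags field
# starts with "+" when the client set Recursion Desired and "-" when it did not;
# a non-recursive query only reveals what the server already holds in its cache.
SAMPLE_LOG = """\
client 10.0.0.15#51234 (www.intypedia.com): query: www.intypedia.com IN A + (10.0.0.1)
client 203.0.113.9#40211 (bank.example): query: bank.example IN A - (10.0.0.1)
client 203.0.113.9#40212 (party.example): query: party.example IN A - (10.0.0.1)
client 203.0.113.9#40213 (clinic.example): query: clinic.example IN A -E (10.0.0.1)
client 10.0.0.22#40214 (intranet.example): query: intranet.example IN A - (10.0.0.1)
client 198.51.100.4#40215 (www.example.org): query: www.example.org IN A + (10.0.0.1)
"""

# Networks that are allowed to read the cache (constructed for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """Yield one dict per recognised query-log line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {
                "ip": ipaddress.ip_address(m["ip"]),
                "name": m["name"],
                "qtype": m["type"],
                "recursion_desired": m["flags"].startswith("+"),
            }


def is_trusted(ip, nets=TRUSTED_NETS):
    """True when the client address lies inside one of the permitted networks."""
    return any(ip in net for net in nets)


def find_snooping_probes(text, nets=TRUSTED_NETS, min_queries=1):
    """Non-recursive queries from outside the trusted networks, grouped by client.

    Cache snooping shows up as a series of such queries, so the caller can raise
    min_queries to ignore a single stray lookup.
    """
    hits = {}
    for q in parse_query_log(text):
        if not q["recursion_desired"] and not is_trusted(q["ip"], nets):
            hits.setdefault(str(q["ip"]), []).append(q["name"])
    return {ip: names for ip, names in hits.items() if len(names) >= min_queries}


if __name__ == "__main__":
    for ip, names in find_snooping_probes(SAMPLE_LOG, min_queries=2).items():
        print(f"possible cache snooping from {ip}: {', '.join(names)}")
```

On the sample data only 203.0.113.9 is reported: the non-recursive query from 10.0.0.22 comes from a trusted network, and the external client 198.51.100.4 asked for recursion, which is a separate problem (an open resolver) rather than snooping. In BIND the "limiting the networks" control on this slide corresponds to restricting both allow-recursion and allow-query-cache to the internal networks, so that the queries this detector looks for are refused rather than answered.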
Contact: info@intypedia.com