Talk by Jonathan Oxer at Linux Users Victoria in April 2007 about how DNS works. Covers authoritative and recursive DNS, delegation, and attack vectors including cache poisoning and DNS forgery. More information at http://jon.oxer.com.au/talks/id/66
Introduction to DNS
1. Introduction To DNS: everything you never wanted to know about IP directory services. Linux Users Victoria, April 3rd 2007. Jonathan Oxer <jon@ivt.com.au>
2. what is the domain name system anyway?
3. it's like a phone book ...kinda
4. DNS is (1) a directory service
5. DNS is (2) an identity mechanism
6. DNS is (3) a namespace structure
7. DNS is (4) an abstraction layer
8. think of the phone book...
9. maps hostnames to IP addresses
10. maps jon.oxer.com.au to 221.133.213.151
11. forward vs reverse
12. maps jon.oxer.com.au to 221.133.213.151
13. maps 221.133.213.151 to jon.oxer.com.au
81. anatomy of a zone file
82. ; zone file for example.com.
    $TTL 2d                 ; 172800 TTL
    @       IN  SOA ns1.example.com. hostmaster.example.com. (
                    2007040304  ; serial
                    12h         ; refresh
                    15m         ; retry
                    3w          ; expiry
                    3h          ; minimum
                    )
            IN  NS  ns1.myprovider.com.
            IN  NS  ns1.example.com.
            IN  MX  10 mail.example.net.
    homer   IN  A       192.168.254.3
    marge   IN  A       192.168.12.15
    www     IN  CNAME   homer
    vpn     IN  CNAME   marge
83. types of DNS records
84. “A” (address) links names and IPv4 addresses
85. “AAAA” (address) links names and IPv6 addresses
86. “CNAME” (canonical name) aliases a name to another name
87. “MX” (mail exchange) name of the machine for mail delivery, with a preference value (lowest preferred)
88. “NS” (name server) name of a DNS server for a zone
89. “TXT” (text) arbitrary text string
90. “NAPTR” (naming authority pointer) fun with regex
91. “SOA” (start of authority) controls inter-server data synchronisation
92. SOA (Start Of Authority)
93. SOA sets TTL (Time To Live): historically the SOA minimum was the zone's default TTL; in the zone above the $TTL directive does that job
94. TTL says how long data may be cached
95. SOA parameters, Serial: identifies the version of the zone data; secondaries transfer the zone when the primary's serial is higher than theirs
96. SOA parameters, Refresh: seconds between a secondary's checks of the primary's serial
97. SOA parameters, Retry: seconds a secondary waits before retrying a failed refresh
98. SOA parameters, Expire: seconds after the last successful refresh before a secondary stops answering for the zone
99. SOA parameters, Minimum: used now for negative caching (RFC 2308), i.e. how long a "no such name" answer may be cached
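A parser for the zone file shown on slide 82, written as an added example for this page (Python, not code from the talk). It handles the constructs that zone uses: the $TTL directive with BIND-style time units, the @ origin shorthand, omitted owner names, the parenthesised multi-line SOA, relative names and ; comments. It also runs two checks a practitioner does before publishing a zone: NS and MX targets must not be aliases (RFC 2181 section 10.3), and an NS target inside the zone needs an address record. The zone text below is the slide's zone retyped as constructed test input; the function names and the strict "$TTL is required" rule are choices made for this example.

```python
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample input: the example.com zone from the slides, retyped here as test data.
ZONE_TEXT = """\
; zone file for example.com.
$TTL 2d                 ; 172800 seconds
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2007040304  ; serial
                12h         ; refresh
                15m         ; retry
                3w          ; expiry
                3h          ; minimum
                )
        IN  NS  ns1.myprovider.com.
        IN  NS  ns1.example.com.
        IN  MX  10 mail.example.net.
homer   IN  A       192.168.254.3
marge   IN  A       192.168.12.15
www     IN  CNAME   homer
vpn     IN  CNAME   marge
"""
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_ttl(text: str) -> int:
    """BIND-style TTL ('3600', '2d', '1w2d12h') to seconds; anything else is rejected."""
    if not re.fullmatch(r"\d+|(?:\d+[smhdw])+", text, re.I):
        raise ValueError(f"bad TTL {text!r}")
    return sum(int(n) * _UNITS[u.lower()] for n, u in re.findall(r"(\d+)([smhdw]?)", text, re.I))

def absolutize(name: str, origin: str) -> str:
    """'@' is the origin; names ending in '.' are absolute; anything else is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text: str) -> Iterator[Tuple[bool, List[str]]]:
    """Yield (owner_omitted, tokens) per record, joining '(' ... ')' continuation lines and
    dropping ';' comments; the owner is omitted when a record's first line starts with whitespace."""
    depth, tokens, owner_omitted = 0, [], False
    for raw in text.splitlines():
        if depth == 0:
            tokens, owner_omitted = [], raw[:1].isspace()
        for tok in raw.split(";", 1)[0].replace("(", " ( ").replace(")", " ) ").split():
            if tok in ("(", ")"):
                depth += 1 if tok == "(" else -1
            else:
                tokens.append(tok)
        if depth == 0 and tokens:
            yield owner_omitted, tokens

def parse_zone(text: str, origin: str) -> Tuple[Dict[str, object], List[dict]]:
    """Parse a zone file into (soa_fields, records), with every name made absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl: Optional[int] = None
    owner: Optional[str] = None
    soa: Dict[str, object] = {}
    records: List[dict] = []
    for owner_omitted, toks in _logical_lines(text):
        if toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if not owner_omitted:
            owner = absolutize(toks.pop(0), origin)
        if owner is None:
            raise ValueError("first record has no owner name")
        ttl = default_ttl  # an optional TTL and class may precede the type, in either order
        while toks and (toks[0].upper() in ("IN", "CH", "HS") or toks[0][0].isdigit()):
            tok = toks.pop(0)
            if tok.upper() not in ("IN", "CH", "HS"):
                ttl = parse_ttl(tok)
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype == "SOA":
            soa = dict(zip(("mname", "rname", "serial", "refresh", "retry", "expire", "minimum"),
                           [absolutize(rdata[0], origin), absolutize(rdata[1], origin),
                            int(rdata[2]), *map(parse_ttl, rdata[3:])]))
        elif rtype in ("NS", "CNAME"):
            rdata = [absolutize(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), absolutize(rdata[1], origin)]
        if ttl is None:
            raise ValueError("no TTL: put $TTL before the first record")  # strict by choice
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
    return soa, records

def lint_zone(records: List[dict], origin: str) -> List[str]:
    """NS/MX targets must not be aliases (RFC 2181 s10.3); in-zone NS targets need an address."""
    origin = origin if origin.endswith(".") else origin + "."
    types_at: Dict[str, set] = {}
    for r in records:
        types_at.setdefault(r["owner"], set()).add(r["type"])
    problems = []
    for r in (r for r in records if r["type"] in ("NS", "MX")):
        target, have = r["rdata"][-1], types_at.get(r["rdata"][-1], set())
        if "CNAME" in have:
            problems.append(f"{r['type']} target {target} is a CNAME")
        if (target == origin or target.endswith("." + origin)) and not have & {"A", "AAAA"}:
            problems.append(f"{r['type']} target {target} is in-zone but has no A/AAAA record")
    return problems
```

Running `lint_zone(*parse_zone(ZONE_TEXT, "example.com")[1:], "example.com")` on the slide's zone flags one real problem: it names ns1.example.com. as a nameserver but contains no A record for it, so nobody following the delegation could reach that server.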
108. Practical example: Dr Evil wants to take over “www.bigbank.com”
109. Dr Evil attack vector #1: redirecting the target domain's nameserver
110. (1) Dr Evil creates a sub-zone of a zone he controls, such as “bigbank.dr-evil.com”
111. (2) Dr Evil delegates that sub-zone with an NS record naming “www.bigbank.com” as its nameserver
112. (3) Dr Evil configures his DNS server to send a glue A record for “www.bigbank.com” along with that delegation, carrying an IP address he controls
113. (4) Dr Evil issues a DNS lookup for “bigbank.dr-evil.com” to your DNS resolver (or gets one of your users to trigger it, for instance with a web page or e-mail that references the name)
114. (5) Your DNS server caches the evil IP from the glue record and uses it for future requests for “www.bigbank.com”
115. what happened?
     request:   bigbank.dr-evil.com.  IN  A
     response:
       Answer section:      (empty)
       Authority section:   bigbank.dr-evil.com.  3600  IN  NS  www.bigbank.com.
       Additional section:  www.bigbank.com.            IN  A   1.2.3.4
     The poison is the Additional-section record. Its owner, www.bigbank.com., lies outside the zone the answering server is authoritative for (dr-evil.com.), so a resolver that applies a bailiwick check drops it; RFC 2181 section 5.4.1 in any case ranks additional-section data too low to ever be returned as the answer to a later query. The attack works only against a resolver that caches such out-of-zone additional data as if it were an answer.
120. Dr Evil attack vector #2: redirect the NS record of the target domain
121. compare this with...
     request:   bigbank.dr-evil.com.  IN  A
     response:
       Answer section:      (empty)
       Authority section:   bigbank.dr-evil.com.  3600  IN  NS  www.bigbank.com.
       Additional section:  www.bigbank.com.            IN  A   1.2.3.4
122. ...alternative attack
     request:   bigbank.dr-evil.com.  IN  A
     response:
       Answer section:      (empty)
       Authority section:   bigbank.com.  3600  IN  NS  ns.dr-evil.com.
       Additional section:  ns.dr-evil.com.     IN  A   1.2.3.4
     Here the glue record is legitimate (ns.dr-evil.com. is inside dr-evil.com.) and the poison has moved to the Authority section: a delegation of bigbank.com. itself to Dr Evil's nameserver, which a server for dr-evil.com. has no authority to assert. The same bailiwick check rejects it, because bigbank.com. is not at or below dr-evil.com.; a resolver that accepts it will from then on send every bigbank.com query to ns.dr-evil.com.
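The two responses above (slides 115 and 122), fed to a toy resolver cache with and without the bailiwick check, as an added example for this page (Python, not code from the talk). The records are transcribed from the slides; the 3600 TTL on the additional-section records, the use of dr-evil.com. as the answering server's bailiwick, and the class and function names are assumptions made for the example. The in_bailiwick check compares labels rather than string suffixes, because a suffix test would treat bigbankdr-evil.com as being under dr-evil.com.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str


@dataclass
class Response:
    qname: str
    qtype: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it, compared label by label (a plain string
    suffix test would wrongly accept 'bigbankdr-evil.com' as being under 'dr-evil.com')."""
    z = zone.lower().rstrip(".")
    if z == "":
        return True  # the root zone contains everything
    n_labels, z_labels = name.lower().rstrip(".").split("."), z.split(".")
    return n_labels[-len(z_labels):] == z_labels


def _key(owner: str, rtype: str) -> Tuple[str, str]:
    return owner.lower().rstrip(".") + ".", rtype


class ResolverCache:
    """Minimal cache keyed by (owner, type). With bailiwick_check=False it behaves like the
    trusting resolver the slides' attack targets; with True it drops out-of-zone records."""

    def __init__(self, bailiwick_check: bool) -> None:
        self.bailiwick_check = bailiwick_check
        self.store: Dict[Tuple[str, str], RR] = {}

    def ingest(self, resp: Response, server_zone: str) -> List[RR]:
        """Cache every section of resp. server_zone is the zone for which the resolver was
        referred to the server it asked. Returns the records that were rejected."""
        rejected: List[RR] = []
        for rr in resp.answer + resp.authority + resp.additional:
            if self.bailiwick_check and not in_bailiwick(rr.owner, server_zone):
                rejected.append(rr)
                continue
            self.store[_key(rr.owner, rr.rtype)] = rr
        return rejected

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        rr = self.store.get(_key(name, rtype))
        return rr.rdata if rr else None


# Constructed responses, transcribed from the slides: what ns.dr-evil.com (authoritative for
# dr-evil.com.) returns when a resolver asks it for bigbank.dr-evil.com. A
EVIL_ZONE = "dr-evil.com."
ATTACK_1 = Response("bigbank.dr-evil.com.", "A",
                    authority=[RR("bigbank.dr-evil.com.", 3600, "NS", "www.bigbank.com.")],
                    additional=[RR("www.bigbank.com.", 3600, "A", "1.2.3.4")])  # out-of-zone glue
ATTACK_2 = Response("bigbank.dr-evil.com.", "A",
                    authority=[RR("bigbank.com.", 3600, "NS", "ns.dr-evil.com.")],  # out-of-zone NS
                    additional=[RR("ns.dr-evil.com.", 3600, "A", "1.2.3.4")])


def run_attack(resp: Response, bailiwick_check: bool) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Feed resp to a fresh cache; report (www.bigbank.com A, bigbank.com NS, rejected owners)."""
    cache = ResolverCache(bailiwick_check)
    rejected = cache.ingest(resp, EVIL_ZONE)
    return (cache.lookup("www.bigbank.com.", "A"), cache.lookup("bigbank.com.", "NS"),
            [rr.owner for rr in rejected])


if __name__ == "__main__":
    for label, resp in (("attack #1", ATTACK_1), ("attack #2", ATTACK_2)):
        for check in (False, True):
            print(f"{label}, bailiwick check {'on' if check else 'off'}: {run_attack(resp, check)}")
```

Without the check, attack #1 leaves the cache answering 1.2.3.4 for www.bigbank.com and attack #2 leaves it believing ns.dr-evil.com serves bigbank.com; with the check, the only record cached from either response is the harmless in-zone glue for ns.dr-evil.com.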
123. Dr Evil attack vector #3: DNS forgery: respond before the real nameserver does
124. not as easy as it sounds!
125. do a “birthday attack” against the nonce value (the 16-bit transaction ID the resolver puts in its query and expects to see echoed in the reply)
126. Start with the Taylor series approximation to the probability of a “nonce” value collision, where “n” is the number of attempts and “H” is the number of unique outputs. Invert the expression, then set the probability of collision to 0.5. So it's obvious that for a 16-bit nonce there are 65536 outputs, i.e. only 301 attempts are required to generate a collision by brute force!
129. 301 attempts against a 2^16-value ID space
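The derivation slides 126 to 129 step through, carried out here with the slides' own symbols: n is the number of attempts and H the number of possible values of the 16-bit transaction ID the slides call the nonce. This is an added reconstruction of the standard birthday-bound approximation, not the slides' own equations (which are not reproduced on this page); its final figure agrees with the 301 the slides give.

$$p(n;H) = 1 - \prod_{k=1}^{n-1}\left(1 - \frac{k}{H}\right) \approx 1 - e^{-n(n-1)/(2H)} \approx 1 - e^{-n^{2}/(2H)}$$

using $1 - x \approx e^{-x}$, the leading terms of the Taylor series, since every $k/H$ is small. Inverting the expression:

$$n(p;H) \approx \sqrt{2H \ln \frac{1}{1-p}}$$

Assigning a 0.5 probability of collision:

$$n(0.5;H) \approx \sqrt{2 \ln 2}\,\sqrt{H} \approx 1.1774\,\sqrt{H}$$

For a 16-bit ID, $H = 2^{16} = 65536$ and $\sqrt{H} = 256$:

$$n \approx 1.1774 \times 256 \approx 301$$

The figure assumes a birthday setting: the resolver has many queries for the same name in flight at once, each carrying its own ID, while the attacker floods it with forged replies, so any forged ID matching any outstanding ID wins. A resolver that sends one query per name and holds further requests for that name until it is answered leaves the attacker guessing a single ID, which takes about H/2 = 32768 forged replies on average before the genuine answer arrives.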