TODAY & TOMORROW
PRESENTED BY: JAMES SPEIRS, CHARLES HIGBY, BRADY REDFEARN
Domain Name System (DNS)
Date posted: 25-Dec-2015

Transcript

Overview
o History
o How It Works
o DNS Packet Structure
o DNS Features
o DNS Security Evolution, Early Days
o Current DNS Issues
o Bailiwick Defined
o BIND 9.6 Or Later
o Guilty Parties
o DNS Exploit, Dan Kaminsky
o BIND 8 Or Earlier
o Kaminsky's Results
o What Can Save Us?

History: Pre-DNS
o Hosts file
  - Stanford Research Institute (SRI)
  - FTP

History Continued
1983
o Paul Mockapetris, inventor
o RFCs 882 & 883
1984
o Berkeley & UNIX
1985
o Kevin Dunlap, Digital Equipment Corporation (DEC)
o Berkeley Internet Name Domain (BIND)
1987
o RFCs 1034 & 1035
1990s
o BIND ported to Windows NT

How It Works: Distributed Databases
o Local machine
  - Hosts file
    Linux - /etc/hosts
    Mac - /private/etc/hosts
    Windows - %SystemRoot%\system32\drivers\etc\
  - Local cache
    Active memory
    Browser cache

How It Works Continued: Distributed Databases
o Not on local machine
  - UDP request (~100 bytes)
  - ISP DNS responds
  - ISP's ISP DNS responds
  - Core DNS responds

DNS Packet Structure

DNS Features
Name server responds with all sub-domains
o microsoft.com
o secure.microsoft.com
o update.microsoft.com
Compression (~3x)
Redundancy
Round-robin assignment
Entry expiration (3,600 seconds)
o 3,600 second default
o Defined by name server
The "big 13 root servers" always contain the main DNS entries
o .com, .net, .tv, .info, .gov, .mil, etc.
o http://www.isoc.org/briefings/020/zonefile.shtml

DNS Security Evolution, Early Days
No bad guys in 1983
Transaction ID (TID)
o Incremental counting integer
o Random TID
Port 53
o Incoming port 53
o Port 53 outgoing
o Random outgoing port, Dan Bernstein

Current DNS Issues
DNS Poisoning
o First response wins
o No TCP
o Transaction IDs - 16 bits
o Ports - 16 bits
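Added example, not part of the slides: a minimal resolver-side acceptance check in Python showing why the two 16-bit values above matter. A UDP reply is only used when it is a response that arrived on the port the query left from, carries the matching TID and echoes the same question; the packets, TID 0x1234 and port 7649 are constructed sample values.

```python
import struct

def parse_header(packet):
    """Unpack the 12-byte DNS header: TID, flags and the four section counts."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": tid, "qr": flags >> 15, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def parse_question(packet, offset=12):
    """Read the first question as (name, qtype, qclass); the name is lower-cased."""
    labels = []
    while True:
        n = packet[offset]
        offset += 1
        if n == 0:
            break
        if n & 0xC0:  # a compression pointer is not valid inside a question name
            raise ValueError("bad label length")
        labels.append(packet[offset:offset + n].decode("ascii").lower())
        offset += n
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return ".".join(labels), qtype, qclass

def build_response(tid, qname, qtype=1):
    """Constructed reply: header with QR=1, RCODE=0 and the echoed question only."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def accept_response(pending, local_port, packet):
    """`pending` maps (tid, local UDP port) -> (qname, qtype) for queries in flight.
    Only a reply matching TID, port and question is accepted; the rest is a guess."""
    hdr = parse_header(packet)
    if hdr["qr"] != 1 or hdr["qdcount"] != 1:
        return False
    expected = pending.get((hdr["id"], local_port))
    if expected is None:
        return False  # wrong TID or wrong port
    qname, qtype, qclass = parse_question(packet)
    return (qname, qtype) == expected and qclass == 1

# Constructed scenario: the resolver asked for aaa.example.com (A) with TID 0x1234
# from source port 7649, so a forged reply must hit both 16-bit values and the name.
PENDING = {(0x1234, 7649): ("aaa.example.com", 1)}
GENUINE = build_response(0x1234, "aaa.example.com")
WRONG_TID = build_response(0x1235, "aaa.example.com")
WRONG_NAME = build_response(0x1234, "www.example.com")
```

With a fixed source port only the TID has to be guessed (65,536 possibilities); a randomized port adds a second 16-bit value that a forged reply must also match.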

DNS Controllers
o ICANN
o US Commerce Department
o Verisign
o 13 core servers

Bailiwick Defined
o "The neighborhood of the domain"
Bailiwicked Domain Attack
o In Bailiwick
  - microsoft.com
  - update.microsoft.com
  - security.microsoft.com
  - All acceptable DNS entries
o Not in Bailiwick
  - google.com
  - yahoo.com
  - These entries are thrown away
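Added example, not from the slides: the bailiwick rule above as a Python filter over the additional section of a response. The comparison is label by label, so look-alike names that merely contain "microsoft.com" are also discarded; the record list and addresses are constructed sample data.

```python
def in_bailiwick(zone, name):
    """True if `name` is `zone` itself or lies beneath it, compared label by label
    so that e.g. notmicrosoft.com is not mistaken for a microsoft.com neighbour."""
    z = zone.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z

def filter_additional(zone, records):
    """Split additional-section records into those the resolver may cache (owner
    inside the answering zone) and those it throws away. Each record is an
    (owner, rtype, rdata) tuple; `zone` is the zone the queried server serves."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(zone, rec[0]) else dropped).append(rec)
    return kept, dropped

# Constructed additional section, as if returned by the microsoft.com name servers
# (addresses from documentation ranges, not a real capture).
ADDITIONAL = [
    ("update.microsoft.com", "A", "192.0.2.10"),
    ("security.microsoft.com", "A", "192.0.2.11"),
    ("google.com", "A", "198.51.100.1"),                      # out of bailiwick
    ("yahoo.com", "A", "198.51.100.2"),                       # out of bailiwick
    ("notmicrosoft.com", "A", "198.51.100.3"),                # suffix trick, still out
    ("microsoft.com.attacker.example", "A", "198.51.100.4"),  # prefix trick, still out
]

def demo():
    """Return the owner names kept and dropped for the constructed response."""
    kept, dropped = filter_additional("microsoft.com", ADDITIONAL)
    return [r[0] for r in kept], [r[0] for r in dropped]
```

This check stops off-domain glue, but as the later slides note, the Kaminsky variant passes it because the forged records for example.com are inside the example.com bailiwick.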

BIND 9.6 Or Later
Example of current version of BIND

Guilty Parties
o Any DNS not randomizing ports
o OpenWRT software
Secure Services
o OpenDNS
o djbdns
o Simple router software

DNS Exploit, Dan Kaminsky
Cache miss at ISP
o Find DNS IPs for example.com
  - ns1.example.com (1.1.1.1)
  - ns2.example.com (1.1.1.2)
o Send query for bogus machine aaa.example.com
o ISP's DNS queries example.com for the fake computer
  - Note UDP outgoing port from ISP (7649)
o Send 100 UDP packets with random TIDs to ISP at port 7649 with your IP 1.1.1.100 as the location for example.com

BIND 8 Or Earlier
Example of older versions of BIND

Kaminsky's Results
Repeat the exploit for any domain
In 30 seconds, you control the entire domain
Works because
o New IPs are in bailiwick
o New IPs replace old ones at ISP
o Make TTL really big
  - Maximum of 2,147,483,647 seconds
  - 68+ years
  - Never expires
o Nothing appears wrong
  - URL bar is http://www.google.com
  - Displayed site is google.com

What Can Save Us?
SSL certificates
o Cannot be duplicated
o Must be examined
If available, force HTTPS
Most sites don't support either solution
Test your ISP
o entropy.dns-oarc.net/test

Questions
