Welcome Everyone @. Today Our Topics are: DNS (The Potential Problem for Complete Anonymity)...

Date post: 26-Dec-2015
Upload: rudolph-fowler
Welcome Everyone @

Today Our Topics are:

● DNS (The Potential Problem for Complete Anonymity)

● Transparent DNS Proxy (The Problem & The Solution)

● How To Use Public DNS To Attack

# What is DNS ?

# And How Does it Work ?

# What is DNS:

It stands for Domain Name System. Whenever you try to open a website, your computer sends a query to your DNS server, and the DNS server sends back the IP address of that website as the reply.

# How Does it Work:

DNS doesn't require any connection establishment (or handshaking). Your computer sends a packet containing the query to port 53 of your DNS server, with your IP as the source address and the IP of your DNS server as the destination address. The DNS server then sends back a reply packet with its own IP as the source and your IP as the destination address.

The Picture Of DNS

● Suppose your IP is 1.2.3.4 and the DNS's IP is 6.7.8.9, and your computer is asking for the IP of www.abcd.com

Your PC (ip: 1.2.3.4) -> Your DNS server (ip: 6.7.8.9)

Source: 1.2.3.4

Destination: 6.7.8.9

Query: what is the ip of www.abcd.com ?

Your DNS server (ip: 6.7.8.9) -> Your PC (ip: 1.2.3.4)

Source: 6.7.8.9

Destination: 1.2.3.4

Result: ip is x.x.x.x

How can I find my DNS ?

● It depends mainly on your Operating System. If you use a router to connect to the Internet, then you'll find the IP of your router in the following results.

● Linux Users:

You can find your DNS entry in the file “/etc/resolv.conf”.

● Windows Users (8/7/Vista/XP/NT/2003):

At the DOS prompt, type the command: C:\>ipconfig /all

Getting Bored! Everyone knows that. So Where is The Problem ???

# Why is it a potential problem for complete anonymity ?

Your ISP (Internet Service Provider) logs each and every request you make to its DNS server. You might leak information about your ISP's DNS even if you use a proxy or VPN. That makes tracing you a lot easier.

You can check whether your internet connection is leaking information about your DNS at:

https://www.dnsleaktest.com

So what's the big deal ?

I can change DNS address manually, in my Operating System...

Here comes the story of the Transparent DNS Proxy (a big threat to anonymity).

Some ISPs are now using a technology to intercept all DNS lookup requests (TCP/UDP port 53) and transparently proxy the results. This effectively forces you to use their DNS service for all DNS lookups. This is called a “Transparent DNS proxy”.

If your ISP is using this technology, you might be surprised to know that all your DNS queries are getting logged, even if you have changed your DNS settings to use an 'open' DNS service such as Google and expect that your queries are no longer being sent to your ISP's DNS server.

Does my ISP use a Transparent DNS Proxy? How to detect it?

Depending on how your ISP has configured the transparent proxy, detecting it can be anywhere from easy to close to impossible. If the tests show that you do not have a transparent DNS proxy, you might still be behind one.

But for the sake of proof, we tested a Tata Photon internet connection. We got the same DNS result even after changing the DNS manually.
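One way to run such a test yourself, as an added example that is not part of the original slides: send a query to 192.0.2.1, an address in the RFC 5737 documentation range where no DNS server exists, so any DNS answer must come from something on the path. The function names are hypothetical, and a silent result does not prove that no proxy is present.

```python
import socket
import struct

# Assumption of this example: RFC 5737 documentation address, no real DNS server lives here.
TEST_NET_ADDR = "192.0.2.1"

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query (12-byte header + one question) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # type, class IN

def is_reply_to(query, reply):
    """True if `reply` is a DNS response (QR bit set) carrying the query's transaction id."""
    if len(reply) < 12:
        return False
    txid, flags = struct.unpack("!HH", reply[:4])
    return txid == struct.unpack("!H", query[:2])[0] and bool(flags & 0x8000)

def probe(server=TEST_NET_ADDR, name="www.abcd.com", timeout=3.0):
    """Send one query to `server`; 'intercepted' if something answers, else 'no-answer'."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:  # timeout or unreachable: nothing answered for the reserved address
            return "no-answer"
    return "intercepted" if is_reply_to(query, reply) else "no-answer"

if __name__ == "__main__":
    print(probe())
```

An "intercepted" result means a device between you and the internet answers port 53 traffic regardless of the destination address you chose.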

Then What's the Solution !!!

Solution No 1: A tool named “dnscrypt-proxy”, freely available on the internet, might be your solution. dnscrypt-proxy acts as a local service that can be used directly as your local resolver or as a DNS forwarder. It encrypts and authenticates requests using its own protocol and passes them to your preferred (dnscrypt-proxy supported) DNS server.

You can find a list of dnscrypt-proxy supported DNS servers at the following link:

http://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

Both Linux and Windows users can find this tool for their respective OS at the following link:

http://download.dnscrypt.org/dnscrypt-proxy/

Solution No 2: If you use proxychains for anonymity, you can change its settings to resolve your queries through the DNS used by the proxy servers.

Solution No 3: You can use a VPN service that doesn't log any of your activity and gives you protection from a transparent DNS proxy. (Beware of some free VPNs like “hotspotshield”; it doesn't give you full anonymity.)

Solution No 4: Change Your Internet connection !!!

( Sorry Jokes Apart)

How to use public DNS to attack ?

First, let's look at some query types. DNS doesn't handle queries of only a single type. A few of those types and their meanings are:

Types            Meanings

A     -------> Asking for the IPv4 (32 bit) address of a domain

AAAA  -------> Asking for the IPv6 (128 bit) address of a domain

NS    -------> Asking for the name server record of a domain

MX    -------> Asking for the mail exchange server record of a domain

Etc.

You can find a really big list of the query types handled by a DNS server here:

http://en.wikipedia.org/wiki/List_of_DNS_record_types

There is a special type of DNS request called an ANY request. ANY requests ask the DNS resolver for ALL information that it currently knows about the domain which may include where the mail servers are (MX records), what the IP addresses are (A records) and so on. Attackers use this type of query to maximize the size of the response sent to the victim.

If we issue this command on a linux terminal, the result will be

So, you can see that a 64-byte query generated a 577-byte response.

Here the response we got is almost 9 times larger than the query. If we 'dig' a domain that has more records, the amount of traffic could be even 50 times more.

So just imagine what would happen if we send such queries about hundreds of domains to hundreds of public DNS servers ???

First, it'll generate a large amount of internet traffic.

And...

It'll crash your own System... !!!

OOPS !!!

To make it work you have to redirect all the traffic to your victim. For this you have to send forged packets to the DNS server, in which you replace the source address of the packets with your victim's IP address.

For example:

• Suppose your IP is 1.2.3.4 and your victim's IP is 9.8.7.6; then you have to set '9.8.7.6' as the source IP of all of those packets.

You can write your own program to do that.

Don't know programming? No problem, you can find an open source tool (with all usage details) to do that at the following link.

http://www.infosec-ninjas.com/tsunami

This is called “DNS Amplification”

“A recent attack measured by Cloudflare weighed in at 400Gbps, one of the largest attacks seen to date. That would require an attacker issuing over 200,000 of the above requests per second to open resolvers around the globe.”

(Source of information: http://labs.opendns.com/2014/03/17/dns-amplification-attacks/)

Protection: There are some organizations on the internet that provide protection from such attacks. To protect your domain from this kind of attack you can take their service, and of course it's not free.
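On the receiving side, this attack shows up as DNS responses that match no query the host ever sent. The following is an added example (not part of the original slides) that flags this pattern in flow records; the records are constructed, and the function name and the threshold are assumptions of the example.

```python
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes). Not real traffic.
FLOWS = [
    ("1.2.3.4", 40000, "6.7.8.9", 53, 64),            # a normal query ...
    ("6.7.8.9", 53, "1.2.3.4", 40000, 577),           # ... and its answer
    ("6.7.8.9", 53, "9.8.7.6", 40001, 577),           # answers that 9.8.7.6 never asked for
    ("198.51.100.10", 53, "9.8.7.6", 40002, 577),
    ("203.0.113.20", 53, "9.8.7.6", 40003, 577),
]

def reflection_victims(flows, min_unsolicited=3):
    """Return {host: (unsolicited_responses, total_bytes)} for hosts that receive
    DNS responses matching no query they sent (same resolver, same local port)."""
    asked = set()
    for src, sport, dst, dport, _ in flows:
        if dport == 53:
            asked.add((src, sport, dst))              # (host, local port, resolver)

    stats = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, size in flows:
        # A response from port 53 is solicited only if the host queried that resolver
        # from that local port; anything else counts against the receiving host.
        if sport == 53 and (dst, dport, src) not in asked:
            stats[dst][0] += 1
            stats[dst][1] += size

    return {host: tuple(v) for host, v in stats.items() if v[0] >= min_unsolicited}

if __name__ == "__main__":
    for host, (count, total) in reflection_victims(FLOWS).items():
        print(f"{host}: {count} unsolicited DNS responses, {total} bytes")
```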

Thank You. Question Please.

Created By Arup & Chiranjit

Gooooooood Byeeeeeee Everyone. Thanx to tolerate us.

