DNS Security
Spyridon Dosis
June 2014 DNS Security 1
Outline
• The DNS protocol / infrastructure / tools
• DNS Protocol Attacks
• Securing DNS
• DNSSec
• DNS abuse (fast-flux networks)
Domain Name Service (DNS)
• A directory service for mapping host names to IP addresses (… and more)
• Hierarchical structure (root node, TLDs {gTLD,ccTLD}, SLDs, etc.)
• http://www.root-servers.org/
• 13 root servers (a-m.root-servers.net) – 350+ instances (anycasting)
• The root servers serve the root zone file, which delegates each TLD to its authoritative servers
• Secure / non-public update process
• Authority & Delegation
• Fully Qualified Domain Names (www.example.com.)
DNS Queries
• Authoritative Name Server
• Provides authoritative answers
• Resolvers
• Issues queries e.g. to resolve names to IP addresses
• Iterative
• The DNS client asks the DNS server for an answer (e.g. cached) or a
referral to the next delegation level ([caching] name server / resolver)
• Stub-resolvers (e.g. in OS) can’t follow referrals
• Recursive
• The DNS client offloads the responsibility of finding an answer
(success or fail) to the DNS server (caching / recursive name server /
resolver)
DNS Queries
• Reverse-mapping
• IP-to-name resolution
• Uses the reserved domain of IN-ADDR.ARPA for
IPv4, IP6.ARPA for IPv6
• Prepend the reversed IP address (e.g.
1.1.168.192.<domain>.)
• A number of use cases (e.g. email source
verification, DNS blacklists etc.)
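To make the reverse-mapping construction concrete, here is an added Python example (not part of the original slides) that builds the IN-ADDR.ARPA / IP6.ARPA owner name for an IPv4 or IPv6 address and parses such a name back into an address, as a log-analysis tool must when it sees reverse queries. It uses only the standard library; the function names are my own.

```python
import ipaddress

IN_ADDR = "in-addr.arpa."
IP6 = "ip6.arpa."


def reverse_name(ip: str) -> str:
    """Build the PTR owner name for an IPv4 or IPv6 address.
    IPv4: the four octets reversed under in-addr.arpa.
    IPv6: all 32 hex nibbles reversed under ip6.arpa. (the fully expanded
    form, so '::' compression never shows up in the name)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + "." + IN_ADDR
    nibbles = format(int(addr), "032x")  # 128 bits -> 32 hex digits
    return ".".join(reversed(nibbles)) + "." + IP6


def forward_address(ptr_name: str) -> str:
    """Inverse operation: recover the IP address from a reverse-mapping name.
    Raises ValueError for anything that is not a complete in-addr.arpa or
    ip6.arpa name (partial names are valid for delegation, but do not map
    to a single address)."""
    name = ptr_name.lower().rstrip(".") + "."
    if name.endswith("." + IN_ADDR):
        labels = name[: -len("." + IN_ADDR)].split(".")
        if len(labels) != 4:
            raise ValueError("incomplete IPv4 reverse name: " + ptr_name)
        return str(ipaddress.IPv4Address(".".join(reversed(labels))))
    if name.endswith("." + IP6):
        labels = name[: -len("." + IP6)].split(".")
        if len(labels) != 32 or any(len(label) != 1 for label in labels):
            raise ValueError("incomplete IPv6 reverse name: " + ptr_name)
        return str(ipaddress.IPv6Address(int("".join(reversed(labels)), 16)))
    raise ValueError("not a reverse-mapping name: " + ptr_name)


if __name__ == "__main__":
    for ip in ("192.168.1.1", "193.10.9.6", "2001:db8::1"):
        name = reverse_name(ip)
        print(f"{ip:14} -> {name} -> {forward_address(name)}")
```

The IPv6 branch is where hand-rolled implementations usually go wrong: the name must contain all 32 nibbles, so the address is expanded to its 128-bit integer first rather than reversing the textual form.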
DNS Primer
• DNS query workflow
DNS Primer
• Zone & zone files
• Operational entities under a domain (e.g. hosts, mail
servers, services etc.)
• Described with textual Resource Records (RRs)
• RFC 1035 – Zone file and RR format
• $TTL directive – trades off cache/access load against change propagation time
• Sub-domains and sub-zones
• Master and slave DNS servers
• Master copy of the zone file
• Replicated through zone transfers
DNS Transfer
• Full Zone Transfer (AXFR)
• Copies the complete zone file
• The slave decides whether to transfer by checking the serial number
of the SOA RR on the master name server
• Incremental Zone Transfer (IXFR)
• Notify (NOTIFY)
• The master notifies the servers listed in the zone’s NS RRs when the zone is updated
• Dynamic Update
• Dynamic DNS (DDNS)
• Updating zone’s RRs from external sources
• BIND-DLZ
DNS RRs
• SOA (Start of Authority)
• Zone’s properties
• A / AAAA resource record
• Maps hostname to IPv4 / IPv6 address
• NS
• Authoritative name servers for the domain
• MX
• Mail servers for the domain
• CNAME
• Alias for an existing host defined by an A RR
• PTR, TXT, SRV
DNS Software
• ISC BIND
• Microsoft DNS Server
• NSD (name server functionality)
• PowerDNS (authoritative-only name server)
• Unbound (resolver functionality)
• UDP Port 53
• 512-byte limit on message size (for performance)
• EDNS0 (RFC 2671) allows larger messages (4096 bytes)
• TCP Port 53
• Zone maintenance operations
DNS-related Utilities
• DIG – Domain Information Groper &
nslookup
• DNS name resolution using default or specific
nameserver
• (e.g. dig @8.8.8.8 hostname)
• Reverse lookups
• dig -x 193.10.9.6
• Find a domain’s mail servers
• dig dsv.su.se MX
DNS-related Utilities
• WHOIS
• Query & Response Protocol (RFC 3912)
• Information about the registration of a domain, IP
address range, autonomous system
DNS Server Impersonation
• Spoofing a DNS server’s answer
• Server-to-server communication
• Client-to-server communication
• Spoofing the source IP address of the DNS reply with
the legitimate DNS server’s one
• DNS Pharming
• Modifying the DNS server settings on the client or the
DHCP server (e.g. WAP)
• Rogue DNS Server
• Combined with DHCP starvation / rogue DHCP
server in LANs
DNS ID Hacking
• For a DNS reply to be accepted by the resolver, its transaction ID
must match the request ID (a DNS protocol header field), it must
arrive at the source port of the request with a matching question
section, and the records in its authority and additional sections
must lie within the queried domain (bailiwick checking)
• Sniff it if in the same LAN (hub or MitM)
• Send some requests to the resolver to better
estimate the ID
DNS Cache poisoning
• Trick a DNS server into caching a false hostname-IP
mapping
• E.g. link www.google.com with the attacker’s IP address
• Spoof NS entry of target domain to attacker’s IP
• Query : www.example.com
• (Attacker) Answer :
example.com. 86400 IN NS www.example.com.
www.example.com. 604800 IN A 10.10.10.20
• Patch your servers (better source port and query ID
randomization, rejection of “out-of-zone” information)
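The acceptance checks listed on the DNS ID Hacking slide and the “out-of-zone” rejection mentioned here are easier to see in code. The following is an added Python example, not from the slides: a resolver-side validation routine that takes an outstanding query and a reply and accepts only records that pass the ID, port, question and bailiwick checks. The messages are constructed, not captured traffic, and the data classes and function names are my own (a real resolver works on the wire format).

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int = 3600


@dataclass
class DNSMessage:
    txid: int                  # 16-bit transaction ID from the DNS header
    question: Tuple[str, str]  # (qname, qtype)
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def normalize(name: str) -> str:
    """Lower-case a name and make it fully qualified (trailing dot)."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it (the root covers all)."""
    n, z = normalize(name), normalize(zone)
    return z == "." or n == z or n.endswith("." + z)


def validate_response(query: DNSMessage, query_port: int,
                      resp: DNSMessage, resp_port: int,
                      zone: str) -> Tuple[List[RR], List[str]]:
    """Apply the resolver's acceptance checks to a reply for a query that was
    sent to a server authoritative for `zone`. Returns the RRs that may be
    cached plus the reasons for everything that was rejected."""
    if resp.txid != query.txid:
        return [], ["transaction ID mismatch"]
    if resp_port != query_port:
        return [], ["reply not addressed to the query's source port"]
    if (normalize(resp.question[0]), resp.question[1].upper()) != \
            (normalize(query.question[0]), query.question[1].upper()):
        return [], ["question section does not match the query"]
    accepted, rejected = [], []
    for section, rrs in (("answer", resp.answer),
                         ("authority", resp.authority),
                         ("additional", resp.additional)):
        for rr in rrs:
            if in_bailiwick(rr.name, zone):
                accepted.append(rr)
            else:
                rejected.append(f"{section}: dropped out-of-bailiwick "
                                f"{rr.rtype} record for {rr.name}")
    return accepted, rejected


# Constructed sample: the resolver asked example.com.'s name server for
# www.example.com. from source port 40123 with transaction ID 0x1a2b.
QUERY = DNSMessage(txid=0x1A2B, question=("www.example.com.", "A"))
QUERY_PORT = 40123
ZONE = "example.com."

# A reply with valid ID and question that also carries an unrelated A record
# in the additional section; only the in-bailiwick records survive.
REPLY_WITH_EXTRA = DNSMessage(
    txid=0x1A2B, question=("www.example.com.", "A"),
    answer=[RR("www.example.com.", "A", "192.0.2.10")],
    authority=[RR("example.com.", "NS", "ns1.example.com.")],
    additional=[RR("ns1.example.com.", "A", "192.0.2.53"),
                RR("www.other.example.", "A", "192.0.2.99")],
)

# A reply whose transaction ID does not match the outstanding query.
REPLY_BAD_ID = DNSMessage(
    txid=0x3C4D, question=("www.example.com.", "A"),
    answer=[RR("www.example.com.", "A", "203.0.113.66")],
)

if __name__ == "__main__":
    for label, reply in (("reply with extra record", REPLY_WITH_EXTRA),
                         ("reply with wrong ID", REPLY_BAD_ID)):
        accepted, rejected = validate_response(QUERY, QUERY_PORT, reply, QUERY_PORT, ZONE)
        print(label, "->", [f"{r.name} {r.rtype}" for r in accepted], rejected)
```

Note that the NS/A pair in the slide’s example is in bailiwick for example.com., which is why the bailiwick rule alone does not stop it; the ID and source-port checks are what make such a forgery a guessing game, and their combined entropy is the point of the randomization advice.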
DNS Security Threats
• Zone file (malicious) / DNS server
configuration corruption
• Unauthorized zone file dynamic updates
• Spoofing in zone transfers
• Resolver cache poisoning / data interception
Securing DNS
• Keep the DNS server software up to date
• Do not disclose the software version
• Disable unneeded features (e.g. zone transfer and NOTIFY when
multiple master name servers are kept in sync by an out-of-band
update mechanism)
• Prefer explicit over default server configuration
• Deny-all in the global options, allow per zone
• Run the server software with least privileges
• Run multiple servers with different software
Split (Horizon) DNS
• Two sets of name server records
• For internal clients
• For external clients
• ‘Hide’ internal servers from external sources
• Provide different answers based on the
requester’s source address
• Implemented with separate servers or within one server’s software (views)
Open Resolvers
• Resolve queries even for zones it is not
authoritative for
• Perform recursive lookups for external clients
• Can be abused to participate in DDoS / leak
internal information
DNS Reflection Attacks
• Spoofed IP source address
• DNS server replies to the victim (spoofed IP
source address of the DNS query)
• Packet size amplification
• <100 byte request
• 2-4 kB reply
• Distributed reflection attacks
• 28M potential open DNS resolvers
(http://openresolverproject.org/)
• Spamhaus received a 300 Gb/s DDoS
DNS Amplification Attack
Image taken from http://securitytnt.com/dns-amplification-attack/
DNS Amplification Counter-Measures
• BCP-38
• Prevent outbound packets with spoofed source IP
address
• Responsibility of the ISP
• Rate-limiting controls
• Allow recursion on resolvers only for internal
hosts
• No recursion for authoritative DNS servers
DNSSec
• How can a client trust a query’s response?
• Rogue server response
• Poisoned cached response
• Response modification by a MitM
• DNSSec enables a security-aware name server to verify
the authenticity and integrity of query results
• Response originating from the requested zone
• Integrity of received data
• Proof of nonexistence for NXDOMAIN responses
• Leverages PKI and specialized RRs
• RRSIG, DNSKEY, NSEC
DNSSec Principles
• Both the authoritative zone server and the
querying resolver must support DNSSec
• The zone file is cryptographically signed (a Secure
Entry Point)
• The public keys (ZSK and KSK) are published as
DNSKEY RRs
• RRsets are digitally signed (adding the RRSIG
RR)
• The records are ordered by canonical name and
chained through the NSEC RR
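The canonical ordering and NSEC chaining described here, together with the proof of nonexistence mentioned on the DNSSec slide, as an added Python example that is not from the slides: it sorts a small constructed zone into RFC 4034 canonical order, builds the NSEC chain, and then uses the chain to prove that a name does not exist (NXDOMAIN) or that a type is absent at a name that does exist (NODATA). Wildcard and closest-encloser handling are left out, so this is a simplified form of what a validating resolver does; the zone contents and function names are my own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for RFC 4034 section 6.1 canonical DNS name order: labels
    are compared from the root (rightmost) leftwards and case-insensitively;
    a parent name sorts before its children (tuple prefix ordering)."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return tuple(label.encode("ascii") for label in reversed(labels))


def canonical_sort(names: List[str]) -> List[str]:
    return sorted(names, key=canonical_key)


@dataclass(frozen=True)
class NSEC:
    owner: str              # owner name of the NSEC RR
    next_name: str          # next owner in canonical order (last wraps to apex)
    types: Tuple[str, ...]  # type bitmap: RR types present at the owner


# Constructed zone (not from the slides): owner name -> RR types present.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "example.com.": ["SOA", "NS", "MX"],
    "www.example.com.": ["A", "AAAA"],
    "mail.example.com.": ["A"],
    "Beta.example.com.": ["A"],  # mixed case to show case-insensitive ordering
}


def build_nsec_chain(zone: Dict[str, List[str]]) -> List[NSEC]:
    """Sort owner names canonically and link each to its successor; the last
    NSEC points back to the first owner (the zone apex), closing the chain."""
    ordered = canonical_sort(list(zone))
    chain = []
    for i, owner in enumerate(ordered):
        nxt = ordered[(i + 1) % len(ordered)]
        types = tuple(sorted(set(zone[owner]) | {"NSEC", "RRSIG"}))
        chain.append(NSEC(owner, nxt, types))
    return chain


def covers(rr: NSEC, qname: str) -> bool:
    """True if qname falls strictly between rr.owner and rr.next_name in
    canonical order, handling the wrap-around of the last NSEC."""
    o, n, q = canonical_key(rr.owner), canonical_key(rr.next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last record: anything after owner or before apex


def find_exact(chain: List[NSEC], qname: str) -> Optional[NSEC]:
    q = canonical_key(qname)
    return next((rr for rr in chain if canonical_key(rr.owner) == q), None)


def prove_nonexistence(chain: List[NSEC], qname: str) -> Optional[NSEC]:
    """Return the NSEC RR proving qname does not exist (NXDOMAIN), or None
    if the name exists or no record in the chain covers it."""
    if find_exact(chain, qname) is not None:
        return None
    return next((rr for rr in chain if covers(rr, qname)), None)


def prove_type_absent(chain: List[NSEC], qname: str, rtype: str) -> Optional[NSEC]:
    """Return the NSEC RR at qname proving rtype is absent there (NODATA),
    or None if the name does not exist or the type is present."""
    rr = find_exact(chain, qname)
    if rr is None or rtype.upper() in rr.types:
        return None
    return rr


if __name__ == "__main__":
    chain = build_nsec_chain(SAMPLE_ZONE)
    for rr in chain:
        print(f"{rr.owner:20} NSEC {rr.next_name:20} {' '.join(rr.types)}")
    print("ftp.example.com. denied by:", prove_nonexistence(chain, "ftp.example.com.").owner)
```

In a real zone each NSEC RR is itself covered by an RRSIG, so the resolver verifies the signature on the covering NSEC before trusting the denial; the ordering logic above is what decides which NSEC the server must return.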
DNSSec Workflow
• The authoritative nameserver signs the zone’s
records with its private key (ZSK and KSK)
• The security-aware resolver uses the respective
zone’s public key for signature validation
• How to transfer the public key to the resolver?
• Publish the public key as a DNSKEY RR
• Transfer the public key using an out-of-band
process (trusted anchor)
DNSSec Validation
• Secure
• Trusted anchor is present and the received data have
been validated successfully
• Insecure
• Trusted anchor is present but there is no secure delegation chain
down to the delegated node (e.g. an unsigned sub-domain)
• Bogus
• Trusted anchor is present but the received data have
not been validated successfully
• Indeterminate
• No trusted anchor for this domain
DNSSec Chains of Trust
• Delegation Signer (DS) RR
• Authenticates the NS RRs delegating to the child zone by
referencing the child’s KSK from the parent zone
• The root zone has been signed in July 2010
• Several gTLDs and ccTLDs as well
• The validating resolver follows the chain from
the root to the signed zone
• Need for a single root-key as trusted anchor
Secure Zone Maintenance
• Need to resign the zone when
• A change is made to the zone records (e.g. SOA RR
serial number)
• The signature expires (RRSIG RRs have a start
time and expire after a period of time e.g. 30d)
• The signing keys are rolled over, which requires
• Updating the DS record in the parent zone
• Updating the trusted anchor of security-aware resolvers
Fast-flux networks
Fast-flux Networks
• A distributed system
• Master server(s) – motherships -> Controller nodes
• Infected/controlled hosts
• Name resolution services
• Traffic proxying
• Delivery of malware
• Additional operational services (e.g. registration,
availability checkers)
• Main goal:
• Make the malicious network harder to discover through
layers of traffic redirection
• Defeat IP-based ACL approaches
Fast-flux Use Cases
• Hosting phishing sites directly on a compromised
host and advertising its DNS name or IP address
through mass-emailing/spear phishing gets taken down fast - BUSTED
• Attempts at server address obfuscation through proxy servers,
with partial success
• Simplicity & A Business Model
• Decoupling the malicious content delivery from the
fast-flux network operator
• Difficult to track down
• Random compromised hosts, no traffic logging, live
proxying without remaining artifacts
Single-flux
• Multiple compromised hosts’ IP addresses are
mapped to a certain DNS hostname (A
records)
• Compromised hosts act as front-end/reverse
proxy for the malicious web server.
• Round robin DNS (e.g. 10 random hosts per
DNS reply) -> robustness in case of
disconnected hosts
• Short DNS TTLs (e.g. <5m) -> dynamism
Single-flux
Image taken from http://www.honeynet.org/papers/ff
Single-flux Example
• Query A
• Query B
Images taken from http://www.honeynet.org/papers/ff
Double-flux
• Advancement over single-flux: compromised hosts also
appear as authoritative name servers (NS records) for the
specific DNS domain name
• Automated updating of the authoritative name server
records (e.g. through a registrar API)
• Additional layer of redundancy and availability
• A compromised host acting as authoritative name server
is also a front-end/proxy for the mothership
Double-flux
Image taken from http://www.honeynet.org/papers/ff
Double-flux Example
• Query A
• Query B
Images taken from http://www.honeynet.org/papers/ff
Fast-flux Case Studies
• Warezov/Stration (2007)
• Malware variants mainly used for spam purposes
• Phone-home for fetching updates (AV-evasion)
• DNS services and download sites behind fast-flux
• Storm (2007)
• UDP-based P2P C&C botnet
• Generating image-based spam instead of template-
based messaging
• Adopting fast-flux networking scheme
Fast-flux detection
• DNS monitoring of suspicious domain names
• Short TTLs
• Number of A records / response
• Number of NS records / response
• Diversity of IPs/networks/ASNs
• Presence of broadband/dialup networks
• Detect upstream mothership node communication
• Probe user networks for HTTP/DNS proxying
capabilities (e.g. combined with IDS or NetFlow
monitoring)
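The DNS-monitoring indicators listed above (short TTLs, A records per response, diversity of IPs/networks/ASNs) can be turned into a simple classifier over passive DNS observations. The following is an added Python example, not from the slides: it merges the responses seen for each name (the “Query A” / “Query B” snapshots of the single-flux slides), derives the indicators, and flags names whose features cross illustrative thresholds. The observations, the prefix-to-ASN table and the thresholds are constructed for the example; a real deployment would use an IP-to-ASN database and tune the thresholds against its own traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Observation:
    """One A-record response seen for a name (from passive DNS or a probe)."""
    qname: str
    ttl: int
    a_records: List[str]


# Constructed prefix -> ASN table standing in for a real IP-to-ASN lookup.
# The prefixes are documentation/shared address space, the ASNs private-use.
ASN_TABLE = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
    "100.64.0.0/10": 64503,
}


def asn_for(ip: str) -> Optional[int]:
    addr = ipaddress.ip_address(ip)
    for prefix, asn in ASN_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return asn
    return None


def aggregate(observations: List[Observation]) -> Dict[str, dict]:
    """Merge observations per name: union of A records across responses,
    the smallest TTL seen and the largest single-response record count."""
    agg: Dict[str, dict] = {}
    for obs in observations:
        name = obs.qname.lower().rstrip(".") + "."
        entry = agg.setdefault(name, {"ttl": obs.ttl, "ips": set(),
                                      "max_per_response": 0, "responses": 0})
        entry["ttl"] = min(entry["ttl"], obs.ttl)
        entry["ips"].update(obs.a_records)
        entry["max_per_response"] = max(entry["max_per_response"], len(obs.a_records))
        entry["responses"] += 1
    return agg


def flux_features(entry: dict) -> Dict[str, int]:
    """Indicators from the slide: TTL, records per response, and diversity
    of addresses, /16 networks and ASNs across everything observed."""
    nets16 = {str(ipaddress.ip_network(ip + "/16", strict=False)) for ip in entry["ips"]}
    asns = {asn_for(ip) for ip in entry["ips"]}
    return {
        "ttl": entry["ttl"],
        "a_per_response": entry["max_per_response"],
        "distinct_ips": len(entry["ips"]),
        "distinct_16": len(nets16),
        "distinct_asn": len(asns),
    }


def is_flux_candidate(feat: Dict[str, int], max_ttl: int = 300,
                      min_ips: int = 5, min_nets: int = 3) -> bool:
    """Illustrative rule: short TTL plus many addresses spread over several
    networks. A CDN with a short TTL but addresses in one network is not hit."""
    return (feat["ttl"] <= max_ttl and feat["distinct_ips"] >= min_ips
            and feat["distinct_16"] >= min_nets)


def classify(observations: List[Observation]) -> Dict[str, tuple]:
    result = {}
    for name, entry in aggregate(observations).items():
        feat = flux_features(entry)
        result[name] = (feat, is_flux_candidate(feat))
    return result


# Constructed observations (not real traffic).
SAMPLE_OBSERVATIONS = [
    # two successive responses for a fluxing name: different hosts each time
    Observation("flux.example.", 180, ["192.0.2.15", "198.51.100.8", "203.0.113.3",
                                       "100.64.12.9", "192.0.2.77"]),
    Observation("flux.example.", 180, ["198.51.100.200", "203.0.113.41", "100.64.200.1",
                                       "192.0.2.15", "203.0.113.3"]),
    # CDN-like benign name: short TTL, but all addresses in one network
    Observation("cdn.example.", 60, ["203.0.113.10", "203.0.113.11", "203.0.113.12",
                                     "203.0.113.13", "203.0.113.14", "203.0.113.15"]),
    Observation("static.example.", 86400, ["192.0.2.1"]),
]

if __name__ == "__main__":
    for name, (feat, flagged) in classify(SAMPLE_OBSERVATIONS).items():
        print(f"{name:18} {'FLUX?' if flagged else 'ok   '} {feat}")
```

The “presence of broadband/dialup networks” indicator is deliberately left out: it needs a source of network-type labels (reverse-DNS naming patterns or a commercial database), which this self-contained example cannot carry.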
Fast-flux mitigation
• Block inbound TCP 80 / UDP 53 into end-user networks
• Block traffic to controller infrastructure (motherships,
registration, availability checkers)
• Stricter DNS registrar policies
• DNS Blackhole / BGP route injection against the
controller infrastructure
• Passive DNS monitoring for A and NS records from
user networks
• Control scripted name server configuration updates /
minimum acceptable TTL
• Reputation systems for DNS
Fast-flux Next Gen
• Slower change rate of IP addresses
• 61% with > 60 minutes per IP
• More registrars, domain name space expansion, lower registration costs
• Increased sharing of IP addresses and authoritative name servers
among fast-flux domains
• Dual-purpose compromised hosts (acting as proxy and DNS servers
in parallel)
• N-flux (ns*.flux.com, ns*.ns*.flux.com etc.)
• Single IP address with TTL=0
• Fast-flux-like benign systems
• E.g. Bitcoin DNS seed / node discovery (e.g. seed.bitcoin.sipa.be)
• NTP DNS round-robin technique for picking a network time server
• Content Delivery Networks (CDNs)
• Anti-censorship solutions
Domain Generation Algorithms
• Algorithms employed by malware for periodically
generating large numbers of domain names
• Used for contacting the controller nodes (e.g. reporting their
capabilities, fetching commands)
• The malware contacts a subset of the list while the controllers register only a
few new domains sporadically, so most lookups fail -> NXDOMAIN-based detection
• Avoids ‘hard-coded’ domain names in the binary (which string
dumping would reveal)
• Even if the algorithm is reverse-engineered, sinkholing 1000s of
future domains is challenging
• Mostly date-based algorithms
• Some even used Twitter APIs employing past trending topics
• Examples: Conficker, Torpig, Murofet
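The NXDOMAIN-based detection mentioned above, as an added Python example that is not from the slides: it parses constructed resolver log lines in a simplified one-line-per-query format (timestamp, client, query name, response code; not the native log format of BIND or any other server), counts NXDOMAIN responses per client, and flags clients whose failed lookups are numerous, dominant and spread over many distinct base domains, which is the pattern a DGA produces while a user mistyping a name does not. The log lines, thresholds and function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log lines (simplified format, not a real server's log):
#   <timestamp> <client-ip> <qname> <rcode>
SAMPLE_LOG = """\
2014-06-02T10:00:01 10.0.0.5 kq3x9d2lqv.com NXDOMAIN
2014-06-02T10:00:01 10.0.0.5 a8fj2kd0s.net NXDOMAIN
2014-06-02T10:00:02 10.0.0.5 pz71mcbw.org NXDOMAIN
2014-06-02T10:00:02 10.0.0.5 www.example.com NOERROR
2014-06-02T10:00:03 10.0.0.5 0m4xbhd8e.com NXDOMAIN
2014-06-02T10:00:03 10.0.0.5 lw9oqj2p5.biz NXDOMAIN
2014-06-02T10:00:04 10.0.0.5 vv7d3ha0k.info NXDOMAIN
2014-06-02T10:00:01 10.0.0.8 www.example.com NOERROR
2014-06-02T10:00:02 10.0.0.8 mail.example.com NOERROR
2014-06-02T10:00:03 10.0.0.8 wwww.example.com NXDOMAIN
2014-06-02T10:00:04 10.0.0.8 example.org NOERROR
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def base_domain(qname: str) -> str:
    """Crude registrable-domain approximation: the last two labels. A real
    deployment would use the public suffix list (co.uk etc.)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, rcode) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE.match(line.strip())
        if match:
            events.append(match.groups())
    return events


def client_stats(events: List[Tuple[str, str, str, str]]) -> Dict[str, dict]:
    """Per client: total queries, NXDOMAIN count and distinct failed base domains."""
    stats: Dict[str, dict] = defaultdict(lambda: {"total": 0, "nxdomain": 0, "nx_domains": set()})
    for _ts, client, qname, rcode in events:
        entry = stats[client]
        entry["total"] += 1
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
            entry["nx_domains"].add(base_domain(qname))
    return stats


def flag_dga_clients(events: List[Tuple[str, str, str, str]], min_nx: int = 5,
                     min_ratio: float = 0.5, min_distinct: int = 5) -> Dict[str, dict]:
    """Flag clients with many NXDOMAINs that dominate their traffic and hit
    many different base domains. Thresholds are illustrative; in production
    they are evaluated per sliding time window, not over the whole log."""
    flagged = {}
    for client, entry in client_stats(events).items():
        ratio = entry["nxdomain"] / entry["total"]
        if (entry["nxdomain"] >= min_nx and ratio >= min_ratio
                and len(entry["nx_domains"]) >= min_distinct):
            flagged[client] = {"nxdomain": entry["nxdomain"],
                               "ratio": round(ratio, 2),
                               "distinct": len(entry["nx_domains"])}
    return flagged


if __name__ == "__main__":
    for client, info in flag_dga_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {info}")
```

Client 10.0.0.8 produces one NXDOMAIN from a typo and is not flagged; 10.0.0.5 fails six of seven lookups across six unrelated base domains, which is the signature the slide describes. Because the detection keys on response codes rather than on the names themselves, it keeps working when the malware's generation scheme changes.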
Custom DNS Servers
• Malware performs name resolutions against
criminal-controlled DNS Servers
• Different view for the malware and the security
researcher
• The names may appear non-existent through the public
DNS infrastructure
• Ability to use legitimate domain names for the
botnet controllers (e.g. *.google.com)
• False-negatives in security products
Fluxing Domain Names
• Rogue ISPs remove malicious domain names
soon after they get added to botnet tracking
services (e.g. abuse.ch)
• Malware switches to backup URLs if the main
C&C is not reachable
• Maintain a low profile on the law enforcement
radar / low number of active botnet controllers
Wildcard DNS records
• Many-to-one mapping
• E.g. *.example.com. <IP address>
• Used in phishing campaigns
• Evade host-name based blacklists
Thank you!
Questions?
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

DNS Security

DNS Transfer
• Full Zone Transfer (AXFR)
• Copies the complete zone file
• Based on checking the serial number of the SOA RR on the master name server
• Incremental Zone Transfer (IXFR)
• Notify (NOTIFY)
• Notifies the name servers listed in the zone’s NS RRs when the zone is updated
• Dynamic Update
• Dynamic DNS (DDNS)
• Updating the zone’s RRs from external sources
• BIND-DLZ
June 2014 DNS Security 8
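The serial check behind the slide above, as an added example that is not part of the presentation: a slave compares the SOA serial it holds with the master's and transfers only when the master's is newer. "Newer" is defined by RFC 1982 serial-number arithmetic, which is what lets the 32-bit counter wrap safely. The YYYYMMDDnn bumping policy in `next_serial` is a common operator convention, not part of the protocol.

```python
# Added example, not from the slides: AXFR/IXFR serial comparison per RFC 1982.
from typing import Optional

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is greater than serial b under RFC 1982 section 3.2.

    Plain integer comparison breaks at the 2**32 wrap: after 4294967295 the
    next serial is 0 or 1 and must still count as newer. RFC 1982 compares
    the distance modulo 2**32 against 2**31 instead. When two serials differ
    by exactly 2**31 the order is undefined; both directions return False and
    slaves will not transfer, so an operator has to repair such a serial.
    """
    a %= MODULUS
    b %= MODULUS
    if a == b:
        return False
    return (b < a and a - b < HALF) or (b > a and b - a > HALF)


def needs_transfer(local_serial: Optional[int], master_serial: int) -> bool:
    """Slave-side decision: no local copy -> transfer; otherwise only if newer."""
    if local_serial is None:
        return True
    return serial_gt(master_serial, local_serial)


def next_serial(current: int, today: str) -> int:
    """Bump a serial kept in the YYYYMMDDnn convention (today = 'YYYYMMDD').

    Same day -> increment the revision; new day -> revision 01. Refuses to
    return a serial that slaves would consider older than the current one,
    e.g. when the clock was set back or the serial was once set too far ahead.
    """
    day_base = int(today) * 100
    if day_base <= current < day_base + 100:
        candidate = current + 1
    else:
        candidate = day_base + 1
    if not serial_gt(candidate, current):
        raise ValueError(f"{candidate} is not newer than {current}; "
                         "slaves would ignore the update")
    return candidate


if __name__ == "__main__":
    print(serial_gt(1, 4294967295))               # True: wrapped, still newer
    print(needs_transfer(2014061501, 2014061502))  # True
    print(next_serial(2014061502, "20140615"))     # 2014061503
```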
DNS RRs
• SOA (Start of Authority)
• Zone’s properties
• A / AAAA resource record
• Maps hostname to IPv4 / IPv6 address
• NS
• Authoritative name servers for the domain
• MX
• Mail servers for the domain
• CNAME
• Alias for an existing host defined by an A RR
• PTR, TXT, SRV
June 2014 DNS Security 9
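A small parser for the RFC 1035 master-file syntax the zone-file and RR slides describe, added here as an example and not part of the presentation. It handles $TTL, $ORIGIN, '@', relative names, ';' comments and a parenthesised multi-line SOA; $INCLUDE, $GENERATE and escape sequences are out of scope. The sample zone is constructed.

```python
# Added example, not from the slides: RFC 1035 zone file parser (subset).
from typing import Iterator, List, NamedTuple, Optional, Tuple


class RR(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: List[str]


KNOWN_TYPES = {"SOA", "A", "AAAA", "NS", "MX", "CNAME", "PTR", "TXT", "SRV"}
CLASSES = {"IN", "CH", "HS"}


def _strip_comment(line: str) -> str:
    """Drop a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text: str) -> Iterator[Tuple[bool, str]]:
    """Yield (owner_omitted, line). Lines are joined while a '(' is open
    (RFC 1035 section 5.1); owner_omitted is True when the entry began with
    whitespace, which means it reuses the previous owner name."""
    buf: List[str] = []
    depth, owner_omitted = 0, False
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not buf:
            owner_omitted = raw[:1].isspace()
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf).strip()
            buf, depth = [], 0
            if joined:
                yield owner_omitted, joined


def _qualify(name: str, origin: str) -> str:
    """'@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> List[RR]:
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl: Optional[int] = None
    last_name, records = origin, []
    for owner_omitted, line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if owner_omitted:
            name = last_name
        else:
            name = last_name = _qualify(tokens.pop(0), origin)
        ttl = default_ttl
        while tokens and tokens[0] not in KNOWN_TYPES:   # optional TTL / class
            tok = tokens.pop(0)
            if tok.isdigit():
                ttl = int(tok)
            elif tok.upper() not in CLASSES:
                raise ValueError(f"unknown token {tok!r} in {line!r}")
        if not tokens:
            raise ValueError(f"no RR type in {line!r}")
        if ttl is None:
            raise ValueError(f"no TTL for {name}: set $TTL or give one explicitly")
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):          # names in RDATA are relative too
            rdata = [_qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], _qualify(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [_qualify(rdata[0], origin), _qualify(rdata[1], origin)] + rdata[2:]
        records.append(RR(name, ttl, rtype, rdata))
    return records


def soa_serial(records: List[RR]) -> int:
    """The serial is the third SOA RDATA field, after MNAME and RNAME."""
    return int(next(r for r in records if r.rtype == "SOA").rdata[2])


SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.com.
@       IN SOA ns1 hostmaster (
            2014061501 ; serial
            7200       ; refresh
            900        ; retry
            1209600    ; expire
            300 )      ; minimum
        IN NS   ns1
        IN NS   ns2.example.net.
ns1     IN A    192.0.2.53
www 300 IN A    192.0.2.80
www     IN AAAA 2001:db8::80
mail    IN MX   10 mx1
mx1        A    192.0.2.25
ftp     IN CNAME www
"""
```

Running `parse_zone(SAMPLE_ZONE, "example.com")` yields nine records; note how the explicit `300` on the first `www` line overrides `$TTL` while the AAAA record beneath it inherits it, which is the change-propagation knob the $TTL slide refers to.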
DNS Software
• ISC BIND
• Microsoft DNS Server
• NSD (name server functionality)
• PowerDNS (authoritative-only name server)
• Unbound (resolver functionality)
• UDP Port 53
• 512-byte limit on messages, kept for performance
• EDNS0 (RFC 2671) for 4096-byte messages
• TCP Port 53
• Zone maintenance operations
June 2014 DNS Security 10
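The message layout behind the UDP, 512-byte and EDNS0 points above, as an added example rather than code from the presentation. It builds a query with a randomised 16-bit ID and an EDNS0 OPT pseudo-RR (RFC 2671) advertising a 4096-byte UDP payload, then parses the header and the OPT record back; `decode_name` also follows RFC 1035 compression pointers so it works on replies. Standard library only.

```python
# Added example, not from the slides: DNS wire format with an EDNS0 OPT record.
import os
import struct
from typing import Dict, Optional, Tuple

CLASSIC_UDP_LIMIT = 512     # RFC 1035: UDP messages without EDNS0 stop here
EDNS0_PAYLOAD = 4096        # payload size this client advertises in its OPT RR
RTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
         "TXT": 16, "AAAA": 28, "OPT": 41}


def encode_name(name: str) -> bytes:
    """'www.example.com.' -> b'\\x03www\\x07example\\x03com\\x00' (RFC 1035 3.1)."""
    out = b""
    for label in filter(None, name.rstrip(".").split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                          # 11xxxxxx: pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end


def build_query(qname: str, qtype: str, edns0: bool = True,
                txid: Optional[int] = None) -> bytes:
    """Standard query with RD=1. The ID comes from os.urandom unless given:
    a predictable ID is what reply forgery relies on."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    flags = 0x0100                                     # QR=0 OPCODE=0 RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns0 else 0)
    question = encode_name(qname) + struct.pack("!HH", RTYPE[qtype], 1)  # class IN
    msg = header + question
    if edns0:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", RTYPE["OPT"], EDNS0_PAYLOAD, 0, 0)
    return msg


def parse_header(msg: bytes) -> Dict[str, int]:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
            "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def advertised_payload_size(msg: bytes) -> int:
    """UDP payload size from the OPT RR, or 512 when the message carries none."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        _, off = decode_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == RTYPE["OPT"]:
            return rclass
    return CLASSIC_UDP_LIMIT
```

A query for `www.example.com` A is 33 bytes without the OPT record and 44 with it; a server that sees the OPT record may answer with up to 4096 bytes over UDP instead of setting TC and forcing a TCP retry.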
DNS-related Utilities
• DIG (Domain Information Groper) & nslookup
• DNS name resolution using the default or a specific name server
• (e.g. dig @8.8.8.8 hostname)
• Reverse lookups
• dig -x 193.10.9.6
• Find a domain’s mail servers
• dig dsv.su.se MX
June 2014 DNS Security 11
DNS-related Utilities
• WHOIS
• Query & Response Protocol (RFC 3912)
• Information about the registration of a domain, IP address range, autonomous system
June 2014 DNS Security 12
DNS Server Impersonation
• Spoofing a DNS server’s answer
• Server-to-server communication
• Client-to-server communication
• Spoofing the DNS reply with the legitimate DNS server’s source IP address
• DNS Pharming
• Modifying the DNS server settings on the client or the DHCP server (e.g. WAP)
• Rogue DNS Server
• Combined with DHCP starvation / rogue DHCP server in LANs
June 2014 DNS Security 13
DNS ID Hacking
• For a DNS reply to be accepted by the resolver, the reply ID must match the request ID (DNS protocol header field), the source port and question section must match, and the authority and additional sections must be within the requested domain (bailiwick checking)
• Sniff it if in the same LAN (hub or MitM)
• Send some requests to the resolver to better estimate the ID
June 2014 DNS Security 14
DNS Cache poisoning
• Trick a DNS server into caching a false hostname-IP mapping
• E.g. link www.google.com with the attacker’s IP address
• Spoof NS entry of target domain to attacker’s IP
• Query : www.example.com
• (Attacker) Answer : example.com. 86400 IN NS www.example.com. www.example.com. 604800 IN A 10.10.10.20
• Patch your servers (better source port and query ID randomization, rejecting “out-of-zone” information)
June 2014 DNS Security 15
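The acceptance checks from the two slides above (ID, source port, question match, bailiwick) as a resolver would apply them before caching anything, written as an added example and not taken from the presentation. An ID, port or question mismatch discards the whole reply; records outside the bailiwick of the server that was asked are dropped rather than cached. The dataclasses and the sample traffic are constructed.

```python
# Added example, not from the slides: reply validation with bailiwick filtering.
from dataclasses import dataclass, field
from typing import List, Tuple

Record = Tuple[str, str, str]          # (owner name, RR type, RDATA as text)


@dataclass
class Query:
    txid: int
    sport: int          # our randomised UDP source port
    server: str         # address we sent the query to
    zone: str           # zone that server is authoritative for (the bailiwick)
    qname: str
    qtype: str


@dataclass
class Response:
    txid: int
    dport: int          # port the reply arrived on
    src: str            # address the reply came from
    qname: str
    qtype: str
    answer: List[Record] = field(default_factory=list)
    authority: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def _norm(name: str) -> str:
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone itself or lies below it; the root covers all."""
    name, zone = _norm(name), _norm(zone)
    return zone == "." or name == zone or name.endswith("." + zone)


def validate_response(q: Query, r: Response) -> Tuple[bool, str, List[Record]]:
    """Return (accepted, reason, dropped_records). On acceptance the response's
    sections are pruned in place to the records that may be cached."""
    if r.src != q.server:
        return False, "reply from an address we did not query", []
    if r.dport != q.sport:
        return False, "reply to a port we did not use", []
    if r.txid != q.txid:
        return False, "transaction ID mismatch", []
    if (_norm(r.qname), r.qtype) != (_norm(q.qname), q.qtype):
        return False, "question section does not match", []
    dropped: List[Record] = []
    for section in (r.answer, r.authority, r.additional):
        kept = [rec for rec in section if in_bailiwick(rec[0], q.zone)]
        dropped += [rec for rec in section if rec not in kept]
        section[:] = kept
    return True, "accepted", dropped


# Constructed traffic. We asked example.com's server (192.0.2.53) from port 41235.
QUERY = Query(txid=0x1F2E, sport=41235, server="192.0.2.53",
              zone="example.com.", qname="www.example.com.", qtype="A")

# 1) Legitimate reply.
GOOD = Response(0x1F2E, 41235, "192.0.2.53", "www.example.com.", "A",
                answer=[("www.example.com.", "A", "192.0.2.80")])

# 2) Right ID and port, but the additional section carries a record for a
#    different zone: that record is dropped, the in-zone answer is kept.
OUT_OF_ZONE = Response(0x1F2E, 41235, "192.0.2.53", "www.example.com.", "A",
                       answer=[("www.example.com.", "A", "192.0.2.80")],
                       additional=[("www.google.com.", "A", "10.10.10.20")])

# 3) Right question and port, wrong ID: discarded outright.
BAD_ID = Response(0x0001, 41235, "192.0.2.53", "www.example.com.", "A",
                  answer=[("www.example.com.", "A", "10.10.10.20")])

# Note: the NS + A pair on the slide (example.com. NS www.example.com., A
# 10.10.10.20) lies inside example.com. and passes the bailiwick test. Only
# the ID and port checks stand between such a reply and the cache, which is
# why their randomisation is the fix the slide asks for.
```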
DNS Security Threats
• Zone file (malicious) / DNS server configuration corruption
• Unauthorized zone file dynamic updates
• Spoofing in zone transfers
• Resolver cache poisoning / data interception
June 2014 DNS Security 16
Securing DNS
• Keep the DNS server software up to date
• Do not communicate the software version
• Disable unneeded features (e.g. zone transfer or NOTIFY when multiple master name servers are updated through an out-of-band mechanism)
• Explicit over default server configuration
• Deny-all global options and allow per zone
• Run the server software with least privileges
• Run multiple servers with different software
June 2014 DNS Security 17
Split (Horizon) DNS
• Two sets of name server records
• For internal clients
• For external clients
• ‘Hide’ internal servers from external sources
• Provide different answers based on the requester’s source address
• Server-based or software-based
June 2014 DNS Security 18
Open Resolvers
• Resolve queries even for zones they are not authoritative for
• Perform recursive lookups for external clients
• Can be abused to participate in DDoS / leak internal information
June 2014 DNS Security 19
DNS Reflection Attacks
• Spoofed IP source address
• DNS server replies to the victim (spoofed IP source address of the DNS query)
• Packet size amplification
• <100-byte request
• 2-4 KB reply
• Distributed reflection attacks
• 28 million potential DNS resolvers (http://openresolverproject.org/)
• Spamhaus received a 300 Gb/s DDoS
June 2014 DNS Security 20
DNS Amplification Attack
Image taken from http://securitytnt.com/dns-amplification-attack/
June 2014 DNS Security 21
DNS Amplification Counter-Measures
• BCP-38
• Prevent outbound packets with spoofed source IP address
• Responsibility of the ISP
• Rate-limiting controls
• Allow recursion for resolvers only to internal hosts
• No recursion for authoritative DNS servers
June 2014 DNS Security 22
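A configuration audit for the hardening points of the "Securing DNS", "Open Resolvers" and counter-measures slides (unrestricted recursion, version disclosure, unrestricted transfers and updates, recursion on an authoritative server), added as an example; it is neither the presenter's code nor an ISC tool. It reads BIND `named.conf` syntax with a deliberately simple parser, and because defaults differ between BIND versions it reports unset options rather than assuming them safe, in line with "explicit over default". The weak and hardened configurations are constructed.

```python
# Added example, not from the slides: audit a BIND named.conf for weak settings.
import re
from typing import List


def _strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*", " ", text)


def _block_body(text: str, header: str) -> str:
    """Body of the first `header { ... }` block, nested braces balanced."""
    m = re.search(header + r"\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def _setting(body: str, key: str) -> str:
    """Value of `key value;` or `key { ...; };`, '' when not set.
    The lookbehind keeps `recursion` from matching inside `allow-recursion`."""
    m = re.search(r"(?<![\w-])" + re.escape(key) + r"\s+(\{[^}]*\}|[^;{}]+)\s*;", body)
    return " ".join(m.group(1).split()) if m else ""


def _has_any(value: str) -> bool:
    return "any" in re.findall(r"[\w./:-]+", value)


def audit_named_conf(conf: str) -> List[str]:
    """One finding per weak or missing hardening setting."""
    text = _strip_comments(conf)
    opts = _block_body(text, r"\boptions")
    findings: List[str] = []
    recursion = _setting(opts, "recursion")
    allow_rec = _setting(opts, "allow-recursion")
    if recursion != "no" and (not allow_rec or _has_any(allow_rec)):
        findings.append("recursion is not restricted to internal clients: set "
                        "`recursion no;` or an explicit `allow-recursion { <internal>; };`")
    if not _setting(opts, "version"):
        findings.append('server version is disclosed: add `version "none";`')
    xfer = _setting(opts, "allow-transfer")
    if not xfer or _has_any(xfer):
        findings.append("zone transfers are not restricted globally: "
                        "`allow-transfer { <slaves>; };`")
    masters = 0
    for zm in re.finditer(r'\bzone\s+"([^"]+)"', text):
        name = zm.group(1)
        body = _block_body(text[zm.start():],
                           r'\bzone\s+"' + re.escape(name) + r'"(\s+\w+)?')
        if _setting(body, "type") == "master":
            masters += 1
        if _has_any(_setting(body, "allow-update")):
            findings.append(f'zone "{name}": dynamic updates are accepted from anyone')
        if _has_any(_setting(body, "allow-transfer")):
            findings.append(f'zone "{name}": zone transfers are allowed to anyone')
    if masters and recursion != "no":
        findings.append("master zones are served with recursion enabled: keep the "
                        "authoritative and recursive roles on separate servers")
    return findings


WEAK_CONF = """\
options {
    directory "/var/named";
    recursion yes;              // answers recursive queries from anyone
    allow-query { any; };
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { any; };
};
"""

HARDENED_CONF = """\
acl internal { 127.0.0.1; 192.0.2.0/24; };
options {
    directory "/var/named";
    version "none";
    recursion no;                       // authoritative-only server
    allow-query { any; };
    allow-transfer { 192.0.2.54; };     // the slave only
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { none; };
};
"""
```

`audit_named_conf(WEAK_CONF)` returns five findings (open recursion, version disclosure, unrestricted transfers, open dynamic updates, mixed roles); the hardened configuration returns none.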
DNSSec
• How can a client trust a query’s response?
• Rogue server response
• Poisoned cached response
• Response modification by a MitM
• DNSSec enables a security-aware name server to verify the authenticity and integrity of query results
• Response originating from the requested zone
• Integrity of received data
• Proof of nonexistence for NXDOMAIN responses
• Leverages PKI and specialized RRs
• RRSIG, DNSKEY, NSEC
June 2014 DNS Security 23
DNSSec Principles
• Both the authoritative zone server and the querying resolver must support DNSSec
• The zone file is cryptographically signed (a Secure Entry Point)
• The public key (ZSK and KSK) is stored as the DNSKEY RR
• RRsets are digitally signed (adding the RRSIG RR)
• The records are ordered by canonical name and chained through the NSEC RR
June 2014 DNS Security 24
DNSSec Workflow
• The authoritative nameserver signs the zone’s records with its private key (ZSK and KSK)
• The security-aware resolver uses the respective zone’s public key for signature validation
• How to transfer the public key to the resolver?
• Publish the public key as a DNSKEY RR
• Transfer the public key using an out-of-band process (trusted anchor)
June 2014 DNS Security 25
DNSSec Validation
• Secure
• Trusted anchor is present and the received data have been validated successfully
• Insecure
• Trusted anchor is present but no secure link to the delegated node (e.g. sub-domain)
• Bogus
• Trusted anchor is present but the received data have not been validated successfully
• Indeterminate
• No trusted anchor for this domain
June 2014 DNS Security 26
DNSSec Chains of Trust
• Delegated Signer RR
• Authenticating the NS RRs that point to the child domain by importing the child’s KSK
• The root zone was signed in July 2010
• Several gTLDs and ccTLDs as well
• The validating resolver follows the chain from the root to the signed zone
• Need for a single root key as trusted anchor
June 2014 DNS Security 27
Secure Zone Maintenance
• Need to re-sign the zone when
• A change is made to the zone records (e.g. SOA RR serial number)
• The signature expires (RRSIG RRs have a start time and expire after a period of time, e.g. 30d)
• Signing key rollover
• Updating the DS record of the parent
• Updating the trusted anchor of security-aware resolvers
June 2014 DNS Security 28
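Three pieces of the DNSSec mechanics from the slides above, written out as an added example (not the presenter's code): the canonical name ordering and the NSEC chain built from it, which is how a signed zone proves a name does not exist; the DS digest that links a parent zone to the child's KSK (RFC 4034 section 5.1.4 with SHA-256, RFC 4509) together with the key tag (RFC 4034 appendix B); and the four validation states. The zone names are constructed and the "public key" bytes are filler, not a real key, so the digest value is only illustrative.

```python
# Added example, not from the slides: NSEC ordering, DS digest, validation states.
import hashlib
import struct
from typing import List, Optional, Tuple


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key for RFC 4034 section 6.1 canonical order: labels compared from
    the root side, case-insensitively, byte by byte; a name that runs out of
    labels first sorts first, so a zone apex precedes all its children."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return tuple(l.encode("ascii") for l in reversed(labels))


def name_to_wire(name: str) -> bytes:
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_nsec_chain(owners: List[str], apex: str) -> List[Tuple[str, str]]:
    """(owner, next owner) pairs in canonical order; the last NSEC wraps to the apex."""
    ordered = sorted(set(owners) | {apex}, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def covering_nsec(chain: List[Tuple[str, str]], qname: str) -> Optional[Tuple[str, str]]:
    """The NSEC that proves qname does not exist: owner < qname < next in
    canonical order, or beyond the last owner on the wrap-around NSEC.
    Returns None when qname is an existing owner (nothing to prove)."""
    q = canon = canonical_key(qname)
    for owner, nxt in chain:
        o, n = canonical_key(owner), canonical_key(nxt)
        if o == q:
            return None
        if o < q < n or (n <= o and (q > o or q < n)):
            return owner, nxt
    return None


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B: 16-bit word sum over the DNSKEY RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_sha256(owner: str, rdata: bytes) -> str:
    """DS digest = SHA-256(canonical owner name in wire form | DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def validation_state(trust_anchor: bool, chain_linked: bool, signatures_ok: bool) -> str:
    """The four outcomes of a validating resolver as listed on the slide."""
    if not trust_anchor:
        return "indeterminate"
    if not chain_linked:
        return "insecure"
    return "secure" if signatures_ok else "bogus"


# Constructed zone: apex plus three names, given out of order on purpose.
OWNERS = ["www.example.com.", "mail.example.com.", "ns1.example.com."]
CHAIN = build_nsec_chain(OWNERS, "example.com.")
# Constructed KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 8, filler key bytes.
KSK_RDATA = dnskey_rdata(257, 3, 8, bytes(range(1, 33)))
```

With this chain, a query for `ftp.example.com.` is answered NXDOMAIN together with the signed NSEC `example.com. -> mail.example.com.`, which covers it; a query for `zzz.example.com.` is covered by the wrap-around NSEC from `www.example.com.` back to the apex. The parent publishes `ds_digest_sha256("example.com.", KSK_RDATA)` in its DS record, and that digest must be refreshed whenever the KSK rolls, which is the parent-update step the zone-maintenance slide lists.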
Fast-flux networks
June 2014 DNS Security 29
Fast-flux Networks
• A distributed system
• Master server(s) – motherships -> Controller nodes
• Infected/controlled hosts
• Name resolution services
• Traffic proxying
• Delivery of malware
• Additional operational services (e.g. registration, availability checkers)
• Main goal:
• Make the malicious network harder to discover through layers of traffic redirection
• Defeat IP-based ACL approaches
June 2014 DNS Security 30
Fast-flux Use Cases
• Hosting phishing sites directly on a compromised host and advertising its DNS name or IP address through mass-emailing/spear phishing - BUSTED
• Attempts at server address obfuscation (proxy servers) with partial success
• Simplicity & A Business Model
• Decoupling the malicious content delivery from the fast-flux network operator
• Difficult to track down
• Random compromised hosts, no traffic logging, live proxying without remaining artifacts
June 2014 DNS Security 31
Single-flux
• Multiple compromised hosts’ IP addresses are mapped to a certain DNS hostname (A records)
• Compromised hosts act as front-end/reverse proxy for the malicious web server
• Round robin DNS (e.g. 10 random hosts per DNS reply) -> robustness in case of disconnected hosts
• Short DNS TTLs (e.g. <5m) -> dynamism
June 2014 DNS Security 32
Single-flux
Image taken from http://www.honeynet.org/papers/ff
June 2014 DNS Security 33
Single-flux Example
• Query A
• Query B
Images taken from http://www.honeynet.org/papers/ff
June 2014 DNS Security 34
Double-flux
• Advancement over single-flux: compromised hosts appear as authoritative name servers for the specific DNS domain name (NS records)
• Automated updating of the authoritative name server records (e.g. registrar API)
• Additional layer of redundancy, availability
• A compromised host acting as authoritative name server is also a front-end/proxy for the mothership
June 2014 DNS Security 35
Double-flux
Image taken from http://www.honeynet.org/papers/ff
June 2014 DNS Security 36
Double-flux Example
• Query A
• Query B
Images taken from http://www.honeynet.org/papers/ff
June 2014 DNS Security 37
Fast-flux Case Studies
• Warezov/Stration (2007)
• Malware variants mainly used for spam purposes
• Phone-home for fetching updates (AV-evasion)
• DNS services and download sites behind fast-flux
• Storm (2007)
• UDP-based P2P C&C botnet
• Generating image-based spam instead of template-based messaging
• Adopting fast-flux networking scheme
June 2014 DNS Security 38
Fast-flux detection
• DNS monitoring of suspicious domain names
• Short TTLs
• Number of A records / response
• Number of NS records / response
• Diversity of IPs/networks/ASNs
• Presence of broadband/dialup networks
• Detect upstream mothership node communication
• Probe user networks for HTTP/DNS proxying capabilities (e.g. accompanied with IDS or NetFlow monitoring)
June 2014 DNS Security 39
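The DNS-monitoring indicators on the slide above turned into a score over observed responses (TTL, A-record count, NS-record count, ASN diversity, share of residential address space) plus an IP-churn measure across successive lookups of the same name, added here as an example and not taken from the presentation. Weights, threshold and sample data are constructed; the ASNs are from the documentation range and the addresses from the documentation prefixes. The two samples also show the caveat the deck raises later: a CDN shares the short TTL and many-A-records traits, so the network-diversity features, not the TTL, are what separate it.

```python
# Added example, not from the slides: fast-flux indicator scoring over DNS responses.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Snapshot:
    """One observed response for a name. a_records: (ip, asn, residential?)."""
    qname: str
    ttl: int
    a_records: List[Tuple[str, int, bool]]
    ns_records: List[str]


def fastflux_score(s: Snapshot) -> Tuple[int, List[str]]:
    """Score one response against the slide's indicators; weights are constructed."""
    score, why = 0, []
    if s.ttl < 300:
        score += 1
        why.append(f"short TTL {s.ttl}s")
    if len(s.a_records) >= 5:
        score += 1
        why.append(f"{len(s.a_records)} A records in one response")
    if len(s.ns_records) >= 4:
        score += 1
        why.append(f"{len(s.ns_records)} NS records")
    asns = {asn for _, asn, _ in s.a_records}
    if len(asns) >= 3:
        score += 2
        why.append(f"{len(asns)} distinct ASNs")
    residential = sum(1 for _, _, r in s.a_records if r)
    if s.a_records and residential / len(s.a_records) >= 0.5:
        score += 2
        why.append(f"{residential}/{len(s.a_records)} addresses in residential space")
    return score, why


def ip_churn(history: List[Snapshot]) -> float:
    """Distinct IPs seen across lookups divided by the mean IPs per lookup.
    A stable round-robin pool stays near 1.0; a fluxing pool grows per lookup."""
    if not history:
        return 0.0
    seen = {ip for s in history for ip, _, _ in s.a_records}
    mean = sum(len(s.a_records) for s in history) / len(history)
    return len(seen) / mean


def classify(history: List[Snapshot], threshold: int = 4) -> str:
    score, _ = fastflux_score(history[-1])
    if ip_churn(history) >= 2.0:
        score += 2
    return "fast-flux suspect" if score >= threshold else "no flux indicators"


def _snap(qname, ttl, ips, asns, residential, ns) -> Snapshot:
    return Snapshot(qname, ttl, [(ip, asn, residential) for ip, asn in zip(ips, asns)], ns)


# Constructed: two lookups of a suspect name, a fresh set of residential hosts
# in six different ASNs each time, four NS records, 180 s TTL.
FLUX_NS = [f"ns{i}.login-update.example.net." for i in range(1, 5)]
FLUX_HISTORY = [
    _snap("login-update.example.net.", 180, [f"192.0.2.{i}" for i in range(10, 16)],
          range(64496, 64502), True, FLUX_NS),
    _snap("login-update.example.net.", 180, [f"198.51.100.{i}" for i in range(20, 26)],
          range(64502, 64508), True, FLUX_NS),
]
# Constructed: two lookups of a CDN-hosted name, the same six hosting-range
# addresses in one ASN rotated, two NS records, 60 s TTL.
CDN_IPS = [f"203.0.113.{i}" for i in range(1, 7)]
CDN_NS = ["ns1.cdn.example.net.", "ns2.cdn.example.net."]
CDN_HISTORY = [
    _snap("static.example.net.", 60, CDN_IPS, [64511] * 6, False, CDN_NS),
    _snap("static.example.net.", 60, CDN_IPS[::-1], [64511] * 6, False, CDN_NS),
]
```

The suspect name scores 7 on a single response and 9 with churn; the CDN name scores 2 (short TTL, many A records) with churn 1.0, so it stays below the threshold despite the shorter TTL.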
Fast-flux mitigation
• Block TCP 80 / UDP 53 into user-land networks
• Block traffic to controller infrastructure (motherships, registration, availability checkers)
• Stricter DNS registrar policies
• DNS Blackhole / BGP route injection against the controller infrastructure
• Passive DNS monitoring for A and NS records from user networks
• Control scripted name server configuration updates / minimum acceptable TTL
• Reputation systems for DNS
June 2014 DNS Security 40
Fast-flux Next Gen
• Slower change rate of IP addresses
• 61% with >60 minutes per IP
• More registrars, domain name space expansion, lower registration costs
• Increased sharing of IP addresses and authoritative name servers among fast-flux domains
• Dual-purpose compromised hosts (acting as proxy and DNS servers in parallel)
• N-flux (ns*.flux.com, ns*.ns*.flux.com etc.)
• Single IP address with TTL=0
• Fast-flux-like benign systems
• E.g. Bitcoin DNS seed / node discovery (e.g. seed.bitcoin.sipa.be)
• NTP DNS round-robin technique for picking a network time server
• Content Delivery Networks (CDNs)
• Anti-censorship solutions
June 2014 DNS Security 41
Domain Generation Algorithms
• Algorithms employed by malware for periodically generating large numbers of domain names
• Used for contacting the controller nodes (e.g. updating their capabilities, fetching commands)
• The malware contacts a subset of the list; controllers register only a few new domains sporadically -> NXDOMAIN-based detection
• Avoids ‘hard-coded’ domain names in the binary (e.g. string dumping)
• Even if the algorithm is reverse-engineered, sinkholing 1000s of future domains is challenging
• Mostly date-based algorithms
• Some even used Twitter APIs employing past trending topics
• Examples: Conficker, Torpig, Murofet
June 2014 DNS Security 42
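The NXDOMAIN-based detection idea from the slide above, run over resolver query logs as an added example (not the presenter's code). A DGA-driven host tries many generated names of which only a few are registered, so it stands out by NXDOMAIN volume and ratio, while a user with a single typo does not. The log format, client addresses, thresholds and names are all constructed; the "generated" names are random-looking strings, not the output of any real algorithm.

```python
# Added example, not from the slides: per-client NXDOMAIN statistics from resolver logs.
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed log format: "<timestamp> client <ip> query <qname> <qtype> <rcode>"
LOG_RE = re.compile(r"^(\S+) client (\S+) query (\S+) (\S+) (\S+)$")


class ClientStats(NamedTuple):
    total: int
    nxdomain: int
    distinct_nx: int

    @property
    def nx_ratio(self) -> float:
        return self.nxdomain / self.total if self.total else 0.0


def nxdomain_stats(log: str) -> Dict[str, ClientStats]:
    totals: Dict[str, int] = defaultdict(int)
    failed: Dict[str, List[str]] = defaultdict(list)
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip malformed lines rather than crash
        _ts, client, qname, _qtype, rcode = m.groups()
        totals[client] += 1
        if rcode == "NXDOMAIN":
            failed[client].append(qname.lower())
    return {c: ClientStats(totals[c], len(failed[c]), len(set(failed[c])))
            for c in totals}


def flag_clients(stats: Dict[str, ClientStats], min_nx: int = 5,
                 min_ratio: float = 0.5) -> List[str]:
    """Clients with at least min_nx distinct failed names and an NXDOMAIN share
    of at least min_ratio. Both thresholds are constructed starting points; tune
    them against a baseline of your own resolver's normal NXDOMAIN rate."""
    return sorted(c for c, s in stats.items()
                  if s.distinct_nx >= min_nx and s.nx_ratio >= min_ratio)


SAMPLE_LOG = """\
2014-06-15T10:00:01 client 192.0.2.10 query www.example.com A NOERROR
2014-06-15T10:00:02 client 192.0.2.10 query mail.example.com MX NOERROR
2014-06-15T10:00:03 client 192.0.2.10 query wwww.example.com A NXDOMAIN
2014-06-15T10:00:04 client 192.0.2.77 query www.example.com A NOERROR
2014-06-15T10:00:05 client 192.0.2.77 query qwlzkdjfhe.info A NXDOMAIN
2014-06-15T10:00:05 client 192.0.2.77 query bxe7t2plam.biz A NXDOMAIN
2014-06-15T10:00:06 client 192.0.2.77 query ukrmwoqzpd.org A NXDOMAIN
2014-06-15T10:00:06 client 192.0.2.77 query vzlpq4ncer.net A NXDOMAIN
2014-06-15T10:00:07 client 192.0.2.77 query hjkqpwzxne.com A NXDOMAIN
2014-06-15T10:00:07 client 192.0.2.77 query tbnqzlwerx.info A NXDOMAIN
2014-06-15T10:00:08 client 192.0.2.77 query qwlzkdjfhe.info A NXDOMAIN
2014-06-15T10:00:08 client 192.0.2.77 query mcvxzqplwo.biz A NXDOMAIN
2014-06-15T10:00:09 client 192.0.2.77 query znxqwlpmer.org A NXDOMAIN
this line is not in the expected format and is ignored
"""
```

On the sample, 192.0.2.77 has 9 NXDOMAIN answers for 8 distinct names out of 10 queries and is flagged; 192.0.2.10 has one typo in three queries and is not. Distinct names are counted separately because a retried lookup of one missing name should not weigh as much as many different ones.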
Custom DNS Servers
• Malware performs name resolutions against criminal-controlled DNS servers
• Different view for the malware and the security researcher
• May appear as a non-existent domain through the public DNS infrastructure
• Ability to use legitimate domain names for the botnet controllers (e.g. *.google.com)
• False negatives in security products
June 2014 DNS Security 43
Fluxing Domain Names
• Rogue ISPs removing malicious domain names soon after they get added to botnet tracking services (e.g. abuse.ch)
• Malware switches to backup URLs if the main C&C is not reachable
• Maintain a low profile on the law enforcement radar / low number of active botnet controllers
June 2014 DNS Security 44
Wildcard DNS records
• Many-to-one mapping
• E.g. *.example.com. <IP address>
• Used in phishing campaigns
• Evade host-name based blacklists
June 2014 DNS Security 45