SlideShare a Scribd company logo

A curious case of broken DNS responses (Coloclue Presents - Nov 2019)

Babak Farrokhi
Babak Farrokhi

Talk by Babak Farrokhi on large scale DNS Sinkholing and mitigation methods

Internet
1 of 26
Download to read offline
A curious case of broken DNS responses Babak Farrokhi Perforlabs Coloclue Presents - Nov 2019
About me ● Unix SA (FreeBSD, Solaris, Linux) since 1996 ● IP Networking since 1997 ● FreeBSD Ports Team since 2004 ● Enthusiastic coder (Perl/Python/C/Go/…) ● Internet Security Researcher (Mostly BGP and DNS) @farrokhi
Prologue ● I never trust any ISP or anyone on Internet ● Most people ignore strange network behaviors ● Only a few people take the red pill and go down the rabbit hole...
Observation ● Outgoing SMTP fails due to MX lookup failures ○ only certain domains (e.g. twitter.com) ● Local resolver returns “incorrect” response ● Public Resolver (e.g. Google) also returned incorrect response ● I needed to look deeper into this
Down the rabbit hole...
Strange responses from public resolvers This is not what I expected to get from a public resolver: % dig +short -t A twitter.com @8.8.8.8 10.10.34.34 % dig +short -t A ripe.net @8.8.8.8 193.0.6.139 % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
Need to take a closer look Not obvious at first glance, but time delta is strange... % tcpdump -ttt -c2 -nqr ripe.pcap reading from PCAP-NG file ripe.pcap 00:00:00.000000 IP 192.168.0.132.53425 > 8.8.8.8.53: UDP, length 27 00:00:00.138933 IP 8.8.8.8.53 > 192.168.0.132.53425: UDP, length 75 % tcpdump -ttt -c2 -nqr twitter.pcap reading from PCAP-NG file twitter.pcap 00:00:00.000000 IP 192.168.0.132.58418 > 8.8.8.8.53: UDP, length 29 00:00:00.028077 IP 8.8.8.8.53 > 192.168.0.132.58418: UDP, length 45
dnsping - A new tool is born ● Started as a humble Python script to solve my own problem ● Didn’t mean to reinvent the wheel (couldn’t find any wheel) ● Similar user experience as the legacy PING % ./dnsping.py -s 8.8.8.8 -c3 ripe.net dnsping.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 32 bytes from 8.8.8.8: seq=0 time=200.371 ms 32 bytes from 8.8.8.8: seq=1 time=217.320 ms 32 bytes from 8.8.8.8: seq=2 time=236.644 ms --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=200.371 ms, avg=218.112 ms, max=236.644 ms, stddev=18.149 ms
ICMP vs DNS Response Times % ping -q -c10 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes --- 8.8.8.8 ping statistics --- 10 packets transmitted, 10 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 124.237/155.044/227.499/31.464 ms % ./dnsping.py -q -s 8.8.8.8 -c3 twitter.com dnsping.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=12.934 ms, avg=21.355 ms, max=29.425 ms, stddev=8.251 ms
First anomaly ● Different domain names being treated differently ● A rogue name server impersonating as Google Resolver ● The rogue name server is close to me (given response times) ● Where is it? And how can I find out?
dnstraceroute: Traceroute tool for DNS protocol ● Similar to legacy traceroute, but for DNS protocol ● Send out actual DNS queries and expect a response ● Using TTL trick to map the path ● Could not use legacy traceroute with UDP probes ○ The traffic redirection is based on DNS “payload”
Real vs Rogue DNS Servers % ./dnstraceroute.py -s 8.8.8.8 ripe.net dnstraceroute.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.912 ms 2 * 3 192.168.10.105 (192.168.10.105) 15.792 ms 4 172.17.2.1 (172.17.2.1) 17.063 ms 5 172.17.2.9 (172.17.2.9) 11.245 ms 6 172.19.18.5 (172.19.18.5) 24.862 ms 7 172.19.17.2 (172.19.17.2) 18.972 ms 8 10.201.177.41 (10.201.177.41) 13.261 ms 9 10.10.53.190 (10.10.53.190) 14.240 ms 10 185.100.209.117 (185.100.209.117) 176.592 ms 11 * 12 de-cix.fra.google.com (80.81.192.108) 152.757 ms 13 108.170.251.193 (108.170.251.193) 90.347 ms 14 google-public-dns-a.google.com (8.8.8.8) 185.401 ms % ./dnstraceroute.py -s 8.8.8.8 twitter.com dnstraceroute.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.160 ms 2 * 3 192.168.10.105 (192.168.10.105) 5.985 ms 4 172.17.2.1 (172.17.2.1) 8.535 ms 5 172.17.2.9 (172.17.2.9) 20.617 ms 6 172.19.18.5 (172.19.18.5) 7.823 ms 7 * 8 * 9 google-public-dns-a.google.com (8.8.8.8) 19.557 ms
Back to the case of broken MX ● Rogue name-server also returns “broken” responses ● Only to certain type of queries (e.g. MX) % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
Looking at packets again... ● Response to MX request is malformed ○ Server responded with PTR response ○ RDLENGTH is 3 but RDATA field contains 4 bytes ■ Additional byte was always NULL ■ Seems like a bug in code ● Queried top 10,000 domain names [1], received 139 broken responses [2]
Uncovering the rouge resolver address ● Query TXT record from maxmind.test-ipv6.com ● It tells you the public address of your resolver ○ The address should belong to Google (AS15169) ○ Anything else means MITM ● Using RIPE Atlas to see if this is a regular practice % dig +short -t TXT maxmind.test-ipv6.com @8.8.4.4 "ip='74.125.74.14' as='15169' isp='Google' country='FI'"
Is it just me? Let's ask RIPE Atlas ● 500 Probes worldwide - 484 Replied (DNS/UDP/IPv4) ○ 475 Good (Req. from Google address space) ~98% ○ 9 Bad (Req. from non-Google address space) ~2% ● Same 500 probes - 484 Replied (DNS/TCP/IPv4) ○ 479 Good ~99% ○ 5 Bad ~1%
The logic behind DNS traffic redirection
What is the motivation? There are mainly two reasons: 1. Privacy protection (The Good) ○ Prevent sending request to use have your end-point IP address as its source address ○ Filter out malwares looking for their C&C 2. DNS based service redirection (The Evil) ○ Restrict your access ○ Redirect your traffic
Countermeasures ● Force local resolver to use TCP ● DNSCrypt (dnscrypt.org) ○ OpenDNS supports it, desktop clients available ● DNS over TLS/DTLS (RFC 7858 and 8094) ○ DNS Privacy Project (dnsprivacy.org) offers tutorials, tools, recommendations and test servers ● DNSSEC ○ From top 100 domain names only 2 of them are signed [3] ○ What if the rogue nameserver does not validate DNSSEC?
Final words ● Don’t trust a public DNS resolver, use your own ○ There ain't no such thing as a free lunch (TANSTAAFL) ○ Stub resolvers are easy to setup and use (e.g. Stubby) ● Don’t trust your upstream, encrypt as much as possible ○ DNS contains important information ○ As per RFC7258: “Pervasive Monitoring Is an Attack”
Tools of the trade ● dnsping, dnstraceroute and dnseval are part of “dnsdiag toolkit” on GitHub [4] ○ Looking for feedback and ideas from community ● Combining with other tools (e.g. RIPE Atlas) to perform more complex behavior analysis ● Suggestion: dnstraceroute in RIPE Atlas probes?
Questions?
Resources [1] https://github.com/opendns/public-domain-lists [2] https://gist.github.com/farrokhi/0b56ae06813391be9164 [3] https://gist.github.com/farrokhi/1d9de9df5877aaf9c42fc14412a4b0f8 [4] https://github.com/farrokhi/dnsdiag Also my articles on RIPE Labs discussion the same issue: ● https://labs.ripe.net/Members/babak_farrokhi
Bonus slide
Evil-doers are not necessarily very smart % dig +short -t A TwiTTer.com @8.8.8.8 104.244.42.193 104.244.42.1 % dig +short -t A twitter.com @8.8.8.8 10.10.34.34

Recommended

A curious case of broken dns responses - RIPE75
A curious case of broken dns responses - RIPE75A curious case of broken dns responses - RIPE75
A curious case of broken dns responses - RIPE75Babak Farrokhi
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
 
Doing Horrible Things with DNS - Web Directions South
Doing Horrible Things with DNS - Web Directions SouthDoing Horrible Things with DNS - Web Directions South
Doing Horrible Things with DNS - Web Directions SouthTom Croucher
 
How the internet works
How the internet worksHow the internet works
How the internet worksSharon Chen
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
osint + python: extracting information from tor network and darkweb
osint + python: extracting information from tor network and darkweb osint + python: extracting information from tor network and darkweb
osint + python: extracting information from tor network and darkweb Jose Manuel Ortega Candel
 
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)PROIDEA
 

Recommended

A curious case of broken dns responses - RIPE75
A curious case of broken dns responses - RIPE75A curious case of broken dns responses - RIPE75
A curious case of broken dns responses - RIPE75Babak Farrokhi
 
Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
 
Doing Horrible Things with DNS - Web Directions South
Doing Horrible Things with DNS - Web Directions SouthDoing Horrible Things with DNS - Web Directions South
Doing Horrible Things with DNS - Web Directions SouthTom Croucher
 
How the internet works
How the internet worksHow the internet works
How the internet worksSharon Chen
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł MaziarzPROIDEA
 
osint + python: extracting information from tor network and darkweb
osint + python: extracting information from tor network and darkweb osint + python: extracting information from tor network and darkweb
osint + python: extracting information from tor network and darkweb Jose Manuel Ortega Candel
 
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)
CONFidence 2018: Detecting Phishing from pDNS (Irena Damsky)PROIDEA
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
Pycon Sec
Pycon SecPycon Sec
Pycon Secguesta762e4
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdfTECHNOLOGY CONTROL CO.
 
Darkweb + Python: discover, analyze and extract information from hidden services
Darkweb + Python: discover, analyze and extract information from hidden servicesDarkweb + Python: discover, analyze and extract information from hidden services
Darkweb + Python: discover, analyze and extract information from hidden servicesJose Manuel Ortega Candel
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PROIDEA
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS DefenseJames Dickenson
 
Compact ordered dict__k_lab_meeting_
Compact ordered dict__k_lab_meeting_Compact ordered dict__k_lab_meeting_
Compact ordered dict__k_lab_meeting_miki koganei
 
Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy BilykSecurity Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy BilykNazar Tymoshyk, CEH, Ph.D.
 
2016 bioinformatics i_io_wim_vancriekinge
2016 bioinformatics i_io_wim_vancriekinge2016 bioinformatics i_io_wim_vancriekinge
2016 bioinformatics i_io_wim_vancriekingeProf. Wim Van Criekinge
 
C# to python
C# to pythonC# to python
C# to pythonTess Ferrandez
 
Collision vulnerability for hash data structures in web platforms
Collision vulnerability for hash data structures in web platformsCollision vulnerability for hash data structures in web platforms
Collision vulnerability for hash data structures in web platformsBerescu Ionut
 
Cryptography (under)engineering
Cryptography (under)engineeringCryptography (under)engineering
Cryptography (under)engineeringslicklash
 
linux networking commands short
linux networking commands shortlinux networking commands short
linux networking commands shortSayed Ahmed
 
Introduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmIntroduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmSimone Onofri
 
theday, windows hacking with commandline
theday, windows hacking with commandlinetheday, windows hacking with commandline
theday, windows hacking with commandlineidsecconf
 
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for Dummies
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for DummiesBartosz Zaczyński (Grand Parade Poland) - WebSocket for Dummies
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for DummiesBusiness Link Krakow
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testersChristian Martorella
 
Encrypted DNS research @ nic.at
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.atAlex Mayrhofer
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 

More Related Content

What's hot

Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sightRob Gillen
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
Darkweb + Python: discover, analyze and extract information from hidden services
Darkweb + Python: discover, analyze and extract information from hidden servicesDarkweb + Python: discover, analyze and extract information from hidden services
Darkweb + Python: discover, analyze and extract information from hidden servicesJose Manuel Ortega Candel
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentNahidul Kibria
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PROIDEA
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS DefenseJames Dickenson
 
Compact ordered dict__k_lab_meeting_
Compact ordered dict__k_lab_meeting_Compact ordered dict__k_lab_meeting_
Compact ordered dict__k_lab_meeting_miki koganei
 
Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy BilykSecurity Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy BilykNazar Tymoshyk, CEH, Ph.D.
 
2016 bioinformatics i_io_wim_vancriekinge
2016 bioinformatics i_io_wim_vancriekinge2016 bioinformatics i_io_wim_vancriekinge
2016 bioinformatics i_io_wim_vancriekingeProf. Wim Van Criekinge
 
Collision vulnerability for hash data structures in web platforms
Collision vulnerability for hash data structures in web platformsCollision vulnerability for hash data structures in web platforms
Collision vulnerability for hash data structures in web platformsBerescu Ionut
 
Cryptography (under)engineering
Cryptography (under)engineeringCryptography (under)engineering
Cryptography (under)engineeringslicklash
 
linux networking commands short
linux networking commands shortlinux networking commands short
linux networking commands shortSayed Ahmed
 
Introduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmIntroduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmSimone Onofri
 
theday, windows hacking with commandline
theday, windows hacking with commandlinetheday, windows hacking with commandline
theday, windows hacking with commandlineidsecconf
 
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for Dummies
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for DummiesBartosz Zaczyński (Grand Parade Poland) - WebSocket for Dummies
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for DummiesBusiness Link Krakow
 

What's hot (20)

Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Hiding in plain sight
Hiding in plain sightHiding in plain sight
Hiding in plain sight
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 
Pycon Sec
Pycon SecPycon Sec
Pycon Sec
 
Python build your security tools.pdf
Python build your security tools.pdfPython build your security tools.pdf
Python build your security tools.pdf
 
Darkweb + Python: discover, analyze and extract information from hidden services
Darkweb + Python: discover, analyze and extract information from hidden servicesDarkweb + Python: discover, analyze and extract information from hidden services
Darkweb + Python: discover, analyze and extract information from hidden services
 
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environmentThreat hunting != Throwing arrow! Hunting for adversaries in your it environment
Threat hunting != Throwing arrow! Hunting for adversaries in your it environment
 
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
PLNOG 17 - Patryk Wojtachnio - DDoS mitygacja oraz ochrona sieci w środowisku...
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
 
Compact ordered dict__k_lab_meeting_
Compact ordered dict__k_lab_meeting_Compact ordered dict__k_lab_meeting_
Compact ordered dict__k_lab_meeting_
 
Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy BilykSecurity Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
Security Hole #11 - Unusual security vulnerabilities - Yuriy Bilyk
 
2016 bioinformatics i_io_wim_vancriekinge
2016 bioinformatics i_io_wim_vancriekinge2016 bioinformatics i_io_wim_vancriekinge
2016 bioinformatics i_io_wim_vancriekinge
 
C# to python
C# to pythonC# to python
C# to python
 
Collision vulnerability for hash data structures in web platforms
Collision vulnerability for hash data structures in web platformsCollision vulnerability for hash data structures in web platforms
Collision vulnerability for hash data structures in web platforms
 
Cryptography (under)engineering
Cryptography (under)engineeringCryptography (under)engineering
Cryptography (under)engineering
 
linux networking commands short
linux networking commands shortlinux networking commands short
linux networking commands short
 
Introduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmmIntroduzione ai network penetration test secondo osstmm
Introduzione ai network penetration test secondo osstmm
 
theday, windows hacking with commandline
theday, windows hacking with commandlinetheday, windows hacking with commandline
theday, windows hacking with commandline
 
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for Dummies
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for DummiesBartosz Zaczyński (Grand Parade Poland) - WebSocket for Dummies
Bartosz Zaczyński (Grand Parade Poland) - WebSocket for Dummies
 
Python for Penetration testers
Python for Penetration testersPython for Penetration testers
Python for Penetration testers
 

Similar to A curious case of broken DNS responses (Coloclue Presents - Nov 2019)

Encrypted DNS research @ nic.at
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.atAlex Mayrhofer
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationCTruncer
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemSneha Inguva
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.Qrator Labs
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationCTruncer
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.Leszek Mi?
 
dns.workshop.hsgr
dns.workshop.hsgrdns.workshop.hsgr
dns.workshop.hsgrebalaskas
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...JosephTesta9
 
Uber mobility - High Performance Networking
Uber mobility - High Performance NetworkingUber mobility - High Performance Networking
Uber mobility - High Performance NetworkingDhaval Patel
 
Designate - Operators Deep Dive
Designate - Operators Deep DiveDesignate - Operators Deep Dive
Designate - Operators Deep DiveGraham Hayes
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
44 con slides
44 con slides44 con slides
44 con slidesgeeksec80
 

Similar to A curious case of broken DNS responses (Coloclue Presents - Nov 2019) (20)

Encrypted DNS research @ nic.at
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.at
 
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use Them
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
DNS Survival Guide.
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
 
DNS Survival Guide
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
 
Egress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data ExfiltrationEgress-Assess and Owning Data Exfiltration
Egress-Assess and Owning Data Exfiltration
 
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
May The Data Stay with U! Network Data Exfiltration Techniques - Brucon 2017.
 
dns.workshop.hsgr
dns.workshop.hsgrdns.workshop.hsgr
dns.workshop.hsgr
 
Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
DNSTap Webinar
DNSTap WebinarDNSTap Webinar
DNSTap Webinar
 
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
BSides Rochester 2018: Chris Partridge: Turning Domain Data Into Domain Intel...
 
Uber mobility - High Performance Networking
Uber mobility - High Performance NetworkingUber mobility - High Performance Networking
Uber mobility - High Performance Networking
 
Designate - Operators Deep Dive
Designate - Operators Deep DiveDesignate - Operators Deep Dive
Designate - Operators Deep Dive
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 
44 con slides
44 con slides44 con slides
44 con slides
 

Recently uploaded

Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 

Recently uploaded (20)

Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 

A curious case of broken DNS responses (Coloclue Presents - Nov 2019)

  • 1. A curious case of broken DNS responses Babak Farrokhi Perforlabs Coloclue Presents - Nov 2019
  • 2. About me ● Unix SA (FreeBSD, Solaris, Linux) since 1996 ● IP Networking since 1997 ● FreeBSD Ports Team since 2004 ● Enthusiastic coder (Perl/Python/C/Go/…) ● Internet Security Researcher (Mostly BGP and DNS) @farrokhi
  • 3. Prologue ● I never trust any ISP or anyone on Internet ● Most people ignore strange network behaviors ● Only a few people take the red pill and go down the rabbit hole...
  • 4. Observation ● Outgoing SMTP fails due to MX lookup failures ○ only certain domains (e.g. twitter.com) ● Local resolver returns “incorrect” response ● Public Resolver (e.g. Google) also returned incorrect response ● I needed to look deeper into this
  • 5. Down the rabbit hole...
  • 6. Strange responses from public resolvers This is not what I expected to get from a public resolver: % dig +short -t A twitter.com @8.8.8.8 10.10.34.34 % dig +short -t A ripe.net @8.8.8.8 193.0.6.139 % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
  • 7. Need to take a closer look Not obvious at first glance, but time delta is strange... % tcpdump -ttt -c2 -nqr ripe.pcap reading from PCAP-NG file ripe.pcap 00:00:00.000000 IP 192.168.0.132.53425 > 8.8.8.8.53: UDP, length 27 00:00:00.138933 IP 8.8.8.8.53 > 192.168.0.132.53425: UDP, length 75 % tcpdump -ttt -c2 -nqr twitter.pcap reading from PCAP-NG file twitter.pcap 00:00:00.000000 IP 192.168.0.132.58418 > 8.8.8.8.53: UDP, length 29 00:00:00.028077 IP 8.8.8.8.53 > 192.168.0.132.58418: UDP, length 45
  • 8. dnsping - A new tool is born ● Started as a humble Python script to solve my own problem ● Didn’t mean to reinvent the wheel (couldn’t find any wheel) ● Similar user experience as the legacy PING % ./dnsping.py -s 8.8.8.8 -c3 ripe.net dnsping.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 32 bytes from 8.8.8.8: seq=0 time=200.371 ms 32 bytes from 8.8.8.8: seq=1 time=217.320 ms 32 bytes from 8.8.8.8: seq=2 time=236.644 ms --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=200.371 ms, avg=218.112 ms, max=236.644 ms, stddev=18.149 ms
  • 9. ICMP vs DNS Response Times % ping -q -c10 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes --- 8.8.8.8 ping statistics --- 10 packets transmitted, 10 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 124.237/155.044/227.499/31.464 ms % ./dnsping.py -q -s 8.8.8.8 -c3 twitter.com dnsping.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=12.934 ms, avg=21.355 ms, max=29.425 ms, stddev=8.251 ms
  • 10. First anomaly ● Different domain names being treated differently ● A rogue name server impersonating as Google Resolver ● The rogue name server is close to me (given response times) ● Where is it? And how can I find out?
  • 11. dnstraceroute: Traceroute tool for DNS protocol ● Similar to legacy traceroute, but for DNS protocol ● Send out actual DNS queries and expect a response ● Using TTL trick to map the path ● Could not use legacy traceroute with UDP probes ○ The traffic redirection is based on DNS “payload”
  • 12. Real vs Rogue DNS Servers % ./dnstraceroute.py -s 8.8.8.8 ripe.net dnstraceroute.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.912 ms 2 * 3 192.168.10.105 (192.168.10.105) 15.792 ms 4 172.17.2.1 (172.17.2.1) 17.063 ms 5 172.17.2.9 (172.17.2.9) 11.245 ms 6 172.19.18.5 (172.19.18.5) 24.862 ms 7 172.19.17.2 (172.19.17.2) 18.972 ms 8 10.201.177.41 (10.201.177.41) 13.261 ms 9 10.10.53.190 (10.10.53.190) 14.240 ms 10 185.100.209.117 (185.100.209.117) 176.592 ms 11 * 12 de-cix.fra.google.com (80.81.192.108) 152.757 ms 13 108.170.251.193 (108.170.251.193) 90.347 ms 14 google-public-dns-a.google.com (8.8.8.8) 185.401 ms % ./dnstraceroute.py -s 8.8.8.8 twitter.com dnstraceroute.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.160 ms 2 * 3 192.168.10.105 (192.168.10.105) 5.985 ms 4 172.17.2.1 (172.17.2.1) 8.535 ms 5 172.17.2.9 (172.17.2.9) 20.617 ms 6 172.19.18.5 (172.19.18.5) 7.823 ms 7 * 8 * 9 google-public-dns-a.google.com (8.8.8.8) 19.557 ms
  • 13. Back to the case of broken MX ● Rogue name-server also returns “broken” responses ● Only to certain type of queries (e.g. MX) % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
  • 14. Looking at packets again... ● Response to MX request is malformed ○ Server responded with PTR response ○ RDLENGTH is 3 but RDATA field contains 4 bytes ■ Additional byte was always NULL ■ Seems like a bug in code ● Queried top 10,000 domain names [1], received 139 broken responses [2]
  • 15. Uncovering the rouge resolver address ● Query TXT record from maxmind.test-ipv6.com ● It tells you the public address of your resolver ○ The address should belong to Google (AS15169) ○ Anything else means MITM ● Using RIPE Atlas to see if this is a regular practice % dig +short -t TXT maxmind.test-ipv6.com @8.8.4.4 "ip='74.125.74.14' as='15169' isp='Google' country='FI'"
  • 16. Is it just me? Let's ask RIPE Atlas ● 500 Probes worldwide - 484 Replied (DNS/UDP/IPv4) ○ 475 Good (Req. from Google address space) ~98% ○ 9 Bad (Req. from non-Google address space) ~2% ● Same 500 probes - 484 Replied (DNS/TCP/IPv4) ○ 479 Good ~99% ○ 5 Bad ~1%
  • 17. The logic behind DNS traffic redirection
  • 18. What is the motivation? There are mainly two reasons: 1. Privacy protection (The Good) ○ Prevent sending request to use have your end-point IP address as its source address ○ Filter out malwares looking for their C&C 2. DNS based service redirection (The Evil) ○ Restrict your access ○ Redirect your traffic
  • 19. Countermeasures ● Force local resolver to use TCP ● DNSCrypt (dnscrypt.org) ○ OpenDNS supports it, desktop clients available ● DNS over TLS/DTLS (RFC 7858 and 8094) ○ DNS Privacy Project (dnsprivacy.org) offers tutorials, tools, recommendations and test servers ● DNSSEC ○ From top 100 domain names only 2 of them are signed [3] ○ What if the rogue nameserver does not validate DNSSEC?
  • 20.
  • 21. Final words ● Don’t trust a public DNS resolver, use your own ○ There ain't no such thing as a free lunch (TANSTAAFL) ○ Stub resolvers are easy to setup and use (e.g. Stubby) ● Don’t trust your upstream, encrypt as much as possible ○ DNS contains important information ○ As per RFC7258: “Pervasive Monitoring Is an Attack”
  • 22. Tools of the trade ● dnsping, dnstraceroute and dnseval are part of “dnsdiag toolkit” on GitHub [4] ○ Looking for feedback and ideas from community ● Combining with other tools (e.g. RIPE Atlas) to perform more complex behavior analysis ● Suggestion: dnstraceroute in RIPE Atlas probes?
  • 24. Resources [1] https://github.com/opendns/public-domain-lists [2] https://gist.github.com/farrokhi/0b56ae06813391be9164 [3] https://gist.github.com/farrokhi/1d9de9df5877aaf9c42fc14412a4b0f8 [4] https://github.com/farrokhi/dnsdiag Also my articles on RIPE Labs discussion the same issue: ● https://labs.ripe.net/Members/babak_farrokhi
  • 26. Evil-doers are not necessarily very smart % dig +short -t A TwiTTer.com @8.8.8.8 104.244.42.193 104.244.42.1 % dig +short -t A twitter.com @8.8.8.8 10.10.34.34