A curious case of broken dns responses - RIPE75

Babak Farrokhi
Babak FarrokhiUNIX Systems and Network Architect at Imen Pardis Technologies
A curious case of broken DNS responses Babak Farrokhi RIPE 75
About me ● Unix SA (FreeBSD, Solaris, Linux) since 1996 ● IP Networking since 1997 ● FreeBSD Ports Team since 2004 ● Enthusiastic coder @farrokhi
Prologue ● When it comes to network, I always have trust issues ● Most people ignore those strange network behaviors ● Only a few people take the red pill and go down the rabbit hole...
Observation ● Outgoing SMTP fails due to MX lookup failures ○ only certain domains (e.g. twitter.com) ● Local resolver returns “incorrect” response ● Public Resolver (e.g. Google) also returned incorrect response ● I needed to look deeper into this
Down the rabbit hole...
Strange responses from public resolvers This is not what I expected to get from a public resolver: % dig +short -t A twitter.com @8.8.8.8 10.10.34.34 % dig +short -t A ripe.net @8.8.8.8 193.0.6.139 % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
Need to take a closer look Not obvious at first glance, but time delta is strange... % tcpdump -ttt -c2 -nqr ripe.pcap reading from PCAP-NG file ripe.pcap 00:00:00.000000 IP 192.168.0.132.53425 > 8.8.8.8.53: UDP, length 27 00:00:00.138933 IP 8.8.8.8.53 > 192.168.0.132.53425: UDP, length 75 % tcpdump -ttt -c2 -nqr twitter.pcap reading from PCAP-NG file twitter.pcap 00:00:00.000000 IP 192.168.0.132.58418 > 8.8.8.8.53: UDP, length 29 00:00:00.028077 IP 8.8.8.8.53 > 192.168.0.132.58418: UDP, length 45
dnsping - A new tool is born ● Started as a humble Python script to solve my own problem ● Not intended to re-invent the wheel ● Similar user experience as the legacy PING % ./dnsping.py -s 8.8.8.8 -c3 ripe.net dnsping.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 32 bytes from 8.8.8.8: seq=0 time=200.371 ms 32 bytes from 8.8.8.8: seq=1 time=217.320 ms 32 bytes from 8.8.8.8: seq=2 time=236.644 ms --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=200.371 ms, avg=218.112 ms, max=236.644 ms, stddev=18.149 ms
ICMP vs DNS Response Times % ping -q -c10 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes --- 8.8.8.8 ping statistics --- 10 packets transmitted, 10 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 124.237/155.044/227.499/31.464 ms % ./dnsping.py -q -s 8.8.8.8 -c3 twitter.com dnsping.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=12.934 ms, avg=21.355 ms, max=29.425 ms, stddev=8.251 ms
First anomaly ● Different domain names being treated differently ● A rogue name server impersonating as Google Resolver ● The rogue name server is close to me (given response times) ● Where is it? And how can I find out?
dnstraceroute: Traceroute tool for DNS protocol ● Similar to legacy traceroute, but for DNS protocol ● Send out actual DNS queries and expect a response ● Using TTL trick to map the journey ● Could not use legacy traceroute with UDP probes ○ The traffic redirection is based on DNS “payload”
Real vs Rogue DNS Servers % ./dnstraceroute.py -s 8.8.8.8 ripe.net dnstraceroute.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.912 ms 2 * 3 192.168.10.105 (192.168.10.105) 15.792 ms 4 172.17.2.1 (172.17.2.1) 17.063 ms 5 172.17.2.9 (172.17.2.9) 11.245 ms 6 172.19.18.5 (172.19.18.5) 24.862 ms 7 172.19.17.2 (172.19.17.2) 18.972 ms 8 10.201.177.41 (10.201.177.41) 13.261 ms 9 10.10.53.190 (10.10.53.190) 14.240 ms 10 185.100.209.117 (185.100.209.117) 176.592 ms 11 * 12 de-cix.fra.google.com (80.81.192.108) 152.757 ms 13 108.170.251.193 (108.170.251.193) 90.347 ms 14 google-public-dns-a.google.com (8.8.8.8) 185.401 ms % ./dnstraceroute.py -s 8.8.8.8 twitter.com dnstraceroute.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.160 ms 2 * 3 192.168.10.105 (192.168.10.105) 5.985 ms 4 172.17.2.1 (172.17.2.1) 8.535 ms 5 172.17.2.9 (172.17.2.9) 20.617 ms 6 172.19.18.5 (172.19.18.5) 7.823 ms 7 * 8 * 9 google-public-dns-a.google.com (8.8.8.8) 19.557 ms
Back to the case of broken MX ● Rogue nameserver also returns “broken” responses ● Only to certain type of queries (e.g. MX) % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
Looking at packets again... ● Response to MX request is malformed ○ Server responded with PTR response ○ RDLENGTH is 3 but RDATA field contains 4 bytes ■ Additional byte was always NULL ■ Seems like a bug in code ● Queried top 10,000 domain names [1], received 139 broken responses [2]
Uncovering the rouge resolver address ● Query TXT record from maxmind.test-ipv6.com ● It tells you the public address of your resolver ○ The address should belong to Google (AS15169) ○ Anything else means MITM ● Using RIPE Atlas to see if this is a regular practice % dig +short -t TXT maxmind.test-ipv6.com @8.8.4.4 "ip='74.125.74.14' as='15169' isp='Google' country='FI'"
Is it just me? Let's ask RIPE Atlas ● 500 Probes worldwide - 484 Replied (DNS/UDP/IPv4) ○ 475 Good (Req. from Google address space) ~98% ○ 9 Bad (Req. from non-Google address space) ~2% ● Same 500 probes - 484 Replied (DNS/TCP/IPv4) ○ 479 Good ~99% ○ 5 Bad ~1%
The logic behind DNS traffic redirection
What is the motivation? There are mainly two reasons: 1. Privacy protection (The Good) ○ Prevent sending request to use have your end-point IP address as its source address ○ Filter out malwares looking for their C&C 2. DNS based service redirection (The Evil) ○ Restrict your access ○ Redirect your traffic
Countermeasures ● Force local resolver to use TCP ● DNSCrypt (dnscrypt.org) ○ OpenDNS supports it, desktop clients available ● DNS over TLS/DTLS (RFC 7858 and 8094) ○ DNS Privacy Project (dnsprivacy.org) offers tutorials, tools, recommendations and test servers ● DNSSEC ○ From top 100 domain names only 2 of them are signed [3] ○ What if the rogue nameserver does not validate DNSSEC?
Final words ● Don’t trust a public DNS resolver, use your own ○ There ain't no such thing as a free lunch (TANSTAAFL) ○ Stub resolvers are easy to setup and use (e.g. Stubby) ● Don’t trust your upstream, encrypt as much as possible ○ DNS contains important information ○ As per RFC7258: “Pervasive Monitoring Is an Attack”
Tools of the trade ● dnsping, dnstraceroute and dnseval are part of “dnsdiag toolkit” on GitHub [4] ○ Looking for feedback and ideas from community ● Combining with other tools (e.g. RIPE Atlas) to perform more complex behavior analysis ● Suggestion: dnstraceroute in RIPE Atlas probes?
Questions?
Resources [1] https://github.com/opendns/public-domain-lists [2] https://gist.github.com/farrokhi/0b56ae06813391be9164 [3] https://gist.github.com/farrokhi/1d9de9df5877aaf9c42fc14412a4b0f8 [4] https://github.com/farrokhi/dnsdiag Also my articles on RIPE Labs discussion the same issue: ● https://labs.ripe.net/Members/babak_farrokhi
1 of 23

A curious case of broken dns responses - RIPE75

Download to read offline
Internet

Talk by Babak Farrokhi on large scale DNS Sinkholing and mitigation methods Link to video: https://ripe75.ripe.net/archives/video/105/

Babak Farrokhi
Babak FarrokhiUNIX Systems and Network Architect at Imen Pardis Technologies

Recommended

A curious case of broken DNS responses (Coloclue Presents - Nov 2019) by
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)A curious case of broken DNS responses (Coloclue Presents - Nov 2019)
A curious case of broken DNS responses (Coloclue Presents - Nov 2019)Babak Farrokhi
117 views26 slides
Building an Automated Behavioral Malware Analysis Environment using Free and ... by
Building an Automated Behavioral Malware Analysis Environment using Free and ...Building an Automated Behavioral Malware Analysis Environment using Free and ...
Building an Automated Behavioral Malware Analysis Environment using Free and ...Jim Clausing
599 views46 slides
2 netcat enum-pub by
2 netcat enum-pub2 netcat enum-pub
2 netcat enum-pubCassio Ramos
4K views28 slides
3 scanning-ger paoctes-pub by
3 scanning-ger paoctes-pub3 scanning-ger paoctes-pub
3 scanning-ger paoctes-pubCassio Ramos
3K views13 slides
Humantalk Angers 14 Mars by
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 MarsRémi Dubois
350 views13 slides
tit by
tittit
titChristian Heinrich
1.9K views21 slides

More Related Content

What's hot

skipfish by
skipfishskipfish
skipfishChristian Heinrich
4.3K views36 slides
How to send DNS over anything encrypted by
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encryptedMen and Mice
5.5K views45 slides
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS by
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSMen and Mice
3.5K views63 slides
Network commands by
Network commandsNetwork commands
Network commandsDr. Mahadev Gawas
342 views9 slides
DNSSEC signing Tutorial by
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial Men and Mice
5.5K views52 slides
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve... by
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
111 views99 slides

What's hot(20)

skipfish by Christian Heinrich
skipfishskipfish
skipfish
Christian Heinrich4.3K views
How to send DNS over anything encrypted by Men and Mice
How to send DNS over anything encryptedHow to send DNS over anything encrypted
How to send DNS over anything encrypted
Men and Mice5.5K views
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS by Men and Mice
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice3.5K views
Network commands by Dr. Mahadev Gawas
Network commandsNetwork commands
Network commands
Dr. Mahadev Gawas342 views
DNSSEC signing Tutorial by Men and Mice
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
Men and Mice5.5K views
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve... by Felipe Prado
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
Felipe Prado111 views
Defcon by OpenDNS
DefconDefcon
Defcon
OpenDNS1.7K views
Linux networking commands by Sayed Ahmed
Linux networking commandsLinux networking commands
Linux networking commands
Sayed Ahmed412 views
New DNS Traffic Analysis Techniques to Identify Global Internet Threats by OpenDNS
New DNS Traffic Analysis Techniques to Identify Global Internet ThreatsNew DNS Traffic Analysis Techniques to Identify Global Internet Threats
New DNS Traffic Analysis Techniques to Identify Global Internet Threats
OpenDNS3.7K views
Namespaces for Local Networks by Men and Mice
Namespaces for Local NetworksNamespaces for Local Networks
Namespaces for Local Networks
Men and Mice1.6K views
Handy Networking Tools and How to Use Them by Sneha Inguva
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use Them
Sneha Inguva213 views
網路偵錯 by atifans
網路偵錯網路偵錯
網路偵錯
atifans383 views
End-to-End Analysis of a Domain Generating Algorithm Malware Family by CrowdStrike
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
CrowdStrike9K views
DNS High-Availability Tools - Open-Source Load Balancing Solutions by Men and Mice
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice4.7K views
Hacking the swisscom modem by Cyber Security Alliance
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
Cyber Security Alliance17.4K views
SMTP STS (Strict Transport Security) vs. SMTP with DANE by Men and Mice
SMTP STS (Strict Transport Security) vs. SMTP with DANESMTP STS (Strict Transport Security) vs. SMTP with DANE
SMTP STS (Strict Transport Security) vs. SMTP with DANE
Men and Mice3.2K views
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP... by APNIC
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
Passive DNS Collection -- the 'dnstap' approach, by Paul Vixie [APNIC 38 / AP...
APNIC1.6K views
The DNSSEC KSK of the root rolls by Men and Mice
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
Men and Mice987 views
Hiding in plain sight by Rob Gillen
Hiding in plain sightHiding in plain sight
Hiding in plain sight
Rob Gillen1.3K views
Encrypted DNS - DNS over TLS / DNS over HTTPS by Alex Mayrhofer
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer903 views

Similar to A curious case of broken dns responses - RIPE75

Encrypted DNS research @ nic.at by
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.atAlex Mayrhofer
96 views27 slides
DNS Survival Guide. by
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.Qrator Labs
102 views53 slides
DNS Survival Guide by
DNS Survival GuideDNS Survival Guide
DNS Survival GuideAPNIC
403 views53 slides
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38] by
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]APNIC
3.2K views38 slides
Dns protocol design attacks and security by
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
3.7K views49 slides
dns.workshop.hsgr by
dns.workshop.hsgrdns.workshop.hsgr
dns.workshop.hsgrebalaskas
2.7K views42 slides

Similar to A curious case of broken dns responses - RIPE75(20)

Encrypted DNS research @ nic.at by Alex Mayrhofer
Encrypted DNS research @ nic.atEncrypted DNS research @ nic.at
Encrypted DNS research @ nic.at
Alex Mayrhofer96 views
DNS Survival Guide. by Qrator Labs
DNS Survival Guide.DNS Survival Guide.
DNS Survival Guide.
Qrator Labs102 views
DNS Survival Guide by APNIC
DNS Survival GuideDNS Survival Guide
DNS Survival Guide
APNIC403 views
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38] by APNIC
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC3.2K views
Dns protocol design attacks and security by Michael Earls
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
Michael Earls3.7K views
dns.workshop.hsgr by ebalaskas
dns.workshop.hsgrdns.workshop.hsgr
dns.workshop.hsgr
ebalaskas2.7K views
Building OpenDNS Stats by George Ang
Building OpenDNS StatsBuilding OpenDNS Stats
Building OpenDNS Stats
George Ang785 views
6 app-tcp by Olivier Bonaventure
6 app-tcp6 app-tcp
6 app-tcp
Olivier Bonaventure3K views
Resolution for a Faster Site by Ido Safruti
Resolution for a Faster SiteResolution for a Faster Site
Resolution for a Faster Site
Ido Safruti893 views
Penetration Testing Boot CAMP by Shaikh Jamal Uddin l CISM, QRadar, Hack Card Recovery Expert
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
Shaikh Jamal Uddin l CISM, QRadar, Hack Card Recovery Expert1.1K views
Short Introduction to IPv6 by Martin Schütte
Short Introduction to IPv6Short Introduction to IPv6
Short Introduction to IPv6
Martin Schütte1.9K views
Servers and Processes: Behavior and Analysis by dreamwidth
Servers and Processes: Behavior and AnalysisServers and Processes: Behavior and Analysis
Servers and Processes: Behavior and Analysis
dreamwidth525 views
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown! by EC-Council
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
EC-Council663 views
What Goes In Must Come Out: Egress-Assess and Data Exfiltration by CTruncer
What Goes In Must Come Out: Egress-Assess and Data ExfiltrationWhat Goes In Must Come Out: Egress-Assess and Data Exfiltration
What Goes In Must Come Out: Egress-Assess and Data Exfiltration
CTruncer4.5K views
Network State Awareness & Troubleshooting by APNIC
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
APNIC988 views
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018 by Seunghyun Lee
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
Pinot: Realtime OLAP for 530 Million Users - Sigmod 2018
Seunghyun Lee3.1K views
Eme diagnostic by Wei Cheng Lok
Eme diagnosticEme diagnostic
Eme diagnostic
Wei Cheng Lok583 views
Designing High Performance RTC Signaling Servers by Daniel-Constantin Mierla
Designing High Performance RTC Signaling ServersDesigning High Performance RTC Signaling Servers
Designing High Performance RTC Signaling Servers
Daniel-Constantin Mierla542 views
Debugging Ruby Systems by Engine Yard
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
Engine Yard4.3K views
Hotsos Advanced Linux Tools by Kellyn Pot'Vin-Gorman
Hotsos Advanced Linux ToolsHotsos Advanced Linux Tools
Hotsos Advanced Linux Tools
Kellyn Pot'Vin-Gorman800 views

Recently uploaded

ATPMOUSE_융합2조.pptx by
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptxkts120898
35 views70 slides
IETF 118: Starlink Protocol Performance by
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceAPNIC
414 views22 slides
Building trust in our information ecosystem: who do we trust in an emergency by
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergencyTina Purnat
110 views18 slides
The Dark Web : Hidden Services by
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden ServicesAnshu Singh
14 views24 slides
hamro digital logics.pptx by
hamro digital logics.pptxhamro digital logics.pptx
hamro digital logics.pptxtupeshghimire
10 views36 slides
How to think like a threat actor for Kubernetes.pptx by
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptxLibbySchulze1
5 views33 slides

Recently uploaded(9)

ATPMOUSE_융합2조.pptx by kts120898
ATPMOUSE_융합2조.pptxATPMOUSE_융합2조.pptx
ATPMOUSE_융합2조.pptx
kts12089835 views
IETF 118: Starlink Protocol Performance by APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC414 views
Building trust in our information ecosystem: who do we trust in an emergency by Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat110 views
The Dark Web : Hidden Services by Anshu Singh
The Dark Web : Hidden ServicesThe Dark Web : Hidden Services
The Dark Web : Hidden Services
Anshu Singh14 views
hamro digital logics.pptx by tupeshghimire
hamro digital logics.pptxhamro digital logics.pptx
hamro digital logics.pptx
tupeshghimire10 views
How to think like a threat actor for Kubernetes.pptx by LibbySchulze1
How to think like a threat actor for Kubernetes.pptxHow to think like a threat actor for Kubernetes.pptx
How to think like a threat actor for Kubernetes.pptx
LibbySchulze15 views
information by khelgishekhar
informationinformation
information
khelgishekhar10 views
Marketing and Community Building in Web3 by Federico Ast
Marketing and Community Building in Web3Marketing and Community Building in Web3
Marketing and Community Building in Web3
Federico Ast14 views
Affiliate Marketing by Navin Dhanuka
Affiliate MarketingAffiliate Marketing
Affiliate Marketing
Navin Dhanuka17 views

A curious case of broken dns responses - RIPE75

  • 1. A curious case of broken DNS responses Babak Farrokhi RIPE 75
  • 2. About me ● Unix SA (FreeBSD, Solaris, Linux) since 1996 ● IP Networking since 1997 ● FreeBSD Ports Team since 2004 ● Enthusiastic coder @farrokhi
  • 3. Prologue ● When it comes to network, I always have trust issues ● Most people ignore those strange network behaviors ● Only a few people take the red pill and go down the rabbit hole...
  • 4. Observation ● Outgoing SMTP fails due to MX lookup failures ○ only certain domains (e.g. twitter.com) ● Local resolver returns “incorrect” response ● Public Resolver (e.g. Google) also returned incorrect response ● I needed to look deeper into this
  • 5. Down the rabbit hole...
  • 6. Strange responses from public resolvers This is not what I expected to get from a public resolver: % dig +short -t A twitter.com @8.8.8.8 10.10.34.34 % dig +short -t A ripe.net @8.8.8.8 193.0.6.139 % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
  • 7. Need to take a closer look Not obvious at first glance, but time delta is strange... % tcpdump -ttt -c2 -nqr ripe.pcap reading from PCAP-NG file ripe.pcap 00:00:00.000000 IP 192.168.0.132.53425 > 8.8.8.8.53: UDP, length 27 00:00:00.138933 IP 8.8.8.8.53 > 192.168.0.132.53425: UDP, length 75 % tcpdump -ttt -c2 -nqr twitter.pcap reading from PCAP-NG file twitter.pcap 00:00:00.000000 IP 192.168.0.132.58418 > 8.8.8.8.53: UDP, length 29 00:00:00.028077 IP 8.8.8.8.53 > 192.168.0.132.58418: UDP, length 45
  • 8. dnsping - A new tool is born ● Started as a humble Python script to solve my own problem ● Not intended to re-invent the wheel ● Similar user experience as the legacy PING % ./dnsping.py -s 8.8.8.8 -c3 ripe.net dnsping.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 32 bytes from 8.8.8.8: seq=0 time=200.371 ms 32 bytes from 8.8.8.8: seq=1 time=217.320 ms 32 bytes from 8.8.8.8: seq=2 time=236.644 ms --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=200.371 ms, avg=218.112 ms, max=236.644 ms, stddev=18.149 ms
  • 9. ICMP vs DNS Response Times % ping -q -c10 8.8.8.8 PING 8.8.8.8 (8.8.8.8): 56 data bytes --- 8.8.8.8 ping statistics --- 10 packets transmitted, 10 packets received, 0.0% packet loss round-trip min/avg/max/stddev = 124.237/155.044/227.499/31.464 ms % ./dnsping.py -q -s 8.8.8.8 -c3 twitter.com dnsping.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A --- 8.8.8.8 dnsping statistics --- 3 requests transmitted, 3 responses received, 0% lost min=12.934 ms, avg=21.355 ms, max=29.425 ms, stddev=8.251 ms
  • 10. First anomaly ● Different domain names being treated differently ● A rogue name server impersonating as Google Resolver ● The rogue name server is close to me (given response times) ● Where is it? And how can I find out?
  • 11. dnstraceroute: Traceroute tool for DNS protocol ● Similar to legacy traceroute, but for DNS protocol ● Send out actual DNS queries and expect a response ● Using TTL trick to map the journey ● Could not use legacy traceroute with UDP probes ○ The traffic redirection is based on DNS “payload”
  • 12. Real vs Rogue DNS Servers % ./dnstraceroute.py -s 8.8.8.8 ripe.net dnstraceroute.py DNS: 8.8.8.8:53, hostname: ripe.net, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.912 ms 2 * 3 192.168.10.105 (192.168.10.105) 15.792 ms 4 172.17.2.1 (172.17.2.1) 17.063 ms 5 172.17.2.9 (172.17.2.9) 11.245 ms 6 172.19.18.5 (172.19.18.5) 24.862 ms 7 172.19.17.2 (172.19.17.2) 18.972 ms 8 10.201.177.41 (10.201.177.41) 13.261 ms 9 10.10.53.190 (10.10.53.190) 14.240 ms 10 185.100.209.117 (185.100.209.117) 176.592 ms 11 * 12 de-cix.fra.google.com (80.81.192.108) 152.757 ms 13 108.170.251.193 (108.170.251.193) 90.347 ms 14 google-public-dns-a.google.com (8.8.8.8) 185.401 ms % ./dnstraceroute.py -s 8.8.8.8 twitter.com dnstraceroute.py DNS: 8.8.8.8:53, hostname: twitter.com, rdatatype: A 1 192.168.0.1 (192.168.0.1) 3.160 ms 2 * 3 192.168.10.105 (192.168.10.105) 5.985 ms 4 172.17.2.1 (172.17.2.1) 8.535 ms 5 172.17.2.9 (172.17.2.9) 20.617 ms 6 172.19.18.5 (172.19.18.5) 7.823 ms 7 * 8 * 9 google-public-dns-a.google.com (8.8.8.8) 19.557 ms
  • 13. Back to the case of broken MX ● Rogue nameserver also returns “broken” responses ● Only to certain type of queries (e.g. MX) % dig -t MX twitter.com @8.8.8.8 ;; Got bad packet: bad label type 45 bytes 40 10 81 80 00 01 00 01 00 00 00 00 07 74 77 69 @............twi 74 74 65 72 03 63 6f 6d 00 00 0c 00 01 c0 0c 00 tter.com........ 0c 00 01 00 00 03 79 00 03 41 41 41 00 ......y..AAA.
  • 14. Looking at packets again... ● Response to MX request is malformed ○ Server responded with PTR response ○ RDLENGTH is 3 but RDATA field contains 4 bytes ■ Additional byte was always NULL ■ Seems like a bug in code ● Queried top 10,000 domain names [1], received 139 broken responses [2]
  • 15. Uncovering the rouge resolver address ● Query TXT record from maxmind.test-ipv6.com ● It tells you the public address of your resolver ○ The address should belong to Google (AS15169) ○ Anything else means MITM ● Using RIPE Atlas to see if this is a regular practice % dig +short -t TXT maxmind.test-ipv6.com @8.8.4.4 "ip='74.125.74.14' as='15169' isp='Google' country='FI'"
  • 16. Is it just me? Let's ask RIPE Atlas ● 500 Probes worldwide - 484 Replied (DNS/UDP/IPv4) ○ 475 Good (Req. from Google address space) ~98% ○ 9 Bad (Req. from non-Google address space) ~2% ● Same 500 probes - 484 Replied (DNS/TCP/IPv4) ○ 479 Good ~99% ○ 5 Bad ~1%
  • 17. The logic behind DNS traffic redirection
  • 18. What is the motivation? There are mainly two reasons: 1. Privacy protection (The Good) ○ Prevent sending request to use have your end-point IP address as its source address ○ Filter out malwares looking for their C&C 2. DNS based service redirection (The Evil) ○ Restrict your access ○ Redirect your traffic
  • 19. Countermeasures ● Force local resolver to use TCP ● DNSCrypt (dnscrypt.org) ○ OpenDNS supports it, desktop clients available ● DNS over TLS/DTLS (RFC 7858 and 8094) ○ DNS Privacy Project (dnsprivacy.org) offers tutorials, tools, recommendations and test servers ● DNSSEC ○ From top 100 domain names only 2 of them are signed [3] ○ What if the rogue nameserver does not validate DNSSEC?
  • 20. Final words ● Don’t trust a public DNS resolver, use your own ○ There ain't no such thing as a free lunch (TANSTAAFL) ○ Stub resolvers are easy to setup and use (e.g. Stubby) ● Don’t trust your upstream, encrypt as much as possible ○ DNS contains important information ○ As per RFC7258: “Pervasive Monitoring Is an Attack”
  • 21. Tools of the trade ● dnsping, dnstraceroute and dnseval are part of “dnsdiag toolkit” on GitHub [4] ○ Looking for feedback and ideas from community ● Combining with other tools (e.g. RIPE Atlas) to perform more complex behavior analysis ● Suggestion: dnstraceroute in RIPE Atlas probes?
  • 23. Resources [1] https://github.com/opendns/public-domain-lists [2] https://gist.github.com/farrokhi/0b56ae06813391be9164 [3] https://gist.github.com/farrokhi/1d9de9df5877aaf9c42fc14412a4b0f8 [4] https://github.com/farrokhi/dnsdiag Also my articles on RIPE Labs discussion the same issue: ● https://labs.ripe.net/Members/babak_farrokhi