PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński

1 | © 2015 All Rights Reserved.
DNS - Co nowego w świecie DNS-o-zaurów?
Adam Obszyński
CCIE, CISSP

Agent’a
W poprzednich odcinkach.
Czyli jak to dawniej bywało.
Sekcja „Q”.
Czy będą jakieś nowe zabawki lub ciasteczka?
Licencja na zabijanie.
Nowożytne bakterie i wirusy.
Jej wysokość popularność.
Nowe domeny i ciekawe kolizje.

Agent’a
Sekcja KJU aka „Q”.

History – a very short one
• 1971 - /etc/hosts & FTP…
• 1983 – DNS has been introduced
• 1996 – DNS NOTIFY & IXFR – The Second Generation
• 1997 - Dynamic Updates in the DNS – 3rd Generation
• Google.com registered!
• Then DNSSEC era begins…

Agent’a
Sekcja „Q”.

Cookies
http://crafty-christie.blogspot.com/2009/03/james-bond-cookies.html

DNS Cookies
https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-00 od Listopad 2006

DNS Cookies
• Provides weak authentication of queries and responses. Weak brother
of TSIG.
• No protection against “in-line” attackers. No protection against anyone
who can see the plain text queries and responses.
• Requires no setup or configuration, just protocol behavior.
• Intended to great reduce
̶ Forged source IP address traffic amplification DOS attacks.
̶ Forged source IP address recursive server work load DOS attacks.
̶ Forged source IP address reply cache poisoning attacks.

DNS COOKIE Option
• A new Option to the OPT-RR
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| OPTION-CODE TBD | OPTION-LENGTH = 18 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Resolver Cookie upper half |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Resolver Cookie lower half |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Server Cookie upper half |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Server Cookie lower half |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Error Code |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Resolver & Server views
Resolver:
̶ Resolver puts a COOKIE in queries with
- A Resolver Cookie that varies with server
– Truncated HMAC(server-IP-address, resolver secret)
- The resolver cached Server Cookie for that Cookie if it has one
̶ Resolver ignores all replies that do not have the correct Resolver Cookie
̶ Caches new Server Cookie and retries query if it gets a Bad Cookie error
with a correct Resolver Cookie
Server:
̶ Server puts a COOKIE in replies with
- A Server Cookie that varies with resolver
– Truncated HMAC(resolver-IP-address, server secret)
- The Resolver Cookie if there was one in the corresponding query

Example
Resolver Server
Query: RC:123, SC:???,E:0
ErrReply: RC:123, SC:789, E:BadC
Query: RC:123, SC:789,E:0
AnsReply: RC:123, SC:789,E:0
SC:789
RC:123
RC:123
ForgedReply: RC:???, SC:???,E:0
ForgedQuery: RC:XYZ, SC:???,E:0
ErrReply: RC:XYZ, SC:789, E:BadC RC:XYZ

DNSSEC & DANE::SMIME
https://tools.ietf.org/html/draft-ietf-dane-smime-07
Given that the DNS administrator for a domain name is authorized to give
identifying information about the zone, it makes sense to allow that administrator
to also make an authoritative binding between email messages purporting to
come from the domain name and a certificate that might be used by someone
authorized to send mail from those servers. The easiest way to do this is to use
the DNS.
The SMIMEA DNS resource record (RR) is used to associate an end entity
certificate or public key with the associated email address, thus forming a
"SMIMEA certificate association".

ICANN 51

Testy:
DANE / TLS:
https://www.had-pilot.com/dane/danelaw.html
SMIME & DANE:
https://dane.sys4.de/smtp/mail.unitybox.de

Agent’a

Evolution of DNS DDoS Attacks
• DNS based DDoS attacks are constantly evolving
• Get registrar
account access
• Change NS + add
nice TTL ;-)
• “Phantom”
domains don’t
respond
• Servers keeps
waiting
• Misbehaving domains
lock-up DNS resolvers
with open connections
• Resource exhaustion
• Botnets launch
attacks on one
specific target
• Target domain
DDoS’d, resolver
resources
exhausted
• Uses randomly
generated strings
• Exhausts limit on
outstanding DNS
queries
Registrar / NIC
Phantom Domain
Random Sub-
domain / NXD
CPE Botnet
Based
Domain Lock-up

.MYNIC Registrar case
By Hasnul Hasan
ICANN 49
+
MonitorYOUR
delegations
….
fromoutside;-)

Basic NXDOMAIN Attack
• The attacker sends a flood of queries to
a DNS server to resolve a non-existent
domain/domain name.
• The recursive server tries to locate this
non-existing domain by carrying out
multiple domain name queries but does
not find it.
• In the process, its cache is filled up with
NXDOMAIN results.
Impact:
• Slower DNS server response time for
legitimate requests
• DNS server also spends valuable
resources as it keeps trying to repeat
the recursive query to get a resolution
result.

Random Subdomain Attack (Slow Drip)
• Infected clients create queries by
prepending randomly generated
subdomain strings to the victim’s
domain. E.g. xyz4433.plnog.pl
• Each client may only send a
small volume of these queries to
the DNS recursive server1
• Harder to detect
• Multiple of these infected clients
send such requests
Impact
• Responses may never come
back from these non-existing
subdomains2
• DNS recursive server waits for
responses, outstanding query
limit exhausted
• Target domain’s auth server
experiences DDoS
How the attack works
Victim Domain
e.g. plnog.pl
Bot/bad clients
Queries with random
strings prefixed to victim's
domain
e.g. xyz4433.plnog.pl
Flood of queries
for non-existent
subdomains
DNS recursive
Servers (ISP)
DDoS on
target victim
Resource
exhaustion
on recursive
servers

Domain Lock-up Attack
• Resolvers and domains are setup by attackers to establish TCP-based
connections with DNS resolvers
• When DNS resolver requests a response, these domains send “junk”
or random packets to keep them engaged
• They also are deliberately slow to respond to requests keeping the
resolvers engaged. This effectively locks up the DNS server resources.
Impact
• DNS resolver establishing these connections with the misbehaving
domains exhausts its resources

Botnet Based Attacks from CPE Devices
• Random Subdomain attacks that use botnets to target all traffic to
one site or domain
• Attack involves compromised devices like CPE switches, routers
• Supplied by ISPs
• Supplied by Customer
• These malware infected CPE devices form botnet to send multiple
DDoS traffic to say xyz123.plnog.pl
Impact
• Victim domain experiences DDoS
• DNS resolver resources exhausted
• When CPE devices are compromised,
many other bad things can happen like
• SSL proxy – login credentials theft etc.
• Launch point for attacks against Customer PCs
and environments, i.e. expanding the compromise

Phantom Domain Attack
• “Phantom” domains are setup as part of
attack
• DNS resolver tries to resolve multiple
domains that are phantom domains
• These phantom domains may not send
responses or they will be slow
Impact
• Server consumes resources while waiting
for responses, eventually leading to
degraded performance or failure
• Too many outstanding queries

Newest Attacks – What You can do?
#1 Upstream delays
• For traffic to “slow” servers and zones (NS)
 Any server that exceeded the limit of responsiveness should
sent fewer queries
#2 Recursive timeout
• Timeout for recursive name lookup should be lowered to free up
DNS resolver resources
• Prevents maxing out on the number of outstanding DNS queries
#3 Dynamic Limiting of Bad Clients
• If a client generates too many costly responses (NXDOMAIN,
NXRRset, ServFail)
 Drop or limit it’s traffic
#4 Block or Blacklist
• You have to wait for user call or observe syslog

Eliminate open resolvers ;-)
https://dnsscan.shadowserver.org/

Eliminate broken software…

SPAM/Attacks with Domains less then 24h old
Henry Stern, Farsight | ICANN50 | London

Agent’a

DNS - Collision with Roaming Leak
Search List or Split Brain DNS + New TLD == Leak Issue
www.firma.exampleInternal DNS,
AD, etc.
New TLDs
!!!
collision
!!!
collision
New & nice Loopback address: 127.0.53.53
Encourages to “look this up”
https://icann.org/namecollision
https://newgtlds.icann.org/newgtlds.csv

Q?

THE END
of
“DNS…”
TOPIC WILL* RETURN IN
PLNOG 2015 KRAKÓW
* - maybe ;-)

PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński

Similar to PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński (20)

Recently uploaded

Recently uploaded (12)

PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński

Editor's Notes