comp.org.uk

Networking | Programming | Security | Linux | Computer Science | About

DNS Attacks

The Domain Name System (DNS) is a general-purpose service used both on the Internet and on organizations’ internal networks. DNS servers translate fully qualified domain names (FQDNs) to IP addresses that identify the host computer.

For example, to connect to Web sites, users need access to an authoritative DNS server for the system domain they are trying to reach. If a user enters the FQDN www.comp.org.uk, the authoritative DNS server for comp.org.uk needs to respond with the correct IP addresses for the computer whose hostname is www.

In terms of network security, DNS is important because it gives network administrators another tool for blocking unwanted communication. With firewalls, Web browsers, and proxy servers, administrators can block DNS names of Web sites and other sites that contain offensive or unsuitable content. Proxy servers are devices that protect internal clients through the use of network address translation. In addition, networks that use DNS servers need to allow DNS traffic when packet filtering is set up.

DNS Attacks

Attackers can exploit DNS in many ways, including buffer overflow attacks, zone transfer attacks, and cache poisoning attacks.

DNS Buffer Overflow Attack

In a DNS buffer overflow attack, an overly long DNS name is sent to the server. When the server is unable to process or interpret the DNS name, it cannot process other requests.

Zone Transfer Attacks

DNS zone files contain a list of every DNS-configured host on a network as well as their IP addresses. Microsoft DNS-enabled networks also list all services running on DNS- configured hosts. When an attacker attempts to penetrate a network, the DNS zone file can provide a list of exploitable targets on that network. When configuring DNS servers connected to the Internet, you should disable zone transfers to all hosts except those that are internal to the network. Internal hosts must be able to transfer zone information to update their records.

DNS Cache Posioning Attack

A DNS cache poisoning attack exploits the fact that every DNS packet contains a Query section and a Reply section. An older, more vulnerable server has stored answers sent in response to requests to connect to DNS addresses. Attackers can break into the cache to dis- cover the DNS addresses of computers on the network. Most DNS servers, however, have been patched to eliminate this vulnerability.

A newer DNS cache poisoning exploit was discovered by Dan Kaminsky in 2008. This exploit involves the spoofing of transaction IDs, which are supposed to prevent hackers from assigning their own IP addresses to a domain. DNS uses transaction IDs in the range of 0 to 65535. If a hacker sends multiple, slightly varied requests to a name server (such as requests to resolve 1.test.com, 2.test.com, and so on), eventually the domain can be spoofed by matching the ID. Once the attacker correctly matches the transaction ID, he can direct all traffic for that site to a site of his choosing. An attacker can also pollute top-level domains using this vulnerability. Prior to releasing details of the exploit, Kaminsky notified vendors and allowed them time to develop a patch that focused on randomizing port numbers.

DNSSEC

Originally, the DNS infrastructure did not have optimum security. In 2005, the first implementations of DNSSEC (DNS Security) were rolled out in Sweden in the .se domain. DNSSEC uses cryptographic techniques to enable authentication and data integrity of DNS packets, eliminating vulnerabilities that allow exploitations such as cache poisoning.

Unfortunately, DNSSEC is still not widely used, partly because an enormous amount of work is required to revise existing DNS implementations and to establish the complex cryptographic infrastructure.


Published on Wed 03 December 2014 by Mal Torrance in Security with tag(s): DNS