The domain name system

The DNS cryptographic keys are being changed these days. That’s exciting, but I will get back to that in another post!

DNS (Domain name system) servers translate internet domain names into IP addresses. When you would like to visit a webpage, say www.example.com, your computer (the DNS resolver) needs to find out the IP address of this site. It sends a query to the DNS primary server, asking for the IP address. If the primary DNS server doesn’t know the answer, it asks another DNS server such as a root server and if that doesn’t know, it might ask the namespace server. It keeps asking other DNS servers until they get an answer or replies that it wasn’t found. When one DNS server asks another one on behalf of a client, this is called recursion. (Sanders, 2010b, Radware, 2012)

Below I list a few ways of how the DNS can be compromised. Security aspects to consider avoiding these situations are for example:

  • The use of DNSSEC that uses digitally signed DNS records
  • Not use DNS for networks that need high security
  • Use intrusion detections systems such as IDS
  • Hard-code the ARP cache
  • Monitor ARP traffic using security programs
  • Security-systems that detect spoofing and untrusted websites
  • Firewalls that detect tunnelling

(Sanders, 2010a, Sanders, 2010b, McDowell, 2013)

DoS attack – Denial of Service (DNS Amplification Attack or Flood attack)
First, the attacker uses another person’s IP to send the query and ask as the DNS resolver. In other words, the attacker poses as another person. Then the attacker finds an internet domain that has many DNS records. Now, sending a DNS query to get all the IP records of example.com’s DNS records will take some time. Using a couple of machines, the attacker can now send repeated DNS queries to the DNS server, who will send much larger replies as the list of domain names are long. With all of these incoming queries, the victim’s server will need to start re-assembling the packets. The victim’s servers become so busy handling these fake requests that legitimate users will face a denial of service when trying to view the webpage. (Radware, 2012) E-mail accounts can also experience this kind of attack through spamming the account so that legitimate e-mails can’t come through, but this is not DNS-related. (McDowell, 2013)

ddos-attack

DoS attack. Image source (Radware, 2012)

 

Man-in-the-Middle Attacks (MIMT)
This is an advanced eavesdropping that can lead to other attacks. During a MIMT attack, the victim’s computer believes it is communicating directly with the correct other part, but in reality all the information goes through an attacker’s machine.

There are different types of MIMT attacks, and I will list some here:

  • ARP Cache Poisoning or ARP Poison routing:
    Devices using ARP will accept updates at any time and this means that a device can send ARP reply packets to another host and force the other side to update its ARP cache. Sending an ARP reply without a request in the first place, is called a «gratuitous» ARP. Sending a few of these can result in a host thinking they communicate with another true host but is in fact communicating with a middle-man. A common tool for this use is «Cain & Abel» from Oxid.it. This will allow you to get hold of the ARP and manipulate it to your will. Then you are free to eavesdrop on all communication.

 

arp-spoofing

ARP cache poisoning. Image source (Sanders, 2010a)

 

  • DNS spoofing:
    Another man-in-the-middle attack is called DNS spoofing. This is when false DNS information is sent to a host so that when they try to browse to a website, they will receive another website residing at a different IP. In other words, this false site is posing as being the real one. When a victim PC says “where is the access point”, attacker says “that’s me”. In other words, all traffic goes through the attacker. (Sanders, 2010a) If the user logs in with any credentials on this fake site, all of this information will be logged and most likely be misused on the real site quite soon after the user gave the hackers the information. A common tool for this is Ettercap, where you can install various plug-in such as dns_spoof plugin. It can tell to look for DNS queries for example for www.google.com and then supply a false IP address to take the user to where you want.

DNS Tunnelling
Captive portal systems are often used in coffee shops and hotels etc. It will block all external usage of the internet until you have signed up or entered a voucher code. DNS tunnelling often works on these networks – if you do an nslookup on a domain name and you receive a public IP address (as opposed to private addresses such as the ones starting with 192, 172 or 10) then you should be able to use tunnelling. It may also be used to bypass company proxies. (Rekhter et al., 1996) Obviously, the proxies are in place for a reson so bypassing them might break the company’s rules and regulations.

Say that User A is behind a company firewall only allowing traffic through port 53. The max length of a DNS query is 255 characters and 63 characters per label: label3.label2.label1.example. (Mazerik, 2014)  To use tunnelling, you need control of an external DNS server to add records of mapping to it – in this example picture, the Iodine server. At User A’s machine there needs to be a tunnelling client and once the connection is setup, a proxy can be used for uninterrupted connection. However, it will be slow speed as DNS traffic has limited bandwidth and is only meant to be able to pass small data packets like requests and replies. DNS Tunnelling tools include Dns2tcp, Iodine, DNSCat and DNScapy. (Mazerik, 2014, Gohr, 2008)

 

tunnellinh

Example of DNS tunnelling setup. Image source (Mazerik, 2014)

Conclusion:

Dns interception seems to be widely available if one knows where to look. There are ways to protect oneself against it but there are many aspects and directions to consider. Cyber security becomes more and more important and this goes to show why – as more banks, booking services and other sensitive sites are online, the more we need to consider our own and our customer’s data.

 

 

Bibliography

Gohr, A. (2008) DNS Tunneling made easy [splitbrain.org] [Online] Available from: http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple (Accessed: 01.09.2016).

Mazerik, R. (2014) DNS Tunnelling – InfoSec Resources [Online] Available from: http://resources.infosecinstitute.com/dns-tunnelling/ (Accessed: 01.95.2016).

McDowell, M. (2013) Security Tip (ST04-015) Understanding Denial-of-Service Attacks [Online] United states computer emergency readiness team. Available from: https://www.us-cert.gov/ncas/tips/ST04-015 (Accessed: 01.09.2016).

Radware. (2012) DNS Amplification Attack [Video] Available from: https://www.youtube.com/watch?v=xTKjHWkDwP0 (Accessed: 01.09.2016).

Rekhter, Y., Moskowitx, B., Karrenberg, D., de Groot, G. J. and Lear, E. (1996) ‘Request for Comments: 1918, Address Allocation for Private Internets’

Sanders, C. (2010a) Understanding Man-in-the-Middle Attacks – ARP Cache Poisoning (Part 1) [Online] Available from: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part1.html (Accessed: 01.09.2016).

Sanders, C. (2010b) Understanding Man-In-The-Middle Attacks – Part2: DNS Spoofing [Online] Available from: http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Understanding-Man-in-the-Middle-Attacks-ARP-Part2.html (Accessed: 01.09.2016).

Image source: Succo, Pixelbay, CC public domain licence. https://pixabay.com/en/stature-pc-access-locked-data-fig-935628/