DNS Common Abuses
Written by Luminaire
Thursday, 24 February 2005

http://www.linuxexposed.com/Articles/Security/DNS-Common-Abuses-4.html

DNS, the Domain Name System, is one of the core protocols of the internet.
Without it we would all be stuck remembering the numeric addresses of our
favorite web and mail servers. Yet for all its importance, DNS stays out of
sight of the majority of internet users.

DNS's predecessor, HOSTS.TXT, survives in almost every modern operating
system as the local hosts file, though it now holds a handful of local
entries rather than the whole directory. Originally, when the internet
consisted of only a few hundred networks, there was one central file,
HOSTS.TXT, that listed the names and addresses of every host on the fledgling
internet. When new networks or hosts were connected, their names and addresses
were added to the file, and every site periodically downloaded the updated
copy so that it could reach the newcomers. This soon proved inadequate as the
internet grew faster and faster: the file grew with it, the download traffic
grew with it, and every change had to pass through a single maintainer. A new
solution was needed, and that solution was DNS.

The Domain Name System is a distributed database whose lookups start from a
small set of root servers. Each domain, or zone, has its own authoritative
servers, and each host on a network is configured to send its queries to a
local name server. When a host tries to resolve a name, that is, to find the
address behind it, the local name server tracks the information down by
working from the root towards the target: the root servers refer it to the
servers for the top-level domain, those refer it to the servers for the domain
itself, and those hold the answer. If the local server already knows, from its
cache, of servers closer to the target, it starts there instead of at the
root. The beauty of this system is that the load is spread out. There are
thirteen root server addresses (named A through M), and every top-level
domain, such as .ca, has its own set of authoritative servers. This gives DNS
two main advantages over HOSTS.TXT. First, the load of answering queries is
spread across the many authoritative name servers, the servers responsible
for each domain. Second, updates to a domain need only be made on the name
server authoritative for that domain. At a glance DNS seems the perfect
solution; as usual, this is not the case.

General Exploits and Use

-Query/response and recursion
DNS is a query/response protocol, carried almost always over UDP port 53
(TCP is used for zone transfers and for answers too large for UDP). A zone
has one primary (master) server and usually several secondaries (slaves)
that copy the zone from it. A server answering non-recursively returns either
the answer, if it is authoritative for the name, or a referral: the list of
name servers one step closer to the target. There is, however, another mode a
server can operate in, which is to permit recursive lookups. A client sets
the RD (recursion desired) flag in its query, and a server that allows
recursion follows the chain of referrals from the root down until it holds
the target's address, caches it, and returns it to the client. As you can
imagine this is far more resource intensive, and it gives the server a cache
that can be poisoned (see below), so it is best practice to answer recursive
queries only for your own internal hosts and to run the authoritative servers
for your zones with recursion disabled.
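An added example, not from the original article, that shows the mechanics above at the wire level: it builds the query a client sends, with and without the RD (recursion desired) flag, and classifies a response header as an answer or a referral. The two sample response headers are constructed here for illustration and are not captures; the field layout follows RFC 1035.

```python
import struct

# Header flag bits, RFC 1035 section 4.1.1 (16-bit flags field).
QR = 1 << 15   # message is a response
AA = 1 << 10   # authoritative answer
RD = 1 << 8    # recursion desired: the client asks the server to chase referrals
RA = 1 << 7    # recursion available: the server is willing to do so

def encode_name(name):
    """Wire-encode a hostname as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name, recursive=True, qtype=1):
    """Build a query message for `name` (qtype 1 = A, class 1 = IN).
    recursive=False clears RD, which is what a resolver walking the tree
    itself sends to root, TLD and authoritative servers."""
    flags = RD if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte header into the fields that matter for this discussion."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "txid": txid,
        "response": bool(flags & QR),
        "authoritative": bool(flags & AA),
        "recursion_desired": bool(flags & RD),
        "recursion_available": bool(flags & RA),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def classify_response(msg):
    """Tell an answer from a referral: a non-recursive server that is not
    authoritative for the name returns no answer records, only NS records
    (and usually their addresses) for the servers one step closer."""
    h = parse_header(msg)
    if not h["response"]:
        return "not-a-response"
    if h["rcode"] != 0:
        return "error"
    if h["ancount"] > 0:
        return "answer"
    if h["nscount"] > 0:
        return "referral"
    return "empty"

# Constructed sample headers (12 bytes each; question and record sections omitted).
# What an authoritative-only server returns when asked for a name outside its zones:
# RD echoed back, RA clear, no answers, two NS records plus their two A records.
REFERRAL_FROM_AUTHORITATIVE = struct.pack("!HHHHHH", 0x1234, QR | RD, 1, 0, 2, 2)
# What a recursive resolver returns after chasing the referrals itself: RA set, one answer.
ANSWER_FROM_RECURSIVE = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(q.hex())
    print("RD set:", parse_header(q)["recursion_desired"])
    print(classify_response(REFERRAL_FROM_AUTHORITATIVE), classify_response(ANSWER_FROM_RECURSIVE))
```

Against a real server the same distinction shows up in dig output: `dig +norecurse` sent to an authoritative server for a name it does not hold comes back with an AUTHORITY section and no ANSWER section, and the `ra` flag is missing from the header line.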

-Zone transfers
When attackers set out to penetrate a network, much as when a person explores
a new city, the best tool to have is a map. A DNS zone transfer (AXFR) hands
an attacker exactly that. A zone file lists every host registered in DNS on
the network along with its IP address, and often more: Microsoft's Active
Directory-integrated DNS publishes SRV records (_ldap._tcp, _kerberos._tcp
and so on) that name the hosts offering each service. These records amount
to a list of targets for an intruder. When configuring DNS servers connected
to the internet, disable zone transfers to every host except your slaves,
which must be able to transfer the zone to keep their copies current. This is
done with an access control list (allow-transfer in BIND) containing the IP
addresses of your slave name servers; only the hosts on that list are able to
transfer the zone.

-ICMP unreachable for DNS servers
Although echo is the best known ICMP message, there are several other types,
and one of them can be used against DNS servers. The message in question is
Destination Unreachable (ICMP type 3; for example code 3, port unreachable,
or code 1, host unreachable). A resolver that receives one for the socket it
sent a query from treats that query as failed. It is therefore possible to
disrupt practically all communication on a network by denying access to its
DNS servers: an attacker who can see every DNS lookup on the segment answers
each one with a forged Destination Unreachable, apparently from the DNS
server, and the querying hosts conclude that their name servers are down.
There are not many ways to prevent this attack, but it is easy to react to.
When a large number of Destination Unreachable messages is detected on a
network, steps can be taken to cut off their source, such as disabling the
attacker's switch port. Because the attacker needs to see the queries, these
attacks usually rely on ARP poisoning, so another way to spot them is a
utility such as arpwatch, which reports when the MAC address of the gateway
or of the DNS servers changes. Once again, the attacker can be traced back to
a switch port and that port disabled. There are many other ways to stop such
an attacker, but on enterprise networks the quickest is to find the switch
port and disable it.

-Spoofs and redirects
Spoofing and redirection are a more sophisticated way of tampering with
network traffic. DNS spoofing and redirection go hand in hand, so I will
refer to the attack as DNS spoofing from here on. DNS spoofing occurs when a
host on the network intercepts the DNS requests meant for the server and
answers them itself, returning the IP address of a site of the attacker's
choosing. In essence, a client asking for www.microsoft.com would be handed
the address of www.linux.org, simply because the reply was rewritten on its
way to the client. This attack is usually performed together with an ARP
spoof, which is what puts the attacker in the path of the traffic.

-Cache poisoning
DNS cache poisoning is another sophisticated attack with much the same effect
as spoofing. The end result of cache poisoning, henceforth poisoning, is the
same as that of spoofing, but it is achieved differently. Instead of
intercepting traffic, the attacker gets a forged record into the name
server's cache: the server is made to ask a question (or is caught asking
one) and the attacker supplies the answer. The server caches that answer,
temporarily registering the address for the host, and hands it to every
client that asks for as long as the record's TTL lasts, achieving the result
of DNS spoofing without the mess of an ARP storm. Poisoning has many
implementations. The most basic can be attempted against servers that do not
track the lookup requests they have sent: such servers accept a response they
never asked for, so the attacker simply sends a DNS response containing the
address they want associated with the target hostname. More advanced
implementations forge a response to a request the server really did send,
with the authoritative server's IP as the source address, port 53 as the
source port, and a transaction ID matching the outstanding request (only 16
bits, and easy to guess when the server assigns them predictably). Regardless
of the implementation, the result stays the same.
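The difference between the weak server and the checking server described above, as an added simulation; this is not code from the article or from any real resolver, it only models the acceptance decision. Addresses are constructed from the RFC 5737 documentation ranges, and the hardened resolver's random source is injectable (`rand`) so a run can be reproduced.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    """A DNS response as the resolver sees it: who it claims to come from, which
    of our sockets it arrived on, its transaction ID, and the records it offers."""
    txid: int
    src_ip: str      # should be the server we queried
    src_port: int    # should be 53
    dst_port: int    # the local port our query left from
    qname: str       # the question it claims to answer
    records: dict    # name -> IPv4, answer and additional sections together

def in_bailiwick(name, zone):
    """True if name is at or below zone (www.example.com is under example.com)."""
    return name == zone or name.endswith("." + zone)

class WeakResolver:
    """Keeps no record of what it asked, so any response that arrives, solicited
    or not, with any transaction ID, goes straight into the cache."""
    def __init__(self):
        self.cache = {}
    def send_query(self, qname, server_ip, zone):
        return 1, 1053          # constant txid and source port: trivially predictable
    def receive(self, resp):
        for name, ip in resp.records.items():
            self.cache.setdefault(name, ip)   # first answer wins until it expires
        return True

class HardenedResolver:
    """Matches each response to an outstanding query by (txid, local port), checks
    that it comes from the server asked, from port 53, for the name asked, and
    then keeps only records inside the zone that server is authoritative for."""
    def __init__(self, rand=secrets.randbelow):
        self.cache = {}
        self.pending = {}       # (txid, local_port) -> (qname, server_ip, zone)
        self.rand = rand
    def send_query(self, qname, server_ip, zone):
        txid = self.rand(1 << 16)
        port = 1024 + self.rand(65536 - 1024)
        self.pending[(txid, port)] = (qname, server_ip, zone)
        return txid, port
    def receive(self, resp):
        key = (resp.txid, resp.dst_port)
        if key not in self.pending:
            return False        # nothing outstanding matches: unsolicited, drop it
        qname, server_ip, zone = self.pending[key]
        if (resp.src_ip, resp.src_port, resp.qname) != (server_ip, 53, qname):
            return False        # right id, wrong peer or wrong question: drop it
        del self.pending[key]
        for name, ip in resp.records.items():
            if in_bailiwick(name, zone):      # out-of-zone "extras" are never cached
                self.cache.setdefault(name, ip)
        return True

def run_demo(resolver):
    """The resolver asks example.com's server (192.0.2.53) for www.example.com. An
    attacker who cannot see the query fires a blind forgery before the real answer."""
    txid, port = resolver.send_query("www.example.com", "192.0.2.53", "example.com")
    # Constructed forgery: guesses txid 1 / port 1053 (the weak resolver's constants),
    # spoofs the authoritative server's address, and slips an unrelated name into the
    # additional section hoping it gets cached too.
    forged = Response(1, "192.0.2.53", 53, 1053, "www.example.com",
                      {"www.example.com": "203.0.113.66", "www.bank.example": "203.0.113.66"})
    forged_taken = resolver.receive(forged)
    # Constructed genuine answer, which also happens to carry an out-of-zone record.
    genuine = Response(txid, "192.0.2.53", 53, port, "www.example.com",
                       {"www.example.com": "192.0.2.80", "www.bank.example": "192.0.2.80"})
    genuine_taken = resolver.receive(genuine)
    return forged_taken, genuine_taken, dict(resolver.cache)

if __name__ == "__main__":
    print("weak:    ", run_demo(WeakResolver()))
    print("hardened:", run_demo(HardenedResolver()))
```

The weak resolver ends up serving the attacker's address for www.example.com, and the stray www.bank.example record along with it, until the entries expire. The hardened one drops the forgery because nothing outstanding matches its transaction ID and port, accepts the genuine answer, and still refuses to cache the out-of-zone record. Randomizing the source port as well as the 16-bit ID is what makes blind guessing impractical; the ID alone offers only 65536 possibilities.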

Defense Against the Dark Arts

-Updating and patching
The same litany heard everywhere, of course: software bugs are never totally
eradicated at release, so it is crucial to run the most recent version of
your DNS server software and to apply all security patches. Many critical
flaws in DNS servers such as BIND are easily avoided if the server is patched
promptly.

-ACLs
DNS ACLs combined with DNS views are a strong defense against intruders
mapping your network. An ACL, or access control list, is a list of addresses
(of name servers, or of clients) that are permitted to carry out a particular
action; it can equally hold the address ranges of all your internal clients.
In the first use, the server holds an ACL naming all of your own name
servers, master and slaves alike. When a zone transfer request arrives, the
server compares the requester's IP address against the ACL: if it is listed,
the zone is transferred; otherwise the request is refused.

With DNS views, one ACL is created containing the valid IP ranges of all
internal hosts and a second that matches every other host on the internet.
Each group is served a different copy of the zone. External hosts querying
the name server see only the hosts the network administrator has deemed
publicly accessible; hosts matching the internal list can resolve every host
in the zone.
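An added example (mine, not the article's and not BIND's own code) that ties the ACL, zone transfer and view discussions together: it reproduces the first-match semantics of a BIND-style ACL list, including negated entries and nested ACL names, and uses it for the allow-transfer, allow-recursion and view-selection decisions. The address plan, ACL names and zone contents are constructed for illustration; the named.conf fragments in the comments show the directives each function stands in for.

```python
import ipaddress

# Constructed address plan (RFC 5737 documentation ranges plus private space).
# In named.conf terms:
#   acl "slaves"   { 192.0.2.10; 192.0.2.11; };
#   acl "internal" { !192.168.100.0/24; 192.168.0.0/16; 10.0.0.0/8; };   # guest VLAN carved out
ACLS = {
    "slaves":   ["192.0.2.10", "192.0.2.11"],
    "internal": ["!192.168.100.0/24", "192.168.0.0/16", "10.0.0.0/8"],
    "any":      ["0.0.0.0/0", "::/0"],
    "none":     ["!0.0.0.0/0", "!::/0"],
}

def expand(acl, acls):
    """Splice named ACLs in place so one ordered list remains. Negating a whole
    named ACL (e.g. "!slaves") is deliberately left out of this example."""
    out = []
    for entry in acl:
        if entry in acls:
            out.extend(expand(acls[entry], acls))
        elif entry.startswith("!") and entry[1:] in acls:
            raise ValueError("negated ACL names are not handled here: " + entry)
        else:
            out.append(entry)
    return out

def acl_match(client_ip, acl, acls=ACLS):
    """First match wins, as in BIND: walk the list in order and let the first
    element that contains the client decide. A negated element denies, and a
    client that matches nothing is denied too, so order matters: exclusions
    must come before the broader range they carve out of."""
    ip = ipaddress.ip_address(client_ip)
    for entry in expand(acl, acls):
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip.version == net.version and ip in net:
            return not negated
    return False

def allow_transfer(client_ip):
    """allow-transfer { slaves; };  only your own secondaries may pull the zone."""
    return acl_match(client_ip, ["slaves"])

def allow_recursion(client_ip):
    """allow-recursion { internal; };  only your own clients get recursive service."""
    return acl_match(client_ip, ["internal"])

# Two copies of the same zone. The external view lists only the public hosts.
ZONE_INTERNAL = {"www": "192.0.2.80", "mail": "192.0.2.25",
                 "fileserver": "10.0.1.20", "hr-db": "10.0.1.30"}
ZONE_EXTERNAL = {"www": "192.0.2.80", "mail": "192.0.2.25"}

VIEWS = [  # tried in order; the first view whose match-clients fits serves the client
    ("internal", ["internal"], ZONE_INTERNAL),   # view "internal" { match-clients { internal; }; ... };
    ("external", ["any"],      ZONE_EXTERNAL),   # view "external" { match-clients { any; }; ... };
]

def select_view(client_ip):
    """Return (view name, zone copy) for the client, or (None, {}) if no view matches."""
    for name, acl, zone in VIEWS:
        if acl_match(client_ip, acl):
            return name, zone
    return None, {}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.12", "10.0.1.5", "192.168.100.7", "203.0.113.9"):
        print(ip, "transfer" if allow_transfer(ip) else "-",
              "recursion" if allow_recursion(ip) else "-", select_view(ip)[0])
```

Note the guest VLAN case: 192.168.100.7 falls inside 192.168.0.0/16, yet it is denied recursion and served the external view because the negated /24 appears first. Reverse the two entries and the exclusion is never reached.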

-Network monitoring
When charged with administering a large network, an administrator should do
what any other new manager does: learn the lay of the land. By that I mean
learning what normal traffic on the network looks like, and what a normal
workload on the network and DNS servers looks like. This is by far the best
defense against spoofing and against attacks such as the forged Destination
Unreachable messages used to make the servers appear offline. By detecting a
spike in ICMP traffic or a flood of ARP packets, and disconnecting its
source, the integrity of the network can be maintained. Detecting and
responding to these attacks is currently the only way to defend against them.
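A detection sketch for the monitoring described here and for the Destination Unreachable and ARP poisoning attacks in the earlier sections, added as an example; it is not from the article, and the frame log is constructed, with a simplified one-line-per-frame format that is an assumption of this example rather than tcpdump's or arpwatch's real output. The MAC addresses and the 10.0.0.0/24 plan are likewise made up.

```python
import re
from collections import defaultdict, deque

# Constructed frame log, one frame per line: <epoch seconds> <source MAC> <event> <ip>.
# "ARP reply" means the MAC claims to own the IP; "ICMP unreachable" means the MAC
# sent a Destination Unreachable naming the IP as the destination that failed.
_BASE = [
    "1109260800.00 00:11:22:33:44:55 ARP reply 10.0.0.1",            # the gateway
    "1109260800.10 00:11:22:33:44:66 ARP reply 10.0.0.53",           # the real DNS server
    "1109260805.00 00:11:22:33:44:66 ICMP unreachable 10.0.0.53",    # one stray unreachable: normal
    "1109260830.00 00:aa:bb:cc:dd:ee ARP reply 10.0.0.53",           # a new MAC claims the DNS server's IP
]
_FLOOD = ["%.2f 00:aa:bb:cc:dd:ee ICMP unreachable 10.0.0.53" % (1109260830.1 + 0.1 * i)
          for i in range(12)]                                         # one forged reply per query seen
SAMPLE = "\n".join(_BASE + _FLOOD) + "\n"

LINE = re.compile(r"^(\S+) ([0-9a-f:]{17}) (ARP reply|ICMP unreachable) (\S+)$")

def parse(lines):
    """Yield (timestamp, mac, event, ip) tuples, skipping anything unparsable."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), m.group(2), m.group(3), m.group(4)

def arp_changes(frames, watched):
    """arpwatch-style check: remember the MAC first seen for each watched IP and
    alert whenever a later ARP reply claims that IP from a different MAC."""
    known, alerts = {}, []
    for ts, mac, event, ip in frames:
        if event != "ARP reply" or ip not in watched:
            continue
        prev = known.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("arp-change", ip, prev, mac, ts))
        known[ip] = mac
    return alerts

def icmp_floods(frames, threshold=10, window=5.0):
    """Sliding window per source MAC: alert the first time more than `threshold`
    Destination Unreachable messages arrive from one MAC within `window` seconds.
    A single unreachable now and then is normal; dozens in seconds are not."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, mac, event, ip in frames:
        if event != "ICMP unreachable":
            continue
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and mac not in alerted:
            alerted.add(mac)
            alerts.append(("icmp-flood", mac, len(q), ts))
    return alerts

def analyse(text, watched=("10.0.0.1", "10.0.0.53")):
    """Run both detectors over a log; the offending MAC is what you take to the
    switch's forwarding table to find (and disable) the port."""
    frames = list(parse(text.splitlines()))
    return arp_changes(frames, set(watched)) + icmp_floods(frames)

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

Keying the flood detector on the source MAC rather than the source IP matters: the forged unreachables carry the DNS server's IP as their source, so the IP points at the victim, while the MAC (on the local segment) points at the attacker. The threshold and window are placeholders; set them from the baseline you measured for your own network.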

Conclusion

In this paper I have presented several features of DNS to familiarize the
reader with the basics of the Domain Name System, and covered several well
known and widespread attacks used against it. These attacks are by no means
theoretical; in truth they grow more common as attackers become more
sophisticated. The defenses suggested at the end of each section are only the
basic recommendations for thwarting attackers. The alarming fact is that
these defenses, some of which are simply good practice when administering a
large network, are not followed on many critical networks. Through
misconceptions about attackers and network security, or simple lack of
training, attackers gain more and more ground on network administrators. On
today's massive high speed networks these attacks are more effective still,
because while attackers are wholehearted in their efforts, network
administrators are often slow and uncommitted in defending their networks. If
you administer a domain you are strongly encouraged to follow the steps
above, to research further common attacks and their defenses, and to put that
knowledge to good use.


