
DNS Name Server and Protocol and attacks
Himani Singh

Agenda
DNS introduction
Types of DNS servers
DNS protocol
DNS attacks

DNS Intro
Domain Name System
DNS is a naming system that maps an easily remembered name to a routable IP address for any resource (host or service) that is connected to the Internet.
Example lookup:
Name: google.com
Addresses: 2607:f8b0:4005:802::1005
74.125.239.135, 74.125.239.137

Example Implementations
Berkeley Internet Name Domain (BIND)
Microsoft DNS Server (Windows NT 4.0, 2003 and 2008)
RFCs 882, 883, 1034 and 1035

DNS Intro
The Domain Name System architecture is a database and a set of protocols.
The database
Contains the data for any resource (or service), including host names and domain names.
Is hierarchical.
Is distributed over multiple servers.
The protocol defines the mechanism to
Query the database
Update the database
Replicate the information among the servers to keep identical records

DNS Database
The hierarchical database is like a tree where each level can be either a branch or a leaf.
A leaf is information about a host/service.
A branch is a domain namespace. Domain names consist of labels, e.g., mail.fortinet.com.
DNS resource information is stored in the database in the form of Resource Records (RR).
All RRs have a predefined format.
There are many types of records.

FQDN
A fully qualified domain name (FQDN) identifies the host's position within the DNS tree by specifying the full name, e.g., support.fortinet.com (the host part of support.fortinet.com/home.aspx).

DNS Database Structure
Second-level domain:
Individual or organization name for use on the Internet.
Example: Fortinet.com (Fortinet = organization name).
Sub domain:
An additional name an organization can create to divide its domain into departments, locations, etc.
cs.yale.edu or support.fortinet.com
Host or resource name:
Identifies a specific resource or service.
At least one IP address is associated with it.
Name: mail.fortinet.com
Address: 208.91.113.80

DNS Database Structure
Root:
Top of the tree, indicated by a dot (.), e.g., http://www.fortinet.com.
Top-level domain:
Indicates the type of organization, country, or place. The length is fixed except for country codes.
com    Commercial organizations
edu    Educational
org    Non-profit organizations
net    Networks (the backbone of the Internet)
gov    Government (non-military)
mil    Military government
arpa   Reverse DNS
xx     Country codes like us, au, ca
http://csis.pace.edu/~marchese/CS865/Lectures/Chap5/Chapter5a.htm

Resource Record fields
Name: name of the node.
Type: RR type, 2 octets.
Class: RR class, 2 octets.
TTL: time to live, 32-bit integer. Time interval for which the RR can be used before it needs to be revalidated by the source or primary server.
RDLENGTH: length in octets of the RDATA field.
RDATA: variable length; describes the resource, like the IP address for address records, or the priority and hostname for MX records.
https://www.ietf.org/rfc/rfc1035.txt

Resource Record types (most used)
Type   Value  Class          Description                         Data
A      1      Internet (IN)  Host                                Host IP address / owner name, e.g., 10.1.1.11
NS     2      Internet (IN)  Authoritative name server           Owner name, name server DNS name (NS SRI-NIC.ARPA.)
CNAME  5      Internet (IN)  Canonical name for an alias         Owner name (alias name). The DNS lookup continues by retrying the lookup with the new name. ftp.fortinet.com. IN CNAME ftp1.fortinet.com.
SOA    6      Internet (IN)  Start of zone authority; needed in every zone file   Primary name server and the email address of the person responsible for the domain (owner name), refresh interval, retry interval, expire time, minimum TTL
WKS    11     Internet (IN)  Well known service description
PTR    12     Internet (IN)  Domain name pointer                 Contains a textual name. It is bound to names built from numerical IP addresses, and is used for reverse mapping from an IP address to a textual name. 73.0.0.26.IN-ADDR.ARPA. PTR SRI-NIC.ARPA.
MX     15     Internet (IN)  Mail exchange                       Owner name, mail exchange server DNS name: the FQDN of a host that will accept SMTP mail. SRI-NIC.ARPA. MX 0 SRI-NIC.ARPA.
TXT    16     Internet (IN)  Text string                         Used to be free text, but now this record more often carries machine-readable data

Resource Record Description
SOA Resource Records
Every zone contains a Start of Authority RR at the beginning of the zone.
This record contains information about the
Owner
Minimum TTL
Class and Type
Retry time a secondary server will wait before retrying
Authoritative server (primary server), serial number (update number), refresh, administrator, expiry and more
Example
noam.reskit.com. IN SOA (
    noamdc1.noam.reskit.com.       ; authoritative server for the zone
    administrator.noam.reskit.com. ; zone admin e-mail (responsible person)
    5099                           ; serial number
    3600                           ; refresh (1 hour)
    600                            ; retry (10 mins)
    86400                          ; expire (1 day)
    60 )                           ; minimum TTL (1 min)
http://www.zytrax.com/books/dns/ch6/mydomain.html

Resource Records for Windows 2008 DNS

Reverse lookup
A reverse lookup is a query of the DNS for a domain name when the IP address is known.
4.0.10.18.IN-ADDR.ARPA. PTR GW.LCS.MIT.EDU.

DNS Zone and zone file
The DNS scheme allows a namespace to be split into multiple zones and kept on the same server. The split into zones helps
Performance
Delegating management to departments
Those zones store information about DNS domains (or subdomains).
A zone stores information about all names that end with the zone root domain name in a file called the zone file.
A zone file contains multiple Resource Records; the first record is the Start of Authority (SOA).
The SOA contains the primary DNS nameserver.
A zone file may contain other zone information if added.

Zone file (the RFC 1035 root-zone example)
.       IN      SOA     SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
                        870611          ;serial
                        1800            ;refresh every 30 min
                        300             ;retry every 5 min
                        604800          ;expire after a week
                        86400)          ;minimum of a day
                NS      A.ISI.EDU.
                NS      C.ISI.EDU.
                NS      SRI-NIC.ARPA.

MIL.    86400   NS      SRI-NIC.ARPA.
        86400   NS      A.ISI.EDU.

EDU.    86400   NS      SRI-NIC.ARPA.
        86400   NS      C.ISI.EDU.

SRI-NIC.ARPA.   A       26.0.0.73
                A       10.0.0.51
                MX      0 SRI-NIC.ARPA.
                HINFO   DEC-2060 TOPS20

ACC.ARPA.       A       26.6.0.65
                HINFO   PDP-11/70 UNIX
                MX      10 ACC.ARPA.

USC-ISIC.ARPA.  CNAME   C.ISI.EDU.

73.0.0.26.IN-ADDR.ARPA.   PTR   SRI-NIC.ARPA.
65.0.6.26.IN-ADDR.ARPA.   PTR   ACC.ARPA.
51.0.0.10.IN-ADDR.ARPA.   PTR   SRI-NIC.ARPA.
52.0.0.10.IN-ADDR.ARPA.   PTR   C.ISI.EDU.
103.0.3.26.IN-ADDR.ARPA.  PTR   A.ISI.EDU.

A.ISI.EDU.      86400   A       26.3.0.103
C.ISI.EDU.      86400   A       10.0.0.52

Zone transfer
Zone transfer is achieved by copying the zone file from one DNS server to a second DNS server.
There are two types of zone file replication.
Full zone transfer (AXFR) replicates the entire zone file.
Incremental zone transfer (IXFR) replicates only records that have been modified.
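The SOA, zone file and zone transfer slides above describe a master file with a parenthesised SOA, owner-name inheritance and comments, and the difference between AXFR and IXFR. The following example is added here and is not code from the presentation: a small RFC 1035 master-file parser plus a diff between two versions of a zone, which is exactly the record set an IXFR carries while an AXFR resends the whole zone. The two zone texts are constructed, cut down from the RFC 1035 example on the slides, and the second version has a bumped serial, one withdrawn A record and one added host.

```python
# Added example (not part of the slides): a small RFC 1035 master-file parser
# and a zone diff that shows what AXFR vs IXFR would carry.

RR_TYPES = {"A", "NS", "CNAME", "SOA", "MX", "PTR", "TXT", "HINFO", "WKS"}
CLASSES = {"IN", "CH", "HS"}

# Constructed zone versions, cut down from the RFC 1035 root-zone example.
ZONE_V1 = """\
.       IN      SOA     SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
                        870611          ;serial
                        1800            ;refresh every 30 min
                        300             ;retry every 5 min
                        604800          ;expire after a week
                        86400)          ;minimum of a day
                NS      A.ISI.EDU.
                NS      C.ISI.EDU.
SRI-NIC.ARPA.   A       26.0.0.73
                A       10.0.0.51
                MX      0 SRI-NIC.ARPA.
USC-ISIC.ARPA.  CNAME   C.ISI.EDU.
"""

# Version 2: serial bumped, the 10.0.0.51 address withdrawn, ACC.ARPA. added.
ZONE_V2 = """\
.       IN      SOA     SRI-NIC.ARPA. HOSTMASTER.SRI-NIC.ARPA. (
                        870612 1800 300 604800 86400 )
                NS      A.ISI.EDU.
                NS      C.ISI.EDU.
SRI-NIC.ARPA.   A       26.0.0.73
                MX      0 SRI-NIC.ARPA.
USC-ISIC.ARPA.  CNAME   C.ISI.EDU.
ACC.ARPA.       A       26.6.0.65
"""


def _logical_lines(text):
    """Yield records with comments removed and ( ... ) continuations joined into one line.
    Leading whitespace of the first physical line is kept: it signals owner inheritance."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # strip the comment first
        if depth == 0 and not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf)
            buf = []
    if buf:
        raise ValueError("unbalanced parentheses at end of zone file")


def parse_zone(text, default_ttl=86400):
    """Return a list of (owner, ttl, class, type, rdata) tuples."""
    records, owner = [], None
    for line in _logical_lines(text):
        inherit_owner = line[0].isspace()
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not inherit_owner:
            owner = tokens.pop(0)
        if owner is None:
            raise ValueError("first record must carry an owner name")
        ttl, rclass = default_ttl, "IN"
        for _ in range(2):                   # TTL and class are optional, in either order
            if tokens and tokens[0].isdigit():
                ttl = int(tokens.pop(0))
            elif tokens and tokens[0] in CLASSES:
                rclass = tokens.pop(0)
        if not tokens or tokens[0] not in RR_TYPES:
            raise ValueError(f"unknown or missing RR type in record for {owner}")
        rtype = tokens.pop(0)
        records.append((owner, ttl, rclass, rtype, " ".join(tokens)))
    return records


def soa_serial(records):
    """Serial from the SOA RDATA (mname, rname, serial, refresh, retry, expire, minimum)."""
    for _owner, _ttl, _rclass, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    raise ValueError("zone has no SOA record")


def zone_diff(old, new):
    """Records an IXFR would carry as (deleted, added); an AXFR resends all of `new`."""
    old_set, new_set = set(old), set(new)
    return sorted(old_set - new_set), sorted(new_set - old_set)


if __name__ == "__main__":
    v1, v2 = parse_zone(ZONE_V1), parse_zone(ZONE_V2)
    deleted, added = zone_diff(v1, v2)
    print(f"serial {soa_serial(v1)} -> {soa_serial(v2)}: AXFR sends {len(v2)} records, "
          f"IXFR sends {len(deleted)} deletions + {len(added)} additions")
```

Note that the SOA record itself always appears in both halves of the diff, since the serial changes with every edit; that is what lets a secondary decide, from the serial alone, whether it needs a transfer at all.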

DNS zone example
Diagram: .com contains example.com; example.com is split into NorthA.example.com and Asia.example.com; NorthA.example.com contains Sale.NorthA.example.com, and Asia.example.com contains west.asia.example.com and East.asia.example.com.

Authoritative, Non-Authoritative and Caching
Authoritative DNS
Is the authoritative source for all name queries/requests made for the zone; the records have been configured by the original source. It is also possible that the same DNS server is primary for one zone and secondary for another.
The secondary server can respond to any authoritative request, which allows load balancing.
Non-Authoritative
This is not a delegated server for the zone in question, but it has record information from other servers.
It cannot respond to requests in an authoritative manner.
Caching
If a DNS server receives a request for a record that it does not have, it does a recursive query to get the information.
The server holds this information locally in a temporary store called the cache.
The data is only served while time-to-live (TTL) > 0.
A caching server can respond as 'authoritative' if the data came from the zone master, otherwise non-authoritative.

DNS server types
Root name server:
This is a top-level server; it provides the information on the top level. The list of root servers is at http://www.root-servers.org/
Primary server (or master)
When a domain name is registered with a registrar, it is required to give the address of a primary and at least one secondary server.
In a primary server the zone file is updated by a local source, whereas a secondary (slave) gets its data from an external source (either the master or from the network).
That is, the master DNS server is the authoritative server for one or more zones.
A zone can have any number of masters; the only condition is that the zone files should be synchronized.
In case of multiple masters, one server is the primary master.
The master responds to queries with the AA bit set if it is the authoritative server for that zone.
Delegation: I know the zone you are asking for, I know how to find it.
When a nameserver doesn't have the contents of a zone, but knows how to find the owner, it's said to delegate service of that zone to another nameserver.

Primary and Secondary server
Diagram: the primary server holds the zone file; the secondary server sends a request and receives a response, updating its own copy of the zone file based on the SOA serial number.

DNS server types
Secondary (or slave)
A read-only copy of the primary zone.
It gets zone data using the zone transfer operation.
Provides load balancing and fault tolerance.
Responds as authoritative for all the zones it is defined as slave for, as well as those it is defined as authoritative for.
Record refresh
Slaves refresh their zone records when the expiry time is reached.
In case it can't reach the primary server before expiry, it will not respond to queries.
A zone change is propagated to all the servers with NS records in the zone file.
The BIND implementation names it as slave; later it was called secondary.
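The slides above say that a secondary refreshes from the primary based on the SOA serial number and stops answering once the expiry time has passed without contact. The following example is added here and is not from the presentation: it decides what a secondary should do at a given moment from the SOA timers of the slide's zone (refresh 1800, retry 300, expire 604800), and compares serials with RFC 1982 serial-number arithmetic, an assumption about the comparison rule since the slides only say "based on the SOA serial number".

```python
# Added example (not from the slides): secondary refresh decisions driven by
# the SOA timers, with RFC 1982 serial arithmetic for the serial comparison.

SERIAL_BITS = 32


def serial_newer(candidate, current, bits=SERIAL_BITS):
    """RFC 1982: `candidate` is newer if it is ahead of `current` by less than
    half the serial space, so serials can wrap around without a full-space reset."""
    half = 1 << (bits - 1)
    diff = (candidate - current) % (1 << bits)
    return 0 < diff < half


def secondary_action(now, last_success, soa, primary_serial):
    """What a secondary holding `soa` should do at time `now` (seconds).
    `last_success` is when it last confirmed the zone with the primary;
    `primary_serial` is the serial the primary reports, or None if unreachable."""
    age = now - last_success
    if age >= soa["expire"]:
        return "EXPIRED"          # zone data too old: stop answering for the zone
    if age < soa["refresh"]:
        return "SERVE"            # inside the refresh interval, nothing to do
    if primary_serial is None:
        return "RETRY"            # primary unreachable: try again after `retry` seconds
    if serial_newer(primary_serial, soa["serial"]):
        return "TRANSFER"         # newer zone on the primary: AXFR/IXFR it
    return "SERVE"                # same serial: copy confirmed current


# Timers from the slide's SOA example.
EXAMPLE_SOA = {"serial": 870611, "refresh": 1800, "retry": 300, "expire": 604800}

if __name__ == "__main__":
    for t, serial in ((100, 870611), (2000, 870611), (2000, 870612), (2000, None), (604800, 870612)):
        print(t, serial, secondary_action(t, 0, EXAMPLE_SOA, serial))
```

The expire check comes first on purpose: a secondary that has been unable to confirm its copy for longer than the expire interval must not keep answering even if a transfer is possible right now, until that transfer has actually completed and `last_success` moves forward.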

DNS server types
Slave can be master
The slave can sit as the public-facing server while the real master is hidden.
To provide resilience, two such servers are needed. In that case one slave gets zone information from the real master and the other gets it from the pretend master.
Stub
Read-only copy of the primary zone with limited RRs: it contains only the resource records that identify the DNS servers that are authoritative for a DNS domain name.
Forwarding DNS
A forwarding, proxy, client or remote server simply forwards requests to another DNS server.
It does keep a cache and responds fast.
Useful in slow networks.

DNS Protocol
Protocol
Mostly done over UDP, also TCP; port 53.
Request/response system.
Response in one message.
Types of messages
Queries
Responses
Updates

Query
A query can be sent by
Client to DNS server
Between two servers
There are two types of DNS queries:
Recursive
Mostly DNS clients make this kind of query. The DNS server can respond with local information or make a request to another server.
Iterative
Responds with the best local information, either from local zone files or the cache.
If the DNS server is not authoritative for that name, this response is called a referral.

Query
When a DNS server receives a query for a resource, it sends a response as follows:
If it is master for that zone
If it is slave and has the record (or a cache entry) that is not expired
If neither a master nor a slave, then it will act as configured:
If caching and recursive queries are allowed, the server will respond with an answer or an error.
If caching and iterative queries are allowed, the server will respond with an answer or an error.
If no caching is allowed, then the server will return a referral or an error.

DNS recursive query example
Diagram: resolver, ISP local recursive name server, root (.) name server, com name server, example.com name server. The resolver sends a recursive query (recursion desired = 1); the ISP server then sends iterative queries:
1. ISP's nameserver knows that it's not authoritative for abc.com, so it can't look it up in its local zone database. It also doesn't find the name in its cache of recently-seen data.
2. Asks the root name server for the IP of www.abc.com.
3. Referral to the next server who may know.
4. Asks the com name server for the IP of www.abc.com.
5. Still does not know; referral to one of the authoritative servers.
6. Asks the authoritative name server for the IP of www.abc.com.
7. IP is 1.2.3.4.
8. The recursive server adds this to its own cache and returns the answer to the resolver. The answer is non-authoritative.
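The query slides and the diagram above describe the recursive/iterative split: the client asks with recursion desired, and the recursive server walks root, TLD and authoritative servers following referrals, then caches the result and hands back a non-authoritative answer. The following simulation is added here and is not code from the presentation. The server names, zones and the address 1.2.3.4 are constructed; the resolver also bounds how many referrals it will follow, so a misconfigured delegation that points back at itself is reported instead of looping forever.

```python
# Added example (not from the slides): a toy recursive resolver that walks the
# referral chain root -> TLD -> authoritative server, caches answers by TTL,
# and bounds the number of referrals it follows.
import time

# Constructed authoritative data; server names and addresses are made up.
SERVERS = {
    "a.root.example.":  {"zone": ".",        "answers": {},
                         "delegations": {"com.": "a.gtld.example.",
                                         "loop.example.": "ns.loop.example."}},
    "a.gtld.example.":  {"zone": "com.",     "answers": {},
                         "delegations": {"abc.com.": "ns1.abc.example."}},
    "ns1.abc.example.": {"zone": "abc.com.", "answers": {"www.abc.com.": "1.2.3.4"},
                         "delegations": {}},
    # Misconfigured zone whose delegation points back at itself.
    "ns.loop.example.": {"zone": "loop.example.", "answers": {},
                         "delegations": {"x.loop.example.": "ns.loop.example."}},
}


def in_zone(name, zone):
    """True if `name` is `zone` itself or lies below it."""
    return zone == "." or name == zone or name.endswith("." + zone)


def iterative_query(server_name, qname):
    """One iterative (non-recursive) query. The server answers only from what it
    holds: ANSWER, a REFERRAL toward a child zone, NXDOMAIN, or REFUSED.
    Returns (status, data, aa)."""
    srv = SERVERS[server_name]
    if qname in srv["answers"]:
        return "ANSWER", srv["answers"][qname], True
    for child, ns in srv["delegations"].items():
        if in_zone(qname, child):
            return "REFERRAL", ns, False
    if in_zone(qname, srv["zone"]):
        return "NXDOMAIN", None, True        # authoritative negative answer
    return "REFUSED", None, False            # not our zone and no recursion offered


class RecursiveResolver:
    MAX_REFERRALS = 8

    def __init__(self, root="a.root.example.", clock=None, ttl=60):
        self.root, self.ttl = root, ttl
        self.clock = clock or time.time
        self.cache = {}                      # qname -> (address, expiry)
        self.queries_sent = 0

    def resolve(self, qname):
        """Serve a recursion-desired query. Returns (address or None, aa, from_cache).
        Relayed answers are non-authoritative from this server's point of view."""
        now = self.clock()
        if qname in self.cache and self.cache[qname][1] > now:
            return self.cache[qname][0], False, True
        server = self.root
        for _ in range(self.MAX_REFERRALS):
            self.queries_sent += 1
            status, data, _aa = iterative_query(server, qname)
            if status == "REFERRAL":
                server = data                # step 3/5 of the diagram: follow the referral
                continue
            if status == "ANSWER":
                self.cache[qname] = (data, now + self.ttl)   # step 8: cache it
                return data, False, False
            return None, False, False        # NXDOMAIN or REFUSED
        raise RuntimeError(f"too many referrals resolving {qname} (delegation loop?)")


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.abc.com."), "after", r.queries_sent, "iterative queries")
    print(r.resolve("www.abc.com."), "(served from cache)")
```

The three iterative queries counted for the first lookup correspond to steps 2, 4 and 6 of the diagram; the second lookup sends none because the cached entry is still within its TTL.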

DNS protocol
Header (12 bytes)
Question (variable)
Answer (variable)
Authority (variable)
Additional (variable)
Questions are Name, Type, Class.
Answers are RRs that match the Name, Type, Class. If there are multiple RRs with the same labels, there can be multiple answers.
Authority: RRs pointing toward an authority.
Additional: RRs that can be useful to the client.

Header and query answer
Name (variable): name of the object, domain or zone. All information is associated with this name.
Type (2 bytes): code value specifying the type of resource record.
Class (2 bytes): class of the resource record.
Time to Live (4 bytes): number of seconds that the record should be retained in the cache.
RDLength (2 bytes): indicates the size of the RData field, in bytes.
Resource Data (variable): data portion of the resource record.
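The two slides above give the message layout (12-byte header, then question, answer, authority and additional sections) and the wire fields of a resource record (Name, Type, Class, TTL, RDLength, RData). The following parser is added here and is not code from the presentation: it reads such a message from raw bytes, decodes the header flags including the DNSSEC AD and CD bits, follows RFC 1035 name-compression pointers, and rejects truncated records and pointers that do not point backwards (which is what makes pointer loops impossible). The sample response bytes are constructed: ID 0x1234, flags QR/RD/RA, one A question for www.example.com and one answer with the TEST-NET address 192.0.2.1.

```python
# Added example (not from the slides): parse a DNS message from the wire into
# header flags, question and RR sections, honouring RFC 1035 name compression
# and rejecting malformed pointers and truncated records.
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(msg, offset):
    """Decode a (possibly compressed) domain name. Returns (name, offset after it)."""
    labels, resume = [], None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            pointer = ((length & 0x3F) << 8) | msg[offset + 1]
            if pointer >= offset:                        # must point backwards: no loops
                raise ValueError("forward compression pointer")
            if resume is None:
                resume = offset + 2                      # parsing continues after the pointer
            offset = pointer
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (resume if resume is not None else offset)


def decode_rdata(msg, rtype, offset, length):
    if rtype == 1 and length == 4:                       # A: dotted quad
        return ".".join(str(b) for b in msg[offset:offset + 4])
    if rtype in (2, 5, 12):                              # NS, CNAME, PTR: one name
        return read_name(msg, offset)[0]
    if rtype == 15:                                      # MX: preference, exchange
        return struct.unpack_from("!H", msg, offset)[0], read_name(msg, offset + 2)[0]
    return msg[offset:offset + length].hex()             # anything else: raw hex


def read_rr(msg, offset):
    """Parse one RR: Name, Type, Class, TTL, RDLength, RData."""
    name, offset = read_name(msg, offset)
    if offset + 10 > len(msg):
        raise ValueError("truncated RR header")
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
    offset += 10
    if offset + rdlength > len(msg):
        raise ValueError("RDLENGTH exceeds message")
    rr = {"name": name, "type": TYPE_NAMES.get(rtype, rtype), "class": rclass,
          "ttl": ttl, "rdata": decode_rdata(msg, rtype, offset, rdlength)}
    return rr, offset + rdlength


def parse_message(msg):
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    header = {"id": ident, "qr": flags >> 15 & 1, "opcode": flags >> 11 & 0xF,
              "aa": flags >> 10 & 1, "tc": flags >> 9 & 1, "rd": flags >> 8 & 1,
              "ra": flags >> 7 & 1, "ad": flags >> 5 & 1, "cd": flags >> 4 & 1,
              "rcode": flags & 0xF}
    offset, questions = 12, []
    for _ in range(qd):
        qname, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        questions.append({"name": qname, "type": TYPE_NAMES.get(qtype, qtype), "class": qclass})
    result = {"header": header, "question": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        result[section] = []
        for _ in range(count):
            rr, offset = read_rr(msg, offset)
            result[section].append(rr)
    return result


def encode_name(name):
    """Uncompressed wire form of a name; used only to build the sample below."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


# Constructed response: ID 0x1234, flags QR=1 RD=1 RA=1 (0x8180), one A question,
# one A answer whose owner name is a pointer (0xC00C) to the question name at offset 12.
SAMPLE_RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(parse_message(SAMPLE_RESPONSE))
```

The backwards-only rule on pointers is stricter than some resolvers apply, but it is the simplest check that guarantees termination: every hop moves to a lower offset, so a crafted message cannot make the parser spin.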

DNS response capture (screenshot)

DNS update message
The DNS update message format uses a header defining the update operation to be performed and a resource record set that contains the update.

DNS request capture from Wireshark (screenshot of a DNS request and response)
DNS answer (screenshot)

DNS Security Extensions
DNSSEC adds four new resource record types:
Resource Record Signature (RRSIG),
DNS Public Key (DNSKEY),
Delegation Signer (DS), and
Next Secure (NSEC) (please see RFC 4034).
Two new DNS header flags
Checking Disabled (CD)
Authenticated Data (AD)
To support DNSSEC
Support for the DNSSEC OK (DO) EDNS header bit, so a resolver can indicate support for DNSSEC RRs.
DNSSEC also requires EDNS0 support (RFC 2671). By adding DNSSEC RRs, the message size can be larger than 512 bytes.
Potential for amplified DDoS attacks.

DNS Security Extensions
DNSSEC adds security to the Domain Name System.
DNSSEC was created to protect DNS from internet attacks like DNS cache poisoning.
It is a set of extensions to DNS and provides
Origin authentication of DNS data
Data integrity (not privacy)
Authenticated denial of existence

DNS attacks
DNS DDoS attacks
The percentage of DNS attacks (72%) is a little less than HTTP (82%).
DNS attacks include
DNS cache poisoning attack
The attacker injects malicious DNS data into recursive DNS servers
and redirects all incoming traffic to a server of their choosing.
UDP flood
DNS exploits
Man in the middle: the attacker gets between clients and one or more authoritative DNS servers for a domain and sniffs the traffic.
DNS tunneling
Amplification

DNS cache poisoning attacks
The cache can be changed to hold a fake record.
What is DNS cache poisoning
An attempt to insert a fake address record for an internet domain.
The server will keep it in its cache or pass it to a caching server.
In case of success, the subscriber's link is redirected to a fake server/location.
The user may not suspect anything because the URL seems correct.
This fake record can spread to other DNS servers.

Kashpureff Attack (BIND name server)
1. In 1997, four people including Kashpureff started the DNS service called AlterNIC.
2. They used a recursive name server to alter the cache.
3. The (evil) resolver asked the recursive server for a query only the alternative server could answer, so that the recursive server would go to that alternative server to resolve it.
4. The AlterNIC server sent the answer, but at the same time it sent additional records with completely unrelated resource records to the DNS recursive server. Suppose the A record is for www.fooback.com.
5. The DNS recursive server kept that data in its cache and passed it to any host that made the query.
6. Hosts went to the fake website resolved by AlterNIC, or any other attacker-controlled DNS.
7. Solution:
1. BIND patch that will not accept unrelated resource records.
Diagram: resolver, DNS recursive server / cache server, and the alternate server (AlterNIC); the additional information in AlterNIC's response lands in the recursive server's cache.
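The fix on the slide above, a BIND patch that refuses unrelated resource records, is the in-bailiwick check: a record is accepted from a response only if its owner name lies inside the zone the queried server was asked about. The following example is added here and is not code from the presentation or from BIND. The response it filters is constructed: a genuine answer and glue for example.com, plus an unrelated www.fooback.com additional record of the kind the slide describes.

```python
# Added example (not from the slides): the in-bailiwick check adopted after the
# Kashpureff incident. Records in a response are kept only if their owner name
# lies inside the zone the queried server is responsible for.

def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies below it (case-insensitive, label-aware).
    The leading dot in the suffix test stops notexample.com matching example.com."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return zone == "" or name == zone or name.endswith("." + zone)


def filter_response(zone, response):
    """Split a parsed response into records inside `zone` (kept, by section) and
    records outside it (dropped, as (section, rr) pairs). `response` maps a
    section name to a list of {"name", "type", "rdata"} dicts."""
    kept, dropped = {}, []
    for section in ("answer", "authority", "additional"):
        kept[section] = []
        for rr in response.get(section, []):
            if in_bailiwick(rr["name"], zone):
                kept[section].append(rr)
            else:
                dropped.append((section, rr))
    return kept, dropped


# Constructed response from a server asked about example.com: the real answer,
# the NS and its glue, plus an unrelated additional record that must not be cached.
RESPONSE = {
    "answer": [{"name": "www.example.com.", "type": "A", "rdata": "192.0.2.10"}],
    "authority": [{"name": "example.com.", "type": "NS", "rdata": "ns1.example.com."}],
    "additional": [
        {"name": "ns1.example.com.", "type": "A", "rdata": "192.0.2.53"},
        {"name": "www.fooback.com.", "type": "A", "rdata": "198.51.100.7"},
    ],
}

if __name__ == "__main__":
    kept, dropped = filter_response("example.com.", RESPONSE)
    for section, rr in dropped:
        print(f"dropped out-of-bailiwick {rr['type']} {rr['name']} from {section}")
```

The zone passed in must be the one the resolver believes that server is authoritative for, not the query name: the second check in the test below shows that narrowing it to www.example.com would also throw away the legitimate NS and glue records.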

DNS cache poisoning attacks: message ID
The DNS server will believe the response if the query ID is the same.
Those message IDs (QID) are not random enough.
Most systems have a pseudo-random number generator, and most of the time the next random number is quite predictable.
How it is done
The server accepts responses to pending queries:
The response arrives on the same port the request was sent from, otherwise the network stack will not deliver it.
The question section matches the question.
The QueryID matches the QueryID.
Send a normal query and check the QueryID.
Now
Guess the QueryID for the next query.
Make a query for some valuable domain like bankofamerica.com.
The DNS recursive server will send a request to resolve this address.
The attacker spoofs the next 20 possible QIDs and sends them to the DNS server.
Those responses should arrive before the real response comes back.
If successful, the fake address has been inserted.
Solution: BIND patch that randomized the QID.
Diagram: victim name server with spoofed QID.
Mitigation: randomize the query ID.

Dan Kaminsky attack
The possible QIDs: 65542 IDs. It can be done by brute force.
This is the birthday paradox: the probability that two people have the same birthday is 99.7%.
The probability that some pair among n people shares a birthday grows with n.
Probability that n people all have different birthdays: p(n) = (364/365) * (363/365) * ... * ((366-n)/365); the probability of a shared birthday is 1 - p(n).
So if we have 20 people, the probability that two have the same birthday is about 40%.
Hijack the authority records
Same as before, but rather than putting in an A record, it adds a delegation to another nameserver via Authority records. Basically: ask this DNS server, it might know.
The server is owned by the attacker.
The authority data may well contain the "real" bankofsteve.com nameserver hostnames, but the glue points those nameservers at bad-guy IPs. This is the crucial poisoning, because a Query ID match means that the victim believes that the bad guy's nameservers are authoritative for bankofsteve.com.
The bad guy now owns the entire zone.

Kaminsky attack

Kaminsky attack fix and DNSSEC
Query ID = 16 bits, so it is easy to get into trouble.
Randomizing the source port.
Ports are 2500 (2 to the power 11).
Kaminsky attack
DNS was so trusting that anyone could insert a location.
Signing certificate: I know who you are, and I am not inserting a record unless you can prove who you are.
Trust certificate and key.
Hard to deploy; need to change the key.
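The Kaminsky slides above lean on two pieces of arithmetic: the birthday-paradox product p(n) with its "about 40% for 20 people" result, and the claim that a 16-bit query ID is too small while adding a randomized source port (2 to the power 11 on the slide) makes a forged response far less likely to be accepted. The following calculation is added here and is not from the presentation; it carries the slide's formula through and then puts numbers on how much identifier space the port randomization adds. The birthday function generalizes beyond 365 days to an arbitrary identifier space, which is the sense in which the slide applies it to query IDs.

```python
# Added example (not from the slides): the birthday-paradox product from the
# Kaminsky slide, and the size of the identifier space a forged response has
# to hit with and without source-port randomization.
from math import prod

QID_BITS = 16      # query ID width, as stated on the slide
PORT_BITS = 11     # randomized source ports, the slide's "2 to the power 11"


def birthday_match_probability(n, days=365):
    """Probability that at least two of n draws from `days` values coincide.
    This is 1 - p(n) where p(n) = (364/365) * (363/365) * ... * ((366-n)/365)
    is the slide's probability that all n birthdays differ."""
    if n > days:
        return 1.0                                  # pigeonhole: a collision is certain
    all_different = prod((days - k) / days for k in range(n))
    return 1.0 - all_different


def identifier_space(randomize_port):
    """Number of (query ID[, source port]) combinations a response must match."""
    return 2 ** (QID_BITS + (PORT_BITS if randomize_port else 0))


def forged_response_acceptance(forged_responses, randomize_port):
    """Chance that at least one of `forged_responses` distinct forged replies
    matches one pending query, i.e. the slide's acceptance rule of
    same port + same question + same query ID."""
    return min(1.0, forged_responses / identifier_space(randomize_port))


def entropy_bits(randomize_port):
    """Bits of unpredictability a spoofer has to guess."""
    return QID_BITS + (PORT_BITS if randomize_port else 0)


if __name__ == "__main__":
    print(f"20 people share a birthday: {birthday_match_probability(20):.1%}")
    for rp in (False, True):
        print(f"port randomization={rp}: space={identifier_space(rp)}, "
              f"20 forged replies accepted with p={forged_response_acceptance(20, rp):.3g}")
```

The ratio between the two acceptance probabilities is exactly 2 to the power 11: the same 20 forged replies the earlier slide describes become 2048 times less likely to be accepted, which is why source-port randomization was the emergency fix while DNSSEC, which removes the guessing game altogether, was the long-term one.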

Modern DDoS attacks: amplification
Example of DNS attack
Reflection and amplification
Reflection
Spoof the victim address in the DNS query.
Have a bot army send the DNS queries so the replies go to the victim address.
Amplification
Send a small query that results in much larger data. A simple query of 64 bytes can result in a 400-byte response.
Example query
dig ANY abc.com @208.67.220.220
Response:
<<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> 9.7.3 ANY sjsu.edu @208.67.220.220 TXT= query
;; global options: +cmd
-- many lines are deleted
; Query time: 14 msec
;; Query time: 1 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Wed Aug 13 17:01:06 2014

Modern DDoS attacks: amplification
How it is achieved
Many open resolvers over the internet.
Use the DNS TXT resource record.
The DNS protocol extension DNSSEC is used, as by nature those are big records.
The amplification factor is approximately 70.1.
Use the bot army to spoof the victim address, use open resolvers with recursive queries, look for TXT responses and send the request.
http://securityaffairs.co/wordpress/3184/cyber-crime/anonymous-dns-amplification-attacks-for-operation-globalblackout.html

Solutions
Anycast: a network addressing and routing methodology in which datagrams from a single sender are routed to the topologically nearest node in a group of potential receivers.
Use anycast for DNS.
Why: because in a distributed DNS server environment, only some DNS servers will come under attack, but the other servers, and the DNS service overall, should be fine.
Identify and block
RRL, Response Rate Limiting:
RRL helps mitigate DNS denial-of-service attacks by reducing the rate at which authoritative servers respond to high volumes of malicious queries. The RRL mechanism is part of BIND 9.10, and was available as a software build option in BIND 9.9.4.
A DDoS system
If the requests have a pattern like same source, same name, class and type, that is most likely an attack (in a normal scenario once a query is made, it will be cached on non-authoritative servers and will not be sent again and again).
Limit the number of queries for that source.
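The slide above gives the detection rule (same source, same name, class and type, repeated far more often than caching would ever produce) and the response (limit what is sent back to that source). The following example is added here and is not code from the presentation or from BIND; it runs that logic over a constructed query log in the spirit of BIND's RRL: responses are counted per (client /24, qname, qtype) per second, everything above the limit is dropped, and every second limited response is instead sent truncated so that a genuine client retries over TCP, which a spoofed source address cannot do. The log lines, addresses (TEST-NET ranges) and the limits are all constructed.

```python
# Added example (not from the slides): response rate limiting over a query log,
# in the spirit of BIND's RRL. Keys are (client /24, qname, qtype) per second;
# above the limit most responses are dropped and every `slip`-th one is sent
# truncated (TC=1) so a real client retries over TCP, which a spoofed source cannot.
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log, one query per line: "timestamp client qname class qtype".
# 203.0.113.5 plays the spoofed victim address hammering ANY; 198.51.100.20 is an
# ordinary client making one A query.
SAMPLE_LOG = "\n".join(
    ["2014-08-13T17:01:06 203.0.113.5 example.com IN ANY"] * 8
    + ["2014-08-13T17:01:06 198.51.100.20 www.example.com IN A",
       "2014-08-13T17:01:07 203.0.113.5 example.com IN ANY"]
)


def parse_line(line):
    ts, client, qname, qclass, qtype = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), qclass, qtype


def client_prefix(ip, bits=24):
    """Aggregate by network so varying the low address bits does not dodge the limit."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, slip=2):
        self.rps, self.slip = responses_per_second, slip
        self.sent = defaultdict(int)        # (second, prefix, qname, qtype) -> responses sent
        self.limited = defaultdict(int)     # same key -> responses rate-limited so far

    def decide(self, ts, client, qname, qtype):
        """Return ANSWER, SLIP (truncated reply forcing TCP) or DROP for one query."""
        key = (ts.replace(microsecond=0), client_prefix(client), qname, qtype)
        if self.sent[key] < self.rps:
            self.sent[key] += 1
            return "ANSWER"
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "SLIP"
        return "DROP"


def apply_rrl(log_text, limiter=None):
    """Run every log line through the limiter; returns a Counter of decisions."""
    limiter = limiter or ResponseRateLimiter()
    decisions = Counter()
    for line in log_text.strip().splitlines():
        ts, client, qname, _qclass, qtype = parse_line(line)
        decisions[limiter.decide(ts, client, qname, qtype)] += 1
    return decisions


def top_patterns(log_text, n=3):
    """Most frequent (prefix, qname, qtype) patterns: the slide's 'same source,
    same name, class and type' signal for spotting a flood."""
    counts = Counter()
    for line in log_text.strip().splitlines():
        _ts, client, qname, _qclass, qtype = parse_line(line)
        counts[(client_prefix(client), qname, qtype)] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    print("top patterns:", top_patterns(SAMPLE_LOG))
    print("decisions:", dict(apply_rrl(SAMPLE_LOG)))
```

With the default limit of 5 responses per second, the eight identical ANY queries in the same second produce five answers, two drops and one truncated reply, while the ordinary client's A query and the victim's next-second query are unaffected. Because the limit applies to responses for a single pattern rather than to the client as a whole, a spoofed flood aimed at one victim throttles only its own traffic.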

Solutions
Very short TTL and heavy response
Message size
Watch for bigger messages and cause DNS query types that produce them (such as ANY) to be re-transmitted using TCP.
Force the use of a TCP connection.
RFC 2827 (BCP38)
Our ISP should follow best current practice 38 (BCP38) on the network, and watch for traffic.
According to BCP38, if a packet's source address does not belong to the internal network, then it should not be coming from the internal network.
Non-existing domain
Negative response

References
Dan Kaminsky's Black Hat presentation (PowerPoint). Excellent reading.
DNS and BIND, O'Reilly. The definitive book on DNS.
TCP/IP Illustrated, Volume 1: The Protocols, W. Richard Stevens. The definitive book on TCP/IP.
DNS Cache Poisoning at Wikipedia
http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html
http://securityaffairs.co/wordpress/3184/cyber-crime/anonymous-dns-amplification-attacks-for-operation-globalblackout.html
DNS Cache Poisoning
http://en.wikipedia.org/wiki/AlterNIC
https://ripe66.ripe.net/presentations/164-ripe66-dns.pdf
