18/I, | : 011.7281.

281
rnids.rs | . | kancelarija@rnids.rs

DNS

2015.



. ,
, ,
. , ,
, IP (Internet Protocol) .
DNS (Domain Name System)
. (DNS)
. DNS-
,
. , ,
IP . , DNS IP
IP ().
DNS :

DNS , ,
. DNS ,
,
. ,
,
DNS-.
, DNS ,
,
. DNS ,
!
,
DNS .

DNS
DNS-
.
, ,
IP . ,
DNS .
,
. ,
, . (
) IP
DNS .
DNS-
. DNS root
(TLD), : .rs, .ca, .se, .com, .net, .
TLD DNS
(.co.rs, rnids.rs, cisco.com,). ,
DNS

TLD

DNS
DNS .
DNS ( DNS DNS
).

www.rnids.rs, DNS IP
-. DNS
IP www.rnids.rs
DNS , (cached DNS ),
. DNS , IP
, DNS
, DNS .
, www.rnids.rs,
DNS , ,
DNS , root ,
, root . Root ,
, DNS DNS
, .
. ,RS, root IP DNS
, TLD (Top Level Domain), :
com, net, org, edu, it, uk, se, de, , ...
DNS , DNS ,
, (resolve) IP
root . Root IP
www.rnids.rs, , DNS ()
DNS .RS. DNS
DNS .RS,
IP www.rnids.rs, DNS
rnids.rs. DNS DNS
rnids.rs, IP www.rnids.rs,
(
) .
IP 100

DNS .

IP 87.237.205.199
.
;; global options: printcmd
.                       16730   IN  NS  a.root-servers.net.
.                       16730   IN  NS  l.root-servers.net.
.                       16730   IN  NS  h.root-servers.net.
.                       16730   IN  NS  b.root-servers.net.
.                       16730   IN  NS  k.root-servers.net.
.                       16730   IN  NS  f.root-servers.net.
.                       16730   IN  NS  c.root-servers.net.
;; Received 228 bytes from 82.117.194.2#53(82.117.194.2) in 12 ms

rs.                     172800  IN  NS  l.nic.rs.
rs.                     172800  IN  NS  k.nic.rs.
rs.                     172800  IN  NS  h.nic.rs.
rs.                     172800  IN  NS  g.nic.rs.
rs.                     172800  IN  NS  f.nic.rs.
rs.                     172800  IN  NS  d.nic.rs.
rs.                     172800  IN  NS  b.nic.rs.
rs.                     172800  IN  NS  a.nic.rs.
;; Received 460 bytes from 198.41.0.4#53(a.root-servers.net) in 18 ms

rnids.rs.               3600    IN  NS  ns1.nic.rs.
rnids.rs.               3600    IN  NS  ns2.rnids.rs.
rnids.rs.               3600    IN  NS  odisej.telekom.rs.
rnids.rs.               3600    IN  NS  ns1.rnids.rs.
;; Received 221 bytes from 194.146.106.114#53(l.nic.rs) in 0 ms

www.rnids.rs.           3600    IN  CNAME  web-server.rnids.rs.
web-server.rnids.rs.    3600    IN  A   87.237.205.199
rnids.rs.               3600    IN  NS  ns1.nic.rs.
rnids.rs.               3600    IN  NS  odisej.telekom.rs.
rnids.rs.               3600    IN  NS  ns1.rnids.rs.
rnids.rs.               3600    IN  NS  ns2.rnids.rs.
;; Received 262 bytes from 147.91.8.6#53(ns1.nic.rs) in 14 ms

DNS

DNS .
, DNS DNS
, ,
. ,
, .
DNS-,
,
,
.
, , DNS
,
, .
DNS ,

.
,
,
DNS , , DNS ,
IP .
, anti-spam Spamhaus
DDoS (Distributed Denial of Service) .
Cyberbunker
Spamhausa.
300Gb ?
Open Resolver Project 20
DNS
, .
, DNS 30 , DNS
100 200 . DNS UDP
, ,
(spoofing) IP
, IP . DNS
, IP .
DNS DNS
,
DNS . Cloudflare

,
Spamhaus, 65000 DNS
.
DNS
, . , Syrian Electronic
Army (SEA), ,
, DNS
Melbourne IT
, New York Times, Washington Post, Financial Times, Twitter,
BBC-, AP- Reuters-, .

, .
, New York Times-,
,
-.
Melbourne IT ,
DNS ,
.

,
.
, DNS , ,

,
.
DNS :

DoS DDoS

DNS DDoS

DNS (man in the middle)

" " (cache poisoning)

DNS

DoS DDoS

.
()
. , ,

.

.

, Denial of Service (DoS) ,
. DoS
, .
, ,
, DNS
. DoS
,
. ,
.
DoS
.
, DoS . , DoS
Distributed Denial of Service (DDoS)
, , DoS
. , (DoS),
.
:


() .

DoS ,
DDoS .
DDoS
.
DDoS
( botnet). botnet
,

.
DDoS ,
.
, ()
.

- ,
, . botnet .
DDoS
, , ,
,
. DDoS :

DDoS ,
DDoS (DRDoS) .

DDoS (botnetu),
, .
(), ,
, ( flooding) .
DDoS (spoofed) IP
,
(firewall).

[Figure: DDoS. Labels: attacker, botnet (zombies), victim]

DDoS , DRDoS
, ,
(),
. DDoS


.
DNS
, DDoS (amplified DDoS) .
DNS ( )
DNS . DNS
( DNS )
DDoS .
DNS DNS
. RNIDS-,
RCUB-, 10000 DNS , .RS
. , . 20
.

[Figure: DDoS (DRDoS). Labels: attacker, botnet (zombies), reflectors, victim]

DoS/DDoS
.
, .

DDoS ,

.
DDoS : ; ;
.


, ,

.

IP
adresom (Network Ingress Filtering RFC 2827)
. ,
-
.
,

DoS/DDoS
.

,
. ,

.

Cache poisoning
DNS
. DNS
DNS (
IP )
DNS (caching).
DNS
IP .
DNS
DNS .
(cache poisoning).
,
.

DNS . cache poisoning
DNS ,
, DNS DNS
DNS .
, DNS
DNS
.
, DNS (TTL time to
live) DNS , .

Cache poisoning

DNS DNS
. DNS
DNS
(transaction ID) .

("Birthday Paradox"), ,
23 , 50%.


, 1,2 i
( i=365).
16 n ,
, n/65536 . ,

DNS DNS
,
.
:
$$= 1 - \left(1 - \frac{1}{t}\right)^{\frac{n(n-1)}{2}}$$

t ( 65536), n
. ,
n/65536 ( n=700 1,07%),
birthday attack , 700
100% .
- . 300
(
) 50% .

IP :
.

DNS DNS
. , DNS
.
DNS , DNS

,
.
:
10:54:12.423228 192.168.1.2.33748 > 66.218.71.63.53: 21345 [1au] A? www.yahoo.com. (42) (DF)
10:54:21.313293 192.168.1.2.33748 > 216.239.38.10.53: 53735 [1au] A? www.google.com. (43) (DF)
10:54:27.182852 192.168.1.2.33748 > 149.174.213.7.53: 19315 [1au] A? www.netscape.com. (45) (DF)
10:54:43.252461 192.168.1.2.33748 > 66.35.250.11.53: 43129 [1au] A? www.linux.com. (42) (DF)

(33748)
.
DNS
DNS .

DNS
.
DNS
.

- .
,
Man in The Middle MTM ,

.

90 DNS
. DNS
cache poisoning . ,
DNS DNS
, .
DNS , ,
DNSSEC ( DNS
).

DNSSEC
DNS
. ,
,
.
DNS , DNSSEC (DNS
Security Extension), man in the middle .
DNSSEC DNS DNS-
DNS DNS
:

:
DNS .

:
.

:
, DNS
.

?
DNSSEC
PK (Public Key encryption).
,
DNSKEY .

.
DNSSEC , DNS (A,
MX, CNAME, .) DNS ,
DNSSEC RRSIG (resource record signature). RRSIG
hash-

. DNS
DNS . , hash RRset
hash- RRSIG
DNS .


. , DS
DNS
.
DNSKEY , DS, RRSIG(DS) DNSKEY
.
DS DNS
(ZSK)
, DS DNSKEY
. , DS

DNSKEY. DNS , , ,
DNS .
,
(. trust anchor),
DNS root . , (NSEC) ,
,
.
DNSSEC : (Zone Signing Keys
ZSK) (Key Signing Keys KSK). ZSK

DNSKEY . KSK
DNSKEY , DNSKEY
.
.
,
. . DNS-

. ,
. , .
, ,
DNSKEY
DS . ,
, DNS
KSK , ( ).
.

, DNSSEC DNS .
DNS ( DNS
) DNSSEC .
DNS DNS
DNS ,
. ,
,
.
DNS ,
,
, , ,


DNS, ,
. DNS ! DNS
, DNS ,
.
(, , FTP) , . ,
DNS , . , DNS
.
:
DNS
, root
, TLD .
DNS ( DNS
DNS ).
.
DNS ,

.
, .
( DNS )
.
()
.
DNS
DNS open resolver DNS ,
DNS
.

.
Response Rate Limiting (RRL)
DNS .
DDoS DRDoS
. Response Rate Limiting (RRL)
DNS . razliiti (po IP ,
, ). RRL-
.
(SAV Source Address
Validation)
DNS IP DNS ,
DNS
. , . IP
.
DNSSEC
DNS-.

DNS . DNS ,
imaju aktiviranu DNS
.
