
DNS HIJACKING

Supervisor: Chao-Li Tarng



Team:
Surya Abhijith Kumar Devaraju (009179300)
Bharadwaj Ananthula (009290489)
Sarath Kumar Gupta Sunku (009326213)
Anirudh Sri Jayendra Janga (008681907)

Outline

- Understanding DNS
- How DNS works
- Vulnerabilities
- Attacks and Defense Schemes
- DNSSEC (DNS Security)
- Attack Demonstration
- DNSSEC Implementation

Domain Name System

- Developed in 1983
- Application layer protocol
- Scalable way to map hostnames to IP addresses
- Uses a hierarchical tree structure beginning at the root
- Below the root are generic top-level domains (edu., com., net., etc.) and country-code top-level domains (uk., cn., etc.)
- Each TLD further subdivides to produce domains such as colostate.edu. and deterlab.net.
- Every Internet application requires some DNS lookup

DNS Queries

Two types:

1. Recursive Query
   Puts the burden of resolution on the contacted name server.

2. Iterative Query
   The contacted server replies with the name of the next authority in the hierarchy: "I don't know this name, but this other server might."

This is how DNS works today.

The Importance of DNS

- Without DNS, how could you get to any website?
- DNS is the root of trust for the web
- When a user types www.bankofamerica.com, they expect to be taken to their bank's website
- What if the DNS record is compromised?

DNS Hijacking

- Infecting the OS or browser with a virus/trojan
  E.g. many trojans change entries in /etc/hosts, pointing *.bankofamerica.com at evilbank.com
- Man-in-the-middle attack
- Response spoofing: eavesdrop on requests and outrace the server's response

DNS Vulnerabilities

- DNS wasn't designed with any security concerns in mind.
- Classical DNS uses plaintext messages, so a third party can easily read them.
- It also does very little by way of message verification: the end user has no way of knowing if the message was altered en route or if the DNS servers supplying the information are acting maliciously.
- This leaves the service open to several well-known vectors of attack:
  - MITM (Man-in-the-Middle) attack
  - Birthday attack
  - Kaminsky attack

Man-in-the-Middle Attack

- MITM is common to network services and is effective on communications that don't use cryptographic encryption or authentication.
- The attacker positions between the client and the server on a network and can intercept messages going in either direction.
- The attacker can alter or deny them at will, violating either the integrity or the availability of the service.
- In the context of DNS, the attacker positions somewhere between the end user and the relevant DNS server.
- Altering the DNS response to supply a different IP address for the requested Internet address effectively reroutes the user anywhere the attacker wants.

MITM Attack Defense

- DNSSEC: for preventing the DNS poisoning attack
- Use certificates: against public-key-encryption MITM, a trusted Certificate Authority (CA) verifies the certificate, digital signature or key
- DHCP snooping: used against DHCP spoofing; helps in differentiating trusted and non-trusted ports
- Against ARP poisoning: DHCP snooping creates a MAC-to-IP table, and ARP packets are monitored and checked against the table

Birthday Attack

- A type of cryptographic attack that exploits the mathematics behind the birthday problem
- An attacker sends a query to the caching server, quickly followed by a response to that same query
- If the response appears valid to the caching server, it accepts it, adds the "poison" data to its cache and ignores subsequent responses for the same query

Birthday Attack Defense

Problem:
- DNS servers cannot restrict the number of simultaneous requests for the same IP.
- This paves the way for the birthday attack.

Solution:
- Restrict multiple DNS requests for the same resource
- Implement a birthday attack protection mechanism in the firewall
- Respond to the first DNS query and ignore the others: store the first request and set the flag to 1; subsequent requests reset the flag; respond to the first request and discard the rest.

Kaminsky Attack

- Transaction IDs prevent attackers from assigning their own IP to any domain, but they are ineffective as a security measure
- An attacker could flood a DNS server with multiple, slightly varied requests for a domain, such as "1.foo.com" or "2.foo.com"
- Transaction IDs can only be a number between 0 and 65535, and the attacker can launch multiple requests, so eventually the attacker could spoof a domain by matching the ID through chance
- Once this domain is spoofed, the attacker can flood a name server with spoofed replies to poison its cache for the domain being attacked, "foo.com"
- Requests for foo.com would then direct a user to a site of the attacker's choosing

Kaminsky Attack Defense

- Randomize the UDP source port used to send the DNS query, so the attacker has to guess that port correctly as well
- Increase the space of possible IDs
- The "real" fix is to notice a lot of requests and only communicate using TCP, which can't be spoofed
- A further fix would be to have carriers communicate using DNSSEC, a form of DNS which is encrypted
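The query coalescing from the birthday-attack defense and the transaction-ID plus random-source-port check from the Kaminsky defense, modelled together in an added Python example (not code from the slides; the CoalescingResolver class, the foo.com. query and the 192.0.2.10 / 198.51.100.7 addresses are constructed for illustration):

```python
"""Resolver-side defenses from the slides, as an added model (not deck code).

Two countermeasures are combined:
  * query coalescing: only the first query for a name goes upstream, later
    identical queries wait on it, so an attacker cannot multiply the number
    of in-flight transactions to exploit the birthday bound;
  * reply validation: a reply is accepted only if its transaction ID and the
    UDP source port match the single in-flight query, so a blind spoofer must
    guess roughly 32 bits instead of 16.
"""
import secrets


class CoalescingResolver:
    def __init__(self):
        self.cache = {}     # qname -> answer (the "poison" would land here)
        self.pending = {}   # qname -> (txid, port) of the one in-flight query

    def query(self, qname):
        """Return 'cached', 'sent' (new upstream query) or 'coalesced'."""
        if qname in self.cache:
            return "cached"
        if qname in self.pending:
            return "coalesced"          # flag already set: do not re-query
        txid = secrets.randbelow(1 << 16)              # random 16-bit ID
        port = 1024 + secrets.randbelow(65536 - 1024)  # random source port
        self.pending[qname] = (txid, port)
        return "sent"

    def expected(self, qname):
        """(txid, port) the resolver is waiting for, or None."""
        return self.pending.get(qname)

    def on_response(self, qname, txid, port, answer):
        """Accept only the first matching reply; ignore spoofed or later ones."""
        if self.pending.get(qname) != (txid, port):
            return False
        self.cache[qname] = answer
        del self.pending[qname]
        return True


def spoof_success_probability(packets, port_randomized):
    """Chance that `packets` blind guesses hit the in-flight (txid, port)."""
    space = 2 ** 32 if port_randomized else 2 ** 16   # port space approximated as 2^16
    return 1 - (1 - 1 / space) ** packets
```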

DNSSEC

- DNSSEC is an enhancement to the DNS protocol that integrates cryptographic authentication into DNS messages.
- DNSSEC assures data integrity, mitigating man-in-the-middle and cache-poisoning attacks using a "chain of trust."
- DNSSEC works by digitally signing records for DNS lookup using public-key cryptography.
- The correct DNSKEY record is authenticated via a chain of trust, starting with a set of verified public keys for the DNS root zone, which is the trusted third party.
- Requires DNSSEC to be enabled on authoritative and cache machines

Attack Demonstration

1. Log in to the attacker machine
2. Enable ettercap to redirect traffic to the attacker's machine
3. Verify that traffic now passes through the attacker
4. Edit the etter.dns file to spoof the DNS response for google.com
5. Verify that the client now gets a spoofed response

Attack Successful !!!

Enabling DNSSEC

1. Log in to the authoritative machine
2. Using zonesigner, create signed copies of google.com
3. Open named.conf.options and make the necessary changes
4. In the named.conf.local file, make a change for the signed copy of google.com
5. Restart the bind9 service to apply the changes
6. Verify DNSSEC is working
7. Copy the public key for the signed google.com
8. Repeat the same steps on the cache machine
9. Log in to the client machine and use dig with DNSSEC
10. Obtaining authoritative answers verifies that DNSSEC is working
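A check for the last step, as an added Python example that is not part of the slides: it parses the text output of `dig +dnssec google.com @<cache>` and reports the indicators that validation worked (DO bit sent, RRSIG returned for the queried RRset, `ad` flag set by the cache). The dig output embedded below is constructed to mimic the signed test zone, and the RRSIG signature and key tag are placeholders.

```python
"""Check `dig +dnssec` output for the signs that DNSSEC validation worked.

Added illustration, not code from the deck. The sample below is constructed
to mimic the signed google.com test zone on the slides; the RRSIG is a
placeholder, not a real signature.
"""
import re

SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31337
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;google.com.\t\t\tIN\tA

;; ANSWER SECTION:
google.com.\t3600\tIN\tA\t192.0.2.10
google.com.\t3600\tIN\tRRSIG\tA 8 2 3600 20240301000000 20240201000000 12345 google.com. PLACEHOLDERSIG==
"""

def parse_dig(text):
    """Return (header flags, EDNS flags, answer-section records as token lists)."""
    m = re.search(r"^;; flags:\s*([^;]*);", text, re.M)
    flags = set(m.group(1).split()) if m else set()
    m = re.search(r"^; EDNS: version: \d+, flags:\s*([^;]*);", text, re.M)
    edns = set(m.group(1).split()) if m else set()
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False             # next section header ends the answers
        if in_answer and line.strip() and not line.startswith(";"):
            answers.append(line.split())  # owner, ttl, class, type, rdata...
    return flags, edns, answers

def dnssec_status(text, qtype="A"):
    """Which DNSSEC indicators are present: DO bit sent, RRSIG returned, ad set."""
    flags, edns, answers = parse_dig(text)
    covered = {rr[4] for rr in answers if len(rr) > 4 and rr[3] == "RRSIG"}
    return {
        "do_bit_sent": "do" in edns,        # client asked for signatures
        "rrsig_present": qtype in covered,  # the zone really is signed
        "authenticated": "ad" in flags,     # cache validated the chain of trust
    }
```

An answer with RRSIG records but no `ad` flag means the zone is signed but the cache is not validating; no RRSIG at all means the authoritative side was not set up with the signed copy.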




Conclusion

- DNS is an important protocol; the current Internet system fails without DNS
- It is vulnerable and can be easily attacked
- Implementation of DNSSEC can help mitigate the vulnerability
