Talk by Jonathan Oxer at Linux Users Victoria in April 2007 about how DNS works. Covers authoritative and recursive DNS, delegation, and attack vectors including cache poisoning and DNS forgery. More information at http://jon.oxer.com.au/talks/id/66

1. Introduction To DNS everything you never wanted to know about IP directory services Linux Users Victoria, April 3 rd 2007 Jonathan Oxer <jon@ivt.com.au>

2. what is the domain name system anyway? Introduction To DNS Jonathan Oxer < [email_address] >

3. it's like a phone book ...kinda Introduction To DNS Jonathan Oxer < [email_address] >

4. DNS is (1) a directory service Introduction To DNS Jonathan Oxer < [email_address] >

5. DNS is (2) an identity mechanism Introduction To DNS Jonathan Oxer < [email_address] >

6. DNS is (3) a namespace structure Introduction To DNS Jonathan Oxer < [email_address] >

7. DNS is (4) an abstraction layer Introduction To DNS Jonathan Oxer < [email_address] >

8. think of the phone book... Introduction To DNS Jonathan Oxer < [email_address] >

9. maps hostnames to IP addresses Introduction To DNS Jonathan Oxer < [email_address] >

10. maps jon.oxer.com.au to 221.133.213.151 Introduction To DNS Jonathan Oxer < [email_address] >

11. forward vs reverse Introduction To DNS Jonathan Oxer < [email_address] >

12. maps jon.oxer.com.au to 221.133.213.151 Introduction To DNS Jonathan Oxer < [email_address] >

13. maps 221.133.213.151 to jon.oxer.com.au Introduction To DNS Jonathan Oxer < [email_address] >

14. simple beginnings: hosts.txt Introduction To DNS Jonathan Oxer < [email_address] >

15. ...but phone books Introduction To DNS Jonathan Oxer < [email_address] >

16. ...but phone books don't Introduction To DNS Jonathan Oxer < [email_address] >

17. ...but phone books don't Introduction To DNS Jonathan Oxer < [email_address] > scale

18. so modern DNS is managed like a distributed phone book Introduction To DNS Jonathan Oxer < [email_address] >

19. DNS is (5) delegation of authority Introduction To DNS Jonathan Oxer < [email_address] >

20. a “zone” defines an area of authority Introduction To DNS Jonathan Oxer < [email_address] >

21. think of it as an inverted tree Introduction To DNS Jonathan Oxer < [email_address] >

22. Introduction To DNS Jonathan Oxer < [email_address] >

23. anatomy of a host name Introduction To DNS Jonathan Oxer < [email_address] >

24. (a host name is a record inside a domain name) Introduction To DNS Jonathan Oxer < [email_address] >

25. read right to left: jon.oxer.com.au. Introduction To DNS Jonathan Oxer < [email_address] >

26. yes, it really ends in a dot! Introduction To DNS Jonathan Oxer < [email_address] >

27. root zone: jon.oxer.com.au . Introduction To DNS Jonathan Oxer < [email_address] >

28. top level domain: jon.oxer.com .au . Introduction To DNS Jonathan Oxer < [email_address] >

29. 2nd level zone: jon.oxer .com .au. Introduction To DNS Jonathan Oxer < [email_address] >

30. 3rd level zone: jon .oxer .com.au. Introduction To DNS Jonathan Oxer < [email_address] >

31. host name: jon .oxer.com.au. Introduction To DNS Jonathan Oxer < [email_address] >

32. back to that dot: jon.oxer.com.au . Introduction To DNS Jonathan Oxer < [email_address] >

33. “ ICANN's 13” : the A to M root servers Introduction To DNS Jonathan Oxer < [email_address] >

34. root.hints Introduction To DNS Jonathan Oxer < [email_address] >

35. “ There can be only 13” Introduction To DNS Jonathan Oxer < [email_address] >

36. (UDP packets limited to 512B) Introduction To DNS Jonathan Oxer < [email_address] >

37. A response with more than 13 entries > 512B Introduction To DNS Jonathan Oxer < [email_address] >

38. root servers replicated globally using anycast Introduction To DNS Jonathan Oxer < [email_address] >

39. Introduction To DNS Jonathan Oxer < [email_address] >

40. root servers delegate ccTLDs, gTLDs, and iTLDs Introduction To DNS Jonathan Oxer < [email_address] >

41. so what is this “ delegation” of which you speak? Introduction To DNS Jonathan Oxer < [email_address] >

42. registries, registrars, resellers, registrants, InterNIC, ICANN, OpenSRS, oh my! Introduction To DNS Jonathan Oxer < [email_address] >

43. Introduction To DNS Jonathan Oxer < [email_address] >

44. ICANN controls the registries Introduction To DNS Jonathan Oxer < [email_address] >

45. registries control the registrars Introduction To DNS Jonathan Oxer < [email_address] >

46. registrars control delegations Introduction To DNS Jonathan Oxer < [email_address] >

47. domain allocation policies Introduction To DNS Jonathan Oxer < [email_address] >

48. own or lease? Introduction To DNS Jonathan Oxer < [email_address] >

49. trademarks and disputes Introduction To DNS Jonathan Oxer < [email_address] >

50. Introduction To DNS Jonathan Oxer < [email_address] >

51. alt roots (alternative DNS roots) Introduction To DNS Jonathan Oxer < [email_address] >

52. DNS works because we agree to let it work Introduction To DNS Jonathan Oxer < [email_address] >

53. alt roots are just alternative agreements Introduction To DNS Jonathan Oxer < [email_address] >

54. Introduction To DNS Jonathan Oxer < [email_address] >

55. critical concept alert! Introduction To DNS Jonathan Oxer < [email_address] >

56. authoritative vs recursive servers Introduction To DNS Jonathan Oxer < [email_address] >

57. authoritative servers answer questions about zones they own Introduction To DNS Jonathan Oxer < [email_address] >

58. recursive resolvers query other servers on your behalf Introduction To DNS Jonathan Oxer < [email_address] >

59. recursive lookups require multiple queries Introduction To DNS Jonathan Oxer < [email_address] >

60. Introduction To DNS Jonathan Oxer < [email_address] >

72. caching good! Introduction To DNS Jonathan Oxer < [email_address] >

73. caching bad! Introduction To DNS Jonathan Oxer < [email_address] >

74. beware the cache Introduction To DNS Jonathan Oxer < [email_address] >

75. caching: in the recursive DNS resolver Introduction To DNS Jonathan Oxer < [email_address] >

76. (Big Pond bad! Bad, I say!) Introduction To DNS Jonathan Oxer < [email_address] >

77. caching: in your OSs resolver library Introduction To DNS Jonathan Oxer < [email_address] >

78. caching: directly inside applications Introduction To DNS Jonathan Oxer < [email_address] >

79. (IE very bad too!) Introduction To DNS Jonathan Oxer < [email_address] >

80. internationalisation Introduction To DNS Jonathan Oxer < [email_address] >

81. anatomy of a zone[file] Introduction To DNS Jonathan Oxer < [email_address] >

82. ; zone file for example.com. $TTL 2d ; 172800 TTL @ IN SOA ns1.example.com. hostmaster.example.com. ( 2007040304 ; serial 12h ; refresh 15m ; retry 3w ; expiry 3h ; minimum ) IN NS ns1.myprovider.com. IN NS ns1.example.com. IN MX 10 mail.example.net. homer IN A 192.168.254.3 marge IN A 192.168.12.15 www IN CNAME homer vpn IN CNAME marge Introduction To DNS Jonathan Oxer < [email_address] >

83. types of DNS records Introduction To DNS Jonathan Oxer < [email_address] >

84. “ A” (address) links names and IPv4 addresses Introduction To DNS Jonathan Oxer < [email_address] >

85. “ AAAA” (address) links names and IPv6 addresses Introduction To DNS Jonathan Oxer < [email_address] >

86. “ CNAME” (canonical name) aliases names to other names Introduction To DNS Jonathan Oxer < [email_address] >

87. “ MX” (mail exchange) name of machine for mail delivery Introduction To DNS Jonathan Oxer < [email_address] >

88. “ NS” (name server) name of DNS server for a zone Introduction To DNS Jonathan Oxer < [email_address] >

89. “ TXT” (text) arbitrary text string Introduction To DNS Jonathan Oxer < [email_address] >

90. “ NAPTR” (naming auth pointer) fun with regex Introduction To DNS Jonathan Oxer < [email_address] >

91. “ SOA” (start of authority) controls inter-server data synchronisation Introduction To DNS Jonathan Oxer < [email_address] >

92. SOA (Start Of Authority) Introduction To DNS Jonathan Oxer < [email_address] >

93. SOA sets TTL (Time To Live) Introduction To DNS Jonathan Oxer < [email_address] >

94. TTL says how long data may be cached Introduction To DNS Jonathan Oxer < [email_address] >

95. SOA parameters Serial : identifies version of SOA Introduction To DNS Jonathan Oxer < [email_address] >

96. SOA parameters Refresh : seconds between updates Introduction To DNS Jonathan Oxer < [email_address] >

97. SOA parameters Retry : seconds to wait after failure Introduction To DNS Jonathan Oxer < [email_address] >

98. SOA parameters Expire : seconds before data flushed Introduction To DNS Jonathan Oxer < [email_address] >

99. SOA parameters Minimum : used now for negative caching Introduction To DNS Jonathan Oxer < [email_address] >

100. circular dependencies: self-delegation Introduction To DNS Jonathan Oxer < [email_address] >

101. the solution: glue records Introduction To DNS Jonathan Oxer < [email_address] >

102. breaking your brain: reverse DNS Introduction To DNS Jonathan Oxer < [email_address] >

103. Let's look up 1.2.3.4! Introduction To DNS Jonathan Oxer < [email_address] >

104. 4.3.2.1.in-addr.arpa. Introduction To DNS Jonathan Oxer < [email_address] >

105. security Introduction To DNS Jonathan Oxer < [email_address] >

106. DNS cache poisoning Introduction To DNS Jonathan Oxer < [email_address] >

107. Introduction To DNS Jonathan Oxer < [email_address] >

108. Practical example: Dr Evil wants to take over “ www.bigbank.com” Introduction To DNS Jonathan Oxer < [email_address] >

109. Dr Evil attack vector #1 redirecting the target domain's nameserver Introduction To DNS Jonathan Oxer < [email_address] >

110. (1) Dr Evil creates a sub-zone of a zone he controls, such as “ bigbank.dr-evil.com” Introduction To DNS Jonathan Oxer < [email_address] >

111. (2) Dr Evil delegates his evil zone to “ www.bigbank.com” Introduction To DNS Jonathan Oxer < [email_address] >

112. (3) Dr Evil configures his DNS server to return the wrong IP address for “www.bigbank.com” Introduction To DNS Jonathan Oxer < [email_address] >

113. (4) Dr Evil issues a DNS lookup for “ bigbank.dr-evil.com” to your DNS resolver Introduction To DNS Jonathan Oxer < [email_address] >

114. (5) Your DNS server caches the evil IP and uses it for future requests for “ www.bigbank.com” Introduction To DNS Jonathan Oxer < [email_address] >

115. what happened? request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.dr-evil.com. 3600 IN NS www.bigbank.com. Additional section: www.bigbank.com. IN A 1.2.3.4 Introduction To DNS Jonathan Oxer < [email_address] >

116. what happened? request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.dr-evil.com. 3600 IN NS www.bigbank.com. Additional section: www.bigbank.com. IN A 1.2.3.4 Introduction To DNS Jonathan Oxer < [email_address] >

117. what happened? request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.dr-evil.com. 3600 IN NS www.bigbank.com. Additional section: www.bigbank.com. IN A 1.2.3.4 Introduction To DNS Jonathan Oxer < [email_address] >

118. what happened? request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.dr-evil.com. 3600 IN NS www.bigbank.com. Additional section: www.bigbank.com. IN A 1.2.3.4 Introduction To DNS Jonathan Oxer < [email_address] >

119. Introduction To DNS Jonathan Oxer < [email_address] >

120. Dr Evil attack vector #2 redirect the NS record of the target domain Introduction To DNS Jonathan Oxer < [email_address] >

121. compare this with... request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.dr-evil.com. 3600 IN NS www.bigbank.com. Additional section: www.bigbank.com. IN A 1.2.3.4 Introduction To DNS Jonathan Oxer < [email_address] >

122. ...alternative attack request: bigbank.dr-evil.com. IN A response: Answer: (no response) Authority section: bigbank.com. 3600 IN NS ns.dr-evil.com. Additional section: ns.dr-evil.com. IN A 1.2.3.4 Introduction To DNS Jonathan Oxer < [email_address] >

123. Dr Evil attack vector #3 DNS forgery: respond before the real nameserver Introduction To DNS Jonathan Oxer < [email_address] >

124. not as easy as it sounds! Introduction To DNS Jonathan Oxer < [email_address] >

125. do a “ birthday attack” against the nonce value Introduction To DNS Jonathan Oxer < [email_address] >

126. Introduction To DNS Jonathan Oxer < [email_address] > Start with the Taylor series approximation to the probability of a “nonce” value collision where “n” is the number of attempts and “H” is the number of unique outputs: Invert the expression: Now assigning a 0.5 probability of collision: So it's obvious that for a 16 bit hash there are 65536 outputs, ie: only 301 attempts are required to generate a collision by brute force!

127. Introduction To DNS Jonathan Oxer < [email_address] > Start with the Taylor series approximation to the probability of a “nonce” value collision where “n” is the number of attempts and “H” is the number of unique outputs: Invert the expression: Now assigning a 0.5 probability of collision: So it's obvious that for a 16 bit hash there are 65536 outputs, ie: only 301 attempts are required to generate a collision by brute force!

128. Introduction To DNS Jonathan Oxer < [email_address] > Start with the Taylor series approximation to the probability of a “nonce” value collision where “n” is the number of attempts and “H” is the number of unique outputs: Invert the expression: Now assigning a 0.5 probability of collision: So it's obvious that for a 16 bit hash there are 65536 outputs, ie: only 301 attempts are required to generate a collision by brute force!

129. 301 attempts against 2 x16 hash Introduction To DNS Jonathan Oxer < [email_address] >

130. secure zone transfers Introduction To DNS Jonathan Oxer < [email_address] >

131. (mis?)using DNS Introduction To DNS Jonathan Oxer < [email_address] >

132. TCP-over-DNS Introduction To DNS Jonathan Oxer < [email_address] >

133. dynamic DNS Introduction To DNS Jonathan Oxer < [email_address] >

134. SPF Introduction To DNS Jonathan Oxer < [email_address] >

135. useful tools nslookup Introduction To DNS Jonathan Oxer < [email_address] >

136. useful tools nslookup Introduction To DNS Jonathan Oxer < [email_address] >

137. useful tools whois Introduction To DNS Jonathan Oxer < [email_address] >

138. useful tools dig Introduction To DNS Jonathan Oxer < [email_address] >

139. DNS server software Introduction To DNS Jonathan Oxer < [email_address] >

140. authoritative and recursive: BIND, MaraDNS Introduction To DNS Jonathan Oxer < [email_address] >

141. authoritative: MyDNS, tinydns Introduction To DNS Jonathan Oxer < [email_address] >

142. recursive: dnscache Introduction To DNS Jonathan Oxer < [email_address] >

143. master vs slave Introduction To DNS Jonathan Oxer < [email_address] >

144. firewall issues port 53 UDP and TCP Introduction To DNS Jonathan Oxer < [email_address] >

145. Introduction To DNS Jonathan Oxer < [email_address] >

146. Introduction to DNS Thankyou :-) questions? Slid es: jon.oxer.com.au/talks Contact: Jonathan Oxer < [email_address] > We're hiring! www.ivt.com.au/jobs