
DNS Cache Poisoning
Chris Racki
CMPT-585
Dr. Robila
8 Dec 2008

Abstract

Using the internet, any computer can theoretically communicate with any other computer in the world, so long as both are connected to the internet. Amidst all of the computers connected to the internet, how do you know where the computer that you want to talk to is located? The answer is to use DNS, which serves as an internet phone book of sorts, linking us to anywhere that we might want to go. As many requests to DNS servers will be repeated, it makes sense to cache the results and reuse them to improve performance. This caching functionality opens up a risk of compromising the integrity of the DNS server by making it susceptible to DNS cache poisoning attacks. DNS cache poisoning attacks can potentially assign any IP address to any internet address. DNS cache poisoning is not new, but recently a new approach to the attack has been discovered that makes it much more effective and potent. Finally, as a curiosity, some commonly available DNS server safety check tools were tested to determine the current state of this author’s internet service provider’s DNS server.

Introduction

The internet has had a very colorful history so far. Its reach and influence continue to increase. We continually learn of new applications for the internet, and we continue to push more and more of our lives into the web. More and more electronic devices that we rely on in daily life are dependent on the internet, in turn making us dependent on the internet to some degree. We are placing a tremendous amount of blind faith in the reliability of the internet. This would not be a problem if the internet were in fact reliable. However, the internet is vulnerable at many points of weakness. One such point of weakness is in the very foundation of the infrastructure of the internet. The internet is at its base flawed and vulnerable to severe compromise.
The system on the internet responsible for navigating users to their appropriate locations, DNS, is exposed to attack by its very design. In the summer of 2008 a new threat to this system was discovered that drove fear and almost panic into the entire internet security community. This threat is a new application of the classic DNS Cache Poisoning attack.

Internet navigation

Using the internet, any computer can theoretically communicate with any other computer in the world, so long as both are connected to the internet. The obvious question becomes: amidst all of the computers connected to the internet, how do you know where the computer that you want to talk to is located? We can find a very convenient real-world analogy for this. If you want to telephone Dr. Robila at Montclair State University in New Jersey, how do you know which phone is his? Unless we call Dr. Robila on a regular basis, we don’t know his direct number. So in this case we need to look up his number in a telephone book. Once we get his number from the phone book, we can call him.

The internet works in much the same way. When a user attempts to connect to a computer on the internet, in other words visit a website or access some other resource, the client computer sends that request to its internet service provider. When the request is to visit a commonly visited website, such as www.google.com, the internet service provider may already know where it is, and it provides the connection information to the client. If the request is for something that the internet service provider doesn’t know, then it must look it up, much as we looked up Dr. Robila’s phone number in the telephone book. In technical terms, this phonebook is called a DNS (Domain Name System) [1].

DNS

In the early days that pre-dated the internet as we know it today, there weren’t very many computers interconnected, and so the problem of locating computers was much simpler.
Back then there was no internet; it was just ARPAnet (Advanced Research Projects Agency Network). Many people consider this to be the beginning of the internet. ARPAnet was a computer network developed by the United States Department of Defense to facilitate communication among computers [6]. When a computer wanted to connect to another in the network, it would look up the receiving computer’s address in a file called HOSTS.TXT [1]. This file was stored on a computer at SRI (Stanford Research Institute), which is now known as SRI International [7].

As networks began to grow, it became apparent that this system would not be feasible. Using a host file to store lookup information has many drawbacks that become painfully more apparent as the network grows. The main drawback is that when there are many host files and the address of a computer changes, all of the host files that refer to it must be updated.

The answer to this problem came in 1983, when the first DNS system was invented by Paul Mockapetris. In 1984 the first UNIX-based implementation was developed at the University of California, Berkeley. The system was called BIND (Berkeley Internet Name Domain). BIND has evolved greatly since that time, currently existing at version 9. There are other DNS systems available and in use, but BIND remains the most commonly used DNS on the internet [1].

How DNS works

When we wanted to look up Dr. Robila’s phone number, we looked in the phone book. This assumes that we know which phone book to look in. There are in fact many different phone books, to make all of the records more manageable. In certain cases we may not even know which phone book we should consult. DNS functions much the same way. DNS is composed of a number of servers. Each server knows something that the others don’t, and combined they can offer us all of the information that we need. DNS can be viewed as a distributed database system.
There are 13 DNS root servers scattered in locations throughout the world serving the internet. Since they are a sort of starting point for many DNS requests, their IP addresses do not change often. This makes their addresses relatively constant and quite reliable. They are named A.ROOT-SERVERS.NET, B.ROOT-SERVERS.NET, …, M.ROOT-SERVERS.NET [9]. Each root server is responsible to serve a particular geographical location and is

