Security Analysis of DNS; Applications; Email

EE 122: Intro to Communication Networks
Fall 2007 (WF 4-5:30 in Cory 277)
Vern Paxson
TAs: Lisa Fowler, Daniel Killebrew, Jorge Ortiz
http://inst.eecs.berkeley.edu/~ee122/
Materials with thanks to Jennifer Rexford, Ion Stoica, and colleagues at Princeton and UC Berkeley

Announcements

- Next Wednesday's lecture will be given by Lisa
- I won't have my usual 3-4PM office hours next Wednesday, but will be available at the usual 3-4PM slot on Friday, as well as by appointment (via email), as always
- Reminder: first phase of Project 1 due next Wednesday by 11PM
  o The writeup has been updated for clarity; see mailing list archives for diffs
- Thanksgiving week: I'll give the same lecture twice, Mon 4-5:30PM (room TBD) and Weds (usual)

Goals of Today's Lecture

- Finish discussion of the workings of DNS
- DNS security analysis
- Applications in general, and Email in particular

    unix> dig +norecurse @a.root-servers.net in-addr.arpa ns

    ; <<>> DiG 9.3.4 <<>> +norecurse @a.root-servers.net in-addr.arpa ns
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62001
    ;; flags: qr aa; QUERY: 1, ANSWER: 12, AUTHORITY: 0, ADDITIONAL: 12

    ;; QUESTION SECTION:
    ;in-addr.arpa.                  IN      NS

    ;; ANSWER SECTION:
    in-addr.arpa.           86400   IN      NS      G.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      H.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      I.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      K.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      L.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      M.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      A.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      B.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      C.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      D.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      E.ROOT-SERVERS.NET.
    in-addr.arpa.           86400   IN      NS      F.ROOT-SERVERS.NET.

    unix> dig +norecurse @a.root-servers.net -x 64.236.24.12

    ;; QUESTION SECTION:
    ;12.24.236.64.in-addr.arpa.     IN      PTR

    ;; AUTHORITY SECTION:
    64.in-addr.arpa.        86400   IN      NS      dill.ARIN.NET.
    64.in-addr.arpa.        86400   IN      NS      BASIL.ARIN.NET.
    64.in-addr.arpa.        86400   IN      NS      henna.ARIN.NET.
    64.in-addr.arpa.        86400   IN      NS      indigo.ARIN.NET.
    64.in-addr.arpa.        86400   IN      NS      epazote.ARIN.NET.
    64.in-addr.arpa.        86400   IN      NS      figwort.ARIN.NET.
    64.in-addr.arpa.        86400   IN      NS      chia.ARIN.NET.

    ;; Query time: 93 msec
    ;; SERVER: 198.41.0.4#53(198.41.0.4)
    ;; WHEN: Thu Sep 20 23:50:49 2007
    ;; MSG SIZE  rcvd: 194

    unix> dig +norecurse @dill.arin.net -x 64.236.24.12

    ;; QUESTION SECTION:
    ;12.24.236.64.in-addr.arpa.     IN      PTR

    ;; AUTHORITY SECTION:
    236.64.in-addr.arpa.    86400   IN      NS      dns-02.atdn.net.
    236.64.in-addr.arpa.    86400   IN      NS      dns-01.atdn.net.

(no ADDITIONAL section)

    unix> dig +norecurse @dns-02.atdn.net -x 64.236.24.12

    ;; QUESTION SECTION:
    ;12.24.236.64.in-addr.arpa.     IN      PTR

    ;; ANSWER SECTION:
    12.24.236.64.in-addr.arpa. 3600 IN      PTR     www3.cnn.com.

    ;; AUTHORITY SECTION:
    24.236.64.in-addr.arpa. 3600    IN      NS      dns-02.atdn.net.
    24.236.64.in-addr.arpa. 3600    IN      NS      dns-01.atdn.net.

    ;; ADDITIONAL SECTION:
    dns-01.atdn.net.        3600    IN      A       64.12.51.136
    dns-02.atdn.net.        3600    IN      A       205.188.157.236

Inserting Resource Records into DNS

- Example: just created startup "FooBar"
- Get a block of address space from ISP
  o Say 212.44.9.128/25
- Register foobar.com at Network Solutions (say)
  o Provide registrar with names and IP addresses of your authoritative name server (primary and secondary)
  o Registrar inserts RR pairs into the com TLD server:
      (foobar.com, dns1.foobar.com, NS)
      (dns1.foobar.com, 212.44.9.129, A)
- Put in your (authoritative) server dns1.foobar.com:
  o Type A record for www.foobar.com
  o Type MX record for foobar.com

Setting up foobar.com (con't)

- In addition, need to provide reverse PTR bindings
  o E.g., 212.44.9.129 -> dns1.foobar.com
- Normally, these would go in 9.44.212.in-addr.arpa
- Problem: you can't run the name server for that domain. Why not?
  o Because your block is 212.44.9.128/25, not 212.44.9.0/24
  o And whoever has 212.44.9.0/25 won't be happy with you owning their PTR records
- Solution: ISP runs it for you
  o Now it's more of a headache to keep it up to date

Security Analysis of DNS

- What security issues does the design & operation of the Domain Name System raise?
- Degrees of freedom:

    DNS message format (each header row is two 16-bit fields):

    | Identification   | Flags            |
    | # Questions      | # Answer RRs     |
    | # Authority RRs  | # Additional RRs |
    | Questions (type, class, domain name)                    |
    | Answers (variable # of resource records)                |
    | Authority (variable # of resource records)              |
    | Additional information (variable # of resource records) |

Security Problem 1: Starbucks

- As you sip your latte and surf the Web, how does your laptop find google.com?
- Answer: it asks the local name server per Dynamic Host Configuration Protocol (DHCP) ...
  o ... which is run by Starbucks or their contractor
  o ... and can return to you any answer they please
  o ... including a "man in the middle" site that forwards your query to Google, gets the reply to forward back to you, yet can change anything they wish in either direction
- How can you know you're getting correct data?
  o Today, you can't. (Though if site is HTTPS, that helps)
  o One day, hopefully: DNSSEC extensions to DNS

Security Problem 2: Cache Poisoning

- Suppose you are a Bad Guy and you control the name server for foobar.com. You receive a request to resolve www.foobar.com and reply:

    ;; QUESTION SECTION:
    ;www.foobar.com.                IN      A

    ;; ANSWER SECTION:
    www.foobar.com.         300     IN      A       212.44.9.144

    ;; AUTHORITY SECTION:
    foobar.com.             600     IN      NS      dns1.foobar.com.
    foobar.com.             600     IN      NS      google.com.

    ;; ADDITIONAL SECTION:
    google.com.             5       IN      A       212.44.9.155

- Callouts on the ADDITIONAL record:
  o TTL of 5: evidence of the attack disappears 5 seconds later
  o Address 212.44.9.155: a foobar.com machine, not google.com

Cache Poisoning (con't)

- Okay, but how do you get the victim to look up www.foobar.com in the first place?
- Perhaps you connect to their mail server and send
  o HELO www.foobar.com
  o Which their mail server then looks up to see if it corresponds to your source address (anti-spam measure)
- Note, with compromised name server we can also lie about PTR records (address -> name mapping)
  o E.g., for 212.44.9.155 = 155.9.44.212.in-addr.arpa return google.com (or whitehouse.gov, or whatever)
  o If our ISP lets us manage those records as we see fit, or we happen to directly manage them

Security Summary

Cache Poisoning (con't)

- Suppose Bad Guy is at Starbuck's and they can sniff (or even guess) the identification field the local server will use in

    16 bits | 16 bits …
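An added example, not part of the lecture: the resolver-side check (commonly called bailiwick checking, a term the slides do not use) that keeps the poisoned reply for www.foobar.com shown above from seeding the cache. The record tuples are constructed from that slide, and the function names are hypothetical.

```python
# Added example: decide which records of a reply are safe to cache.
# Simplified model: ignores CNAME chains and glue matching.

def labels(name):
    """Lower-cased DNS labels of a name, without empty/root labels."""
    return [l for l in name.lower().split(".") if l]

def in_bailiwick(name, zone):
    """True if `name` is `zone` or a subdomain of it, compared label by label
    (a plain string suffix test would wrongly accept notfoobar.com)."""
    n, z = labels(name), labels(zone)
    return n[len(n) - len(z):] == z

def filter_response(zone, qname, response):
    """Split a reply from `zone`'s server into (accepted, rejected) records."""
    accepted, rejected = [], []
    for section, records in response.items():
        for owner, ttl, rtype, rdata in records:
            if section == "answer":
                ok = labels(owner) == labels(qname)   # must answer the question
            else:
                ok = in_bailiwick(owner, zone)        # server may only speak for its zone
            (accepted if ok else rejected).append((section, owner, rtype, rdata))
    return accepted, rejected

# Constructed from the slide: reply sent by the foobar.com name server.
POISONED = {
    "answer":     [("www.foobar.com.", 300, "A", "212.44.9.144")],
    "authority":  [("foobar.com.", 600, "NS", "dns1.foobar.com."),
                   ("foobar.com.", 600, "NS", "google.com.")],
    "additional": [("google.com.", 5, "A", "212.44.9.155")],
}

if __name__ == "__main__":
    ok, bad = filter_response("foobar.com", "www.foobar.com", POISONED)
    for rec in ok:
        print("cache ", rec)
    for rec in bad:
        print("reject", rec)   # the google.com A record from the ADDITIONAL section
```

The NS record naming google.com is kept because its owner, foobar.com, is in the zone; the resolver then has to resolve google.com through the normal delegation chain instead of trusting the attacker's address for it.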
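An added example, not part of the lecture, for the reverse-PTR discussion of foobar.com's 212.44.9.128/25 block: it derives the in-addr.arpa names and shows which other block shares the same reverse zone. It uses Python's standard ipaddress module; the function names are hypothetical.

```python
# Added example: why a /25 holder cannot simply run its own reverse zone.
import ipaddress

def ptr_name(addr):
    """in-addr.arpa owner name of the PTR record for an IPv4 address."""
    return ipaddress.ip_address(addr).reverse_pointer

def enclosing_reverse_zone(block):
    """Smallest octet-aligned in-addr.arpa zone that contains `block`.
    Reverse zones follow octet boundaries, so a /25 falls inside a /24 zone."""
    net = ipaddress.ip_network(block)
    whole_octets = net.prefixlen // 8
    parts = str(net.network_address).split(".")[:whole_octets]
    return ".".join(list(reversed(parts)) + ["in-addr", "arpa"])

def zone_cotenants(block):
    """Other blocks of the same size whose PTR records live in the same
    reverse zone; empty when the block is octet-aligned."""
    net = ipaddress.ip_network(block)
    aligned = (net.prefixlen // 8) * 8
    if aligned == net.prefixlen:
        return []
    parent = net.supernet(new_prefix=aligned)
    return [str(s) for s in parent.subnets(new_prefix=net.prefixlen) if s != net]

if __name__ == "__main__":
    print(ptr_name("64.236.24.12"))                   # name queried in the dig runs
    print(ptr_name("212.44.9.129"))                   # PTR owner for dns1.foobar.com
    print(enclosing_reverse_zone("212.44.9.128/25"))  # zone the ISP ends up running
    print(zone_cotenants("212.44.9.128/25"))          # neighbour sharing that zone
```

Whoever controls the enclosing zone controls the PTR answers for every co-tenant, which is also why PTR results are only as trustworthy as the operator of that zone.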