DNS Study Guide
DNS spoofing
- is a term referring to the action of answering a DNS request that was intended for another server (a "real" DNS server). This can be in a server-server exchange (a DNS server asks another for a mapping) or in a client-server dialog (when a client asks a DNS server for a mapping). There is no functional difference. The hacker "spoofs" the DNS server's answer by answering with the DNS server's IP address in the packets' source-address field. But this is not enough to spoof a DNS reply. DNS uses ID number to identify queries and answer, so the hacker needs to find the ID the client is waiting for.
A zone transfer
DNS zone transfer, also sometimes known by the inducing DNS query type AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to replicate DNS databases across a set of DNS servers.
DKIM record
stands for Domain Keys Identified Mail. DKIM is an email validation system designed to detect email spoofing by providing encryption authentication to receiving mail exchangers. It will check whether the incoming mail domain is authorized by the domain's administrators and that the email (including attachments) has not been modified during transport. A digital signature included with the message can be validated by the recipient using the signer's public key published in the DNS.
NS Record
stands for Name Server record. NS Records maps a domain name to a list of authoritative DNS servers.
Type the following command to see the current status of BIND server:
service bind9 status status - Display status of the server.
Type the following command to stop BIND server:
service bind9 stop stop - Save pending updates to master files and stop the server.
PTR record
stands for Reverse lookup record or Pointer record. A PTR record maps the IP address to a specific host.
CNAME Record
stands for Canonical Name. CNAME record is used to create aliases that point to other names such as WWW, FTP, MAIL & subdomains to a domain name. Example : a CNAME record can associate the subdomain www.2daygeek.com with 2daygeek.com
SPF Record
stands for Sender Policy Framework. SPF is an extension to the SMTP mail protocol which is used for e-mail authentication. SPF record used to verifies that the message came from an authorized mail server or not. SPF is designed to detect SPAM & PHISHING mail sender's, IP address which was included in e-mail header.
SOA record
stands for Start of Authority records. SOA records contain information about a DNS zone such as Primary nameserver, Hostmaster E-mail address, zone file seriel number, zone transfer interval and zone expiry details.
MX Record
stands for mail exchange record. MX Records maps a domain name to a list of mail exchange servers.
TXT Record
stands for text record. A TXT record is a type of DNS record that provides text information to sources outside your domain. The text can be either human-or machine-readable and can be used for a variety of purposes.
apt-get install
the command-line tool for working with APT software packages. APT (the Advanced Packaging Tool) is an evolution of the Debian .deb software packaging system. It is a rapid, practical, and efficient way to install packages on your system.
nameserver
- A name server translates domain names into IP addresses. - a nameserver is any server that has DNS software installed on it. But usually, "nameserver" refers to a server owned by a web host that is specifically used to manage the domain names associated with their web hosting customers. When it comes to your own domain, your domain's nameservers are used to point any traffic that types in your domain name to a specific web server at a specific web host.
DNS protocols
- DNS spoofing - DNS ID hacking - DNS cache poisoning
named-checkzone
- checks the syntax and integrity of a zone file. named-checkzone domain.com /var/named/zone.domain.com
named-checkconf
- checks the syntax, but not the semantics, of a named configuration file. named-checkconf /etc/named.conf
DNS cache
- relates to an attack consisting of making a DNS server cache false information: usually, a wrong record that will map a name to a "wrong" IP address. We will see that there are different ways for a hacker to do that, and that they are often related to DNS spoofing. - With DNS cache poisoning, the hacker will try to make a DNS answer something he wants for a specific request. - For instance, try to make the ns.defense.gov DNS to answer with the IP of the hacker's computer to any query about the IP of telnetaccess.defense.gov. Cache poisoning can be done by related data or unrelated data attacks (we will see what these are later), as well as by using DNS spoofing.
Ways to secure a server
-Forbid recursive queries to prevent spoofing, -Update BIND as often as possible to limit bug problems -To avoid having a single point of failure, do not put all DNS servers on the same subnet, or even behind the same router or the same leased line -Restrict the possible queries and the possible hosts who are allowed to query to the mini mum. - Restrict zone transfers -Split service by splitting the DNS server into two separate architectures in case of a breach, the external dns is affected and not the internal hosts.
BIND9 Configuration files are stored in:
/etc/bind/
The main bind9 configuration is stored in the following files:
/etc/bind/named.conf /etc/bind/named.conf.options /etc/bind/named.conf.local
Cname
A Canonical Name or CNAME record is a type of DNS record that maps an alias name to a true or canonical domain name. CNAME records are typically used to map a subdomain such as www or mail to the domain hosting that subdomain's content.
Zone file
A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS.
mx record
A mail exchanger record (MX record) is a type of certified and verified resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain, and a preference value used to prioritize mail delivery if multiple mail servers are available.
DNS ID hacking
DNS ID Hacking isn't a usual way of hacking/spoofing. This method is based on a vulnerability on DNS Protocol. More brutal, the DNS ID hack/spoof is very efficient is very strong because there is no generation of DNS daemons that escapes from it. As I explained before, the DNS ID hacking is a necessary technique for a hacker to succeed in impersonating a DNS server (this is the basic of DNS spoofing). Indeed, to be able to forge a fake answer, the hacker must first use the DNS server's IP address as a source for his own IP packet, and then use the correct ID number without which the client won't take the reply into account. The client will send a query to the DNS server using a specific ID number. The server will reply using the same ID number. This is the number the hacker has to find.
What is a fw and how to configure?
Firmware,
What to put on a DMZ?
Here are examples of systems to put on your DMZ: -A Web server that holds public information. The front end to an e-commerce transaction server through which orders are placed. Keep the back end, where you store client information, behind the firewall. -A mail server that relays outside mail to the inside. -Authentication services and servers that let you in to the internal net. -VPN endpoints. -Application gateways. -Test and staging servers.
DNS server attacks
It is quite difficult to detail any of those attacks. They are evolving way too fast. As soon as a bug is discovered, a patch is released and the contrary is also true. Two kinds of attacks can aim at the server instead of the DNS protocol itself (ref. 6). -Attacks taking advantage of bugs in DNS Software implementation (buffer overflows in BIND for instance) or in any other running service on the DNS server machine (ref. 7). - Attack by Denial of Service (using flooding for instance, of the DNS service using in-band attacks, or of the machine in general using ICMP smurfing for example)
Steps of DNS ID hacking
On a LAN, getting the ID is pretty easy: all the hacker has to do is sniff the network for the initial query and answer quicker than the DNS (which is very easy on a LAN). The late reply from the real DNS server will be discarded. When the hacker is not on the same LAN as the victim client, he has four options to try to guess the ID: 1 -Test all the possible values of the ID flag (or as many random values as you can before the NS replies): this is quite an obsolete method and quite useless since its only advantage is that it will let you know what the ID is. 2 -Flood the DNS server to buy some m ore time for trying different ID numbers. The hacker can even hope it will crash the server. 3 -Send a few hundred replies at the same time to increase his chances to find the good ID. The hacker can do that several times one after the other with different ranges until the server replies. 4 -Use a vulnerability in the server, knowing that some of them just increase the ID number from one request to another. This works in a server- server dialog (The "client" in our last figure is a DNS server, and the hacker is trying to poison its cache). In that case, the hacker can first make a request to the "client" using a host name in a zone controlled by the hacker, and sniff the ID used by the victim DNS server.
TCP 3-way handshake
Sender sends a SYN, Receiver sends a SYNACK, Sender sends an ACK A three-way handshake is a method used in a TCP/IP network to create a connection between a local host/client and server. It is a three-step method that requires both the client and server to exchange SYN and ACK (acknowledgment) packets before actual data communication begins.
In virtualization, the hypervisor (also called a virtual machine monitor) is the low-level program that allows..
multiple operating systems to run concurrently on a single host computer. Hypervisors use a thin layer of code in software or firmware to allocate resources in real-time. You can think of the hypervisor as the traffic cop that controls I/O and memory management.
"a" record
The A record maps a name to one or more IPv4 addresses, when the IP are known and stable.
AAAA record
The DNS record that maps a hostname to a 128-bit IPv6 address. This is also known as the IPv6 address record.
Related DNS attack
The attack is exactly the same as an unrelated data attack, but this time the hacker has to make the "extra" information related to the original query. He solves this problem by adding MX, CNAME or NS records, which point to unrelated data. Those three records we can find in a DNS database are not a real "mapping" between an IP address and a hostname. They point to some other useful information (MX: mail server for a domain, CNAME: Canonical name for an alias, NS: DNS servers for a domain). Therefore, the information in these records is "related" to the original request, but they can point to totally different information the hacker wants to be cached. This problem has also been fixed in BIND, by rejecting all the "out of zone" information, that is to say all the information that is not fully and directly related to the zone the DNS is responsible for.
Unrelated data attack
This was the first attack, the simplest and the most widely used: 1- The hacker asks the victim DNS for a nonexistent name mapping in a domain for which he controls the DNS. The hacker uses a "recursive" query so that the remote DNS server will make further inquiries by itself. 2- The remote DNS, which is not aware of such mapping, will go and ask the DNS server responsible for the required domain. Remember this server is under the control of the hacker. 3- The hacker will answer, and add in the answer anything he wants to be cached in the victims DNS cache. That way, he will have poisoned the cache of the remote DNS server. This problem has been fixed in BIND, by forbidding anything that is not related to the original request to be cached.
DMZ Network
a physical or logical sub-network that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. Generally speaking when setting up a DMZ scenario you need two firewalls or firewall/routers. A DMZ scenario involved an open, ore general open area where you host services like http, ftp, maybe VPN, etc.... and then a second network behind your DMZ that is your internal Network.
dig
dig (domain information groper) is a network administration command-line tool for querying Domain Name System (DNS) servers.
host command
is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When no arguments or options are given, host prints a short summary of its command line arguments and options.
How to enable debug mode.
nslookup -debug example.com
How to change the port number for the connection.
nslookup -port=56 example.com
How to find the MX records responsible for the email exchange.
nslookup -query=mx example.com
How to find all of the available DNS records of a domain.
nslookup -type=any example.com
How to check the NS records of a domain.
nslookup -type=ns example.com
How to query the SOA record of a domain.
nslookup -type=soa example.com
How to check the Reverse DNS Lookup.
nslookup 10.20.30.40
How to find the A record of а domain.
nslookup example.com
How to check the using of a specific DNS Server.
nslookup example.com ns1.nsexample.com
Type 1 hypervisors
run directly on the system hardware. They are often referred to as a "native" or "bare metal" or "embedded" hypervisors in vendor literature.
Type 2 hypervisors
run on a host operating system. When the virtualization movement first began to take off, Type 2 hypervisors were most popular. Administrators could buy the software and install it on a server they already had.
Type the following command to reload BIND server to reload zone file or config file changes:
service bind9 reload reload - Reload configuration file and zones.
Type the following command to restart BIND server:
service bind9 restart restart - Restart the server.
Type the following command to start BIND server:
service bind9 start