Richard John Matthew Agar (2009) The Domain Name System (DNS): Security challenges and improvements.
Full text access: Open
An analogy that is often used for the Domain Name System (DNS) is that it is the phonebook for the Internet. The DNS provides the mapping between the names that we use to identify applications, websites, e-mail recipients, etc. and the numerical addresses that are used by the components in networks. If an attacker can poison the DNS (i.e. make it return invalid information), then the user may unknowingly connect to the attacker’s service rather than the correct one. The user may then be exposed to confidentiality, integrity and availability issues. In July 2008, security researcher Dan Kaminsky disclosed a significant issue in DNS that allowed an attacker to poison the DNS with information of the attacker’s choosing. Whilst this had always been possible, it was believed that there was only a narrow window of opportunity to attack, and that during that window the probability of a successful attack was very low. Dan Kaminsky showed that this was not the case; this report includes an analysis that shows an attack of 259 seconds duration has a 75% chance of success against vulnerable servers. Weaknesses exist in client and server applications and operating systems, their configuration, procedures, people and the DNS protocol, and these allow a range of different factors to cause confidentiality, integrity and availability issues for users and applications that rely on the DNS. This report provides an overview of related vulnerabilities and attacks, two of which are investigated in more detail: cache poisoning and amplification attacks (a type of denial of service attack). DNS poisoning attacks can easily be conducted against servers not patched against the Kaminsky vulnerability. A tactical solution has been provided that makes these attacks harder, but still possible. A strategic solution is needed that provides a cryptographic response to cache poisoning.
This report looks at two possible solutions to cache poisoning attacks, DNSSEC and DNSCurve, although neither provides the perfect solution. The DNS is also open to abuse in amplification attacks: it can be used to generate multigigabit attacks against any target, preventing legitimate use of resources at the target. Although DNSSEC provides protection against DNS poisoning attacks, it does make amplification attacks easier.
This is a Published version. This version's date is: 04/09/2009. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/e498a852-9067-5bfb-be41-fe0f27ba02a1/1/
Deposited by () on 23-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.