The Domain Name System (DNS): Security challenges and improvements

Richard John Matthew Agar

(2009)

Richard John Matthew Agar (2009) The Domain Name System (DNS): Security challenges and improvements.


Abstract

An analogy often used for the Domain Name System (DNS) is that it is the phonebook of the Internet. The DNS provides the mapping between the names we use to identify applications, websites, e-mail recipients, etc., and the numerical addresses used by the components of networks. If an attacker can poison the DNS (i.e. make it return invalid information), the user may unknowingly connect to the attacker's service rather than the correct one, and may then be exposed to confidentiality, integrity and availability issues. In July 2008, security researcher Dan Kaminsky disclosed a significant issue in the DNS that allowed an attacker to poison the DNS with information of the attacker's choosing. Whilst this had always been possible, it was believed that there was only a narrow window of opportunity for an attack, and that during that narrow window the probability of success was very low. Dan Kaminsky showed that this was not the case; this report includes an analysis showing that an attack of 259 seconds' duration has a 75% chance of success against vulnerable servers. Weaknesses exist in client and server applications and operating systems, in their configuration, in procedures and people, and in the DNS protocol itself; together these expose users and applications that rely on the DNS to a range of confidentiality, integrity and availability issues. This report provides an overview of related vulnerabilities and attacks, two of which are investigated in more detail: cache poisoning and amplification attacks (a type of denial of service attack). DNS poisoning attacks can easily be conducted against servers not patched against the Kaminsky vulnerability. A tactical solution (source port randomisation) has been provided that makes these attacks harder, but still possible. A strategic solution is needed that provides a cryptographic response to cache poisoning.
This report looks at two possible solutions to cache poisoning attacks, DNSSEC and DNSCurve, although neither provides a perfect solution. The DNS is also vulnerable to use in amplification attacks: it can be abused to generate multi-gigabit attacks against any target, preventing legitimate use of resources at the target. Although DNSSEC provides protection against DNS poisoning attacks, it makes amplification attacks easier.
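The following Python model is an added example and is not part of the report. It illustrates the point the abstract makes: a single poisoning race against a 16-bit transaction ID has a low chance of success, but the Kaminsky technique (querying a fresh, never-cached sibling name for every race) lets an attacker repeat the race as fast as bandwidth allows, so the cumulative probability climbs quickly; adding source-port entropy (the tactical fix) pushes the same attack out from minutes to months without making it impossible. Every numeric parameter below (100 forged replies per race, 3.5 races per second, a 3600 s TTL, 16 bits of port entropy) is my assumption for illustration; the report's own 259 s / 75% figure comes from its own analysis, which this model does not attempt to reproduce.

```python
import math

TXID_BITS = 16  # the DNS transaction ID is a 16-bit header field


def per_attempt_success(spoofs_per_attempt, entropy_bits):
    """Probability that one race (one outstanding query) is won.

    The attacker sends `spoofs_per_attempt` forged replies before the genuine
    one arrives, each guessing a distinct value of the `entropy_bits`-bit
    secret (TXID alone, or TXID plus source port).  Assumes the resolver
    draws the secret uniformly at random (model assumption).
    """
    if spoofs_per_attempt <= 0:
        return 0.0
    return min(1.0, spoofs_per_attempt / 2 ** entropy_bits)


def success_within(attempts, p_attempt):
    """P(at least one win) over `attempts` independent races."""
    return 1.0 - (1.0 - p_attempt) ** attempts


def attempts_needed(target_prob, p_attempt):
    """Smallest number of independent races giving P(win) >= target_prob."""
    if p_attempt <= 0:
        return math.inf
    if p_attempt >= 1:
        return 1
    return math.ceil(math.log(1.0 - target_prob) / math.log(1.0 - p_attempt))


def time_to_success(target_prob, spoofs_per_attempt, entropy_bits, attempts_per_second):
    """Seconds of sustained attack needed to reach target_prob."""
    p = per_attempt_success(spoofs_per_attempt, entropy_bits)
    return attempts_needed(target_prob, p) / attempts_per_second


def compare(duration_s=259, spoofs_per_attempt=100, attempts_per_second=3.5,
            ttl_s=3600, port_bits=16):
    """Success probability of one attack lasting `duration_s` seconds under
    three models.  All parameter defaults are assumed values for illustration.
    """
    p_txid = per_attempt_success(spoofs_per_attempt, TXID_BITS)
    p_txid_port = per_attempt_success(spoofs_per_attempt, TXID_BITS + port_bits)

    # Pre-Kaminsky view: once the target name is cached it is not looked up
    # again until its TTL expires, so the attacker gets one race per TTL.
    pre_kaminsky_attempts = 1 + duration_s // ttl_s

    # Kaminsky: each race targets a fresh random sibling name that is never
    # cached, so races are limited only by the attacker's packet rate.
    kaminsky_attempts = int(duration_s * attempts_per_second)

    return {
        "pre_kaminsky_txid_only": success_within(pre_kaminsky_attempts, p_txid),
        "kaminsky_txid_only": success_within(kaminsky_attempts, p_txid),
        "kaminsky_txid_and_port": success_within(kaminsky_attempts, p_txid_port),
    }


if __name__ == "__main__":
    for name, prob in compare().items():
        print(f"{name:26s} P(success) = {prob:.6f}")
    secs = time_to_success(0.75, 100, TXID_BITS + 16, 3.5)
    print(f"with port randomisation, 75% success needs about {secs / 86400:.0f} days")
```

With the assumed parameters the TXID-only Kaminsky attack reaches roughly 75% success within the 259 s window, while the same packet rate against a resolver that also randomises its source port needs on the order of 200 days for the same probability. The model deliberately ignores the birthday-style gain an attacker gets from sending many queries at once, packet loss, and non-uniform TXID or port generators, all of which shift the numbers but not the shape of the comparison.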

Information about this Version

This is a Published version
This version's date is: 04/09/2009
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/e498a852-9067-5bfb-be41-fe0f27ba02a1/1/

Item Type: Monograph (Technical Report)
Title: The Domain Name System (DNS): Security challenges and improvements
Authors: Agar, Richard John Matthew
Departments: Faculty of Science\Mathematics

Deposited on 23-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.
