Introduction to DNS and DNS roaming

DNS (Domain Name System) is a distributed database system used to map between domain names and IP addresses. DNS offers a special method to maintain and link these mappings in a unified whole. On a larger scale, computers connected to the internet use DNS to create URL link addresses (Universal Resource Locators). Under this method, each computer will not need to use the IP address for the connection.

General introduction

DNS names are created in the following format . , for example infosec.vasc.com.vn. While the list of DNS names is re-designed by ICANN (Domain Service Management Company), some common types include: .edu (educational website forms), .mil (websites for military), .org (in the form of non-commercial organizations) .com (economic organizations), . And there are also domain names specified by country name, eg .ie (Ireland), .jp (Japan), .de (Germany)

When a computer (a DNS client) wants to look up a URL, it takes the request (GetHostByName) to its DNS server. The DNS client uses a DNS resolver to locate the DNS server. If the DNS server cannot determine the domain name to search, or the DNS server has no information about the URL in its cache, it will not be able to respond to the client's request immediately. Instead, the DNS server will either use a DNS forwarder or recreate a request according to recursive rules.

DNS spoofing involves forcing a DNS client to make a request to an impersonated server, and then the client will receive an incorrect response from the spoof server. There are 3 ways to perform this type of DNS spoofing attack, including:

1. Spoof DNS responses

An attacker can use recursive mechanisms, forging requests that the DNS server sends out during the process of checking an address, and responding to false information before the real information arrives. Each DNS packet has a number of 16-bit IDs that the DNS server uses to check the initial request to send. When using BIND, a software commonly used as DNS server, this number increased by 1 after each incoming request, and creating requests was very easy to forge. BIND has been fixed by recent versions, where DNS packets are initialized at random numbers (BIND v9 version).

To check whether a DNS server may have vulnerabilities for DNS address spoofing attacks, you can send requests to the server, verify whether you can guess the next ID number in a message. request to DNS. If the ID requests are predictable, this means that the DNS cache can be mapped incorrectly to the real IP address, and that is the security hole in DNS.

2. Spoof DNS address caching

After recursive requests, the received address maps exist in the DNS cache. The DNS server will rely on this caching to determine information for incoming requests and responses from incoming clients, making access to information faster. The length of time that recursive request results are kept in DNS cache (TTL-time to live) can be set.

The spoofing addresses are in the DNS cache, which leads to the sending of incorrect mapping information with long lifetime (TTL). So, at the next moment when there is an incoming request, it will get the wrong information. Wrong information can also be affected by receiving data from a remote DNS server that is tampered with. This information fraud can be limited by reducing the time the cache exists (TTL), but this also reduces the server's performance.

A popular application of DNS as open source software is BIND (Berkeley Internet Name Daemon), which provides most of the important functions of DNS servers. However, there are also many security holes in BIND, and therefore, it is important to ensure that you are using BIND software with the latest version. Currently, new DNS standards have fixed this error in DNS caching.

3. Break the environmental security level

The attack by phishing DNS breaks the security level of the network work environment in the DNS server. For example, attacks are based on buffer overflow vulnerabilities for older BIND versions, which allow an attacker to gain root access. When an attacker gains access in a DNS environment, he can control the network environment.

To help with management and troubleshooting, it is useful to know that DNS communications use both Transmission Control Protocol (TCP) and UDP (User Datagram Protocol), and usually a firewall can be used. configure packet filtering before going through DNS.

One way to prevent unproven dangers is to use a DNS system divided by management zone. This involves installing an internal DNS server. Then, each external DNS is set up to contain only relevant information by external hosts, such as SMTP gateway, or an external NS. Most current mail servers can handle SMTP mail very well (IBM MS Outlook and Lotus Lote all have SMTP gateways), it is also safer because there is a separate mechanism for receiving SMTP mail. Then, if the external mail is successfully converted, the attacker will not be able to automatically access the internal mail system.

The future of DNS development

DNS may be vulnerable to packet spoofing because of the lack of access authentication. This can be overcome with DNSSEC. This is a new security mechanism by allowing Web sites to check their domain names and being responsible for IP addresses according to electronic signatures and public encryption algorithms. This also means that, when the DNS client receives a response from its request, it can check that request from an authenticated resource. DNSSEC has begun to be embedded in BIND 9, and in some operating systems.

DNSSEC will require more hardware performance, greater bandwidth and requires changes to all existing DNS servers. Therefore, the application of this new technology is still being implemented and promised in the future.

Today, through this article, millions of issues refer to roaming. You will be interested. The article will give you a better understanding of it, as well as certain knowledge about this issue.

Roaming (This section is collected by author Binh Trieu - vietnam security)

One of the serious misconfiguration that a system administrator might have is to allow untrusted Internet users to perform DNS roaming.

Zone Transfer allows the server to update the database from the primary server. This is redundant when running DNS, missed as the primary name server is not available. Generally, DNS server only need to roam DNS. But, many DNS servers are misconfigured and provide zone copies for anyone who requests. Not necessarily bad if the information provided is related to the Internet connection system. and have a valid server name, although it facilitates an attacker to find the destination. The real problem arises when the organization does not enforce a separate DNS gateway mechanism to isolate external DNS information (publicly). with internal DNS information. Providing internal IP address information to unreliable users via the Internet is like providing an internal map of the organization.
We consider a few roaming methods, and other types of information. There are many roaming tools, but I limit the discussion to some common types.

The simplest way to roam is to use the 'nslookup' client, usually due to UNIX and NT execution. We apply 'nslookup' in interactive mode:

 [bash] $ nslookup 
 Default Server: ns1.example.net 
 Address: 10.10.20.2 
 > 216.182.1.1 
 Default Server: [10.10.20.2] 
 Address: 10.10.20.2 
 Name: gate.tellurian.net 
 Address: 10.10.20.2 
 > set type = nào 
 > ls –d tellurian.net. >> / tmp / zone_out

First we run 'nslookup' in interactive mode. Once it is booted, it will indicate the default server name, usually the organization's DNS server or the service provider's DNS server. However, the DNS server (10.10.20.2) has no authority for the destination area, so there will not be all DNS records. Therefore, we need to hand it to 'nslookup' to know that it will query the machine. Which DNS server. In this example, we use the primary DNS server for Tellurian network (10.10.20.2).

Next we define the type of message as 'any'. This allows you to pull any DNS message (man nslookup) for the complete list.

Finally, list all region-related records with the 'ls' .'- d' option listing all region records. We add '.' At the end of the sentence to indicate the region's eligibility. - Most of the part is so. Let's change the result and file direction '/ tmp / zone_out' to be able to manipulate later.

When roaming, we look in the file to see if any interesting information is allowed to target the specific system. See the following result:

 [bash] more zone_out 

 acct18 1D IN A 192.168.230.3 
 1D IN HINFO 
 1D IN MX 0 tellurianadmin-smtp 
 1D IN RP- bsmith.rci bsmith.who 
 1D IN TXT 'Location: Telephone Room' 
 ce 1D INESO CNAME 
 au 1D IN A 192.168.230.4 
 1D IN HINFO 'aspect' 'MS-DOS' 
 1D IN MX 0 andromeda 
 1D IN RP jcoy.erebus jcoy.who 
 1D IN TXT 'Location: Library' 
 acct21 1D IN A 192.168.230.5 
 1D IN HINFO 'Gateway2000' 'WinWKGRPS' 
 1D IN MX 0 tellurianadmin-smtp 
 1D IN RP bsmith.rci bsmith.who 
 1D IN TXT 'Location: Acounting'

We will not go into every detail, just note some important types. For each entry, we have a record A that indicates the IP address of the system name on the right. Also, each server all have HINFO newsletter that identifies the background or the type of operating system running (RFC-952). Although the HINFO message is not necessary, it provides a lot of information for the attacker. Output files should be easy to manipulate results with UNIX programs such as grep, sed, awk, or Perl.

Assuming we are experts in SunOS or Solaris, we can find out the IP address with the HINFO newsletter regarding SPARC, Sun, or Solaris.

 [bash] $ grep -i solaris zone_out | wc -1 
 388

We have 388 references "Solaris". Needless to say, we have too many goals.

Suppose we want to find a test system, accidentally an option for an attacker. Why? It's simple - they often don't trigger multiple security or encryption features to guess, administrators don't notice or bother anyone who logs on to them. An ideal place for intruders. Find the test system as follows:

 [bash] $ grep -i test / tmp / zone_out | wc -1 
 96

There should be about 96 entries in the zone file containing the word "test". It should be equal to the number of real test systems. These are just a few simple examples. Most intruders will dissect this data to focus on the specific type of system with known weaknesses.

There are a few points to keep in mind. The method above only accesses the name server in turn. That is, you must perform the same task for all authoritative name servers for the destination area. Tellurian.net domain queries only. If there are subdirectories, you will have to perform the same query type for each subdomain (such as greenhouse.tellurian.net). After you receive the notification that you cannot list the region or decline queries.This usually shows that the server has been configured to disable illegal user roaming. Therefore, it is difficult for you to roam from this server. But if there are multiple servers DNS, you will have a chance to find a machine that allows roaming.

There are many tools to accelerate this process, including: host, Sam Spade, axfr and dig (not mentioned here).

The "host" command has many flavors of UNIX. How to use the "host" command is as follows:

 host -1 tellurian.net 
 or 
 host -1 -v -t any tellurian.net

If you need each IP address to include in the shell script, cut (cut) the IP address from the "host" command.

 host -1 tellurian.net | cut -f 4 -d "" >> / tmp / ip_out

Not every footprint function is required to perform the UNIX command. Some Windows products also provide such information.

You will eventually roam with Gaius's super-powerful tools, axfr. This utility will transfer region information, zone databases and server files to each region to be queried in compressed form. you can switch to high level com and edu to get all the regions related to "com" and "edu". However, it should not be done. Want to run axfr, type the following "

 [bash] $ axfr tellurian.net 
 axfr: Using default directory: / root / axfrdb 
 Found 2 name servers for domain "Tellurian.net"; 
 Text deleted. 
 Nhận được XXX câu trả lời (xxx mục).

To query the information just taken in the "axfr" database, type the following: