Document: IP Behavior VI Domain Name System (DNS) pdf


IP Behavior VI
Domain Name System (DNS)

IP Behavior VI – SANS GIAC LevelTwo - ©2000, 2001

Hello again. I am Judy Novak. If you are taking the IP Behavior series in successive webcasts, my name and voice may be familiar to you by now since I am the author of a couple of previous webcasts. I still work for Jacob and Sundstrom in the Computer Security and Incident Response Team at the Army Research Lab as a Shadow analyst. Stephen Northcutt has graciously requested that I author this webcast on the Domain Name System or DNS. I’d personally like to thank my excellent technical editors Bill Ralph of Naval Surface Warfare Center and Hal Pomeranz of Deer Run Associates.

What’s the big deal with DNS? Isn’t it basically used to translate a hostname to an IP number and that’s it? Well sure, that is a big and important part of DNS, but it is much more. Having examined traffic for over two years on a military network, we see much interest in our DNS servers from less-than-upstanding citizens. Our DNS servers are probably the most common targets of reconnaissance efforts. Your DNS server is a cherished prize for a hacker to compromise, so they are going to see how vulnerable it is by pounding on it for weaknesses.

Some of the reasons that the DNS server is targeted are, first, this is a good reconnaissance method of learning about all the DNS information in preparation for launching an attack. Second, if an intruder can inject spurious DNS information in the local server, this can be used as an attack on other hosts. Finally, UDP port 53, the port commonly associated with DNS traffic, is often left open on packet filtering devices so that internal name servers can function.

After completion of this webcast, the student will have a good foundation of DNS theory and practical application. You will be able to see how DNS queries are answered, how the DNS server interacts with other DNS servers, how DNS can be used to discover information about a site, and ways that DNS can be used for exploitation purposes. In short, this will aid you in doing network security to analyze the nature of DNS traffic seen on the network.

Objectives

• Explain DNS theory including:
  – Client and server interaction
  – Server to server interaction
  – Primary and secondary servers
  – Transport protocol used (TCP/UDP)
  – WINS
• Intelligence gathering tools
• DNS - the dark side

The objectives of this webcast are to teach the underlying theory of DNS so the student can interpret tcpdump output of DNS transactions and examine DNS events occurring on the network with some insight about what is transpiring. Specifically, we will examine how a DNS query is answered. DNS is different than a normal client server application in this aspect. Typically, in client server applications such as telnet or ftp, the client requests a connection to a desired server and the interaction is pretty much between those two hosts. For DNS, however, when a client issues a DNS query, a DNS server will accept the query, perhaps interact with one or more additional DNS servers, and when it receives the response to the query, it will return it to the client.

We will look at the role of primary and secondary name servers and discuss the interaction between them. Also, unlike other services, DNS can switch between UDP and TCP protocols depending on the kind of DNS activity. We will briefly cover the way in which Windows hosts do hostname resolution. We will also talk about some ways that others may use your DNS server to gather information about the DNS server itself and hosts that the DNS server knows about. Finally, we will look at examples of how DNS was used for malicious purposes.

Going places

How do you go from your host to www.sans.org?
Step 1: Resolve www.sans.org to an IP number
Step 2: Request a connection to the resolved IP number

[Diagram: host.my.com, www.sans.org]

The slide “Going places” supposes that you want to go to the SANS website, www.sans.org, to see what the latest offerings and postings of interest might be. You bring up your Netscape browser and enter the URL http://www.sans.org. Seconds later, if you are not on a slow or congested network, you will see the www.sans.org web page.

Remember that TCP/IP datagrams use IP numbers for all source and destination addresses. TCP/IP does not use hostnames. However, we humans tend to remember hostnames far better than we remember IP numbers, so we speak in hostnames. It’s obvious that we need some kind of translation mechanism between the way we reference hosts (hostnames) and the way TCP/IP must reference hosts (IP numbers).

So, how did this translation from www.sans.org to an IP address mysteriously occur behind the scenes? Before you could even send out a request to www.sans.org, your host had to know an IP number. Your host needs this IP number to package into the datagram when it sends the connection request to www.sans.org out on the network. We’ll examine this Step 1 process from the above slide in the next several slides.

Client resolver

[Diagram: the resolver on host.my.com issues gethostbyname(www.sans.org) to the name server dns.my.com, which finds the IP address and returns IP address 167.216.133.33]

Continuing with the process of resolution from hostname www.sans.org to IP number, look at slide “Client resolver”. Here, we see the host on which we have our Netscape browser, host.my.com, attempt resolution of www.sans.org. Assuming that your host is not a name server, it is mostly passive throughout the resolution process. It simply fires off the request for the translation, and resumes the process of connecting to the www.sans.org web page after it receives a reply of the IP address.

The workhorse behind the resolution process is the DNS server which is queried, in this case, dns.my.com. Generally, a default name server is chosen at the time the operating system is installed on a given client machine (on Unix machines the information is stored in the file /etc/resolv.conf). This default DNS server is typically managed locally and is located somewhere on your organization’s intranet. dns.my.com is this site’s DNS server.

On the client host, the TCP/IP applications such as telnet, ftp, Netscape or Internet Explorer call “resolver” library routines to obtain DNS resolution. When you requested www.sans.org, application software issued a call to resolve the hostname to an IP address. In this case, a gethostbyname call is sent from host.my.com to the DNS server. This requests that the hostname www.sans.org be translated to an IP address. The DNS server receives this request, processes it, and returns it to host.my.com.

DNS server resolution (part I)

[Diagram: dns.my.com sends “IP for www.sans.org” to h.root-servers.net, which replies “Ask host server1.sans.org”]

Resuming our resolution journey on slide “DNS server resolution (part I)”, we see dns.my.com take over the actual duties of finding the answer of the IP of www.sans.org. dns.my.com begins its search with a root server to find the resolution. In order to resolve external names, many times, your local name server must contact a root name server. Root name servers maintain a mapping between domain names (sans.org) and the authoritative name servers for those domains. When the local name server, dns.my.com, asks a root name server for the IP address of www.sans.org, it gets back a referral to the name servers for sans.org.

You might ask how dns.my.com knows the names and IP numbers of the root servers to contact. Obviously, the local name server must be pre-configured with a list of known root name servers. This information is maintained by the InterNIC and may be downloaded from ftp://ftp.rs.internic.net/domain/named.ca

DNS server resolution (part II)

[Diagram: dns.my.com sends “IP for www.sans.org” to server1.sans.org, which replies “IP is 167.216.233.33”]

Continuing our resolution journey on slide “DNS server resolution (part II)”, the root server lets dns.my.com know where to continue its search. The root server has returned a referral to the name server server1.sans.org as an authoritative name server for www.sans.org. dns.my.com then queries server1.sans.org and receives an authoritative answer, the IP number of 167.216.133.33.

Requisite picture of DNS structure

[Diagram: DNS tree with the root servers at the top; top-level domains arpa, com, edu, gov, mil, net, org, jp; in-addr under arpa; sans under org; www under sans, giving www.sans.org]

If you look at the next slide “Requisite picture of DNS structure”, we need to interject a little theory about the nature of DNS. DNS is a globally distributed system which depends on the cooperative interaction of many DNS servers to store records about “domains” and communicate with each other. A domain is a subset of DNS records associated with a logical grouping. For instance, sans.org is the domain that logically contains all hosts that SANS might use.

The distributed system has been set up as a hierarchy of special servers known as root servers at the top of the domain tree. These servers simply point to other DNS servers that may have dominion of DNS records being sought. You are probably familiar with the top-level domains, those falling directly under the root servers, as edu, org, com, net, mil, gov to name the domestic domains. There are additional top-level domains for foreign countries, such as jp for Japan.

tcpdump output of resolution

    host.my.com.1716 > dns.my.com.domain: 1+ (35)
    dns.my.com.domain > h.root-servers.net.domain: 12420 (30) (DF)
    h.root-servers.net.domain > dns.my.com.domain: 12420- 0/3/3 (153) (DF)
    dns.my.com.domain > server1.sans.org.domain: 12421+ (30) (DF)
    server1.sans.org.domain > dns.my.com.domain: 12421* 1/3/3 (172)
    dns.my.com.domain > host.my.com.1716: 1* 1/3/3 (197) (DF)

[Slide legend marks which records are Client and which are Server]

Moving to slide “tcpdump output of resolution”, we can see what was happening on the network. First we see host.my.com issue the request to resolve www.sans.org to dns.my.com. While tcpdump prints the word “udp” for some UDP protocols, there is no such blatant clue in tcpdump DNS output. Regardless of this omission, the above transactions used UDP. UDP was selected for the method of transmission of the majority of DNS traffic since the queries and responses are often short and the application itself can withstand lost or missing data. When anticipated data is not received, a new query is reissued.

Next, dns.my.com attempts a connection to h.root-servers.net on port domain, which is port 53. Note that both source and destination ports are 53. We see h.root-servers.net respond back to dns.my.com on source and destination ports 53 as well. We’ll discuss the numbers and notations found at the end of each tcpdump record in the next slide.

h.root-servers.net doesn’t have the answer to the query, however it has a reference of another DNS server that may have the answer or may have a reference of who may have the answer. Querying name servers for the IP of www.sans.org is a repeated process that may yield a reference of another DNS server that may have the answer, until finally a name server is contacted that has the answer of the IP number.

Since h.root-servers referred dns.my.com to another DNS server, we next see dns.my.com query this server, server1.sans.org, for the IP for www.sans.org. server1.sans.org happens to “own” the DNS record for www.sans.org and is able to return to dns.my.com the IP number associated with www.sans.org.

Before we continue with the resolution process, we need to digress on the next slide to explain the tcpdump format for DNS records. It is a unique format and it contains necessary insight into what is happening between connections.

What is that strange tcpdump notation?

    dns.my.com.domain > h.root-servers.net.domain: 12420 (30) (DF)
    h.root-servers.net.domain > dns.my.com.domain: 12420- 0/3/3 (153) (DF)

    authority records
    sans.org            nameserver = server1.sans.org
    sans.org            nameserver = ns.BSDI.COM
    sans.org            nameserver = ns.DELOS.COM

    additional records
    server1.sans.org    internet address = 167.216.133.33
    ns.BSDI.COM         internet address = 205.230.225.16
    ns.DELOS.COM        internet address = 192.65.171.1

Let’s look at slide “What is that strange tcpdump notation?” The first line of tcpdump output is the query from dns.my.com to the root server. The first field that we haven’t seen before in conventional tcpdump output is the number 12420 following the colon after domain. This is the DNS identification number. It is a unique identifying number that a DNS server or client uses to match a query and response. dns.my.com issues the request to the root server with the number 12420 and when it receives a response, it is able to pair it to the request. Remember, dns.my.com is probably doing a lot of other queries while it is doing ours, so it has to be able to match multiple queries with responses. The length of the UDP payload (not including the IP or UDP headers) is 30 bytes. And, we have the don’t fragment flag set so this datagram won’t be fragmented.

The response to query 12420 follows. There is a dash after the 12420 signifying that recursion was not available. dns.my.com did not tell the root server that it wanted a response that referenced where the next DNS server might be - it did not want the root server to pursue finding the response itself. Root servers are very busy machines and cannot process queries in a recursive fashion as dns.my.com is doing. They are only expected to give whatever knowledge they have about a good reference in pursuit of the answer.

In the response from the root server, we see some strange output in the format of 0/3/3. This says that there were 0 answer records - this means no IP was found, but 3 authoritative records were found and 3 additional records were found. An authoritative server is one that “owns” and maintains records for a given domain. We’ve listed the authoritative servers - server1.sans.org, ns.BSDI.COM, and ns.DELOS.com. The additional records are shown with the pairing of the authoritative DNS servers with their IP addresses. By sending the IP numbers in additional records, we didn’t have to resolve the hostnames sent to IP numbers. Any one of those DNS servers has authority for the sans.org domain and will be able to answer the query. As you saw, dns.my.com selects the first one, server1.sans.org, to use for the final resolution.

tcpdump output of resolution (2)

    dns.my.com.domain > server1.sans.org.domain: 12421+ (30) (DF)
    server1.sans.org.domain > dns.my.com.domain: 12421* 1/3/3 (172)
    dns.my.com.domain > host.my.com.1716: 1* 1/3/3 (197) (DF)

Moving to slide “tcpdump response output”, we examine the remainder of the tcpdump output from the resolution process. dns.my.com has been informed that there are several authoritative servers and it selects the first one, server1.sans.org, for resolution. It issues a new query 12421 and asks for recursion, noted by the plus sign. Essentially, dns.my.com has tasked server1.sans.org to find the IP address. In this case server1.sans.org is an authoritative name server for www.sans.org so it can answer the query itself. However, if it were not the authoritative name server, it would have to find the IP number by recursively issuing queries to other name servers until an IP number was found.

server1.sans.org responds to the query. The asterisk means that this is an authoritative response. This means that the record for www.sans.org is in the DNS database that server1.sans.org maintains. One answer is returned - the answer in this case is the IP number of www.sans.org, 167.216.133.33. We don’t see the IP in the tcpdump output, but that is what is in the payload of the UDP datagram. The authority records and additional records that we saw on the previous slide are returned here too. Finally, once dns.my.com has the IP address, it delivers it to host.my.com, the original querier.

What can you do with poisoned cache?

Step 1: evil.dns sends a bogus query to name server ns04.baweb.com to find address for www.hillary2000.org with a response of 206.245.150.74
Step 2: bogus entry cached: www.hillary2000.org 206.245.150.74
Step 3: browser.net uses ns04.baweb.com to resolve www.hillary2000.org and receives IP number of 206.245.150.74

[Diagram: evil.dns, ns04.baweb.com, browser.net]

Let’s look at how cache poisoning might work on slide “What can you do with poisoned cache?” Suppose we have a wicked user who can craft a DNS message with a response in the request. This same user can then send a query using the source host evil.dns and the destination DNS server of ns04.baweb.com, the authoritative name server for www.hillary2000.org. This crafted packet will have a query for the IP address of www.hillary2000.org, but it will include an IP number in the response part of the DNS message which gives the IP number of 206.245.150.74. This is not the real IP number associated with www.hillary2000.org, as we’ll see in the next slide.

ns04.baweb.com suffers from the inability to tell query from response and thus caches the answer it received in the query. Its cache has just been poisoned with a bogus hostname and IP pairing. Now, to complete the ruse, we must have a user who consults ns04.baweb.com for the IP number for www.hillary2000.org. In response, the cached answer of 206.245.150.74 is returned. Let’s see what just happened!

Poisoned cache results

[Two web page screenshots, captioned “Asked for this” and “Got this!”]
If you proceed to the next slide “Poisoned cache results”, you’ll see the results of alleged political cyber-warfare. In July of 1999, Hillary Clinton launched a web site, www.hillary2000.org, which promoted her as-yet-undeclared for the U.S. Senate in New York. The real web site is seen on the left side of the slide. However, when some users attempted to contact this site, they were redirected to a rival site, www.hillaryno.com (IP number 206.245.150.74). This site is maintained by the supporters of the New York City mayor at that time, Rudolph Giuliani, who was a likely contender for this same Senate seat before he withdrew from the race in 2000. This web site is seen on the right side of the slide.

The speculation is that this may have been a cache poisoning hack that successfully diverted Hillary supporters to the Giuliani page. In other words, www.hillary2000.org was paired with the IP number for www.hillaryno.com. Of course the people who maintain the www.hillaryno.com site disavow all knowledge of any wrongdoing. So we see that the arsenal of political dirty tricks has now entered the realm of cyberspace. If cache were poisoned to re-route users, this would be a very hard kind of hack to trace or prove.

DNS review

• Host to IP resolution must be done before any IP traffic can be sent
• Clients make DNS requests, DNS server does resolution, returns answer to client
• Different ways to discover information about DNS servers and associated hosts
• DNS can be used as an exploit vehicle

Let’s wrap up what we’ve covered in this webcast by turning to the final information slide “DNS review”. First, we discussed how people refer to hosts using hostname but IP uses IP numbers to refer to hosts. So, some kind of translation is required, which is what DNS attempts to do. A client must issue a request for this resolution. A DNS server initiates the search for resolution, perhaps beginning at the root servers and possibly handing off the request to another name server to resolve. The DNS server will not query the root server if the answer has been cached or if it has the authoritative answer for the query. Eventually when other DNS servers are queried, a response is returned to the original DNS server, even if the IP could not be found. This, in turn, is sent to the client that requested the information.

We discussed the roles of primary and secondary name servers in maintaining DNS records and providing redundancy. We examined how both TCP and UDP can be used as the transport protocols for DNS depending on the nature of the DNS transaction. We took a cursory look at how Windows hosts do hostname resolution. We also saw how different tools such as nslookup and dig can be used for reconnaissance purposes. Finally, we saw there are ways to use DNS for scanning or cache poisoning.

If you are taking this course as part of the LevelOne training, please get ready for the quiz that follows. This concludes the DNS webcast. Thank you for listening and I hope this was a valuable learning experience for you.

DNS quiz

1) One of the primary uses of DNS is for hostname to IP resolution because:
a) Hostnames are too long for the allotted fields in the IP datagram for source and destination hosts
b) Datagrams and IP deal with IP numbers, not hostnames
c) IP addresses speed up delivery of the datagram
d) Not all hostnames have different nodes like IP numbers

2) If you want to bring up a URL on a browser on your Unix host, DNS resolution of hostname to IP number occurs:
a) When the first router is encountered on the route from source to destination host
b) After a SYN/ACK response from the web host
c) After a SYN connection is sent to the web port of the web host
d) Before the connection is attempted to the web host

3) Routing is the process responsible for getting a datagram from source to destination, DNS hostname resolution is the process responsible for:
a) Supplying the destination IP for the datagram
b) Finding the most efficient route from source to destination
c) Doing an inverse query to find the next hostname along the route
d) Avoiding routes with smaller MTU’s

4) A DNS query on a Unix host is typically initiated in the following fashion:
a) Client requests resolution through DNS resolver software to a DNS server, the DNS server finds the answer or tasks other DNS servers to find the answer and the initial DNS server returns the answer to the client
b) Client queries the root server and the root server retrieves the answer
c) The client queries a root server and the root server tasks another DNS server to find the answer
d) A client queries a WINS server and receives the answer

5) The in-addr.arpa domain is used for:
a) HINFO queries
b) Name server queries
c) Discovering BIND versions
d) Performing reverse lookups

6) The function of the root servers is to:
a) Refer queries to lower level name servers
b) Be the authoritative servers and house all DNS records for all hosts
c) Directly answer all client requests
d) Store IP to hostname resolutions

    h.root-servers.net.domain > dns.my.com.domain: 12420- 0/3/3 (153) (DF)

7) In the above DNS response, 12420 is:
a) Acknowledgement sequence number for received data
b) The byte count for the DNS message
c) The DNS identification number to match queries and responses
d) Authoritative DNS server identification number

8) In the above DNS response, the notation 0/3/3 means:
a) There are no answer records, authoritative server records and additional records
b) There were no answers found after querying root servers and authoritative name servers
c) There are no authoritative servers, root servers, and secondary servers that know the answer
d) There are no primary servers, secondary servers, and caching name servers that can resolve the hostname

9) If the same Unix host repeats the same query seconds later using the same DNS server for resolution, chances are:
a) The answer will be in the Unix host’s cache
b) The answer will be returned from the local DNS server’s cache
c) The answer will be stored in the /etc/resolv.conf file
d) The answer can be obtained by asking the primary name server to download the cache to the secondary name server

10) A secondary name server can be used to:
a) Provide redundancy in case the primary server fails
b) Transfer data from the secondary to the primary upon boot up of the primary
c) Cache name server records for the primary servers
d) Store the root server IP numbers for the primary name server

11) A security issue associated with zone transfers from the primary to the secondary server is:
a) BIND version queries
b) HINFO records queries
c) Cache poisoning
d) Allowing only authorized secondary servers to perform transfers

12) TCP is the transport protocol for DNS when:
a) Queries are done to root servers only
b) Zone transfers are done or truncated UDP queries are reissued
c) All responses from root servers are received
d) Queries are issued to authoritative servers only

13) HINFO records contain:
a) Hostname to IP information for the DNS entry
b) IP to hostname information for the DNS entry
c) The version of BIND for the authoritative server
d) CPU and operating system information for the DNS entry

14) WINS resolves:
a) NetBios names to IP numbers
b) Fully qualified domain names to IP numbers
c) Windows names to fully qualified domain names
d) IP numbers to shared resource names

15) Poisoned cache is:
a) A malicious mismatched hostname to IP pairing residing in cache of a name server
b) A malicious mismatched hostname and HINFO pairing residing in cache of a name server
c) A malicious mismatched hostname and BIND version pairing residing in cache of a name server
d) A malicious mismatched hostname and Time To Live pairing residing in cache of a name server

16) (T/F) Secondary name servers receive their DNS records from primary servers

17) (T/F) An authoritative name server is one that owns or maintains DNS records for a given domain

18) (T/F) A WINS host can be queried for HINFO, name server, and BIND version records

19) (T/F) The truncated flag is set on a DNS response to signify that the requested hostname to address resolution doesn’t exist on any DNS server

20) (T/F) A name server that is asked to do a recursive query may end up contacting other name servers to get an answer

21) (T/F) Discovering the BIND version running on a DNS server can assist an aggressor who is looking for name servers to exploit

22) (T/F) A record gets deleted from cache when the Time To Live value expires

23) (T/F) nslookup is a tool used by root servers only for hostname resolution

24) (T/F) The dig (Domain Internet Groper) command may be used to attempt to discover the version of BIND running on a name server

25) (T/F) The only transport protocol used for DNS is UDP; TCP is never used

26) (T/F) When authoritative name servers are returned in a query, often the additional records that accompany the response will contain the IP numbers for the authoritative servers

27) (T/F) DNS servers know about the root servers because they query the in-addr.arpa domain for the IP numbers

28) (T/F) There can only be one authoritative server per domain as we witnessed with the sans.org domain

29) (T/F) DNS is also responsible for routing an IP datagram from source to destination host

30) (T/F) DNS servers are rarely targeted for scanning or exploit because they are hard to find

Answers:

1) b   2) d   3) a   4) a   5) d
6) a   7) c   8) a   9) b   10) a
11) d  12) b  13) d  14) a  15) a
16) T  17) T  18) F  19) F  20) T
21) T  22) T  23) F  24) T  25) F
26) T  27) F  28) F  29) F  30) F

Course Revision History

v1.1 – J Novak, Added slides on SOA and DDNS – 27 Oct 2000
v1.2 – J Kolde – formatting changes – 22 Jan 01
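
The tcpdump DNS notation explained in the slides “What is that strange tcpdump notation?” and “tcpdump output of resolution (2)”, as an added Python example that is not part of the original webcast: it parses the six records shown there and pairs each response with its query by DNS identification number, reporting any response that matches no query. Treating a record that carries the three counts as a response is an assumption taken from how the slides read, and the “|” truncation mark comes from tcpdump's documentation rather than from these slides.

```python
import re

# Constructed sample: the six records from the slide "tcpdump output of resolution".
SAMPLE = """\
host.my.com.1716 > dns.my.com.domain: 1+ (35)
dns.my.com.domain > h.root-servers.net.domain: 12420 (30) (DF)
h.root-servers.net.domain > dns.my.com.domain: 12420- 0/3/3 (153) (DF)
dns.my.com.domain > server1.sans.org.domain: 12421+ (30) (DF)
server1.sans.org.domain > dns.my.com.domain: 12421* 1/3/3 (172)
dns.my.com.domain > host.my.com.1716: 1* 1/3/3 (197) (DF)
"""

# host.port > host.port: ID[flags] [answer/authority/additional] (length) [(DF)]
RECORD = re.compile(
    r"^(?P<src>\S+)\.(?P<sport>[^.\s]+) > (?P<dst>\S+)\.(?P<dport>[^.\s]+): "
    r"(?P<id>\d+)(?P<flags>[-+*|]*)"
    r"(?: (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+))?"
    r" \((?P<len>\d+)\)(?P<df> \(DF\))?$"
)


def parse_record(line):
    """Parse one tcpdump DNS summary line into a dict, or return None."""
    m = RECORD.match(line.strip())
    if m is None:
        return None
    rec = {
        "src": (m["src"], m["sport"]),
        "dst": (m["dst"], m["dport"]),
        "id": int(m["id"]),                  # DNS identification number
        "payload_len": int(m["len"]),        # UDP payload, headers excluded
        "dont_fragment": m["df"] is not None,
        # Assumption: only responses carry the a/n/au counts, as on the slides.
        "is_response": m["an"] is not None,
    }
    flags = m["flags"]
    if rec["is_response"]:
        counts = tuple(int(m[k]) for k in ("an", "ns", "ar"))
        rec["counts"] = counts
        rec["authoritative"] = "*" in flags            # asterisk
        rec["recursion_available"] = "-" not in flags  # dash
        rec["truncated"] = "|" in flags                # tcpdump's truncation mark
        if counts[0] > 0:
            rec["kind"] = "answer"
        elif counts[1] > 0:
            rec["kind"] = "referral"   # no answer, but authority records to follow
        else:
            rec["kind"] = "empty"
    else:
        rec["recursion_desired"] = "+" in flags        # plus sign
    return rec


def pair_transactions(lines):
    """Match responses to queries by DNS ID and swapped endpoints.

    Returns (matched pairs, unsolicited responses, unanswered queries).
    """
    pending, matched, unsolicited = {}, [], []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if not rec["is_response"]:
            pending[(rec["id"], rec["src"], rec["dst"])] = rec
            continue
        query = pending.pop((rec["id"], rec["dst"], rec["src"]), None)
        if query is None:
            unsolicited.append(rec)   # a response nobody asked for
        else:
            matched.append((query, rec))
    return matched, unsolicited, list(pending.values())


if __name__ == "__main__":
    pairs, stray, unanswered = pair_transactions(SAMPLE.splitlines())
    for query, resp in pairs:
        print(query["id"], query["dst"][0], "->", resp["kind"], resp["counts"],
              "authoritative" if resp["authoritative"] else "non-authoritative")
    print("unsolicited:", len(stray), "unanswered:", len(unanswered))
```
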
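
The weakness described on the slide “What can you do with poisoned cache?” is a name server that cannot tell query from response and caches an answer it received in a query. The following added Python example, which is not part of the original webcast and is not any name server's actual code, shows the check that closes that gap: records may enter the cache only from a message with the response bit set whose DNS ID and question match a query the server is still waiting on. The function names, the `outstanding` set and the example.org and 192.0.2.x sample values are constructed for illustration, and the ID-and-question matching goes a step beyond the single case on the slide.

```python
import struct

QR = 0x8000      # header flag bit: set in responses, clear in queries
OPCODE = 0x7800  # header opcode field: 0 is a standard query


def encode_name(name):
    """Encode a hostname as DNS labels (length byte + text, zero terminated)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_message(msg_id, flags, qname, answer_ips=()):
    """Constructed test input: header, one A/IN question, optional A answers."""
    header = struct.pack("!6H", msg_id, flags, 1, len(answer_ips), 0, 0)
    question = encode_name(qname) + struct.pack("!2H", 1, 1)
    answers = b""
    for ip in answer_ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C is a compression pointer back to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 3600, 4) + rdata
    return header + question + answers


def read_question_name(packet, offset=12):
    """Return the question name, refusing anything that runs off the packet."""
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("question name runs past end of packet")
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels).lower()
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        if offset + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def may_cache(packet, outstanding):
    """Decide whether records in `packet` may enter the cache.

    `outstanding` holds (DNS ID, question name) pairs for queries this
    server sent and is still waiting on. Returns (allowed, reason).
    """
    if len(packet) < 12:
        return False, "shorter than a DNS header"
    msg_id, flags, qd, an, ns, _ar = struct.unpack("!6H", packet[:12])
    if not flags & QR:
        # The slide's case: a "query" that arrives with records attached.
        if (flags & OPCODE) == 0 and (an or ns):
            return False, "query carries answer/authority records"
        return False, "queries are never a cache source"
    if qd != 1:
        return False, "response without exactly one question"
    try:
        qname = read_question_name(packet)
    except ValueError as exc:
        return False, f"malformed question: {exc}"
    if (msg_id, qname) not in outstanding:
        return False, "response matches no outstanding query"
    return True, "response to an outstanding query"


if __name__ == "__main__":
    waiting = {(12421, "www.example.org")}
    crafted = build_message(0x1234, 0x0100, "www.example.org", ["192.0.2.66"])
    genuine = build_message(12421, 0x8400, "www.example.org", ["192.0.2.10"])
    print(may_cache(crafted, waiting))
    print(may_cache(genuine, waiting))
```
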

Date posted: 09/12/2013, 17:15
