DNS Cache Poisoning
By Chris Racki

Outline
• Introduction
• How DNS works
• A typical DNS lookup
• Caching for later
• Vulnerabilities of DNS
• Anatomy of a cache poisoning
• Why isn’t the security community panicked
• Ok, now they’re panicked!
• Mitigation
• Conclusion
Introduction
• Computers navigate the internet using DNS
• Common requests are cached
• Caching makes DNS vulnerable
• When a DNS cache is poisoned, any name can be made to resolve to any IP address the attacker chooses
• The fix is in the chaos (randomness)
How DNS Works
[Hierarchy diagram: Root Servers → Top Level Domain Servers (.com, .org, .net, .gov, .edu) → individual domains such as montclair.edu and google.com]
A Typical DNS Lookup
[Diagram of the exchange between the User, the ISP DNS, the Root Server, the .com Server and the google.com Server]
1. User → ISP DNS: what’s the IP for www.google.com?
2. ISP DNS → Root Server: what’s the IP for www.google.com?
3. Root Server → ISP DNS: Server Referral (to the .com Server)
4. ISP DNS → .com Server: what’s the IP for www.google.com?
5. .com Server → ISP DNS: Server Referral (to the google.com Server)
6. ISP DNS → google.com Server: what’s the IP for www.google.com?
7. google.com Server → ISP DNS: The IP is XXX.XXX.XXX
8. ISP DNS: Cache result
9. ISP DNS → User: The IP is XXX.XXX.XXX
10. User: Go to www.google.com
Vulnerabilities
[Same lookup diagram, but the ISP DNS now answers from its cached result instead of walking steps 2–6 to the Root, .com and google.com servers]
1. User → ISP DNS: what’s the IP for www.google.com?
(Cached result: no queries to the Root Server, the .com Server or the google.com Server)
8. ISP DNS → User: The IP is XXX.XXX.XXX
10. User: Go to www.google.com … unless the cached result has been poisoned, in which case the user goes to www.BADPLACE.com
Anatomy of a Cache Poisoning
[Diagram: a Lookup Request to the ISP DNS, followed by a stream of Forged Lookup Replies carrying guessed Query IDs (10018, 10019, 10020, 10021 …)]
• Lookup Request: What’s the IP for www.google.com?
• ISP DNS: It’s not in my cache, I have to look it up.
• Attacker: Now that he’s waiting for a response, it’s my chance!
• Forged Lookup Reply, Query ID 10018 … Query ID 10019 … Query ID 10020 …
• ISP DNS: Unsolicited reply… ignore. (the Query ID does not match the outstanding lookup)
• Forged Lookup Reply, Query ID 10021 (matches the ID of the outstanding lookup)
• ISP DNS: Forged reply is accepted and cached.
Why isn’t the security community panicked?
• Attack only works when entry is not in cache
• Hard to predict exactly when Time To Live will expire
• Limited chances for attack
Ok, now they’re panicked!
• In 2008 Dan Kaminsky improved the attack.
• Attack is only possible when target is not in cache.
• www.google.com is almost always in the cache.
• fake01.google.com is never in cache so it always triggers a lookup.
• Instead of forging a single page, forge the google.com DNS server.
• Now all requests for google.com domain can be redirected to attacker’s DNS server.
A More Toxic Poison
[Diagram: the ISP DNS asks “what’s the IP for fake01.google.com?”; the Root Server returns a Server Referral, the .com Server returns a Server Referral, and while the google.com Server’s response is too slow, the forged reply arrives first and sets the IP of the google.com domain DNS server]
What’s the fix?
• Make the query ID more random
• Older DNS software uses sequential query IDs or easily predicted random query IDs
• Randomize the source port and change it often
• Older DNS software always uses one port
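The acceptance check from the “Anatomy of a Cache Poisoning” slide and the two fixes above, as an added example (not code from the original slides): a toy resolver that accepts a reply only when its query ID and destination port match the outstanding lookup, with switches for sequential vs. random IDs and a fixed vs. randomized source port. The `Resolver`, `Pending`, `Reply` and `guess_space` names and the hypothetical `example.com` names are assumptions of this example.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Pending:
    qname: str
    txid: int
    src_port: int   # port the resolver sent the query from

@dataclass(frozen=True)
class Reply:
    qname: str
    txid: int
    dst_port: int   # port the reply is addressed to
    answer: str     # constructed sample answer, e.g. "203.0.113.1"

class Resolver:
    """Toy model of the ISP DNS: one outstanding lookup at a time."""
    def __init__(self, random_ids: bool, random_ports: bool):
        self.random_ids, self.random_ports = random_ids, random_ports
        self.next_id, self.cache, self.pending = 0, {}, None

    def send_query(self, qname: str) -> Pending:
        # Older software: sequential 16-bit IDs and a single fixed port (53).
        # Fixed software: random 16-bit ID and a random ephemeral port per query.
        txid = secrets.randbelow(65536) if self.random_ids else self.next_id
        self.next_id = (self.next_id + 1) & 0xFFFF
        port = secrets.randbelow(64512) + 1024 if self.random_ports else 53
        self.pending = Pending(qname, txid, port)
        return self.pending

    def receive(self, reply: Reply) -> bool:
        """Accept a reply only if name, query ID and port all match the pending lookup."""
        p = self.pending
        if p is None or (reply.qname, reply.txid, reply.dst_port) != (p.qname, p.txid, p.src_port):
            return False            # "Unsolicited reply... ignore."
        self.cache[reply.qname] = reply.answer   # reply accepted and cached
        self.pending = None
        return True

def guess_space(resolver: Resolver) -> int:
    """Number of (query ID, port) combinations a forged reply has to hit.
    Assumes the attacker has seen the previous sequential ID, so a predictable ID counts as 1."""
    return (65536 if resolver.random_ids else 1) * (64512 if resolver.random_ports else 1)
```

With sequential IDs and one port a single forged reply can match; with both fixes a forged reply has to hit one of about 4.2 billion (ID, port) pairs.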
Conclusion
• DNS cache poisoning is not new
• There are new ways to use it
• A successful DNS poisoning could be very damaging
• Be alert to new threats
• Thank you