Cатсн²² (in)sесuяitу / ChrisJohnRiley

The presentation is available here. There is also information available on the HAR2009 Wiki.

Presenter is the writer of PowerDNS (written in 1999). HAR2009 is using PowerDNS for all DNS resolution at the camp. 40% of all NL domains, and 50% of all DE domains are hosted using PowerDNS.

DNS is scary and complex, it’s also used almost everywhere.

DNS compression – Used to make the DNS requests smaller by using pointers to the previously used domain. This could be a problem.

Whole field of research looking at how the (NULL char) effects DNS –> see SSL talks for more info 😉

DNS is hard, perhaps too hard for the current sploied generation of coders

• Variable length fields
• Internal packet pointers
• Implementations that implement the bare minimum

€20 ADSL routers are now in the path of almost all home based internet connections. These routers have not always implemented DNS correctly. Some even reset when given RFC compliant DNS replies to requests.

DNS isn’t only in your PC – Phones, Cameras, printers (HP – it orders it’s own toner!), Scanners, ….

DNS Threats

• Availability
• -No DNS = No Service = “My Internets don’t work”
• -One typical resolver services up to 100,000 subscribers
• -Largest authoritve server host 8,000,000+ zones
• Exploitation
• -Once exploited, integrity & availability are damaged
• -Plus all other software on same server/client!
• Integrity
• -DNS sends you the wrong way ­> the internet changes (and your Euros follow!)

DNS Availability is bad news, especially resolvers – 10K well-designed queries will kill most resolvers, 50K well-designed queries will kill most auth servers.

DNS Exploitation

• Stubs – Many DNS implementations date from 1984 and have been copy pasted ever since. No one really cares about DNS. Originally Windows XP used ‘1’ or ‘2’ as it’s random DNS transaction ID.
• SOHO routers – Designed to be quick andd nasty. The less they cost the better as they’re given away for free. Exploiting one, normally means you can exploit them all (similar code base). Good target
• Servers – Often more secure. Often subject to regular attacks and are better secured.

DNS Integrity / spoofing

If you can’t trust DNS, you can’t trust the web.

DNS resolution is like throwing a brick into the crowd and hoping it hits the right resolver. The resolver then throws back a brick, hopefully, with the right transaction ID and resolution information. Becoming harder to spoof these responses. May issues to overcome.

• Spoofing using a static source port, it’s possible to achieve this with 50% reliability within 2 seconds.
• Spoofing using a random source port, it takes 10 hours to reach 50% chance

This is theoretic, as it would require a gigabit connection dedicated to DNS traffic. Problem is, it would kill the DNS server. People tend to notice that.

When under attack a smart nameserver will not be able to communicate with the nameserver anymore (due to the traffic levels) and not make any more queries to this server for the next few minutes. This makes the attack fail, as the DNS under attack is no longer listening for the responses. This means an attacker needs to throttle the attack to not overload the server and still perform the attack. This gives a 50% chance in roughly 6 weeks time. This kind of slow attack is probably already happening.

Unconfirmed reports from a Brazilian bank briefly got it’s IP address changed on Aptril 22nd this year – This was attributed to the Kaminsky DNS spoof attack.

Further issues: DNS’s that use source port randomization need to be wary of NAT boxes rewriting the source ports and re-enabling the attack vector.

Many solutions discussed

• Use TCP – Issues of traffic levels (RFC says keep connection open 2 minutes)
• Multiple queries and then take the majority answer
• EDNS-PING – Extra numbers for attackers to guess (only works on 5% of domains currently)

Long-term solutions

• DNSSEC – Will solve everything, however if it breaks even one thing, people won’t accept it as a solution to an issue that normal users have never heard of. Debugging (took 3 days for a bug in the top level .org to be fixed