DNS - Domain Name System

  • DNS is based on UDP and is therefore easy to spoof unless additional security measures (source port randomization and query ID randomization) are in place.
  • Query ID randomization on its own is easy to spoof: the ID is only 16 bits.
  • With recursive DNS servers, the name server itself queries all the external name servers required to resolve the name.
  • The source port is not defined in the standard.
  • The destination port of DNS is always 53.
  • The QID (16-bit query ID) identifies a DNS request. The transaction ID of the DNS response must be identical to it.
  • Both the query ID and the source port must be correct, otherwise the DNS response is not accepted.

DNS protocol sequence

  1. The computer asks the recursive DNS server whether it knows the IP of elsensohn.ch. If it already knows it (cached), it skips straight to step 8 and answers.
  2. The recursive DNS server asks a root DNS server.
  3. The root DNS server answers with a referral to the top-level domain server.
  4. The recursive DNS server queries the country-code top-level domain server (here .ch).
  5. That server responds with a referral to the authoritative DNS server.
  6. The recursive DNS server asks the authoritative DNS server whether it knows the IP.
  7. The authoritative server answers with the IP.
  8. The recursive DNS server returns the IP to the computer.

DNS Spoofing Procedure

Essentially, only two values need to be known: the source port the victim's DNS server used for its request and the query ID of that request. If the forged response then arrives before the authoritative DNS server's answer, the spoofing has succeeded.

The fake service must therefore find the source port of the original DNS request in order to reply on that port; otherwise the victim's operating system simply rejects the DNS response. The source port can be found by the attacker setting up an authoritative DNS server for one of his own domains and having the victim request a name in that domain. The victim's DNS server then contacts the attacker's DNS server, which thereby learns the source port.

There are two countermeasures:

  1. A different (random) source port should be used for each DNS request.
  2. The query ID must be randomized.
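The checks from the bullet list at the top (query ID and source port must match) and the two countermeasures above, modelled as resolver-side validation. This is an added example and not code from the original page: the DNS messages are hand-built minimal query/response datagrams, the ephemeral port range is an assumption, and the "resolver" is only the bookkeeping needed to decide whether an incoming datagram answers a query it actually sent. With a fixed source port a blind guess has to hit only the 16-bit ID; with both values random per query the search space is roughly 2^16 times the size of the port range.

```python
import secrets
import struct

# Added example (not from the original page): a minimal model of the resolver-side
# checks that the two countermeasures rely on. Every outstanding query is remembered
# as (source port, query ID) -> question, and a UDP datagram is accepted only if the
# port it arrived on, its transaction ID and the echoed question all match.

EPHEMERAL_PORTS = range(1024, 65536)   # assumption: the range the resolver draws from


def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, zero terminator)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Uncompressed wire-format name -> (dotted name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qid, qname, qtype=1):
    """12-byte header (RD set, QDCOUNT=1) followed by one IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(qid, qname, ipv4, qtype=1):
    """Constructed answer: QR|RD|RA set, question echoed, one A record (TTL 300)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answer


def query_id(message):
    """The 16-bit transaction ID at the start of any DNS message."""
    return struct.unpack("!H", message[:2])[0]


class Resolver:
    """Stub resolver state: one random port and one random ID per outstanding query."""

    def __init__(self):
        self.pending = {}   # (source port, query ID) -> qname

    def send_query(self, qname):
        qid = secrets.randbelow(1 << 16)          # countermeasure 2: random 16-bit ID
        port = secrets.choice(EPHEMERAL_PORTS)    # countermeasure 1: random source port
        self.pending[(port, qid)] = qname
        return port, build_query(qid, qname)      # caller would send this from `port`

    def accept_response(self, arrival_port, datagram):
        """(qname, ipv4) if the datagram answers a pending query, else None (dropped)."""
        if len(datagram) < 12:
            return None
        qid, flags, qdcount, ancount = struct.unpack("!HHHH", datagram[:8])
        if not flags & 0x8000 or qdcount != 1:      # must be a response carrying one question
            return None
        expected = self.pending.get((arrival_port, qid))
        if expected is None:                         # unknown port/ID pair: a guess, drop it
            return None
        name, off = decode_name(datagram, 12)
        if name.lower() != expected.lower():         # answer must echo the question we sent
            return None
        off += 4                                     # skip QTYPE and QCLASS
        if ancount < 1:
            return None
        _, off = decode_name(datagram, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", datagram[off:off + 10])
        off += 10
        if rtype != 1 or rdlen != 4:
            return None
        del self.pending[(arrival_port, qid)]       # first valid answer wins; later ones are dropped
        return name, ".".join(str(b) for b in datagram[off:off + 4])
```

A forged datagram with the wrong ID, the wrong port or a different question is dropped without being parsed any further, and once a genuine answer has been accepted the pending entry is removed, so a late duplicate is dropped as well.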

DNSSEC

DNSSEC stands for Domain Name System Security Extensions and guarantees the authenticity and integrity of the requested data. Note that the data is still not transmitted in encrypted form. DNSSEC is essentially based on a "chain of trust": the root key is trusted, and it in turn signs the key of the zone one level down. More precisely, it signs a hash of that key, the DS record. This repeats down to the lowest zone, which forms the end of the chain of trust. To simplify key handling, a distinction is made between a "Key Signing Key" (KSK) and a "Zone Signing Key" (ZSK). The KSK signs the ZSK, which has the advantage that only the hash of the KSK has to be stored in the parent zone. The KSK also has a longer lifetime than the ZSK.

As a graphic (from dnsviz.net), the chain of trust looks like this:

The keys and DS records can also be queried from the command line with dig.

Root zone:

$ dig @8.8.8.8 -4 . DNSKEY +multiline +rrcomments

; <<>> DiG 9.16.18 <<>> @8.8.8.8 -4 . DNSKEY +multiline +rrcomments
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46929
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;.			IN DNSKEY

;; ANSWER SECTION:
.			72954 IN DNSKEY	256 3 8 (
				AwEAAbDEyqdwu2fqAwinPCFwALUCWfYYaLrNhnOrMxDo
				rLBYMipEE1btlK1XnigTRMeb0YQ8/LCopb3CN73hYDhC
				HFsNk+GtukBB+gWLcg+2FZXbhLXIheQm8x2VfOHy2yYQ
				G+18wjx3HY9Mj/ZEhXbZNrDMvpFKKVihWXa0/cHNg4Zc
				IHD9KkMlKzK+my1K/vz8fq5cFCFOu7wgM+kKbOikdcRB
				m7Uf/wRXZItFg2uhUijUb56gEN8uCUgmuEw6wQ5ZBuR7
				UT/FLyyAUeAH87oxF4im2DXK6J+JA7IAs2UHJ16uTqvd
				serUU8NIosislaXIZCvz+NTDb3SJcxs6bvCikeU=
				) ; ZSK; alg = RSASHA256 ; key id = 26838
.			72954 IN DNSKEY	257 3 8 (
				AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
				iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
				7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
				LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
				efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
				pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
				A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
				9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
				) ; KSK; alg = RSASHA256 ; key id = 20326

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 26 17:59:37 CEST 2021
;; MSG SIZE  rcvd: 578
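One link of the chain of trust described above, worked through in code: derive the key tag (the "key id" dig prints) and the DS digest of the root KSK from the dig output just shown, and compare them with the DS that a parent would publish. This is an added example, not code from the original page. The public key is copied from the DNSKEY record above; the expected DS (20326 8 2 E06D44B8...) is the root trust anchor as published by IANA and is not on this page.

```python
import base64
import hashlib
import struct

# Added example, not part of the original page: compute the key tag and the DS
# digest of a DNSKEY and check them against a DS record. The key is the root KSK
# (flags 257, protocol 3, algorithm 8) from the dig output above; ROOT_DS is the
# root trust anchor published by IANA (key tag 20326, alg 8, digest type 2).

ROOT_KSK_B64 = (
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO"
    "iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN"
    "7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5"
    "LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8"
    "efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7"
    "pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY"
    "A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws"
    "9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)
ROOT_DS = (20326, 8, 2, "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")

DS_DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}   # DS digest type -> hash


def encode_name(name):
    """Dotted name -> wire format; the root "." becomes a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B checksum over the RDATA; this is the 'key id' dig prints."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = hashlib.new(DS_DIGEST_ALGS[digest_type])
    h.update(encode_name(owner.lower()) + rdata)
    return h.hexdigest().upper()


def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, ds):
    """Does the parent's DS (tag, alg, digest type, hex digest) really point at this key?"""
    ds_tag, ds_alg, ds_type, ds_hex = ds
    if not flags & 0x0100:                  # ZONE bit (0x100) must be set; 257 = ZONE + SEP
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (algorithm == ds_alg and key_tag(rdata) == ds_tag
            and ds_digest(owner, rdata, ds_type) == ds_hex.upper())


if __name__ == "__main__":
    rdata = dnskey_rdata(257, 3, 8, ROOT_KSK_B64)
    print("key tag", key_tag(rdata), "DS", ds_digest(".", rdata))
    print("matches IANA trust anchor:", ds_matches(".", 257, 3, 8, ROOT_KSK_B64, ROOT_DS))
```

The same three functions apply to any zone cut: take the child's DNSKEY with flags 257, compute the digest over its owner name and RDATA, and compare it with the DS record the parent serves (the root is the one zone whose DS has to be configured by hand, as the trust anchor).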

.ch. zone:

$ dig @8.8.8.8 -4 ch. DNSKEY +multiline +rrcomments

; <<>> DiG 9.16.18 <<>> @8.8.8.8 -4 ch. DNSKEY +multiline +rrcomments
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22510
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ch.			IN DNSKEY

;; ANSWER SECTION:
ch.			16771 IN DNSKEY	256 3 13 (
				+K7BOD21mQNNv4S+3vq01c2aPBI9thhyl8uzVUOMwh32
				rj8mZz+FLN8Ia1wJ3L3IUBy+jv44zCXCri3XMR0O/g==
				) ; ZSK; alg = ECDSAP256SHA256 ; key id = 59794
ch.			16771 IN DNSKEY	257 3 13 (
				kr4o4HQBltkJbi/uQ03HU9DY4eKY9gVHyHJk/Qw1ZRYe
				Cb/QMQ8hx0gN5o0lTBEqO/H5DwCWxM33aUwBBZostw==
				) ; KSK; alg = ECDSAP256SHA256 ; key id = 1053
ch.			16771 IN DNSKEY	256 3 13 (
				aRltdCO9+rUkM35hRQtCsZYPKM4w7Q6MyEsY2l50383m
				DtQw5i0miGj/mZEv+/G39/fkanDQbokuw2HL8EzIAQ==
				) ; ZSK; alg = ECDSAP256SHA256 ; key id = 12530

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 26 17:59:56 CEST 2021
;; MSG SIZE  rcvd: 271

elsensohn.ch. zone:

$ dig @8.8.8.8 -4 elsensohn.ch. DNSKEY +multiline +rrcomments

; <<>> DiG 9.16.18 <<>> @8.8.8.8 -4 elsensohn.ch. DNSKEY +multiline +rrcomments
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20501
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;elsensohn.ch.		IN DNSKEY

;; ANSWER SECTION:
elsensohn.ch.		3599 IN	DNSKEY 257 3 13 (
				vz97nfOMzU2lDNcs4SBQC6tH/AuIswt+5vT0tPNw9ilm
				RFUOshPYWwt2VzMFf+LvSyzvto+5ersY4FMeE+hN1A==
				) ; KSK; alg = ECDSAP256SHA256 ; key id = 20963

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 26 18:00:07 CEST 2021
;; MSG SIZE  rcvd: 121

The signed A record from elsensohn.ch:

$ dig @8.8.8.8 -4 elsensohn.ch. +dnssec +multiline +rrcomments

; <<>> DiG 9.16.18 <<>> @8.8.8.8 -4 elsensohn.ch. +dnssec +multiline +rrcomments
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40983
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;elsensohn.ch.		IN A

;; ANSWER SECTION:
elsensohn.ch.		197 IN RRSIG A 13 2 300 (
				20210805000000 20210715000000 20963 elsensohn.ch.
				iCWpDAJ7m1TxJFXwrF5nQtf1CH3aRbJ9EkFqQSqdK3yS
				1gOGVbVv7rOiWVcqBog/LftYjpb3e/V0fbV0k5hMBQ== )
elsensohn.ch.		197 IN A 116.203.219.190

;; Query time: 26 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Jul 26 18:00:30 CEST 2021
;; MSG SIZE  rcvd: 165
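What a validating resolver does with the RRSIG shown above, worked through in code: rebuild the signed data (RRSIG RDATA without the signature, followed by the canonical A RRset) and check the ECDSA P-256/SHA-256 signature (algorithm 13, RFC 6605) with the zone's DNSKEY. This is an added example, not code from the original page; the curve arithmetic is a small pure-Python implementation written for this example, and every input value (key, signature, timestamps, key tag, address) is copied from the dig output above. It only checks the signature itself: a real validator would also check the inception/expiration window against the current time (this signature expired in August 2021) and follow the chain of DS records up to the root.

```python
import base64
import calendar
import hashlib
import struct
import time

# Added example, not part of the original page: verify the RRSIG over the A record
# of elsensohn.ch with the zone's DNSKEY (ECDSA P-256 with SHA-256). Nothing here
# touches the network; all values are taken from the dig output on the page.

# NIST P-256 parameters: y^2 = x^3 - 3x + B (mod P), generator G of prime order N.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)


def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x - 3 * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (adequate for verification of public data)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ecdsa_p256_sha256_verify(pubkey, signature, message):
    """pubkey = x|y (64 bytes) and signature = r|s (64 bytes), the DNSSEC byte layouts."""
    if len(pubkey) != 64 or len(signature) != 64:
        return False
    q = (int.from_bytes(pubkey[:32], "big"), int.from_bytes(pubkey[32:], "big"))
    r, s = int.from_bytes(signature[:32], "big"), int.from_bytes(signature[32:], "big")
    if not on_curve(q) or not (0 < r < N and 0 < s < N):
        return False
    e = int.from_bytes(hashlib.sha256(message).digest(), "big")
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, q))
    return pt is not None and pt[0] % N == r


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnssec_time(stamp):
    """YYYYMMDDHHMMSS in UTC, as dig prints it -> seconds since the epoch."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))


def signed_data(rrsig, rrset):
    """RFC 4034 3.1.8.1: RRSIG RDATA minus the signature, then the RRset in canonical form."""
    data = struct.pack("!HBBIIIH", rrsig["type_covered"], rrsig["algorithm"],
                       rrsig["labels"], rrsig["original_ttl"],
                       dnssec_time(rrsig["expiration"]), dnssec_time(rrsig["inception"]),
                       rrsig["key_tag"])
    data += encode_name(rrsig["signer"].lower())
    # Canonical RRset: lowercase owner, class IN, TTL = original TTL, sorted by RDATA.
    for owner, rtype, rdata in sorted(rrset, key=lambda rr: rr[2]):
        data += encode_name(owner.lower())
        data += struct.pack("!HHIH", rtype, 1, rrsig["original_ttl"], len(rdata)) + rdata
    return data


def verify_rrsig(rrsig, rrset, dnskey_b64):
    """True if the RRSIG is a valid signature over the RRset under this DNSKEY."""
    return ecdsa_p256_sha256_verify(base64.b64decode(dnskey_b64),
                                    base64.b64decode(rrsig["signature"]),
                                    signed_data(rrsig, rrset))


# Values copied from the dig output for elsensohn.ch on the page.
ZONE_KEY_B64 = ("vz97nfOMzU2lDNcs4SBQC6tH/AuIswt+5vT0tPNw9ilm"
                "RFUOshPYWwt2VzMFf+LvSyzvto+5ersY4FMeE+hN1A==")
A_RRSIG = {"type_covered": 1, "algorithm": 13, "labels": 2, "original_ttl": 300,
           "expiration": "20210805000000", "inception": "20210715000000",
           "key_tag": 20963, "signer": "elsensohn.ch.",
           "signature": ("iCWpDAJ7m1TxJFXwrF5nQtf1CH3aRbJ9EkFqQSqdK3yS"
                         "1gOGVbVv7rOiWVcqBog/LftYjpb3e/V0fbV0k5hMBQ==")}
A_RRSET = [("elsensohn.ch.", 1, bytes([116, 203, 219, 190]))]

if __name__ == "__main__":
    print("RRSIG valid:", verify_rrsig(A_RRSIG, A_RRSET, ZONE_KEY_B64))
```

Changing a single octet of the address (or any other byte of the signed data) makes the verification fail, which is exactly the integrity guarantee the DNSSEC section describes: a forged answer that carries the right QID and port still cannot carry a valid signature.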