Small Discussion on DNS Security

You might have heard of DNS Attack, DNS spoofing, etc many times. So here i am going to discuss a general DNS Security case sttudy.


DNS cache poisoning (also known as DNS cache pollution) is a maliciously created or unintended situation that provides data to a Domain Name Server that did not originate from authoritative DNS sources. It occur if DNS "spoofing attack" has been encountered. An attacker will send malicious data / non-secure data in response to a DNS query.


For the simplest scenario, a cleint sends DNS server a question , "What is the Ip adress of Hackplane.in" ?


Now DNS server gives it the answer. if the answer matches the question, the client will trust that it had got a right answer.


BUt here it must be noted that there are various ways in which this process can be intercepted or changed or impersonated so that wrong answer can be given and thereby making client go for something wrong.


Here i am attaching an image for better understanding of this concept.

 Click On the Image for Enlarging. :)



Now How does one spoof a response. 


1. A question is sent by the cleint and then it waits for the answer.



Well, the question arises that how the client is gonna trust the spoofed answers. So there are someof the attributes by which t identifies it.
a) It comes back to same ip it was sent from.
b) It comes to the same port number it was sent from.
c) Answer mathces the asked question.
d) A uinque transaction number.


In order to spoof a message we need to find out all these attributes. We need to have the Ip Address of recursive name server, question whichh the cleintsend, so as to inject the answer, the port number, and the uninque sequence number. What clicks my mind for all this informaiton is WIRESHARK. :P


Now Whats new??


Dam kaminsky identified that there is a way by which we can directly flood the recursivve server with lots f answers so that a right combination may go in a hit. (But actually it would not take a long time, so dn start putting on ur brains).


Now if the Name server deals with authoritative as well as recursive responses, any such attack can store bad data and that may be forwarded to lame computers that want authoritative responses.


For somehow controlling this:-
1. Sequence numbers must be randomized with a greater frequency.
2. Recursive name servers must be disabled (and if not disabled, must be restricted to only required number of users).
3. Diffrent Port numbers(apart from 53, default one fixed by IANA)  must be used.
4. More emphasis on encrypted data must be laid on.
5. DNS SEC (DNS Security policy must be used).



For a clear logic, jst cop up with the folllowing if else statment.

If DNS is not recursive, it is safe.
If DNS is recursive, then if it provides good randomness or sequence numbers, then it is OKAY ( A mid position, neither too secure nor too vulnerable).
If DNS is not recursive as well as it do not provide good randomness, it is highly vulnerable.

Enjoy Hacking. :)