DNS spoofing

DNS spoofing or cache poisoning is an IT security attack on the Domain Name System that falsifies the mapping between a domain name and its associated IP address. Its purpose is to redirect traffic unnoticed to another computer, for example to carry out a phishing or pharming attack. If the traffic is directed to an unreachable destination, the result is a denial-of-service attack.

The terms DNS spoofing and cache poisoning arose from different attack methods that pursue the same objective. Cache poisoning refers to attacks in which forged resource records are inserted into the victim's DNS cache. DNS spoofing refers to attacks in which forged resource records are sent via IP spoofing. A related attack is DNS hijacking, in which a DNS resolver deliberately returns incorrect answers.


Attack via additional data

A historical cache poisoning method is to attach additional forged DNS records to legitimate DNS responses. If the requester accepts the resource records in the answer without checking them, forged resource records for arbitrary domain names can be fed into its DNS cache.

How it works

In the public DNS, an individual DNS server is authoritative only for parts of the entire namespace. If a DNS server receives a request for a zone for which it is not authoritative, it can forward the request to the next DNS server. To avoid unnecessary load, DNS servers can store the answers to requests made to other servers locally in a cache; the forwarding of a repeated request can then be skipped and an immediate answer sent from the cache. A DNS participant that sends a request to a name server stores the received answer in its cache for a predetermined time without checking it. In addition to the actual answer, additional (legitimate) data such as glue records is often transmitted and also stored in the cache. Cache poisoning is based on hiding one or more forged resource records among this additional data.

Example sequence

Remedy

The vulnerability was fixed in the BIND name server in June 1997 by ignoring resource records that were delivered without having been requested: only resource records belonging to the domain actually requested (in-bailiwick) are accepted. All name servers in common use today perform this check before adopting records into the cache.

Shortly after the gap became known, Eugene Kashpureff carried out a large-scale cache poisoning attack on BIND name servers that were still vulnerable, for which he was later sentenced to probation.

DNS Spoofing

In DNS spoofing, the attacker sends forged DNS responses, usually via IP spoofing, that appear to come from an authoritative name server. For the attack to succeed, the forged answer must either arrive at the requesting resolver before the legitimate response, or the responsible name server must be prevented from answering by a denial-of-service attack. In addition, the parameters of the response must match those of the request, including the 16-bit transaction ID. If the attacker is on the same local network as the resolver, the transaction ID can be observed with a sniffer. Otherwise it must be guessed, which for a 16-bit field takes on average 2^15 = 32,768 attempts. The attacker can send several forged answers at once to raise the probability of success per attempt, at the cost of more resources.

Various weaknesses have made the transaction ID easy to guess. In BIND 8, the pseudo-random number generator was weak, so the transaction ID could be predicted with little effort. If the attacked resolver sends an identical DNS request several times with different transaction IDs, the probability of success rises significantly because of the birthday paradox.

If the attack was unsuccessful, the correct resource record is now in the cache, and the attacker can only try again after its time to live has expired.

Kaminsky attack

In July 2008, Dan Kaminsky presented a type of attack that circumvents the caching of valid responses described above and thereby considerably reduces the time required. By querying non-existent domain names, a forgery attempt can be repeated any number of times if the correct transaction ID was not among a batch of forged response packets. The forged response contains a delegation consisting of an NS resource record and a glue record that points to a host controlled by the attacker. This ensures that the forged glue records are in-bailiwick, and the entire domain is redirected to the attacker.
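The mechanics of the three sections above (forged records riding in the additional data, the in-bailiwick check that fixed it, and the Kaminsky delegation-plus-glue trick that passes the check) as an added Python example; this is not code from the original article. It is a toy DNS wire-format codec (uncompressed names, A and NS rdata only) and a minimal resolver cache. All names (example.com, www.bank.test, a7f3q9.example.com), addresses (192.0.2.x, 203.0.113.66) and transaction IDs are constructed test data, and the cache deliberately omits the trustworthiness ranking of records (RFC 2181) that real resolvers apply on top of the bailiwick check.

```python
"""Toy DNS wire codec (uncompressed names) and a resolver cache that applies the
in-bailiwick rule. Added example, not code from the original article; all names,
addresses and transaction IDs below are constructed test data."""
import struct
from collections import namedtuple
A, NS, IN = 1, 2, 1
RR = namedtuple("RR", "name rtype ttl rdata")  # rdata: dotted IPv4 (A) or target name (NS)

def norm(name):
    return name.lower().rstrip(".") + "."

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode an uncompressed name (no 0xC0 pointers); return (name, end offset)."""
    labels = []
    while msg[off]:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii"))
        off += 1 + msg[off]
    return norm(".".join(labels)), off + 1

def encode_rr(rr):
    rdata = bytes(int(x) for x in rr.rdata.split(".")) if rr.rtype == A else encode_name(rr.rdata)
    return encode_name(rr.name) + struct.pack("!HHIH", rr.rtype, IN, rr.ttl, len(rdata)) + rdata

def build_response(txid, qname, qtype, answer=(), authority=(), additional=()):
    """Authoritative answer (flags QR|AA) carrying the given sections."""
    hdr = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, IN)
    return hdr + question + b"".join(encode_rr(r) for r in (*answer, *authority, *additional))

def parse_message(data):
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, sections = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        questions.append((name, struct.unpack("!HH", data[off:off + 4])[0]))
        off += 4
    for count in (an, ns, ar):  # answer, authority, additional
        rrs = []
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            rdata = ".".join(map(str, data[off:off + 4])) if rtype == A else decode_name(data, off)[0]
            off += rdlen
            rrs.append(RR(name, rtype, ttl, rdata))
        sections.append(rrs)
    return {"id": txid, "question": questions, "answer": sections[0],
            "authority": sections[1], "additional": sections[2]}

def in_bailiwick(name, zone):
    """True if name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)

class ResolverCache:
    """Pending queries by TXID, records by (name, type); no RFC 2181 trust ranking (toy)."""
    def __init__(self, check_bailiwick=True):
        self.check_bailiwick, self.pending, self.records = check_bailiwick, {}, {}
    def send_query(self, txid, qname, qtype, bailiwick):
        self.pending[txid] = (norm(qname), qtype, norm(bailiwick))
    def receive(self, data):
        msg = parse_message(data)
        q = self.pending.get(msg["id"])
        if q is None or msg["question"] != [(q[0], q[1])]:
            return "dropped: TXID or question does not match a pending query"
        del self.pending[msg["id"]]
        accepted = rejected = 0
        for rr in msg["answer"] + msg["authority"] + msg["additional"]:
            if self.check_bailiwick and not in_bailiwick(rr.name, q[2]):
                rejected += 1                    # the 1997 fix: ignore foreign records
            else:
                self.records[(rr.name, rr.rtype)] = rr.rdata
                accepted += 1
        return f"accepted {accepted}, rejected {rejected}"

def demo():
    attacker, results = "203.0.113.66", {}
    legit = RR("www.example.com.", A, 300, "192.0.2.10")
    # 1: pre-1997 attack - an A record for an unrelated name rides in the Additional section
    for label, check in (("with_check", True), ("without_check", False)):
        c = ResolverCache(check_bailiwick=check)
        c.send_query(0x1234, "www.example.com", A, "example.com")
        c.receive(build_response(0x1234, "www.example.com", A, answer=[legit],
                                 additional=[RR("www.bank.test.", A, 86400, attacker)]))
        results["poisoned_" + label] = c.records.get(("www.bank.test.", A))
    # 2: a forged response whose TXID does not match the pending query is dropped (same cache as above)
    c.send_query(0x1234, "www.example.com", A, "example.com")
    results["wrong_txid"] = c.receive(build_response(0x1235, "www.example.com", A, answer=[legit]))
    # 3: Kaminsky - random name, forged in-bailiwick delegation plus glue replaces the NS address
    c = ResolverCache()
    c.records[("ns1.example.com.", A)] = "192.0.2.53"   # legitimate glue learnt earlier
    c.send_query(0x4242, "a7f3q9.example.com", A, "example.com")
    results["kaminsky"] = c.receive(build_response(0x4242, "a7f3q9.example.com", A,
        authority=[RR("example.com.", NS, 86400, "ns1.example.com.")],
        additional=[RR("ns1.example.com.", A, 86400, attacker)]))
    results["kaminsky_ns_glue"] = c.records.get(("ns1.example.com.", A))
    return results
```

Running demo() gives the three cases side by side: the unchecked cache swallows the foreign A record that travelled in the additional section, the checked cache rejects it, a response whose transaction ID does not match is dropped before any record is looked at, and the Kaminsky-style delegation passes the bailiwick check because both forged records lie under example.com, so the cached address of the zone's own name server is replaced by the attacker's.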

Internet censorship

In various countries, DNS spoofing is used to censor the Internet. Because the DNS resolvers return forged answers, this is also referred to as DNS hijacking. It was the intended method of the Access Impediment Act (Zugangserschwerungsgesetz) for blocking websites in Germany.

A man-in-the-middle attack by a network operator is also called DNS injection. Using deep packet inspection, the network operator reads the domain names of all DNS requests and compares them against a block list. If a domain name is blocked, a forged DNS response is sent to the requester by DNS spoofing. Because this method inspects every DNS request on the network, blocking works even if the user does not use the network operator's DNS server.

DNS injection is used in the People's Republic of China as part of the Golden Shield Project. As a result, third parties in other countries can receive forged answers when their DNS requests are routed through Chinese networks.

Protection measures

Measures to protect against DNS spoofing aim either to increase the amount of random information in the DNS message that the attacker has to guess, or to protect the message with cryptographic procedures.

Random information

Since the Kaminsky attack was announced, all common name servers have implemented source port randomization (djbdns and PowerDNS already did so before). In addition to the transaction ID, the source port of a DNS request in the UDP header is chosen at random. Depending on the implementation, this yields a further 11 to 16 bits that the attacker must also guess correctly. With the full range of ports in use, the attacker must therefore guess about 32 bits, which takes on average 2^31 attempts.

What these methods have in common is that the message format does not need to be changed, so they are largely compatible with the existing DNS infrastructure. DNS spoofing remains feasible in principle, but the enlarged space of parameters to be guessed lowers the probability of success for a remote attacker. None of the methods for increasing randomness protects against an attacker who can read the DNS request (an on-path attacker).
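The guessing arithmetic from the DNS spoofing, Kaminsky and source port randomization passages above, as an added Python example that is not from the original article: the expected number of guesses for a secret of a given bit width, the exact birthday-paradox probability of a hit when the resolver has several identical queries outstanding, a Monte Carlo cross-check of that formula, and the expected number of Kaminsky rounds, which is what makes the attack independent of the TTL. The parameter values in summary() (300 outstanding queries, 300 or 100 forged packets per attempt, 11 or 16 bits of port entropy) are illustrative choices taken from the text's ranges, not measurements.

```python
"""How much an attacker must guess to spoof a DNS response blind.
Added example, not from the original article; the parameter values used
in summary() are illustrative, not measurements."""
import math
import random


def expected_guesses(bits):
    """Mean number of distinct values tried until a uniformly random
    `bits`-bit secret is hit: (2**bits + 1) / 2, i.e. about 2**(bits - 1)."""
    return (2 ** bits + 1) / 2


def hit_probability(space_bits, outstanding, spoofed):
    """Exact probability that at least one of `spoofed` distinct forged values
    matches one of `outstanding` distinct pending values, both drawn from a
    space of 2**space_bits (birthday paradox). Computed as
    1 - prod_i (1 - k / (N - i)) in log space so tiny probabilities stay accurate."""
    n_space = 2 ** space_bits
    if outstanding + spoofed > n_space:
        return 1.0
    log_miss = sum(math.log1p(-outstanding / (n_space - i)) for i in range(spoofed))
    return -math.expm1(log_miss)


def simulate_hit_probability(space_bits, outstanding, spoofed, trials=2000, seed=1):
    """Monte Carlo cross-check of hit_probability with a fixed seed."""
    rng = random.Random(seed)
    n_space, hits = 2 ** space_bits, 0
    for _ in range(trials):
        pending = set(rng.sample(range(n_space), outstanding))
        hits += any(v in pending for v in rng.sample(range(n_space), spoofed))
    return hits / trials


def expected_kaminsky_rounds(space_bits, spoofed_per_round):
    """Each round queries a fresh random name, so a miss caches nothing useful and
    the attacker simply starts the next round; the number of rounds is geometric
    with success probability hit_probability(space_bits, 1, spoofed_per_round)."""
    return 1 / hit_probability(space_bits, 1, spoofed_per_round)


def summary():
    """TXID alone (16 bits) versus TXID plus a randomised source port adding the
    11 or 16 bits the text quotes for different implementations."""
    rows = {}
    for label, bits in (("txid_only", 16), ("txid_plus_11bit_port", 27), ("txid_plus_16bit_port", 32)):
        rows[label] = {
            "expected_guesses_single_query": expected_guesses(bits),
            "p_hit_300_outstanding_300_spoofed": hit_probability(bits, 300, 300),
            "kaminsky_rounds_100_spoofed": expected_kaminsky_rounds(bits, 100),
        }
    return rows


if __name__ == "__main__":
    for name, row in summary().items():
        print(name, {k: f"{v:.4g}" for k, v in row.items()})
```

The interesting row is the 16-bit one: with a few hundred identical queries outstanding and a few hundred forged packets, the birthday effect gives roughly a three-in-four chance per attempt, which is why the BIND 8 behaviour of re-sending the same question with fresh IDs was dangerous; adding 16 bits of port entropy pushes the same attempt to about 2 * 10^-5 and the expected number of Kaminsky rounds from a few hundred into the tens of millions. None of these figures changes for an on-path attacker who reads the query and needs no guess at all.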

Cryptographic methods

Another category of protective measures extends the DNS message format with digital signatures or message authentication codes that are generated and verified by cryptographic methods. An attacker can still generate forged DNS responses but, without knowing the secret key, cannot produce a matching signature.

A well-known method is DNSSEC, in which the resource records are signed using asymmetric cryptosystems. DNSSEC is used in practice to some extent; however, most DNS traffic on the Internet is not protected by it.

An alternative to DNSSEC is DNSCurve, which cryptographically protects not the resource records but the communication channel between resolver and name server. It uses a combination of asymmetric and symmetric cryptosystems. DNSCrypt, a derivative of DNSCurve, is used by OpenDNS to secure communication between end users and its resolvers.

TSIG secures the communication between two DNS participants in a similar way to DNSCurve or DNSCrypt. It uses symmetric-key HMACs whose keys must be configured manually.
