Popular Science Introduction to DNS-related attacks

One what is DNS

DNS is the abbreviation for the domain Name System and is a core service of the Internet as a distributed database that maps domain names and IP addresses to each other, making it easier for people to access the Internet without remembering the number of IP strings that can be read directly by the machine.

DNS Domain name structure

Typically, the general structure of the Internet host domain name is: hostname. Level three domain name. Level two domain name. The top-level domain name of the Internet is registered and managed by the Internet Network association domain name Registry Query Committee responsible for network address allocation, which also assigns a unique IP address to each host on the Internet. There are three major network information centers around the world: Inter-nic in the United States, the United States and other regions, Ripe-nic in the Netherlands, responsible for the European region and APNIC in Japan, responsible for the Asia Pacific region.

DNS Query Packets

DNS response messages

Parsing process for DNS

The world has a lot of domain names need to parse, these can not be resolved on a server, it is too slow. DNS parsing uses a tree-structured parsing process.

In front of the above parsing process in fact there is a step, the system before issuing a DNS resolution will first look at whether the local preservation of the relevant domain name resolution, if any, will save a lot of time. The file is saved in the

C:\Windows\System32\drivers\etc\hosts, the file holds the relevant contents of the local DNS resolution as follows:

# copyright  (c)  1993-2009 microsoft corp.## this is a sample  HOSTS file used by Microsoft TCP/IP for Windows.## This  file contains the mappings of ip addresses to host names.  Each# entry should be kept on an individual line. the ip  address should# be placed in the first column followed by  the corresponding host name.# the ip address and the host  name should be separated by at least one# space.##  additionally, comments  (Such as these)  may be inserted on  Individual# lines or following the machine name denoted by a   ' # '  symbol.## for example:## 102.54.94.97 rhino.acme.com # source server# 38.25.63.10 x.acme.com  # x client host# localhost name resolution is handled within  dns itself.# 127.0.0.1 localhost# ::1 localhost

Two DNS-related attack types
1 DDoS attacks against DNS servers
The first type of DNS query denial of service attack based on host exhaustion type

Such an attack is to send a large number of DNS resolution request packets to the victim's DNS server, due to the limited number of wonderful queries from the DNS server, which makes it too busy to cause a denial of service attack.

The second type of DNS bounce denial-of-service attack based on broadband exhaustion (DNS reflector attacks, also known as DNS amplification attacks)
Principle: A large number of host forgery victim IP sends an NDS query request packet to a large number of open recursive DNS servers on the Internet. Since the open recursive DNS server does not validate the request packet for geologic authenticity, it will respond, so that the victim receives a large number of DNS request reply packets at the same time, blocking the network of the victim DNS server and finally forming a denial of service attack.
What is an open recursive DNS server?
An open recursive server is a DNS server that supports recursive queries and that does not authenticate clients that initiate recursive query requests.
Such as:

2 DNS hijacking for users

What is the simple thing about DNS hijacking?

Is that you want to visit Ctrip's website www.ctrip.com, the results of the input domain name returned to you is the server IP Baidu, then naturally displayed in the browser is the Baidu page.

Then I can take a look at the DNS resolution process described above to see which places will cause the IP returned to you to be wrong.

A first is the DNS server address being hijacked

For example, the DNS server address in your router is modified to a malicious DNS server. Then it's all over, and any domain you visit will be resolved to another address.

However, this is generally not the case, because the malicious personnel can not log on the router can not modify the DNS server address, you can not modify your native DNS settings. But when a few small loopholes are combined, it becomes a big loophole. For example, the router hijacking event that occurred before:

The vulnerability itself relies on 3 parts:

1. The Tp-link router discovers a csrf vulnerability exists.

2. Some users ' routers do not change the user name and password, use the default user name and password, or the browser logs the router's logon status.

3. Browsers such as Firefox and Chrome support HTTP authentication.

These combinations lead to such an attack process:

1. A malicious person constructs a malicious Web page, such as www.foo.com/text.html, where the function of the page is to automatically log on to the router and modify the DNS address.

2. A malicious person constructs a URL to send to the victim, and when the victim clicks on the link, it accesses the malicious page and modifies the router's DNS address.

The next is simple, malicious people can be the site you want to visit the domain name such as www.ctrip.com resolution to any other address such as 1.1.1.1. (Of course he will not be able to resolve here, to have financial benefits, or advertising or Ctrip promotion affiliate URL, etc.) ）

The following is a small demo of Tplink:

<Script>functionDns(){Alert(' I have changed your DNS on my domain! ')I=New Image;I.Src= http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1= 192.168.1.100&ip2=192.168.1.199&lease=120&gateway=0.0.0.0&domain=&dnsserver=8.8.8.8& Dnsserver2=0.0.0.0&save=%b1%a3+%b4%e6 ' ;}</script>//Modify dns<img src= "Http://admin:[email protected]/images/logo.jpg"  height= 1 width=1  Onload=dns () >//login    

b The Hosts file was modified

According to the parsing process, if you want to resolve www.ctrip.com IP, the system will first access the hosts file to see if there is a related binding:

If you have the following records:

1.1.1.1 www.ctrip.com

Your system will not send the www.ctrip.com to the DNS server to parse, directly resolve it to 1.1.1.1.

The mappings in the C DNS server cache are modified, also known as cache poison attacks

When the system detects the resolution of a domain name that is not responding in the Hosts file, it is sent to the local DNS server for resolution, before parsing it to see if it exists in the cache and, if not, sending the resolution request to the next DNS server. The result is returned and the resolution of the domain name is saved to the cache for the next parse.

There are 2 types of attacks on parsing in the cache:

Traditional DNS Cache Poison attack: The malicious person sends the resolution request of the domain name to the victim DNS server, then steals the reply packets to the victim server before the authoritative server answers. So the parse record of the error is saved in the cache, then all the parsing of the domain name in the next cache time is wrong. This attack is forged by answering resource records, with short attack times and low efficiency.

Kaminsky Cache poison attack: A malicious person sends a query request like this www24385.ctrip.com to the DNS server, and steals the ACK before the authoritative reply packets to the DNS server. It modifies the authorization resource record and can be a lot of attempts.

The above is a simple introduction of the cache poisoning attacks, interested colleagues can refer to the following documents
Http://wenku.baidu.com/view/c97eb1e5aeaad1f346933fbd.html
D invade the DNS server and modify the database records.
This is the method of more direct violence, of course, is the most difficult.

PS: This article is popular science, there is no advanced technology, just let more people interested in security can understand the principle of DNS attack, welcome Daniel to correct.

Transferred from: http://www.freebuf.com/articles/network/17150.html

Popular Science Introduction to DNS-related attacks