DNS Spoofing Attack and Its Protection

Source: Internet
Author: User
Tags: dnssec, domain server, dns spoofing

The Domain Name System (DNS) is a distributed database that maps domain names to IP addresses. DNS is part of the infrastructure on which network applications depend, so its security has a significant impact on Internet security. However, because of flaws in the design of the DNS protocol and weak protection and authentication mechanisms, DNS itself carries many security risks and is vulnerable to attack. Experts have proposed many technical solutions to the security defects of the DNS protocol. For example, the Domain Name System Security protocol (DNSSEC) proposed by the IETF aims to resolve these risks: it adds a security authentication mechanism and strengthens the protocol's security functions. However, the new mechanism requires more system and network resources and requires upgrading the database and system management software. Software based on DNSSEC is not yet mature, and it will be a long time before it is widely deployed. At present, the common measures are to upgrade DNS software regularly, harden security configurations, and disable insecure ports. This article discusses sniffing-based DNS ID spoofing and provides related protection measures.

I. DNS Server Service Process

DNS is a system that translates between domain names and IP addresses: it maps a domain name to its IP address. The DNS system has two parts, server and client, and the server normally listens on port 53. When a client sends a resolution request, the local DNS server first checks whether its database or cache holds the requested record. If so, it sends a response packet containing the result; otherwise it queries the DNS servers above it in the hierarchy, and the query continues until a result is found or a failure is reported back to the client. If the local DNS server obtains the record, it first stores it in its local cache and then responds to the client. In daily use, a browser asks for a domain name to be resolved to an IP address; that is, the client submits a domain-name translation request to the DNS server and receives the corresponding IP address. The author's school is used below as an example of how DNS works.

For example, suppose the client's address is 10.252.2.16 and the school's DNS server is 218.30.19.40, and the client wants to reach the website of Xi'an Institute of Finance and Economics. The user types www.xaufe.edu.cn in the address bar, and the DNS server is asked to find the corresponding IP address. The request is sent from a random port on 10.252.2.16 and received on port 53 of 218.30.19.40. 218.30.19.40 first searches its cache for the IP address of www.xaufe.edu.cn; if a mapping exists, the IP address is sent directly to the client. If it is not in the cache, 218.30.19.40 queries the upper-level DNS servers, the result is returned to 218.30.19.40 first, and finally 218.30.19.40 returns the IP address of Xi'an Institute of Finance and Economics (281.195.32.1) to client 10.252.2.16. The client can then connect to the institute's site.

II. DNS Spoofing Attack Principles

2.1 Spoofing Principle

The client's DNS query and the DNS server's response are matched by the ID field of the DNS message header. During resolution, the client first sends a query packet carrying a specific, randomly generated ID to the DNS server. After finding the result, the DNS server sends a response packet carrying the same ID. When the client receives a response, it compares the ID with the ID of its request: if they match, the packet is the one the client was waiting for; if they differ, the response is discarded. An attacker can exploit this query/response mechanism in several ways, for example:

(1) A DNS message uses only this one simple authentication code, the ID, to verify authenticity. The code is generated by the client program and echoed back by the DNS server, and the client relies on it alone to decide whether a response matches its query. This makes attacks against the ID possible.

(2) Information that is not necessarily related to the client's question can be added to a DNS message. An attacker can therefore add false data for their own purposes, such as the names and IP addresses of other domain servers. The client's subsequent queries for the attacked domain are then directed to the false domain server the attacker inserted, which causes DNS spoofing and threatens the network.

(3) When a DNS server receives a domain-name-to-IP-address mapping, it stores it in its local cache. If another client then asks for the IP address of that domain name, the server returns the mapping from the cache instead of querying again. If the attacker sets the lifetime (TTL) of the false record to a long value, the spoofing persists for a long time.

2.2 DNS Spoofing Attacks

Common DNS spoofing techniques include internal attacks and serial-number (ID) attacks. In an internal attack, an attacker who has taken control of a DNS server modifies the zone database and assigns a fake IP address to a specific domain name; when a client queries that domain name, it receives the forged address.

In a serial-number attack, a disguised DNS server sends a response packet to the client before the real DNS server does; the ID in the forged message is the same as the ID in the request the client sent to the real server. The client therefore accepts the false message and discards the real one, which arrives late, and the DNS ID spoofing succeeds. The IP address given for the domain name in the false message is one set by the attacker, and it takes the client to a site the attacker specifies.

2.3 DNS Serial Number Spoofing Attack Principle

DNS serial-number (ID) spoofing is based on detecting the ID and port. In a switched network, the attacker first carries out ARP spoofing against the target. When the client, attacker and DNS server are on the same network, the attack proceeds as follows: ① the attacker repeatedly sends forged ARP messages to the target machine and alters its ARP cache, so that the target's traffic passes through the attacker, which forwards it on to the real destination. Using sniffer software, the attacker observes the DNS request packets and obtains their ID and source port. ② As soon as the attacker has the ID and port, it immediately sends a forged DNS response to the client. The client checks the ID and port, finds them correct, and treats the message as a valid DNS response; the IP address it obtains may point to an illegitimate site chosen by the attacker, which threatens the client's information security. ③ The client then receives the genuine response from the DNS server and discards it, because it arrived after the forged one. When the client connects to the false IP address, the DNS ID spoofing is complete.

III. DNS Spoofing Detection and Prevention Ideas

3.1 Detection Ideas

During DNS spoofing, the client receives at least two response packets carrying the same ID: one legitimate, the other forged. Based on this feature, there are two detection methods:

(1) Passive monitoring. All DNS request and response packets are monitored. Normally a DNS server sends exactly one response packet per query (even when a domain name maps to several IP addresses, all of them are returned in a single message). Therefore, if one request receives two or more response packets within a short period, DNS spoofing is suspected.

(2) Active probing. The system sends a probe query and checks whether a spoofed DNS response comes back. Normally the probe receives no response. However, because the attacker must deliver the forged message before the legitimate response reaches the client, the attacker does not verify the validity of the DNS server address in the query and forges a response anyway. If a response to the probe arrives, a spoofing attack is under way.
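The passive check in method (1), and the ID matching it relies on from section 2.1, can be expressed as a small monitor that groups responses by client port and transaction ID and reports any query that draws more than one response. The following is an added example written for this article, not code from the original; the traffic it inspects is constructed inline (the client and server addresses are those used in section I, and 10.0.0.99 is an invented LAN host), and the header-only messages it builds are simplified samples, not captures.

```python
import struct
from collections import defaultdict

# DNS header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (RFC 1035, 12 bytes)
DNS_HEADER = struct.Struct("!HHHHHH")

def parse_header(raw):
    """Return (transaction_id, is_response) for a raw DNS message."""
    if len(raw) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, *_ = DNS_HEADER.unpack_from(raw)
    return txid, bool(flags & 0x8000)      # QR bit: 1 = response, 0 = query

def make_message(txid, response, ancount=0):
    """Constructed header-only DNS message used for the sample traffic below."""
    flags = 0x8180 if response else 0x0100   # QR|RD|RA for responses, RD for queries
    return DNS_HEADER.pack(txid, flags, 1, ancount, 0, 0)

def find_duplicate_responses(records, window=2.0):
    """Passive check from section 3.1.

    A query normally draws exactly one response, so any (client port, ID) pair
    that receives more than one response within `window` seconds of its query
    is reported. Each record is (timestamp, src_ip, client_port, raw_dns).
    Returns a list of (txid, client_port, [responder IPs]) in detection order.
    """
    query_time = {}                 # (client_port, txid) -> timestamp of the query
    responses = defaultdict(list)   # (client_port, txid) -> [(timestamp, src_ip)]
    for ts, src_ip, client_port, raw in records:
        txid, is_response = parse_header(raw)
        key = (client_port, txid)
        if is_response:
            responses[key].append((ts, src_ip))
        else:
            query_time[key] = ts
    alerts = []
    for (client_port, txid), answers in responses.items():
        if (client_port, txid) not in query_time:
            continue                # unsolicited response: a different signal
        t0 = query_time[(client_port, txid)]
        in_window = [src for ts, src in answers if 0 <= ts - t0 <= window]
        if len(in_window) > 1:
            alerts.append((txid, client_port, in_window))
    return alerts

# Constructed sample traffic: the first query is answered twice, once by an
# unexpected LAN host and then by the real server; the second query is normal.
SAMPLE_RECORDS = [
    (0.000, "10.252.2.16",  40123, make_message(0x1A2B, response=False)),
    (0.004, "10.0.0.99",    40123, make_message(0x1A2B, response=True, ancount=1)),
    (0.031, "218.30.19.40", 40123, make_message(0x1A2B, response=True, ancount=1)),
    (1.000, "10.252.2.16",  40124, make_message(0x3C4D, response=False)),
    (1.020, "218.30.19.40", 40124, make_message(0x3C4D, response=True, ancount=1)),
]

if __name__ == "__main__":
    for txid, port, sources in find_duplicate_responses(SAMPLE_RECORDS):
        print(f"ID 0x{txid:04x} on port {port}: {len(sources)} responses from {sources}")
```

In a real deployment the records would come from a capture on the client segment; the alert names both responders, which lets the operator see immediately which source address is not the expected DNS server.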

3.2 Defense Ideas

After DNS spoofing is detected on the network, the following preventive measures can be taken: ① access important sites directly by IP address on the client, avoiding DNS altogether; ② encrypt the traffic between the DNS server and the client, for example with the SSH protocol on the server side and PGP software on the client side.

For the common ID spoofing attack, specialized software is used to inspect the network. If a client receives two or more response packets within a short period, a DNS spoofing attack may be under way. Once a legitimate packet has been sent to the DNS server and the DNS data corrected, the next query returns the correct result.

IV. DNS Protection Solutions

4.1 Bind the IP Address and MAC Address

(1) Prevent ARP spoofing. Because DNS ID spoofing begins with ARP spoofing, effectively preventing ARP spoofing renders the DNS ID spoofing attack useless. For example, statically binding the IP address and MAC address of the gateway router prevents ARP spoofing.

(2) Bind DNS server information. In a DNS spoofing attack the attacker impersonates the IP address of the DNS server, so a static binding between MAC address and IP address can be used to prevent it. Because the MAC address of every network card is unique, the MAC address of the DNS server can be bound to its IP address and the binding stored in the EPROM of the client's NIC. Each time the client sends a query to the DNS server, it checks whether the MAC address in the response packet matches the MAC address stored in the EPROM. If it differs, the DNS server on the network is probably being spoofed. This method has limitations: if a host inside the LAN also knows the DNS server's MAC address, it can still use that MAC address to mount a disguised spoofing attack.
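The check described in item (2) is, in practice, a comparison of the source MAC of each DNS response frame against a stored IP-to-MAC binding. The following added example (written for this article, not code from the original) performs that comparison over Ethernet/IPv4/UDP frames. The binding table, the MAC addresses and the frames are constructed for the example; only the server address 218.30.19.40 and client address 10.252.2.16 come from section I.

```python
import struct

# Static bindings of DNS server IP -> expected MAC, the data item (2) stores on
# the client. The MAC is constructed; 218.30.19.40 is the article's server.
BINDINGS = {"218.30.19.40": "00:11:22:33:44:55"}

def mac_str(raw6):
    return ":".join(f"{b:02x}" for b in raw6)

def ip_str(raw4):
    return ".".join(str(b) for b in raw4)

def parse_frame(frame):
    """Return (src_mac, src_ip, src_port, udp_payload) for an IPv4/UDP frame,
    or None for anything else (non-IPv4 ethertype, non-UDP, truncated)."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    src_mac = mac_str(frame[6:12])
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    if len(ip) < ihl + 8 or ip[9] != 17:         # protocol 17 = UDP
        return None
    src_ip = ip_str(ip[12:16])
    src_port, = struct.unpack_from("!H", ip, ihl)
    return src_mac, src_ip, src_port, ip[ihl + 8:]

def check_dns_response(frame, bindings=BINDINGS):
    """Classify a frame: 'ok', 'mac-mismatch', 'unknown-server' or 'not-dns'.
    A 'mac-mismatch' is the condition item (2) treats as likely spoofing."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "not-dns"
    src_mac, src_ip, src_port, _payload = parsed
    if src_port != 53:
        return "not-dns"
    expected = bindings.get(src_ip)
    if expected is None:
        return "unknown-server"
    return "ok" if src_mac == expected.lower() else "mac-mismatch"

def build_frame(src_mac, src_ip, src_port, payload):
    """Constructed Ethernet/IPv4/UDP frame for the samples (checksums left 0)."""
    client_mac = bytes.fromhex("aabbccddeeff")                  # constructed
    eth = client_mac + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    total_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes([10, 252, 2, 16]))                   # article's client
    udp = struct.pack("!HHHH", src_port, 40123, 8 + len(payload), 0)
    return eth + ip + udp + payload

# Header-only DNS response (ID 0x1a2b, QR set, one answer), constructed.
DNS_PAYLOAD = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    good = build_frame("00:11:22:33:44:55", "218.30.19.40", 53, DNS_PAYLOAD)
    bad = build_frame("de:ad:be:ef:00:01", "218.30.19.40", 53, DNS_PAYLOAD)
    print(check_dns_response(good), check_dns_response(bad))
```

The result "mac-mismatch" is only an indicator, for the reason the text gives: a LAN host that has learned the server's MAC can forge the Ethernet source as well, so this check belongs alongside the duplicate-response monitoring of section 3.1 rather than in place of it.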

4.2 Use Digital Signatures for Identification

To prevent theft or tampering of zone data transferred between subnets, transaction signatures (TSIG) can be used. The master and slave domain name servers share the same key and use the same mathematical algorithm to authenticate their communication. Because of this shared-key verification, it is difficult to impersonate the master or slave server, which strengthens the security of domain name data transfer.

A domain name service with better security and reliability uses Domain Name System Security (DNSSEC) and digital signatures to authenticate the source of the information found in a lookup and to verify data integrity. For the DNSSEC specification, see RFC2605. Because the keys are generated when the domain is set up, and the parent domain must also be configured with the corresponding signature for the domain, this method is clearly very complicated, and InterNIC domain name management has not yet adopted it. At the technical level, however, DNSSEC is the most complete method available today for establishing and resolving domain names, and it is very effective against domain name spoofing and other security incidents.

4.3 Optimize DNS Server Settings

Optimizing the DNS server configuration can bring DNS security to a high standard. Common measures are: ① use physically separate domain name servers for different subnets, which provides DNS redundancy; ② physically separate the external and internal domain name servers and use forwarders: the external server answers queries from any client, while the forwarder accepts requests from internal clients only; ③ take technical measures to restrict dynamic DNS updates; ④ restrict zone transfers to authorized devices; ⑤ use transaction signatures to digitally sign zone transfers and zone updates; ⑥ hide the BIND version on the server; ⑦ remove unnecessary services running on the DNS server, such as FTP, Telnet and HTTP, and use a firewall on the network perimeter and on the DNS server itself to restrict access to the ports DNS requires.
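Items ② to ⑥ above, together with the TSIG identification of section 4.2, map onto a handful of BIND 9 named.conf directives. The fragment below is an added example for this article, not configuration from the original or from any real server: it shows an internal forwarder that is also master for the school's zone. The address range, the key name, the secret and the zone file name are placeholders; the zone name is the article's domain used illustratively, and 218.30.19.40 is the upstream server address from section I.

```conf
// Added example: hardened internal BIND 9 server. Replace every placeholder.

acl internal { 10.252.0.0/16; 127.0.0.1; };   // placeholder: the internal client range

// Section 4.2: TSIG key shared by master and slave. Generate the secret with
// tsig-keygen; the value below is a placeholder, not a usable key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_tsig-keygen";
};

options {
    version "not disclosed";            // item 6: hide the BIND version string
    recursion yes;                      // this is the internal forwarder ...
    allow-recursion { internal; };      // item 2: ... so only internal clients may recurse
    allow-query { internal; };          // the separate external server uses { any; } and recursion no
    allow-transfer { none; };           // item 4: no zone transfers unless a zone opts in
    forwarders { 218.30.19.40; };       // item 2: hand unanswered queries to the upstream server
    forward only;
};

zone "xaufe.edu.cn" {
    type master;
    file "xaufe.edu.cn.zone";           // placeholder file name
    allow-transfer { key xfer-key; };   // items 4 and 5: only TSIG-signed transfers succeed
    allow-update { none; };             // item 3: no dynamic updates to this zone
};
```

The external authoritative server described in item ② would carry the same `version`, `allow-transfer` and `allow-update` settings but `recursion no;` and `allow-query { any; };`, so that answering the public is separated from resolving on behalf of internal clients. Item ⑦ (removing FTP, Telnet and HTTP and firewalling the host) is done outside named.conf.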

4.4 Access Through IP Addresses Directly

Websites with strict requirements on the confidentiality of personal information should not be reached through DNS resolution. Many DNS spoofing attacks aim to steal users' private data, while most websites users visit involve no such private information. Therefore, when accessing a website that holds strictly confidential information, use the IP address directly without DNS resolution, so that no DNS spoofing attack can do harm. In addition, the DNS server's security configuration should be set properly, the DNS software upgraded, the server's IP address range reasonably limited, and recursive queries on the DNS server disabled.

4.5 Monitor DNS Data Packets

In a DNS spoofing attack the client receives at least two response packets, one genuine and one forged. To reach the client before the real response, the forged packet is much simpler in structure than the real one: it contains only the answer section, without the authority and additional sections. DNS response packets can therefore be monitored and the two kinds distinguished by rules and models based on this difference, so that the forged packet can be rejected.
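The structural rule just described can be implemented by parsing the header counts and sections of each competing response. The following added example (written for this article, not code from the original) builds two wire-format responses sharing one ID, parses them, and labels the answer-only one as the suspect when a fuller response to the same ID exists. The sample messages are constructed: the domain is the one used in section I, the addresses are RFC 5737 documentation ranges, and the name server name ns1.xaufe.edu.cn is invented for the example.

```python
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT

def encode_name(name):
    """Dotted name -> DNS wire-format labels, uncompressed."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def rr(name, rtype, ttl, rdata):
    """One resource record: NAME TYPE CLASS=IN TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(txid, qname, answers, authority=(), additional=()):
    """Assemble a standard-query response with the given sections (constructed)."""
    header = HEADER.pack(txid, 0x8180, 1, len(answers), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    return header + question + b"".join(answers) + b"".join(authority) + b"".join(additional)

def skip_name(raw, offset):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = raw[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # 2-byte pointer terminates the name
            return offset + 2
        offset += 1 + length

def section_profile(raw):
    """Parse the header counts and the A records in the answer section."""
    txid, _flags, qd, an, ns, ar = HEADER.unpack_from(raw)
    offset = HEADER.size
    for _ in range(qd):
        offset = skip_name(raw, offset) + 4            # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        offset = skip_name(raw, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", raw, offset)
        offset += 10
        rdata = raw[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "ancount": an, "nscount": ns, "arcount": ar, "answers": answers}

def classify_responses(responses):
    """Section 4.5 heuristic for competing responses that share one ID: a response
    is 'suspect' when it carries answers but no authority or additional section
    while another response to the same ID does carry them; otherwise 'plausible'."""
    profiles = [section_profile(r) for r in responses]
    if len({p["id"] for p in profiles}) != 1:
        raise ValueError("responses do not share a transaction ID")
    any_full = any(p["nscount"] or p["arcount"] for p in profiles)
    labels = []
    for p in profiles:
        bare = p["ancount"] > 0 and p["nscount"] == 0 and p["arcount"] == 0
        labels.append("suspect" if bare and any_full else "plausible")
    return labels

# Constructed samples sharing ID 0x1a2b. The forged one also uses a very long
# TTL, the cache-persistence trick noted in section 2.1 item (3).
QNAME = "www.xaufe.edu.cn"
FORGED = build_response(0x1A2B, QNAME,
    answers=[rr(QNAME, 1, 86400, bytes([192, 0, 2, 10]))])
GENUINE = build_response(0x1A2B, QNAME,
    answers=[rr(QNAME, 1, 300, bytes([198, 51, 100, 1]))],
    authority=[rr("xaufe.edu.cn", 2, 3600, encode_name("ns1.xaufe.edu.cn"))],
    additional=[rr("ns1.xaufe.edu.cn", 1, 3600, bytes([198, 51, 100, 53]))])

if __name__ == "__main__":
    for raw, label in zip((FORGED, GENUINE), classify_responses([FORGED, GENUINE])):
        print(label, section_profile(raw))
```

One caveat a practitioner should keep in mind: many servers today are configured to send minimal responses and legitimately omit the authority and additional sections, so the heuristic only labels a response when a fuller competitor exists, and the label should be combined with the duplicate-response count from section 3.1 rather than used alone.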

V. Conclusion

This article has described the principles of DNS resolution and DNS spoofing, discussed the methods, detection and prevention of DNS spoofing attacks, and finally presented some common measures against DNS spoofing. We believe that applying these measures can greatly improve the security and reliability of DNS. However, as networks develop and spread rapidly, we must keep pace with technological change in practice and continue to learn and summarize in order to defend effectively against new kinds of DNS threats.
