Oliver COM Solutions, d/b/a
2019 CISSP Candidate
Domain Name System (DNS) Exploits
Consider a conversation that you may have with a friend, or even with a total stranger out on the street. How do you start this conversation? Perhaps with a smile that leads to a compliment, which leads to a full-blown conversation (communication). Network communications work essentially the same way. Think further about the conversation with this person: perhaps it evolves into a friendship, or a relationship. By now, you know this person’s name and they know yours, correct? This is an important component of network comms, because addressing and naming are key elements that make network communications possible. This is the fundamental idea behind DNS.
In the IT world, naming conventions, nomenclatures and acronyms are as common as expletives (come on, have you ever had to do a migration on a production system?). By the same token, without our naming schemes we would have to rely on numbering systems to identify computers. We don’t have the time. Therefore, we use DNS to resolve human-friendly names to those numeric IP addresses. I mean, I have no desire to memorize the static IP for Google.com, but I visit it a lot. Never mind the inner workings of DNS for now; that’s for us to know and you to not have to worry about. But in the sense of cybersecurity, let us take a bit of a deep technical dive into the risks that this service presents.
DNS uses TCP and UDP port 53. TCP 53 is used when a response exceeds 512 bytes and for zone file exchanges (‘zone’ transfers) between DNS servers. UDP 53 is used for most usual DNS queries.
Client resolution to a DNS server can happen in a few different ways. First, the client can check its own local cache (with content from the HOSTS file). Second, a DNS query can be sent to a known DNS server. Lastly, a broadcast query can be sent to any possible local subnet DNS server.
Inherent Risks
DNS Poisoning
DNS information can be falsified on the client side. If any of the three steps above fails during initial communication, or resolution, DNS poisoning can then occur at any point. During that failure, the HOSTS file or the DNS server query can be corrupted.
Rogue DNS Server
Imagine playing paintball with your friends, and the one guy that’s really good is always sneaking around corners, listening in on everybody else to learn their next move. This is essentially the idea behind a rogue DNS service. A rogue DNS server can listen for DNS queries in network traffic. It then sends a DNS response to the client with false IP info. It is important that the 16-bit QID is included in the false response.
Proxy Falsification
This is the act of planting false web proxy information into a client’s browser; thus, this method only works against web comms. The hacker can use the rogue proxy to modify HTTP packets to reroute requests to whichever site the hacker wants. In my opinion, this method can actually lead to an even worse attack because it is essentially luring the end user into following the prompts... What does this remind you of? Phishing? Can we even talk about Social Engineering right now? No. Come back later 😊
How can you protect your enterprise, corporate, or individual network from these attacks? Well, there are methods of protection, like using the newer DNSSEC to secure your infrastructure, or deploying a NIDS in your network, amongst many others.
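As an added example (not code from the original post), here is the kind of check a NIDS can make against the rogue DNS server scenario described above: it parses DNS responses, keys them on client, 16-bit QID and name, and reports any query that received differing answers. The function names and the capture, which uses documentation-range addresses, are constructed for illustration.

```python
import socket
import struct

def build_response(qid, name, ip):
    """Constructed sample data: a minimal DNS response carrying one A record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    body = qname + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
    return struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0) + body + socket.inet_aton(ip)

def skip_name(msg, pos):
    """Step over a DNS name made of labels and/or a compression pointer."""
    while msg[pos] and (msg[pos] & 0xC0) != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)

def parse_response(msg):
    """Return (qid, qname, sorted A-record IPs) from a single-question response."""
    qid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if not (flags & 0x8000) or qd != 1:
        raise ValueError("not a single-question DNS response")
    pos, labels = 12, []
    while msg[pos]:                       # first name in the message: plain labels
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    pos, ips = pos + 5, []                # root label + QTYPE + QCLASS
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == 1 and rdlen == 4:     # A record
            ips.append(socket.inet_ntoa(msg[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return qid, ".".join(labels).lower(), sorted(ips)

def find_conflicts(captured):
    """Return (client, qid, qname, answers) wherever one query got differing responses."""
    seen = {}
    for client, payload in captured:
        qid, qname, ips = parse_response(payload)
        answers = seen.setdefault((client, qid, qname), [])
        if ips not in answers:            # identical retransmissions are not a conflict
            answers.append(ips)
    return [key + (answers,) for key, answers in seen.items() if len(answers) > 1]

CAPTURE = [  # constructed sample: (client IP, DNS response payload)
    ("192.0.2.10", build_response(0x1A2B, "intranet.example", "198.51.100.7")),
    ("192.0.2.10", build_response(0x1A2B, "intranet.example", "203.0.113.66")),
    ("192.0.2.11", build_response(0x0C0D, "mail.example", "198.51.100.25")),
    ("192.0.2.11", build_response(0x0C0D, "mail.example", "198.51.100.25")),
]
CONFLICTS = find_conflicts(CAPTURE)
```

A conflict does not say which of the answers is the false one; it marks the query as worth investigating.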
For more information on how we can protect your infrastructure and to learn more about the Cybersecurity Consulting services I provide, please visit my website at www.olivercomsolutions.net. Thanks for reading and have a great... I don’t know what day it is. #thanksCISSP
Other ways to reach me:
LinkedIn - Ashley J. Oliver
InstaGram - Oliver COM Solutions
Email: olivercomsolutions@outlook.com