Sunday, July 21, 2019

Domain Name System (DNS) Exploits


Ashley Oliver
Oliver COM Solutions, d/b/a
2019 CISSP Candidate

Consider a conversation that you may have with a friend, or even with a total stranger out on the street. How do you start this conversation? Perhaps with a smile that leads to a compliment, which leads to a full-blown conversation (communication). Network communications essentially work the same way. Think further about the conversation with this person: perhaps it evolves into a friendship, or a relationship. By now, you know this person’s name and they know yours, correct? This is an important component of network comms: addressing and naming are key elements that make network communications possible. This is the fundamental idea behind DNS.

In the IT world, naming conventions, nomenclatures and acronyms are as common as expletives (come on, have you ever had to do a migration on a production system?). By the same token, without our naming schemes we would have to rely on numbering systems to identify computers. We don’t have the time. Therefore, we use DNS to resolve human-friendly names to those numeric IP addresses. I mean, I have no desire to memorize the static IP for Google.com, but I visit it a lot. Never mind the inner workings of DNS for now; that’s for us to know and you to not have to worry about. But in the sense of Cybersecurity, let us take a bit of a deep technical dive into the risks that this service introduces.

DNS uses TCP and UDP port 53. TCP 53 is used when a response exceeds 512 bytes and for zone transfers (zone file exchanges between DNS servers). UDP 53 is used for most ordinary DNS queries. Client resolution can happen in a few different ways: first, the client can check its own local cache (with content from the HOSTS file); second, a DNS query can be sent to a known DNS server; lastly, a broadcast query can be sent to any possible DNS server on the local subnet.

Inherent Risks 

DNS Poisoning 

DNS information can be falsified on the client side. If any of the three steps above fails during initial communication or resolution, DNS poisoning can occur at that point. Corruption of the HOSTS file or of the DNS server query can ensue during that failure.

Rogue DNS Server

Imagine playing paintball with your friends, and the one guy that’s really good is always sneaking around corners, listening in on everybody else to learn their next move. This is essentially the idea behind a rogue DNS service. A rogue DNS server can listen for DNS queries in network traffic. It then sends a DNS response to the client with false IP information. The client matches responses to its queries by the 16-bit query ID (QID), so it is important that the QID is included in the false response.
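As an added example (not part of the original post), the Python code below shows the checks a client or a NIDS sensor can apply to a UDP DNS response before trusting it: the source, the response bit, the 16-bit QID, the echoed question, and the truncation bit that triggers the retry over TCP 53. The function names, the server address 192.0.2.53 and the sample packets are constructed for illustration.

```python
import struct

def build_msg(qid, name, is_response=False, truncated=False):
    """Build a minimal DNS message (header + one A/IN question). Constructed sample data."""
    flags = (0x8000 if is_response else 0) | (0x0200 if truncated else 0) | 0x0100
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_msg(data):
    """Return (qid, flags, lower-cased question name) from a raw DNS message."""
    if len(data) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    qid, flags, qdcount = struct.unpack("!HHH", data[:6])
    labels, pos = [], 12
    while qdcount and data[pos]:          # walk length-prefixed labels to the 0 byte
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return qid, flags, ".".join(labels)

def check_response(query, response, sent_to, received_from):
    """Return 'accept', 'retry-tcp' or 'drop: <reason>' for one UDP response."""
    try:
        q_id, _, q_name = parse_msg(query)
        r_id, r_flags, r_name = parse_msg(response)
    except (ValueError, IndexError, UnicodeDecodeError):
        return "drop: malformed"
    if received_from != sent_to:          # answer must come from the server we asked
        return "drop: unexpected source"
    if not r_flags & 0x8000:              # QR bit clear: this is a query, not a response
        return "drop: not a response"
    if r_id != q_id:                      # 16-bit QID must match the outstanding query
        return "drop: QID mismatch"
    if r_name != q_name:                  # response must echo the question we sent
        return "drop: question mismatch"
    if r_flags & 0x0200:                  # TC bit: answer did not fit in UDP
        return "retry-tcp"
    return "accept"

# Constructed sample: one outstanding query to a known server (documentation address).
SERVER = ("192.0.2.53", 53)
QUERY = build_msg(0x1A2B, "www.example.com")
```

Because the QID is only 16 bits, it is one check among several here rather than the sole gate; a sensor can also alert when several responses with different QIDs arrive for one outstanding query.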

Proxy Falsification

This is the act of planting false web proxy information into a client’s browser; thus, this method only works against web comms. The hacker can use the rogue proxy to modify HTTP packets to reroute requests to whichever site the hacker wants. In my opinion, this method can actually lead to an even worse attack because it is essentially luring the end user into following the prompts... what does this remind you of? Phishing? Can we even talk about Social Engineering right now? No. Come back later 😊

How can you protect your Enterprise, Corporate, or Individual Network from these attacks? Well, there are methods of protection, like using the newer DNSSEC to secure your infrastructure, or deploying a NIDS in your network, amongst many others.

For more information on how we can protect your infrastructure and to learn more about the Cybersecurity Consulting services I provide, please visit my website at www.olivercomsolutions.net. Thanks for reading and have a great... I don’t know what day it is. #thanksCISSP

Other ways to reach me:
Facebook
LinkedIn - Ashley J. Oliver
Instagram - Oliver COM Solutions
Email: olivercomsolutions@outlook.com
