DNS

From Network Security Wiki
Jump to navigation Jump to search


Basics

Why do we need DNS?[1]
  • People prefer to use names instead of numeric addresses.
  • So we need a system that can map a name to an address or an address to a name.
  • When Internet was small, IP to Hostname mapping was done using a Host file, which was periodically updated.
  • Today it is impossible to store & update all as it will create a huge amount of traffic in Internet.
Packet Capture

DNS Packet Capture - TXT, MX, LOC, PTR, A, AAAA, Any, NS, SRV queries

Which Protocol does DNS use?
UDP: For all general purpose DNS Requests like nslookup, client's requests, etc
TCP: For Server to Server Communication like Zone transfer as this process needs reliable protocol.
Zone transfer
It is the process of replicating a zone file to another name server, and is accomplished by copying the zone file information from the master server to the secondary server. 
Zone transfers take place when names and IP address mappings change in a domain.
Who decides it?
  • UDP can be used to exchange small information whereas TCP must be used to exchange information larger than 512 bytes.
  • If a client doesn’t get response from DNS it must retransmit the data using TCP after 3-5 seconds of interval.
When will firewall close a session opened for DNS?
  • UDP is having timeout of 1 minute.
  • DNS Queries may fill out the session table to its limit.
  • Therefore DNS ALG is used to close the DNS session on getting a reply message.
  • If DNS ALG is disabled, the session table may fill in a short time.

DNS Headers


DNS Headers
Identification QR Opcode A
A
T
C
R
D
R
A
Z A
D
C
D
RCode
Total Questions Total Answers
Total Authority Resource Records Total Additional Resource Records



Fields

ID - Identifier (2 Bytes)
A 16-bit identification field generated by the device that creates the DNS query. 
It is copied by the server into the response, so it can be used by that device to match that query to the corresponding reply received from a DNS server. 
This is used in a manner similar to how the Identifier field is used in many of the ICMP message types.
QR - Query/Response Flag (1/8 bytes or 1 bit)
Differentiates between queries and responses. 
Set to 0 when the query is generated; changed to 1 when that query is changed to a response by a replying server.
Opcode
(1/2 bytes or 4 bits)
Specifies the type of query
Set by creator of the message
Copied unchanged into Response
0  Query      A Standard Query
1  IQuery     Inverse Query (Obsolete)
2  Status     Server Status Request
3  (Reserved)
4  Notify     Used by Primary to tell secondary that Data for Zone has changed; prompt them to request zone transfer
5  Update     Implements Dynamic DNS; allows resource records to be Added, Deleted or Updated selectively.
DNS Flags
  • AA - Authoritative Answer Flag
This bit is set to 1 in a response to indicate that the server that created the response is authoritative for the zone in which the domain name specified in the Question section is located. 
If it is 0, the response is non-authoritative.
  • TC - Truncation Flag
When set to 1, indicates that the message was truncated due to its length being longer than the maximum permitted for the type of transport mechanism used. 
TCP doesn't have a length limit for messages, while UDP messages are limited to 512 bytes, so this bit being sent usually is an indication that the message was sent using UDP and was too long to fit. 
The client may need to establish a TCP session to get the full message. 
On the other hand, if the portion truncated was part of the Additional section, it may choose not to bother.
  • RD - Recursion Desired
When set in a query, requests that the server receiving the query attempt to answer the query recursively, if the server supports recursive resolution. 
The value of this bit is not changed in the response.
  • RA - Recursion Available
Set to 1 or cleared to 0 in a response to indicate whether the server creating the response supports recursive queries. 
This can then be noted by the device that sent the query for future use.
  • Z - Zero
Three reserved bits set to zero.
RCode - Response Code (1/2 bytes or 4 bits)
Set to 0 in Queries.
Changed by Replying Server in Response
Conveys Success or Error
0  No Error          Success
1  Format Error
2  Server Failure
3  Name Error        Name specified in query does not exist in domain.
                     This code can be used by Authoritative Server for a zone (as it knows all objects & subdomains) 
                     Or by a caching server that implements negative caching. 
4  Not Implemented   Type of Query not supported by server.
5  Refused           Server refused to process the query, generally for policy reasons - operations such as Zone Transfer are restricted, Server will honor Zone Transfer only from certain devices.
6  YX Domain         A name exists when it should not.
7  YX RR Set         A RR set exists that should not.
8  NX RR Set         A RR set that should exists does not.
9  Not Auth          Server receiving the query is not Authoritative for the zone specified.
10 Not Zone          Name specified in message is not within the zone specified in the message.
QDCount
Specifies the number of questions in the Question section of the message.
ANCount
Specifies the number of resource records in the Answer section of the message.
NSCount
Specifies the number of resource records in the Authority section of the message. 
NS stands for Name Server
ARCount
Specifies the number of resource records in the Additional section of the message.

Resource Records

  • RR is the unit of information entry in DNS zone files.
  • RRs are the basic building blocks of host-name and IP information and are used to resolve all DNS queries.
  • Resource records exist as many types to provide extended name-resolution services.
  • Different types of RRs have different formats, as they contain different data.
  • In general, however, many RRs share a common format, as the following address resource records example illustrates.
  • Fields found in an A resource record:
microsoft.com. 600 IN A 150.150.150.1
  microsoft.com  denotes the owner.
  600            TTL in seconds.
  IN             Class field represents the protocol family commonly IN for Internet class.
  A              Type of resource the RR is representing.
  150.150.150.1  Resource data or RDATA. This field is a variable type that provides information appropriate for the type of resource; in this case, it's a 32-bit IP address.

The following resource record types are commonly used in DNS:

Start of authority (SOA)
Name server (NS)
Pointer record (PTR)
Address (A)
IPv6 Address (AAAA)
Mail exchange (MX)
Canonical name (CNAME)
Windows Internet Naming Service (WINS)
WINS Reverse Look up (WINSR)

SOA Record

Source: cisco.com

SOA Record Data Fields
DOMAIN.NAME
IN
SOA
Hostname.Domain.Name
Mailbox.Domain.Name
Serial number
Refresh
Retry
Expire
TTL

DNS Record Types

A 	Address record 	 	 	 	Returns a 32-bit IPv4 address,
AAAA 	IPv6 address record 	
CNAME 	Canonical name record 	 	 	Alias of one name to another, DNS lookup will continue by retrying the lookup with the new name.
LOC 	Location record 	 	 	Specifies a geographical location associated with a domain name
MX 	Mail exchange record 	 	 	Maps a domain name to a list of message transfer agents for that domain
NS 	Name server record 	 	 	Delegates a DNS zone to use the given authoritative name servers
PTR 	Pointer record 	 	 	 	Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is for implementing reverse 
                                                DNS lookups.
SOA 	Start of [a zone of] authority record 	Specifies authoritative information about a DNS zone, including the primary name server, the email of the domain administrator, the domain serial
                                                number,etc
SRV 	Service locator 	 	 	Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
TXT 	Text record 	 	 	 	Originally for arbitrary human-readable text in a DNS record. Now more often carries machine-readable data, opportunistic encryption, Sender Policy
                                                Framework, etc.
* 	All cached records 	 	 	Returns all cached records of all types known to the name server. If the name server does not have any information on the name, the request will be 
                                                forwarded on.
AXFR 	Authoritative Zone Transfer 	 	Transfer entire zone file from the master name server to secondary name servers.
IXFR 	Incremental Zone Transfer 	 	Requests a zone transfer of the given zone but only differences from a previous serial number.


Authoritative Nameserver

Authoritative Nameserver is a DNS Server that holds the actual DNS records (A, CNAME, PTR, etc) for a particular domain/address. 
A recursive resolver would be a DNS server that queries an authoritative nameserver to resolve a domain/address.
If I have a DNS server in my network that holds an A record for foobar.com, my DNS server would be authoritative for the foobar.com domain.
If clients needed to access foobar.com, they could query my DNS server and they would get an authoritative response.

Zone

Source: [think-like-a-computer.com]

DNS Server Zone.gif
  • DNS zone is any distinct, contiguous portion of domain name space for which administrative responsibility has been delegated to a single manager.
  • The domain name space of the Internet is organized into a hierarchical layout of subdomains below the DNS root domain.
  • Don’t associate a zone with a domain.
  • A DNS zone can contain multiple domains or just one domain, the important thing to remember is that it is used for delegating control of portions of the namespace.
  • Different zones can also be on the same server.
  • Think of a zone as a database or part of it.
Example
Zone.gif
  • If a company is massive and have offices all over the world.
  • You create a subdomain for each country on the same DNS server.
  • Now if you further split up into cities.
  • Can you imagine how many subdomains, DNS A records etc must be stored on this one server.
  • This DNS server would contain every record of all my worldwide organisations and most likely kill the server.
  • So all these domains are stored in one zone on one server.
  • The problem is that it is too much for one server and too much for the admin team to manage this entire “zone”.
Delegating DNS Zones
  • Now we create a new zone on each COuntry DNS server.
  • Root Server is configured to push all queries for the Country Subdomain to this server.

The key differences here is that:

  • Main DNS Server does not contain any records at all for Country or city subdomains.
  • It only contains a pointer to redirect queries there.
  • This means the entire DNS namespace can be split throughout an organisation.
  • By splitting the entire namespace like this it removes unnecessary bandwidth and queries.
  • If the whole namespace existed in the US then the UK would have to query the US servers for UK queries.
  • Moving the UK subdomain into a zone on a UK server keeps the queries local.
  • Once a zone is created you can set permissions on it and delegate control of it out to different staff.
  • If we wanted 3 domains to be administered by 3 different teams they would need to be in different zones.


Zone Transfer

  • DNS zone transfer (Also called AXFR) is a mechanism to replicate DNS databases across a set of DNS servers.
  • Zone transfers may be performed using two methods, full AXFR and incremental IXFR
  • A zone transfer uses the Transmission Control Protocol (TCP) for transport, and takes the form of a client–server transaction.
  • The client requesting a zone transfer may be a slave server or secondary server, requesting data from a master server, called a primary server.
  • The portion of the database that is replicated is a zone.


Query Types[2]

  • DNS client tells DNS server whether Query is Recursive or Iterative.

Recursive query:

  • This means that the resolver expects the server to supply the final answer.
  • Reply with an address or an error message.
  • Server cannot refer client to a different DNS server.
  • Generally made by a DNS client to a DNS server or by server that is configured to pass unresolved name queries to another DNS server, if configured to use a forwarder.

Iterative query:

1 & 8 are Recursive - rest are Interative
  • Returns the best answer server can give based on its cache or zone data.
  • If it does not have an exact match, it returns a pointer to another DNS server.
  • The Client can then query the DNS server for which it obtained a referral.
  • It continues until it locates a DNS server authoritative for the query, or until an error or time-out condition.

Reverse DNS query

  • rDNS is the determination of a domain name associated with a IP address.
  • Uses the pointer DNS record type (PTR record).
  • use a reverse IN-ADDR entry in the special domain in-addr.arpa
  • If an address (A) record for mail.example.com points to the IP address 192.0.2.5.
  • In pointer records of the reverse database, this IP address is stored as the domain name 5.2.0.192.in-addr.arpa pointing back to its designated host name mail.example.com.
Uses
  • Original use of the rDNS: network troubleshooting via tools such as traceroute, ping, and the "Received:" trace header field for SMTP e-mail, web sites tracking users (especially on Internet forums), etc.
  • One e-mail anti-spam technique: Checking the domain names in the rDNS to see if they are likely from dialup users, dynamically assigned addresses, or other inexpensive Internet services.
  • System logging or monitoring tools often receive entries by IP addresses. To provide more human-usable data.



DNS Doctoring[3]

   Edit-clear.png     This section needs formatting or rework.
  • DNS doctoring enables an internal host on a LAN to receive the Private ip of an internal server as an answer from a DNS query when using a DNS server that is outside the LAN, such as on the internet.
  • A static NAT translation must also exist to translate the public IP to the private IP.
  • Without DNS doctoring, the external DNS server will reply with the public IP address of the host on the internal LAN.
  • The problem occurs when the client and the host that the client tries to reach are both on the same of different private network behind NAT, but the DNS server used by the client is on another public network.
  • Without DNS doctoring or another solution enabled in this situation, if the client sends a DNS request for the IP address of the Web Server it is unable to access the WWW server.
  • This is because the client receives an A-record that contains the mapped public address of WWW server.
  • When the client tries to access this IP address, the security appliance drops the packets because it does not allow packet redirection on the same interface.
  • Configure static NAT for the DNS server first and if the DNS ALG is enabled, public-to-private and private-to-public static address translation can occur for A-records in DNS replies.



DNSSEC

   Paste.png     This section is under construction.

Misc

CNAME
  • A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) which maps one domain name (an alias) to another (the Canonical Name).
NAME                    TYPE   VALUE
--------------------------------------------------
bar.example.com.        CNAME  foo.example.com.
foo.example.com.        A      192.0.2.23
Glue Record
  • A glue record is a term for a record that's served by a DNS server that's not authoritative for the zone, to avoid a condition of impossible dependencies for a DNS zone.
  • What glue records do is to allow the TLD's servers to send extra information in their response to the query for the example.com zone - to send the IP address that's configured for the name servers.
  • It's not authoritative, but it's a pointer to the authoritative servers, allowing for the loop to be resolved.


References
  1. www.zscaler.com
  2. www.mphasis.com
  3. www.juniper.net


blog comments powered by Disqus