Chapter 7
Application Layer

7.1 DNS (Domain Name System)
- DNS (Domain Name System) - DNS is a hierarchical, distributed
naming system to translate names into IP addresses.
- HOSTS file - local, manually maintained table of name-to-IP mappings; the sample shipped with Windows:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
Structure of Computer Names
- Three main parts: computer.organization.domain
- www.ius.edu
- edu - domain name
- ius - organization name
- www - machine name
DNS Client-Server Model
- Supports autonomy - organization can assign names without central
authority.
- Hierarchical
- Each organization responsible for name service at their level
- IUS is free to change any name ending in ius.edu because they are
responsible.
- Distributed - Database distributed across servers with hierarchy of
authority zones.
DNS Server Hierarchy
- In an Internet address – such as www.ius.edu – the .edu part
is known as a Top Level Domain, or TLD.
- So-called "TLD registry" organizations house online databases that contain
information about the domain names in that TLD.
- The .edu registry database, for example, contains the Internet whereabouts
– or IP address – of ius.edu.
- To find the Internet address of ius.edu your computer must first find the
.edu registry database.
- Examples:
- aero - Air transport industry.
- biz - Businesses
- name - Individuals

Root servers
- At the heart of the DNS are 13 special computers, called root servers.
- They are coordinated by ICANN (Internet Corporation for
Assigned Names and Numbers) and are distributed around the world.
- All 13 contain the same vital information – this is to spread the workload
and back each other up.
- The root servers contain the IP addresses of all the TLD registries – both
the global registries such as .com, .org, etc. and the 244 country-specific
registries such as .fr (France), .cn (China), etc.
- Critical information that must be 100% correct or it might not be possible
to locate a key registry on the Internet.

At right are two examples of dividing domain name hierarchy into
3-levels among three servers.
- Root server - knows how to reach all organization-level servers in
domain. Does not know anything about hosts.
- Organization server - knows how to reach root servers, lower-level
servers, and some hosts.
- Lower-level server - knows how to reach root servers, certain other
servers, and hosts.
- Hosts - know how to reach server.
Resolving local address in hierarchy (b)
Server: a1.almond.candy.foobar.com authority for foobar.com
except for walnut.candy.foobar.com
Requesting Host: p1.peanut.candy.foobar.com
Request: s1.soap.foobar.com
- Client domain resolver software has IP address of foobar.com
DNS server, a1.almond.candy.foobar.com.
- Places name in DNS request and sends to local server,
a1.almond.candy.foobar.com. Most use UDP but TCP also used.
- Waits for reply.
- Server is authority for name in request.
- Answers directly for name in request.
Resolving non-local address in hierarchy (b)
Servers:
- w1.walnut.candy.foobar.com authority for walnut.candy.foobar.com.
- a1.almond.candy.foobar.com authority for foobar.com
Requesting Host: p1.peanut.candy.foobar.com
Request: w2.walnut.candy.foobar.com
- Client domain resolver software has IP address of foobar.com
DNS server, a1.almond.candy.foobar.com.
- Places name in DNS request and sends to local server,
a1.almond.candy.foobar.com.
- Waits for reply.
- Server a1.almond.candy.foobar.com authority for foobar.com is not
authority for name in request.
- Examines tables for walnut.candy.foobar.com authority server.
- Sends request to walnut.candy.foobar.com authority server.
- walnut.candy.foobar.com authority server looks up
w2.walnut.candy.foobar.com and replies to a1.almond.candy.foobar.com
- a1.almond.candy.foobar.com replies to client either with IP or failure
Iterative query resolution - Server iteratively stepping through the
hierarchy of servers to find authority for a name.
Recursive query resolution - Resolvers for applications request
complete resolution, reply is IP or failure, not the name of another server to
query.
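The two walks above (local name answered directly by a1.almond.candy.foobar.com; non-local name referred on to the walnut.candy.foobar.com server) as a runnable model, added here as an example and not taken from the course notes. The three authority tables, the host addresses and the name "root" for the root server are constructed for the example; the model goes slightly beyond the notes by also starting from the root server.

```python
"""Toy model of the three-level DNS hierarchy in the notes: a root server, an
organization server and a lower-level server, each holding only the records
the notes say it holds. All data below is constructed for the example."""

# Constructed authority tables. Each server knows either an address (A) for a
# name it is authoritative for, or a referral (NS) to the server for a subzone.
SERVERS = {
    "root": {
        "foobar.com": ("NS", "a1.almond.candy.foobar.com"),
    },
    "a1.almond.candy.foobar.com": {            # authority for foobar.com ...
        "s1.soap.foobar.com": ("A", "10.0.1.5"),
        "walnut.candy.foobar.com": ("NS", "w1.walnut.candy.foobar.com"),  # ... except walnut
    },
    "w1.walnut.candy.foobar.com": {            # authority for walnut.candy.foobar.com
        "w2.walnut.candy.foobar.com": ("A", "10.0.2.7"),
    },
}


def lookup(server, qname):
    """One query to one server. Returns ('A', ip) for an answer, ('NS', next_server)
    for a referral, or ('FAIL', None) when no record covers the name."""
    table = SERVERS[server]
    if qname in table:
        return table[qname]
    # Walk up the name looking for a delegation that covers it
    labels = qname.split(".")
    for i in range(1, len(labels)):
        zone = ".".join(labels[i:])
        if zone in table and table[zone][0] == "NS":
            return table[zone]
    return ("FAIL", None)


def resolve_iteratively(qname, start="root", max_hops=8):
    """Iterative resolution: the requester itself follows each referral.
    Returns (ip_or_None, list_of_servers_contacted)."""
    server, path = start, []
    for _ in range(max_hops):
        path.append(server)
        rtype, value = lookup(server, qname)
        if rtype == "A":
            return value, path
        if rtype == "NS" and value != server:   # referral to another server
            server = value
            continue
        return None, path                       # failure or referral loop
    return None, path


def resolve_recursively(qname, local_server):
    """Recursive resolution as the client sees it: one request to the local
    server, reply is an IP or failure, never the name of another server."""
    ip, _path = resolve_iteratively(qname, start=local_server)
    return ip


if __name__ == "__main__":
    for name in ("s1.soap.foobar.com", "w2.walnut.candy.foobar.com"):
        ip, path = resolve_iteratively(name, start="a1.almond.candy.foobar.com")
        print(name, "->", ip, "via", " -> ".join(path))
```

The `path` returned by `resolve_iteratively` is the sequence of servers the notes list as steps; `resolve_recursively` hides that path from the client, which is exactly the property that makes cached, server-learned answers possible (and is the point of the spoofing discussion later in the chapter).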
Optimization of DNS performance
- Root server - Traffic too heavy if each host request required root
server.
- Replication
- Each root server is replicated many times.
- Each local DNS server contains IP of a list of root servers generally
geographically close.
- Not necessary for server to be in the zone served, dns.ius.com
could provide DNS for ius.edu
- Caching
- Name resolution has high degree of temporal locality, same user tends
to use same hosts.
- Local DNS server caches the DNS name with IP binding.
nslookup - Windows name lookup. Name servers respond with name
database information useful to contact higher authority name server.
- Find the primary root server for your Top Level Domain (such as .com if
you have the domain example.com).
- With NSLOOKUP, you can type "set type=NS" (to get the NS, or nameserver,
records) and then enter your top level domain ("com" or "uk" or whatever). You
will get a list of root nameservers.
- Type "server " followed by the first nameserver in the list (for example,
"server a.root-servers.net").
- Then, enter your domain name ("example.com"). Now, you will have a list of
servers that the root servers think are authoritative for your domain.
- Type "server nameserver.example.com" (where nameserver.example.com is the
first name server on the list you wrote down), then "set type=ns", and then
enter your domain name.
Resource records for domain ius.edu
- Domain Name - Domain that the record applies to. Used for lookup
during IP resolution.
- Time to Live - Record stability, higher numbers, longer
stability. Useful for caching of name by requesting host.
- Type - Kind of record.
- SOA - Primary source of information about server zone. May
contain email address of administrator, etc.
- MX - Email domain.
- CNAME - Alias.
- PTR - Alias.
- HINFO - Kind of server machine and OS.
- A - Host
- Class - IN for Internet.
- Value - Depends on type, could be domain name, alias, etc.
Domain name        Time to live  Class  Type   Value
ius.edu            86400         IN     SOA    dns1.ius.edu. email.ius.edu (
                                                 1997022700 ; Serial
                                                 28800      ; Refresh
                                                 14400      ; Retry
                                                 3600000    ; Expire
                                                 86400 )    ; Minimum
ius.edu                          IN     NS     dns1.ius.edu.
ius.edu                          IN     NS     dns2.ius.edu.
www.ius.edu        3600          IN     HINFO  Compaq
                                 IN     A      149.160.30.13
email.ius.edu      3600          IN     HINFO  Tangent
                                 IN     A      149.160.34.213
website.ius.edu    3600          IN     CNAME  www.ius.edu
ius                7200          IN     MX     10 email.ius
dns1.ius.edu       3600          IN     HINFO  Sinclair
                                 IN     A      149.160.34.98
dns2.ius.edu       3600          IN     HINFO  Sinclair
                                 IN     A      149.160.34.99
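The resource records above as a text zone fragment with a small parser for it, added here as an example and not part of the course notes. The zone text is a constructed copy of the table in the usual zone-file layout; the parser joins the parenthesised SOA, lets a blank owner or TTL inherit from the previous record (which is how the blank cells in the table are read), and follows CNAME aliases the way a server does when asked for the A record of website.ius.edu.

```python
"""Parser for the zone-file layout of the resource-record table in the notes.
ZONE_TEXT is a constructed copy of that table, not a live zone."""
from collections import namedtuple

RR = namedtuple("RR", "name ttl rclass rtype value")

ZONE_TEXT = """
ius.edu            86400         IN     SOA    dns1.ius.edu. email.ius.edu (
                                                 1997022700 ; Serial
                                                 28800      ; Refresh
                                                 14400      ; Retry
                                                 3600000    ; Expire
                                                 86400 )    ; Minimum
ius.edu                          IN     NS     dns1.ius.edu.
ius.edu                          IN     NS     dns2.ius.edu.
www.ius.edu        3600          IN     HINFO  Compaq
                                 IN     A      149.160.30.13
email.ius.edu      3600          IN     HINFO  Tangent
                                 IN     A      149.160.34.213
website.ius.edu    3600          IN     CNAME  www.ius.edu
ius                7200          IN     MX     10 email.ius
dns1.ius.edu       3600          IN     HINFO  Sinclair
                                 IN     A      149.160.34.98
dns2.ius.edu       3600          IN     HINFO  Sinclair
                                 IN     A      149.160.34.99
"""


def _logical_lines(text):
    """Yield one record per item: ';' comments removed and lines inside
    '(' ... ')' joined onto the line that opened the parenthesis."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        if depth == 0:
            buf = [line]                 # keep leading whitespace: it means "same owner"
        else:
            buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf)


def parse_zone(text, default_ttl=86400):
    """Parse records. A record starting with whitespace inherits the previous
    owner; a record without a numeric TTL inherits the last TTL seen
    (default_ttl is the SOA minimum from the notes)."""
    records, owner, ttl = [], None, default_ttl
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():
            owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():
            ttl = int(tokens.pop(0))
        rclass = tokens.pop(0)
        rtype = tokens.pop(0)
        records.append(RR(owner, ttl, rclass, rtype, " ".join(tokens)))
    return records


def lookup(records, name, rtype, _depth=0):
    """Answer a (name, type) query, following CNAME aliases as a server does.
    Returns the list of matching values (empty if nothing matches). The depth
    guard stops a CNAME loop from recursing forever."""
    direct = [r.value for r in records if r.name == name and r.rtype == rtype]
    if direct or _depth > 8:
        return direct
    out = []
    for alias in (r.value for r in records if r.name == name and r.rtype == "CNAME"):
        out.extend(lookup(records, alias, rtype, _depth + 1))
    return out


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    for r in recs:
        print(r)
    print("website.ius.edu A ->", lookup(recs, "website.ius.edu", "A"))
```

Note that the alias record for website.ius.edu carries its own TTL (3600) while the A record it points at has the TTL of www.ius.edu; a cache holding both must expire each on its own clock, which is why the table lists Time to live per record rather than per zone.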
DNS Spoofing
- Tricking DNS server to provide bogus IP for a requested
name.
Recursive queries open the door for DNS spoofing because servers cache names
learned from higher authority servers (i.e. not physically entered into the name
database).
Normal DNS operation; the server may need to consult a higher
authority.
1. Searcher's browser contacts DNS server for IP of www.search.com.
2. DNS server replies with IP 148.13.23.4 of www.search.com.
3. Browser sends search query to search engine at IP 148.13.23.4.
4. Search engine returns results.
Attacker masquerading as a search engine.
1. Attacker contacts DNS server for IP of www.search.com.
2. DNS server requests IP of www.search.com from higher authority DNS server.
3. DNS server receives attacker's IP 147.17.32.6 response to www.search.com.
4. Searcher's browser contacts DNS server for IP of www.search.com.
5. DNS server replies with attacker's IP 147.17.32.6 of www.search.com.
6. Browser sends search query to attacker at IP 147.17.32.6.
7. Attacker returns results.
Attacker intercepting communication between searcher and search engine.
1. Attacker contacts DNS server for IP of www.search.com.
2. DNS server requests IP of www.search.com from higher authority DNS server.
3. DNS server receives attacker's IP 147.17.32.6 response to www.search.com.
4. Searcher's browser contacts DNS server for IP of www.search.com.
5. DNS server replies with attacker's IP 147.17.32.6 of www.search.com.
6. Browser sends search query to attacker at IP 147.17.32.6.
7. Attacker forwards query to search engine.
8. Search engine sends response to attacker.
9. Attacker forwards response to searcher.
DNS spoofing results in using an attacker's IP address instead of the intended site.
- The goal of DNS spoofing is again to place the attacker in the middle of
communications between user and site name such as http://www.search.com/.
- When the DNS server cannot answer a request from our searcher, the request
is sent to a higher authority server.
- DNS servers can request that the higher authority return the response
directly to the searcher, an iterative request, or return the response to
itself, a recursive request, caching the response in the database and
returning to the searcher.
- Configuring DNS servers for recursive requests assumes future requests can
be answered from the cache without the overhead and delay of contacting a
higher authority.
- The fundamental trick of the spoof is to place the record (www.search.com,
attacker IP address) on the DNS server; DNS servers configured for recursive
requests are open to attack because the cached record is not permanent.
- In the second figure the attacker first sends a request to a DNS server
for the IP address of www.search.com counting on that DNS server to consult a
higher DNS server to locate the IP address.
- The attacker then follows the request with a forged response from a higher
authority DNS server that contains the attacker’s IP address.
- The DNS server now caches the forgery pair (www.search.com, attacker IP
address) in its database.
- In the third figure, when someone tries to contact www.search.com they
receive the attacker IP address instead and the man-in-the-middle attack can
begin.
DNS spoofing is amenable to brute force attacks.
- The attacker requests the victim DNS server to resolve a search engine
name requiring a higher authority (Sacramento, 2002) and fakes multiple higher
authority responses until one is accepted.
- Responses are discarded by the DNS server when the transaction
identification (TID), used to connect a response with a request, received does
not agree with the TID expected.
- The attack blindly sends many responses until the DNS server eventually
accepts one, which can easily be determined when the victim DNS server
responds with the attacker’s IP number for the search engine name.
- On older DNS servers, the TID is incremented for each request allowing the
attack to be more efficient by discovering a recent TID used in the victim DNS
server request and sending higher numbered responses.
- Launching the attack begins by sending the victim DNS server a request
that requires contacting a valid DNS server under the control of the attacker.
- The TID of the request is noted, a new request for the search engine IP is
then sent to the victim DNS server, followed by multiple fake higher-authority
responses with the attacker IP and incremented TIDs to ensure acceptance by
the victim DNS server.
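Added example, not from the course notes: an in-memory model of the check a caching server applies before accepting a response for a pending recursive query. It lets the sequential-TID behaviour the notes describe for older servers be compared with randomised TIDs and source ports, and adds the question-name check that stops an accepted response from filling the cache for a different name. The fixed port number, the TID seed and the name-match rule are assumptions made for the model; nothing is sent on the network.

```python
"""Model of response acceptance in a caching DNS server, for comparing TID
handling policies. Constructed values only; no sockets."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    tid: int        # 16-bit transaction ID placed in the outgoing request
    sport: int      # UDP source port the request was sent from
    qname: str      # name being resolved


@dataclass(frozen=True)
class Response:
    tid: int
    dport: int      # port the response arrives on; must equal the query's sport
    qname: str      # name the answer claims to be for
    answer: str


class CachingServer:
    """Tracks outstanding queries and the cache they fill on acceptance."""

    def __init__(self, random_tid=True, random_port=True):
        self.random_tid, self.random_port = random_tid, random_port
        self._next_tid = 1          # older servers: TID simply incremented per request (assumed seed)
        self.pending = {}           # (tid, sport) -> Query
        self.cache = {}             # qname -> answer

    def send_query(self, qname):
        tid = secrets.randbelow(1 << 16) if self.random_tid else self._next_tid
        self._next_tid = (self._next_tid + 1) & 0xFFFF
        sport = 1024 + secrets.randbelow(64512) if self.random_port else 53  # 53 = assumed fixed port
        q = Query(tid, sport, qname)
        self.pending[(tid, sport)] = q
        return q

    def receive(self, resp):
        """Accept only if TID and port match a pending query *and* the answer is
        for the name that was asked; otherwise discard, as the notes describe."""
        q = self.pending.get((resp.tid, resp.dport))
        if q is None or q.qname != resp.qname:
            return False
        del self.pending[(resp.tid, resp.dport)]
        self.cache[resp.qname] = resp.answer
        return True


def guesses_per_forged_response(random_tid, random_port):
    """Size of the space one blind forged response must hit: 1 when the TID is
    predictable and the port fixed, 2**16 with a random TID, and 2**16 * 64512
    when the source port is also drawn from the 1024-65535 range."""
    space = 1
    if random_tid:
        space *= 1 << 16
    if random_port:
        space *= 64512
    return space


if __name__ == "__main__":
    for tid_rand, port_rand in ((False, False), (True, False), (True, True)):
        print(f"random_tid={tid_rand} random_port={port_rand}: "
              f"1 in {guesses_per_forged_response(tid_rand, port_rand)}")
```

`guesses_per_forged_response` is the defender's sizing figure: the brute-force attack in the notes needs, on average, half that many forged responses per poisoning attempt, so the ratio between the configurations is the ratio of effort an operator buys by enabling TID and source-port randomisation. The name check in `receive` is the other half: even an accepted forgery can then only affect the one name that was actually queried.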
Other Application-Level Services
- Telnet - Simple remote terminal protocol that allows remote login
using TCP. The client on host presents a terminal emulation to user, passing
keystrokes to remote machine and receiving output back. The server on remote
machine passes keystrokes to system and sends back any results.
- FTP (File Transfer Protocol) - Allows authorized users to login to
remote system and perform limited set of file commands such as directory
listing, changing directory, file get and put, delete, etc. It uses two TCP
connections, one for control commands using Telnet protocol and the other for
data.
- Example - User input in italics.
ftp ftp.ius.edu
Connected to ftp.ius.edu.
220 ius_email2 FTP server (NetWare v4.11) ready.
User (ftp.ius.indiana.edu:(none)): rwisman.r.users
331 Password required for rwisman.r.users.
Password: secret
230 Successful Login
ftp> cd web_docs\b438\html
250-Command Successful.
250 This directory's volume does not allow long file/directory names.
ftp> binary
200 Type set to I.
ftp> put chap7_1.jpg
200 PORT command okay.
150 Opening data connection for chap7_1.jpg (149.160.29.93,1048).
226 Transfer complete.
12669 bytes sent in 4.34 seconds (2.92 Kbytes/sec)
ftp> quit
221 Goodbye.
- SMTP (Simple Mail Transport Protocol) - Reliable end-to-end
email protocol.
- Addresses - In form of mailbox@domain where a SMTP uses
DNS to lookup destination.
- Delivery - TCP connection made directly to destination
machine.
- Example - Command/response protocol in which the sender
identifies itself and the intended mail recipients, then sends the body of
the message itself. The following lists the commands that could be entered
via a Telnet session to the mail-server.ucs.indiana.edu SMTP server to
send mail to rwisman@ius.edu from bill@whitehouse.gov. Sender input is
marked in italics.
- telnet mail-server.ucs.indiana.edu 25
- 220 mail-server.ucs.indiana.edu Sendmail 5.54/3.16 ready
- HELO ius.edu
- 250 mail-server.ucs.indiana.edu Hello ius.edu
- MAIL From:<bill@whitehouse.gov>
- 250 <bill@whitehouse.gov>... Sender ok
- RCPT To:<jfdoyle@ius.edu>
- 250 <jfdoyle@ius.edu> ... Recipient ok
- DATA
- 354 Enter mail, end with "." on a line by itself
- Hi there,
- Well gotta go
- .
- 250 ok
- QUIT
- 221 mail-server.ucs.indiana.edu closing connection
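The command/response dialogue above as a server-side state machine, added here as an example and not code from the course notes or from Sendmail. It accepts the exact command sequence in the transcript, refuses commands out of order with a 503 reply, and records what the session claimed; the host name and the reply wording are assumptions. It also makes visible that the server has nothing to check the MAIL From address against, which is why the transcript can present itself as bill@whitehouse.gov after a HELO from ius.edu.

```python
"""Minimal server-side SMTP command/response state machine for the dialogue
in the notes. Not a mail server: it only enforces command order and records
what the client asserted. Host name below is a placeholder."""


class SmtpSession:
    def __init__(self, hostname="mail-server.example.invalid"):
        self.host = hostname
        self.helo = None            # name the client announced in HELO
        self.sender = None          # MAIL From address, as asserted by the client
        self.recipients = []
        self.in_data = False
        self.body = []
        self.delivered = []         # (sender, recipients, body) per completed message

    def greeting(self):
        return f"220 {self.host} ready"

    def handle(self, line):
        """Return the response line for one client line ('' while collecting DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
                self.sender, self.recipients, self.body = None, [], []
                return "250 ok"
            # Dot-stuffing: a body line beginning with '.' is sent with the dot doubled
            self.body.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg.strip()
            return f"250 {self.host} Hello {self.helo}"
        if verb == "MAIL":
            if self.helo is None:
                return "503 bad sequence: HELO first"
            self.sender = _address(arg)
            return f"250 <{self.sender}>... Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 bad sequence: MAIL first"
            self.recipients.append(_address(arg))
            return f"250 <{self.recipients[-1]}>... Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 bad sequence: RCPT first"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 {self.host} closing connection"
        return "500 command unrecognized"


def _address(arg):
    """Pull the address out of 'From:<a@b>' / 'To:<a@b>' style arguments."""
    start, end = arg.find("<"), arg.find(">")
    return arg[start + 1:end] if 0 <= start < end else arg.split(":", 1)[-1].strip()


def run_dialogue(lines):
    """Feed client lines in order; return the session and every non-empty reply."""
    session = SmtpSession()
    responses = [session.greeting()]
    for line in lines:
        reply = session.handle(line)
        if reply:
            responses.append(reply)
    return session, responses


if __name__ == "__main__":
    # The transcript from the notes, as the client would type it
    _, replies = run_dialogue(["HELO ius.edu", "MAIL From:<bill@whitehouse.gov>",
                               "RCPT To:<jfdoyle@ius.edu>", "DATA", "Hi there,",
                               "Well gotta go", ".", "QUIT"])
    print("\n".join(replies))
```

`session.helo` and `session.sender` are recorded separately on purpose: the HELO name is what a receiving server can at least compare with the connecting address, whereas the MAIL From value is taken on trust, which is the property the example transcript relies on.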
Document last modified: