Increased DNS Forgery Resistance Through 0x20-Bit Encoding
Written By: David Dagon (Georgia Institute of Technology), Manos Antonakakis (Georgia Institute of Technology), Paul Vixie (Internet Systems Consortium), Wenke Lee (Georgia Institute of Technology), Tatuya Jinmei (Internet Systems Consortium)
Presented By: Jarrod Williams
Overview
Domain Name System (DNS)
0x20 Bit Encoding
Conclusion
Outline
DNS labels, label matching, and the resolution process are all case insensitive
An ASCII letter in a DNS query name can be switched between lower and upper case by adding or subtracting 0x20, i.e. by setting or clearing bit 5 of the byte
By choosing a different capitalization pattern for every query, a recursive resolver makes each transaction unique; a forged response must reproduce that pattern exactly, so queries become more resistant to DNS poisoning
Overview
Domain Name              Field Value (uppercase = 0, lowercase = 1)
www.example.com          1111111111111
WWW.EXAMPLE.COM          0000000000000
WwW.eXaMpLe.CoM          0101010101010
wWw.ExAmPlE.cOm          1010101010101
Overview
No radical changes to DNS
Protocol stability
Backward compatible with existing authority servers
Protect the recursive resolver in its transactions with the authority servers
Goals
DNS is a hierarchical naming system for computers, services, and any other resource participating on the Internet; it associates various information with domain names
The DNS initiators on host machines are called stub resolvers
Domain Name System (DNS)
Each domain is a node in the name tree
Each zone consists of many nodes
A node can delegate a subzone to other servers
The start of a zone is marked by its SOA (Start of Authority) record, and the servers authoritative for that zone are sometimes loosely called the SOA
Domain Name System (DNS)
Domain Name Hierarchy
First, the stub resolver sends the query to the recursive resolver
Next, the recursive resolver consults the root servers, which refer it to the “.com” zone
Then the recursive resolver consults the “.com” zone authority servers, which refer it to the authority servers for the queried domain, and asks them for the answer
Finally, the answer is returned to the stub resolver and cached by the recursive resolver to assist in future resolutions
How DNS Operates
Simplified DNS Model
DNS cache poisoning is a maliciously created or unintended situation in which a DNS server accepts data that did not originate from an authoritative DNS source
Attackers exploit DNS software by making it accept incorrect information: if the response to the server's query is not accurately validated, the server caches the incorrect entries locally and serves them to every user who makes the same request. The attacker's window is the interval between the recursive resolver sending its query and the genuine answer arriving; a forged response must land in that window and match every field the resolver checks, such as the transaction ID, the destination port, and the question name
DNS Cache Poisoning
Cache Poisoning Window
An authority server does not rebuild the question section from its own copy of the name; it copies the query name into its response exactly as the name arrived over the wire
Almost all authority DNS servers therefore preserve the case of the query name bit for bit, as presented by the recursive resolver
A mixed-case encoding of the domain name makes each transaction between initiator and responder unique and gives the recursive resolver an additional field, beyond the transaction ID and port, with which to match a response to its outstanding query
0x20 Bit Encoding
A domain name arrives as input, either as a query from a stub resolver or as an answer from a server
Transform the query field into a canonical format (for example, all lower case)
Encrypt the canonical query with a chosen encryption scheme under a secret held by the recursive resolver; the resulting bits are the key for this name
Read the key bits sequentially, one byte at a time, and encode every “0x20 capable” character of the name with them
0x20 Bit Encoding Algorithm
If the jth key bit is 0, make the ith query character upper case (i.e., buff[i] &= ~0x20, clearing the case bit)
If the jth key bit is 1, make the ith query character lower case (i.e., buff[i] |= 0x20, setting the case bit)
This produces a 0x20-encoded domain name that is sent to the authority server; the same encoded name is then compared bit for bit against the query field echoed in the authority server's response
0x20 Bit Encoding Algorithm
A 0x20 capable character is an ASCII letter: the only characters whose value changes by exactly 0x20 between upper and lower case. Digits, hyphens and label separators have no case bit and must be left untouched
American Standard Code for Information Interchange (ASCII)
The ranges are:
◦ A…Z 0x41 – 0x5A
◦ a…z 0x61 – 0x7A
0x20 Bit Encoding Capability
www.ucf.com – 9 0x20 capable characters (counting every letter, as in the www.example.com table above)
◦ 9-bit key length
◦ 2^9 = 512 unique combinations
www.vh1.com – 8 0x20 capable characters (the digit 1 carries no case bit)
◦ 8-bit key length
◦ 2^8 = 256 unique combinations
www.licensing.disney.com – 21 0x20 capable characters
◦ 21-bit key length
◦ 2^21 = 2,097,152 unique combinations
0x20 Bit Encoding Capability
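The encoding algorithm of the previous slides and the key-length counting of this one, as an added example that is not code from the slides or from the paper's authors. It implements the canonicalize, encrypt, encode steps as a recursive resolver would run them, counts the 0x20 capable characters of a name, and shows the response check that accepts a genuine answer but rejects a forged one whose question name is off by a single case bit. The secret key value, the use of HMAC-SHA256 as the "chosen encryption scheme", and the responses built in demo() are this example's own assumptions.

```python
"""0x20-bit encoding and verification for a recursive resolver.

Added, stand-alone example; not code from the slides or from the paper's
authors. Assumptions that are this example's own: the secret key value,
HMAC-SHA256 as the "chosen encryption scheme" that turns the canonical name
into key bits, and the constructed responses used in demo().
"""
import hashlib
import hmac
import secrets

# Assumption: an unguessable per-resolver secret. If an attacker learns it,
# the case pattern becomes predictable and adds no forgery resistance.
SECRET_KEY = b"per-resolver secret, rotate periodically"


def canonicalize(name: str) -> str:
    """Canonical query field: drop the trailing root dot, lower-case every letter.
    DNS matching is case-insensitive, so this loses nothing."""
    return name.rstrip(".").lower()


def is_0x20_capable(byte: int) -> bool:
    """Only ASCII letters (A-Z 0x41-0x5A, a-z 0x61-0x7A) carry a case bit.
    Digits, '-' and label separators must be left exactly as they are."""
    return 0x41 <= byte <= 0x5A or 0x61 <= byte <= 0x7A


def key_bits(name: str) -> int:
    """Key length for this name: one bit per 0x20-capable character."""
    return sum(1 for b in name.encode("ascii") if is_0x20_capable(b))


def key_bit_pattern(canonical: str, secret: bytes) -> bytes:
    """Keyed bits for the canonical name. HMAC-SHA256 is this example's choice;
    its 256 bits cover the 253-character maximum length of a domain name."""
    return hmac.new(secret, canonical.encode("ascii"), hashlib.sha256).digest()


def encode_0x20(name: str, secret: bytes = SECRET_KEY) -> str:
    """Slide rule, key bits read MSB-first one byte at a time:
    key bit 0 -> upper case (clear 0x20), key bit 1 -> lower case (set 0x20)."""
    canonical = canonicalize(name)            # ASCII / punycode wire form expected
    bits = key_bit_pattern(canonical, secret)
    buff = bytearray(canonical.encode("ascii"))
    j = 0                                     # index of the next unused key bit
    for i, c in enumerate(buff):
        if not is_0x20_capable(c):
            continue                          # skip digits, '-', '.'
        bit = (bits[j >> 3] >> (7 - (j & 7))) & 1
        if bit == 0:
            buff[i] &= 0xDF                   # 0xDF == ~0x20: force upper case
        else:
            buff[i] |= 0x20                   # set 0x20: force lower case
        j += 1
    return buff.decode("ascii")


def accept_response(sent_txid: int, sent_qname: str, response: dict) -> bool:
    """Accept only if the transaction ID matches and the echoed question name
    matches what we sent bit for bit. A case-insensitive compare here would
    discard every bit the encoding added."""
    if response["txid"] != sent_txid:
        return False
    return hmac.compare_digest(sent_qname.encode("ascii"),
                               response["qname"].encode("ascii"))


def forgery_success_probability(name: str, txid_bits: int = 16) -> float:
    """Chance that one blind forged packet matches both the transaction ID and
    the case pattern of `name` (source-port randomisation not counted)."""
    return 1.0 / (2 ** (txid_bits + key_bits(name)))


def demo() -> dict:
    """Constructed exchange (not captured traffic): a genuine authority echoes
    our case pattern bit for bit; a forged answer with the right TXID that gets
    20 of the 21 case bits right is still rejected."""
    name = "www.licensing.disney.com"
    txid = secrets.randbelow(1 << 16)
    sent = encode_0x20(name)
    genuine = {"txid": txid, "qname": sent}
    near_miss = {"txid": txid, "qname": sent[0].swapcase() + sent[1:]}
    return {
        "sent": sent,
        "key_bits": key_bits(name),
        "per_packet_odds": forgery_success_probability(name),
        "genuine_accepted": accept_response(txid, sent, genuine),
        "near_miss_accepted": accept_response(txid, sent, near_miss),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it as a script to see the pattern chosen for www.licensing.disney.com. The resolver does not need to store the pattern per outstanding query: the same canonical name and secret always yield the same bits, so it recomputes the expected question name when the response arrives. The comparison must stay case-sensitive; comparing the echoed name the way DNS normally matches labels would throw away every bit the encoding added.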
Authority servers were checked for proper preservation of 0x20-encoded query names
For 3 weeks, the authority servers listed in the .com and .net zones were targeted
This yielded 75 million server names on average and 7 million probe queries, spread across every DNS server listed in those zones
DNS Server Capability
99.7% of all DNS servers studied supported the 0x20 encoding scheme without any change to their code base
The remaining 0.3% tended to fail to preserve the 0x20 encoding only under very high query volumes
This gives high confidence that 0x20 encoding survives in practice, even under high query volume
DNS Server Capability
DNS poisoning attacks present a persistent and ongoing threat to the Internet's critical infrastructure
0x20 bit encoding makes the attacker's job more difficult and the recursive server more resistant to attack, but not impenetrable
The solution adds little overhead on the recursive server, so performance is not sacrificed
Conclusion
It is a lightweight and practical improvement to DNS security
It does not require a radical restructuring of the DNS infrastructure, and it can be adopted unilaterally by recursive servers
It improves DNS security immediately and does not require a community-wide effort
Strengths
It protects only the recursive server's transactions with authority servers; the stub-to-recursive path is out of scope
The encoding does not provide strong guarantees of transaction integrity: it adds bits an attacker must guess, but it does not authenticate the answer data
The key length is limited by the number of 0x20 capable characters in the name, so short or digit-heavy names gain few bits
Weaknesses
Explain in more detail how the keys would be managed (generation, secrecy, rotation)
Investigate a way to expand the DNS key length so that keys are not limited to the 0x20 capable characters of the domain name
Improvements
http://en.wikipedia.org/wiki/DNS_cache_poisoning
http://en.wikipedia.org/wiki/Domain_Name_Systm
http://technet.microsoft.com/enus/library/dd197427.aspx
http://fritz.cc.gt.atl.ga.us/ccs08/ccs202-dagon.pdf
http://www.asciitable.com/
References