Increased DNS Forgery Resistance Through 0x20-Bit Encoding


Page 1: Title

Increased DNS Forgery Resistance Through 0x20-Bit Encoding

Written By: David Dagon, Manos Antonakakis, Wenke Lee (Georgia Institute of Technology); Paul Vixie, Tatuya Jinmei (Internet Systems Consortium)

Presented By: Jarrod Williams

Page 2: Outline

Overview

Domain Name System (DNS)

0x20 Bit Encoding

Conclusion

Page 3: Overview

DNS labels, label matching, and the whole resolution process are case insensitive.

An ASCII letter in a DNS query name can be switched between lower and upper case by setting or clearing bit 0x20 (adding or subtracting 0x20 from its code).

Because the authority server echoes the question back unchanged, a recursive resolver that uses a different capitalization pattern for each query makes every transaction unique, and the forged answers used in DNS poisoning attacks become harder to match.

Page 4: Overview

Domain Name              Field Value (uppercase = 0, lowercase = 1)

www.example.com          1111111111111

WWW.EXAMPLE.COM          0000000000000

WwW.eXaMpLe.CoM          0101010101010

wWw.ExAmPlE.cOm          1010101010101

Page 5: Goals

No radical changes to the protocol

Protocol stability

Backward compatible with existing servers

Protect the recursive resolver in its transactions with the authority servers (the hop where cache poisoning takes place)

Page 6: Outline

Overview

Domain Name System (DNS)

0x20 Bit Encoding

Conclusion

Page 7: Domain Name System (DNS)

The DNS is a hierarchical naming system for computers, services, and any other resource participating on the Internet; it associates various information with domain names.

The DNS initiators on host machines are called stub resolvers.

Page 8: Domain Name System (DNS)

Each domain name is a node in the tree.

Each zone consists of many nodes.

A node can be delegated to become the apex of a subzone.

A zone's authority servers are named in its SOA (Start of Authority) record, so authority servers are sometimes loosely called "the SOA".

Page 9: Domain Name Hierarchy

Page 10: How DNS Operates

First, the stub resolver sends the query to the recursive server.

Next, the recursive resolver consults the root servers.

Then the recursive server consults the ".com" zone authority servers, which refer it on to the authority servers for the queried domain itself.

Finally, the answer is returned to the stub resolver and cached by the recursive resolver to assist in future resolutions.

Page 11: Simplified DNS Model

Page 12: DNS Cache Poisoning

Cache poisoning is a maliciously created or unintended situation in which a recursive DNS server accepts data that did not originate from an authoritative DNS source.

Attackers exploit DNS software by making it accept incorrect information. If a response is not properly validated against the outstanding query, the server caches the forged entries locally and serves them to every client that later makes the same request.

Page 13: Cache Poisoning Window

The window is the interval between the recursive server sending its query and the genuine answer arriving; a forged answer that matches the query's identifiers and lands in that window is accepted and cached.

Page 14: Outline

Overview

Domain Name System (DNS)

0x20 Bit Encoding

Conclusion

Page 15: 0x20 Bit Encoding

An authority server does not rebuild the question section of its reply from a parsed copy; it writes the query back out bit-for-bit as it arrived over the wire.

Almost all authority DNS servers therefore preserve the case of the query name exactly as the recursive server presented it.

A pattern of mixed-case encoding of the domain name makes each transaction between a DNS initiator and a responder unique, and gives the resolver an additional field (beyond the transaction ID and source port) with which to match replies to the queries it sent.

Page 16: 0x20 Bit Encoding Algorithm

A domain name arrives as input: the question field of an answer from a server, or a query from a stub resolver.

Transform the query name into a canonical format (all letters in one case).

Encrypt the canonical name under a secret key with a chosen cipher; the output supplies a pseudorandom bit string for this name.

Read the name one byte at a time and, walking the bit string in step, encode every "0x20 capable" character (ASCII letter).

Page 17: 0x20 Bit Encoding Algorithm

If the jth bit is 0, make the ith query character upper case (i.e., buff[i] &= ~0x20, clearing the bit).

If the jth bit is 1, make the ith query character lower case (i.e., buff[i] |= 0x20, setting the bit).

This produces a 0x20-encoded domain name that is sent to the authority server. The same computation verifies the query field returned by the authority server: a reply whose question name does not match the encoding, byte for byte, is discarded.
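The encoding and verification steps above, and the field-value table on page 4, as an added example in Python (not the paper's or any resolver's code). The slides leave the cipher unspecified, so this example derives the per-query bit string with HMAC-SHA256 in counter mode under a resolver-held secret (an assumption); the names and the three constructed replies in the demo are sample input.

```python
import hashlib
import hmac
import secrets
import struct


def canonicalize(name: str) -> str:
    """Canonical query form: no trailing dot, every letter lower case."""
    return name.rstrip(".").lower()


def is_0x20_capable(byte: int) -> bool:
    """Only ASCII letters have a case, and it lives in bit 0x20 (A-Z 0x41-0x5A, a-z 0x61-0x7A)."""
    return 0x41 <= byte <= 0x5A or 0x61 <= byte <= 0x7A


def capable_positions(name: str) -> list:
    return [i for i, b in enumerate(name.encode("ascii")) if is_0x20_capable(b)]


def case_bits(name: str) -> str:
    """Read the case pattern out of a name as in the field-value table: upper = 0, lower = 1."""
    raw = name.encode("ascii")
    return "".join("1" if raw[i] & 0x20 else "0" for i in capable_positions(name))


def apply_case_bits(canonical: str, bits) -> str:
    """Write a bit pattern into the 0x20-capable positions of a canonical name."""
    buff = bytearray(canonical.encode("ascii"))
    positions = capable_positions(canonical)
    bits = list(bits)
    if len(bits) != len(positions):
        raise ValueError(f"name has {len(positions)} capable characters, got {len(bits)} bits")
    for i, bit in zip(positions, bits):
        if bit == 0:
            buff[i] &= ~0x20 & 0xFF   # clear bit 5 -> upper case
        else:
            buff[i] |= 0x20           # set bit 5   -> lower case
    return buff.decode("ascii")


def keystream_bits(key: bytes, canonical: str, nbits: int) -> list:
    """Pseudorandom bits for this name under the resolver's secret key.
    ASSUMPTION: the slides say only 'a chosen encryption scheme'; this example
    uses HMAC-SHA256 in counter mode so it needs nothing outside the stdlib."""
    bits = []
    counter = 0
    while len(bits) < nbits:
        msg = canonical.encode("ascii") + struct.pack(">I", counter)
        for byte in hmac.new(key, msg, hashlib.sha256).digest():
            bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
        counter += 1
    return bits[:nbits]


def encode_0x20(key: bytes, name: str) -> str:
    """Canonicalize, derive the key stream, and case-encode the name to send."""
    canonical = canonicalize(name)
    nbits = len(capable_positions(canonical))
    return apply_case_bits(canonical, keystream_bits(key, canonical, nbits))


def verify_0x20(key: bytes, received_qname: str) -> bool:
    """Accept a reply's echoed question name only if its case pattern is exactly the
    one this resolver generates for that name under its key. A forger who does not
    hold the key must guess every case bit on top of the TXID and source port."""
    try:
        return received_qname == encode_0x20(key, received_qname)
    except UnicodeEncodeError:
        return False   # non-ASCII in the question section is never something we sent


if __name__ == "__main__":
    key = secrets.token_bytes(16)          # per-resolver secret, rotated at will
    sent = encode_0x20(key, "www.example.com")
    print("sent:", sent, case_bits(sent))
    # constructed replies: a case-preserving authority, a lowercasing middlebox, a forgery
    for label, reply in [("echoed by authority", sent),
                         ("lowercased in transit", sent.lower()),
                         ("blind forgery", "WWW.EXAMPLE.COM")]:
        print(f"{label:22}: {reply:16} accepted={verify_0x20(key, reply)}")
```

The caller still matches the canonical form of the received name against its outstanding query; verify_0x20 only answers whether the case pattern could have come from this resolver. Names are compared without a trailing dot, as canonicalize strips it.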

Page 18: 0x20 Bit Encoding Capability

A 0x20 capable character is an ASCII letter: its upper and lower case codes differ only in bit 0x20 (bit 5).

American Standard Code for Information Interchange (ASCII)

The ranges are: A…Z 0x41 – 0x5A and a…z 0x61 – 0x7A. Digits, hyphens and dots have no case and carry no bits.

Page 19: 0x20 Bit Encoding Capability

www.ucf.com: 6 0x20-capable characters, 6-bit key length, 2^6 = 64 unique combinations

www.vh1.com: 5 0x20-capable characters (the digit 1 carries no case), 5-bit key length, 2^5 = 32

www.licensing.disney.com: 18 0x20-capable characters, 18-bit key length, 2^18 = 262,144

These counts leave out three letters of each name; counting every letter in the full name gives 9, 8 and 21 bits (2^9 = 512, 2^8 = 256 and 2^21 = 2,097,152 combinations).
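The bit counting above, and what those bits buy against a blind spoofing race in the cache poisoning window, as an added example (not the paper's code). It counts every letter of the full name, so its figures are the full-name counts, and the probability model (distinct uniform guesses, a 16-bit TXID, an optional number of randomized source-port bits) is this example's assumption, not a claim from the slides.

```python
TXID_BITS = 16  # the DNS message ID is a 16-bit field


def count_0x20_bits(name: str) -> int:
    """One bit per ASCII letter; digits, hyphens and dots carry no case."""
    return sum(1 for ch in name if "A" <= ch <= "Z" or "a" <= ch <= "z")


def encoding_space(name: str) -> int:
    """Number of distinct case patterns the name can be sent with."""
    return 1 << count_0x20_bits(name)


def spoof_success_probability(name: str, spoofed_packets: int,
                              port_bits: int = 0, use_0x20: bool = True) -> float:
    """Probability that a blind attacker who fires `spoofed_packets` distinct forged
    replies into one poisoning window matches every field the resolver checks:
    the 16-bit TXID, `port_bits` bits of source-port randomisation (0 when the
    resolver uses a fixed port), and the case bits when 0x20 encoding is on.
    Model assumption (not from the slides): guesses are distinct and uniform, and
    the window closes when the genuine answer arrives."""
    guess_bits = TXID_BITS + port_bits + (count_0x20_bits(name) if use_0x20 else 0)
    return min(1.0, spoofed_packets / (1 << guess_bits))


def capability_table(names):
    """(name, bits, combinations) for each name, in the style of the slide."""
    return [(n, count_0x20_bits(n), encoding_space(n)) for n in names]


if __name__ == "__main__":
    for name, bits, combos in capability_table([
        "www.ucf.com", "www.vh1.com", "www.licensing.disney.com",
        "4.3.2.1.in-addr.arpa",   # constructed: reverse names are digit-heavy and gain little
    ]):
        print(f"{name:28} {bits:2d} bits  {combos:,} combinations")
    burst = 65536  # enough packets to sweep the whole TXID space in one window
    for label, kwargs in [("TXID only", dict(use_0x20=False)),
                          ("TXID + 0x20", {}),
                          ("TXID + 16 port bits + 0x20", dict(port_bits=16))]:
        p = spoof_success_probability("www.example.com", burst, **kwargs)
        print(f"{label:28} success per window: {p:.3g}")
```

The point the numbers make is the one on page 26: 0x20 adds entropy the attacker must guess, in proportion to the letters in the name, but it is not authentication, and a short or digit-heavy name adds little.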

Page 20: 0x20 Bit Encoding Capability

Page 21: DNS Server Capability

Authority servers were probed to check whether they properly preserve, and so support, 0x20 encoding.

For 3 weeks, the authority servers listed in the .com and .net zones were targeted.

This yielded on average 75 million server names and 7 million probe queries, spread across every DNS server listed in those zones.

Page 22: DNS Server Capability

99.7% of all DNS servers studied could support the DNS 0x20 encoding scheme without any change to their code base.

The remaining 0.3% tended to fail to preserve the 0x20 encoding under very high query volumes.

Overall there is high confidence that 0x20 bit encoding survives even high query volumes.

Page 23: Outline

Overview

Domain Name System (DNS)

0x20 Bit Encoding

Conclusion

Page 24: Conclusion

DNS poisoning attacks present a persistent and ongoing threat to the Internet's critical infrastructure.

0x20 bit encoding makes an attacker's job more difficult and makes the DNS server more resistant to attack, though not impenetrable.

The solution adds little overhead on the recursive server, so performance is not sacrificed.

Page 25: Strengths

It is a lightweight and practical improvement to DNS security.

It does not require a radical restructuring of the DNS infrastructure, and can be adopted unilaterally by recursive servers.

It gives an immediate improvement in DNS security without requiring a community-wide effort.

Page 26: Weaknesses

It protects only the recursive server's transactions with authority servers; stub resolvers gain nothing.

The encoding does not provide strong guarantees of transaction integrity: it adds bits an attacker must guess, not authentication of the answer.

The encoding length is limited to the 0x20-capable (letter) characters of the name, so short or digit-heavy names gain few bits.

Page 27: Improvements

Explain in more detail how the encoding keys would be generated, stored and rotated.

Investigate a way to extend the key length so that it is not limited to the letter characters of the domain name.

Page 28: References

http://en.wikipedia.org/wiki/DNS_cache_poisoning

http://en.wikipedia.org/wiki/Domain_Name_System

http://technet.microsoft.com/en-us/library/dd197427.aspx

http://fritz.cc.gt.atl.ga.us/ccs08/ccs202-dagon.pdf

http://www.asciitable.com/