What is a DNS?
A DNS server translates domain names into IP addresses. Every website has an IP address, or a set of them. The World Wide Web and computers in general work more easily with numbers, whereas we humans find it hard to remember a web address as a group of numbers. For example, the website Google.com has its own numeric address (IP address): http://18.104.22.168/
So if you type the address above, your browser won't contact any DNS server, because that address is already a set of numbers and the computer needs no "translation". That was in fact the case in the early days of the World Wide Web, the Internet and Fidonet (a now largely forgotten competitor of the early Internet). Fidonet used only numbers to refer to addresses, and it already used the term "zone", which is essential to DNS server operation; we will discuss that later.
The first DNS appeared in 1993, but years prior to the 90's, a group of
On the other hand, the history of DNS isn't as "bright" and "clear" as it seems. Since the very early years, BIND and DNS in general have always been a target of attacks, such as "pharming", "spoofing", "phishing", "hijacking" and the "birthday paradox" attack. We describe these techniques in more detail below.
First, however, let's examine the DNS structure in more detail. To understand and prevent these attacks we need a good understanding of the Internet's structure as a whole. Many people are unaware of the order in which DNS queries take place. Some might find it surprising that DNS queries in fact occur from the top down, e.g. the root server -> the ISP server -> the local server -> the cache resolver.
As we already explained, in the early days of the Internet DNS wasn't necessary. Every computer back then had its own "hosts" file, and surprisingly the infamous hosts file still exists on Linux and Windows systems. Its role is to handle some frequently used websites. You can modify your hosts file. On Windows machines the hosts file is located in c:\windows\system32\drivers\etc\ (that is the case in Windows XP). On Linux you will find it in /etc.
You can open the hosts file with Notepad and modify it so that any web page is redirected to an IP address of your choice. If you are "suspicious" enough you probably already realize the enormous potential for abuse behind DNS. In practice, assuming you have opened your hosts file, add this line at the top of your file. Please remember to make a copy of the hosts file first, just in case. Now open your hosts file with Notepad, select the text inside, delete the original contents of the hosts file and in their place paste this:
Now open your favourite web browser and try to navigate to: http://yahoo.com
You don't see Yahoo now, right? You wanted to reach Yahoo, but instead you see... Google? Quite confusing, but what you just did was assign the IP address of Google to the domain yahoo.com.
Needless to say, this change works only on your computer; it doesn't affect Yahoo or Google themselves, but for the novice this technique is an example of the power hidden in malicious DNS manipulation. To reverse this annoying hack, just open the hosts file again and delete everything inside. You perhaps don't need the localhost entry assigned to 127.0.0.1; or change your localhost to some other numeric address :) like 22.214.171.124.
Here is a simple diagram that shows the path of your DNS queries on the Internet, that is, what exactly happens in the background when you type a web address in your browser. The operation takes a second, in fact a fraction of a second, and obviously this doesn't bother you, since you reach your favourite Google.com or Yahoo.com as soon as you blink:
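The redirection just demonstrated is also what a defender looks for: a watched domain pinned to a foreign address in the local hosts file. The following is an added example, not part of the original article; the hosts text and the watch-list of domains are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not a real system's), including a hijacked
# entry of the kind described above: yahoo.com pinned to another address.
SAMPLE_HOSTS = """\
# comment line, as found at the top of the Windows hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      yahoo.com www.yahoo.com
10.0.0.5        intranet.example.test
"""

# Constructed watch-list: domains no workstation should override locally.
WATCHED_DOMAINS = {"yahoo.com", "google.com", "ebay.com"}


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, skipping
    comments, blank lines and entries whose address does not parse."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        entries.extend((addr, name.lower()) for name in names)
    return entries


def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Flag watched domains (or their subdomains) mapped to a non-loopback
    address. Loopback sinkholes are a common, legitimate use and are ignored."""
    findings = []
    for addr, name in parse_hosts(text):
        if ipaddress.ip_address(addr).is_loopback:
            continue
        base = name
        while base and base not in watched:
            base = base.partition(".")[2]   # www.yahoo.com -> yahoo.com -> com -> ""
        if base:
            findings.append((name, addr))
    return findings


if __name__ == "__main__":
    for name, addr in suspicious_entries(SAMPLE_HOSTS):
        print(f"ALERT: {name} is locally pinned to {addr}")
```

Point the script at the real file from the paths given above to audit a machine; an entry it reports is exactly the edit described in the text.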
2. DNS hacking techniques:
2.1. The modern approach: A recent exploit in BIND 9:
Many DNS attacks use the "man in the middle" approach. In other words, when the real DNS server expects an answer from the client, malicious third-party software intentionally "represents" itself as the real client; the DNS server believes it is talking to the real client and communicates with the malicious software, which poisons the DNS server's cache with fake results, for example assigning fake IP addresses to sites like ebay.com. So the next time a user asks that DNS server for ebay.com, they actually open a poisoned website at the fake IP address, which belongs to the attacker, who collects personal information such as credit card numbers and bank accounts. On the other hand, the good news is that such attacks have been largely unsuccessful in the last few years thanks to the many patches released for BIND and other DNS servers. DNS attacks became a hacking fashion back in the 90's, perhaps even more popular than trojans at some point. But the serious security holes are not over yet. A recent and very interesting exploit in the latest versions of BIND shows that BIND's "random" numbers are actually predictable. These "random numbers" are the unique IDs that a BIND server must assign to the current session when it communicates with a client, in order to be sure that it is really communicating with the client and not with some attack tool. Another weakness comes from the fact that the BIND session IDs are just 16 bytes long. For people who understand cryptography it is clear that such codes could not only be broken by brute force but even guessed with simple logic. One such interesting approach is described in great detail in the paper below:
Later, a prototype was written in Python to test this. Here is the source code:
At the moment we won't discuss other hacking techniques, because this isn't a hacking tutorial and mainly because, as we mentioned, most of the DNS hacking methods aren't possible nowadays, like for example the birthday paradox. Besides, you will find tons of information on Google about such old topics and we don't intend to copy them.
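The session ID discussed above is what ties a reply to the query a resolver sent, so it only helps if it is unpredictable and if the resolver actually checks it together with the question. The following is an added example, not the prototype referenced above and not BIND's code: a minimal resolver-side check over constructed query and reply messages. The ID field in the DNS header is a 16-bit integer (`struct` format `H`), which is why a guessable ID is dangerous.

```python
import secrets
import struct

QR_BIT = 0x8000  # header flag: 1 = this message is a response

def fresh_txid():
    """ID drawn from the OS CSPRNG. A counter or weak PRNG here is exactly
    the predictability problem described above."""
    return secrets.randbits(16)

def encode_qname(name):
    """Encode 'www.ebay.com' as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_message(txid, flags, qname, qtype=1, qclass=1):
    """Header plus one question. The answer section is left empty on purpose;
    only header and question are validated here."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack(">HH", qtype, qclass)

def parse_question(msg):
    """Return (txid, is_response, qname, qtype, qclass) from a DNS message."""
    txid, flags = struct.unpack(">HH", msg[:4])
    labels, off = [], 12
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    qtype, qclass = struct.unpack(">HH", msg[off + 1:off + 5])
    return txid, bool(flags & QR_BIT), ".".join(labels), qtype, qclass

def accept_response(pending_query, response):
    """Resolver-side check: accept only a message flagged as a response whose
    ID *and* question match the query actually sent. Anything else is an
    unsolicited or forged datagram and must be dropped, never cached."""
    q, r = parse_question(pending_query), parse_question(response)
    return r[1] and not q[1] and r[0] == q[0] and r[2:] == q[2:]

# Constructed sample traffic, not captured from a real resolver.
QUERY = build_message(0x1A2B, 0x0100, "www.ebay.com")
GOOD_REPLY = build_message(0x1A2B, 0x8180, "WWW.EBAY.COM")      # same name, case differs
WRONG_ID = build_message(0x1A2C, 0x8180, "www.ebay.com")        # ID guessed wrong
WRONG_NAME = build_message(0x1A2B, 0x8180, "www.example.com")   # right ID, other question
```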
Now let's see what you can do in order to protect your DNS server.
3. Protect your DNS server
- Protect your DNS server against cache pollution;
- Enable recursion only for specific DNS servers that you know (for example the DNS servers at your hosting server's location);
- Use firewalls, preferably several! Recent studies show that around the new millennium a group of hackers took down the 13 main root DNS servers with an extremely high volume of flood queries. Though the attack wasn't anything special, the root servers stopped functioning for several minutes, and with them, in effect, the entire Internet. The attack isn't well known, because the local caching LAN DNS servers kept showing every web page as if nothing had happened, so the outage was practically invisible to the casual web visitor; obviously several minutes without the Internet are not a world disaster. However, this very example illustrates the potential of flooding attacks, the so-called DoS (Denial of Service) attacks. And as we mentioned, in this particular example the root servers used several firewalls, which literally saved them from overheating and going out of service;
- Use internal zones only;
- Be careful with zone transfers;
- Always install the latest patches of BIND;
- Create daily backups, or better, replicate the hard disk;
- Configure a third-party local DNS server to act as the master DNS server; this way you can forbid access to it from the Internet;
- Prefer Linux over Windows, perhaps Fedora or Red Hat with SELinux turned on. Installing patches on these systems is always a good idea;
- Use tools like "Necto" to scan your open ports, domains and so on. Watch for unusual activity on higher ports, or on any port;
- Deploy the server as a server core;
- Avoid services like DynDNS;
- Use MAC address restrictions where possible;
- Install and run the DNS servers on the domain controllers.
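Two of the items above, restricting recursion to networks you know and being careful with zone transfers, map directly onto the `allow-recursion` and `allow-transfer` address-match lists in BIND's `options` block. As an added example (not part of the original article and not a BIND tool), the following audits a named.conf fragment for those two settings; both configuration fragments are constructed for illustration.

```python
import re

# Constructed named.conf fragments (not from a real server): the first leaves
# recursion and zone transfers open to anyone, the second applies the list above.
OPEN_CONF = """
options {
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
};
"""
HARDENED_CONF = """
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; 192.168.1.0/24; };
    allow-transfer { 192.168.1.53; };
};
"""

def options_block(conf):
    """Body of the options { ... }; block (assumes it closes with '};' on its own line)."""
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    return m.group(1) if m else ""

def acl_of(block, directive):
    """Address-match list of a directive as tokens, or None if it is not set."""
    m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(directive), block)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]

def audit_options(conf):
    """Report the two weaknesses the list above warns about."""
    block = options_block(conf)
    findings = []
    # (?<![\w-]) keeps 'allow-recursion' from matching as 'recursion'
    recursion_on = re.search(r"(?<![\w-])recursion\s+yes\s*;", block) is not None
    rec = acl_of(block, "allow-recursion")
    if recursion_on and rec is not None and "any" in rec:
        findings.append("allow-recursion { any; }: open resolver, restrict to your own networks")
    elif recursion_on and rec is None:
        findings.append("recursion on but allow-recursion not set: restrict it explicitly")
    xfr = acl_of(block, "allow-transfer")
    if xfr is None or "any" in xfr:
        findings.append("allow-transfer missing or 'any': limit to your secondaries or 'none'")
    return findings

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_options(conf) or ["no findings"])
```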