Published by Enhelion, 2019-11-24 05:35:56

Network Security - MOD1 (II)


MODULE 1: DOMAIN NAME SYSTEM

Domain Name System or DNS is an important part of almost all types of networks. DNS translates
domain names into IP addresses that can be used by network servers to route the network traffic
to the appropriate destination. DNS can also be used for malicious activities, such as a DNS
poisoning attack.

Personal and commercial use of the Internet requires human-readable addresses because human
beings cannot remember the IP addresses of the large number of websites that they visit daily.
Initially, the name-to-IP address translation service used a single hosts file. The file was
administered by the Stanford Research Institute and was distributed among several system
admins via FTP. This method, however, became obsolete as more and more websites were
created.

The foundation of Domain Name System
RFCs 882 and 883 contain the specifications for the design of the Domain Name System. The
IPv4 networks grew in number and size with the help of DNS. The domain name to IP address
translation service got a new hierarchical and de-centralised system. The domain space blocks can
easily be navigated through as the different parts of the DNS name space are distributed to multiple
entities by the top level zones that are managed by various organisations. Due to the fact that the
data is shared among multiple entities, any missing data does not affect the system.

The growth of DNS
As both IPv4 and IPv6 addresses grew, so did the number of AAAA and IP6.ARPA records. A
large number of these two types of DNS records were registered in the year 2004. On a main set
of root name servers, about 250 ccTLD zones, which are the 2-letter country specific top-level
domains, and more than 21 gTLD zones, which are the generic top-level domains, have been
assigned by ICANN from the top-level. The root name servers are a vast collection of scattered
systems set up at key data exchange nodes available on the Internet. They are also available on
systems present in various organisations.

The management of policies and domain name registration is the responsibility of the Network
Information Centre (NIC) or the registrar of every country. Different registrars have different rules
concerning cost, process, identity, responsibility, etc. An example of a rule set by the registrar of
a certain country would be a requirement that a company doing business in that country and
wanting to register with the registrar must be registered with specific professional agencies and
be a commercial entity at the time of registration. Some countries restrict what type of domain
suffix an entity can use for its website, whereas other countries do not. Threat actors could use
the absence of such restrictions on domain suffixes to create malicious websites and lure people
into using them. They could then use this opportunity to steal sensitive information from their
victims, steal money, or perform other malicious activities through their bogus website.

Many countries have been advised by authorities that they should take measures to prevent
malicious activities within their digital borders, and that they could start doing this by securing the
part of the domain name system infrastructure that lies within a particular country. There have
been cases where DNS providers have been falsifying DNS data for commercial and other
purposes. ICANN sets out rules and regulations that registrars have to comply with; however,
there are still many registrars around the world who violate those rules and regulations.
There are a great number of vulnerabilities present in the global DNS system that need to be fixed
in order to detect and prevent cyber-crime.

The DNS service
The ISC BIND distribution is the base of the main domain name service software. Devices such
as modems, servers, and routers are used to make the domain name system available to
different types of organisations. When IP address allocation takes place on a client
computer system, the DHCP client software present on that system also receives the information
about the DNS server that the system can use for name resolution services.

The accuracy and the availability of the DNS servers being used by the DNS service are mostly
assumed by the DNS protocol. This happens when no DNSSEC extensions are used by the DNS
service and it relies only on UDP and TCP connections to the delegated DNS servers. This is risky
because the DNS protocol itself does not have any security mechanism built into it. DNS packets
can be manipulated as the protocol does not provide any means to detect DNS data interception.

Importance of DNS in packet capturing and analysis
DNS can be very helpful while analysing network traffic packet captures. A few examples of the
utility of DNS queries in network traffic analysis are as follows:

• They can be used for investigating whether IP addresses have been pre-planted into HTTP
requests. This could come in handy in a situation where it is to be determined whether a
spoofing attack was performed on the network or not.

• By using DNS queries, it can also be determined whether the queries were generated
by a human or by malware.

• Any failed domain name lookups can also be discovered.

• DNS queries can also be used to perform deep searches within the network traffic dump
and get specific results.

• The timings of the DNS queries can also be found out.

Data contained within the DNS queries
There is a specific query and response related to every DNS transaction that occurs. A resolution
request for an IP address or a specific name is contained within a query. There is a standard form
that is followed by every query. Let us study the whole DNS transaction step-by-step. Each
exchange could be considered as a packet being sent from the client computer system to the
resolver or vice-versa. The following are the exchanges that take place for resolving a FQDN to
its related IP address:

1. The transaction starts with a request for a reverse resolution of the configured name server.
The system makes a PTR query for this purpose. For example, PTR 6.32.179.67.in-addr.arpa
is the query that would be made for the reverse resolution of the 67.179.32.6 IP
address of the configured name server.

2. After this, the upstream resolver sends back a reply that contains the fully qualified domain
name or FQDN related to the given IP address. The fully qualified domain name of the
name server that is returned in the reply can reveal a lot of information. For example, UUNET
is an Internet Service Provider, and information about its operations can be determined
easily from the FQDN, cache4.ns.au.uu.net, that is returned in the reply sent by
the upstream resolver. It can be found out that they are operating region wise from the
'au.uu.net' part of the FQDN. It can also be found out that they have divisions according to
the functionality of the server by looking at the 'ns.au.uu.net' part. The 'cache' in the FQDN
tells that multiple classes of name servers have been utilised by the ISP, and the number '4'
provides information that there are numerous instances being utilised by them. One can
figure out whether the configured resolver has been changed by examining the previously
discussed data. It can also be found out whether someone is subverting the DNS
connection by verifying the IP address contained in the upstream resolver's reply.
3. In the third exchange, the 'A' record is requested for the particular FQDN that has to be
resolved. An 'A' record points to the IP address of the FQDN in question. For example,
the packet sent in the third exchange will contain the FQDN, such as www.abcdefg.com,
for which the name to IP address resolution has to be done.
4. Various addresses are returned in the fourth exchange by the upstream name server. The
server replies with A records and the CNAMEs to which they are related. The server
sends these multiple records so that for the resolution of a single IP address the client
computer does not have to send a lot of queries.
5. In the fifth exchange, the client computer system again sends a resolution request but to
get the FQDN resolved to an IPv6 address. The IPv6 address is contained in an ‘AAAA’
record.
6. If the server has an ‘AAAA’ record available for the particular request, it replies with
it in the sixth exchange.
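
The exchanges above, together with the failed-lookup check from the packet-analysis list, as an added example that is not part of the original module: it builds the PTR, A and AAAA queries in DNS wire format, parses them back, and lists responses with a non-zero RCODE. The name no-such-host.example and the constructed replies (which carry no answer records) are assumptions made for illustration.

```python
import ipaddress
import struct

QTYPES = {"A": 1, "PTR": 12, "AAAA": 28}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def build_query(txid, name, qtype):
    """Wire-format query: header (RD=1, one question) + QNAME, QTYPE, QCLASS=IN."""
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("label must be 1..63 bytes")
        qname += bytes([len(raw)]) + raw
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!2H", QTYPES[qtype], 1)

def parse_message(msg):
    """Summarise a DNS message from its header and first question."""
    if len(msg) < 12 or msg[4:6] == b"\x00\x00":
        raise ValueError("truncated header or no question")
    txid, flags = struct.unpack("!2H", msg[:4])
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        if n > 63 or pos + 1 + n > len(msg):  # compression pointer or overrun
            raise ValueError("malformed QNAME")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if pos + 5 > len(msg):
        raise ValueError("truncated question")
    (qtype,) = struct.unpack("!H", msg[pos + 1:pos + 3])
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": ".".join(labels),
            "qtype": qtype, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF))}

def failed_lookups(packets):
    """Names in responses whose RCODE is not NOERROR (failed lookups)."""
    return [m["qname"] for m in map(parse_message, packets)
            if m["is_response"] and m["rcode"] != "NOERROR"]

def sample_capture():
    """Constructed capture: the PTR, A and AAAA lookups above plus one failed lookup."""
    ptr = ipaddress.ip_address("67.179.32.6").reverse_pointer
    asks = [(ptr, "PTR", 0), ("www.abcdefg.com", "A", 0),
            ("www.abcdefg.com", "AAAA", 0), ("no-such-host.example", "A", 3)]
    qs = [(build_query(i, n, t), rc) for i, (n, t, rc) in enumerate(asks, 1)]
    # Constructed reply: same ID and question, flags QR|RD|RA plus the RCODE.
    return [p for q, rc in qs for p in (q, q[:2] + struct.pack("!H", 0x8180 | rc) + q[4:])]
```

Calling failed_lookups(sample_capture()) returns only the hypothetical name, since the other three replies carry RCODE 0.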

DNS hierarchy

An explanation of the DNS hierarchy is given below:
• Root directory
o In this example, the (root) is the root directory.
• Top-Level Domains
o The .com, .org suffixes come under organisational hierarchy. Some more examples
of organizational domain suffixes are .edu, .gov, and .net
o The .uk suffix comes under geographical hierarchy. Some more examples of
domain suffixes that come under the geographical hierarchy are .sp, .fr, .gr, and .pe
• Second-Level Domains
o The .ac, .co domain suffixes are the second-level domains that fall directly under a
Top-Level Domain.

• Main domain
o A main domain name is the name that is used while registering for a website domain
on a domain hosting website or when hosting a domain within a private network.
In the DNS hierarchy chart shown above, examples of main domains are
‘Google’ and ‘wmin’.

• Hostname
o In the DNS hierarchy chart shown above, an example of a hostname contained
within a fully qualified domain name is ‘www’.

