FerienInThailand1
DNS & DNSSEC
===

## Requirements / Presentation talking points

- DNS, DNSSEC, DNS over HTTPS
    - https://de.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
- Understand RFC1035 including chapter 4
    - https://www.ietf.org/rfc/rfc1035.txt
    - Packet format
    - Compression
    - Basic RRs
    - Caching
    - Recursive servers vs. authoritative servers
- Capture DNS traffic
- Privacy and security issues
- QNAME minimization, 0x20 Vixie Draft
- Iodine
- DNS Amplification
    - https://de.wikipedia.org/wiki/DNS_Amplification_Attack
- Domain/DNS hijacking
    - https://en.wikipedia.org/wiki/DNS_hijacking
- Cache poisoning & DNS Spoofing
    - https://de.wikipedia.org/wiki/Cache_Poisoning

## Presentation

- RFC1035 (DNS basis)
- RFC2535 (DNSSEC (obsolete))
- RFC3225 (Indicating DNSSEC support)
- RFC4034 (DNSSEC (RRSIG/DNSKEY))
- RFC6891 (EDNS(0) (DNS Extension Mechanisms))

## Example Task

Use a custom UDP client to send hidden data to an attacker-controlled DNS server.

A similar, already existing project can be found here: https://code.kryo.se/iodine/

## Links

DNSSEC

- https://www.nic.sa/en/view/dnssec
- https://www.verisign.com/en_US/domain-names/dnssec/how-dnssec-works/index.xhtml

## Technical

```
All RRs have the same top level format shown below:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                                               |
    /                                               /
    /                      NAME                     /
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      TYPE                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                     CLASS                     |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      TTL                      |
    |                                               |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                   RDLENGTH                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
    /                     RDATA                     /
    /                                               /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

NAME            an owner name, i.e., the name of the node to which this
                resource record pertains.

TYPE            two octets containing one of the RR TYPE codes.

CLASS           two octets containing one of the RR CLASS codes.

TTL             a 32 bit signed integer that specifies the time interval
                that the resource record may be cached before the source
                of the information should again be consulted.  Zero
                values are interpreted to mean that the RR can only be
                used for the transaction in progress, and should not be
                cached.  For example, SOA records are always distributed
                with a zero TTL to prohibit caching.  Zero values can
                also be used for extremely volatile data.

RDLENGTH        an unsigned 16 bit integer that specifies the length in
                octets of the RDATA field.
```

```
3.2.2. TYPE values

TYPE fields are used in resource records.  Note that these types are a
subset of QTYPEs.

TYPE            value and meaning

A               1 a host address
NS              2 an authoritative name server
MD              3 a mail destination (Obsolete - use MX)
MF              4 a mail forwarder (Obsolete - use MX)
CNAME           5 the canonical name for an alias
SOA             6 marks the start of a zone of authority
MB              7 a mailbox domain name (EXPERIMENTAL)
MG              8 a mail group member (EXPERIMENTAL)
MR              9 a mail rename domain name (EXPERIMENTAL)
NULL            10 a null RR (EXPERIMENTAL)
WKS             11 a well known service description
PTR             12 a domain name pointer
HINFO           13 host information
MINFO           14 mailbox or mail list information
MX              15 mail exchange
TXT             16 text strings
```

```
3.2.3. QTYPE values

QTYPE fields appear in the question part of a query.  QTYPES are a
superset of TYPEs, hence all TYPEs are valid QTYPEs.  In addition, the
following QTYPEs are defined:

AXFR            252 A request for a transfer of an entire zone
MAILB           253 A request for mailbox-related records (MB, MG or MR)
MAILA           254 A request for mail agent RRs (Obsolete - see MX)
*               255 A request for all records
```

```
3.3.2. HINFO RDATA format

    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    /                      CPU                      /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    /                       OS                      /
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

CPU             A <character-string> which specifies the CPU type.

OS              A <character-string> which specifies the operating
                system type.

Standard values for CPU and OS can be found in [RFC-1010].

HINFO records are used to acquire general information about a host.  The
main use is for protocols such as FTP that can use special procedures
when talking between machines or operating systems of the same type.
```

```
4. MESSAGES

4.1. Format

All communications inside of the domain protocol are carried in a single
format called a message.  The top level format of message is divided
into 5 sections (some of which are empty in certain cases) shown below:

    +---------------------+
    |        Header       |
    +---------------------+
    |       Question      | the question for the name server
    +---------------------+
    |        Answer       | RRs answering the question
    +---------------------+
    |      Authority      | RRs pointing toward an authority
    +---------------------+
    |      Additional     | RRs holding additional information
    +---------------------+
```

```
4.1.1. Header section format

The header contains the following fields:

                                    1  1  1  1  1  1
      0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                      ID                       |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    QDCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ANCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    NSCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    |                    ARCOUNT                    |
    +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

where:

ID              A 16 bit identifier assigned by the program that
                generates any kind of query.  This identifier is copied
                the corresponding reply and can be used by the requester
                to match up replies to outstanding queries.

QR              A one bit field that specifies whether this message is a
                query (0), or a response (1).

OPCODE          A four bit field that specifies kind of query in this
                message.  This value is set by the originator of a query
                and copied into the response.  The values are:

                0               a standard query (QUERY)
                1               an inverse query (IQUERY)
                2               a server status request (STATUS)
                3-15            reserved for future use

AA              Authoritative Answer - this bit is valid in responses,
                and specifies that the responding name server is an
                authority for the domain name in question section.

                Note that the contents of the answer section may have
                multiple owner names because of aliases.  The AA bit
                corresponds to the name which matches the query name, or
                the first owner name in the answer section.

TC              TrunCation - specifies that this message was truncated
                due to length greater than that permitted on the
                transmission channel.

RD              Recursion Desired - this bit may be set in a query and
                is copied into the response.  If RD is set, it directs
                the name server to pursue the query recursively.
                Recursive query support is optional.

RA              Recursion Available - this be is set or cleared in a
                response, and denotes whether recursive query support is
                available in the name server.

Z               Reserved for future use.  Must be zero in all queries
                and responses.

RCODE           Response code - this 4 bit field is set as part of
                responses.  The values have the following
                interpretation:

                0               No error condition

                1               Format error - The name server was
                                unable to interpret the query.

                2               Server failure - The name server was
                                unable to process this query due to a
                                problem with the name server.

                3               Name Error - Meaningful only for
                                responses from an authoritative name
                                server, this code signifies that the
                                domain name referenced in the query does
                                not exist.

                4               Not Implemented - The name server does
                                not support the requested kind of query.

                5               Refused - The name server refuses to
                                perform the specified operation for
                                policy reasons.  For example, a name
                                server may not wish to provide the
                                information to the particular requester,
                                or a name server may not wish to perform
                                a particular operation (e.g., zone
                                transfer) for particular data.

                6-15            Reserved for future use.

QDCOUNT         an unsigned 16 bit integer specifying the number of
                entries in the question section.

ANCOUNT         an unsigned 16 bit integer specifying the number of
                resource records in the answer section.

NSCOUNT         an unsigned 16 bit integer specifying the number of name
                server resource records in the authority records
                section.

ARCOUNT         an unsigned 16 bit integer specifying the number of
                resource records in the additional records section.
```

Standard values for CPU and OS: https://www.ietf.org/rfc/rfc1010.txt

```
ALTO AMDAHL-V7 APOLLO ATT-3B20 BBN-C/60 BURROUGHS-B/29 BURROUGHS-B/4800
BUTTERFLY C/30 C/70 CADLINC CADR CDC-170 CDC-170/750 CDC-173
CELERITY-1200 COMTEN-3690 CP8040 CRAY-1 CRAY-X/MP CRAY-2 CTIWS-117
DANDELION DEC-10 DEC-1050 DEC-1077 DEC-1080 DEC-1090 DEC-1090B DEC-1090T
DEC-2020T DEC-2040 DEC-2040T DEC-2050T DEC-2060 DEC-2060T DEC-2065
DEC-FALCON DEC-KS10 DORADO DPS8/70M ELXSI-6400 FOONLY-F2 FOONLY-F3
FOONLY-F4 GOULD GOULD-6050 GOULD-6080 GOULD-9050 GOULD-9080 H-316
H-60/68 H-68 H-68/80 H-89 HONEYWELL-DPS-6 HONEYWELL-DPS-8/70 HP3000
HP3000/64 IBM-158 IBM-360/67 IBM-370/3033 IBM-3081 IBM-3084QX IBM-3101
IBM-4331 IBM-4341 IBM-4361 IBM-4381 IBM-4956 IBM-PC IBM-PC/AT IBM-PC/XT
IBM-SERIES/1 IMAGEN IMAGEN-8/300 IMSAI INTEGRATED-SOLUTIONS
INTEGRATED-SOLUTIONS-68K INTEGRATED-SOLUTIONS-CREATOR
INTEGRATED-SOLUTIONS-CREATOR-8 INTEL-IPSC IS-1 IS-68010 LMI LSI-11
LSI-11/2 LSI-11/23 LSI-11/73 M68000 MASSCOMP MC500 MC68000 MICROVAX
MICROVAX-I MV/8000 NAS3-5 NCR-COMTEN-3690 NOW ONYX-Z8000 PDP-11 PDP-11/3
PDP-11/23 PDP-11/24 PDP-11/34 PDP-11/40 PDP-11/44 PDP-11/45 PDP-11/50
PDP-11/70 PDP-11/73 PE-7/32 PE-3205 PERQ PLEXUS-P/60 PLI PLURIBUS
PRIME-2350 PRIME-2450 PRIME-2755 PRIME-9655 PRIME-9755 PRIME-9955II
PRIME-2250 PRIME-2655 PRIME-9955 PRIME-9950 PRIME-9650 PRIME-9750
PRIME-2250 PRIME-750 PRIME-850 PRIME-550II PYRAMID-90 PYRAMID-90MX
PYRAMID-90X RIDGE RIDGE-32 RIDGE-32C ROLM-1666 S1-MKIIA SMI
SEQUENT-BALANCE-8000 SIEMENS SILICON-GRAPHICS SILICON-GRAPHICS-IRIS
SPERRY-DCP/10 SUN SUN-2 SUN-2/50 SUN-2/100 SUN-2/120 SUN-2/140 SUN-2/150
SUN-2/160 SUN-2/170 SUN-3/160 SUN-3/50 SUN-3/75 SUN-3/110 SUN-50 SUN-100
SUN-120 SUN-130 SUN-150 SUN-170 SUN-68000 SYMBOLICS-3600 SYMBOLICS-3670
TANDEM-TXP TEK-6130 TI-EXPLORER TP-4000 TRS-80 UNIVAC-1100
UNIVAC-1100/60 UNIVAC-1100/62 UNIVAC-1100/63 UNIVAC-1100/64
UNIVAC-1100/70 UNIVAC-1160 VAX-11/725 VAX-11/730 VAX-11/750 VAX-11/780
VAX-11/785 VAX-11/790 VAX-11/8600 VAX-8600 WANG-PC002 WANG-VS100
WANG-VS400 XEROX-1108 XEROX-8010
```

```
AEGIS APOLLO BS-2000 CEDAR CGW CHRYSALIS CMOS CMS COS CPIX CTOS CTSS DCN
DDNOS DOMAIN EDX ELF EMBOS EMMOS EPOS FOONEX FUZZ GCOS GPOS HDOS IMAGEN
INTERCOM IMPRESS INTERLISP IOS ITS LISP LISPM LOCUS MINOS MOS MPE5 MSDOS
MULTICS MVS MVS/SP NEXUS NMS NONSTOP NOS-2 OS/DDP OS4 OS86 OSX PCDOS
PERQ/OS PLI PSDOS/MIT PRIMOS RMX/RDOS ROS RSX11M SATOPS SCS SIMP SWIFT
TAC TANDEM TENEX TOPS10 TOPS20 TP3010 TRSDOS ULTRIX UNIX UT2D V VM
VM/370 VM/CMS VM/SP VMS VMS/EUNICE VRTX WAITS WANG XDE XENIX
```
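
Added example (not part of the original note or of RFC 1035): a bounds-checked Python parser for the header (4.1.1) and the RR layout quoted above, run over a constructed response. Name compression follows RFC 1035 section 4.1.4 and the question layout section 4.1.2, which the note lists but does not quote; the function names and the sample bytes are this example's own.

```python
import struct

def need(msg: bytes, off: int, n: int) -> None:
    if off + n > len(msg):
        raise ValueError("field runs past end of message")

def parse_header(msg: bytes) -> dict:
    """Decode the 12-octet header from section 4.1.1."""
    need(msg, 0, 12)
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
            "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1, "z": (flags >> 4) & 7,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def read_name(msg: bytes, off: int):
    """Return (dotted name, offset after the name), following compression pointers."""
    labels, resume, seen = [], None, set()
    while True:
        need(msg, off, 1)
        length = msg[off]
        if (length & 0xC0) == 0xC0:          # two high bits set: 14-bit pointer
            need(msg, off, 2)
            resume = resume or off + 2       # caller continues after the first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            if off in seen:                  # a pointer cycle would never terminate
                raise ValueError("compression pointer loop")
            seen.add(off)
        elif length & 0xC0:
            raise ValueError("reserved label type")
        elif length == 0:                    # zero-length root label ends the name
            return ".".join(labels) or ".", resume or off + 1
        else:
            need(msg, off, 1 + length)
            labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
            off += 1 + length

def parse_message(msg: bytes) -> dict:
    """Parse header, questions and answer RRs (authority/additional not walked)."""
    hdr, off, questions, answers = parse_header(msg), 12, [], []
    for _ in range(hdr["qdcount"]):
        name, off = read_name(msg, off)
        need(msg, off, 4)
        questions.append((name, *struct.unpack_from("!2H", msg, off)))
        off += 4
    for _ in range(hdr["ancount"]):
        name, off = read_name(msg, off)
        need(msg, off, 10)                   # TYPE, CLASS, TTL (signed, as quoted), RDLENGTH
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHiH", msg, off)
        need(msg, off + 10, rdlen)           # never trust RDLENGTH beyond the buffer
        answers.append((name, rtype, rclass, ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return {"header": hdr, "questions": questions, "answers": answers}

# Constructed sample: response to "example.com A", answer name compressed to offset 12
SAMPLE = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
          + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)
          + b"\xc0\x0c" + struct.pack("!HHiH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

The same functions work on payloads taken from a packet capture; a message with a truncated field or a pointer cycle raises `ValueError`.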
