Saturday, February 6, 2016

Domain Name Service (DNS) & DNS Security


In the previous lesson we discussed IP addresses. Remembering IP addresses is difficult; it is not practical to memorise every address we need for daily use. The Domain Name System (DNS) lets us use easy-to-remember names instead of IP addresses. For instance, instead of remembering 173.194.44.230 we can use www.google.com.
DNS is like a phone book for the Internet: each website has a name, and instead of a phone number there is an IP address for it. DNS is a distributed database in which each organisation is responsible for maintaining the data for its own domain.
DNS is hierarchical. The root DNS servers sit at the top of the tree: they tell a resolver which servers are responsible for all .com domains, which for all .net domains, and so on. Similar servers exist for each top-level domain (.com, .net, .org). Each top-level domain server in turn delegates authority for individual domains to the name servers run by the organisation that owns the domain, or by its Internet Service Provider (ISP). For instance, yahoo.com runs its own DNS servers, which hold all the records for Yahoo subdomains such as www.yahoo.com or mail.yahoo.com.



Each organisation registers under the top-level domain appropriate to it. For example, MIT is an educational institution, so it uses the .edu extension for its domain (mit.edu). You can find a full list of top-level domains at ICANN.
When a DNS server receives a request from a client on its network for a domain it is not authoritative for, it has two options: (A) check its cache, or (B) perform a hierarchical lookup.
Each DNS server keeps a cache of recently looked-up names. For example, suppose you are on the AOL network and want to reach the root25.com website. You type root25.com into the browser, and your computer asks its local DNS server. That server is run by AOL, so it is not authoritative for root25.com. However, it may recently have asked the same question on behalf of another user who visited the same site, so the first place it looks is its cache (memory). If the answer is not in the cache, it performs a hierarchical lookup.
A hierarchical lookup starts with a root server, which names the servers responsible for ".com". The resolver then contacts one of those .com servers and asks which name server is responsible for root25.com, and finally contacts that name server to obtain the IP address of www.root25.com.
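The cache-then-hierarchy procedure above, written out as an added example (this is not code from the original post). Every server name, zone and address in it is constructed for the demo, so it runs offline; the trace it returns shows which server answered each step, and the second lookup shows the cache hit that spares the whole walk.

```python
# Added example (not code from the original post): a toy caching resolver that
# walks the hierarchy the text describes. Every server name, zone and address
# below is constructed; nothing here touches the network.
from dataclasses import dataclass, field

# What each constructed server would answer. A real resolver learns this by
# sending queries; here it is a lookup table.
ROOT_SERVER = {"com": "a.gtld-servers.example", "net": "b.gtld-servers.example"}
TLD_SERVERS = {
    "a.gtld-servers.example": {"root25.com": "ns1.root25.example"},
    "b.gtld-servers.example": {},
}
AUTHORITATIVE_SERVERS = {
    "ns1.root25.example": {
        "www.root25.com": "198.51.100.25",
        "mail.root25.com": "198.51.100.26",
    },
}


@dataclass
class Resolver:
    """Option (A) cache, then option (B) hierarchical lookup, as in the text."""

    cache: dict = field(default_factory=dict)

    def resolve(self, name):
        """Return (ip, trace); trace lists every step the resolver took."""
        name = name.lower().rstrip(".")
        trace = []
        if name in self.cache:
            trace.append(f"cache hit: {name} -> {self.cache[name]}")
            return self.cache[name], trace
        trace.append(f"cache miss for {name}")

        labels = name.split(".")
        tld = labels[-1]
        zone = ".".join(labels[-2:])

        # Step 1: the root server says which server handles the TLD.
        tld_server = ROOT_SERVER.get(tld)
        if tld_server is None:
            raise LookupError(f"root server knows no server for .{tld}")
        trace.append(f"root -> .{tld} is served by {tld_server}")

        # Step 2: the TLD server says which name server is authoritative for the zone.
        auth_server = TLD_SERVERS[tld_server].get(zone)
        if auth_server is None:
            raise LookupError(f"{tld_server} has no delegation for {zone}")
        trace.append(f"{tld_server} -> {zone} is served by {auth_server}")

        # Step 3: the authoritative server returns the address.
        ip = AUTHORITATIVE_SERVERS[auth_server].get(name)
        if ip is None:
            raise LookupError(f"{auth_server} has no record for {name}")
        trace.append(f"{auth_server} -> {name} is {ip}")

        self.cache[name] = ip   # the next client on this network gets a cache hit
        return ip, trace


if __name__ == "__main__":
    resolver = Resolver()
    for _ in range(2):   # the second run shows the cache hit
        ip, trace = resolver.resolve("www.root25.com")
        print("\n".join(trace), "\n")
```

Real resolvers also honour a time-to-live on each cached record and query the servers over the network, which this table-driven model leaves out; the order of the steps, and the fact that a cached answer short-circuits all of them, is what the example is meant to show.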

Some security threats related to DNS are:

  • DNS cache poisoning (DNS spoofing): the attacker tries to insert false records into a DNS server's cache. For instance, an attacker might plant a forged record for HSBC in AOL's DNS servers in place of the real HSBC records; every user who resolves names through those AOL servers would then land on a fake HSBC website. Such an attack can be used to collect banking credentials, which may later be sold on the black market. One of the challenges in finding cache poisoning is that the attack is limited to one server, which makes it hard to detect: in the example above, AOL's users reach the fake HSBC site while people using other DNS servers around the world still reach the legitimate one.
  • Typosquatting: this attack, also known as URL hijacking, relies on the user mistyping a website's domain name, for instance by typing one character too many or one too few. The attacker registers domain names similar to a well-known domain and waits for users to arrive at his site by mistake. For example, a user who wants twitter.com might type twiter.com, twiiter.com or twiterr.com; if those domains are registered by a malicious third party, the user ends up there, and a page imitating the legitimate website can then be used for phishing to collect the user's information.
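How a false record actually ends up in a cache, and the check a resolver uses to keep it out, as an added example (not code from the original post). All names and addresses are constructed: bank.example stands in for the HSBC of the cache poisoning item above, ns1.attacker.example is a name server the attacker controls, and the "bailiwick" check shown here is a standard resolver defence that the post itself does not mention.

```python
# Added example (not code from the original post): how a forged record gets into
# a resolver cache, and the "bailiwick" check that keeps it out. All names and
# addresses are constructed: bank.example stands in for the HSBC of the text,
# and ns1.attacker.example is a name server the attacker controls.

# A response as the resolver sees it: which server answered, which zone that
# server is authoritative for, and the records it returned. Besides the answer
# itself, real responses carry an "additional" section, and that is where the
# attacker smuggles in a record for a name his server should not speak for.
ATTACKER_RESPONSE = {
    "from": "ns1.attacker.example",
    "zone": "attacker.example",
    "records": [
        ("www.attacker.example", "203.0.113.5"),   # genuine answer to the query
        ("www.bank.example", "203.0.113.66"),      # forged, points at the attacker
    ],
}

# The real record, as held by the bank's own authoritative server (constructed).
BANK_AUTHORITATIVE = {"www.bank.example": "198.51.100.80"}


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies underneath it."""
    name = name.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def cache_response(cache, response, bailiwick_check):
    """Store the records of `response` in `cache`; return the names rejected.

    With bailiwick_check=False the cache trusts every record in the response,
    which is the behaviour the attack relies on. With bailiwick_check=True a
    record is cached only if its name is inside the zone the answering server
    is authoritative for.
    """
    rejected = []
    for name, ip in response["records"]:
        if bailiwick_check and not in_bailiwick(name, response["zone"]):
            rejected.append(name)
            continue
        cache[name] = ip
    return rejected


def lookup(cache, name, authoritative):
    """What a client gets: the cached answer if there is one, else the real one."""
    return cache.get(name, authoritative.get(name))


if __name__ == "__main__":
    naive, strict, other_network = {}, {}, {}
    cache_response(naive, ATTACKER_RESPONSE, bailiwick_check=False)
    rejected = cache_response(strict, ATTACKER_RESPONSE, bailiwick_check=True)
    print("strict cache rejected:", rejected)
    for label, cache in [("naive", naive), ("strict", strict), ("another resolver", other_network)]:
        answer = lookup(cache, "www.bank.example", BANK_AUTHORITATIVE)
        print(f"{label}: www.bank.example -> {answer}")
```

Only clients of the naive resolver are sent to 203.0.113.66, and they keep being sent there until the entry is evicted or expires; the strict resolver and a resolver on any other network still hand out 198.51.100.80, which is exactly why the attack is hard to notice from outside the affected server. The bailiwick check is one layer: resolvers also randomise the transaction ID and source port of their queries so that an attacker cannot easily forge a response that the resolver will accept in the first place.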
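The defensive side of typosquatting, as an added example (not code from the original post): enumerate the names one keystroke away from your own domain so you can register them first or watch who does, and score any suspect domain by how far it is from the real one. The twitter.com variants are the ones the item above uses; the list of "registered" domains fed to the scorer is constructed for the demo. Note that twiterr.com is two mistakes away from twitter.com, which is why the scorer, not only the generator, is needed.

```python
# Added example (not code from the original post): typo variants of a domain and
# an edit-distance scorer for spotting lookalike registrations.
import string


def typo_variants(domain):
    """Domains one typing mistake away from `domain` (same TLD).

    Covers a missing character (twiter), a doubled character (twittter),
    two adjacent characters swapped (twtiter) and one wrong character
    (twiiter). Only the part left of the TLD is mutated.
    """
    label, _, tld = domain.lower().rpartition(".")
    if not label:
        raise ValueError("expected a name of the form label.tld")
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])            # omission
        variants.add(label[:i] + ch + label[i:])            # doubling
        if i + 1 < len(label):                              # transposition
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for c in string.ascii_lowercase:                    # substitution
            if c != ch:
                variants.add(label[:i] + c + label[i + 1:])
    variants.discard(label)
    return {v + "." + tld for v in variants if v}


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance between a and b.

    Insertions, deletions, substitutions and adjacent transpositions each
    cost 1, so a single typing mistake is distance 1.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def flag_lookalikes(registered, target, max_distance=2):
    """Return (domain, distance) for registered domains close to `target`,
    nearest first. `registered` would come from a zone file or WHOIS feed."""
    target = target.lower()
    hits = []
    for name in registered:
        name = name.lower()
        if name == target:
            continue
        dist = edit_distance(name, target)
        if dist <= max_distance:
            hits.append((name, dist))
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    print(len(typo_variants("twitter.com")), "single-mistake variants of twitter.com")
    # Constructed list standing in for a feed of newly registered domains.
    seen = ["twiter.com", "twiterr.com", "tweeter.com", "example.com", "twitter.com"]
    for name, dist in flag_lookalikes(seen, "twitter.com"):
        print(f"{name}: {dist} edit(s) from twitter.com")
```

A brand owner typically registers the closest variants outright and feeds the rest into monitoring; anything that turns up registered and also serves a login page is a phishing site in the making.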