Domain Name Systems Security

Topics: DNS Lookup · Caching · Poisoning · Kaminsky · DNSSEC · Rebinding
01 //

DNS Basics

DNS is a hierarchical database mapping domain names to IP addresses. Domain name = name in DNS format (e.g. www.cc.gatech.edu). Zone = set of names under same authority (e.g. .com). Delegation = transfer of authority for a subdomain.

Hierarchical Name Space

root → org/net/edu/com → wisc/ucb/gatech/mit → cs/ee → www. There are 13 DNS root name servers.

Record Types

Type   Purpose
A      Address record (IP address)
NS     Name server (points to other server)
MX     Mail exchanger (handles email)
TXT    Generic text (e.g. DKIM public keys)
02 //

DNS Lookup & Caching

Lookup is iterative or recursive. Client asks local resolver; resolver queries root → TLD → authoritative server. Each step returns delegation (NS + glue records) until the final authoritative answer.

Lookup Example: www.cc.gatech.edu (diagram): Client → Local Resolver → root & edu → gatech.edu → cc.gatech.edu

Caching
  • Records cached for reuse; TTL (time to live) controls how long
  • NS records for domains also cached
  • Negative queries (NXDOMAIN) cached - saves time for nonexistent/misspelled sites
  • TTL passed with every record; lifetime controlled by data owner
03 //

DNS Packet

DNS uses UDP (port 53). Packets include IP header, UDP header, and DNS data. Query ID (16-bit, sometimes called transaction ID) links response to query.

Key Fields
  • QueryID (QID) - 16-bit value; pairs response with query
  • QR - 0 = query, 1 = response
  • RD - Recursion Desired
  • AA - Authoritative Answer (1 = final authoritative response)
  • RA - Recursion Available
  • Glue records - authority section includes IP of next NS server
Bailiwick Checking

Records in a response are cached only if they lie within the zone (bailiwick) of the server that was queried; a server for a.com cannot set NS records for b.com.
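To make the header fields and the bailiwick rule concrete, here is an added example (not code from the lecture) that decodes the fixed 12-byte DNS header, pairs a reply with its query by QID, and filters a referral down to the records inside the queried zone; the headers, names and addresses are constructed for illustration.

```python
import struct

# Constructed 12-byte headers, not captured packets. Flags word layout:
# QR(1) Opcode(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4).
QUERY_HDR = struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0)     # RD=1
RESPONSE_HDR = struct.pack("!HHHHHH", 0x1A2B, 0x8580, 1, 1, 0, 0)  # QR=1 AA=1 RD=1 RA=1

def parse_header(msg):
    """Decode the fixed DNS header into the fields named in the slide."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "qid": qid,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def response_matches(query_hdr, response_hdr):
    """Pair a reply with its query: same QID, and the reply must really be a response (QR=1)."""
    q, r = parse_header(query_hdr), parse_header(response_hdr)
    return q["qr"] == 0 and r["qr"] == 1 and q["qid"] == r["qid"]

def in_bailiwick(zone, name):
    """True when name is the zone itself or lies beneath it; the root ('' or '.') covers everything."""
    z, n = zone.rstrip(".").lower(), name.rstrip(".").lower()
    return z == "" or n == z or n.endswith("." + z)

def cacheable_records(zone, records):
    """Bailiwick check: keep only records whose owner name lies inside the zone the server is authoritative for."""
    return [rr for rr in records if in_bailiwick(zone, rr[0])]

# Constructed referral from a server authoritative for a.com; the b.com NS record is out of bailiwick.
REFERRAL = [("www.a.com", "A", "192.0.2.10"),
            ("a.com", "NS", "ns1.a.com"),
            ("b.com", "NS", "ns1.a.com")]
```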

04 //

Basic DNS Vulnerabilities

Users and hosts trust the host–address mapping from DNS. It underpins same-origin policy, URLs, and many security decisions. Interception or compromise of DNS servers yields incorrect or malicious responses.

Problems
  • Malicious access point (e.g. café WiFi) can intercept or spoof DNS
  • Compromised DNS server returns attacker-controlled IPs
  • No authentication of requests or responses in basic DNS
Solution

DNSSEC provides authenticated requests/responses - but few use it yet.

05 //

Cache Poisoning

Goal: give DNS servers false records and get them cached. A resolver's cache can be poisoned when it: (1) uses predictable Query IDs, (2) accepts unsolicited DNS records, or (3) fails to check identifiers.

Traditional Poisoning

Single Record

Attacker guesses the Query ID and sends a forged response before the legitimate one arrives. If the guess is wrong, the legitimate answer is cached and the attacker must wait for its TTL to expire before retrying, which limits the attack rate.

Kaminsky's Poisoning Attack (2008)

Key Insight

Ask for random non-existent subdomain: $RAND.www.google.com. Each query is unique → no TTL wait. Attacker floods with forged responses (e.g. "Ask www.google.com = 6.6.6.6") until Query ID is guessed. Can succeed in ~10 seconds.

Attack Flow (diagram): Attacker → $RAND.www.google.com query → Local Resolver → ns1.google.com

Attacker floods resolver with forged responses; no wait between attempts.

Defenses

Randomize Source Port

Add ~11 bits; attack takes hours instead of seconds. DNS system load can be a concern.

Increase Query ID Size

Larger ID space makes guessing harder.

Query Twice

Attacker must guess Query ID correctly twice (32 bits combined).

DNSSEC

Cryptographic signing of responses - fundamental fix. Deployment still limited.
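A resolver-side model of these defenses, added here as an example rather than taken from the lecture: a reply is accepted only when QID and destination port match the outstanding query, the query-twice variant needs two independent matches that agree, and spoof_work_factor / expected_seconds turn the bit counts above into the expected forged-packet count and time. FORGED_PPS is a constructed rate chosen so that 16 hidden bits cost roughly the lecture's 10 seconds.

```python
import secrets
from dataclasses import dataclass

@dataclass
class PendingQuery:
    """An outstanding resolver query and the two values a forged reply must reproduce."""
    qname: str
    qid: int
    src_port: int

def new_query(qname, randomize_port=True):
    """Issue a query with a random 16-bit QID and, optionally, a random ephemeral source port."""
    qid = secrets.randbelow(1 << 16)
    port = 1024 + secrets.randbelow(65536 - 1024) if randomize_port else 53
    return PendingQuery(qname, qid, port)

def accept_response(pending, resp_qid, resp_dst_port, answer):
    """Return the answer to cache, or None if QID or port do not match the outstanding query."""
    if resp_qid != pending.qid or resp_dst_port != pending.src_port:
        return None
    return answer

def accept_query_twice(p1, reply1, p2, reply2):
    """Query-twice defense: two independent queries must both be answered and must agree."""
    a1, a2 = accept_response(p1, *reply1), accept_response(p2, *reply2)
    return a1 if a1 is not None and a1 == a2 else None

def spoof_work_factor(qid_bits=16, port_bits=0, query_twice=False):
    """Expected forged packets per successful guess: one per value of the hidden bits."""
    bits = (qid_bits + port_bits) * (2 if query_twice else 1)
    return 1 << bits

def expected_seconds(work_factor, forged_pps):
    """Time to exhaust the hidden bits at a given forged-packet rate."""
    return work_factor / forged_pps

# Constructed rate: 6554 forged packets/s makes 16 hidden bits cost ~10 s, as in the lecture.
FORGED_PPS = 6554
```

With the same rate, 16 QID bits plus ~11 source-port bits come out at roughly 5.7 hours, matching the "hours instead of seconds" claim above.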

06 //

DNSSEC

DNSSEC provides: authenticity of answer origin, integrity of reply, and authenticity of denial of existence. Accomplished by signing DNS replies at each step using public-key cryptography. Trust anchors in the OS bootstrap the process.

DNS Signing Example: wikipedia.org
  1. Resolver requests "wikipedia.org" from root
  2. Root returns IP of .org, public key of .org, signature of "." (IP, PK)
  3. Resolver requests wikipedia.org from .org
  4. .org returns IP of wikipedia.org, signature of .org (IP)

Each step is signed; chain of trust from root to leaf.

Limitation

DNSSEC cannot stop the DNS Rebinding attack - the response is authentic; the attack abuses same-origin policy.

07 //

DNS Rebinding Attack

Attacker registers a domain (e.g. evil.com) and delegates it to a name server under their control. The page first loads from the attacker's external IP; a short TTL ensures the record expires quickly. On the next lookup, the attacker rebinds the hostname to an internal IP (e.g. 192.168.0.100). The browser treats it as the same origin, so the malicious script can read internal content.

Attack Flow
  1. User loads www.evil.com (iframe/ad). DNS returns 171.64.7.115 (attacker), TTL=0
  2. Malicious JavaScript runs; TTL expires. JS queries evil.com again
  3. Attacker's DNS now returns 192.168.0.100 (internal corporate server)
  4. Same origin: evil.com = evil.com. Script reads internal docs, exfiltrates to attacker
Why Short TTL?

Short TTL means the record expires quickly - not that it is "quickly cached." Attacker needs the first response cached briefly, then rebinds before next lookup.

Defenses

DNS Pinning (Browser)

Refuse to switch to a new IP for a domain. Interacts poorly with proxies, VPNs, dynamic DNS. Not consistently implemented in browsers.

Server-Side

Reject requests whose Host header names a domain the server does not serve. Authenticate users with something other than their IP address.

Firewall

Block external domain names from resolving to internal addresses. Protects browsers inside the organization.
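The three defenses and the attack flow above, modelled as an added example (not the lecture's code): make_rebinding_upstream is a constructed attacker-side lookup that answers 171.64.7.115 first and 192.168.0.100 afterwards, FilteringResolver is the firewall rule, PinningClient is browser-side pinning and host_header_allowed is the server-side Host check; corp.example is an assumed internal zone.

```python
import ipaddress

# Constructed values following the lecture's attack flow (not captured traffic):
# the attacker's external host answers first, the internal target after the rebind.
ATTACKER_EXTERNAL = "171.64.7.115"
INTERNAL_TARGET = "192.168.0.100"

def make_rebinding_upstream():
    """Hypothetical attacker-controlled authoritative lookup: external IP on the first query, internal after."""
    calls = {"n": 0}
    def lookup(name):
        calls["n"] += 1
        return [ATTACKER_EXTERNAL] if calls["n"] == 1 else [INTERNAL_TARGET]
    return lookup

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local

class FilteringResolver:
    """Firewall defense: names outside the organisation's own zones never resolve to internal addresses."""
    def __init__(self, internal_zones, upstream):
        self.internal_zones = [z.lower().rstrip(".") for z in internal_zones]
        self.upstream = upstream
    def owns(self, name):
        n = name.lower().rstrip(".")
        return any(n == z or n.endswith("." + z) for z in self.internal_zones)
    def resolve(self, name):
        answers = self.upstream(name)
        return answers if self.owns(name) else [ip for ip in answers if not is_internal(ip)]

class PinningClient:
    """Browser-side DNS pinning: the first address seen for a host is kept for the whole session."""
    def __init__(self, resolve):
        self.resolve, self.pins = resolve, {}
    def address_for(self, host):
        if host not in self.pins:
            answers = self.resolve(host)
            self.pins[host] = answers[0] if answers else None
        return self.pins[host]

def host_header_allowed(host_header, served_names):
    """Server-side defense: reject requests whose Host header is not a name this server serves."""
    host = host_header.split(":", 1)[0].lower().rstrip(".")
    return host in {n.lower().rstrip(".") for n in served_names}
```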

08 //

Summary

DNS Security Takeaways
  • DNS - hierarchical, cached, unauthenticated; trust is implicit
  • Cache poisoning - predictable Query ID + unsolicited responses; Kaminsky eliminates TTL wait
  • Defenses - randomize port, increase ID size, query twice; DNSSEC for authenticity
  • DNS rebinding - short TTL + rebind to internal IP; exploits same-origin; DNSSEC doesn't help

Further Reading

Step-by-step explanation of traditional vs. Kaminsky poisoning; DNS packet structure; mitigation techniques.