DNS

Revision as of 19:10, 25 August 2016 by Amanjosan2008


DNS

Why do we need DNS?[1]
  • People prefer to use names instead of numeric addresses.
  • So a system is needed that can map a name to an address, or an address back to a name.
  • When the Internet was small, hostname-to-IP mapping was done with a hosts file that every machine downloaded and updated periodically.
  • Today it is impossible for every host to store and update the whole mapping; pushing one file to everyone would create a huge amount of traffic, so the mapping is distributed across many servers and looked up on demand.
Packet Capture

DNS Packet Capture - TXT, MX, LOC, PTR, A, AAAA, Any, NS, SRV queries

Which protocol does DNS use?
UDP/53: for ordinary queries (nslookup, a client's resolver lookups, etc.); one request and one reply each fit in a single datagram.
TCP/53: for server-to-server communication such as zone transfers, because copying a whole zone needs a reliable stream. TCP is also used for ordinary queries whenever the reply does not fit in a UDP datagram: the server sets the TC (truncated) bit and the client repeats the query over TCP, so TCP/53 must not be blocked on the assumption that it is "only for zone transfers".
When will a firewall close a session opened for DNS?
  • Idle UDP sessions are aged out after roughly 1 minute (the exact default is vendor-specific).
  • DNS queries are many and short-lived, so within that minute they can fill the session table up to its limit.
  • Therefore a DNS ALG is used to close the DNS session as soon as the matching reply is seen, instead of waiting for the idle timer.
  • If the DNS ALG is disabled, the session table may fill in a short time.

Zone

Source: [think-like-a-computer.com]

  • A DNS zone is any distinct, contiguous portion of the domain name space for which administrative responsibility has been delegated to a single manager.
  • The domain name space of the Internet is organized as a hierarchy of subdomains below the DNS root domain.
  • Do not equate a zone with a domain.
  • A DNS zone can contain several domains or just one; the important point is that the zone is the unit for delegating control of portions of the namespace.
  • Several zones can be hosted on the same server.
  • Think of a zone as a database, or a part of one.
Example

  • Suppose a company is huge and has offices all over the world.
  • You create a subdomain for each country on the same DNS server.
  • Now you further split each country into cities.
  • Imagine how many subdomains, A records and so on must be stored on this one server.
  • This DNS server would contain every record of the whole worldwide organisation, which would most likely overload the server.
  • All these domains are stored in one zone on one server.
  • The problem is that it is too much for one server and too much for one admin team to manage this entire "zone".
Delegating DNS Zones
  • Now we create a new zone on each country's DNS server.
  • The parent zone on the main (company) DNS server is configured, with NS records for the country subdomain, to send all queries for that subdomain to the country server.

The key differences here are:

  • The main DNS server does not contain any records at all for the country or city subdomains.
  • It only contains a pointer (the NS delegation, plus glue A records for the child's name servers) to redirect queries there.
  • This means the entire DNS namespace can be split across an organisation.
  • Splitting the namespace like this removes unnecessary bandwidth and queries.
  • If the whole namespace lived in the US, the UK would have to query the US servers even for UK names.
  • Moving the UK subdomain into a zone on a UK server keeps those queries local.
  • Once a zone is created you can set permissions on it and delegate control of it to different staff.
  • If we wanted 3 domains to be administered by 3 different teams, they would need to be in 3 different zones.


Zone Transfer

  • DNS zone transfer (also called AXFR) is a mechanism to replicate DNS databases across a set of DNS servers.
  • Zone transfers may be performed using two methods: full (AXFR) and incremental (IXFR, which sends only the changes since a given SOA serial number).
  • A zone transfer uses the Transmission Control Protocol (TCP) for transport and takes the form of a client–server transaction.
  • The client requesting a zone transfer is a slave (secondary) server, requesting data from the master (primary) server.
  • The portion of the database that is replicated is a zone.
  • Because a transfer hands over every record in the zone, the master should allow AXFR/IXFR only from its known secondaries (by address and, preferably, a TSIG key); an unrestricted zone transfer gives anyone a complete map of the zone's hosts.


Query Types[2]

The DNS client tells the DNS server whether it wants a recursive or an iterative answer by setting (or clearing) the RD (recursion desired) flag in the query header.

Recursive query:

  • The resolver expects the server to supply the final answer.
  • The server replies with an address (or the requested records) or with an error message.
  • The server does not refer the client to a different DNS server; it chases any referrals itself.
  • Generally made by a DNS client (stub resolver) to its DNS server, or by a server that is configured to pass unresolved name queries to another DNS server, i.e. one configured to use a forwarder.

Iterative query:

  • Returns the best answer the server can give from its cache or zone data.
  • If it does not have an exact match, it returns a referral: the NS records of another DNS server that is closer to the answer.
  • The client can then query the DNS server it was referred to.
  • It continues until it reaches a DNS server authoritative for the query, or until an error or time-out condition.
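
The delegation described under "Delegating DNS Zones" and the recursive/iterative distinction above, as one added example (not code from the original page): a toy tree of authoritative zones and a resolver that walks it. All zone contents, server names and addresses are constructed for illustration, and the "servers" are just dictionaries, so nothing touches the network.

```python
# Constructed zone data (not a real configuration). The parent zone
# example.com. holds ONLY the NS delegation for uk.example.com. plus the glue
# A record of the child's name server; the UK office's records live in their
# own zone, which in the page's scenario would sit on the UK server.
ZONES = {
    ".": {"com.": [("NS", "a.gtld.example.")],
          "a.gtld.example.": [("A", "192.0.2.1")]},
    "com.": {"example.com.": [("NS", "ns1.example.com.")],
             "ns1.example.com.": [("A", "192.0.2.10")]},
    "example.com.": {"www.example.com.": [("A", "192.0.2.80")],
                     "uk.example.com.": [("NS", "ns1.uk.example.com.")],   # delegation
                     "ns1.uk.example.com.": [("A", "198.51.100.53")]},    # glue
    "uk.example.com.": {"mail.uk.example.com.": [("A", "198.51.100.25")]},
}


def delegation_for(zone, qname):
    """Longest delegated subzone (a non-apex name with NS records) that covers qname."""
    best = None
    for name, rrs in ZONES[zone].items():
        covers = qname == name or qname.endswith("." + name)
        if name != zone and covers and any(t == "NS" for t, _ in rrs):
            if best is None or len(name) > len(best):
                best = name
    return best


def iterative_query(zone, qname, qtype):
    """One iterative query to the server for `zone`: the best it can do from its
    own data. Returns (status, payload, glue): status is 'answer', 'referral'
    or 'nxdomain'; payload is the rdata list or, for a referral, the child zone."""
    child = delegation_for(zone, qname)
    if child is not None:
        ns_names = [r for t, r in ZONES[zone][child] if t == "NS"]
        glue = {n: [r for t, r in ZONES[zone].get(n, []) if t == "A"] for n in ns_names}
        return "referral", child, glue
    rrs = ZONES[zone].get(qname)
    if rrs is None:
        return "nxdomain", None, None
    return "answer", [r for t, r in rrs if t == qtype], None


def resolve(qname, qtype, max_hops=8):
    """What a recursive resolver does for a client that set RD=1: start at the
    root and follow referrals until an answer or an error.
    Returns (status, rdatas, zones_asked)."""
    zone, asked = ".", []
    for _ in range(max_hops):
        asked.append(zone)
        status, payload, _glue = iterative_query(zone, qname, qtype)
        if status != "referral":
            return status, payload, asked
        zone = payload                      # the referral names the next server to ask
    return "servfail", None, asked


def handle_query(zone, qname, qtype, rd):
    """Server side of the RD flag: recurse on the client's behalf, or hand back
    this zone's own best data (possibly a referral) and let the client continue."""
    if rd:
        return resolve(qname, qtype)
    status, payload, _glue = iterative_query(zone, qname, qtype)
    return status, payload, [zone]
```

Asking the example.com. server for mail.uk.example.com. with RD=0 gets a referral to uk.example.com. (with glue), which is exactly the "pointer" the page describes; the same question with RD=1 walks root, com., example.com. and uk.example.com. and returns the address.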

Reverse DNS query

  • rDNS is the determination of the domain name associated with an IP address.
  • It uses the pointer DNS record type (PTR record).
  • IPv4 addresses use a reverse entry in the special domain in-addr.arpa (IPv6 addresses use nibble-reversed entries under ip6.arpa).
  • If an address (A) record for mail.example.com points to the IP address 192.0.2.5,
  • then in the reverse database this IP address is stored as the domain name 5.2.0.192.in-addr.arpa, with a PTR record pointing back to the host name mail.example.com.
Uses
  • Original uses of rDNS: network troubleshooting via tools such as traceroute, ping, and the "Received:" trace header field for SMTP e-mail; web sites tracking users (especially on Internet forums), etc.
  • One e-mail anti-spam technique: checking the domain names in the rDNS to see if they are likely to belong to dialup users, dynamically assigned addresses, or other inexpensive Internet services.
  • System logging or monitoring tools often record entries by IP address; rDNS turns them into more human-usable names.
  • The PTR record is controlled by whoever holds the address block, so a reverse name alone proves nothing: before trusting it, check that the name resolves forward to the same address (forward-confirmed rDNS).



DNS Doctoring[3]

  • DNS doctoring enables an internal host on a LAN to receive the private IP of an internal server as the answer to a DNS query, even though the DNS server it uses is outside the LAN, such as on the Internet.
  • A static NAT translation must also exist that maps the public IP to the private IP.
  • Without DNS doctoring, the external DNS server replies with the public IP address of the host on the internal LAN.
  • The problem occurs when the client and the host it tries to reach are both on the same (or a different) private network behind NAT, but the DNS server used by the client is on a public network.
  • Without DNS doctoring or another solution, when the client sends a DNS request for the IP address of the Web server, it is unable to access that server.
  • This is because the client receives an A record that contains the mapped public address of the Web server.
  • When the client then tries to reach that public address, the security appliance drops the packets because it does not allow traffic to be redirected back out the same interface it arrived on.
  • Configure the static NAT translation first; with the DNS ALG enabled, the appliance then rewrites the A records in DNS replies, public-to-private and private-to-public, according to those static translations.


DNS Record Types

A	Address record	Returns a 32-bit IPv4 address.
AAAA	IPv6 address record	Returns a 128-bit IPv6 address.
CNAME	Canonical name record	Alias of one name to another; the DNS lookup continues by retrying the lookup with the new name.
LOC	Location record	Specifies a geographical location associated with a domain name.
MX	Mail exchange record	Maps a domain name to a list of message transfer agents for that domain.
NS	Name server record	Delegates a DNS zone to the given authoritative name servers.
PTR	Pointer record	Pointer to a canonical name. Unlike a CNAME, DNS processing stops and just the name is returned. The most common use is implementing reverse DNS lookups.
SOA	Start of [a zone of] authority record	Specifies authoritative information about a DNS zone, including the primary name server, the e-mail of the domain administrator, the zone serial number, etc.
SRV	Service locator	Generalized service location record, used for newer protocols instead of creating protocol-specific records such as MX.
TXT	Text record	Originally for arbitrary human-readable text in a DNS record. Now more often carries machine-readable data: opportunistic encryption, Sender Policy Framework (SPF), DKIM keys, domain-ownership proofs, etc.
* (ANY)	All cached records	Returns all cached records of all types known to the name server. If the name server does not have any information on the name, the request will be forwarded on.
AXFR	Authoritative zone transfer	Transfers the entire zone from the master name server to a secondary name server.
IXFR	Incremental zone transfer	Requests a zone transfer of the given zone, but only the differences from a previous serial number.
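
The record types in this table, the UDP/TCP choice (TC bit) from "Which protocol does DNS use?", the reverse-name construction from "Reverse DNS query" and the A-record rewriting from "DNS Doctoring", as one added example that is not from the original page or from any vendor's implementation: it builds a query on the wire, parses a reply down to the record level, decides whether to retry over TCP, and rewrites A rdata the way a NAT DNS ALG would. The reply bytes and the NAT mapping are constructed by hand (203.0.113.10 -> 10.1.1.10 is an assumed static translation), and only the record types needed for that reply are decoded.

```python
import ipaddress
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16,
         "AAAA": 28, "SRV": 33, "IXFR": 251, "AXFR": 252, "ANY": 255}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00' (uncompressed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, rd=True):
    """Header + one question. RD=1 asks the server to recurse on our behalf."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    for _ in range(128):                              # bound: no endless pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # 2-byte compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_message(msg):
    """Parse the header flags and every resource record after the question."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip question(s): name + type/class
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_off, rdata = off, msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            value = socket.inet_ntoa(rdata)
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype in (2, 5, 12):                     # NS, CNAME, PTR carry a name
            value = decode_name(msg, rdata_off)[0]
        elif rtype == 15:                             # MX: preference + name
            value = (struct.unpack("!H", rdata[:2])[0], decode_name(msg, rdata_off + 2)[0])
        elif rtype == 16:                             # TXT: length-prefixed string
            value = rdata[1:1 + rdata[0]].decode("ascii")
        else:
            value = rdata
        records.append({"name": name, "type": TYPE_NAME.get(rtype, rtype), "ttl": ttl,
                        "value": value, "rdata_off": rdata_off})
    return {"id": txid, "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "records": records}


def needs_tcp(reply):
    """TC=1 means the UDP answer was cut at the size limit: re-ask over TCP."""
    return reply["tc"]


def tcp_frame(query):
    """Over TCP each DNS message is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(query)) + query


def reverse_name(ip):
    """192.0.2.5 -> 5.2.0.192.in-addr.arpa. ; IPv6 -> reversed nibbles under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def doctor(reply_bytes, nat_map):
    """What a NAT DNS ALG does: rewrite A-record rdata public -> private in place.
    A rdata is always 4 bytes, so nothing else in the packet shifts."""
    out = bytearray(reply_bytes)
    for rr in parse_message(reply_bytes)["records"]:
        if rr["type"] == "A" and rr["value"] in nat_map:
            out[rr["rdata_off"]:rr["rdata_off"] + 4] = socket.inet_aton(nat_map[rr["value"]])
    return bytes(out)


# Constructed reply (not a capture) to 'www.example.com A': one A, one MX and
# one TXT answer; 0xC00C / 0xC010 are compression pointers into the question.
SAMPLE_REPLY = (
    bytes.fromhex("1234 8180 0001 0003 0000 0000")                        # QR|RD|RA, 1 q, 3 ans
    + encode_name("www.example.com") + bytes.fromhex("0001 0001")         # question: A IN
    + bytes.fromhex("C00C 0001 0001 0000012C 0004 CB00710A")              # www A 203.0.113.10
    + bytes.fromhex("C010 000F 0001 0000012C 0009 000A 046D61696C C010")  # example.com MX 10 mail
    + bytes.fromhex("C00C 0010 0001 0000012C 000C 0B") + b"v=spf1 -all"   # www TXT
)
```

Only A rdata is rewritten, and the packet length does not change because A rdata is always 4 bytes; a real ALG also recomputes the UDP checksum, keeps a TCP stream consistent, and cannot doctor a DNSSEC-signed answer without breaking validation.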


DHCP

What are the ports used in DHCP?[4]
Client-------------------Server
 68  ------------------>  67
          Request
 68  <-----------------   67
           Reply

All are UDP ports

What packets are exchanged in DHCP?[5] Which packets are unicast or broadcast in DHCP?[4]
  • Usually 4 messages are involved (DORA):
D = Discover     =  Broadcast
O = Offer        =  May be broadcast or unicast depending upon implementation
R = Request      =  Broadcast
A = Acknowledge  =  May be broadcast or unicast depending upon implementation
  • A DHCP server listens on UDP port 67 and the client uses source port UDP 68.
  • The message from the client is encapsulated in a UDP datagram with destination port 67 and source port 68.
  • This UDP datagram is encapsulated in an IP datagram.
  • The question is how a client can send an IP datagram when it knows neither its own IP address nor the server's IP address (the destination address).
  • The client uses all 0s (0.0.0.0) as the source address and all 1s (255.255.255.255) as the destination address.
  • The server responds with either a broadcast or a unicast message, using UDP source port 67 and destination port 68.
  • The response can be unicast because the server knows the IP address it is about to give the client.
  • It also knows the physical (MAC) address of the client from the chaddr field of the request, so it does not need ARP for logical-to-physical address mapping.
  • However, some systems do not allow ARP to be bypassed (the client's stack cannot yet accept a unicast for an address it does not own), so the client sets the broadcast flag and the server replies to the broadcast address.


DHCP Relay Agent

PC-----Switch-------------Router------DHCP Server
          |
          |
     Relay Agent
|-------->|----------------->|------------->|
 Broadcast      Unicast          Unicast
  • The DHCP request is broadcast because the client does not know the IP address of the server.
  • A broadcast IP datagram cannot pass through any router.
  • To solve the problem, an intermediary is needed.
  • One of the hosts (or a router) can be used as a relay agent.
  • The relay agent knows the unicast address of a DHCP server and listens for broadcast messages on port 67.
  • It places its own address in the giaddr (gateway address) field, encapsulates the message in a unicast datagram and sends the request to the DHCP server.
  • The packet is routed by any router and reaches the DHCP server.
  • The DHCP server knows the message came from a relay agent because the giaddr field of the request carries the IP address of the relay agent; it uses that address to pick the right subnet and sends the reply back to the relay.
  • The relay agent, after receiving the reply, forwards it to the DHCP client.
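
The DORA exchange, the port numbers and the relay agent described above, as one added example that is not from the original page: it builds a DISCOVER as the client would, passes it through a relay agent that fills in giaddr, and applies the rules a server uses to choose whether its OFFER goes to the relay, to the client by unicast or to the broadcast address. MAC and IP addresses are constructed, and the datagrams are returned as (source, destination, bytes) records rather than sent.

```python
import socket
import struct

CLIENT_PORT, SERVER_PORT = 68, 67
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5               # option 53 message types
BROADCAST_FLAG = 0x8000                                  # "I cannot receive unicast yet"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"                       # 236-byte fixed BOOTP header


def build_dhcp(op, xid, chaddr, msg_type, ciaddr="0.0.0.0", yiaddr="0.0.0.0",
               giaddr="0.0.0.0", hops=0, flags=0, extra_options=b""):
    """Fixed header, magic cookie, then TLV options (53 = message type, 255 = end)."""
    fixed = struct.pack(HDR, op, 1, 6, hops, xid, 0, flags,
                        socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                        socket.inet_aton("0.0.0.0"), socket.inet_aton(giaddr),
                        chaddr.ljust(16, b"\x00"), b"", b"")
    return fixed + MAGIC_COOKIE + bytes([53, 1, msg_type]) + extra_options + b"\xff"


def parse_dhcp(pkt):
    """Unpack the fixed header and walk the options up to END (255)."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                                  # PAD has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
            "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
            "giaddr": socket.inet_ntoa(f[10]), "chaddr": f[11][:f[2]],
            "type": opts.get(53, b"\x00")[0], "options": opts}


def client_discover(mac, xid=0x3903F326, broadcast=False):
    """No address yet, so the datagram goes 0.0.0.0:68 -> 255.255.255.255:67."""
    pkt = build_dhcp(1, xid, mac, DISCOVER, flags=BROADCAST_FLAG if broadcast else 0)
    return {"src": ("0.0.0.0", CLIENT_PORT), "dst": ("255.255.255.255", SERVER_PORT), "data": pkt}


def relay(datagram, relay_ip, server_ip):
    """Relay agent: heard the broadcast on UDP 67, writes its own address into
    giaddr (first hop only), bumps hops, and forwards unicast to the server."""
    pkt = bytearray(datagram["data"])
    if pkt[24:28] == b"\x00\x00\x00\x00":                # giaddr sits at offset 24
        pkt[24:28] = socket.inet_aton(relay_ip)
    pkt[3] += 1                                          # hops
    return {"src": (relay_ip, SERVER_PORT), "dst": (server_ip, SERVER_PORT), "data": bytes(pkt)}


def server_reply(datagram, server_ip, offered_ip, msg_type=OFFER):
    """Build the OFFER/ACK and pick its destination per RFC 2131 section 4.1:
    giaddr:67 when relayed; ciaddr:68 if the client already has an address;
    broadcast if the client asked for it; otherwise unicast to the new address,
    using chaddr as the MAC because the client cannot answer ARP for it yet."""
    req = parse_dhcp(datagram["data"])
    pkt = build_dhcp(2, req["xid"], req["chaddr"], msg_type, ciaddr=req["ciaddr"],
                     yiaddr=offered_ip, giaddr=req["giaddr"], flags=req["flags"],
                     extra_options=bytes([54, 4]) + socket.inet_aton(server_ip))
    if req["giaddr"] != "0.0.0.0":
        dst = (req["giaddr"], SERVER_PORT)
    elif req["ciaddr"] != "0.0.0.0":
        dst = (req["ciaddr"], CLIENT_PORT)
    elif req["flags"] & BROADCAST_FLAG:
        dst = ("255.255.255.255", CLIENT_PORT)
    else:
        dst = (offered_ip, CLIENT_PORT)
    return {"src": (server_ip, SERVER_PORT), "dst": dst, "data": pkt}
```

The relayed path keeps the client's xid end to end, which is how the client matches the OFFER that comes back through the relay; a server that ignores giaddr and picks a subnet from the source address would hand out the relay's subnet instead of the client's.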


References
  1. www.zscaler.com
  2. www.mphasis.com
  3. www.juniper.net
  4. www.bt.com/in
  5. www.convergys.com

