Nowadays, attackers are definitely interested in finding out what sites you are visiting. With that information, they can set up attacks like the following:
One of the most widely used techniques is DNS cache snooping, where the attacker asks the organization's DNS server which names have already been resolved for internal users, which reveals what sites have been visited. A normal DNS query has the following information:
What do those fields mean? Let's check each of them:
The answer of the last query is shown in the following figure:
The response code table for the DNS protocol is the following:
When an attacker performs the DNS cache snooping attack, he queries for specific domains without the RD (recursion desired) bit set. If the DNS server answers the query, then somebody on the inside has already requested that site and so it is cached in the server. Let's see a DNS cache snooping query, which is a packet without the RD bit set:
How can we send several packets to test various domains? We can use an nmap script that performs the query for 100 preconfigured domains:
Let's check the nmap options used in the last figure:
The following figure shows a DNS server with many cached records:
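To make the header fields and the RD bit concrete, here is an added example (not part of the original diary, and not the nmap script it mentions) that builds the two kinds of query discussed above, decodes the header flags and response code, and applies the check a defender would run over captured traffic: a standard query with RD cleared is the fingerprint of a snooping probe, and a NOERROR answer with records to such a probe means the name was served from cache. All packets are constructed inline; the response sample carries only a header and question, since only the header is inspected.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1 (the response code table the diary refers to).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(qname):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, qname, recursion_desired=True):
    """Build a standard A/IN query. A cache-snooping probe is the same packet with RD cleared."""
    flags = 0x0100 if recursion_desired else 0x0000          # QR=0, OPCODE=0, RD is bit 8
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, other counts 0
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(pkt):
    """Decode the 12-byte DNS header into its individual flag and count fields."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0xF
    return {
        "id": txid,
        "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "rcode": rcode, "rcode_name": RCODES.get(rcode, "UNKNOWN"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def is_snooping_probe(pkt):
    """A standard query (QR=0, OPCODE=0) with RD=0 is what a cache-snooping probe looks like."""
    h = parse_header(pkt)
    return h["qr"] == 0 and h["opcode"] == 0 and h["rd"] == 0

def answered_from_cache(response):
    """For a non-recursive probe, a NOERROR answer carrying records means the name was cached."""
    h = parse_header(response)
    return h["qr"] == 1 and h["rcode"] == 0 and h["ancount"] > 0

# Constructed samples, not captured traffic: a normal query, a probe, and the header a
# resolver returns for a cached name (QR=1, RD=0, RA=1, RCODE=0, ANCOUNT=1; flags 0x8080).
NORMAL_QUERY = build_query(0x1234, "example.com")
PROBE_QUERY = build_query(0x1234, "example.com", recursion_desired=False)
CACHED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0) + encode_name("example.com")

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL_QUERY), ("probe", PROBE_QUERY)):
        print(label, parse_header(pkt), "-> snooping probe" if is_snooping_probe(pkt) else "-> ordinary")
    print("probe answered from cache:", answered_from_cache(CACHED_RESPONSE))
```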
How can you avoid this attack? In BIND 9, there is a new feature called views, which lets you restrict what the server does for different IP ranges. Let's see an example:
view "external" {
This configuration only answers queries for the example.com zone. Since the recursion no directive is set, allow-query-cache defaults to {none;}, which denies access to the server's cache. You can use this with BIND 9.4 and newer.
Manuel Humberto Santander Peláez, ISC Handler, Nov 4th 2013
Thanks for the post. Timely, we were just discussing this internally.
Conflicting info out there, but from what I gather, if the DNS box is an MS DC/DNS and you set it to not allow this, you have also broken the ability to forward queries, so you couldn't surf the inet from inside? This is a PCI violation? I would be interested in any real world attack scenarios.
Anonymous, Nov 5th 2013