Thursday, June 30, 2016

DNS Cookies

When we type a URL in the address bar, our computer makes a DNS query to appropriate DNS servers and it gets the corresponding IP address, using which it accesses the target system. Protocols like SSL/TLS, HTTPS can ensure that the communication between the server and the client, after the domain name resolution is done for the server, is encrypted. But, what if an attacker takes advantage of the DNS communication between the client and the DNS server at the time of domain name resolution and affects that to transfer the traffic to malicious servers or make a DoS attack ? DNS Cookies is a security mechanism which is developed for that purpose.


DNS Cookies is a lightweight DNS transaction security mechanism that protects DNS servers and DNS clients from a variety of attacks like DoS attacks, DNS Amplification attacks, DNS Cache Poisoning etc. It is a lightweight mechanism and can work with other existing DNS transaction security mechanisms. It can even work in the presence of NAT and NAT – Protocol Transaction (NAT-PT).

Let’s understand what DNS Cookies is actually and how it works.



Security Concerns of DNS


There are a number of security concerns in the existing DNS system. Some of them are mentioned below :


DNS Server Denial of Service Attack 

 
When a DNS client makes a DNS request to DNS servers, it causes much computaional burden to the DNS serevers. A recursive server may issue one or more requests and process the responses, which takes muc computational resources. The situation may even get worse when DNSSEC is used, as DNSSEC performs many cryptographic computations to verify the authenticity of the DNS transation.

So, if an attacker forges source IP address and sends many DNS requests to the DNS servers, it would be very hard to identify that the requests are forged ones. Moreoevr, it is impossible to restrict IP addresses from which DNS requests should be honored and discarded otherwise.

As a result, an attacker can take advantage of that and send a large number of DNS requests to the DNS servers, so that the DNS servers get exhausted resulting in a DoS attack.


DNS Cache Poisoning


For the first time we type a URL in the addressbar, our computer will make a DNS query to appropriate DNS Server and once it gets a response, it will store the IP address in its DNS Cache, with a timestamp upto which the entry remains valid.

Within that time, if we type google.com again, our computer will look at its DNS Cache for the entry.

Suppose, our computer has made a DNS query and waiting for a response from the DNS Servers. But, instead of an authentic response it gets a response containing IP address of the attacker's website. So, its DNS Cache will be poisoned and next time onwards, whenever the computer will try to resolve the IP address of the same URL, it will end up being to the attacker's website.

In similar way, DNS Cache of any DNS Server also may get poisoned. Because, ISP's DNS Server gets response from other DNS Servers and it stores the responses in its cache. If that cache is poisoned, the same poisoned entry will spread to all home routers and from them to all computers.


DNS Amplification Attack


If an attacker sends lots of DNS queries to DNS servers, but forges the IP address of a victim machne as the source IP address of all the packets, lots of DNS responses will be generated by the servers and all of them will reach the victim machine. Normally without any security mechanism, DNS servers cannot find out if the source IP of a DNS request is a forged one. As a result, as DNS responses are much larger in size, the responses will end up flooding the victim machine with responses and consuming its bandwidth. And, it will cause a DoS attack to the victim machine.


Existing DNS Security


There are a number of existing security mechanisms which can be used to secure DNS transactions. But, each of them has its own disadvantages.

For example, DNSSEC (How does DNSSEC work ?) is a security extension which can be used to verify the authenticity of a DNS transaction. DNSSEC can ensure that the response coming from a DNS server is an authentic one and it no doubt protects us from attacks like DNS Hijacking and DNS Cache Poisoning.

But, as mentioned earlier, DNSSEC performs many cryptographic computations to ensure security, which increases the computaional burden on the DNS servers. As a result, if an attacker forges IP addresses and sends many DNS requests to the DNS servers, it will aggravate the situation and can easily cause a DoS attack.

Another security mechanism is Transaction Signature or TSIG (How does TSIG work ? ) It uses cryptographic keys to establish a trust relationship between a DNS client and a DNS server and secure the DNS transation. TSIG provides good security, but it is non-trivial to deploy. It imposes much burden to the existing DNS system like the burden of pre-agreement and distribution of cryptoraphic keys, keeping track of server side key state and synchronization between a DNS client and a DNS server.


DNS Cookies is a lightweight security mechanism, which can be implemented easily with the existing DNS system and can work together with other security mechanisms. It does not have much overhead of pre-configuration etc.


How does DNS Cookies work ?





In DNS Cookies mechanism, each DNS server and each DNS client maintain a cookie. Each of them maintains a different cookie which can be used at the time of DNS transaction to make sure that the DNS request has indeed come from an authentic DNS client and its source IP address is not forged.


A client cookie is 8 byte long and it is a pseudorandom function of client IP, server IP and a secret quantity known only to the client. This pseudorandom function is secret to the client and can be changed periodically. Each DNS client will have a different cookie, which can be used with the DNS request to verify its authenticity. As a DNS cookie is only returned to the IP address from which the request was generated, it cannot be used to track internet users.


Similarly, each DNS server with different IP will have a different server cookie. This server cookie is a pseudoransom function of client cookie, client IP and a secret quntity known only to the server. This pseudorandom function is secret to the server and can be changed periodically. A DNS server must send different cookies for different clients.


DNS Cookies mechanism works in the following way :

  • A DNS client sends a DNS request and includes its client cookie along with the request. If it knows the server cookie, it sends the server cookie along with its own cookie.
  • The server receives the DNS request from the client with the client cookie. If the DNS request contains only the client cookie and not any server cookie, the server calculates a server cookie using the secret pseudorandom function using the client IP, received client cookie and the secret quantity known to the server. The server then processes the request and sends its cookie to the client, so that the client can refer it in future communications.
    On the other hand, if the server receives a server cookie along with the client cookie, it will verify the cookie and then process the request. It will then generate a response and send that along with the new server cookie if it generates one.
  • Different DNS clients behind a NAT box can use their own local IP addresses to have different client cookies. And, based upon these diferent client cookies, different server cookies can be generated which can be used in the DNS transactions without much confusion.


So, be aware of different security mechanisms so that you can protect your systems in a better way and stay safe, stay secured.

No comments:

Post a Comment