DNS Response Modification Presentation

Description

The aim of this presentation is to describe the effects of DNS response modification on domain name registrants, DNS operators and Internet users, and to explore possible exploitation of the practice by bad actors. The focus will be on explaining the effects of and unintended consequences to users, domain registrants, and those who rely on non-existent domain responses for error reporting and administrative purposes.
In their preliminary report number 32, the SSAC describes the practise of DNS response modification by entrusted agents or third parties. In the first case, an entrusted agent receives a DNS query for a name. The entrusted agent determines that the name in the query does not exist in the zone file it hosts for the domain registrant but rather than returning a DNS response indicating a non-existent name, the entrusted agent returns a response indicating the name exists and containing an IP address mapping for the queried name of the agent's choosing. In the second case, a third party operating an iterative resolver receives NXDomain responses generated by an authoritative name server and silently alters the contents, changing the non-existent name response to one that signals name exists and inserting an IP address mapping for the queried name of the third party's choosing. This behaviour is known by various labels: subdomain redirection, NXDomain redirection, NXDomain rewriting, NXDomain hijacking, subdomain hijacking, error resolution, and error marketing. These labels illustrate that the practice has commercial significance and is controversial."

Reviews

Shared by: Alisha Wright

Tags

DNS, Response Modification Protection, Response Modification, ICANN, SSAC, entrusted agents, third parties, non existent domain responses, domains, registrants, error reporting

Stats

views:: 276
rating:: not rated
reviews:: 0
posted:: 10/23/2008
language:: English
pages:: 0

Public Domain

DNS Response Modification David Piscitello Senior Security Technologist ICANN Sep 2008 ALAC Webinar 1 Intended web experience •  Type a URL: http://www.example.com/index.htm •  Browser asks DNS to find IP address of this host •  If DNS finds the IP address then –  It passes this IP address to browser –  Browser connects to the site –  If page exists, browser downloads page –  Else browser displays “page not found” •  Else if host does not exist –  DNS returns a “name error” to browser –  Browser displays an error “Server not found” (or similar) Sep 2008 ALAC Webinar 2 Response Modification alters this experience •  Type a URL: http://www.example.com/index.htm •  Browser asks DNS to find IP address of this host •  If DNS finds the IP address then –  business as usual (well, maybe…) •  Else if DNS response is “name error” then –  Respond in a way that is self-beneficial –  Commonly done without notice and consent to user or domain registrant •  Even when notice is provided, full disclosure of the security implications are not identified –  The registrant does not benefit from and in some instances is harmed by the alteration Sep 2008 ALAC Webinar 3 DNS Protocol Violation? •  RFC 1035 says name error is "only meaningful in responses from an authoritative name server " –  The response is thus more than an error indication –  Response expresses content that the authoritative name server expects the client to receive •  DNSSEC goes through great pains to provide authenticated denial of existence of DNS records –  Why would we bother if non-existence was unimportant!!! Sep 2008 ALAC Webinar 4 Who can make such changes •  Entrusted Agents –  A DNS operator who provides authoritative name service on behalf of a registrant –  Registrars, ISPs, trusted 3rd parties, registrant’s IT •  Third parties –  any DNS operator of any name server that processes the response along the return path from the authority name server to the client that issued the request Sep 2008 ALAC Webinar 5 Form 1: Synthesized DNS response •  An Entrusted agent operating as a zone authority –  Receives a name query from a client –  Determines the name does not exist in the zone file –  Returns a name exists response containing an IP address mapping the entrusted agent chooses –  Common implementation is to include a wildcard entry in the registrant's zone file •  All names not found resolve to an IP address the agent chooses Sep 2008 ALAC Webinar 6 Synthesized DNS Response (Simplified) Client What is the IP address of ww.example.com ww.example.com is at IP = a.b.c.d Iterative resolver Root Name Server dress of t is the IP ad Wha .com? ww.example ese COM Ask one of th name servers .example.com does not exist synthesize DNS response return Answers Section with IP address = a.b.c.d COM Name Server example.com's Entrusted Agent example.com zone file 7 Sep 2008 ALAC Webinar Form 2: "On the fly" response modification •  A third party NS operator –  Examines DNS responses messages it attempts to resolve for a client –  When it encounters a non-existent domain response the resolver •  Silently alters the response code from non-existent to name found •  Inserts an IP address mapping the third party chooses Sep 2008 ALAC Webinar 8 NXDomain Response Modification(Simplified) Client What is the IP address of ww.example.com ww.example.com is at IP = w.x.y.z Iterative resolver Root Name Server dress of t is the IP ad Wha .com? ww.example ese COM Ask one of th name servers response says NXDomain: synthesize DNS response return Answers Section with IP address = w.x.y.z COM Name Server example.com's Entrusted Agent example.com zone file 9 Sep 2008 ALAC Webinar Who has the means, motive and opportunity? Who Sponsoring registrar Public DNS provider ISP Web (proxy) operators "for fee" DNS provider Domain registrant Attackers How Entrusted agent (EA) Third party NS operator Third party NS operator Why Promote business Promote services Advertise Affiliate advertising "Enhance the user experience"  Enforce a policy Remedial Education Fun, fame, fortune… or EA Third party NS operator Third party NS operator or EA EA "own" a DNS server Sep 2008 ALAC Webinar 10 How are users affected? •  A modified DNS response –  Signals a different state of the zone to the user than the registrant intended •  The non-existence of a name is not conveyed to the user •  The user concludes the host is operated by the registrant –  Can result in inconsistent responses •  The response a user receives depends on the resolver it asks –  Can cause address mapping conflicts when multiple NS operators alter responses •  An authority may add a host that has been “redirected” •  Resolvers caching a modified response for this name will return a different address from the one now in the authority zone file Sep 2008 ALAC Webinar 11 How are domain registrants affected? •  A modified DNS response –  Alters the content the domain authority intended to have delivered •  Would you tolerate undisclosed modification of any other application content? •  Why should DNS messages be treated differently from mail, IMs or voice? –  Has business and brand implications •  Redirection hosts benefit from the domain registrant's brand, reputation, site and link popularity, and sponsored link agreements… •  Operational instabilities •  Security implications -> Sep 2008 ALAC Webinar 12 Security Implications •  A modified DNS response –  Subverts a "parent trusts the subdomain" security assumption common to web applications •  Applications assume that any host in my domain is trustworthy –  Wrests security of hosts from the registrant •  A host is named in your domain but secured by "someone else” •  How can I test and audit for (regulatory) compliance and policy conformance if I don’t know or operate the hosts where my NXDOMAINs are redirected –  Creates opportunities for attack via a host you cannot secure •  Phishing via false site injection •  Redirect hosts can intercept, monitor and analyze traffic (extract data) •  Redirect hosts can intercept cookies to acquire personal, credit or bank data –  Facilitates attacks against brand •  Aren’t 3rd level labels you don't control as dangerous as 2nd level labels Sep 2008 ALAC Webinar 13 Other issues •  A Records today, what about tomorrrow? –  Assumption is that most NXDomain responses are for web sites so they lead to "eyeballs" –  Imagine a future of modified DNS responses that includes MX, NAPTR, SRV and other resource records •  Dueling rewrites –  DNS responses can be processed by many third parties –  Any party downstream from a synthesized response can rewrite the response –  Interesting problem for error resolution marketeers •  Is this the tip of the iceberg? –  How long before responses from other application servers are “in play”? Sep 2008 ALAC Webinar 14 SSAC Recommendations •  Synthesized responses at any level in the DNS have unanticipated and undesirable consequences for the registrant and user •  Registrants should choose an entrusted agent that asserts it will not modify DNS responses in its terms of service •  Registrants should study ways to provide end-to-end authenticated proof of non-existence of subdomains (DNSSEC) •  Entrusted agents should not inject DNS wildcards in a zone without informed consent and without fully informing the domain registrant of the risks this practices exposes •  Entrusted agents should provide opt-out mechanism that allows clients to receive the original DNS answers to their queries. •  Third parties should disclose that they practice NXDomain response modification and should provide opportunities for users to opt out Sep 2008 ALAC Webinar 15