DNS Systems and Query Types
44 Questions
Questions and Answers

What is the primary function of the DNS in the context of the Internet?

  • To enhance network security through encryption
  • To manage network traffic and bandwidth
  • To translate hostnames to IP addresses (correct)
  • To store user credentials and passwords

Which of the following is NOT a service provided by DNS?

  • Load distribution among replicated servers
  • Host aliasing for easier identification
  • Data encryption for secure transmission (correct)
  • Mail server aliasing

What type of attack involves injecting malicious data into a DNS cache?

  • DDoS attack
  • Man-in-the-middle attack
  • Phishing attack
  • Cache poisoning attack (correct)

What is the typical format of a DNS message when requesting information?

  • UDP datagram (B)

How does DNS caching improve performance?

  • By storing frequently accessed data for faster retrieval (B)

Which component of a DNS structure provides the actual mapping of hostnames to IP addresses?

  • Authoritative server (C)

Which query type would a DNS server respond to if it needs to provide an IP address for a given hostname?

  • A record query (B)

What is one primary method to fix DNS cache poisoning?

  • Regularly flushing the DNS cache (D)

What is a key step in executing a DNS cache poisoning attack?

  • Crafting UDP packets with manipulated DNS transaction IDs (C)

Which of the following describes a characteristic of Dan Kaminsky's Attack?

  • Exploits caching nameservers accepting resource records for unqueried hosts (D)

What does bailiwick checking involve in DNS security?

  • Verifying that the hostname in replies matches the original query (A)

What significant event occurred on October 21, 2002, related to DNS?

  • A DDoS attack against DNS root servers was executed (B)

In the context of a DNS cache poisoning attack, what is the purpose of flooding the target DNS server?

  • To match the Transaction ID of the original query with a fake response (B)

How does DNSChanger malware alter a system's DNS settings?

  • By modifying the /etc/resolv.conf file (C)

What was the nature of the DDoS attack on Dyn in October 2016?

  • It involved a massive increase in DNS queries from a botnet of IoT devices (B)

What kind of packets does the attacker send during a DNS flood attack?

  • Manually crafted UDP packets simulating valid replies (A)

What security measure can help prevent DNS cache poisoning by limiting the acceptance of unsolicited records?

  • Requiring a bailiwick check on the resource records in replies (B)

What was a significant defense mechanism introduced following DNS poisoning exploits?

  • Randomizing query ports to enhance security (A)

What is the primary function of the /etc/host.conf file?

  • To specify the order of name resolution sources. (D)

What command is used to restart the network service after changing network configuration files?

  • sudo /etc/init.d/network restart (B)

Which of the following describes the role of root servers in the DNS hierarchy?

  • They respond with the IP address of gTLD or ccTLD DNS servers. (A)

What port does a DNS server listen to for queries?

  • 53 (D)

What utility can be used to query DNS nameservers for information?

  • dig (B)

What is the primary purpose of the gethostbyname() function on UNIX-based machines?

  • To perform hostname-to-IP-address translation. (D)

What happens if the DNS response is larger than 1024 bytes?

  • It triggers a protocol switch to TCP. (D)

Which class of DNS servers provides the IP addresses for authoritative DNS servers?

  • Top-level domain (TLD) servers (D)

What happens when a DNS cache is flushed on a system?

  • Old cached entries are removed, forcing fresh queries. (A)

What type of query is typically sent from a host to the local DNS server?

  • Recursive query (C)

Which component of BIND listens for DNS queries?

  • named (D)

What is a common vulnerability in earlier versions of BIND related to Transaction IDs?

  • They are not randomized and are sequential. (A)

What is a primary benefit of DNS caching?

  • Reduces the number of DNS messages on the Internet. (A)

What does a resource record (RR) in DNS contain?

  • A four-tuple consisting of Name, Value, Type, and TTL. (A)

What does a DNS Cache Poisoning Attack involve?

  • Redirecting users to incorrect IP addresses. (C)

What does the SOA record stand for in DNS terminology?

  • Start of Authority (A)

Which of the following describes the authoritative section of a DNS message?

  • Records of other authoritative servers. (C)

What are the roles of local DNS servers provided by ISPs?

  • Act as a proxy for forwarding queries into the DNS hierarchy. (C)

Which command is used to view and manage the root server IP addresses?

  • dig @b.root-servers.net com (C)

What is the purpose of the DNS TTL (Time To Live)?

  • To specify how long a DNS record is cached. (D)

What does the 'TTL' field in a resource record signify?

  • The duration for which the record can be cached. (B)

How does a registrar enter records into the DNS database?

  • By verifying domain name uniqueness and recording it. (A)

What is a primary function of the nslookup program?

  • To send a DNS query to any DNS server. (D)

What problem does a simple design with a single DNS server face?

  • High traffic volume and single point of failure. (C)

What is the role of the root DNS servers?

  • To provide IP addresses of TLD servers. (A)

What does the file /etc/resolv.conf do?

  • Lists the name servers for name resolution. (B)

Flashcards

What is DNS?

A hierarchical database system that translates hostnames to IP addresses.

Explain the three levels of DNS servers.

DNS servers operate in a hierarchical structure with three major levels: root servers, top-level domain servers, and authoritative servers. Root servers provide the starting point for resolving a hostname, while top-level domain servers handle domains like .com, .org, etc. Authoritative servers are responsible for specific domains like google.com or example.com.

What are the different query types in DNS?

DNS uses specific query types to retrieve different information from the database. The most common is the A record (Address) which maps a hostname to an IPv4 address. Other types include MX (Mail Exchange), CNAME (Canonical name), and TXT (Text), each providing different domain details.

How does DNS caching work?

DNS servers cache recently used information to speed up subsequent lookups. This caching mechanism reduces the number of requests to upstream servers, improving efficiency and reducing response times.

What is the structure of a DNS message?

DNS uses a standardized message format to communicate between servers. This format defines various sections like header, question, answer, authority, and additional information.

What is a DNS cache poisoning attack?

It occurs when an attacker manipulates DNS responses to mislead users or intercept traffic. This attack exploits vulnerabilities in the DNS system's trust model and can disrupt services or redirect users to malicious websites.

How can we protect against DNS cache poisoning attacks?

Implementing DNSSEC (Domain Name System Security Extensions) is a key step in protecting DNS from cache poisoning. DNSSEC uses digital signatures to authenticate responses, ensuring their origin and integrity.

Why is DNS important?

DNS plays a crucial role in internet communication by resolving human-readable names into machine-readable IP addresses. It enables users to access websites, email servers, and other online services without needing to know complex IP addresses.

gethostbyname()

A function call used on UNIX-based machines to translate a hostname to an IP address.

Simple DNS Design

A single, centralized DNS server that would store all hostname-to-IP address mappings.

Root DNS Server

A type of DNS server responsible for providing the IP addresses of Top-Level Domain (TLD) servers.

Authoritative DNS Server

A type of DNS Server that stores authoritative records for a specific domain.

Top-Level Domain (TLD) Servers

DNS servers that provide the IP addresses for authoritative DNS servers for various top-level domains (com, org, net, edu, etc.) and country top-level domains (uk, fr, ca, etc.).

Local DNS Server

A DNS server provided by an ISP that acts as a proxy, forwarding DNS queries to the appropriate servers in the hierarchy.

Recursive DNS Query

A DNS query where the local DNS server will attempt to find the requested information recursively, querying multiple servers if necessary.

Iterative DNS Query

A DNS query where the requesting server will only ask the contacted server and won't continue searching if the information is not found.

DNS Caching

A way for DNS servers to speed up query resolution by storing recently used hostname-to-IP address mappings in memory.

Resource Record (RR)

A four-tuple record that represents a single entry in the DNS database.

DNS Record: Type A

A type of resource record (RR) that maps a hostname to its IP address.

DNS Record: Type NS

A type of resource record (RR) that specifies the hostname of an authoritative DNS server for a domain.

DNS Record: Type CNAME

A type of resource record (RR) that defines an alias hostname for a canonical hostname.

DNS Record: Type MX

A type of resource record (RR) that maps an alias hostname to a mail server.

nslookup

A program that allows sending DNS queries to any DNS server, often used for troubleshooting or checking DNS settings for a particular hostname or domain.

DNS Cache Poisoning Attack

A type of attack where an attacker sends crafted responses to a DNS server, hoping to trick it into storing fake data about a domain. This can redirect users to malicious websites.

DNS DDoS Attack

An attack where an attacker sends a flood of requests to a DNS server, overwhelming it and making it unavailable to legitimate users.

DNSChanger Malware

A type of malware that modifies the DNS settings on a computer, directing traffic to malicious websites instead of the intended destinations.

DNSSEC (Domain Name System Security Extensions)

A method of verifying the authenticity of DNS responses, preventing attackers from injecting fake information into the DNS system.

Bailiwick Check

A security measure where DNS servers check if the domain name in a response is the same as the one requested in the query. This helps prevent attackers from injecting fake information.

DNS Root Server Attack

A technique where attackers target the DNS root servers, which are at the top of the DNS hierarchy, to disrupt DNS resolution for everyone.

Kaminsky Attack

A type of DNS attack where an attacker sends requests to a DNS server for a non-existent hostname, then sends fake responses containing malicious information.

Randomizing Ports for DNS Queries

A method of protecting against DNS cache poisoning by using a different port for each outgoing DNS query.

DNS Spoofing Attack

A malicious user sending forged DNS queries using the victim's DNS server, hoping to get it to send a spoofed response to a specific target.

DNS Amplification Attack

Attackers sending a huge number of DNS requests to a target DNS server, causing it to become overloaded and unable to respond to legitimate requests.

What is the /etc/host.conf file?

A file that specifies the order in which the system searches for host mappings, prioritizing either the local /etc/hosts file or the DNS server. It typically sets 'order hosts, bind' for a prioritized search of the local hosts file followed by DNS.

Why is the network service important?

The service responsible for managing network settings on a system. It can be restarted to refresh network configurations. It can be started/stopped/restarted with the command "/etc/init.d/network {start|stop|restart}"

What are root servers?

The highest tier of DNS servers. There are 13 root servers in total, and they are the starting point for any DNS query. They delegate queries to the top-level domain servers for the appropriate domain.

What is root.hints?

A file that contains hints about root servers and their corresponding IP addresses. This file is used by BIND, the DNS software, to locate root servers when resolving domain names. The path to the file is typically /etc/bind/named.conf.default-zones

What are gTLDs and ccTLDs?

Generic Top-Level Domains (gTLDs) are the primary domains for a wide range of organizations, such as .com, .net, .org, .edu. Country Code Top-Level Domains (ccTLDs) are specific to countries, such as .uk, .jp, .fr.

What is a Transaction ID?

It is a unique 16-bit number that identifies each DNS query. This number is randomly generated for each query. It ensures that the response is associated with the correct query. The /etc/init.d/bind9 restart command can flush the DNS cache.

What is a DNS cache?

A local storage for recently resolved host names and their corresponding IP addresses. It helps speed up resolving requests for frequently accessed domains. The cache is usually cleared or refreshed automatically after a certain period of time.

What is DNS (Domain Name System)?

It is a service that acts as a central database for resolving domain names to IP addresses. It uses a hierarchical structure, with root servers at the top and authoritative servers for individual domains at the bottom. BIND is a popular DNS server implementation.

What is DNS cache poisoning?

A technique that allows attackers to manipulate DNS responses to redirect users to malicious websites or intercept sensitive data. It exploits vulnerabilities in DNS server configurations and can be used for phishing, malware distribution, and other malicious activities.

What is DNSSEC?

A security measure that uses digital signatures to verify the authenticity and integrity of DNS responses. DNSSEC helps prevent DNS cache poisoning by ensuring that the responses are from trusted sources.

What is Pharming?

This occurs when a user's browser is redirected to a malicious website after an attacker corrupts a domain nameserver (DNS) with illegitimate IP addresses for certain hostnames.

How can a domain delegate authority to other servers?

A sub-domain can be delegated by its parent to other servers. This allows for flexibility within the DNS namespace and increases redundancy.

What is redundancy in a DNS system?

Multiple name servers are used to handle domain lookups. This prevents single points of failure and improves DNS server availability. They are often set up as master and slave servers.

What is the risk of a non-random Transaction ID?

This is a security issue tied to the Transaction ID that could allow an attacker to insert false information into a DNS server's cache. It's particularly vulnerable in older versions of BIND where the ID wasn't truly random.

What is BIND?

BIND, short for Berkeley Internet Name Daemon, is a widely used implementation of the Domain Name System (DNS). This software manages DNS servers, resolves domain names into IP addresses, and provides various tools for interacting with DNS.

How does named respond to queries?

This refers to the process by which a DNS server responds to a DNS query. It's based on the configuration files that dictate how the server handles requests and where it retrieves the necessary information.

Study Notes

DNS: Three Levels of Servers

  • Root DNS servers: Over 1000 instances globally, providing IP addresses for top-level domain (TLD) servers. Copies of 13 servers coordinated by IANA.
  • Top-Level Domain (TLD) servers: For specific top-level domains (e.g., .com, .org) and country-level domains (e.g., .uk, .jp). Provide IP addresses of authoritative DNS servers.
  • Authoritative DNS servers: Each organization with public hosts maintains its own; provide hostname-to-IP address mappings for their domain.

Query Types

  • Iterative queries: A DNS server asks other servers in turn until it reaches the correct answer, with each query proceeding to another server.
  • Recursive queries: A DNS server, on behalf of a client, forwards the query to other servers (eventually to an authoritative server). The client receives the final answer or an error message.

Caching

  • DNS uses caching extensively: servers store previously resolved mappings.
  • Cached information is discarded after a set time (often 2 days).
  • Caching reduces the number of queries across the Internet and decreases delay.

DNS Message Format

  • Query and reply messages share the same format.
  • Header (12 bytes): Includes query/reply flag, recursion desired/available flags, and section counts.
  • Question section: Names and types of queries (e.g., A record (IP address), MX record (mail server)).
  • Answer section: Resource records for the queried name.
  • Authority section: Records for other authoritative servers.
  • Additional section: Extra relevant records.

DNS Cache Poisoning

  • Attack: Substituting incorrect IP addresses in the DNS cache.
  • Vulnerable versions of BIND (pre-BIND9).
  • Spoofing technique: Using a matching transaction ID in fake replies.
  • Attacker needs information on the source port the DNS server uses for queries.
  • Challenges: Producing spoofed DNS Transaction IDs that match and guessing the destination port.

Fixing Cache Poisoning

  • Randomizing source ports for queries.
  • Implement "bailiwick check": Verifying that response hostnames are part of the original query.

Description

Explore the three levels of DNS servers, including Root, TLD, and Authoritative servers, as well as the types of DNS queries: iterative and recursive. This quiz provides insights into how DNS functions and the importance of caching in the process.
