[vox-tech] inject false information into dns

[Tony Cratz]

On 09/16/2013 01:13 PM, Brian Lavender wrote:
> How is it that attackers inject false information into DNS?
> 
> https://wiki.sonic.net/wiki/DNSSEC
> This prevents hackers from injecting false information (aka DNS cache
> 'poisoning'), in an attempt to re-direct people trying to access a real
> website to a fake, phishing or criminal site.

	I will attempt to answer you question by giving a very high
	level overview.

	I do ask others (Rick, Alex and any other person who knows DNS)
	to keep me correct if (when) I say something wrong, if if they
	feel I left something out which needs to be covered.

	Quick History

	Before what we now know of as the 'Internet' we had a network of
	machines which were mostly connected via modems and would use
	UUCP to pass files and E-mail. This networked used was was known
	as the 'bang path' method figure out how to get to a machine.
	For example an old address I use to use was along this line:
	
	intelca!decvax!inhp4!<some machine on the east coast>!username

	which means send the E-mail to intelca, then to decvax, then to
	inhp4 (in HP Indian Hills New Jersey), and then to a machine
	which was connected to it and then to the user mbox.

	Latter we added a couple of other symbols ie '@' to help with
	the processing.

	Then to make life easier, Peter Honeyman developed a program
	which would take what was called the UUCP maps and build a
	file by the name of 'path-file'. This text base file would
	contains the hostname and a bang-path line for how to reach
	the site.

	Paul Vixie (and others) decided we needed a better method
	and developed Bind which used the Domain Name System instead
	of bang-paths.

	What this now does is provide a key-value database which
	contains the domain name such as 'mydomain.tld' (tld means
	top level domain, such as .com, .org, .net and so on). The
	value part of the database contains one or more IP addresses.
	Really it is much more complicated then this but this is a
	very nice and simple way to thing of it.

	There is a lot more which can be covered in the history area
	but I have a quick dirty overview.

	Today with DNS

	Let me cover what happens with Ubuntu as this is what most of
	us are currently using. And the ideas are very close to all
	systems.

	Depending on how you are connected to the Internet, somewhat
	controls type type of name services you run. For most of us
	we are on a dynamic IP and uses DHCP when we connect. Even if
	we are using a M$ system, a Mac or whatever we still follow the
	same base set-up.

	When we connect using DHCP we receive the IP address of the
	name servers we are to use. This information goes into the file
	/etc/resolv.conf.

	Of late, Ubuntu has gone one more step, they have set-up what is
	called a 'caching name server' when you use DHCP. This means we
	keep a cache of domains and their IP address which we use to
	look-up instead of having to ask our ISP for this information
	(thus adding a slight handshake delay). In Brian's and my case
	our ISP DNS 'forwards' is the Sonic DNS servers.

	If you run your own name service (BIND-9), depending on how you
	set it up you can still use your ISP as a 'forwarder'. This
	means, instead of doing a recursive search up to the TLD and
	then down to the DNS server for the domain we just ask the ISP
	if they have the domain in their cache (and most of the major
	sites will be already in the cache). By using 'forwarders' you
	can save a lot of time by not having to do the full search.

	The default method of setting up a DNS server (BIND-9) is to
	not use forward and do your own searches.

	Cache Poisoning - man-in-the-middle

	BIND-9 like all programs has bugs in it. Because of how
	serious the bugs can be, BIND normally has a very quick turn
	around time to fix problem. But that does means all of the bugs
	have been found.

	For this lets assume that I have found a bug in an older version
	of Bind which Brian has not updated to yet.

	Buy using this bug I can change Brian's DNS cache to point to
	me as a 'forwarder' (or ever as a TLD DNS server). This means
	I know become a Man-In-The-Middle, and I can now force Brain
	to use my fake-Google search engine, or even point his browser
	to nude-babes.ru instead of Google.com. And depending on where
	he is at, at the time (think being at work and having this
	happen), he could be put into a very bad spot.

	Reason for DNSSEC

	To try to prevent the man-in-the-middle issue, we now want to
	insure that the machine we are talking to is the one and only
	machine we will trust (NOTE: all security is based on TRUST!!!)
	By using DNSSEC, we have a handshake which happens which goes
	like this:

	Hi! I'm NS1.Sonic.com here is my ID key, can I have yours.
	Thank you. I see you are Brian's machine and you have confirmed
	I'm NS1.Sonic.com. Now here your requested data.

	While that is not fully correct, at a high level we don't need
	to worry about it any more. We have exchanged keys and we have
	both agree to have valid responses.

	Does this prevent Man-In-The-Middle?

	NO!!!! There are still bugs which can be used which has not yet
	been found. And we should also acknowledge there are some BIG
	ISP who have been known to act as a Man-In-The-Middle, such as
	both Comcast and AT&T (such as Room 641A which was discovered
	by Mark Klein in 2006 http://en.wikipedia.org/wiki/Room_641A )

	Even with DNSSEC, we TRUST the upstreams sites to give us the
	correct information. DNSSEC, does reduce the chance from outside
	but it does not all together stop having the DNS cache poisoned.
	And if our upstream 'forwarders' lie to us, then we have in
	valid information.

	Also if you have physical access to the 'wire' you can always
	add taps (room 614A style).

	Who is the biggest Man-In-The-Middle?

	Simple, the NSA!!!!. We already know AT&T is in bed with the
	NSA. Room 641A proves that. As for Comcast we have not had a
	whistle-blower yet to come forward.

	A number of us know about Mae-West which is one of the largest
	networking hubs and a major one for the Internet. Mae-West is
	in San Jose. IN THE SAME BUILDING AS THE IRS AND THE FBI.

	If you can put a T-Trap on the network and capture all of the
	data, it is also possible to introduce a man-in-the-middle!

	As I said, security is all about trust. Right now, there are
	a lot of people who agree with John Gilmore (and EFF) about
	the lack of trust with all of the encryption standards which
	the NSA has been involved with and had input.

	Anyway I know this has somewhat gotten off scope and some might
	say I pulled out my tin-foil hat. But right now, to me Edward
	Snowden and Wikileaks are heroes.

								Tony