CNIT 40: DNS Security

Fall 2013 Sam Bowne

75255 501 Lec T 06:10-09:00PM MUB 330

First class meeting: Tue Aug 27



Catalog Description

DNS is crucial for all Internet transactions, but it is subject to numerous security risks, including phishing, hijacking, packet amplification, spoofing, snooping, poisoning, and more. Learn how to configure secure DNS servers, and to detect malicious activity with DNS monitoring. We will also cover DNSSEC principles and deployment. Students will perform hands-on projects deploying secure DNS servers on both Windows and Linux platforms.

Advisory: CNIT 106 or 201E, or Network+-level understanding of networking.

Upon successful completion of this course, the student will be able to:
  1. Describe the normal operation of DNS: Zones, servers, records, and protocol function
  2. Explain common DNS attacks, including hijacking, snooping, poisoning, spoofing, fast flux, and packet amplification
  3. Understand common defenses against each type of attack
  4. Configure a secure BIND server on Linux
  5. Configure a secure Windows DNS server
  6. Prevent unwanted zone transfers
  7. Design high-availability DNS infrastructure
  8. Explain how to detect security breaches with DNS monitoring
  9. Describe the function and operation of DNSSEC
  10. Add DNSSEC signatures to a zone


"DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE


Date                    Proj. Due                   Topic
Tue 8-27                                            1: The importance of DNS security
Tue 9-10                                            2: DNS protocol and architecture
Tue 10-8                Proj 1 & 2 due              3: DNS vulnerabilities
Tue 10-29               Proj 3 due                  4: Monitoring and detecting security breaches
Tue 11-12 - Thu 11-14                               gogoNET LIVE! IPv6 & Internet of Things Conference in San Jose (extra credit)
Tue 11-19               Proj 4 & 5 due              5: Prevention, protection, and mitigation of DNS service disruption
Thu 11-21                                           Guest Speaker: Matthew Prince, CEO & co-founder of CloudFlare
Tue 11-26                                           No Class Meeting
Tue 12-10               Proj 6 & 7 due              6: DNSSEC and beyond
Tue 12-17               All Extra Credit Proj due   Final Exam (Optional)

Lecture Notes

1: The importance of DNS security     PPTX
2: DNS protocol and architecture     PPTX
3: DNS vulnerabilities     PPTX
4: Monitoring and detecting security breaches     PPTX
5: Prevention, protection, and mitigation of DNS service disruption     PPTX
6: DNSSEC and beyond     PPTX
Review Questions


Projects (in preparation)

Proj 1: Making a DNS Server on Windows Server 2008 (20 pts.)
Proj 2: Making a DNS Server on Linux with Bind (15 pts.)
Proj 3: Dig (25 pts.)
Proj 4: Source Port Randomization (10 pts.)
Proj 5: Disabling Dynamic DNS Updates (15 pts.)
Proj 6: DNS Logging on Linux with Bind (15 pts.)
Proj 7: Performing the Kaminsky Attack (15 pts.)

Extra Credit Projects

Proj 1x: Logging DNS Requests on Windows Server 2008 (10 pts.)
Proj 2x: Social Engineering DNS Registration (points vary)
      Consent Form (html)     (doc)
Proj 3x: Source Port Randomization on Linux (10 pts.)
Proj 4x: Configuring an Authoritative DNS Server on Windows (20 pts.)
Proj 5x: Configuring an Authoritative DNS Server on Linux (15 pts.)
Proj 6x: Making a Domain Name and Using Cloudflare (15 pts.)
Proj 7x: Making a Validating Resolver with Bind on Linux (10 pts.)


NIST Secure Domain Name System (DNS) Deployment Guide

References for Chapter Lectures

Ch 1a: Attack knocks out Microsoft Web sites (from 2001)
Ch 1b: 'Zombie' PCs caused Web outage, Akamai says (from 2004)
Ch 1c: Events of 21-Oct-2002
Ch 1d: Massive DDoS Attack Hit DNS Root Servers (from 2002)
Ch 1e: DNS Attack Factsheet 1.1 ICANN (from 2007)
Ch 1f: dig trace -- Men & Mice
Ch 1g: DNS Poisoning Scam Raises Wariness of 'Pharming' (from 2005)
Ch 1h: DNSChanger - Wikipedia
Ch 1i: An Illustrated Guide to the Kaminsky DNS Vulnerability
Ch 1j: Fast flux DNS
Ch 1k: Extension mechanisms for DNS (EDNS) - Wikipedia
Ch 1l: Attackers Using Overlooked Connected Devices to Launch 'DrDoS' Attacks
Ch 1m: Sinit P2P Trojan Analysis (from 2003)
Ch 1n: Tracking Malicious Activity with Passive DNS Query Monitoring (2012)
Ch 1o: DNS Monitor
Ch 1p: Monitoring DNS Queries with tcpdump
Ch 1q: DNS-Based Botnet Detection
Ch 1r: Prototype system goes after DNS-based botnets (2012)
Ch 1s: Gathering 'Storm' Superworm Poses Grave Threat to PC Nets (2007)
Ch 1t: Microsoft Intercepts 'Nitol' Botnet And 70,000 Malicious Domains
Ch 1u: Conficker Domain Information (2009)
Ch 1v: Blocking Conficker domain names: Will it work? (2009)
Ch 1w: Estonia hit by 'Moscow cyber war' (2007)
Ch 1x: Enable DNS Request Logging for Windows 2003/2008

Ch 2a: Using the dig dns tool on Windows 7
Ch 2b: How to Install dig for Windows
Ch 2c: Installing Dig on Windows
Ch 2d: Web-based Dig

Ch 3a: The Windows of Private DNS Updates
Ch 3b: Open Resolver Project
Ch 3c: CVE List: National Vulnerability Database
Ch 3d: Tutorial - DNS Vulnerabilities
Ch 3e: Video: Source Port Randomization (Socket Pool) in Windows Server 2008 R2 DNS
Ch 3f: The Kaminsky DNS Attack
Ch 3g: Understanding Kaminsky's DNS Bug
Ch 3h: Dan Kaminsky's DNS Slides

Ch 4a: DNS BIND logging Clause

Ch 5a: UltraDNS DNS Shield
Ch 5b: djbdns: Domain Name System tools
Ch 5c: Comparison of DNS server software - Wikipedia
Ch 5d: DNSSEC -- The DNSKEY and DS record
Ch 5e: Root DNSSEC
Ch 5f: ICANN Research - TLD DNSSEC Report
Ch 5g: List of DNS record types - Wikipedia
Ch 5h: Step-By-Step: How To Use a DNSSEC DS Record to Link a Registrar To A DNS Hosting Provider
Ch 5i: Extension mechanisms for DNS - Wikipedia

DNS Amplification

A quick look at open DNS resolvers
DNS Response Rate Limiting
Defending against DNS reflection amplification attacks
Open Resolver Project
How Spamhaus' attackers turned DNS into a weapon of mass destruction
Fix your DNS servers or risk aiding DDoS attacks
Is Your DNS Server A Weapon?
DNS Amplification Attacks Observer: Open Resolver World Map

Domain Name Hijacking

HD Moore explains DNS Registry Locks
Details Behind DNS Registry Hacks in August 2013
How Registrants Can Reduce the Threat of Domain Hijacking
DNS Registry Locking -- Best Explanation I've Found
Tests of Domain Locking

Kaminsky Attack

Exploit Code for the Kaminsky Attack in Metasploit
DNS Cache Poisoning Demo - YouTube
Microsoft Security Bulletin MS08-037 - Important : Vulnerabilities in DNS Could Allow Spoofing (953230)
Understanding Kaminsky's DNS Bug -- Bailiwick checking explained

IANA Blackholes

IANA Blackhole Servers for Private IP Addresses
DNS request for prisoner.iana.org
DNS Information Leakage slides from CERT (2007)
DNS Issues with RFC1918 IP Addresses?
How to Disable Dynamic DNS Updates on Windows Systems
RFC 6304 - AS112 Nameserver Operations - Blackholes


DNS, DNSSEC and Google's Public DNS Service
DNSSEC glitch causes .gov sites to become inaccessible (Aug, 2013)
DNSSEC Deployment Maps
DNSSEC HOWTO turn BIND into a Validating Resolver -- WORKS ON KALI


13 Signs that bad guys are using DNS Exfiltration to steal your data
Step-by-Step: Demonstrate DNSSEC in a Test Lab (Microsoft)
DNS SOA - Start of Authority serial number check
Malicious DNS Traffic: Detection is Good, Proactivity is Better
NLnet Labs DNSSEC workshop Website
Bind9 - Debian Wiki
Viewing a Bind Name Server's Cache
Pingdom DNS check tool
Identifying suspicious domains using DNS records AlienVault
Security Onion: Got DNS visibility?
September 2013 DNS Speed Comparison Report
DNS Version Scan Results
Five Basic Mistakes Not to Make in DNS
Bind9 - Debian Wiki -- reference for DNSSEC
DNS Best Practices, Network Protections, and Attack Identification - Cisco Systems
DNS research
What's Wrong with The DNS (from 2006)
DNS Tunneling made easy splitbrain.org
10 DNS Errors That Will Kill Your Network
Typosquatting Stole 20 GB of E-Mail From Fortune 500 (2011)
Collateral Damage of Internet Censorship by DNS Injection (2012)

New Unsorted Links

Everyone should be deploying BCP 38! Wait, they are (from 2012)
How to View Your DNS History for Free - OKay Marketing
RFC 5731: Extensible Provisioning Protocol (EPP) Domain Name Mapping -- Domain Status Codes Defined
GOV failing DNSSEC validation in 2013
Visualization of GOV DNSSEC failure in 2013
Visualization of fixed DNSSEC chain for GOV in 2014
Comcast DNS News
Comcast Goes DNSSEC, OpenDNS Adopts DNSCurve (from 2010)
DNSCrypt OpenDNS
OpenDNS adopts DNSCurve OpenDNS Blog (from 2010)
How To Add DNSSEC Support To Google Chrome (from 2012)
How to Boost Your Internet Security with DNSCrypt
ICANN's technical competence queried by Verisign, especially on DNSSEC (Dec., 2014)
Cricket Liu on Preparing Your DNS for IPv6 Infoblox
Against DNSSEC
Help us test our DNSSEC implementation -- CloudFlare
Ch 2e: RFC 4408: Sender Policy Framework (SPF) (see 3.1.1 for record types)
Ch 2f: How to check domain NS glue records using dig
DKIM, SPF, and Spam Assassin Validator
Ch 4b: Load Balancing With Round Robin DNS

Last Updated: 12-11-13 7:50 pm