textbook

CNIT 40: DNS Security

Fall 2017 Sam Bowne

Scores

77239 T 06:10-09:00PM Moved to MUB 388

Schedule · Lecture Notes · Projects · Links · Home Page

Catalog Description

DNS is crucial for all Internet transactions, but it is subject to numerous security risks, including phishing, hijacking, packet amplification, spoofing, snooping, poisoning, and more. Learn how to configure secure DNS servers, and to detect malicious activity with DNS monitoring. We will also cover DNSSEC principles and deployment. Students will perform hands-on projects deploying secure DNS servers on both Windows and Linux platforms.

Advisory: CNIT 106 or 201E, or Network+-level understanding of networking.

Upon successful completion of this course, the student will be able to:
  1. Describe the normal operation of DNS: Zones, servers, records, and protocol function
  2. Explain common DNS attacks, including hijacking, snooping, poisoning, spoofing, fast flux, and packet amplification
  3. Understand common defenses against each type of attack
  4. Configure a secure BIND server on Linux
  5. Configure a secure Windows DNS server
  6. Prevent unwanted zone transfers
  7. Design high-availability DNS infrastructure
  8. Explain how to detect security breaches with DNS monitoring
  9. Describe the function and operation of DNSSEC
  10. Add a DNSSEC signatures to a zone

Textbook

"DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE Buy from Amazon
Free Kindle Apps

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is available for one week, up till 8:30 am Saturday. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

To take quizzes, first claim your RAM ID and then log in to Canvas here:

https://ccsf.instructure.com

Live Streaming

Live stream at: ccsf.edu/webcasts

Classes will also be recorded and published on YouTube for later viewing.

Live Streaming for Kahoots

During the Kahoots, I'll also stream the class via Zoom.

Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/4108472927
Meeting ID: 410-847-2927

Schedule

Date Due Topic

Tue 8-22  1: The importance of DNS security


Tue 9-12 Proj 1 due
Quizzes: Ch 1 & Ch 2
due before class
2: DNS protocol and architecture


Tue 10-3 Proj 2 & 3 due
Quiz Ch 3
due before class
3: DNS vulnerabilities


Tue 10-24 Proj 4 & 5 due
Quiz Ch 4
due before class
4: Monitoring and detecting security breaches


Tue 11-14 Proj 6 due
No Quiz due
Guest: Nate Lindstrom "How the DNS Really Works"


Tue 12-5 Proj 7 due
Quiz Ch 5
due before class
Last class: 5: Prevention, protection, and mitigation of DNS service disruption


Fri 12-15 -
Thu 12-21
Final Exam available online throughout the week.
You can only take it once.

Lecture Notes

Policy · Schedule
1: The Importance of DNS Security (Updated 8-21-17) · KEY
2: DNS Protocol and Architecture · KEY · PDF
3: DNS vulnerabilities · KEY · PDF
4: Monitoring and detecting security breaches · KEY · PDF
5: Prevention, protection, and mitigation of DNS service disruption · KEY · PDF
6: DNSSEC and beyond · KEY · PDF
Click a lecture name to see it on SlideShare.
The KEY links are Apple Keynote files.
To use other formats, use Cloud Convert.

Projects

Downloading the Virtual Machines

Download VMware Player

Proj 1: Making a DNS Server on Windows Server 2008 (20 pts.) (Updated 9-22-16)
Proj 2: Making a DNS Server on Linux with Bind (15 pts.)

How to Fix Kali 2 Repositories

Proj 3: Dig (25 pts.)
Proj 4: Source Port Randomization (10 pts.)
Proj 5: Disabling Dynamic DNS Updates (15 pts.)
Proj 6: DNS Logging on Linux with Bind (15 pts.) (Updated 11-1-16)
Proj 7: Performing the Kaminsky Attack (15 pts.) (Updated 10-24-17)

Extra Credit Projects

Proj 1x: Logging DNS Requests on Windows Server 2008 (10 pts.)
Proj 2x: DNSCrypt on Linux (15 pts.) (Updated 10-24-17)
Proj 3x: Source Port Randomization on Linux (10 pts.)
Proj 4x: Configuring an Authoritative DNS Server on Windows (20 pts.)
Proj 5x: Configuring an Authoritative DNS Server on Linux (15 pts.)
Proj 6x: Making a Domain Name and Using Cloudflare (15 pts.) (Revised 11-22-16)
Proj 7x: Making a Validating Resolver with Bind on Linux (10 pts.)
Proj 8x: DNS Over HTTPS (10 pts. extra credit)

Links

NIST Secure Domain Name System (DNS) Deployment Guide

References for Chapter Lectures

Ch 1a: Attack knocks out Microsoft Web sites (from 2001)
Ch 1b: 'Zombie' PCs caused Web outage, Akamai says (from 2004)
Ch 1c: Events of 21-Oct-2002
Ch 1d: Massive DDoS Attack Hit DNS Root Servers (from 2002)
Ch 1e: DNS Attack Factsheet 1.1 ICANN (from 2007)
Ch 1f: dig trace -- Men & Mice
Ch 1g: DNS Poisoning Scam Raises Wariness of 'Pharming' (from 2005)
Ch 1h: DNSChanger - Wikipedia
Ch 1i: An Illustrated Guide to the Kaminsky DNS Vulnerability
Ch 1j: Fast flux DNS
Ch 1k: Extension mechanisms for DNS (EDNS) - Wikipedia
Ch 1l Attackers Using Overlooked Connected Devices to Launch 'DrDoS' Attacks
Ch 1m: Sinit P2P Trojan Analysis (from 2003)
Ch 1n: Tracking Malicious Activity with Passive DNS Query Monitoring (2012)
Ch 1o: DNS Monitor
Ch 1p: Monitoring DNS Queries with tcpdump
Ch 1q: DNS-Based Botnet Detection
Ch 1r: Prototype system goes after DNS-based botnets (2012)
Ch 1s: Gathering 'Storm' Superworm Poses Grave Threat to PC Nets (2007)
Ch 1t: Microsoft Intercepts 'Nitol' Botnet And 70,000 Malicious Domains
Ch 1u: Conficker Domain Information (2009)
Ch 1v: Blocking Conficker domain names: Will it work? (2009)
Ch 1w: Estonia hit by 'Moscow cyber war' (2007)
Ch 1x: Enable DNS Request Logging for Windows 20032008

Ch 2a: Using the dig dns tool on Windows 7
Ch 2b: How to Install dig for Windows
Ch 2c: Installing Dig on Windows
Ch 2d: Web-based Dig

Ch 3a: The Windows of Private DNS Updates
Ch 3b: Open Resolver Project
Ch 3c: CVE List: National Vulnerability Database
Ch 3d: Tutorial - DNS Vulnerabilities
Ch 3e: Video: Source Port Randomization (Socket Pool) in Windows Server 2008 R2 DNS
Ch 3f: The Kaminsky DNS Attack
Ch 3g: Understanding Kaminsky's DNS Bug
Ch 3h: Dan Kaminsky's DNS Slides

Ch 4a: DNS BIND logging Clause

Ch 5a: UltraDNS DNS Shield
Ch 5b: djbdns: Domain Name System tools
Ch 5c: Comparison of DNS server software - Wikipedia
Ch 5d: DNSSEC -- The DNSKEY and DS record
Ch 5e: Root DNSSEC
Ch 5f: ICANN Research - TLD DNSSEC Report
Ch 5g: List of DNS record types - Wikipedia
Ch 5h: Step-By-Step: How To Use a DNSSEC DS Record to Link a Registar To A DNS Hosting Provider
Ch 5i: Extension mechanisms for DNS - Wikipedia

DNS Amplification

A quick look at open DNS resolvers
DNS Response Rate Limiting
Defending against DNS reflection amplification attacks
Open Resolver Project
How Spamhaus' attackers turned DNS into a weapon of mass destruction
Fix your DNS servers or risk aiding DDoS attacks
Is Your DNS Server A Weapon?
DNS Amplification Attacks Observer: Open Resolver World Map

Domain Name Hijacking

HD Moore explains DNS Registry Locks
Details Behind DNS Registry Hacks in August 2013
How Registrants Can Reduce the Threat of Domain Hijacking
DNS Registry Locking -- Best Explanation I've Found
Tests of Domain Locking

Kaminsky Attack

Exploit Code for the Kaminsky Attack in Metasploit
DNS Cache Poisoning Demo - YouTube
Microsoft Security Bulletin MS08-037 - Important : Vulnerabilities in DNS Could Allow Spoofing (953230)
Understanding Kaminsky's DNS Bug --Bailiwick checking explained

IANA Blackholes

IANA Blackhole Servers for Private IP Addresses
DNS request for prisoner.iana.org
DNS Information Leakage slides from CERT (2007)
DNS Issues with RFC1918 IP Addresses?
How to Disable Dynamic DNS Updates on Windows Systems
RFC 6304 - AS112 Nameserver Operations - Blackholes

DNSSEC

KLOTH.NET - DIG - DNS lookup - WITH DNSSEC OPTION
DNS, DNSSEC and Google's Public DNS Service
DNSCrypt
DNSSEC glitch causes .gov sites to become inaccessible (Aug, 2013)
DNSSEC Deployment Maps
DNSSEC HOWTO turn BIND into a Validating Resolver -- WORKS ON KALI

Misc.

13 Signs that bad guys are using DNS Exfiltration to steal your data
Step-by-Step: Demonstrate DNSSEC in a Test Lab (Microsoft)
DNS SOA - Start of Authority serial number check
Malicious DNS Traffic: Detection is Good, Proactivity is Better
DNSInspect
NLnet Labs DNSSEC workshop Website
Bind9 - Debian Wiki
Viewing a Bind Name Server's Cache
Pingdom DNS check tool
Identifying suspicious domains using DNS records AlienVault
Security Onion: Got DNS visibility?
September 2013 DNS Speed Comparison Report
DNS Version Scan Results
Five Basic Mistakes Not to Make in DNS
Bind9 - Debian Wiki -- reference for DNSSEC
DNS Best Practices, Network Protections, and Attack Identification - Cisco Systems
DNS research
What's Wrong with The DNS (from 2006)
DNS Tunneling made easy splitbrain.org
10 DNS Errors That Will Kill Your Network
Typosquatting Stole 20 GB of E-Mail From Fortune 500 (2011)
Collateral Damage of Internet Censorship by DNS Injection (2012)

New Unsorted Links

Everyone should be deploying BCP 38! Wait, they are (from 2012)
How to View Your DNS History for Free - OKay Marketing
RFC 5731: Extensible Provisioning Protocol (EPP) Domain Name Mapping -- Domain Status Codes Defined
GOV failing DNSSEC validation in 2013
Visualization of GOV DNSSEC failure in 2013
Visualization of fixed DNSSEC chain for GOV in 2014
Comcast DNS News
Comcast Goes DNSSEC, OpenDNS Adopts DNSCurve (from 2010)
DNSCrypt OpenDNS
OpenDNS adopts DNSCurve OpenDNS Blog (from 2010)
How To Add DNSSEC Support To Google Chrome (from 2012)
How to Boost Your Internet Security with DNSCrypt
ICANN's technical competence queried by Verisign, especially on DNSSEC (Dec., 2014)
Cricket Liu on Preparing Your DNS for IPv6 Infoblox
Against DNSSEC
Help us test our DNSSEC implementation -- CloudFlare
Ch 2e: RFC 4408: Sender Policy Framework (SPF) (see 3.1.1 for record types)
Ch 2f: How to check domain NS glue records using dig
DKIM, SPF, and Spam Assassin Validator
Ch 4b: Load Balancing With Round Robin DNS

The sad state of SMTP encryption -- useless without DNSSEC
NIST Secure Domain Name System (DNS) Deployment Guide
Today, DNSSEC is all cost, no benefit, and with high risks (1-14-16)
DNS Response Rate Limiting (DNS RRL)
Domain Name System Explained
DNSDiag: Tools to detect if your ISP is hijacking your DNS traffic
Building Your Own Passive DNS Collection System -- MAKE INTO A PROJECT
US-CERT Alert: WPAD (Web Proxy Auto-Discovery) Name Collision Vulnerability (May, 2016)
2016-09-13: Kali sources.list Repositories -- REQUIRED TO UPDATE KALI
Who Runs the DNS Root Name Servers?
DNS reflection amplification attacks growing strongly (9-15-16)
The Cryptographic Key That Secures the Web Is Being Changed for the First Time (Sept, 2016)
NorthKoreaDNSLeak: Snapshot of North Korea's DNS data taken from zone transfers. (Sept. 2016)
Dnscrypt vs Dnscurve? - Information Security Stack Exchange
Ch 3i: NorthKoreaDNSLeak: Snapshot of North Korea's DNS data taken from zone transfers (Sept., 2016)
Hacked Cameras, DVRs Powered Today's Massive Internet Outage (10-21-16)
Ch 5j: DNSSEC/TLSA Validator
Ch 5k: DNS-based Authentication of Named Entities (DANE) - Wikipedia
Help installing Bind on Windows
Blockchain Based DNS: dnschain
HTTPS Certificate Revocation is broken, and it's time for some new tools (July, 2017) -- ADD TO CLASSES
DNS Queries over HTTPS
DNS Query name minimization
Ch 1y: What is WannaCry ransomware and why is it attacking global computers?
Ch 1z: Marcus Hutchins is 22-year-old who stopped ransomware malware virus
Ch 1z1: How to Accidentally Stop a Global Cyber Attacks | MalwareTech
Ch 1z2: Marcus Hutchins: Good Guy or Bad Guy?
Public PCAP files for download
DNS over HTTPS -- POSSIBLE PROJECT
Quick Start for CoreDNS for Windows
NetworkMiner - The NSM and Network Forensics Analysis Tool %u26CF
How to set up dnscrypt-proxy on Kali -- USEFUL FOR PROJECTS
The Best Alternatives to DNSCrypt
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
Additional Record Types Available with Cloudflare DNS
G Suite toolbox
Now Testing DNSCrypt -- Quad 9 Privacy -- TEST FOR PROJECT
Ring of Saturn Looking Glass: Web-based Dig
Ch 5m: Why DNSSEC deployment remains so low | APNIC Blog
Ch 5n: DNSSEC Is Dead, Stick a Fork in It
Ch 5o: Cloudflare Looks to Take the Pain Out of DNSSEC Protocol Adoption

          

Back to Top
Last Updated: 12-6-17 7:19 pm