textbook

CNIT 40: DNS Security

Summer 2023 Sam Bowne

Class Cancelled July 25

54304 Tue 9:10 am - 12:25 pm Cloud 218

Schedule · Lecture Notes · Projects · Links · Home Page

To attend class online:
https://twitch.tv/sambowne

Catalog Description

DNS is crucial for all Internet transactions, but it is subject to numerous security risks, including phishing, hijacking, packet amplification, spoofing, snooping, poisoning, and more. Learn how to configure secure DNS servers, and to detect malicious activity with DNS monitoring. We will also cover DNSSEC principles and deployment. Students will perform hands-on projects deploying secure DNS servers on both Windows and Linux platforms.

Advisory: CNIT 106 or 201E, or Network+ level understanding of networking.

Upon successful completion of this course, the student will be able to:

  1. Describe the normal operation of DNS: Zones, servers, records, and protocol function
  2. Explain common DNS attacks, including hijacking, snooping, poisoning, spoofing, fast flux, and packet amplification
  3. Understand common defenses against each type of attack
  4. Configure a secure BIND server on Linux
  5. Configure a secure Windows DNS server
  6. Prevent unwanted zone transfers
  7. Design high-availability DNS infrastructure
  8. Explain how to detect security breaches with DNS monitoring
  9. Describe the function and operation of DNSSEC
  10. Add a DNSSEC signatures to a zone

Textbook

"DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE Buy from Amazon

Quizzes

The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the higher score counts.

Don't use CCSF's Canvas system for this class. Instead, all students should use this Canvas server:

Enroll Here · View Course · Reset password

Email

For class-related questions, please send a message inside Canvas. If you prefer, you can email cnit.40@gmail.com

Schedule

Date Due Topic
Tue 6-6  1: The importance of DNS security
2: DNS protocol and architecture
Demos: D 1, D 2, F 60

      Sat 6-10        Optional Help Session 10:30 - noon in SCIE 37
Tue 6-13 Proj D 1 & D 2 due
Quizzes: Ch 1 & Ch 2		 3: DNS vulnerabilities
4: Monitoring and detecting security breaches
Demos: ED 30 & D 4

      Sat 6-17        Optional Help Session 10:30 - noon in SCIE 37
      Tue 6-20       No Tues class
      Sat 6-24        Optional Help Session 10:30 - noon in SCIE 37
Tue 6-27 Proj ED 30 & D 4 due
Quizzes: Ch 3 & 4		 5: Prevention, protection, and mitigation of DNS service disruption
6: DNSSEC and beyond

      Sat 7-1        Optional Help Session 10:30 - noon in SCIE 37
      Tue 7-4       No Tues class
      Sat 7-8        Optional Help Session 10:30 - noon in SCIE 37
      Tue 7-11       No Tues class
      Sat 7-15        Optional Help Session 10:30 - noon in SCIE 37
      Tue 7-18       No Tues class
      Sat 7-22        Optional Help Session 10:30 - noon in SCIE 37
Tue 7-25 Proj D 5 & D 6 due
Quiz: Ch 5		 No Class Meeting
      Sat 7-29        Optional Help Session 10:30 - noon in SCIE 37
Tue 7-25 -
Sun 7-30		 Final Exam available online.
You can only take it once.

Lecture Slides

1: The Importance of DNS Security (Updated 8-21-17) · KEY · PDF
2: DNS Protocol and Architecture · KEY · PDF
3: DNS vulnerabilities · KEY · PDF
4: Monitoring and detecting security breaches · KEY · PDF
5: Prevention, protection, and mitigation of DNS service disruption · KEY · PDF
6: DNSSEC and beyond · KEY · PDF

Projects

Submitting Projects

CCSF students must do these things to get credit:

  • Perform the project steps until you find a flag
  • Capture a whole-desktop image showing the flag
  • Outline or highlight the flag in the image
  • Submit the image in the appropriate Project in Canvas
  • Type the flag into the text field

D 1: Windows 2022 Server Virtual Machine (15 pts)
D 2: Making a DNS Server on Windows Server 2022 (20 pts)
ED 30: Linux Virtual Machine (15 pts)
D 4: Making a DNS Server on Linux with Bind (15 pts)
D 5: Configuring an Authoritative DNS Server on Windows (10 pts)
D 6: Primary Master DNS Server with Bind on Linux (15 pts)

Extra Credit Projects

F 60: Cloud Server on Azure (15 pts extra)
D 7: Windows Server on Mac M1 or M2 (15 pts extra)
D 10: DNS Privacy (10 pts extra)
D 11: Chrome Remote Desktop (10 pts extra)
D 12: SSH Tunnel (10 pts extra)
H 241: Tailscale VPN (15 pts extra)

Links

NIST Secure Domain Name System (DNS) Deployment Guide

References for Chapter Lectures

Ch 1a: Attack knocks out Microsoft Web sites (from 2001)
Ch 1b: 'Zombie' PCs caused Web outage, Akamai says (from 2004)
Ch 1c: Events of 21-Oct-2002
Ch 1d: Massive DDoS Attack Hit DNS Root Servers (from 2002)
Ch 1e: DNS Attack Factsheet 1.1 ICANN (from 2007)
Ch 1f: dig trace -- Men & Mice
Ch 1g: DNS Poisoning Scam Raises Wariness of 'Pharming' (from 2005)
Ch 1h: DNSChanger - Wikipedia
Ch 1i: An Illustrated Guide to the Kaminsky DNS Vulnerability
Ch 1j: Fast flux DNS
Ch 1k: Extension mechanisms for DNS (EDNS) - Wikipedia
Ch 1l Attackers Using Overlooked Connected Devices to Launch 'DrDoS' Attacks
Ch 1m: Sinit P2P Trojan Analysis (from 2003)
Ch 1n: Tracking Malicious Activity with Passive DNS Query Monitoring (2012)
Ch 1o: DNS Monitor
Ch 1p: Monitoring DNS Queries with tcpdump
Ch 1q: DNS-Based Botnet Detection
Ch 1r: Prototype system goes after DNS-based botnets (2012)
Ch 1s: Gathering 'Storm' Superworm Poses Grave Threat to PC Nets (2007)
Ch 1t: Microsoft Intercepts 'Nitol' Botnet And 70,000 Malicious Domains
Ch 1u: Conficker Domain Information (2009)
Ch 1v: Blocking Conficker domain names: Will it work? (2009)
Ch 1w: Estonia hit by 'Moscow cyber war' (2007)
Ch 1x: Enable DNS Request Logging for Windows 20032008

Ch 2a: Using the dig dns tool on Windows 7
Ch 2b: How to Install dig for Windows
Ch 2c: Installing Dig on Windows
Ch 2d: Web-based Dig

Ch 3a: The Windows of Private DNS Updates
Ch 3b: Open Resolver Project
Ch 3c: CVE List: National Vulnerability Database
Ch 3d: Tutorial - DNS Vulnerabilities
Ch 3e: Video: Source Port Randomization (Socket Pool) in Windows Server 2008 R2 DNS
Ch 3f: The Kaminsky DNS Attack
Ch 3g: Understanding Kaminsky's DNS Bug
Ch 3h: Dan Kaminsky's DNS Slides

Ch 4a: DNS BIND logging Clause

Ch 5a: UltraDNS DNS Shield
Ch 5b: djbdns: Domain Name System tools
Ch 5c: Comparison of DNS server software - Wikipedia
Ch 5d: DNSSEC -- The DNSKEY and DS record
Ch 5e: Root DNSSEC
Ch 5f: ICANN Research - TLD DNSSEC Report
Ch 5g: List of DNS record types - Wikipedia
Ch 5h: Step-By-Step: How To Use a DNSSEC DS Record to Link a Registar To A DNS Hosting Provider
Ch 5i: Extension mechanisms for DNS - Wikipedia

DNS Amplification

A quick look at open DNS resolvers
DNS Response Rate Limiting
Defending against DNS reflection amplification attacks
Open Resolver Project
How Spamhaus' attackers turned DNS into a weapon of mass destruction
Fix your DNS servers or risk aiding DDoS attacks
Is Your DNS Server A Weapon?
DNS Amplification Attacks Observer: Open Resolver World Map

Domain Name Hijacking

HD Moore explains DNS Registry Locks
Details Behind DNS Registry Hacks in August 2013
How Registrants Can Reduce the Threat of Domain Hijacking
DNS Registry Locking -- Best Explanation I've Found
Tests of Domain Locking

Kaminsky Attack

Exploit Code for the Kaminsky Attack in Metasploit
DNS Cache Poisoning Demo - YouTube
Microsoft Security Bulletin MS08-037 - Important : Vulnerabilities in DNS Could Allow Spoofing (953230)
Understanding Kaminsky's DNS Bug --Bailiwick checking explained

IANA Blackholes

IANA Blackhole Servers for Private IP Addresses
DNS request for prisoner.iana.org
DNS Information Leakage slides from CERT (2007)
DNS Issues with RFC1918 IP Addresses?
How to Disable Dynamic DNS Updates on Windows Systems
RFC 6304 - AS112 Nameserver Operations - Blackholes

DNSSEC

KLOTH.NET - DIG - DNS lookup - WITH DNSSEC OPTION
DNS, DNSSEC and Google's Public DNS Service
DNSCrypt
DNSSEC glitch causes .gov sites to become inaccessible (Aug, 2013)
DNSSEC Deployment Maps
DNSSEC HOWTO turn BIND into a Validating Resolver -- WORKS ON KALI

Misc.

13 Signs that bad guys are using DNS Exfiltration to steal your data
Step-by-Step: Demonstrate DNSSEC in a Test Lab (Microsoft)
DNS SOA - Start of Authority serial number check
Malicious DNS Traffic: Detection is Good, Proactivity is Better
DNSInspect
NLnet Labs DNSSEC workshop Website
Bind9 - Debian Wiki
Viewing a Bind Name Server's Cache
Pingdom DNS check tool
Identifying suspicious domains using DNS records AlienVault
Security Onion: Got DNS visibility?
September 2013 DNS Speed Comparison Report
DNS Version Scan Results
Five Basic Mistakes Not to Make in DNS
Bind9 - Debian Wiki -- reference for DNSSEC
DNS Best Practices, Network Protections, and Attack Identification - Cisco Systems
DNS research
What's Wrong with The DNS (from 2006)
DNS Tunneling made easy splitbrain.org
10 DNS Errors That Will Kill Your Network
Typosquatting Stole 20 GB of E-Mail From Fortune 500 (2011)
Collateral Damage of Internet Censorship by DNS Injection (2012)

New Unsorted Links

Everyone should be deploying BCP 38! Wait, they are (from 2012)
How to View Your DNS History for Free - OKay Marketing
RFC 5731: Extensible Provisioning Protocol (EPP) Domain Name Mapping -- Domain Status Codes Defined
GOV failing DNSSEC validation in 2013
Visualization of GOV DNSSEC failure in 2013
Visualization of fixed DNSSEC chain for GOV in 2014
Comcast DNS News
Comcast Goes DNSSEC, OpenDNS Adopts DNSCurve (from 2010)
DNSCrypt OpenDNS
OpenDNS adopts DNSCurve OpenDNS Blog (from 2010)
How To Add DNSSEC Support To Google Chrome (from 2012)
How to Boost Your Internet Security with DNSCrypt
ICANN's technical competence queried by Verisign, especially on DNSSEC (Dec., 2014)
Cricket Liu on Preparing Your DNS for IPv6 Infoblox
Against DNSSEC
Help us test our DNSSEC implementation -- CloudFlare
Ch 2e: RFC 4408: Sender Policy Framework (SPF) (see 3.1.1 for record types)
Ch 2f: How to check domain NS glue records using dig
DKIM, SPF, and Spam Assassin Validator
Ch 4b: Load Balancing With Round Robin DNS

The sad state of SMTP encryption -- useless without DNSSEC
NIST Secure Domain Name System (DNS) Deployment Guide
Today, DNSSEC is all cost, no benefit, and with high risks (1-14-16)
DNS Response Rate Limiting (DNS RRL)
Domain Name System Explained
DNSDiag: Tools to detect if your ISP is hijacking your DNS traffic
Building Your Own Passive DNS Collection System -- MAKE INTO A PROJECT
US-CERT Alert: WPAD (Web Proxy Auto-Discovery) Name Collision Vulnerability (May, 2016)
2016-09-13: Kali sources.list Repositories -- REQUIRED TO UPDATE KALI
Who Runs the DNS Root Name Servers?
DNS reflection amplification attacks growing strongly (9-15-16)
The Cryptographic Key That Secures the Web Is Being Changed for the First Time (Sept, 2016)
NorthKoreaDNSLeak: Snapshot of North Korea's DNS data taken from zone transfers. (Sept. 2016)
Dnscrypt vs Dnscurve? - Information Security Stack Exchange
Ch 3i: NorthKoreaDNSLeak: Snapshot of North Korea's DNS data taken from zone transfers (Sept., 2016)
Hacked Cameras, DVRs Powered Today's Massive Internet Outage (10-21-16)
Ch 5j: DNSSEC/TLSA Validator
Ch 5k: DNS-based Authentication of Named Entities (DANE) - Wikipedia
Help installing Bind on Windows
Blockchain Based DNS: dnschain
HTTPS Certificate Revocation is broken, and it's time for some new tools (July, 2017) -- ADD TO CLASSES
DNS Queries over HTTPS
DNS Query name minimization
Ch 1y: What is WannaCry ransomware and why is it attacking global computers?
Ch 1z: Marcus Hutchins is 22-year-old who stopped ransomware malware virus
Ch 1z1: How to Accidentally Stop a Global Cyber Attacks | MalwareTech
Ch 1z2: Marcus Hutchins: Good Guy or Bad Guy?
Public PCAP files for download
DNS over HTTPS -- POSSIBLE PROJECT
Quick Start for CoreDNS for Windows
NetworkMiner - The NSM and Network Forensics Analysis Tool %u26CF
How to set up dnscrypt-proxy on Kali -- USEFUL FOR PROJECTS
The Best Alternatives to DNSCrypt
Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)
Additional Record Types Available with Cloudflare DNS
G Suite toolbox
Now Testing DNSCrypt -- Quad 9 Privacy -- TEST FOR PROJECT
Ring of Saturn Looking Glass: Web-based Dig
Ch 5m: Why DNSSEC deployment remains so low | APNIC Blog
Ch 5n: DNSSEC Is Dead, Stick a Fork in It
Ch 5o: Cloudflare Looks to Take the Pain Out of DNSSEC Protocol Adoption

                   

Back to Top
Scoreboard · Submit Flags · Updated 7-19-23