DNS (<minmin@jprs.co.jp>, JPRS), 6 October 2005, JPNIC / JPCERT/CC Security Seminar 2005
Agenda: DNS; Pharming; BIND; djbdns 2
DNS
What is DNS (Domain Name System)? It maps names to IP addresses: www.example.jp corresponds to 172.16.37.65, so http://www.example.jp/ and http://172.16.37.65/ reach the same server. 4
DNS (Domain Name System) 5
Accessing a web page: the browser on the PC needs the IP address of www.example.jp before it can connect to the web server at http://www.example.jp/; it asks the cache (full-service resolver) whose address the PC learned via DHCP, then connects to the web server at the returned IP. 6
Name resolution step by step: the PC asks its cache server for the IP of www.example.jp. The cache asks a root server ("."; there are 13) and is referred to the jp name servers, with their IPs; asks a jp server (there are 5) and is referred to the example.jp name servers; asks an example.jp server and receives the IP of www.example.jp; finally returns that IP to the PC. 7
Two kinds of DNS server (1): authoritative name servers hold the data of a zone and answer only for it (the jp servers and the example.jp servers; the latter know that www.example.jp is 10.10.10.1). 8
(Resolution diagram repeated, with the authoritative servers highlighted.) 9
Two kinds of DNS server (2): the cache (full-service resolver) takes questions such as "what is the IP of www.example.jp?" from clients, walks the authoritative servers on their behalf and caches the answers; the PC learns the cache's address (for example 10.20.30.40) via DHCP or PPP. 10
(Resolution diagram repeated, with the cache server highlighted.) 11
Delegation: the parent zone (JP) hands a child (example.jp) to its name servers with NS RRs (RR = Resource Record); the same NS RRs also appear at the apex of the child zone (example.jp). 12
Glue: when an NS RR names a host inside the zone being delegated, the parent must also carry that host's address, its A RR (IPv4) or AAAA RR (IPv6), as glue; without it the child's name servers could never be located. 13
(Resolution diagram repeated: the referrals from "." (13 servers) to jp (5 servers) and from jp to example.jp are exactly the delegation NS RRs.) 14
The NS RRs in the parent (the delegation) and the NS RRs in the zone itself (the apex) are two separate sets of DNS RRs and must be kept consistent. 15
Out-of-zone name servers: when an NS RR points to a host in another zone (e.g. ns.example.net), there is no glue; the host's IP has to be resolved separately through that other zone. 16
DNS 17
NS RR mismatch: the NS RRs registered at the parent and those in the zone file must agree. If, for instance, the parent lists ns0 and ns1 while the zone lists only ns1 (or ns0 on one side and ns1 on the other), resolvers see an inconsistent delegation. 18
NS 1 19
Dependence on other domains: if all name servers of example.jp live in example.net, example.jp depends 100% on example.net. The same dependency arises through MX RRs and CNAME RRs that point outside the zone. 20
Pharming
Pharming vs. Phishing: "phishing" is a play on fishing; "pharming" is formed the same way from farming. A phishing victim is lured by a forged message; a pharming victim types the correct name and is redirected anyway. 22
Pharming tampers with name resolution itself: the DNS (cache or authoritative servers) or the client's hosts file. The user reaches the attacker's server under the right name and hands over IDs and credentials. 23
Cache poisoning (pharming through the DNS): the attacker injects a forged record, www.example.jp A 192.168.100.1, into the cache server. Clients asking the cache for www.example.jp A now receive 192.168.100.1; the genuine answer from the example.jp servers (reached via the root servers and the JP DNS servers) is never consulted while the forged entry lives in the cache. 24
Checking for cache poisoning: query the cache directly, e.g. dig @<cache server> www.example.gr.jp, and compare the answer with what the authoritative servers for example.gr.jp / example.jp return. 25
Cache servers known to be poisonable: BIND 8 or 4, and Windows 2000 DNS (SP2; see http://support.microsoft.com/default.aspx?scid=kb;ja;jp241352). 26
Forwarders: if Cache1 forwards its queries to Cache2 and Cache2 (BIND 8 or 4) gets poisoned, Cache1 is poisoned too, even though it runs Windows DNS or BIND 9, because it trusts whatever its forwarder returns. 27
IPA advisory on improper DNS name-server registration, 27 June 2005, http://www.ipa.go.jp/security/vuln/20050627_dns.html: a domain whose name servers are registered in another domain can be hijacked and used for pharming. 28
IPA advisory (1): the problem arises when a domain's name server is a host in another domain, e.g. example.jp lists dns1.example.net in example.net as one of (or the only) name server. 29
IPA advisory (2): example.jp registers ns1.example.jp (in its own zone) and dns1.example.net (in example.net) as its DNS servers; later the example.net registration lapses and the name becomes available again. 30
IPA advisory (3): an attacker registers example.net, sets up dns1.example.net to answer for example.jp with a forged www.example.jp, and every query that happens to be sent to dns1.example.net (about 50%) is pharmed. 31
IPA advisory (4): the dependency chains: if example.net's own name servers are in provider.dom, whoever takes over provider.dom controls half of example.net and therefore about 25% of example.jp. 32
IPA advisory (5): mistyped registrations have the same effect: a letter typed as l instead of k, or a name server IP 10.10.10.10 registered as 10.10.19.10, hands part of the domain to whoever holds 10.10.19.10. 33
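To make the 50% / 25% figures of slides 31 and 32 concrete, here is an added example (not part of the JPRS slides or the IPA advisory) that follows out-of-zone NS dependencies and computes what share of a domain's queries an attacker who controls some other domain can answer. It assumes a resolver picks one NS uniformly at random per query and that an NS host in another zone is reachable only through that zone; the delegation table is constructed to match the slides' example.jp / example.net / provider.dom scenario.

```python
"""Share of a domain's queries hijackable through out-of-zone name servers.

Model (an assumption of this example, not stated in the slides): a resolver
picks one of the zone's NS hosts uniformly at random; an in-zone NS host has
glue and is safe unless the zone itself is taken over; an NS host in another
zone is under the control of whoever controls that zone, recursively.
"""

# Constructed delegation data: zone -> NS host names (reproduces slides 31/32).
DELEGATIONS = {
    "example.jp": ["ns1.example.jp", "dns1.example.net"],
    "example.net": ["dns1.example.net", "ns.provider.dom"],
    "provider.dom": ["ns1.provider.dom", "ns2.provider.dom"],
}


def zone_of(host, zones):
    """Longest name in `zones` that `host` lies in (or equals), else None."""
    best = None
    for z in zones:
        if host == z or host.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def hijacked_fraction(zone, attacker_zones, delegations=DELEGATIONS, _seen=()):
    """Fraction of queries for `zone` that an attacker who controls every zone
    in `attacker_zones` can answer with forged data."""
    if zone in attacker_zones:
        return 1.0
    if zone in _seen:                      # dependency loop: count as not controlled
        return 0.0
    ns_hosts = delegations.get(zone)
    if not ns_hosts:                       # no data about this zone
        return 0.0
    known = set(delegations) | set(attacker_zones)
    controlled = 0.0
    for host in ns_hosts:
        owner = zone_of(host, known)
        if owner is None or owner == zone:  # unknown owner, or in-zone NS with glue
            continue
        controlled += hijacked_fraction(owner, attacker_zones, delegations, _seen + (zone,))
    return controlled / len(ns_hosts)


def report(zone, attacker_zone, delegations=DELEGATIONS):
    """One line per slide-31/32 style statement."""
    share = hijacked_fraction(zone, {attacker_zone}, delegations)
    return f"attacker holding {attacker_zone} answers {share:.0%} of queries for {zone}"


if __name__ == "__main__":
    print(report("example.jp", "example.net"))    # 50%, slide 31
    print(report("example.jp", "provider.dom"))   # 25%, slide 32
```

Feeding the function your own zones' NS sets (and those of every zone they point into) shows how far a registration you do not control can reach into your own domain.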
Tools for checking a domain's DNS setup: Squish DNS Checker http://www.squish.net/dnscheck/, DNS Report http://www.dnsreport.com/, Zone Check http://www.zonecheck.fr/ 34
DNS server implementations: BIND (named; a single daemon serves as both authoritative server and cache), Windows DNS, djbdns (tinydns for authoritative service, dnscache for caching), NSD (authoritative only). 36
BIND ( ) 37
BIND versions: BIND 8 (and the older BIND 4) versus BIND 9. 38
TIPS BIND 39
(BIND 8) (DoS) 40
Cache Poisoning ( ) 41
Pharming from inside the LAN (man-in-the-middle attack): an attacker on the same LAN intercepts the PC's query www.example.jp A and answers with a forged www.example.jp A 192.168.100.1; the cache, the root servers, the JP DNS servers and example.jp are never consulted. 43
LAN LAN 44
Getting between a PC and its DNS cache: ARP poisoning (also called ARP spoofing). Three hosts on one LAN, A, B and C; B lies to A and C about who owns which IP address. 45
ARP Poisoning (1/4): three hosts on the LAN: A (the victim PC), B (the attacker) and GW (the default gateway). 46
ARP Poisoning (2/4): B (root on its own host) sends forged ARP replies. A's ARP table now maps GW (10.10.10.2) to B's MAC address 0:3:3:3:3:3, and GW's ARP table maps A (10.10.10.1) to the same MAC 0:3:3:3:3:3; frames from A to GW and from GW to A all arrive at B. 47
ARP Poisoning (3/4): B forwards the traffic at the IP layer (or bridges it at layer 2), so A and GW keep communicating normally while everything, DNS queries included, passes through B. That is ARP poisoning. 48
ARP Poisoning (4/4): detecting it depends on the OS; watch the ARP table or ARP traffic for entries whose MAC address changes and log them via syslog. 49
ARP Poisoning ARP 50
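The detection idea of slide 49 (watch for bindings that change) as a worked example. This is added code, not from the slides: a small monitor in the style of arpwatch that remembers the first IP-to-MAC binding it sees and raises an alert when a binding flips or one MAC claims several IPs; the ARP replies are constructed sample data that reproduce the table on slide 47.

```python
"""ARP poisoning detector over a stream of observed ARP replies.

Assumptions of this example: the monitor sees every ARP reply on the LAN
(e.g. via a mirror port) and the first binding seen for an IP is the
legitimate one (learn the table while the network is known-good).
"""
from collections import defaultdict

# Constructed sample: (time, sender IP, sender MAC) from ARP replies on the LAN.
ARP_REPLIES = [
    (0, "10.10.10.1", "0:1:1:1:1:1"),   # A, legitimate
    (1, "10.10.10.2", "0:2:2:2:2:2"),   # GW, legitimate
    (2, "10.10.10.3", "0:3:3:3:3:3"),   # B, legitimate
    (5, "10.10.10.2", "0:3:3:3:3:3"),   # B claims GW's address (slide 47)
    (5, "10.10.10.1", "0:3:3:3:3:3"),   # B claims A's address (slide 47)
]


def normalize_mac(mac):
    """'0:3:3:3:3:3' -> '00:03:03:03:03:03' so spellings compare equal."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def detect_arp_poisoning(replies):
    """Return a list of alerts, each (time, kind, subject, detail).

    kind == "flip":     an IP was seen with a MAC other than the one learned
    kind == "multi-ip": one MAC has now claimed more than one IP address
    """
    bindings = {}                    # ip -> first MAC learned (kept, not overwritten)
    ips_by_mac = defaultdict(set)    # mac -> IPs it has claimed
    alerts = []
    for t, ip, mac in replies:
        mac = normalize_mac(mac)
        learned = bindings.get(ip)
        if learned is None:
            bindings[ip] = mac
        elif learned != mac:
            alerts.append((t, "flip", ip, f"{learned} -> {mac}"))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append((t, "multi-ip", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


def format_syslog(alert):
    """Render an alert as the one-line message the slide suggests logging."""
    t, kind, subject, detail = alert
    return f"t={t} arpmon: {kind} {subject} {detail}"


if __name__ == "__main__":
    for a in detect_arp_poisoning(ARP_REPLIES):
        print(format_syslog(a))
```

The gateway's MAC flipping to a host's MAC is the signature of slide 47; the multi-ip rule also catches an attacker who only impersonates the gateway, which a pure flip check would still report but a per-IP allowlist might not.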
How a resolver matches an answer to its question: every query carries a 16-bit Query ID. A response is accepted when its Query ID (and question) match an outstanding query and it arrives on the UDP port the query was sent from; the query itself goes to UDP port 53 on the server. 51
Guessing the Query ID (1): an attacker who can guess the ID can deliver a forged answer before the genuine one, which is cache poisoning, and hence pharming. 52
Guessing the Query ID (2): the ID is only 16 bits. BIND's named sends all its queries from one fixed source port (UDP 53), so the attacker needs to hit only the ID: a 1 in 2^16 chance per forged packet. 53
Guessing the Query ID (3): dnscache (djbdns) randomizes both the Query ID and the UDP source port of every query, so a forged answer must match both: about 1 in 2^32. 54
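An added worked example (not from the slides) of the check behind slides 51 to 54: it builds real DNS wire-format queries and forged replies (RFC 1035 header plus question), applies the three things a classic resolver verifies before caching a reply (ID, question, destination port equals the query's source port), and computes how likely a flood of forged replies is to succeed against a fixed source port versus a randomized one. The probability model (one uniformly random guess per forged packet) is this example's assumption.

```python
"""DNS reply matching and spoofing odds with and without source-port randomization."""
import struct


def encode_name(name):
    """'www.example.jp' -> b'\\x03www\\x07example\\x02jp\\x00' (RFC 1035 labels)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qid, qname, qtype=1):
    """Query with RD set, one question of class IN (qtype 1 = A)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def forge_reply(qid, qname, ip):
    """Attacker's reply: QR=1, AA=1, echoes the question, one A record -> ip."""
    header = struct.pack(">HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 1, 1)
    # name = pointer to offset 12 (the question name), type A, class IN, TTL 60, 4 bytes
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4)
    answer += bytes(int(o) for o in ip.split("."))
    return header + question + answer


def parse_header(pkt):
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    return {
        "id": qid,
        "qr": (flags >> 15) & 1, "aa": (flags >> 10) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "qdcount": qd, "ancount": an,
    }


def resolver_accepts(query_pkt, query_src_port, reply_pkt, reply_dst_port):
    """What a pre-DNSSEC resolver checks before believing a UDP reply."""
    q, r = parse_header(query_pkt), parse_header(reply_pkt)
    question = query_pkt[12:]                       # name + qtype + qclass
    return (r["qr"] == 1
            and r["id"] == q["id"]
            and reply_pkt[12:12 + len(question)] == question
            and reply_dst_port == query_src_port)


def spoof_success_probability(forged_replies, port_randomized):
    """P(at least one forged reply matches) when each guess is uniform over
    the 16-bit ID, times the 16-bit port if the resolver randomizes it."""
    space = 2 ** 16 * (2 ** 16 if port_randomized else 1)
    return 1 - (1 - 1 / space) ** forged_replies


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.jp")
    bad = forge_reply(0x1234, "www.example.jp", "192.168.100.1")
    print("fixed port 53, right ID guessed:", resolver_accepts(q, 53, bad, 53))
    print("random port 40321, right ID guessed:", resolver_accepts(q, 40321, bad, 53))
    for n in (1, 65536):
        print(n, "forged replies: fixed port %.3f, random port %.2e" % (
            spoof_success_probability(n, False), spoof_success_probability(n, True)))
```

With 65536 forged packets the fixed-port resolver is poisoned about 63% of the time (1 - 1/e), the port-randomizing one about 0.0015% of the time; the attacker must also win the race against the genuine reply, which the model above ignores.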
DNS has no built-in authentication of answers, unlike SSH or SSL/TLS; RFC 3833, "Threat Analysis of the Domain Name System (DNS)", catalogues the resulting attacks. The answer is DNSSEC. 55
DNSSEC (DNS Security Extensions, RFC 4033, 4034, 4035): DNS data is signed, so a resolver can verify that an answer really came from the zone's owner and was not altered. 56
BIND
BIND?? BIND? 58
Authoritative-only BIND: in named.conf turn recursion off (recursion no;) and, on BIND 8, glue fetching off (fetch-glue no; in BIND 9 the option is obsolete and glue is never fetched); do not configure the hint zone (zone "."), so the server has no way to start a recursive lookup; configure only the zones it serves. 59
    options {
        ...
        recursion no;
        fetch-glue no;
        ...
    };
    zone "example.jp" {
        type master;
        file "example.jp.zone";
    };
Cache-only BIND: recursion yes; fetch-glue no; the hint zone is required; limit allow-query to your own clients (127.0.0.1 and ::1 for localhost, plus your networks), never to the whole Internet. 60
    options {
        ...
        recursion yes;
        fetch-glue no;
        allow-query { 10.0.0.0/8; 127.0.0.1; };
        ...
    };
    zone "." {
        type hint;
        file "named.root";
    };
    zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
    };
Running both roles on one host (1/3): start two named processes. The authoritative one reads /etc/named.conf and, via listen-on, binds only the host's public IP address. 61
    options {
        ...
        recursion no;
        fetch-glue no;
        listen-on { 10.10.10.1; };
        ...
    };
Running both roles on one host (2/3): the cache has its own configuration, started with named -c /etc/cache.conf, listens on 127.0.0.1 only, and is the server /etc/resolv.conf points at. 62
    options {
        ...
        pid-file "/var/run/cache-named.pid";
        listen-on { 127.0.0.1; };
        ...
    };
    /etc/resolv.conf:
    nameserver 127.0.0.1
Running both roles on one host (3/3): everything the two named processes would otherwise share must be set differently: listen-on, controls, pid-file, dump-file, statistics-file. 63
Restrict zone transfers: on BIND 8 unrestricted transfers can be used to exhaust the server (DoS); on BIND 9 and BIND 8 alike, set allow-transfer in options (the default for all zones) or per zone. 64
    options {
        ...
        allow-transfer { 10.10.10.10; };
        ...
    };
    zone "example.jp" {
        type master;
        file "example.jp.zone";
        allow-transfer { ... };
    };
Bound the cache's memory: BIND 9 provides max-cache-size (BIND 8 has no equivalent). 65
    options {
        ...
        max-cache-size 100M;
        ...
    };
Verifying the split: dig @10.10.10.1 example.jp ns must answer with aa set and ra clear; a header line such as ;; flags: qr aa rd ra; means recursion is still enabled on the authoritative server. Then dig @10.10.10.1 < > for a name outside your own zones should be refused, while the same query against the cache, dig @127.0.0.1 < >, is answered. 66
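The flag check of slide 66 as an added example (not from the slides): a parser for the header dig prints, plus the decision rule an operator applies after the authoritative/cache split. The three dig outputs are constructed to look like BIND 9 answers; real dig prints additional sections that the parser simply skips.

```python
"""Classify a DNS server from the header dig prints (flags and status).

Caveat (assumption of this example): ra reflects what the server offers to
the client that asked; a server that allows recursion only for some
networks must be tested from a client outside those networks.
"""
import re

# Constructed dig headers: recursion still on, recursion off, outside name refused.
DIG_RECURSION_ON = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
"""
DIG_AUTH_ONLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
"""
DIG_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4713
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

FLAGS_RE = re.compile(r"^;; flags:([^;]*);", re.M)
STATUS_RE = re.compile(r"status: (\w+)")


def parse_dig_header(text):
    """Return {'flags': set of flag names, 'status': rcode name}."""
    flags = FLAGS_RE.search(text)
    status = STATUS_RE.search(text)
    if not flags or not status:
        raise ValueError("no dig header in output")
    return {"flags": set(flags.group(1).split()), "status": status.group(1)}


def classify(text, queried_own_zone):
    """queried_own_zone: True when the name asked for is in a zone the
    server is supposed to be authoritative for (slide 66's example.jp ns)."""
    h = parse_dig_header(text)
    f = h["flags"]
    if "ra" in f:
        return "recursion enabled"            # wrong for an authoritative-only server
    if queried_own_zone and "aa" in f:
        return "authoritative, recursion off"
    if h["status"] == "REFUSED":
        return "refused, recursion off"       # correct for an outside name
    return "no authoritative answer, check configuration"


if __name__ == "__main__":
    print(classify(DIG_RECURSION_ON, True))
    print(classify(DIG_AUTH_ONLY, True))
    print(classify(DIG_REFUSED, False))
```

Run dig once for a name in your own zone and once for an outside name, paste each output into classify, and the first should report "authoritative, recursion off" while the second reports a refusal.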
Running named (1): do not leave it running as root; start it with named -u <user> so that it drops privileges after binding port 53, and make sure the user it switches to may write its pid file, /var/run/named.pid. 67
Running named (2): confine it with chroot, named -t <chroot directory> (for BIND 9 see http://www.unixwiz.net/techtips/bind9-chroot.html); djbdns runs chrooted out of the box. 68
BIND 4 8 9 8 : : 4 8 9 69
djbdns
djbdns compared with BIND (1): authoritative service and caching are separate programs, tinydns and dnscache, so a cache cannot become an authoritative server by accident and dnscache never answers for zones it is not serving. 71
djbdns compared with BIND (2): every daemon runs chrooted by default. 72
dnscache client access control: a client may query the cache only if a file named after a dotted prefix of its address exists under root/ip: root/ip/10 allows 10.0.0.0/8, root/ip/10.20 allows 10.20.0.0/16, root/ip/10.20.30 allows 10.20.30.0/24. A prefix that does not end on an octet boundary, such as 10.20.30.32/29, needs one file per address: the 8 files root/ip/10.20.30.32 through root/ip/10.20.30.39. 73
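An added example (not from the slides or from djbdns) that generalizes slide 73: it computes the set of root/ip files needed for any IPv4 prefix, not just the /29 shown, and simulates dnscache's lookup (the full address, then shorter dotted prefixes) to confirm that the generated files admit exactly the intended clients. The service directory path is an assumption used only for the printed touch commands.

```python
"""root/ip file names for dnscache and a simulation of its prefix lookup."""
import ipaddress

SERVICE_ROOT = "/etc/dnscache/root"   # assumed dnscache service directory


def dnscache_ip_files(cidr):
    """File names to create under root/ip so that exactly `cidr` is allowed.

    Prefixes on an octet boundary need one file (10.20.0.0/16 -> '10.20');
    others are expanded to the next octet boundary (a /29 -> eight /32s).
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen < 8:
        raise ValueError("dnscache root/ip cannot express prefixes shorter than /8")
    octets = (net.prefixlen + 7) // 8             # octets that must be spelled out
    names = set()
    for sub in net.subnets(new_prefix=octets * 8):
        names.add(".".join(str(sub.network_address).split(".")[:octets]))
    return sorted(names, key=lambda n: [int(x) for x in n.split(".")])


def dnscache_allows(client_ip, files):
    """True if dnscache would accept a query from client_ip given these files
    under root/ip: it tries '10.20.30.35', then '10.20.30', '10.20', '10'."""
    present = set(files)
    parts = client_ip.split(".")
    return any(".".join(parts[:n]) in present for n in range(4, 0, -1))


def touch_commands(cidr, root=SERVICE_ROOT):
    """Shell lines that create the files (to paste into a root shell)."""
    return [f"touch {root}/ip/{name}" for name in dnscache_ip_files(cidr)]


if __name__ == "__main__":
    for line in touch_commands("10.20.30.32/29"):
        print(line)
```

Note that the expansion grows quickly: a /12 needs 16 files, a /20 needs 16, but a /25 already needs 128, at which point a wider prefix or a firewall rule in front of dnscache is the better tool.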
djbdns BIND 74
Q & A 75