Post subject: Rogue DNS Posted: Mon Jul 25, 2005 6:18 pm
Help others: Review your books and training products here
While preparing for the exam I came across the expression "rogue" DNS server. Technically I haven't seen any protection against it yet. So I was wondering: what can you do to detect or prevent a rogue DNS server's existence on your LAN?
Although I was wondering if this would work:
If you have DNS and DHCP running on your LAN but don't have Active Directory, is it possible to create a new DNS server with the same PC suffix, point it to the primary DNS and configure a secondary zone, so hijacking the zone's information? Does Active Directory make this impossible?
_________________ Don't Drink And Drive
Kill, can not be innocent
Kill can not be, innocent
Joined: 10 Apr 2005 Posts: 1296 Location: Wales, UK
Post subject: Posted: Mon Jul 25, 2005 6:28 pm
This is an interesting question, as I have never come across "rogue DNS" and I've recently passed this exam.
In the MS Press book there is only talk of Rogue DHCP Servers and Rogue Routers (RIP through broadcast traffic).
I don't see how a rogue DNS Server is possible. Let's say in our organisation we have 2 DNS Servers: -
192.168.10.1
192.168.10.2
and a DHCP Scope configured from 192.168.10.3 - 192.168.10.254.
Then how can a DNS Server hijack responses and capture them from clients? Those clients would be set to use our two DNS Servers as specified by Scope, Server, Class or Client options.
And your second scenario -
You can prevent this by only allowing Zone Transfers to either
1. Specific Name Servers.
2. Name Servers specified on the Name Servers Tab.
3. No Zone Transfers at all.
The point of Active Directory integration:
1. Replicates Zone Information with other DNS Servers in the domain, forest, or with Domain Controllers in the Domain, or with specified application directory partitions.
2. Allows you to set up ACLs on who can manually edit records, configure the zone and so on.
3. Allows you to configure exactly how dynamic record updates are performed: Secure, Nonsecure and Secure, None.
I'd read up on this if I were you.
_________________ David Jones BSc (Hons)
MS Certs: MCSA: Messaging 2003, MCSE: 2003, MCTS: Vista, MCTS: Exchange 2007
Cisco Certs: CCNP
Studying: CCIE: R&S Written, Feb 28, 2011
Joined: 18 Sep 2001 Posts: 7870 Location: Portland, Or
Post subject: Posted: Mon Jul 25, 2005 7:51 pm
It is possible to create a rogue DNS server using a process called DNS cache poisoning. I don't know much about it other than a rogue server is set up which feeds erroneous DNS information to other DNS servers.
Joined: 18 Sep 2001 Posts: 7870 Location: Portland, Or
Post subject: Posted: Mon Jul 25, 2005 11:20 pm
I know a secret place where you can find out...
Joined: 10 Apr 2005 Posts: 1296 Location: Wales, UK
Post subject: Posted: Tue Jul 26, 2005 12:08 pm
jsprague wrote:
It is possible to create a rogue DNS server using a process called DNS cache poisoning. I don't know much about it other than a rogue server is set up which feeds erroneous DNS information to other DNS servers.
"Protection against cache polluting" will discard this record, as it is not the same as the one requested.
_________________ David Jones BSc (Hons)
MS Certs: MCSA: Messaging 2003, MCSE: 2003, MCTS: Vista, MCTS: Exchange 2007
Cisco Certs: CCNP
Studying: CCIE: R&S Written, Feb 28, 2011
Below is the quote from MS Press for Server 2003. I guess the scenario that I was thinking about is possible for Server 2000 by default.
Gorebrush, you are right about the config. stuff, but if not configured properly this situation can occur on Server 2003 also. (Zone Transfers tab => Enable Zone Transfers => Configure to transfer to any zone)
"Off the Record In Windows 2000, the default setting on the Zone Transfers tab for primary
zones was to allow transfers to any server, but this feature created an unnecessary security
hole. Think about it: why would you want to enable anyone who can access your DNS server to
set up a secondary server and peruse your network's resource records? Restricting zone transfers
by default is a lot smarter—it allows you to prevent unauthorized copying of zone data."
_________________ Don't Drink And Drive
Kill, can not be innocent
Kill can not be, innocent
Whenever a client is configured with a DNS server, when the client sends a DNS query, the query message contains a transaction ID, client source port and source IP address. Whenever the configured server replies, the client will accept the information if all three fields match exactly. Hence one would require a transaction ID prediction attack to be successful.
DNS Hijacking: If an attacker is able to insert himself between the client and the DNS server, he may be able to intercept replies to client name resolution queries and send false information mapping addresses to incorrect addresses. This type of attack is very much a race condition, in that the attacker needs to get his reply back to the client before the legitimate server does. This would require the primary DNS server to be slow in responding to the query for DNS hijacking to be successful, as the client always uses the preferred DNS server first.
Zone transfer will, as stated, allow transfers to the IP addresses in the name servers list as configured, but this does not prevent IP spoofing attacks, as any primary server masquerading as the actual name server can request a zone transfer.
The solution, at least partially, is the DNSSEC implementation of a secure zone. When DNSSEC is enabled for a zone, the secure zone has its own public and private keys used to encrypt and decrypt digital signatures.
The digital signature is added to the zone in the form of a new resource record, SIG.
When the DNS server hosting the secure zone answers authoritatively to a query, it responds to the resolver with the requested resource record along with the SIG record. The resolver can use the public key to authenticate the record. The distribution of the public key poses a challenge as there is no standardised mechanism, as keys could be distributed using voice communication or IPsec etc. Also time synchronisation is important to prevent replay attacks.
The DNSSEC deployment is cumbersome and not a trivial task, as it requires the exchange of keys, and keys are required to be changed periodically; hence at present the implementation is not scalable to a large organisation and depends on whether it is implemented at root level or for child domains, and on the negotiation of crypto algorithms, which has to be done beforehand.
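As an added example (not code from the thread), here is a resolver-side acceptance check in Python that models the three-field match described in this post (transaction ID, server IP and the client's own source port) together with the "protection against cache polluting" filter David mentioned earlier, in its strict form: answer records whose owner name is not the name that was queried are discarded. All names, addresses and packet bytes are constructed for the example.

```python
import struct
# Constructed names, addresses and packets; not the thread's own code.

def encode_name(name):
    """Wire-encode a DNS name as length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def check_reply(pending, reply, src_ip, dst_port):
    """pending = {txid, qname, server_ip, client_port}; returns (accepted, [(owner, ip)])."""
    txid, _flags, qd, an = struct.unpack("!HHHH", reply[:8])
    # The three-field match: transaction ID, server IP and the client's own source port.
    if (txid, src_ip, dst_port) != (pending["txid"], pending["server_ip"], pending["client_port"]):
        return False, []                            # unsolicited or spoofed: drop it
    qname, off = decode_name(reply, 12)
    off += 4                                        # skip QTYPE and QCLASS
    if qd != 1 or qname != pending["qname"]:
        return False, []                            # echoed question does not match ours
    kept = []
    for _ in range(an):
        owner, off = decode_name(reply, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        rdata, off = reply[off:off + rdlen], off + rdlen
        if rtype == 1 and owner == qname:           # pollution guard: only the name asked for
            kept.append((owner, ".".join(str(b) for b in rdata)))
    return True, kept

def build_reply(txid, qname, answers):
    """Constructed reply: header, echoed question, then A records from (owner, ip) pairs."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in answers:
        name = b"\xc0\x0c" if owner == qname else encode_name(owner)  # pointer to question at 12
        msg += name + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return msg
```

A reply that fails any of the three fields is dropped outright; a reply that passes but carries an extra record for a different name has that record stripped before anything is cached.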