DNS … The Greatest Flaw In The Internet?

Did you know that the whole of the Internet could crash in an instant… just because of one protocol? … DNS. A massive distributed denial…
Photo by Vinicius Marques on Unsplash

DNS … The Greatest Flaw In The Internet?

Did you know that the whole of the Internet could crash in an instant… just because of one protocol? … DNS. A massive distributed denial of service (DDoS) against the core DNS infrastructure would cripple most of the Internet, as we are so dependent on DNS servers to resolve IP addresses. If the core fails to work, the rest of the infrastructure would collapse. And, that, at any time, our DNS infrastructure could be taken over for malicious purposes.

DNS is a terrible protocol. It relies on one DNS server telling others what the IP resolution of the domain name is. But who can you trust to seed this? Well, the main authority of the domain. We don’t have to integrate the main authority as the information on the domains will be propagated through the Internet. So what happens if a malicious entity sees the wrong IP address? Let’s say a nation-state — MegaTropolis — wants to take over a little state — MiniTropolis. Well, their first focus might be poisoning DNS caches around the world, so that all the MiniTopolis domains pointed to MegaTropolis sites.

The problem with DNS is that it has virtually no real security built into it, and where a fake DNS system can easily be set up and redirect users to incorrect sites. But there is a solution … Domain Name System Security Extensions (DNSSEC). It provides origin authentication of DNS data, along with data integrity. It does not stop someone from viewing the data in the request and reply. The issues related to DNS have been known for a while [here]:

The threats include: Packet interception; ID Guessing and Query Prediction; Name Chaining; Betrayal By Trusted Servers; Denial of Service; Authenticated Denial of Domain Names; and Wildcards. One of the greatest threats is DNS cache poisoning, and where a malicious host can seed an incorrect domain name for the rest of the network. DNSSEC overcomes this by having a protected zone in which all the responses are digitally signed. DNS resolves can then check that the DNS information has been signed by one of the trusted hosts.

DNS works by creating a domain record which defines an SOA (Start of Authority). This then defines the serial number, the refresh time, and so on:

Within this, we can define an NS (Name Server) and MX (Mail Server), along with the IP addresses of defined hosts within the domain. We can use nslookup to interrogate the entry:

It should be noted the DNSSEC does not provide confidentially of the data, or does it protect against a denial of service attack.

Coding

Some coding in Go is [here]. With this, we will create a 2,048-bit RSA key pair (a public key and a private key), and then sign the SOA with the private key of a trusted domain. Others can then check the signature using the public key of the trusted domain. The SOA entry is created as in DNS, with a response header for the domain name, and the IP addresses (dns.ClassINET):

The serial number is important on the SOA, as it defines the most up-to-date version of the entry. In this case, the signature was created with an RSA-encrypted SHA-256 hash. We also include a date for the expiry time for the signature. The signature is signed the entity defined in the key (key.Hdr.Name):

package main

import (
    "crypto"
    "crypto/rsa"
    "github.com/miekg/dns"
    "fmt"
    "os"
)

func main() {
    domain:="asecuritysite.com"

    argCount := len(os.Args[1:])

        if (argCount>0) {domain= string(os.Args[1])}

    domain = domain+"."
    key := new(dns.DNSKEY)
    key.Hdr.Name = domain
    key.Hdr.Rrtype = dns.TypeDNSKEY
    key.Hdr.Class = dns.ClassINET
    key.Hdr.Ttl = 3600
    key.Flags = 256
    key.Protocol = 3
    key.Algorithm = dns.RSASHA256
    priv, _ := key.Generate(2048)

    soa := new(dns.SOA)
    soa.Hdr = dns.RR_Header{domain, dns.TypeSOA,dns.ClassINET, 14400, 0}
    soa.Ns = "ns."+domain
    soa.Mbox = "mail."+domain
    soa.Serial = 1293945905
    soa.Refresh = 14400
    soa.Retry = 3600
    soa.Expire = 604800
    soa.Minttl = 86400

    sig := new(dns.RRSIG)
    sig.Hdr = dns.RR_Header{domain, dns.TypeRRSIG, dns.ClassINET, 14400, 0}
    sig.TypeCovered = dns.TypeSOA
    sig.Algorithm = dns.RSASHA256
    sig.Labels = 2
    sig.Expiration = 1562761057 
    sig.Inception = 1562761057  
    sig.OrigTtl = soa.Hdr.Ttl
    sig.KeyTag = key.KeyTag()
    sig.SignerName = key.Hdr.Name

    var pr crypto.Signer
    pr,_= newSignerFromKey(priv)

    if err := sig.Sign(pr, []dns.RR{soa}); err != nil {
        fmt.Printf("Failed to sign")

        return
    }
    if err := sig.Verify(key, []dns.RR{soa}); err != nil {
        fmt.Printf("Failed to verify")

    } else {
        fmt.Printf("Signature okay\n\n")
    }
    fmt.Printf("SOA: %s\n\n",soa)
    fmt.Printf("Sig: %s\n\n",sig)
    fmt.Printf("Key: %s\n\n",key)
        
}

type rsaPrivateKey struct {
    *rsa.PrivateKey
}

func newSignerFromKey(k interface{}) (crypto.Signer, error) {
    var sshKey crypto.Signer
    switch t := k.(type) {
    case *rsa.PrivateKey:
        sshKey = &rsaPrivateKey{t}
    default:
        return nil, fmt.Errorf("ssh: unsupported key type %T", k)
    }
    return sshKey, nil
}

A sample run for a message of “asecuritysite.com.” is [here]:

Signature okay

SOA: asecuritysite.com. 14400   IN  SOA ns.asecuritysite.com. mail.asecuritysite.com. 1293945905 14400 3600 604800 86400

Sig: asecuritysite.com. 14400   IN  RRSIG   SOA 8 2 14400 20190710121737 20190710121737 42450 asecuritysite.com. NqFhFsl
EHFtETdO1cWFKhMyWydiTDpGkWKQggzgbzVGa9COBQDrFS+NRsVEQEpIee3EMJ/hY6RXpmo75ZxWO7OO4FfIBbl2qgZctewmutFy+HT4GUFA3dJp9rzfr2Jn
0lnCCOkLIW33zHgXgSXmKJobWXPsHTPQoUogjdxmPzbzWFd6S1XXPep4klyi1hbcM9uvnABtFGw5tb/rd7hs6B/hS9spoO5MHZqDczmAKEoW1XKht12G97Qc
Qz3nyyGlRScntbHNXk3xaD3Xzevu9SWhZ4Ro2xFvIWxdFkLWCv2wZkcwHIG9q7zFE5HglZhip+q8EKzfZV1PQn8AOVf16dA==

Key: asecuritysite.com. 3600    IN  DNSKEY  256 3 8 AwEAAdcn7cvHVXBvDQVsh6ge+JHZWTCn4WarBbWzQ1TGKMpk/pT9L386Q2ZU1fvynYdp
eqQi4PKbRpavycjqMFBtJvg9qhHpXq25iSpdx1+aNHL8zyvx/eFFTAWHA8qN3uQuVKc5mm+KQ498poWd1dnYBNHRcNGgZA8epNsq+WSoLzRISIxgiFDs6j+k
ryO4ivj7n8dLOqqcv9C/tQl/7YhU4y3lHSek9FqFOCpYK4DzQb+jJuLKNWjAPobWF19JkrvcN0KeDZ2TZEeApz3UGtjsRMowH4AJ48yKyaT2vnmE52MwIiC1
/yHLtQJK77CMgow3BejXO2T9uytp+rTQyZk8Ens=

Conclusions

The Internet is a big lumber ship which takes a while to turn. It has struggled to adapt to major changes, such as IPv6, but it has a major flaw at its core … DNS. While DNSSEC addresses some of its weaknesses, it does not stop people from spying on your accesses, and where the DNS infrastructure can be attacked through DDoS.