DNS Cache Poisoning - Computerphile
Вставка
- Опубліковано 21 лип 2020
- Poisoning the DNS cache is a sure way to serve malware to unsuspecting users. Dr Mike Pound explains some of the ways this has been accomplished.
/ computerphile
/ computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com
Seeing Dr. Pound's eyes light up every time he mentions filling up some random computer with malware gives me so much energy
😂
Hahaha
I just realized the other day I have 200+ samples on my work laptop. It’s all locked-down and [hopefully] can’t execute, but like... I’m kinda hesitant to pick it up now. Lol
(I study malware, I’m not just a SUPER infected user)
Well he works in Internet and Computer Security as far as I know so his job is basically understanding how to fill up some random computer with malware ^^ It‘s obvious he‘s doing something he is passionate about which is nice.
@@mrnik.0 00
beautiful pen flip at 10:07
Now I cant stoping replaying it over and over
Just about to write that, now gonna practice that :)
@@TheDevilItSelf If you haven't figured it out yet, you need to hold the pen such that it is resting on your middle and ring finger. The thumb rests on the pen such that it is slightly off(towards the index finger) from the pen's center of gravity. Now flick the pen around your thumb with the middle finger and the ring finger.
@@rajiv8k thanks dude, thats actually really helpful
I AM INVINCIBLE!
Out of all Computerphile presenters, Dr. Pound, in my opinion, is simply the best! He explanations are bang on and are super easy to grasp. Whenever I see a notification for a video featuring him, I leave everything and start watching it right away.
I completely agree
Same! He's super entertaining as well. Computerphile please set up playlists categorized by nottingham staff!
Totally agree. He’s explaining these things better than anyone else.
His name MIKE POUND is Sooo James Bond character name=PUSSY GALOR
*bang* on for doctor *pound*
Rest in peace, Dan Kaminsky
Dr. Mike Pound's enthusiasm for knowledge is infectious
Truly. I actually started to learn to code watching his videos. Not from them ofc, but the motivation originated heree
It's also important to note that DNS happens over UDP (stateless) so there's no 'connection' to check the response against. For example, in TCP, participating computers establish a connection, and the only response for the request that was sent out is accepted by the requesting server.
No matter what the subject, I always find myself learning something new from
Dr. Pound.
Name server poisoning also happened occasionally on accident, due to responding accidently with an incremented query id, possibly poisoning some later random request. Also, if a DNS has DNS level blocking taking place, and it is treated like an authoritative DNS server, it may 'black hole' your request. As in, send you an IP that is invalid and leads no where. This happened to google servers a while back when they accidentally had china servers listed as authoritative, which was causing global traffic to get black holed due to china censorship.
Of course Dr. Mike Pound would say that a hacking attack has a "cool" name and is a very "cool" kind of attack.
I really like how he says something and it souds like it's insanely fun. And simple enough for almost anyone to understand.
Me: I have to get up early tomorrow.
Dr. Mike Pound: Wanna know something about DNS Cache Poisoning?
Me: Tell me everything!
#sleepis4theweak
oh and nice pen flip at 10:07
I was looking forward to this video and as always its amazingly explained by Dr.Mike. I couldn't keep it as he left us with a cliffhanger in the last DNS video and searched about it but still his explanation gave me a better and clear understanding of it.. Love his way of teaching
We asked and we received! 🙏🏼
I see Dr. Pound and I like first, then watch
who are you talking to? That's how it works.
Major props for making this video despite the earthquake you guys were experiencing.
Well explained as usual. But I kept wondering why name servers don’t simply only accept each query ID from the IP address of the authoritative server they sent the query ID to.
I found out the reason is that with UDP you can spoof the source IP
The best presenter, I owe so much of my knowledge to this guy and this channel, glad these videos keep coming out !
It's kind of surprising to hear that most of the global DNS system is not secured with certificates/TLS. Thanks for the great video!
It's actually quite terrifying, even if a poisoning attack only has like 1/1,000,000,000% chance of working.
Certbot takes like two to three lines of code lol
@@cosmicrider5898 It's not the name server that is the "hard" part. You can turn that on with the config file on most name servers these days. It's convincing accounting that spending 100,000/yr on the signed certificate is "worth it". Is your ISP really going to pay for that? What if they have to buy a dozen for various bits of their country wide network? Is your work going to buy one for their server? for each branch (yes there are ways around this at the corporate level, but if you have 2 or 3 small offices)?
This is a chicken and egg issue, without DNS the common name of X509 certificates could not provide the information where a certificate would fit in a global hierarchy so you wouldn't know what to validate it against. This is an issue solved by DNSSEC in a different way that still provides compatibility with regular DNS while maintaining its scalability.
@Bjorn While that might be true for some ISPs the real reason is that nobody thought about protecting against eavesdropping at the time DNS was invented and it is in such ubiquitous use today that nobody reinvented a perfect enough replacement yet. There are lots of interoperability and scalability issues to solve for any such replacement.
Thanks for explaining the subject in an easy to understand manner. The next time a client of mine tells me that my recommendation of implementing DNSSEC is "overkill" and "too expensive", I shall point them to this video.
As a reptile owner: WHAT'S IN THE BOX!!!!!!
a snake. he showed at the end of the last dns video
A Cornsnake to be precise
The answer is always Gwyneth Paltrow's head.
I had the same question
@@bentoth9555 I read the question with Jack's voice lol
Now i won't have to go to tons of lessons in school to learn this thanks to computerphile🤙
That pen flick tho... OMW!!!
This definitely makes Dr. Pound the best Computerphile ;)
I studied computer science about 30 years ago, and would have loved to have had a professor like him. I remember buying my first computer magazine about 1980 aged about 7 and being amazed. I used every penny of my pocket money to buy as many magazines and books as I could up until the age of about 17.
Computers were a different beast then, and the challenges were very different, but I LOVE watching these videos (I no longer program computers) - and I'm in awe of you guys.
BYTE Magazine, by chance?
yay, professor Pound again!!
Awesome video !!!! Love the animation, so helpful !!! Job well done sir.
Since Facebook was down yesterday, couldn't that have been the best time for someone to try something like this.
I encountered a sysadmin on the internet who used a kind of client side DNS cache poisoning as a security feature. Apparently bots scanning IP addresses for webservers is an extremely common thing. His solution to this was to run his webserver on an unusual port, then reply to all requests to his IP on the default HTTP ports with a HTTP 301: Permantently Moved error, with the TTL set to 1000 years. The result was that anyone who tried to connect to his webserver without a DNS telling them the correct port would have their local DNS cache updated to effectively permanently redirect all further attempts to connect to his site to a different site. This reportedly resulted in a dramatic drop of connection attempts from bots.
That's pretty devious. I love it!
I don't get it. But what about the local cache? Every browser that already had a DNS cache will then be permanently blocked (since the browser will never attempt to clear a 301 redirect cache automatically).
@@lake5044 Could be a problem with existing users, but might be able to be worked around by having the bot trap serving up a page saying "If you're seeing this, your browser's DNS cache is outdated. Clear it and try revisiting the site." which the bots will never actually read.
@@Roxor128 But then, that's no different than doing the same from your server (i.e. presenting some bot-challenge). I don't see the added benefit from going to such lengths as to purposefully poison your own domain name (maybe some load balancing? But standard load balancing is still much preferred and robust I think)
@Zero Cool What do you mean by "upload more RAM from the cloud"?
Very interesting and well explained, Dr. Pound! I'm kind of curious now though, what's the timeline of when all these different types of attacks and/or defenses started popping up? When did cybersecurity start becoming such a big issue?
Fascinating, and quite a scary prospect. 10:08 - Top class pen trick...
I learned more about DNS in your DNS video and this video than I did in my grad network security course.
I have only been lead to a single login spoofing website recently, but when it was more prevalent years ago it always amazed me how bad or lazy their developers used to be at their job. Most pages were so far off the original that they could only hope to trick the most gullible users.
With relatively low costs, it only takes a few suckers to become profitable.
thank god i was just thinking about this since the last video about dns
10:07 beautifully choreographed pen-spin flex by Dr. Mike
Thanks Jarrod! Great vid.
Thanks for the great explanation. He's great !!!
Yo, I've been wondering if this could happen! Great video!
I would love someone to take one of Mike's videos and just superimpose a ghost hand touching his arm every time he lifts his arm to stretch his sleeve out.
You can't unsee it now
I noticed this a while ago and have been wondering if anyone else saw it haha. I hope if he sees this comment he knows it's not a bad thing or that I'm making fun, it's just a cute little quirk!
As always another great video from you guys, bonus points for the chessboard i am curious if its a finished game or heated battle
this is so interesting. thank you!
Thanks for sharing knowledge ! 👍 Greetings from La Paz Bolivia 🇧🇴
Just today I wrote an exam on distributed systems and security. This video is two days late!
(But awesome in every other way)
The smooth pen movement on 10:07
I wish my college professors explained topic like this, I would have been more interested in studying. Topics covered here are more easier to understand, even though I didn't do CS in college.
very informative!
It feels weird to re-watch Computerphile videos that I already watched years ago for entertainment, but this time because I’m writing a computer science bachelor thesis about DNS security (specifically about the identity management for DANE).
Sir Dr Pound, I’d love some explanation on what happened with the Garmin ransomware a few days back
Notice the chosen sharpie pens. They closely match the colours of the surrounding objects.
Good explanation of how DNS injection works. Hard to believe DNS servers aren't using certificates until now though. You'd think someone would have figured this out a long time ago, especially given the popularity of SQL injection vulnerabilities and the like that have been used to deliver payloads in databases for years.
Is the querry spam the reason why this "attack" is so slow? I have used this kind of attacks in lack of other ways to redirect traffic(And problems with finding captive portals that works) on my own network but i don't find it to work that well :/
Iv'e tried this multiple times over the years but never found anything that works well so i end up giving up every time hehe.
Great video. 👍
Could you cover "port knocking"?
That casual sharpie spin at 10:07
Why dont they simply check if the IP of the one answering is the IP they asked? And wont the Recursive resolver still receive the correct answer a moment later? Couldnt one at least use the second answer to invalidate the cache?
Do mobile applications fetch to their sites to work? If so then shouldn't they be vulnerable as well?
0:10
Domain Name System
0:32
Poisoning.
1:01
DNS
3:17
How it works.
4:29
Cache poisoning.
6:06
Botnet.
10:08
Security
Ahhh...DNS cache poisoning ,I know everything about it
Dr.Pound : come here mate !!!👀
Dan Kaminsky is awesome, great talker!
Any ideas on how Tor V3 hidden services can start getting nicer names? Some kind of ring of trust situation?
Hello,
Just to say that the content you guys put forth is so much helpful in many ways.. masters really!!
Only thing is sometimes its difficult to understand what they say ... myself not quite familiar with the accent ...
please kindly make captions/subtitles available... it will help us to understand better ... Thanks in advance
on a related note with the Lancache game download cache service, you have to purposely poison your dns cache, so that when a user wants to download a game that's already downloaded, it gets the game from the server hosting the service, rather than the internet.
RIP Kaminsky, who passed just 2 weeks ago.
1:54 this is how excited I want to be when talking about anything
I really like the way this guy talks for some reason, I don't know why though
That spin at 10:06 is lit
What if you're running your own recursive dns like unbound?
Please could someone explain that Dan Kaminsky trick?
Is the exploit kit he talks about at 5:56 real? Like if you accidentally visited a bad website you'll get infected. Assuming you don't have flash installed.
talk about websockets
Wow. The internet is held together with duct tape and twine. It is crazy that the early internet even worked at all without security measures like public key cryptography.
What are your favorite pieces of literature that has helped your career and in teaching over the years?
How much bandwith would one need to hijack the current randomizing defence. Anyone calculated that?
Is there no way to send the poisoned dns query on all ports at once?
Just based on your other videos, why don't these requests between DNS servers use token like when browsers are talking to websites? Just send a request for the IP address, plus a random string, and only accept it if the response matches? They could easily have turned that 16 bits into 16 or more bytes. Did they just not see a need for any form of security when saying what address a site is at?
Would DNS over TLS be a solution to this issue?
I think dnssec would be a better solution. I believe tls or doh could still be poisoned.
Edit: he says this at 10:12
if the connection between the client and server is encrypted, there's no opportunity to send a spoofed response, since you'd need to crack the encryption to send a response on that specific request, right?
dnssec just takes this a step further with trusted dns servers
DNSSEC is the answer, not DNS over TLS. However, if the server isn't supporting DNSSEC which a LOT do not, or it not enabled. . .then it's game on.
@@juliankandlhofer7553 The opportunity would be to MITM the client recursive name server, which could be easier or harder depending on the privacy profile (opportunistic or out-of-band key-pinned, see RFC7858 section 4).
@@cosmicrider5898 You're only partially correct, because who decides who is a 'trusted' domain name server? If you trust anyone to be that 'trusted' party, then by default you can no longer trust them. Anyone who gains that must trust is immediately untrustworthy, lol... That's the facts of life. What you need is DN SEC where we trust individual domains by their public keys which only they have the private key for... Where we dont trust domain name servers but we trust individual domains proving who they are themselves. We can't trust any central authority to give us the truth, because with that trust they will always use it to lie. Instead we have to determine the individuals that we trust and only rely on our own ability to verify they are who they say they are and if we believe or better yet know we can trust them. G000gle is not to be trusted they can't even let TRUE information not be censored due to pharmaceutical interest for people to believe something that is true is not true... Because if people believe something that is true is not true then they equal big money for the pharmaceutical companies, and if they know the truth that money is greatly diminished. These companies aren't out for our best interests but for their own and their friends.
0:44 *China Great Firewall: Let me introduce myself*
please also explain DNS over HTTP?
Watching Mike pounding out these drawings, improving them a bit and not worrying about being perfect is kind of relaxing. Bob Ross as an excited hacker!
What i dont understand about this DNS Cache Poisoning is: If my DNS resolver asks an outside DNS server to resolve for fish.google.com, it talks to an IP address of the public DNS lets say 1.1.1.1. If then a malocious answer with the correct querryID comes in, it likely wont have the correct source IP as the device probably sits within your local network. Im guessing the DNS resolver does check this while receiving responses. So is there source IP spoofing going on as well for this attack?
but why does it even accept the response if it comes from another ip then the request where send to?
So what exactly happens when we change the DNS id on out phone (eg: change it to 1.1.1.1 instead of what was there before, which is the dns for cloudflare. But still what does that mean or do?)
It is skimmed over in this video but if you watch the other DNS explanation, that IP is the IP of the first DNS server you will ask (which in turn may ask other DNS servers)
Do you also have to do IP spoofing?
I was just looking up how to flush a dns cache and this popped up thanks desperate storage saving me
More mr pound
10.0.9.9 being a private address is kind of a bad example. But good presentation
I'm pretty sure that's intentional so they don't accidentally slander a random public IP address.
i will be using DNS for comunication trough dns resolv messages. is a simple project, but with great potential.
im curious whats gonna happen when i point 2Dns servers to resolve eachother, each other beeing the others dns server, but beeing dns server itself.
My guess: They just start sending every request that comes in round forever until both name servers become unresponsive because all they do is send queries to each other.
@@cameron7374 Have you got no hope at all in people who designed such fundamental service?
@@Mr.Leeroy I do have hope in them but if the specification says to ask the next DNS server if you don't know and they both point at each other, that is what will happen and not a flaw in the technology but rather user error. I mean, something like this can already happen with some routing protocols for regular routers where they establish a path that leads in a circle, in the hopes the next router knows where to send the packets. That's called a broadcast storm and it's the job of whoever is setting up the network to set it up in a way where it doesn't happen.
Hello, the NS will receive a malicious answer from a different IP than the one that used for the query, right? Why will it accept it?
That is an option you can enable in at least some DNS servers, and could even be a default setting. But it takes time/processing power to check, reducing throughput.
In the early days of the internet the standards weren't created with lots of security built in. By now we've learned and there is more thought put in to the security of newer standards or changes to existing standards to make them more secure. But lots of newer and more secure features are optional, because of the unwillingness to break backwards compatibility with older devices/software.
I love spiderman teaching me about networking
What exactly is multicast dns and .local domain?
Apple Bonjour and Zeroconf use multicast DNS. Basically how this works is your devices for example Google Chromecast periodically sends a DNS packet to a multicast address that gets broadcast to all devices connected to your LAN or those who subscribed to said multicast address saying 'I am a chromecast, you can use my services x, y. and z at IP address such and such'. The .local Top Level Domain is one reserved for private usage - for example on your LAN - and will not be resolvable in the internet. Avahi (Linux) would be one example of a zeroconf implementation making use of the .local TLD.
do not use .local unless you know what you are doing
What if they send a key with it and say "send the response encrypted with this key" and randomize that key every time? That would add another element the attacker would need to guess in order to be successful
So a fortigate FW/router that is using https but with no certificate could fall into this attack?
Why not make the query ID 64 bits, or more?
RIP Dan
how you find a dns poisonous computer in the network ? how can i detect it ?
My registrar supports DNSEC. But what are the downsides of enabling it though? (because it's off by default.)
The downside WHICH IS MAJOR is that you're trusting a untrustworthy third party to vet your domains instead of yourself. Only we can trust who we communicate and make network transactions with, a third party will 100% of the time LIE TO US.
2:26 That's a real Parker Square of a Jolly Roger.
Indeed👏
How we prevent this attack how we resolve this if attacker poisoned my caches
I'm using DNSSEC via Cloudflare on my Piehole. Highly recommend it.
why dont they just query multiple name servers and compare different responses to use the most common/trustworthy response ?
I am bit confused. If the attacker is sending false replies to the requester due to the fact that the valid reply is taking too long. isn't that DNS spoofing rather than DNS poisoning? DNS poisoning is when the attacker alters the dns-name-to-ip mapping. Isn't this video explaining spoofing rather than poisoning?
Since a majority of TLS certificate issuance systems rely on DNS verification to prove ownership of a domain, could you not also issue yourself valid certificates for the domain you have poisoned? Then, combined with the DNS sending people to your site, you also have browsers validating the server is legitimate?
no, because in general those certificates are signed by a central authority, and since you don't have their key you can't sign your own certificate. So if you were paying attention to your browser, it would complain that the site isn't signed. Chrome does this very aggressively these days.