8.9 KiB
DNS Concepts and Security Implications
DNS Protocol Fundamentals
DNS (Domain Name System) is a distributed hierarchical database that translates human-readable domain names into IP addresses. Understanding DNS deeply is critical for both defending networks and understanding attack vectors.
The DNS Hierarchy
[Root Servers]
a-m.root-servers.net
|
+----------+----------+
| |
[.com TLD] [.org TLD]
TLD nameservers TLD nameservers
| |
+-----+-----+ |
| | |
[example.com] [google.com] [example.org]
Authoritative NS Authoritative NS
The trace command (dnslookup/resolver.py:293-426) implements walking this hierarchy. It starts at root servers (resolver.py:307-312):
root_servers = [
("a.root-servers.net", "198.41.0.4"),
("b.root-servers.net", "170.247.170.2"),
("c.root-servers.net", "192.33.4.12"),
]
These 13 logical root server addresses (actually hundreds of physical servers via anycast) are hardcoded into every DNS resolver.
DNS Record Types
The project supports eight record types (dnslookup/resolver.py:24-33):
A Record (IPv4 Address)
- Maps domain to 32-bit IPv4 address
- Example:
example.com → 93.184.216.34 - Security note: Can be hijacked to redirect traffic
AAAA Record (IPv6 Address)
- Maps domain to 128-bit IPv6 address
- Attackers increasingly target IPv6 due to less monitoring
MX Record (Mail Exchanger)
- Specifies mail servers for a domain
- Has priority field (
resolver.py:148-150) - Security: Reveals email infrastructure, can be spoofed for phishing
NS Record (Name Server)
- Delegates a zone to specific DNS servers
- Critical for understanding DNS hierarchy
- Attackers target these for DNS hijacking
TXT Record (Text Data)
- Arbitrary text, often used for:
- SPF (email sender verification)
- DKIM (email signing)
- Domain verification
- Sometimes abused for DNS tunneling
CNAME Record (Canonical Name)
- Alias from one domain to another
- Can create long chains that impact performance
- Security: Can be used to hide real infrastructure
SOA Record (Start of Authority)
- Contains zone metadata (
resolver.py:153) - Shows primary nameserver and serial number
- Reveals zone transfer configuration
PTR Record (Pointer)
- Reverse DNS mapping (IP → hostname)
- Used in email validation and logging
- Absence indicates poor infrastructure hygiene
How DNS Resolution Works
When you query www.example.com, here's what happens (implemented in resolver.py:293-426):
-
Query Root Server (
resolver.py:319-328)- Ask root server about
.com - Root refers to
.comTLD servers
- Ask root server about
-
Query TLD Server (
resolver.py:359-380)- Ask TLD about
example.com - TLD refers to authoritative nameservers
- Ask TLD about
-
Query Authoritative Server (
resolver.py:329-348)- Get the actual answer
- Response marked authoritative
-
Cache Result
- TTL field controls cache duration (
output.py:52-61) - This project doesn't cache (fresh queries every time)
- TTL field controls cache duration (
The trace function shows this visually (output.py:266-310).
Security Concepts
DNS Cache Poisoning (CVE-2008-1447, Kaminsky Attack)
DNS responses lack strong authentication. An attacker can:
- Send query to victim's DNS server
- Flood with forged responses before real answer arrives
- If forged response arrives first and has correct transaction ID, it's cached
Defenses:
- DNSSEC (cryptographic signatures)
- Randomized source ports
- Transaction ID randomization
This tool doesn't implement DNSSEC validation but shows you raw DNS data to understand what could be spoofed.
DNS Tunneling (MITRE T1071.004)
Exfiltrating data through DNS queries. An attacker might:
- Encode stolen data in subdomain:
<base64-data>.attacker.com - Their authoritative server logs all queries
- Data extracted from DNS query logs
The TXT record support in this tool shows how much data can fit in DNS (resolver.py:151-152):
elif record_type == RecordType.TXT:
value = rdata.to_text()
TXT records can be 255 characters per string, multiple strings per record.
DNS Reconnaissance (MITRE T1590.002)
Attackers use DNS to map infrastructure before attacks:
- A/AAAA records reveal IP addresses and hosting providers
- MX records show email infrastructure
- NS records expose DNS provider
- TXT records leak SPF/DKIM configurations
The batch command (cli.py:266-350) demonstrates automated reconnaissance at scale.
DNS Amplification DDoS
Attacker sends small DNS queries with spoofed source IP (victim's address). DNS server sends large responses to victim. Amplification factor can be 50x.
How to spot it:
- Unusual query patterns
- High volume of ANY queries (deprecated)
- Queries for large TXT/DNSSEC records
DNS Hijacking
Compromising DNS infrastructure to redirect traffic:
- Registrar compromise: Change nameserver records
- Nameserver compromise: Modify zone files
- Cache poisoning: Inject false records into resolvers
- BGP hijacking: Route DNS traffic to attacker
Real incidents:
- Sea Turtle (2019): Targeted government DNS infrastructure
- MyEtherWallet (2018): BGP hijack redirected to phishing site
DNS Privacy Issues
Every DNS query is visible to:
- Your ISP's DNS resolver
- Authoritative nameservers
- Any intermediate network
This reveals browsing history. Solutions:
- DNS over HTTPS (DoH): Encrypts queries in HTTPS
- DNS over TLS (DoT): Encrypts queries in TLS
- DNSCrypt: Encrypts and authenticates
This tool doesn't implement encryption but uses standard UDP port 53 queries.
Time-to-Live (TTL) Security
TTL controls caching duration (output.py:45-61). Low TTL means:
- More queries hitting authoritative servers
- Faster propagation of changes
- Less opportunity for stale poisoned caches
High TTL means:
- Reduced load on DNS infrastructure
- Slower incident response
- Poisoned records persist longer
Attackers can set low TTLs on malicious domains to evade blacklists.
DNSSEC Validation
DNSSEC adds cryptographic signatures to DNS records. Each zone signs its records with a private key. Resolvers verify signatures using public keys.
Chain of trust:
- Root zone signs
.compublic key .comsignsexample.compublic keyexample.comsigns its own records
The WHOIS command shows DNSSEC status (whois_lookup.py:113-114):
if hasattr(w, "dnssec"):
result.dnssec = str(w.dnssec) if w.dnssec else None
Error Responses and Their Meanings
The resolver handles multiple error conditions (resolver.py:181-189):
NXDOMAIN: Domain doesn't exist
- Could indicate typosquatting attempts
- Useful for detecting malware C2 using DGA (domain generation algorithms)
NOERROR with empty answer: Domain exists but no record of that type
- Indicates misconfiguration or incomplete setup
SERVFAIL: Server encountered error processing query
- Could indicate DNSSEC validation failure
- Might suggest DNS server under attack
Timeout: No response received
- Network issues
- Firewall blocking
- DNS server overloaded or down
Async Operations and Performance
DNS queries are I/O-bound. The tool uses asyncio for concurrency (resolver.py:233-242):
tasks = [
query_record_type(domain, rt, resolver) for rt in record_types
]
query_results = await asyncio.gather(*tasks, return_exceptions=True)
This queries all record types simultaneously instead of sequentially. For 7 record types with 50ms latency each:
- Sequential: 350ms
- Concurrent: 50ms
The batch command applies this to multiple domains (resolver.py:428-440).
Common Mistakes and Misconceptions
Mistake 1: Trusting DNS responses DNS has no built-in authentication. Without DNSSEC, responses could be forged.
Mistake 2: Hardcoding IP addresses to avoid DNS IPs change. Cloud services use dynamic IPs. DNS provides flexibility.
Mistake 3: Ignoring reverse DNS PTR records help validate server identity. Their absence is suspicious.
Mistake 4: Not monitoring DNS queries DNS query logs reveal reconnaissance, data exfiltration, and C2 traffic.
Mistake 5: Caching too aggressively Stale DNS data can persist long after infrastructure changes.
Industry Standards and References
OWASP References:
- Testing for DNS Zone Transfer (OTG-INFO-002)
- Testing DNS Spoofing (OTG-INPVAL-007)
MITRE ATT&CK Techniques:
- T1071.004: DNS tunneling for command and control
- T1590.002: DNS reconnaissance
- T1584.002: Compromise DNS infrastructure
RFCs to Study:
- RFC 1035: DNS specification
- RFC 4033-4035: DNSSEC
- RFC 7858: DNS over TLS
- RFC 8484: DNS over HTTPS
Next, see 02-ARCHITECTURE.md for how this tool implements these concepts in code.