Protect your name: how to secure DNS servers?

Whenever we are talking about network communication, first thing is to resolve the name. We need to have a way to ensure that the name that you are using in an application is translated to the IP address that is actually for this server. We will be talking about DNSSEC. Let’s dive in!

What’s the environment?

Before we begin working with the DNSSEC, let me introduce our environment. We have a Windows 10 client machine, which IP address is 10.1.1.101, and it’s set that it’s using the DNS server under IP 10.1.1.1. This is our domain controller for the same domain that is both Windows 10 so it’s cqure.lab.

We have also on this domain controller the DNS server, which has the zone cqure.lab. We also configured on that DNS server a forward lookup zone. We also configured on this DNS server a conditional forwarder for the domain racoons.lab, and it’s set for the GW01 server with the IP address 10.1.1.254. On this server we have a DNS server that is responding to the racoons.lab.

We also have an attacker’s machine, which is actually KALI LINUX, and the IP address of it is 10.1.1.115. We will be using this machine to host our danger application that will be spoofed by using DNS pro zoning and we will actually use an ARP spoofing to substitute the responses sent from gateway, so from this GW01 server to the SDC, for any requests regarding racoons.lab.

DNS servers

So, whenever the client computer will ask our DNS server for the www.racoons.lab, KALI LINUX machine will try to redirect the traffic by substituting the DNS queries responses to the KALI LINUX IP address instead of going to the safe website, which is on the 10.1.1.1 server. So, let’s see it in an example.

First of all, I will start the service on the KALI LINUX machine and verify what is the IP address of this machine: it’s 10.1.1.113. So, let’s move to the Windows 10 machine. And, first of all, let’s clear anything that was previously used on this machine. Clear the IPconfig and flush DNS.

Now, what I want to do is just simply to start the Internet Explorer. Let’s be in it. And go to http 10.1.1.1, this is the safe website. And, we have the second server, which is KALI LINUX with an unsafe webpage. What I want to get is when I type http www.raccoons.lab I want to get to the safe website. The attackers will try to spoof this and to get the responses redirecting to different server.

Don’t forget to clear the cache

Let’s clear the cache again. Okay, the cache is cleared. Let’s close the browser. So we are sure there’s nothing cached there. And, let’s go to the SDC neutral machine; so it’s our domain controller. On this domain controller, let’s clear the cache and also clear the DNS cache. So I have this command here: it’s clear DNS server cache. Of course, yes, I’m allowing for that.

What else I can do is actually clear the cache on the DNS Manager. So, this is the same as clearing it through the PowerShell. I have here a conditional forwarder that is set to the IP address 10.1.1 254. So each request for racoons.lab is going to this IP address to resolve it.

So, let’s go to that server. Okay, let’s see it. On that server, this is GW01 We have a forward lookup zone, which is racoons.lab, and we have only one entry here for host A that is www, which is pointing to the SDC on which we have the safe webpage.

DNS servers

Okay, so now let’s see what we can do without DNSSEC applied to the servers. First of all, let me show you etc/ettercap/etter.dns. In the DNS configuration for the plug in for the ettercap, which is a very powerful tool, we will have entries for www.racoons.lab. And we have record A and information that this is our IP address of actual LINUX machine. So let’s close it. And let’s start ettercap with graphic user interface. It will be easier to perform it.

Man-in-the-middle attack

First, of all we need to sniff. It will be unified sniffing, on the ethernet 0. Next, let’s see the hosts and let’s scan for the hosts on the network. It’s scanning. It will show me all the hosts that are available right now. So I have the target machine, which is SDC, and the target machine, which is a gateway. I will perform ARP spoofing between those two neutral machines and perform man-in-the-middle attack based on this.

So, I selected the targets, now on the man-in-the-middle attack, I’m using ARP poisoning, sniff remote connections, okay, so it’s started to perform the attack. And, now I want to use the plugins and one of the built-in plugins is DNS spoof. I just enabled it, and the last part is start sniffing. So, whenever I start sniffing here, you see that request for www.racoons.lab will be substituted with actual IP address of the LINUX machine.

So, let’s switch to Windows 10 machine. And now let’s try to resolve the names for www.raccoons.lab. As you can see, this time it’s already 10.1.1.113. So as you can imagine, if I open the Internet Explorer and go to the www.raccoons.lab I will get unsafe webpage. So, basically the DNS spoofing was successful.

Next – enabling the DNSSEC on the gateway

On this computer, I can just simply make DNSSEC and sign the zone. This will generate the keys and of course I can customize everything but for the demo purpose I will just simply use the default setting for signing the zone. This is very simple. It’s creating KSK Key for signing the zone. The algorithm will be RSA-256 with 2 kilobits of key. So, let’s try to do this next.

It’s signing. When I refresh, from my sign here, you will see much more information.

There are entries for RR Signatures for the DNS KEYs that are used for the encryption, for the signing actually for the zone, and we have also here NSEC3 parameters for signing. And for every entry that we have here, for example, www we have also a signature here that is with the information about this particular entry. So, this is the signature in base 64 form for www.racoons.lab.

DNS servers

Okay let’s see, if this is changing anything on our servers. So let’s go first to SDC01. Let’s clear the cache. Okay, the cache was cleared. And let’s now try to resolve the name for the racoons.lab. Okay, still getting the information that the IP address was spoofed. Let’s try to flush DNSSEC and let’s try to do it again.

This time I’m sending information that I’m able to consume the DNSSEC address. In this case, I got nothing. Let’s try to do this against the GW01 Server. Okay, still nothing because I’m substituting the older response from the server GW01 with the responses made by the KALI LINUX.

Let’s see what will happen if I stop the spoofing.

Okay, so let’s go to the KALI LINUX. Okay, start stop sniffing, let’s try do it again. On SD01 first clear DNS server cache. Yes. Now, let’s try to do it.

(I didn’t stop the man-in-the-middle attack. Let’s try to do it again. Man-in-the-middle, stop man-in-the-middle attack, okay. Stopping it. Yeah, stopped. Let’s go back.)

This is my SDC so let’s flush this one. Yes, and now let’s try to do it again. Yeah. Now I’m getting the correct answer. Let’s try to see what will happen if I use with DNSsecOK the switch.

Now I’m getting additional information about this signature for that entry. I can also ask it directly on that remote server, and I will get also the information about the signature on the server. So, is it preventing me from getting the responses that are not valid? Actually, not yet.

DNS servers

First, let’s try to get the trustAnchor for that zone. To get it, I will query the remote server, okay, for the DNS KEYs. These are the four keys that are used here for actually making a signatures. data, as a dnservertrustsnchor for this zone.

Now, if I go to the trust points on my DNS, let’s see. There is nothing. If I add right now those keys and refresh the trust points, I’m actually getting the entries for the DNS KEYs.

So, let’s try and verify what will happen right now. Still, I do not get additional information without setting the DNSSEC. This is getting me also all the information.

Let’s now try to resolve the name on the server.

So I will close this website. Okay. Close it, just simply flush DNS, and I will ask first, for just racoons.lab; it’s getting the correct response.

If I ask it on the gateway server and say that I want to get DNSSEC, I’m getting the signature. If I try to get it from my local DNS server for this Windows 10 machine from the SDC01, I’m getting also the signature here.

Let’s try to get the signature for the zone that is not signed. There is nothing because cqure.lab is not signed. Okay, so let’s now try to again spoof the DNS responses from KALI LINUX. Let me sign in. Okay, I’m starting again the ARP poisoning. And, again starting sniffing. So, let’s go to SDC, let’s clear the cache and let’s clear the local IPconfig cache of the DNS. Let’s try to do it.

This time I’m getting information about the record server failure because I cannot actually verify the information with the signature that I have a trustAnchor currently. Let’s try to do this with DNSSEC: still not possible.

Let’s try to do it directly on the gateway server. This time, it’s saying okay that was the response directly, which I’m getting from the gateway server. It’s not from the gateway; it’s from the KALI LINUX. So, if I’m trying to ask for the response from gateway. It’s allowing me to get the response.

Let’s do this on the Windows 10 machine.

Now I will try to request for racoons.net again. And the response is actually exactly the same as on the server. So, my DNS server is rejecting the response because it’s not signed with the keys that I have in the trustAnchor.

So, the only last part, which I actually should perform is to enable NRPT policy on my servers. So, I will stop again the DNS spoofing and stop man-in-the-middle attack. And try to do it again on the Windows 10 machine. The requests.

Oops now I’m still getting information that’s not correct one. Let’s try to clear the cache. Let’s verify. Okay, it’s the correct one. It’s getting the signature. Let’s go now to the Windows 10 machine. And now, I can try to get this information again. Now it’s the correct one with the signature. Everything’s good. But usually we are just asking for using the DNS names. Without additional switch for getting the DNSSEC record. There is something called NRPT policy. So, we can assign the domains for which we are enforcing the need to use the DNSSEC. Let’s try to do this.

Assigning the domains

Let’s me go to the SDC. So, let’s clear the cache and right now I will create a group policy that will apply NRPT policy for this actual: create a GPO, “DNSsecPolNRPT”. Okay, let’s edit this policy.

In the policies, in the Windows, in the computer, of course, configuration I have a name resolution policy, and I will add it for the racoons. (Remember: never use a wild card here).

Racoons.lab. Enable, require and or create policy. And also in the Advanced Global let’s apply it to both IPv4 and IPv6. Remember at the end apply the policy. So now I can close it. Let’s verify it’s there. Settings. NRPT policies here so I can close it. Now I can switch to Windows 10 machine. And update. Wait until the computer policies’ updated. And verify NRPT policy.

DNS servers

Every time I will be asking for racoons.lab, it will enforce using the DNSSEC So, let’s try it. And as you can see without the DNSSEC switch I’m enforcing to use the racoons.lab.

What will happen if I lose a trustAnchor on SDC01?

Let’s try to remove the trustAnchors for the racoons.lab. Yes, let’s see what’s happening in the DNSSEC, in the DNS console. Refresh this one. And we have no trustAnchor currently. So let’s clear the cache. And let’s go to Windows 10 machine. Let’s see what will happen.

Okay, ipconfig / flushdns. Now let’s try to resolve this one. We are getting information about DNS error unsecure packet. Let’s try to do this on SDC01.

On SDC01, I’m getting the response without any problems, because I am not requesting for DNSSEC and I’m not validating it because there’s no NRPT policy for the domain controller. So, actually, right now without providing theDNSSEC I’m not asking for the DNSSEC. Let me get back the records. Otherwise, it will not be possible to get the responses on the Windows 10 machine because it’s required to be signed withDNSSEC.

I need to refresh. Okay. Let’s try to do it again. Probably on the cache on the server. SDC… Okay, let’s try to do it again. Just to be on the safe side, clear this one and let’s resolve. This time everything is working perfectly.

Now, if I will see that it’s not resolving properly because there is some DNS spoofing it will not allow me to get to racoons.lab website. Oh, it’s caching from Internet Explorer. Of course, refresh it and then we get the secure website.

Remember, if you want to protect your zones always use DNSsec for that. Otherwise, it is possible to spoof the DNS responses and it can redirect you to the not the site or not the server that you are expecting it.

Comments