DNS Cache Snooping: checking whether a hostname resides in the cache of the nameserver the users are currently using.
After hearing the word "snooping", the first thing that comes to mind is: what is snooping?
Snooping means spying on something, or secretly looking at something to find out something really important.
So now you know that we are going to snoop around the DNS server.
So let's start.
1. Introduction:
DNS servers (name servers) are the servers that resolve a hostname to its IP address. There are numerous DNS servers out there, each of which resolves specific domains and stores specific DNS records. Those records can be of types such as A, MX, NS, AAAA, etc.
All DNS servers are connected together to form a hierarchical DNS network. For example, if we nslookup any website, it will give us the address of the server that answered, the name, and the address (or addresses, if the website has several).
Let's check it out for www.google.com:
# nslookup www.google.com 192.168.1.1
Server:    192.168.1.1
Address 1: 192.168.1.1

Name:      www.google.com
Address 1: 173.194.35.148
Address 2: 173.194.35.144
Address 3: 173.194.35.147
Address 4: 173.194.35.145
Address 5: 173.194.35.146
Note: All these commands were tested on Linux. The output may vary on a different OS.
We can see clearly in the above output that the query returned several different addresses, which are used for load balancing of the server.
2. DNS Queries:
We all know that the main job of any DNS server is to respond to the queries it receives.
Whenever the DNS server receives a query for the IP address of a domain, it looks for the address of that domain in its cache.
If it is found in the cache, the server quickly returns the IP addresses; if not, it forwards the query to another DNS server.
Whenever the server receives a query, it checks which type of query it is.
Whether it is:
1. Recursive query.
2. Iterative (non-recursive) query.
3. DNS cache snooping.
1. Recursive query: since the DNS server does not have knowledge of the hostname in the query, it asks its own upstream DNS server to resolve it. A recursive query thus always returns the IP address of the domain or hostname, if such an IP exists.
2. Iterative query: if the DNS server does not have knowledge of the hostname in the query, it returns a list of DNS servers which might have the information about the hostname.
3. DNS CACHE SNOOPING:
a) When non-recursive queries are enabled
DNS cache snooping is the process of figuring out which queries the DNS server has already resolved.
DNS cache snooping can be useful if we want to check which hostnames the local network has already resolved.
This means that nodes on the local network using that DNS server (the server we are connected to, on the local network we are connected to) requested a specific hostname in the recent past, which can be used to snoop on the webpages that the users are visiting.
* A DNS server is susceptible to DNS cache snooping if we can make a non-recursive query to it asking for an already resolved hostname and get an answer.
To check whether the DNS server is susceptible to cache snooping, we can try to find out the IP address of a hostname by querying the DNS server non-recursively.
Example:
# nslookup -norecursive -type=A www.xyz.com
Server:    x.x.x.x
Address:   x.x.x.x#53

Non-authoritative answer:
*** Can't find www.xyz.com: No answer
Don't be put off by the look of that output. It looks like this because our DNS server was not able to reveal the IP address when we ran the query with the "-norecursive" option. But we want it to reveal the address.
So before running with "-norecursive" again, we will run the same query with the "-recursive" option.
Now let's see:
# nslookup -recursive -type=A www.xyz.com
Server:    x.x.x.x
Address:   x.x.x.x#53

Non-authoritative answer:
Name:      www.xyz.com
Address:   x.x.x.x
Here we can see that after using "-recursive" it displays the name and IP of the hostname.
Note that if we now run the query with "-norecursive", it will also display the name and IP for the same hostname, because the entry now exists in the cache of the DNS server.
# nslookup -norecursive -type=A www.xyz.com
Server:    x.x.x.x
Address:   x.x.x.x#53

Non-authoritative answer:
Name:      www.xyz.com
Address:   x.x.x.x
Thus we have seen how to figure out whether a DNS server is vulnerable to cache snooping.
b) When non-recursive queries are disabled
For your information, non-recursive queries are not guaranteed to be available: they can be disabled by the administrator when configuring the DNS server. But even when non-recursive queries are not allowed and we are left with only recursive queries, there are other ways to tell whether the answer for the hostname we are querying was taken from the cache or not. This can be done in two ways:
1. By checking the time the query takes to process:
If the query time is about the same as the time it takes to send packets to the server, then it is quite likely that the entry exists in the cache and was answered from there. We can check this by using the ping command and looking at the RTT (round-trip time) of the ICMP packets sent to the server. Let us look at an example:
# ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_req=1 ttl=47 time=29.7 ms
64 bytes from 8.8.8.8: icmp_req=2 ttl=47 time=30.7 ms
64 bytes from 8.8.8.8: icmp_req=3 ttl=47 time=30.6 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 200ms
Now we have the time used to send packets to the server. Next we check the query time by requesting a hostname from that DNS nameserver. We will be using the dig command here:
# dig @8.8.8.8 www.google.com

; <<>> DiG 9.9.1-P2 <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39294
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com.         256     IN      A       173.194.35.146
www.google.com.         256     IN      A       173.194.35.144
www.google.com.         256     IN      A       173.194.35.145
www.google.com.         256     IN      A       173.194.35.147
www.google.com.         256     IN      A       173.194.35.148

;; Query time: 31 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; MSG SIZE  rcvd: 123
Now compare the two timings, the ping RTT and the query time. Here we found that both timings are the same, which shows that the hostname already exists in the cache. Do the same for any other hostname you wish and look at the output; based on the timing you will know whether that particular hostname is in the cache or not.
2. By checking the TTL when querying the vulnerable DNS server:
As we have no choice other than using recursive queries, the other way to determine whether the hostname exists in the cache is to look at the TTL value, which should be low if the entry is already cached. We can check the TTL value by executing the command below:
# nslookup -type=A www.google.com 8.8.8.8 -debug
Server:    8.8.8.8
Address:   8.8.8.8#53

------------
    QUESTIONS:
        www.google.com, type = A, class = IN
    ANSWERS:
    ->  www.google.com
        internet address = 173.194.35.146
        ttl = 300
    ->  www.google.com
        internet address = 173.194.35.148
        ttl = 300
    ->  www.google.com
        internet address = 173.194.35.144
        ttl = 300
    ->  www.google.com
        internet address = 173.194.35.145
        ttl = 300
    ->  www.google.com
        internet address = 173.194.35.147
        ttl = 300
    AUTHORITY RECORDS:
    ADDITIONAL RECORDS:
------------
Non-authoritative answer:
Name:      www.google.com
Address:   173.194.35.146
Name:      www.google.com
Address:   173.194.35.148
Name:      www.google.com
Address:   173.194.35.144
Name:      www.google.com
Address:   173.194.35.145
Name:      www.google.com
Address:   173.194.35.147
In the above output the TTL value is considerably low (i.e. 300), which means that this hostname already resides in the cache of the DNS server. Similarly we can check other hostnames of our choice to see whether they reside in the cache or not.
CONCLUSION:
So friends, here we come to the end of this tutorial. We have seen how we can query a DNS server to tell us whether a hostname exists in its cache or not, i.e. whether it has already been resolved by that specific DNS server. This can be used to find out which hostnames the users of that server have been visiting recently.
NOTE: Here we have not discussed how to snoop on the webpages themselves, but I will update this too; research on that is in progress, so stay tuned.
Thank you for reading.
Admin
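As an added example (not part of the original post), the script below does in code what sections a) and b) above do by hand with nslookup and dig: it builds an A query with the RD (recursion desired) header flag set or clear, parses the reply, and reports whether a non-recursive query was answered at all (section a) and whether the answer's TTL sits below the zone's own TTL (section b). It uses only the Python standard library; the reply it parses is constructed inline rather than captured, and the address 192.0.2.10 and the zone TTL of 300 are placeholders.

```python
import struct

def encode_name(name):
    """Hostname -> DNS wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, recursion_desired, txid=0x1234):
    """A-record query; RD clear (nslookup -norecursive) lets the resolver answer only from cache."""
    flags = 0x0100 if recursion_desired else 0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def read_name(data, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end = [], None
    while (n := data[off]) != 0:
        if n & 0xC0 == 0xC0:  # compression pointer back to an earlier name
            end = end or off + 2
            off = struct.unpack(">H", data[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(data[off + 1:off + 1 + n].decode())
            off += 1 + n
    return ".".join(labels) + ".", end or off + 1

def parse_response(data):
    """Return rcode, RA flag and (name, ttl, address) triples from a reply."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    off, answers = 12, []
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4  # skip QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:  # A record: render as dotted quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, ttl, rdata))
    return {"rcode": flags & 0xF, "ra": bool(flags & 0x0080), "answers": answers}

def answered_from_cache(resp):  # section a): an RD=0 query answered at all => cache hit
    return resp["rcode"] == 0 and len(resp["answers"]) > 0

def ttl_counting_down(resp, zone_ttl):  # section b): cached answers carry a TTL below the zone's
    return any(ttl < zone_ttl for _, ttl, _ in resp["answers"])

def sample_reply(name, addr, ttl, txid=0x1234):
    """Constructed reply (not captured traffic): QR and RA set, RD clear, one A answer."""
    hdr = struct.pack(">HHHHHH", txid, 0x8080, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack(">HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in addr.split("."))
    return hdr + question + rr
```

To test a resolver you administer, send the output of build_query() over UDP to port 53 and feed the reply to parse_response(); a single TTL reading is weak evidence on its own, so compare two readings a few seconds apart and look for the value counting down.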
