RedWolf Security Comprehensive DNS Testing
December 19, 2015
Enterprise DNS is rarely simple, but one truth holds: a DDoS against vulnerable DNS can cause the most catastrophic outages. A DNS DDoS can easily generate millions of requests per second.
Enterprise DNS deployments are often a mix of beefy DNS servers, load balancers performing DNS caching, DDoS mitigation appliances, third-party DNS hosting and CDNs.
Types of DNS Vectors RedWolf Supports (Q1 2016):
DNS Query Attacks:
Protocol:
IPV4 UDP
IPV4 TCP
IPV6 UDP
IPV6 TCP
Query Types Supported:
ANY
A
AAAA
CNAME
PTR
HINFO
MINFO
MX
TXT
Parameters:
Randomize DNS Query Prefix (___.domain.com)
Queries can be positive/negative
DNS Packet ID can be specified
Recursive Iterative Query (DNS Scraping)
Spoofing (supported only with local RedWolf VM)
Malformed DNS Attacks:
Illegal characters in payload
Zero payload
Bad DNS (non-RFC-compliant)
DNS Reflection Attacks:
Protocol:
IPV4 UDP with optional EDNS0 (RFC 2671) for UDP replies larger than 512 bytes.
IPV4 TCP
IPV6 UDP with optional EDNS0 (RFC 2671) for UDP replies larger than 512 bytes.
IPV6 TCP
Types of traffic:
Any DNS response packet can be replayed.
Standard reflection attack default is UDP IPV4
DNSSEC Replay requires pre-setup to capture packets signed by DNSSEC zone.
TCP DNS Attacks:
Types:
TCP SYN flood
TCP hanging connection flood
TCP chargen (random stream of bytes) protocol stream
DNS Cache Poisoning Attack
(requires a local RedWolf VM; not a direct attack against a DNS server but a man-in-the-middle attack)
DNSSEC
Records Supported:
DLV – Publishes DNSSEC trust anchors outside of the DNS delegation chain.
DNSKEY – Key record used in DNSSEC.
DS – Identifies the DNSSEC signing key of a delegated zone.
NSEC – Used to prove that a name does not exist.
NSEC3 – Extension to DNSSEC that allows proof of nonexistence for a name without permitting zone walking.
NSEC3PARAM – Parameter record for use with NSEC3.
RRSIG – Signature for a DNSSEC-secured record set. Uses the same format as the SIG record.
SIG – Signature record used in SIG(0) (RFC 2931) and TKEY (RFC 2930).
TA – Part of a proposal for DNSSEC without a signed DNS root.
TSIG – Authenticates dynamic updates from approved clients.
Zone Enumeration DDoS
Zone enumeration is a type of scavenging attack in which many domains and sub-domains are queried recursively.
The test continually iterates, fetching A records, name servers and MX records, attempting AXFR zone transfers, and using other tricks.
Once the exhaustive list of names is established, query floods begin against all the discovered DNS names simultaneously.
Query Types Supported:
All of the DNS query types listed above, plus:
*
AXFR
IXFR
OPT
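From the defender's side, the two vectors above that leave the clearest trace in query logs are the randomized-prefix flood (high-entropy leftmost labels answered NXDOMAIN) and the zone-enumeration sweep (AXFR/IXFR/ANY requests from one client). The following is an added example, not RedWolf code: it scores per-client query records from a constructed log in a simplified "client qname qtype rcode" format (assumed here, not a real server's format) and flags clients matching either pattern.

```python
import math
from collections import defaultdict

# Constructed sample log, one query per line: "client qname qtype rcode".
# Clients use documentation address ranges; names are placeholders.
SAMPLE_LOG = """\
203.0.113.5 x7k2p9.example.com A NXDOMAIN
203.0.113.5 q1m8zt.example.com A NXDOMAIN
203.0.113.5 v0b3wr.example.com A NXDOMAIN
203.0.113.5 www.example.com A NOERROR
203.0.113.9 example.com AXFR REFUSED
203.0.113.9 example.com ANY NOERROR
203.0.113.9 example.com MX NOERROR
198.51.100.7 www.example.com A NOERROR
198.51.100.7 mail.example.com MX NOERROR
"""

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label.
    Randomized prefixes score high; ordinary labels like 'www' score low."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_sources(log_text, nx_ratio=0.5, entropy_bits=2.0, min_random=3, min_xfer=2):
    """Return {client: set of findings} for clients that look like a
    random-prefix flood or a zone-enumeration sweep. Thresholds are assumptions."""
    per = defaultdict(lambda: {"n": 0, "nx": 0, "random": 0, "xfer": 0})
    for line in log_text.splitlines():
        client, qname, qtype, rcode = line.split()
        s = per[client]
        s["n"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            # Leftmost label is where the "___.domain.com" prefix is randomized.
            if label_entropy(qname.split(".")[0]) >= entropy_bits:
                s["random"] += 1
        if qtype in {"AXFR", "IXFR", "ANY"}:
            s["xfer"] += 1
    findings = {}
    for client, s in per.items():
        hits = set()
        if s["nx"] / s["n"] >= nx_ratio and s["random"] >= min_random:
            hits.add("random-prefix-flood")
        if s["xfer"] >= min_xfer:
            hits.add("zone-enumeration")
        if hits:
            findings[client] = hits
    return findings
```

In production the NXDOMAIN ratio and entropy thresholds need tuning against the zone's normal traffic, and the counts should be taken over a sliding time window rather than the whole log.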