DNS Cache Poisoning - Computerphile

  • Published on 21 Jul 2020
  • Poisoning the DNS cache is a sure way to serve malware to unsuspecting users. Dr Mike Pound explains some of the ways this has been accomplished.
    This video was filmed and edited by Sean Riley.
    Computer Science at the University of Nottingham: bit.ly/nottscomputer
    Computerphile is a sister project to Brady Haran's Numberphile. More at www.bradyharan.com

Comments • 342

  • @t8102690 3 years ago +888

    Seeing Dr. Pound's eyes light up every time he mentions filling up some random computer with malware gives me so much energy

    • @snghnishant 3 years ago +10

      😂

    • @talhatariqyuluqatdis 3 years ago +2

      Hahaha

    • @johnf7332 3 years ago +15

      I just realized the other day I have 200+ samples on my work laptop. It’s all locked-down and [hopefully] can’t execute, but like... I’m kinda hesitant to pick it up now. Lol
      (I study malware, I’m not just a SUPER infected user)

    • @mrnik.0 3 years ago +20

      Well he works in Internet and Computer Security as far as I know so his job is basically understanding how to fill up some random computer with malware ^^ It's obvious he's doing something he is passionate about which is nice.

    • @thatguywhowouldnotsharehis2062 3 years ago

      @mrnik.0 00

  • @henrahmagix 3 years ago +661

    beautiful pen flip at 10:07

    • @khalid5d3 3 years ago +40

      Now I can't stop replaying it over and over

    • @TheDevilItSelf 3 years ago +4

      Just about to write that, now gonna practice that :)

    • @rajiv8k 3 years ago +21

      @TheDevilItSelf If you haven't figured it out yet, you need to hold the pen such that it is resting on your middle and ring finger. The thumb rests on the pen such that it is slightly off (towards the index finger) from the pen's center of gravity. Now flick the pen around your thumb with the middle finger and the ring finger.

    • @TheDevilItSelf 3 years ago +2

      @rajiv8k thanks dude, that's actually really helpful

    • @jhonbus 3 years ago +2

      I AM INVINCIBLE!

  • @ittvblog 3 years ago +855

    Out of all Computerphile presenters, Dr. Pound, in my opinion, is simply the best! His explanations are bang on and are super easy to grasp. Whenever I see a notification for a video featuring him, I leave everything and start watching it right away.

    • @lythd 3 years ago +6

      I completely agree

    • @nicolasamodeo475 3 years ago +8

      Same! He's super entertaining as well. Computerphile please set up playlists categorized by nottingham staff!

    • @bsvenss2 3 years ago +3

      Totally agree. He’s explaining these things better than anyone else.

    • @klyanadkmorr 3 years ago +6

      His name MIKE POUND is Sooo James Bond character name=PUSSY GALOR

    • @bananya6020 3 years ago +4

      *bang* on for doctor *pound*

  • @trudyandgeorge 3 years ago +27

    Rest in peace, Dan Kaminsky

  • @treyquattro 3 years ago +21

    Dr. Mike Pound's enthusiasm for knowledge is infectious

    • @maxien101 10 months ago

      Truly. I actually started to learn to code watching his videos. Not from them ofc, but the motivation originated here

  • @dexterman6361 3 years ago +35

    It's also important to note that DNS happens over UDP (stateless) so there's no 'connection' to check the response against. For example, in TCP, participating computers establish a connection, and the only response for the request that was sent out is accepted by the requesting server.

  • @_PsychoFish_ 3 years ago +132

    Me: I have to get up early tomorrow.
    Dr. Mike Pound: Wanna know something about DNS Cache Poisoning?
    Me: Tell me everything!
    #sleepis4theweak
    oh and nice pen flip at 10:07

  • @KSigWyatt 3 years ago +6

    No matter what the subject, I always find myself learning something new from Dr. Pound.

  • @rich1051414 3 years ago +80

    Name server poisoning also happened occasionally on accident, due to responding accidentally with an incremented query id, possibly poisoning some later random request. Also, if a DNS has DNS level blocking taking place, and it is treated like an authoritative DNS server, it may 'black hole' your request. As in, send you an IP that is invalid and leads nowhere. This happened to Google servers a while back when they accidentally had China servers listed as authoritative, which was causing global traffic to get black holed due to China censorship.

  • @grayhat_9x 3 years ago +91

    I see Dr. Pound and I like first, then watch

    • @SinanAkkoyun 3 years ago +4

      who are you talking to? That's how it works.

  • @raymondnozomi1657 3 years ago +4

    I really like how he says something and it sounds like it's insanely fun. And simple enough for almost anyone to understand.

  • @UsmanAR 3 years ago +7

    I was looking forward to this video and as always it's amazingly explained by Dr. Mike. I couldn't keep it as he left us with a cliffhanger in the last DNS video and searched about it but still his explanation gave me a better and clear understanding of it. Love his way of teaching

  • @adventurer2395 10 months ago +1

    Major props for making this video despite the earthquake you guys were experiencing.

  • @itayshtainberg7408 3 years ago +75

    It's kind of surprising to hear that most of the global DNS system is not secured with certificates/TLS. Thanks for the great video!

    • @SupaKoopaTroopa64 3 years ago +13

      It's actually quite terrifying, even if a poisoning attack only has like 1/1,000,000,000% chance of working.

    • @cosmicrider5898 3 years ago +1

      Certbot takes like two to three lines of code lol

    • @AndrewFrink 3 years ago +2

      @cosmicrider5898 It's not the name server that is the "hard" part. You can turn that on with the config file on most name servers these days. It's convincing accounting that spending 100,000/yr on the signed certificate is "worth it". Is your ISP really going to pay for that? What if they have to buy a dozen for various bits of their country wide network? Is your work going to buy one for their server? For each branch (yes there are ways around this at the corporate level, but if you have 2 or 3 small offices)?

    • @snmp1612342 3 years ago +1

      This is a chicken and egg issue, without DNS the common name of X509 certificates could not provide the information where a certificate would fit in a global hierarchy so you wouldn't know what to validate it against. This is an issue solved by DNSSEC in a different way that still provides compatibility with regular DNS while maintaining its scalability.

    • @snmp1612342 3 years ago +5

      @Bjorn While that might be true for some ISPs the real reason is that nobody thought about protecting against eavesdropping at the time DNS was invented and it is in such ubiquitous use today that nobody reinvented a perfect enough replacement yet. There are lots of interoperability and scalability issues to solve for any such replacement.

  • @omicronpersei 3 years ago +13

    Well explained as usual. But I kept wondering why name servers don’t simply only accept each query ID from the IP address of the authoritative server they sent the query ID to.
    I found out the reason is that with UDP you can spoof the source IP

  • @dbtechprojects2392 3 years ago +4

    The best presenter, I owe so much of my knowledge to this guy and this channel, glad these videos keep coming out !

  • @makkurotatsu 2 years ago +1

    Thanks for explaining the subject in an easy to understand manner. The next time a client of mine tells me that my recommendation of implementing DNSSEC is "overkill" and "too expensive", I shall point them to this video.

  • @codelog2742 3 years ago +1

    That pen flick tho... OMW!!!
    This definitely makes Dr. Pound the best Computerphile ;)

  • @demonicious_ 3 years ago +25

    Of course Dr. Mike Pound would say that a hacking attack has a "cool" name and is a very "cool" kind of attack.

  • @denizkoc362 3 years ago +14

    Now I won't have to go to tons of lessons in school to learn this thanks to Computerphile 🤙

  • @riotmakerzify 3 years ago +30

    We asked and we received! 🙏🏼

  • @Farhadk1989 2 years ago

    Since Facebook was down yesterday, couldn't that have been the best time for someone to try something like this?

  • @NickHobbs 3 years ago +1

    I studied computer science about 30 years ago, and would have loved to have had a professor like him. I remember buying my first computer magazine about 1980 aged about 7 and being amazed. I used every penny of my pocket money to buy as many magazines and books as I could up until the age of about 17.
    Computers were a different beast then, and the challenges were very different, but I LOVE watching these videos (I no longer program computers) - and I'm in awe of you guys.

  • @SleeveBlade 3 years ago +13

    yay, professor Pound again!!

  • @supernunb3128 3 years ago +5

    Very interesting and well explained, Dr. Pound! I'm kind of curious now though, what's the timeline of when all these different types of attacks and/or defenses started popping up? When did cybersecurity start becoming such a big issue?

  • @lesluna34 3 years ago +63

    As a reptile owner: WHAT'S IN THE BOX!!!!!!

    • @juliankandlhofer7553 3 years ago +17

      a snake. he showed at the end of the last dns video

    • @DominusTerrae 3 years ago +5

      A Cornsnake to be precise

    • @bentoth9555 3 years ago +10

      The answer is always Gwyneth Paltrow's head.

    • @ACupOfKerba 3 years ago

      I had the same question

    • @giovannicabrini8457 3 years ago +1

      @bentoth9555 I read the question with Jack's voice lol

  • @dropcake 3 years ago +4

    I learned more about DNS in your DNS video and this video than I did in my grad network security course.

  • @davidk4682 3 years ago

    Awesome video !!!! Love the animation, so helpful !!! Job well done sir.

  • @arcadesunday4592 3 years ago +2

    Fascinating, and quite a scary prospect. 10:08 - Top class pen trick...

  • @Number_055 3 years ago +12

    I encountered a sysadmin on the internet who used a kind of client side DNS cache poisoning as a security feature. Apparently bots scanning IP addresses for webservers is an extremely common thing. His solution to this was to run his webserver on an unusual port, then reply to all requests to his IP on the default HTTP ports with a HTTP 301: Permanently Moved error, with the TTL set to 1000 years. The result was that anyone who tried to connect to his webserver without a DNS telling them the correct port would have their local DNS cache updated to effectively permanently redirect all further attempts to connect to his site to a different site. This reportedly resulted in a dramatic drop of connection attempts from bots.

    • @Roxor128 3 years ago +1

      That's pretty devious. I love it!

    • @lake5044 3 years ago +1

      I don't get it. But what about the local cache? Every browser that already had a DNS cache will then be permanently blocked (since the browser will never attempt to clear a 301 redirect cache automatically).

    • @Roxor128 3 years ago

      @lake5044 Could be a problem with existing users, but might be able to be worked around by having the bot trap serving up a page saying "If you're seeing this, your browser's DNS cache is outdated. Clear it and try revisiting the site." which the bots will never actually read.

    • @lake5044 3 years ago

      @Roxor128 But then, that's no different than doing the same from your server (i.e. presenting some bot-challenge). I don't see the added benefit from going to such lengths as to purposefully poison your own domain name (maybe some load balancing? But standard load balancing is still much preferred and robust I think)

    • @lake5044 3 years ago

      @Zero Cool What do you mean by "upload more RAM from the cloud"?

  • @MrKaroell 3 years ago +2

    Just today I wrote an exam on distributed systems and security. This video is two days late!
    (But awesome in every other way)

  • @stealthemoon8899 3 years ago +2

    Yo, I've been wondering if this could happen! Great video!

  • @HarryBallsOnYa345 3 years ago +2

    As always another great video from you guys, bonus points for the chessboard, I am curious if it's a finished game or heated battle

  • @lifeisstr4nge 1 year ago +1

    10:07 beautifully choreographed pen-spin flex by Dr. Mike

  • @jadedFk 3 years ago

    Thanks Jarrod! Great vid.

  • @FlashMeterRed 3 years ago +6

    I would love someone to take one of Mike's videos and just superimpose a ghost hand touching his arm every time he lifts his arm to stretch his sleeve out.
    You can't unsee it now

    • @shmunkyman33 3 years ago +1

      I noticed this a while ago and have been wondering if anyone else saw it haha. I hope if he sees this comment he knows it's not a bad thing or that I'm making fun, it's just a cute little quirk!

  • @kristoffseisler2163 3 years ago +1

    thank god i was just thinking about this since the last video about dns

  • @rajeshprajapati1851 3 years ago +1

    Thanks for the great explanation. He's great !!!

  • @mindright9771 3 years ago

    Good explanation of how DNS injection works. Hard to believe DNS servers aren't using certificates until now though. You'd think someone would have figured this out a long time ago, especially given the popularity of SQL injection vulnerabilities and the like that have been used to deliver payloads in databases for years.

  • @ibarvasquez 1 year ago

    Thanks for sharing knowledge ! 👍 Greetings from La Paz Bolivia 🇧🇴

  • @orion7311 3 years ago +2

    I wish my college professors explained topics like this, I would have been more interested in studying. Topics covered here are easier to understand, even though I didn't do CS in college.

  • @pruthalikhankar4427 3 years ago

    Hello,
    Just to say that the content you guys put forth is so helpful in many ways... masters really!!
    Only thing is sometimes it's difficult to understand what they say... myself not quite familiar with the accent...
    please kindly make captions/subtitles available... it will help us to understand better... Thanks in advance

  • @hansisbrucker813 3 years ago

    Great video. 👍
    Could you cover "port knocking"?

  • @sebastiansimon7557 1 year ago

    It feels weird to re-watch Computerphile videos that I already watched years ago for entertainment, but this time because I’m writing a computer science bachelor thesis about DNS security (specifically about the identity management for DANE).

  • @woutvansteenkiste8464 3 years ago +7

    The smooth pen movement on 10:07

  • @waasar 3 years ago +9

    I have only been led to a single login spoofing website recently, but when it was more prevalent years ago it always amazed me how bad or lazy their developers used to be at their job. Most pages were so far off the original that they could only hope to trick the most gullible users.

    • @nielsdegroot9138 3 years ago

      With relatively low costs, it only takes a few suckers to become profitable.

  • @user-dz5my8yc8f 1 year ago

    this is so interesting. thank you!

  • @mo99 3 years ago +1

    Sir Dr Pound, I’d love some explanation on what happened with the Garmin ransomware a few days back

  • @LalliOni 3 years ago

    Watching Mike pounding out these drawings, improving them a bit and not worrying about being perfect is kind of relaxing. Bob Ross as an excited hacker!

  • @scotttroyer 3 years ago

    That casual sharpie spin at 10:07

  • @mheboobkhan9126 3 years ago +4

    Ahhh... DNS cache poisoning, I know everything about it
    Dr. Pound: come here mate !!!👀

  • @DanielKarbach 3 years ago

    Dan Kaminsky is awesome, great talker!

  • @ejonkus5828 3 years ago

    Notice the chosen sharpie pens. They closely match the colours of the surrounding objects.

  • @dansmith5037 2 years ago

    very informative!

  • @kvelez 1 year ago +1

    0:10
    Domain Name System
    0:32
    Poisoning.
    1:01
    DNS
    3:17
    How it works.
    4:29
    Cache poisoning.
    6:06
    Botnet.
    10:08
    Security

  • @sagetechnology4913 3 years ago

    on a related note with the Lancache game download cache service, you have to purposely poison your dns cache, so that when a user wants to download a game that's already downloaded, it gets the game from the server hosting the service, rather than the internet.

  • @qm3ster 2 years ago +1

    Any ideas on how Tor V3 hidden services can start getting nicer names? Some kind of ring of trust situation?

  • @Luftbubblan 3 years ago +1

    Is the query spam the reason why this "attack" is so slow? I have used this kind of attacks in lack of other ways to redirect traffic (and problems with finding captive portals that work) on my own network but I don't find it to work that well :/
    I've tried this multiple times over the years but never found anything that works well so I end up giving up every time hehe.

  • @kerber63 3 years ago

    That spin at 10:06 is lit

  • @KostasKolias 7 months ago

    I believe DNSSEC doesn't rely on PKI and therefore certificates as it is mentioned in the video.

  • @gram. 3 years ago

    I really like the way this guy talks for some reason, I don't know why though

  • @xHaste 3 years ago

    RIP Kaminsky, who passed just 2 weeks ago.

  • @rand.virk.automationvirk8537 1 year ago

    1:54 this is how excited I want to be when talking about anything

  • @SAMathlete 1 year ago

    Wow. The internet is held together with duct tape and twine. It is crazy that the early internet even worked at all without security measures like public key cryptography.

  • @flamablegas6308 2 years ago +1

    Do mobile applications fetch to their sites to work? If so then shouldn't they be vulnerable as well?

  • @stag1739 2 years ago

    I was just looking up how to flush a dns cache and this popped up thanks desperate storage saving me

  • @Tobias-nv3dx 3 years ago +1

    Why don't they simply check if the IP of the one answering is the IP they asked? And won't the Recursive resolver still receive the correct answer a moment later? Couldn't one at least use the second answer to invalidate the cache?

  • @eseseis7251 3 years ago +1

    I will be using DNS for communication through DNS resolv messages. Is a simple project, but with great potential.
    I'm curious what's gonna happen when I point 2 DNS servers to resolve each other, each other being the other's DNS server, but being DNS server itself.

    • @cameron7374 3 years ago

      My guess: They just start sending every request that comes in round forever until both name servers become unresponsive because all they do is send queries to each other.

    • @Mr.Leeroy 3 years ago

      @cameron7374 Have you got no hope at all in people who designed such fundamental service?

    • @cameron7374 3 years ago

      @Mr.Leeroy I do have hope in them but if the specification says to ask the next DNS server if you don't know and they both point at each other, that is what will happen and not a flaw in the technology but rather user error. I mean, something like this can already happen with some routing protocols for regular routers where they establish a path that leads in a circle, in the hopes the next router knows where to send the packets. That's called a broadcast storm and it's the job of whoever is setting up the network to set it up in a way where it doesn't happen.

  • @zilliq 3 years ago

    During this whole video I was thinking "I can't believe nameservers don't authenticate to each other" and then he mentioned they're rolling out DNSSEC and I was like "oh really!" I mean what were they thinking during all these years.
    I guess it's probably more complicated than it seems

  • @ayush.kumar.13907 3 years ago +1

    please also explain DNS over HTTP?

  • @MovingThePicture 3 years ago

    Do you also have to do IP spoofing?

  • @Br3ttM 1 year ago

    Just based on your other videos, why don't these requests between DNS servers use token like when browsers are talking to websites? Just send a request for the IP address, plus a random string, and only accept it if the response matches? They could easily have turned that 16 bits into 16 or more bytes. Did they just not see a need for any form of security when saying what address a site is at?

  • @bazoo513 3 years ago +2

    Ah, how beautiful naive times were those when Vint Cerf, Bob Kahn and others designed TCP/IP stack. It withstood the test of time perfectly, _except_ for security and perhaps the quality of service (and, yes, address space size).
    If memory serves, equivalent standards from ITU (then CCITT) were a tad more robust, but the ones we still use were much simpler and more elegant.

  • @webjunkienl 3 years ago

    What if you're running your own recursive dns like unbound?

  • @rujotheone 3 years ago

    Please could someone explain that Dan Kaminsky trick?

  • @weyderwarr 3 years ago +3

    10.0.9.9 being a private address is kind of a bad example. But good presentation

    • @jay_sensz 3 years ago +1

      I'm pretty sure that's intentional so they don't accidentally slander a random public IP address.

  • @walkieer 3 years ago

    Is the exploit kit he talks about at 5:56 real? Like if you accidentally visited a bad website you'll get infected. Assuming you don't have flash installed.

  • @JasonfromEarth 3 years ago +4

    I'm using DNSSEC via Cloudflare on my Piehole. Highly recommend it.

  • @drummerb0y4tune 3 years ago

    More mr pound

  • @DIY4Profit 11 months ago

    So a fortigate FW/router that is using https but with no certificate could fall into this attack?

  • @hko2006 3 years ago +2

    0:44 *China Great Firewall: Let me introduce myself*

  • @noahwolton7662 3 years ago

    Is there no way to send the poisoned dns query on all ports at once?

  • @fleshwere 3 years ago

    How much bandwidth would one need to hijack the current randomizing defence? Anyone calculated that?

  • @LastStar007 2 years ago

    2:26 That's a real Parker Square of a Jolly Roger.

  • @ipadluki47 3 years ago +11

    talk about websockets

  • @CH-4 3 years ago +1

    Dr Mike should have his own YouTube channel (I'm talking about Dr Mike the computer guy)

    • @Michael-sh1fb 3 years ago

      thx for the clarification

  • @juliankandlhofer7553 3 years ago +9

    Would DNS over TLS be a solution to this issue?

    • @cosmicrider5898 3 years ago +5

      I think dnssec would be a better solution. I believe tls or doh could still be poisoned.
      Edit: he says this at 10:12

    • @juliankandlhofer7553 3 years ago +1

      if the connection between the client and server is encrypted, there's no opportunity to send a spoofed response, since you'd need to crack the encryption to send a response on that specific request, right?
      dnssec just takes this a step further with trusted dns servers

    • @zemerick1 3 years ago +2

      DNSSEC is the answer, not DNS over TLS. However, if the server isn't supporting DNSSEC which a LOT do not, or it not enabled. . .then it's game on.

    • @agoatmannameddesire8856 3 years ago +1

      @juliankandlhofer7553 The opportunity would be to MITM the client recursive name server, which could be easier or harder depending on the privacy profile (opportunistic or out-of-band key-pinned, see RFC7858 section 4).

    • @YourTVUnplugged 3 years ago

      @cosmicrider5898 You're only partially correct, because who decides who is a 'trusted' domain name server? If you trust anyone to be that 'trusted' party, then by default you can no longer trust them. Anyone who gains that must trust is immediately untrustworthy, lol... That's the facts of life. What you need is DN SEC where we trust individual domains by their public keys which only they have the private key for... Where we don't trust domain name servers but we trust individual domains proving who they are themselves. We can't trust any central authority to give us the truth, because with that trust they will always use it to lie. Instead we have to determine the individuals that we trust and only rely on our own ability to verify they are who they say they are and if we believe or better yet know we can trust them. G000gle is not to be trusted they can't even let TRUE information not be censored due to pharmaceutical interest for people to believe something that is true is not true... Because if people believe something that is true is not true then they equal big money for the pharmaceutical companies, and if they know the truth that money is greatly diminished. These companies aren't out for our best interests but for their own and their friends.

  • @redhawkrobin 3 years ago +1

    Would love to see him play a game called GreyHack o.o

  • @Grejtcz 3 years ago +3

    What exactly is multicast dns and .local domain?

    • @snmp1612342 3 years ago +1

      Apple Bonjour and Zeroconf use multicast DNS. Basically how this works is your devices for example Google Chromecast periodically sends a DNS packet to a multicast address that gets broadcast to all devices connected to your LAN or those who subscribed to said multicast address saying 'I am a chromecast, you can use my services x, y, and z at IP address such and such'. The .local Top Level Domain is one reserved for private usage - for example on your LAN - and will not be resolvable in the internet. Avahi (Linux) would be one example of a zeroconf implementation making use of the .local TLD.

    • @Mr.Leeroy 3 years ago

      do not use .local unless you know what you are doing

  • @play_sports_and_read_books 3 years ago

    So what exactly happens when we change the DNS id on our phone (eg: change it to 1.1.1.1 instead of what was there before, which is the dns for cloudflare. But still what does that mean or do?)

    • @Michael-sh1fb 3 years ago

      It is skimmed over in this video but if you watch the other DNS explanation, that IP is the IP of the first DNS server you will ask (which in turn may ask other DNS servers)

  • @30092001 2 years ago

    how you find a dns poisonous computer in the network ? how can i detect it ?

  • @asharbinkhalil 2 years ago

    hy fellas,
    how can i make a virus that just change cache of dns without that process of malicious server response? is this practical?

  • @CheesyAceGameplay 3 years ago

    In response to SIGred?

  • @donaldhobson8873 3 years ago

    Why not make the query ID 64 bits, or more?

  • @Dr.Haleem08 2 years ago

    How we prevent this attack how we resolve this if attacker poisoned my caches

  • @Caneladorada 3 years ago

    I'm concerned about the computer apocalypse when quantum computers are powerful enough. The encryption and randomization methods are going to be fairly easy to crack

  • @thea.igamer3958 3 years ago +4

    Bring a episode with Tom Scott also

  • @LudwigDeLarge 3 years ago +1

    Just noticed that Dr. Pound is a chess player ! :D

  • @user-eq8gg3xm5j 3 years ago +1

    I love spiderman teaching me about networking

  • @eonacat 3 years ago

    What about applying a UUID? Basically that would solve the whole problem