Risorse

Test e Notebook

• DNS - Playing with dig.ipynb We will use the dig command for emulating the behavior of any application that operates as a DNS client.

• DNS - Understanding traffic.ipynb We will analyze the traffic generated by a browser for accessing a web page, in particular, for understanding the usage of the DNS to obtain IP addresses of web servers.

• Test - Uso DNS

Altro

Interrogare il DNS

• dig Linux man page Linux command for interacting with web servers, used in one of the Colab notebooks above.
• Online DNS Lookup Webapp for interacting with name servers (a sort of dig on line). Specify query (name and type) and name server IP address.
• The exact same operations of dig can be performed with nslookup, which is available in both Linux and Windows (with some differences between the two platforms). The syntax and output of nslookup is different from that of dig. Search for a tutorial if you are interested.
• WHOIS: Fragile, unparseable, obsolete... and universally relied upon Detailed description of whois: how it works and some history.

Gestione domini

• Domain Name Industry Brief - Dashboards Dati statistici sulla dimensione del DNS.
• DNS Zone Stats On this page you can find links to graphs displaying the total domain count per TLD zone.

• Internet Corporation for Assigned Names and Numbers (ICANN) is the organization that "coordinates" the DNS globally. Its website contains all the technical and procedural definitions related to how domains must be managed. A few relevant pages:

  • Registrant A domain name registrant is an individual or entity who registers a domain name.
  • Registrar ("DNS provider") An entity wishing to register a domain name under a generic top-level domain ("gTLD") may do so by using a registrar.
  • Registry operator The owner of a TLD (a TLD is a "registry").
  • Registro.it The owner of the .it domain (Consiglio Nazionale delle Ricerche, Pisa). Come diventare un Registrar (DNS provider) in grado di creare domini sotto .it.

Alcuni attacchi importanti

• Global DNS Hijacking Campaign: DNS Record Manipulation at Scale ... a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America.
• DNS Hijacking Abuses Trust In Core Internet Service ...a new cyber threat campaign that we are calling "Sea Turtle," which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. Our investigation revealed that at least 40 different organizations across 13 different countries were compromised.
• DNS hijacks at two cryptocurrency sites point the finger at GoDaddy, again Two cryptocurrency portals are currently dealing with DNS hijacking attacks that are redirecting visitors to fake versions of their websites where crooks are trying to collect seed phrases and private keys from visitors so they can access wallets and steal their funds.
• Hackers breached Greece's top-level domain registrar State-sponsored hackers have breached ICS-Forth, the organization that manages Greece's top-level domain country codes of .gr and .el.
• UK domain registry Nominet confirms breach via Ivanti zero-day Nominet, the official .UK domain registry and one of the largest country code registries, has confirmed that its network was breached two weeks ago using an Ivanti VPN zero-day vulnerability. The company manages and operates over 11 million .uk, .co.uk, and .gov .uk domain names and other top-level domains, including .cymru and .wales. It also ran the U.K.'s Protective Domain Name Service (PDNS) on behalf of the country's National Cyber Security Centre (NCSC) until September 2024, protecting over 1,200 organizations and over 7 million end users.

Sequestri di domini

• DOJ, Microsoft seize dozens of domains ‘used by Russian intelligence agents’ Uno dei numerosissimi casi di cronaca relativi al "sequestro" (disattivazione) di domini associati ad attività fraudolenta. In questo caso una campagna di spear phishing (cioè phishing mirato verso persone specifiche) attribuita ad una organizzazione associata al governo russo.

• Italy demands Google poison DNS under strict Piracy Shield law Italy is using its Piracy Shield law to go after Google, with a court ordering the Internet giant to immediately begin poisoning its public DNS servers. The goal is to prevent illegal football streams, but the effort has already caused collateral damage.

Altri link

Argomenti non inclusi nel programma del corso.

• The Internet Domain Name System Explained for Non-Experts Una descrizione di come è realizzato il DNS (come interagiscono i name server tra loro e molto altro).
• Root Name Servers The 13 root name servers are operated by 12 independent organisations.
  • Each IP address used for root name servers actually corresponds to many different servers, thanks to a technology called anycast that we will not study in this course (thus the number of root name servers is much greater than 13). This interaction with ChatGPT provides an overview of how anycast works.
• Root Name Servers Traffic Count of queries made to root name servers (daily averages): They are in the order of hundreds of billions queries every day.

Can I block the DNS in an entire nation?

Robustness analysis of DNS paths and web access paths in public administration websites Computer Communications, Dec. 2021, Alberto Bartoli.

In this paper we examine the dependence of a large set of public administration websites on DNS entities for four different countries: Italy, Germany, UK and US. We collected the dependencies of those websites from DNS zones, nameservers, networks and assessed the potential global impact of localized attacks on those entities:

• How many websites could be affected, whether in name resolution or web server access, by an attack on a single zone, nameserver, network?
• How prevalent is the usage of groups of IP addresses, networks for providing redundancy? How many websites could be affected by an attack to one of those groups?

Wireshark DNS Exercises

Download network capture dns_recursivequery_client.pcapng and analyze it with Wireshark.

• Intro to Wireshark: Basics + Packet Analysis An excellent and focused video introduction. Warmly suggested (up to minute 8:10; at that point it starts discussing TCP Congestion, excellent discussion but far beyond this course).
• You may analyze the above network capture also with Python Scapy. Here you can find an interaction with ChatGPT for obtaining the code that answers the questions below. I have not checked it for correctness but I think it more or less works.

Questions:

• How long is this capture in seconds?
• What is the IP address of the DNS server?
• What is the IP address associated with the first name being asked?
• How many names are resolved?
• How long did it take, on the average?

Suppose you have the ability to modify the DNS response to the first DNS request; you want to drive the requesting client to 131.114.9.252.

• Write the byte sequence corresponding to the DNS response that you should send.
• Emphasize the portions of the DNS response that can be constructed in advance and those that depend on the matching request and thus must be constructed on the fly.

Suggestions (not to be executed in sequence...just suggestions):

• Statistics--> DNS
• Statistics-->Flow graph
• Display filters: dns.flags.rcode != 0 Indicates which dns requests could not be correctly resolved
• Select DNS response in middle window / Right click / Copy byte as HEX dump or as HEX stream

https://github.com/chrissanders/packets/blob/master/dns_lab.pcapng Same questions as above.

https://github.com/chrissanders/packets/blob/master/http_espn.pcapng Same questions as above.