1
00:00:06,780 --> 00:00:09,930
- [Instructor] Let's go over a few DNS-related attacks.

2
00:00:09,930 --> 00:00:11,636
The first one that I'm gonna share with you

3
00:00:11,636 --> 00:00:15,230
is the DNS cache poisoning attack.

4
00:00:15,230 --> 00:00:17,320
And it's basically an attack that has been used

5
00:00:17,320 --> 00:00:19,580
by many threat actors in the past.

6
00:00:19,580 --> 00:00:23,330
And basically, in short, it involves the manipulation

7
00:00:23,330 --> 00:00:27,113
of the DNS resolver cache through the injection

8
00:00:27,113 --> 00:00:29,490
of corrupted DNS data.

9
00:00:29,490 --> 00:00:32,043
And this is actually done to force the DNS server

10
00:00:32,043 --> 00:00:35,420
to send the wrong IP address to the victim.

11
00:00:35,420 --> 00:00:37,148
And then, of course, redirecting the victim

12
00:00:37,148 --> 00:00:40,761
to the attacker's system or a malicious website

13
00:00:40,761 --> 00:00:43,810
or any other site that the attacker

14
00:00:43,810 --> 00:00:47,100
actually wants the victim to visit.

15
00:00:47,100 --> 00:00:50,130
DNS cache poisoning attacks can also combine elements

16
00:00:50,130 --> 00:00:54,170
of social engineering to basically manipulate the victims

17
00:00:54,170 --> 00:00:56,950
to download malware,

18
00:00:56,950 --> 00:00:59,660
ask the victim to enter sensitive information

19
00:00:59,660 --> 00:01:03,840
in some type of form or any other spoof application.

20
00:01:03,840 --> 00:01:07,110
There are many different mitigations against this attack.

21
00:01:07,110 --> 00:01:08,290
Nowadays, as a matter of fact,

22
00:01:08,290 --> 00:01:11,260
you actually can configure DNS servers

23
00:01:11,260 --> 00:01:15,390
to rely as little as possible on the trust relationship

24
00:01:15,390 --> 00:01:19,360
with other DNS servers in order to mitigate these attacks.
25
00:01:19,360 --> 00:01:22,550
DNS servers like BIND and for the longest time, actually,

26
00:01:22,550 --> 00:01:25,403
BIND 9.5 and higher, provide features

27
00:01:25,403 --> 00:01:29,200
that actually help prevent DNS cache poisoning attacks.

28
00:01:29,200 --> 00:01:32,189
However, unfortunately nowadays, still a lot

29
00:01:32,189 --> 00:01:35,083
of people are configuring their DNS servers

30
00:01:35,083 --> 00:01:37,331
in an insecure way and attackers

31
00:01:37,331 --> 00:01:39,740
actually can manipulate them.

32
00:01:39,740 --> 00:01:42,770
Another concept that I want to go over with you

33
00:01:42,770 --> 00:01:45,260
is DNS zone transfer

34
00:01:45,260 --> 00:01:48,503
and DNS zone transfer attacks.

35
00:01:48,503 --> 00:01:52,250
A DNS zone transfer is basically the process

36
00:01:52,250 --> 00:01:57,140
where a DNS server passes a copy of part of its database,

37
00:01:57,140 --> 00:02:01,866
which is actually called a zone, to another DNS server.

38
00:02:01,866 --> 00:02:06,450
This actually allows you to have more than one DNS server

39
00:02:06,450 --> 00:02:08,510
and be able to answer queries

40
00:02:08,510 --> 00:02:12,450
about a particular zone in your environment.

41
00:02:12,450 --> 00:02:15,027
Now there's a master DNS server and the concept

42
00:02:15,027 --> 00:02:17,400
I'll call a slave DNS server.

43
00:02:17,400 --> 00:02:21,810
And basically the slave or the secondary asks the master

44
00:02:21,810 --> 00:02:24,833
for a copy of the records for that zone.

45
00:02:26,120 --> 00:02:29,820
So a best practice is actually to restrict zone transfers

46
00:02:29,820 --> 00:02:33,790
and at the minimum you tell the master

47
00:02:33,790 --> 00:02:36,140
what the IP address of the slave server is

48
00:02:36,140 --> 00:02:39,240
and not to transfer to anybody else.

49
00:02:39,240 --> 00:02:41,350
Also, another better way to do this

50
00:02:41,350 --> 00:02:44,322
is to digitally sign the transfers.
51
00:02:44,322 --> 00:02:45,547
So you will ask us,

52
00:02:45,547 --> 00:02:49,630
"So why would an attacker want to perform a zone transfer?"

53
00:02:49,630 --> 00:02:53,640
Well basically by an attacker performing a zone transfer,

54
00:02:53,640 --> 00:02:55,020
he can actually collect a lot

55
00:02:55,020 --> 00:02:57,050
of information from a corporate network,

56
00:02:57,050 --> 00:03:00,520
and sometimes exposing their internal IP addresses

57
00:03:00,520 --> 00:03:03,300
and servers and computers and desktops

58
00:03:03,300 --> 00:03:06,050
and any other elements within their network.

59
00:03:06,050 --> 00:03:08,350
And they actually collect this information

60
00:03:08,350 --> 00:03:10,020
to, you know, perform other attacks

61
00:03:10,020 --> 00:03:12,400
or find vulnerabilities and so on.

62
00:03:12,400 --> 00:03:15,220
Now, to collect information about

63
00:03:16,410 --> 00:03:20,203
the zone transfer, you can actually use the axfr parameter

64
00:03:21,560 --> 00:03:25,000
as I'm actually showing in here, with the host command.

65
00:03:25,000 --> 00:03:27,610
So, basically, in this case, I'm actually doing

66
00:03:27,610 --> 00:03:28,697
host

67
00:03:28,697 --> 00:03:29,730
-t

68
00:03:29,730 --> 00:03:30,856
axfr

69
00:03:30,856 --> 00:03:34,183
and then you actually have a domain name and the DNS server.

70
00:03:35,140 --> 00:03:38,100
Now the dig command is very useful

71
00:03:38,100 --> 00:03:42,630
for performing DNS queries on specific DNS servers.

72
00:03:42,630 --> 00:03:47,300
Think of it as a more powerful version of the host command.

73
00:03:47,300 --> 00:03:49,260
Now there's an entity called digi.ninja

74
00:03:49,260 --> 00:03:53,980
that actually has a domain name called zonetransfer.me

75
00:03:53,980 --> 00:03:55,370
that you can actually use for testing.
76
00:03:55,370 --> 00:03:59,350
So you can try to play with that domain

77
00:03:59,350 --> 00:04:01,406
using the host and dig commands

78
00:04:01,406 --> 00:04:03,163
as I'm showing in the screen.