
I know that many clients in the same network have the same DNS server (most of the time, but it can be changed).

But is there any way to find out which DNS server a specific IP (over the Internet) uses, through the weaknesses in UDP?

Update 1: It's clear that it is possible to see DNS packets with MITM attacks. Let's assume that example.com's IP address is 1.2.3.4; what I mean is, which DNS server does this IP use when it wants to ask for someone's IP?

I ask because I saw that Michael Howard, in "25 deadly programming sins", explains that it's possible to find someone's DNS server over the Internet.

But I can't find anything about it by googling.

By weaknesses, I mean that every time you ask a DNS server for an IP, the reply can come from a different source (and that's normal for DNS servers, and most operating systems will accept it!), and you know that UDP source IPs can be spoofed more easily than TCP (and DNS uses UDP).

  • It is unclear where the attacker is and what the attacker can do. If the attacker is in the path of the client and can sniff the traffic then of course he can see which DNS server is used. That does not need some unspecified weakness in UDP. – Steffen Ullrich Nov 01 '16 at 21:16
  • Can you elaborate on "weaknesses in UDP"? – ndrix Nov 01 '16 at 21:29
  • @m1ke see my updates – Mohammad Sina Karvandi Nov 01 '16 at 21:40
  • @m1ke I think this simply means that it is easier to intercept in real time because it does not fragment and reassemble in the same way TCP does. (this is just a guess) – Nick Mckenna Nov 01 '16 at 21:49
  • The book mentions that a client can't trust DNS for trusting who it talks to (for downloading updates, binaries, ..). For this, you need TLS to ensure you're talking to the right endpoint - regardless of which DNS server gave you the IP address mapping. – ndrix Nov 02 '16 at 23:21

2 Answers

2

The answer to how the attacker might find your DNS server is actually explained in "24 deadly sins of software security", which you probably refer to:

  • Either the attacker is in the same network and uses the same server or can sniff what server you are using.
  • Or the attacker can provoke a DNS request to its own domain (where the attacker has full control over the DNS server) from your host. This can be done, for example, with a targeted advertisement on a website, a link in a mail, etc. The attacker can then see where the DNS request originated, which is probably the server you asked to resolve the hostname. Of course this only works if you use public servers and not a recursive DNS server inside your local network.

No "weakness" of UDP is needed to get this information.

Steffen Ullrich
  • Well, I think you're right. But would you please explain the second item to me in more detail? – Mohammad Sina Karvandi Nov 01 '16 at 22:30
  • @ᔕIᑎᗩKᗩᖇᐯᗩᑎᗪI: if you would ask a specific question I might be able to explain it. But from just an unfocused *"explain me more"* I'm not able to understand where your problem is. – Steffen Ullrich Nov 02 '16 at 05:01

1

I could see someone simply looking at network traffic and seeing one IP speaking DNS to another. Where this is insecure has to do with how DNS was designed. DNS was one of the earlier protocols and features no encryption by default (as Dan Kaminsky would say, "it's part of the world wrapper security"). Most of the time DNS works without any encryption, so it is trivial to execute a man-in-the-middle attack. If possible, could you elaborate on "a weakness in UDP"?

Nick Mckenna