this post was submitted on 21 Jul 2023
1433 points (98.9% liked)

Technology

59402 readers
3517 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] grandkaiser@lemmy.world 71 points 1 year ago* (last edited 1 year ago) (38 children)

Hi, professional DNS engineer here! if anyone has any questions about the inner workings of DNS or top level domains, ask away! (THIS IS MY MOMENT)

[–] jmanjones@lemmy.world 4 points 1 year ago (1 children)

When I was talking my cyber security / ethical hacking class, we learned how to do zone transfer. The concept never stuck and I basically "copy" from my friend. So what exactly is a DNS Zone Transfer?

[–] grandkaiser@lemmy.world 3 points 1 year ago (1 children)

Friday I was doing a zone transfer! What are the odds?

A zone transfer is like moving houses, except for an authoritative zone.

In DNS, we have what's called an authoritative zone. That means the device hosting the "resource records" (all the data that DNS passes around) is the "ultimate" answer. I.e, it's not cached data. It's not a hosts file. It's not a recursive answer. It's the real deal.

When you want to move the authoritative zone to another server, you do a "zone transfer" that means the new server will copy all the resource records over TCP from current authoritative zone. The reason you may want to do this instead of manually hand-jamming it is that many large organizations have, sometimes, hundreds of resource records (last month I coordinated a zone transfer that was over 1000 records!).

[–] jmanjones@lemmy.world 1 points 1 year ago* (last edited 1 year ago) (1 children)

Why would a hacker want to conduct a zone transfer? In otherwords, what is the utility or usefulness of a zone transfer for a hacker (black or white hat)?

[–] grandkaiser@lemmy.world 1 points 1 year ago* (last edited 1 year ago)

If you initiate a zone transfer, you can now claim to be authoritative for a zone. That means you can be a 'bad actor' DNS server that serves fake records. In practice, this means that you can redirect people to an attack site.

Let's say you're Joe the Random Internet User and you want to go to lemmy.world This is what happens in a non-attack (we're skipping caching & non-authoritative answers for brevity):

  1. You type "lemmy.world" into your browser
  2. Your computer initiates a stub resolution for lemmy.world. (the trailing dot here isn't a period. It's the "true" FQDN)
  3. Computer looks at hosts file and doesn't see anything
  4. DNS packets are sent to your configured DNS server. If you don't have one configured, DHCP already configured it for you
  5. Your DNS server performs a recursive search for world by asking the root zone where the "world" Name Serer is
  6. root zone resolves world as:

world. 3600 IN NS v0n0.nic.world.

world. 3600 IN NS v0n1.nic.world.

world. 3600 IN NS v0n2.nic.world.

world. 3600 IN NS v0n3.nic.world.

world. 3600 IN NS v2n0.nic.world.

world. 3600 IN NS v2n1.nic.world.

  1. Your DNS server reaches out to one of those Name Server's (That's what the NS record is for) and asks it where "lemmy" is
  2. world Name Server responds with:

lemmy.world. 300 IN A 172.67.218.212

lemmy.world. 300 IN A 104.21.53.208

  1. Your DNS server contacts your computer and serves it those IP addresses. (A record's are domain name to IP Address)

Now lets say there's a DNS spoof attack:

  1. Before the "world" server can get back to your DNS server, the hackers server interjects with it's own authoritative claim that lemmy is here:

lemmy.world. 300 IN A [attack site IP]

  1. Your DNS server contacts your computer and serves it that IP address. Your computer then contacts the attack site and you get a virus.
load more comments (36 replies)