Bassem_Saleh_23
Historic F5 Account
Feb 21, 2017

Mitigate DNS Cache Snooping with BigIP DNS

I would like to share this with you: I was trying to understand and mitigate DNS cache snooping using BigIP.

DNS cache snooping: an attacker asks a caching DNS server whether a given name is already in its cache, which reveals whether internal users have recently resolved it and therefore which sites they have visited. The classic probe is a query with the RD (recursion desired) bit cleared: a resolver answers such a query only from its cache, so a non-empty answer means the name was cached.

Example:

I have already queried apple.com through my F5 DNS cache server, so the records are already cached.

root@(basem)(cfg-sync Standalone)(Active)(/Common)(tmos) show ltm dns cache records rrset cache basem | grep apple.com | grep A
apple.com                             2391     A      IN     17.172.224.47
apple.com                             2391     A      IN     17.178.96.59
apple.com                             2391     A      IN     17.142.160.59

How to check whether the RR is already cached using scapy:

>>> from scapy.all import *
>>> # rd=0 clears Recursion Desired: the server may answer only from its cache
>>> request = IP(dst="10.128.10.55")/UDP(dport=53)/DNS(rd=0,qd=DNSQR(qname='apple.com'))
>>> snoop = sr1(request)
Begin emission:
.................................................Finished to send 1 packets.
.......*
Received 57 packets, got 1 answers, remaining 0 packets
>>> 

Reviewing the results:

>>> snoop.display()
[ IP ]
  version= 4L
  ihl= 5L
  tos= 0x0
  len= 103
  id= 769
  flags= 
  frag= 0L
  ttl= 128
  proto= udp
  chksum= 0x7533
  src= 10.128.10.55
  dst= 172.16.1.139
  \options\
[ UDP ]
     sport= domain
     dport= domain
     len= 83
     chksum= 0x6b90
[ DNS ]
        id= 0
        qr= 1L
        opcode= QUERY
        aa= 0L
        tc= 0L
        rd= 0L
        ra= 1L
        z= 0L
        rcode= ok
        qdcount= 1
        ancount= 3
        nscount= 0
        arcount= 0
        \qd\

Because the query was sent with rd=0, the server answered from its cache rather than resolving the name. The response contains multiple answer records (three, to be precise) and an 'ancount' value of 3, which shows that apple.com is currently cached on the queried DNS server and hence was recently resolved by it.

Using nmap's dns-cache-snoop script (its default nonrecursive mode sends the same RD=0 query) to check the same thing:

root@Bassem:~ nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.domains={apple.com}' 10.128.10.55

Starting Nmap 6.40 ( http://nmap.org ) at 2017-02-18 05:23 AST
Nmap scan report for 10.128.10.55
Host is up (0.00006s latency).
PORT   STATE SERVICE
53/udp open  domain
| dns-cache-snoop: 1 of 1 tested domains are cached.
|_apple.com

Nmap done: 1 IP address (1 host up) scanned in 0.1 seconds

So, using the RD flag in the DNS header, I deployed the iRule below to prevent it:

when DNS_REQUEST {
    # RD=0 means the client does not want recursion, i.e. it is asking only
    # for what is already cached: the pattern a cache-snooping probe uses.
    if {[DNS::header rd] == 0} {
        log local0. "Disabling cache no RD set in query to mitigate DNS Cache snooping"
        # Bypass the cache for this query only; RD=1 queries are unaffected.
        DNS::disable cache
    }
}

And check the results again using nmap:

root@ubuntu:~ nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.domains={apple.com}' 10.128.10.55

Starting Nmap 6.40 ( http://nmap.org ) at 2017-02-18 05:25 AST
Nmap scan report for 10.128.10.55
PORT   STATE         SERVICE
53/udp open|filtered domain
|_dns-cache-snoop: 0 of 1 tested domains are cached.

Domains will still be served from the cache for ordinary queries with RD set; only non-recursive queries bypass it.
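As an added example that is not part of the original post, the script below does in plain Python (standard library only) what the scapy one-liner and the nmap script above do: it builds an A query with the RD bit cleared, parses the answer section, and treats a non-empty answer as "cached". It also implements the older TTL-comparison variant of the check, which sends an ordinary RD=1 query and looks for a TTL lower than the zone's authoritative TTL; since that query has RD set, an RD-based iRule like the one above does not act on it, and nmap's timed mode likewise uses recursive queries. The sample responses are constructed inline (the IPs and the TTL of 2391 mirror the tmsh output above; the authoritative TTL of 3600 and the server address in the live-use hint are assumptions), so it runs offline.

```python
"""Offline DNS cache-snooping probe: RD=0 check plus TTL-comparison check.
Added example, not from the original post; standard library only."""
import socket
import struct


def encode_name(name):
    """Encode a dotted name into DNS wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, rd, txid=0x1234):
    """A-record query; rd=0 clears the Recursion Desired bit (the snooping probe)."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def read_name(data, off):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > 16:                    # refuse pointer loops from a hostile server
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(data):
    """Parse the header flags and the answer section into a dict."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = read_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "qr": flags >> 15 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF, "ancount": an, "answers": answers}


def looks_cached_nonrecursive(resp):
    """RD=0 probe: a resolver answers a non-recursive query only from its cache."""
    return resp["rcode"] == 0 and resp["ancount"] > 0


def looks_cached_by_ttl(resp, authoritative_ttl):
    """RD=1 variant: a TTL below the authoritative TTL means the RRset was already
    cached and counting down. One-shot, since the query itself populates the cache;
    authoritative_ttl must be learned separately (e.g. from the zone's NS)."""
    return any(ttl < authoritative_ttl for _, _, ttl, _ in resp["answers"])


def probe(server, name, rd=0, timeout=2.0):
    """Live UDP query (not used by the offline samples below)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, rd), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


def build_response(txid, qname, rd, ra, rcode, a_records):
    """Construct a resolver-style response (used only for the constructed samples)."""
    flags = 0x8000 | (0x0100 if rd else 0) | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for ttl, ip in a_records:               # owner name = pointer to the question at offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + body


# Constructed samples: the cached answer mirrors the tmsh output; the empty one
# is what a server that refuses RD=0 cache lookups would return for the same query.
SAMPLE_CACHED = build_response(0x1234, "apple.com", 0, 1, 0,
                               [(2391, "17.172.224.47"), (2391, "17.178.96.59"),
                                (2391, "17.142.160.59")])
SAMPLE_EMPTY = build_response(0x1234, "apple.com", 0, 1, 0, [])
ASSUMED_AUTH_TTL = 3600  # assumption, not the real apple.com zone TTL


def classify_samples():
    cached, empty = parse_response(SAMPLE_CACHED), parse_response(SAMPLE_EMPTY)
    return {"nonrecursive_cached": looks_cached_nonrecursive(cached),
            "nonrecursive_empty": looks_cached_nonrecursive(empty),
            "ttl_cached": looks_cached_by_ttl(cached, ASSUMED_AUTH_TTL)}


if __name__ == "__main__":
    print(classify_samples())
    # live use (assumed server address): probe("10.128.10.55", "apple.com", rd=0)
```

The parser caps compression-pointer hops because a probe like this is pointed at servers you do not control, and a looping pointer in a crafted response would otherwise hang it. The TTL check is the reason to keep an eye on the cache even after the iRule is in place: it only needs recursive queries, so it has to be caught by other means (rate limiting, source restrictions, or not exposing the caching resolver to untrusted networks at all).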
