Mitigate DNS Cache Snooping with BigIP DNS
I would like to share this with you: I was trying to understand and mitigate DNS cache snooping using BigIP DNS.
DNS cache snooping: an attacker queries a recursive DNS server to learn which names are already in its cache, and therefore which sites the internal users behind that server have recently visited. The usual probe is a query with the RD (recursion desired) bit cleared: a resolver that honours it answers only from its cache, so any answer at all reveals that the name was cached.
Example:
I have already queried apple.com through my F5 DNS cache server, so the records are cached:
root@(basem)(cfg-sync Standalone)(Active)(/Common)(tmos) show ltm dns cache records rrset cache basem | grep apple.com | grep A
apple.com 2391 A IN 17.172.224.47
apple.com 2391 A IN 17.178.96.59
apple.com 2391 A IN 17.142.160.59
How to check whether the RR is already cached, using scapy:
>>> request = IP(dst="10.128.10.55")/UDP(dport=53)/DNS(rd=0,qd=DNSQR(qname='apple.com'))
>>> snoop = sr1(request)
Begin emission:
.................................................Finished to send 1 packets.
.......*
Received 57 packets, got 1 answers, remaining 0 packets
>>>
Reviewing the results:
>>> snoop.display()
[ IP ]
version= 4L
ihl= 5L
tos= 0x0
len= 103
id= 769
flags=
frag= 0L
ttl= 128
proto= udp
chksum= 0x7533
src= 10.128.10.55
dst= 172.16.1.139
\options\
[ UDP ]
sport= domain
dport= domain
len= 83
chksum= 0x6b90
[ DNS ]
id= 0
qr= 1L
opcode= QUERY
aa= 0L
tc= 0L
rd= 0L
ra= 1L
z= 0L
rcode= ok
qdcount= 1
ancount= 3
nscount= 0
arcount= 0
\qd\
The query above was sent with rd=0 (recursion desired cleared), so the server should answer only from what it already holds rather than resolve the name. The response still contains multiple answer records (three, to be precise), with an ancount of 3. This shows that apple.com is currently cached on the queried server and so has recently been resolved through it; a name that was not in the cache would come back with no answer records. (The display above is cut off after the question section; the three A records follow it.)
Using nmap to discover the cached records:
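As an added example (not part of the original post), the following Python script builds the same rd=0 probe without scapy, parses the reply, and applies both snooping tests: the non-recursive check used above (answers returned to an rd=0 query) and the timed check, which compares the returned TTL with the zone's TTL (the 2391-second TTL in the tmsh output above is such a cache-decremented value). The packets it classifies are constructed inline from the apple.com records shown above; the 3600-second "authoritative" TTL is an assumed value for illustration, and live_probe() is included only for use against a real resolver such as the 10.128.10.55 server in this post.

```python
import socket
import struct

# Constructed sample data: the three apple.com A records and the 2391 s TTL
# mirror the tmsh output above; the 3600 s "authoritative" TTL is an assumed
# value for the timed check, not apple.com's real zone TTL.
QNAME = "apple.com"
CACHED_ADDRS = ["17.172.224.47", "17.178.96.59", "17.142.160.59"]
CACHED_TTL = 2391
ASSUMED_AUTH_TTL = 3600

def encode_name(name):
    """Encode a hostname as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(qname, rd, txid=0x1234):
    """A/IN query. rd=0 is the snoop probe: the server must answer from cache only."""
    flags = 0x0100 if rd else 0x0000                      # bit 8 of flags is RD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def build_cached_response(query, ttl, addrs):
    """Construct a resolver answer for a cached name (QR=1, RA=1, RD as sent),
    one A record per address with the TTL left in cache. Offline sample input."""
    txid, qflags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", txid, 0x8080 | (qflags & 0x0100), 1, len(addrs), 0, 0)
    rrs = b""
    for a in addrs:   # 0xC00C: compression pointer to the question name at offset 12
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
    return header + query[12:] + rrs

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                         # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Header flags plus the answer section (type, TTL, rdata) of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                    # skip QTYPE/QCLASS
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append({"type": rtype, "ttl": ttl, "rdata": msg[off:off + rdlen]})
        off += rdlen
    return {"id": txid, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "rcode": flags & 0xF, "ancount": an, "answers": answers}

def snoop_nonrecursive(resp):
    """Non-recursive method (the scapy/nmap probe above): answers to an rd=0
    query can only have come from the cache."""
    return resp["rcode"] == 0 and resp["ancount"] > 0

def snoop_timed(resp, authoritative_ttl):
    """Timed method: a cached record is served with a TTL counted down from the
    zone value, so TTL < authoritative TTL means it was cached. Works with rd=1."""
    return any(a["ttl"] < authoritative_ttl for a in resp["answers"] if a["type"] == 1)

def live_probe(server, qname, rd=0, timeout=2.0):
    """Send the probe to a real resolver (not exercised offline); None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, rd), (server, 53))
        try:
            return parse_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return None

# Offline walk-through on the constructed packets.
QUERY = build_query(QNAME, rd=0)
CACHED_RESPONSE = build_cached_response(QUERY, CACHED_TTL, CACHED_ADDRS)
EMPTY_RESPONSE = build_cached_response(QUERY, CACHED_TTL, [])   # not cached: ancount 0

if __name__ == "__main__":
    for label, pkt in (("cached", CACHED_RESPONSE), ("not cached", EMPTY_RESPONSE)):
        r = parse_response(pkt)
        print(label, "ancount=%d" % r["ancount"], "nonrecursive:",
              snoop_nonrecursive(r), "timed:", snoop_timed(r, ASSUMED_AUTH_TTL))
```

The two tests fail in different ways against a defence: a server that refuses to answer rd=0 queries makes snoop_nonrecursive() useless, but snoop_timed() only needs an ordinary recursive query, so it keeps working as long as the cache hands out decremented TTLs.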
root@Bassem:~ nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.domains={apple.com}' 10.128.10.55
Starting Nmap 6.40 ( http://nmap.org ) at 2017-02-18 05:23 AST
Nmap scan report for 10.128.10.55
Host is up (0.00006s latency).
PORT STATE SERVICE
53/udp open domain
| dns-cache-snoop: 1 of 1 tested domains are cached.
|_apple.com
Nmap done: 1 IP address (1 host up) scanned in 0.1 seconds
So, using the DNS header, I deployed the iRule below to prevent it:
when DNS_REQUEST {
    # A query with RD cleared asks the server to answer from cache only; that is
    # the probe sent by the scapy and nmap (dns-cache-snoop) checks above.
    if {[DNS::header rd] == 0} {
        log local0. "Disabling cache no RD set in query to mitigate DNS Cache snooping"
        # Bypass the cache for this query so nothing cached is revealed to it.
        DNS::disable cache
    }
}
And check the results again using nmap:
root@ubuntu:~ nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.domains={apple.com}' 10.128.10.55
Starting Nmap 6.40 ( http://nmap.org ) at 2017-02-18 05:25 AST
Nmap scan report for 10.128.10.55
PORT STATE SERVICE
53/udp open|filtered domain
|_dns-cache-snoop: 0 of 1 tested domains are cached.
Normal recursive queries (RD=1) are still served from the cache; only queries with RD cleared bypass it, so clients are not affected. Note that this only defeats the non-recursive snooping technique. nmap's dns-cache-snoop script also has a timed mode (script-arg dns-cache-snoop.mode=timed) that sends ordinary recursive queries and infers caching from a returned TTL that is lower than the authoritative one; the decremented TTL of 2391 seen in the tmsh output above is exactly what that mode looks for, and an RD-based iRule cannot hide it.