Domain Name System

Question 1

Define

Host Names

DNS

Answer 1

Mnemonic/easily memorable for humans

Question 2

Define

Domain Name System

DNS

Answer 2

Provides translation from host name to IP address

Question 3

DNS is what type of distributed database that leverages what?

DNS

Answer 3

A performance-critical distributed database that leverages caches

Question 4

Why is DNS needed?

DNS

Answer 4

For SOP assumptions and web security

Question 5

What is the hiearchy of name servers?

DNS

Answer 5

Root servers > Authoritative name servers > Local Name resolver

Question 6

Where are root servers?

DNS

Answer 6

Hardcoded into other servers

Question 7

What are root servers for?

DNS

Answer 7

Top-level domains (TLD)

Question 8

What are authoritative name servers for?

DNS

Answer 8

Subdomains

Question 9

What does local name resolvers do?

DNS

Answer 9

Caches name resolution results

Question 10

What does the local name resolver go to for non-cached names?

DNS

Answer 10

Authoritative name servers

Question 11

Describe

DNS Lookup

DNS

Answer 11

1. Client requests information
2. Local resolver fetches from Root DNS => TLD DNS server => Authoritative DNS sever
3. Local resolver returns information to client

Question 12

Describe

Components of DNS Packet

DNS

Answer 12

Source/dest ports, length, checksum, query ID, questions/answers, authority, additional info

Question 13

List DNS Resource Records

DNS

Answer 13

• Address Mapping (A)
• Canonical Name (CNAME)
• Mail Exchanger (ME)
• Name Server (NS)
• Start of Authority (SOA)

Question 14

Define

DNS Resource Record: Address Mapping (A)

DNS

Answer 14

Maps host to IP Address

Question 15

Define

DNS Resource Record: Canonical Name (CNAME)

DNS

Answer 15

Maps host to alias

Question 16

Define

DNS Resource Record: Mail Exchanger (ME)

DNS

Answer 16

Directs email to a specific server

Question 17

Define

DNS Resource Record: Start of Authority (SOA)

DNS

Answer 17

Specifies core information (name server, email of domain admin)

Question 18

Define

DNS Caching

DNS

Answer 18

Holds the responses for repeated translations

Question 19

Describe

DNS Caching: Negative Queries

DNS

Answer 19

Non-existing host names

Question 20

Limitation of DNS Caching

DNS

Answer 20

Cache will periodically time out

Question 21

Who controls the DNS cache and what happens to it at every record?

DNS

Answer 21

DNS cache is controlled by data owner and it is passed with every record

Question 22

Define

Kamisky Blind Spoofing

DNS

Answer 22

Injecting forged replies with different IDs in hopes of matching victim’s queries

Question 23

Defenses against Kamisky Blind Spoofing

DNS

Answer 23

• Usage of random source ports
• Increased entorpy/load of DNS

Question 24

Components of DNS Query

DNS

Answer 24

• Question includes query
• ID
• Answer section = resource record + IP addr of domain name + lifetime of cache to answer
• Authority of host name servers behind the answers
• Additional section = supplemental info

Question 25

When sent over UDP, DNS is unable to protect what?

DNS

Answer 25

CIA

Question 26

Two DNS threats

DNS

Answer 26

Malicious DNS server and eavesdropping

Question 27

Describe

DNS Threat: Malicious DNS Server

DNS

Answer 27

Fools the user to answer DNS queries on a fake DNS server to gain access to information

Question 28

Defenses against Malicious DNS Server

DNS

Answer 28

Client doesn’t accept record in the Additional Section if domain of user doesn’t match their request

Question 29

Describe

DNS Threat: Eavesdropping for off-path attackers

DNS

Answer 29

Blind spoofs and races against actual DNS server using Additional field

Question 30

What do off-path eavesdroppers need for an DNS eavesdropping attack?

DNS

Answer 30

The port (typically 53) and the ID

Question 31

How do off-path attackers obtain ID for DNS eavesdropping attack?

DNS

Answer 31

Trick the user into submitting a lookup query into the DNS

Question 32

Defense against Eavesdropping

DNS

Answer 32

Censorship

Question 33

Describe

DNS Security Extensions (DNSSEC)

DNS

Answer 33

Providing an origin of authentication and integrity through a chain of trust

Question 34

Describe

DNSSEC’s Chain of Trust

DNS

Answer 34

Each lookup level is signed with a DNS private key and vouched by public keys of the upper layers

Question 35

What is the order for the DNSSEC Chain of Trust?

DNS

Answer 35

DNS => DNSKEY => DS => …

Question 36

Where are the root public keys for the DNSSEC?

DNS

Answer 36

Hardwired into the servers

Question 37

Two types of DNSSEC Keys

DNS

Answer 37

Key-Signing Keys (KSK) and Zone-Signing Keys (ZSK)

Question 38

Define

Key-Signing Keys (KSK)

DNS

Answer 38

DNSKEY/public key zones