
Ryu's Tech

DNS [ Domain Name System ]






  • On the Internet the real identifier of a host is its IP address, but numeric addresses are hard for users to sort out and remember. Domain names were introduced so that addresses can be referred to by text, and the Domain Name System (DNS) is the service that maps a domain name to an IP address.
    • networks.msft <-mapping-> 192.168.1.0 /24 (strictly, an A record maps a name to one host address; a /24 is a whole network, so a real entry would point at a single address inside it)



  • Hierarchical structure (Name Space)




  • Fully Qualified Domain Name (FQDN)




  • Name resolution order on a Windows client
    • DNS cache table
      • ipconfig /displaydns
      • How entries get into it
        • Dynamic: learned from answers returned by the DNS server (or other systems)
        • Manual: entries written in the hosts file (loaded into the cache when the file changes)
    • Query to the configured DNS server
    • nbtstat -c (NetBIOS name cache table)
    • Query to the WINS server
    • Broadcast
    • LMHOSTS file lookup


Step 1: The user's PC, with IP address "My IP Address", sends a DNS query to the primary DNS server configured in its TCP/IP properties, asking it to resolve the IP address of some-webserver.com. The client sets the recursion-desired flag: it expects the server to do all the work and hand back a final answer.

Step 2 to Step 7 (Recursive Query): The user's primary DNS server is not authoritative for the domain some-webserver.com and has nothing cached, so it resolves the name itself with a chain of iterative queries. It asks a root server, which refers it to the .com name servers; the .com servers refer it to the authoritative name server for some-webserver.com, which replies with the IP address of some-webserver.com.

Step 8: The user's primary DNS server caches the IP address of some-webserver.com for the TTL carried in the answer and replies to the user's PC with that address.
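The lookup order from the list above (hosts file, then cache, then the DNS server) and the root -> .com -> authoritative walk of steps 2 to 8, modelled in one small resolver. This is an added example, not code from the page: the hosts-file text, the delegation tree, the server names and the addresses (documentation ranges) are all constructed, and the clock is injected so that cache expiry can be shown without waiting.

```python
"""Model of the lookup order and recursive walk described above.

Added example, not code from the page: the hosts-file text, delegation
tree and addresses are all constructed.
"""

# Constructed hosts file (the 'manual' registration path).
HOSTS_FILE = """
127.0.0.1      localhost
# intranet host registered by hand
192.168.1.10   networks.msft
"""

# Constructed delegation tree: root refers to the TLD servers, the TLD
# servers refer to the authoritative server, which holds (ip, ttl).
ROOT_REFERRALS = {"com.": "a.gtld-servers.net"}
TLD_REFERRALS = {"a.gtld-servers.net": {"some-webserver.com.": "ns1.some-webserver.com"}}
AUTHORITATIVE = {"ns1.some-webserver.com": {"some-webserver.com.": ("203.0.113.7", 300)}}


def parse_hosts(text):
    """hosts-file syntax: '<ip> <name> [<name>...]'; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            for name in names:
                table[name.lower()] = ip
    return table


def canonical(name):
    """Lower-case, fully qualified form with a trailing dot (DNS names are case-insensitive)."""
    return name.lower().rstrip(".") + "."


def iterative_lookup(qname):
    """Steps 2-7: ask root, follow the referral to .com, follow that to the
    authoritative server. Returns (ip, ttl, trail); ip is None on failure."""
    tld_server = ROOT_REFERRALS.get(qname.split(".")[-2] + ".")
    trail = [("root", tld_server)]
    if tld_server is None:
        return None, 0, trail
    auth_server = TLD_REFERRALS[tld_server].get(qname)
    trail.append((tld_server, auth_server))
    if auth_server is None:
        return None, 0, trail
    answer = AUTHORITATIVE[auth_server].get(qname)
    trail.append((auth_server, answer[0] if answer else None))
    return (*answer, trail) if answer else (None, 0, trail)


class Resolver:
    """Order used by a client: hosts file, then cache (if TTL not expired), then the walk."""

    def __init__(self, hosts_text, clock):
        self.hosts = parse_hosts(hosts_text)
        self.cache = {}        # qname -> (ip, expiry)
        self.clock = clock     # callable returning seconds; injected for testability

    def resolve(self, name):
        qname = canonical(name)
        if qname.rstrip(".") in self.hosts:
            return self.hosts[qname.rstrip(".")], "hosts", []
        cached = self.cache.get(qname)
        if cached and cached[1] > self.clock():
            return cached[0], "cache", []
        ip, ttl, trail = iterative_lookup(qname)
        if ip is None:
            return None, "nxdomain", trail
        self.cache[qname] = (ip, self.clock() + ttl)   # step 8: cache for the TTL
        return ip, "recursive", trail


def demo():
    """Five lookups against a fake clock; returns (ip, source, trail) for each."""
    now = [1000.0]
    r = Resolver(HOSTS_FILE, lambda: now[0])
    results = [
        r.resolve("networks.msft"),        # hosts file, never leaves the machine
        r.resolve("some-webserver.com"),   # full walk root -> .com -> authoritative
        r.resolve("SOME-WEBSERVER.com."),  # cache hit; case and trailing dot ignored
    ]
    now[0] += 301                          # the 300 s TTL has expired
    results.append(r.resolve("some-webserver.com"))  # walk again, re-cached
    results.append(r.resolve("nosuch.example"))      # root has no referral for .example
    return results


if __name__ == "__main__":
    for ip, source, trail in demo():
        print(f"{source:10} {ip}  {' -> '.join(s for s, _ in trail) or '-'}")
```

The trail returned for the recursive case is the list of (server asked, what it answered) pairs, so you can see that the client's single recursive question turned into three iterative ones on the resolver side, and that the second lookup of the same name never leaves the cache until the TTL runs out.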








Step 1: The attacker sends a signal to the compromised PCs (the botnet) to start issuing DNS queries.

Step 2: All compromised PCs send DNS queries with the spoofed source address "Victim IP Address" to the DNS servers configured in their TCP/IP properties, asking to resolve the IP address of some-webserver.com. DNS runs over UDP, which has no handshake, so nothing checks that the source address belongs to the sender and the servers treat the queries as if the victim had sent them.

Step 3 to Step 8 (Recursive Query): Those DNS servers are not authoritative for the domain some-webserver.com, so each walks the same chain as before: the root servers, then the .com name servers, then the authoritative name server for some-webserver.com, which replies with its IP address.

Step 9: The DNS servers cache the IP address of some-webserver.com and send their replies to the victim's server (Victim IP Address) rather than to the bots, because that is the source address the attacker wrote into the queries. The matter is made worse because the reply can be much larger than the query that triggered it, amplified by a factor of up to 73. Two things make the attack possible: the servers answer recursive queries from anyone (open resolvers), and the network carried packets with a forged source address. The defences therefore sit in two places: ingress filtering at the network edge that drops packets whose source address does not belong to the sending network (BCP 38), and on the resolver side, restricting recursion to its own clients and rate-limiting responses.
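The size asymmetry behind step 9, shown at the wire-format level: a real-looking query with an EDNS0 buffer advertisement next to an oversized reply, plus the BCP 38 ingress check that would have dropped the spoofed packet before it reached the resolver. This is an added example, not code from the page: the domain, the record contents and the address prefixes are constructed, and nothing is sent on the network.

```python
"""Wire-format DNS query vs. oversized reply, to show the asymmetry an
amplification attack exploits, plus the ingress check that stops the
spoofed source in the first place.

Added example, not code from the page: the name, record data and
prefixes are constructed; no packets are sent.
"""
import ipaddress
import struct

QTYPE_A, QTYPE_TXT, QTYPE_ANY, QTYPE_OPT = 1, 16, 255, 41
CLASS_IN = 1


def encode_name(name):
    """RFC 1035 name encoding: length-prefixed labels ending in a zero octet."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, edns_bufsize=4096):
    """A query as the reflector receives it: 12-byte header, one question and,
    if edns_bufsize is set, an EDNS0 OPT record advertising a large UDP buffer
    (this is what lets a UDP reply exceed the classic 512-byte limit)."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_bufsize:
        # OPT pseudo-RR: root name, type 41, CLASS field carries the UDP payload size
        opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def build_response(query, records):
    """Answer the query with the given (type, ttl, rdata) records. Each answer's
    owner name is a compression pointer back to the question name (0xC00C)."""
    txid, = struct.unpack("!H", query[:2])
    qname_end = query.index(b"\x00", 12) + 1          # terminator of the question name
    question = query[12:qname_end + 4]               # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0)  # QR, RD, RA
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, rtype, CLASS_IN, ttl, len(rdata)) + rdata
        for rtype, ttl, rdata in records
    )
    return header + question + answers


def txt_rdata(text):
    """TXT RDATA is one or more <character-string>: a length octet, then the bytes."""
    data = text.encode("ascii")
    assert len(data) <= 255
    return bytes([len(data)]) + data


def amplification_factor():
    """Sizes of a typical 'ANY' probe and of a bloated reply holding ten A records
    and eight 255-byte TXT records; returns (query_bytes, response_bytes, ratio)."""
    query = build_query("some-webserver.com", QTYPE_ANY)
    records = [(QTYPE_A, 300, bytes([203, 0, 113, n])) for n in range(1, 11)]
    records += [(QTYPE_TXT, 300, txt_rdata("v" * 255)) for _ in range(8)]
    response = build_response(query, records)
    return len(query), len(response), len(response) / len(query)


def bcp38_allows(src_ip, customer_prefixes):
    """Ingress filtering (BCP 38): the edge router forwards a packet only if its
    source address belongs to the network it arrived from. A bot that writes
    the victim's address as the source fails this check."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in customer_prefixes)


if __name__ == "__main__":
    q, r, ratio = amplification_factor()
    print(f"query {q} bytes -> response {r} bytes, x{ratio:.1f}")
    print("spoofed 203.0.113.7 leaving 198.51.100.0/24 forwarded?",
          bcp38_allows("203.0.113.7", ["198.51.100.0/24"]))
```

With this constructed record set a 47-byte query draws a 2340-byte reply; real figures depend on what the zone holds and on the buffer size the query advertises, which is why the page's factor of 73 is an upper bound rather than a constant. The two fixes map onto the two functions: an edge that applies bcp38_allows never forwards the spoofed query, and a resolver that refuses recursion for strangers or truncates large answers to unverified clients never builds the oversized response.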




  • Check the DNS cache
    • ipconfig /displaydns
  • Flush the DNS cache
    • ipconfig /flushdns