Advertisment

Authenticate with DNS

author-image
PCQ Bureau
New Update

It seems unbelievable that in these days of massive malware attacks and spam, hardly anyone seems to have thought of roping in the services offered by the ubiquitous DNS for purposes of authentication and validation.

Advertisment

In this series, we'll be looking at re-writing infrastructure servers, in parts, for the above purposes. As the first of these, we take the DNS server and we'll see how and what parts of it can be re-done. Here we've not provided the project's source code, but we will examine that in detail in our next part. Our code is demonstrated in VB.NET, but this can be easily ported to other languages such as C# or Perl or C/C++. We are assuming that you have a working knowledge of DNS.

Why re-write the server?

Why don't we simply write an 'extension' and plug it into an existing DNS implementation like BIND, Windows DNS, etc? The trouble is that it wouldn't be easy to tamper with a running DNS. Moreover, each system is written in a different language, with different semantics). It might be easier to just write a mini-DNS system that uses the other servers to do its job.

Transmission

DNS systems communicate through TCP and UDP packets, usually on port 53. RFC 1035 states that although we need not implement both ports, it would be useful to have them around for redundancy. We can also add additional ports for increased processing capacity, and add special ports for encrypted communications. To comply, all we need to do is construct a 'structure' object in our program and transmit that using the networking features our language provides. For example, to transmit an 'A' record, we do the following.

Advertisment
Direct Hit!
Applies to: Advanced system programmers
USP: Using DNS server as a validation mechanism
Links:
http://www.ietf.org/rfc/rfc1035.txt 

Structure DNS_A

Dim RR_Name As String

Dim RR_Type As UInt16

Dim RR_Class As String

Dim TTL As Int32

Dim RDLength As UInt32

Dim RData As String

Shared Function ToString() As String

' code to make a single 

' padded string out of all the values

End Function

End Structure

Dim varDNSA As DNS_A

.

objTCPSocket.Send( _

Encoding.UTF8.GetBytes( _

varDNSA.ToString() _

) _

)

Advertisment

It is as simple as that. Similarly, we would receive an octet stream of bytes, which will need to be examined. Once found what data (or query) it contains, we can split it into its composite fields, and load them into a similar structure for further processing.

Signing communications

Assume that we went ahead and deployed several of our modified DNS servers around our network. How would we ensure that these could communicate special commands or information to each other, without the fear of unauthorized programs sending unexpected data to them? Easy, for some commands or data to be processed-record updates, for example-we could require (PGP) digital signatures to be embedded. Packets arriving without them would face restricted processing or completely discarded. For example,

objTCPSocket.Receive(varIncomingPacket)

If (varIncomingPacket.Length > 256) Then

' has PGP key

TestAndUpdate(varIncomingPacket)

Else

' normal transmission

TestOnly(varIncomingPacket)

End If

Advertisment

Another use would be to help eliminate spam by looking at the senders of e-mail. One way spam operates is by giving you a 'From' address that does not exist-either there is no such mailbox, or there is no such mail domain or both. In our solution, we will simply try to check if that mail domain exists, although this is not really sufficient. Writing a plug-in for your mail server for this may not be easy, but we can hook it up easier, if it leaned more towards our DNS deployment. We can also implement a new DNS query to make this a single step process and have our DNS carry out the required validations black-boxed. Assume you received e-mail from the address: 'johndoe@mailer01. onlyspam.net'. We can test the domain string, thus, giving:

QUERY: SPAMCHECK mailer01.onlyspam.net

--- 'A' record of 'mailer01.onlyspam.net'

--- 'CNAME' record of 'mailer01.onlyspam.net'

REPLY: IS_SPAM

The domain could still be registered and used for spamming, in which case our above test would pass. 

Advertisment

Network resource authentication

On any network, even if the IP addresses are assigned by DHCP, you would know what the valid ranges for any 'desirable' system are, that would come onto your network. Your DHCP can be configured to instruct each client computer to register itself with the DNS on your network. What this would do is add an 'A' and a corresponding 'PTR' record on your DNS-of course, you will need to first create the appropriate forward and reverse zones for each domain and workgroup you have.

Now, when a machine requests access to your LAN's resources, you could have its IP address and name looked up in the DNS against the PTR and A records respectively. Testing both fields gives protection against IP-spoofing infiltration attacks.

Mail checks and databases

A DNS can also be tapped as a ready-reference mail address book using the MB record, which gives you a simple listing of e-mail addresses available for a DNS domain. You can extend this using TXT records that will allow you to append miscellaneous information (like designation, department and extension number) to the e-mail address. In our case, we combine the two records to create a new resource called the CMB (Corporate Mail Box), where the first two fields (shown below) come from the MB record and the last one is an alias for the TXT record.

Advertisment

Structure DNS_CMB

Dim MailDomain As String

Dim MailBoxName As String

Dim AdditionalInfo As String

End Structure

These are just a few of the many things we could do with our own implementation. In our next part, we will implement the different classes required to build our DNS server.

Sujay V Sarma

Advertisment

Stay connected with us through our social media channels for the latest updates and news!

Follow us: