It seems unbelievable that in these days of massive malware attacks and spam, hardly anyone seems to have thought of roping in the services offered by the ubiquitous DNS for purposes of authentication and validation.
In this series, we'll be looking at re-writing infrastructure servers, in parts, for the above purposes. As the first of these, we take the DNS server and we'll see how and what parts of it can be re-done. Here we've not provided the project's source code, but we will examine that in detail in our next part. Our code is demonstrated in VB.NET, but this can be easily ported to other languages such as C# or Perl or C/C++. We are assuming that you have a working knowledge of DNS.
Why re-write the server?
Why don't we simply write an 'extension' and plug it into an existing DNS implementation like BIND, Windows DNS, etc? The trouble is that it wouldn't be easy to tamper with a running DNS. Moreover, each system is written in a different language, with different semantics). It might be easier to just write a mini-DNS system that uses the other servers to do its job.
Transmission
DNS systems communicate through TCP and UDP packets, usually on port 53. RFC 1035 states that although we need not implement both ports, it would be useful to have them around for redundancy. We can also add additional ports for increased processing capacity, and add special ports for encrypted communications. To comply, all we need to do is construct a 'structure' object in our program and transmit that using the networking features our language provides. For example, to transmit an 'A' record, we do the following.
|
Structure DNS_A
Dim RR_Name As String
Dim RR_Type As UInt16
Dim RR_Class As String
Dim TTL As Int32
Dim RDLength As UInt32
Dim RData As String
Shared Function ToString() As String
' code to make a single
' padded string out of all the values
End Function
End Structure
Dim varDNSA As DNS_A
.
objTCPSocket.Send( _
Encoding.UTF8.GetBytes( _
varDNSA.ToString() _
) _
)
It is as simple as that. Similarly, we would receive an octet stream of bytes, which will need to be examined. Once found what data (or query) it contains, we can split it into its composite fields, and load them into a similar structure for further processing.
Signing communications
Assume that we went ahead and deployed several of our modified DNS servers around our network. How would we ensure that these could communicate special commands or information to each other, without the fear of unauthorized programs sending unexpected data to them? Easy, for some commands or data to be processed-record updates, for example-we could require (PGP) digital signatures to be embedded. Packets arriving without them would face restricted processing or completely discarded. For example,
objTCPSocket.Receive(varIncomingPacket)
If (varIncomingPacket.Length > 256) Then
' has PGP key
TestAndUpdate(varIncomingPacket)
Else
' normal transmission
TestOnly(varIncomingPacket)
End If
Another use would be to help eliminate spam by looking at the senders of e-mail. One way spam operates is by giving you a 'From' address that does not exist-either there is no such mailbox, or there is no such mail domain or both. In our solution, we will simply try to check if that mail domain exists, although this is not really sufficient. Writing a plug-in for your mail server for this may not be easy, but we can hook it up easier, if it leaned more towards our DNS deployment. We can also implement a new DNS query to make this a single step process and have our DNS carry out the required validations black-boxed. Assume you received e-mail from the address: 'johndoe@mailer01. onlyspam.net'. We can test the domain string, thus, giving:
QUERY: SPAMCHECK mailer01.onlyspam.net
--- 'A' record of 'mailer01.onlyspam.net'
--- 'CNAME' record of 'mailer01.onlyspam.net'
REPLY: IS_SPAM
The domain could still be registered and used for spamming, in which case our above test would pass.
Network resource authentication
On any network, even if the IP addresses are assigned by DHCP, you would know what the valid ranges for any 'desirable' system are, that would come onto your network. Your DHCP can be configured to instruct each client computer to register itself with the DNS on your network. What this would do is add an 'A' and a corresponding 'PTR' record on your DNS-of course, you will need to first create the appropriate forward and reverse zones for each domain and workgroup you have.
Now, when a machine requests access to your LAN's resources, you could have its IP address and name looked up in the DNS against the PTR and A records respectively. Testing both fields gives protection against IP-spoofing infiltration attacks.
Mail checks and databases
A DNS can also be tapped as a ready-reference mail address book using the MB record, which gives you a simple listing of e-mail addresses available for a DNS domain. You can extend this using TXT records that will allow you to append miscellaneous information (like designation, department and extension number) to the e-mail address. In our case, we combine the two records to create a new resource called the CMB (Corporate Mail Box), where the first two fields (shown below) come from the MB record and the last one is an alias for the TXT record.
Structure DNS_CMB
Dim MailDomain As String
Dim MailBoxName As String
Dim AdditionalInfo As String
End Structure
These are just a few of the many things we could do with our own implementation. In our next part, we will implement the different classes required to build our DNS server.
Sujay V Sarma