CEG 499/699:
Internet Security


College of Engineering & CS
Wright State University
Dayton, Ohio 45435-0001

DNS and NIS Attacks

 

Prabhaker Mateti

 
Abstract: 
 
This work is supported in part by NSF DUE-9951380.
  07/20/00

Table of Contents

  1. Educational Objectives
  2. Domain name system
  3. Network Information System
  4. DNS Attacks
  5. NIS Attacks
  6. Lab Experiment
  7. Acknowledgements
  8. References

Educational Objectives

  1. Understand how mnemonic host names are mapped to IP addresses.
  2. Be alert to the various built-in assumptions of a name service.
  3. Become familiar with exploits based on violating these assumptions in DNS.

Domain name system

DNS is the way that Internet domain names are located and translated into IP (Internet Protocol) addresses. A domain name is a meaningful and easy-to-remember "handle" for an Internet address.

Because maintaining a central list of domain name/IP address correspondences would be impractical, the lists of domain names and IP addresses are distributed throughout the Internet in a hierarchy of authority. There is probably a DNS server within close geographic proximity to your access provider that maps the domain names in your Internet requests or forwards them to other servers in the Internet.

All domain name services listen on port 53, as specified in the /etc/services file:

domain 53/tcp
domain 53/udp

Network Information System

NIS is a network naming and administration system for smaller networks that was developed by Sun Microsystems. NIS+ is a later version that provides additional security and other facilities. Using NIS, each host client or server computer in the system has knowledge about the entire system. A user at any host can get access to files or applications on any host in the network with a single user identification and password. NIS is similar to the Internet's Domain Name System (DNS) but somewhat simpler and designed for a smaller network. It's intended for use on local area networks (LANs).

NIS uses the client/server model and the Remote Procedure Call (RPC) interface for communication between hosts. NIS consists of a server, a library of client programs, and some administrative tools. NIS is often used with the Network File System (NFS). NIS is a UNIX-based program.

Although Sun and others offer proprietary versions, most NIS code has been released into the public domain and there are freeware versions available. NIS was originally called Yellow Pages but because someone already had a trademark by that name, it was changed to Network Information System. It is still sometimes referred to by the initials: "YP".

DNS Attacks

Steven M. Bellovin, Using the Domain Name System for System Break-ins, 5th USENIX UNIX Security Symposium, 1995. www.usenix.org/publications/library/proceedings/security95/bellovin.html Required Reading.

NIS Attacks

CERT* Advisory CA-92.13, Topic: SunOS NIS Vulnerability. www.cert.org/advisories/CA-92.13.SunOS.NIS.vulnerability.html. Required Reading.


Lab Experiment

None.


Acknowledgements


References

  1. R. W. Stevens, TCP/IP Illustrated, 1994, Chapter 14. A very good summary of DNS. Recommended Reading.
  2. Steven M. Bellovin, Using the Domain Name System for System Break-ins, 5th USENIX UNIX Security Symposium, 1995. www.usenix.org/publications/library/proceedings/security95/bellovin.html Required Reading.
  3. CERT* Advisory CA-92.13, Topic: SunOS NIS Vulnerability. www.cert.org/advisories/CA-92.13.SunOS.NIS.vulnerability.html. Required Reading.
  4. S. Cheung and K.N. Levitt. 2000. "A Formal-Specification Based Approach for Protecting the Domain Name System." To appear in Workshop on Dependability despite Malicious Faults, New York, June 2000. [Postscript] http://seclab.cs.ucdavis.edu/papers.html Reference only.
07/20/00 10:40:29 AM
pmateti@cs.wright.edu