Tuesday, February 17, 2009

Playing with DNS servers... some more

Killing time in the metro by listening to podcasts of past security conferences, I got the idea of using DNS caches to check IP-spoofing capability.

Now, the easiest way to check if you can send packets to the Internet with a fake source IP address would be with two computers (in different ASs), but that's no fun, is it? :)

Basically, the idea is that a DNS caching server lets you tell whether you are the first client to get the reply to some query, by either
  • asking it about a domain for which it would have to recurse, while forbidding recursion (RD bit cleared): if you get a positive reply, this means somebody else asked the same question before you
  • comparing the maximum Time-To-Live value for the test domain with the TTL value you received in the reply: if they differ, this too means somebody else asked the same question before you
So, if you issue an improbable query (for example 0.577493021235...325521009964.ws, which will resolve correctly because .ws uses wildcard records) to a DNS caching server while faking the source IP address, and then issue the very same query from your real IP address a couple of seconds later, the reply to the latter will tell you whether the DNS server received the former.

The only problem is making sure no network equipment enforces a real source IP address on the packets... Some ISPs might simply rewrite the source IP address (instead of just dropping the packet, which most of them do): this is easy to detect because you would get replies to both the "fake" and the real queries. NAT routers are more annoying: mine accepts the fake public IP address as source of the packets, stores it in its table, forwards the packets with its real IP address, and when the replies arrive... doesn't know whom to send the packets to, other than to the DMZ (which is noticeable because it starts sending ARP requests for it)... Stupid, stupid NAT router!

Anyway, here's the code.