Published by Security Testing and Assurance on 3 February 2023
This blog post discusses how the NSEC and NSEC3 DNSSEC records can be abused by attackers to identify valid DNS entries. We introduce a toolΒ to allow penetration testers to carry out these attacks. We also present aΒ whitepaperΒ that examines attacks against NSEC3 in detail and demonstrates these attacks against top-trafficked Internet domains.
Attacking DNS
The Domain Name System (DNS) is the method by which domain names are resolved to IP addresses and other resources. Public (Internet-facing) DNS entries were never intended to be confidential, however entries that may be useful to attackers are routinely found in DNS records. If an attacker knows that a domain like ππππ-ππππ’-ππ-ππππ-πππππππππΉπΎπΊπΏπΈπΊπΎπΉπΏπΈπΊπΈπΉ.ππ‘πππππ.πππΒ exists, this is invaluable for them to target their attacks.
In the earlier days of the Internet, it was common to be able to get a list of all valid domains in a zone using a DNS query known as a Zone Transfer. To prevent leaking information about valid domains to attackers, it now commonplace for DNS servers to prevent zone transfers from unauthorised sources.
Even without the ability to perform zone transfers, attackers have several mechanisms available to identify valid DNS records, such as:
-
- Brute-forcing DNS queries (using wordlists of likely domains to assist)
- Certificate transparency logs
- Domains embedded in code, leaked from APIs etc.
While these mechanisms may recover many records:
-
- They can be very noisy (brute-forcing / wordlists)
- There is no guarantee the results are complete
- It is difficult to find complex records e.g π’ππ-π πππ.πππππ.ππππ-ππ-πΉπΎπΊπΏπΈπΊπΎπΉπΏπΈπΊπΈπΉ.ππ‘πππππ.πππΒ if there is no associated PKI TLS certificate that will identify the domain in certificate transparency logs.
If DNS servers make use of DNSSEC, this adds an additional mechanism that attackers can use to retrieve DNS records β in some cases entire zones.
DNSSEC Background
DNSSEC is a suite of extension specifications to DNS that provides authentication and data integrity to the DNS protocol (but importantly, does not provide availability or confidentiality protections). DNSSEC does this byΒ signing DNSΒ records in a way that is verifiable through a chain of trust. One issue the implementors of DNSSEC grappled with is how do you a sign the response to a query for a record that doesn’t exist?
In traditional DNS without DNSSEC, if you were to lookup aΒ non-existentΒ record, you’d get a DNSΒ NXDOMAINΒ (non-existent domain) error:
$ πππ πΒ πππ-ππ‘ππππππ.πππ’πππ.πππ @πππ·.ππ»π½.ππ’ππππ.πππ.
ππππππ: π½ππ³πΎπΌπ°πΈπ½
With a DNSSEC-aware resolver, if you were to lookup anΒ existingΒ record you will get the answer, and theΒ RRSIGΒ (record set signature) to authenticate the answer and make sure it wasn’t tampered with:
$ πππ πΒ π π π .πππ’πππ.πππ +ππππππΒ @πππ·.ππ»π½.ππ’ππππ.πππ.
π²π½π°πΌπ΄ π π π .πππ.πππ’πππ.πππ.
ππππΈπΆ π²π½π°πΌπ΄ πΆπ…ππΈπΆπ½π°ππππ΄…πΉπ=
Combining the two, what happens if you look up a non-existent record with a DNSSEC-aware resolver?
$ πππΒ πππ-ππ‘ππππππ.πππ’πππ.πππ +ππππππΒ @πππ·.ππ»π½.ππ’ππππ.πππ.
πππ-πππ.πππ’πππ.πππ. π½ππ΄π² πππππππππππππ.πππ’πππ.πππ. π²π½π°πΌπ΄ ππππΈπΆ π½ππ΄π²
NSEC (Next Secure) Records
What happened in the response above? The server can’t sign an empty record, but it also can’tΒ notΒ authenticate the empty response, because while a Person-in-the-Middle might not be able to tamper with DNS responses, they could respond withΒ NXDOMAINΒ to all requests in a “denial of existence” attack.
DNSSEC’s first solution to authenticate non-existent records, known as NSEC (Next Secure), is to return a range for which there are no records. In the example above, we looked up non-existent and the Paypal DNS resolver responded with “πΈ πππ’π ππππ πππ’ πππππππ ππππ πππ πππ-πππ πππ πππππππππππππ”. The RFC requires these ranges are returned in alphabetical order, and that they wrap. As a bonus, it also gives all the record types for the start of the range, now we ππππ ππππ πππ-πππ ππππ’ has a CNAME record (ignoring the RRSIG and NSEC records).
The fact that looking up aΒ non-existentΒ domain revealsΒ existentΒ domains in the response is extremely useful to an attacker trying to identify valid domains. In fact, it is possible to iteratively look up non-existent domains, collect the ranges, then look up the records to retrieve every record for a domain:
…
$ πππ πΒ πΆ.πππππππ.πππ’πππ.πππ +ππππππ @πππ·.ππ»π½.ππ’ππππ.πππ.
πππππππ.πππ’πππ.πππ. π½ππ΄π² πππππππππ.πππ’πππ.πππ. π° ππππΈπΆ π½ππ΄π²
$ πππ πΒ πΆ.πππππππππ.πππ’πππ.πππ +ππππππ @πππ·.ππ»π½.ππ’ππππ.πππ.
πππππππππ.πππ’πππ.πππ. π½ππ΄π² ππππππππ.πππ’πππ.πππ. π²π½π°πΌπ΄ ππππΈπΆ π½ππ΄π²
$ πππ πΒ πΆ.ππππππππ.πππ’πππ.πππ +ππππππ @πππ·.ππ»π½.ππ’ππππ.πππ.
ππππππππ.πππ’πππ.πππ. π½ππ΄π² ππ.πππ’πππ.πππ. π²π½π°πΌπ΄ ππππΈπΆ π½ππ΄π²
…
NSEC3
To address these obvious shortcomings with NSEC, DNSSEC offers an alternative mechanism known as NSEC3. NSEC3Β attempts to prevent the leaking of valid records by hashing returned ranges. Importantly, the ranges still correspond to valid domain records.
$ πππ πΒ πππ-ππ‘ππππππ.ππππππππ.πππ +ππππππ @ππΉ-πΌπΊ.ππππ.πππ.
π½πππππππ… π½ππ΄π²πΉ π½ππ½πΌπΉπππ·… π²π½π°πΌπ΄ ππππΈπΆ
Attacking NSEC3
Because results are hashed, it is no longer possible for an attacker to simply enumerate valid domains. However, the hashesΒ are still hashes of valid domains. The hashing algorithm, salt, iterations, and plaintext are all known, so it is possible for an attacker to hash candidates locally. Recovering valid domains becomes a two-step process:
- The attacker can enumerate all range hashes by iteratively generating hashes locally. Once a hash is generated that falls within a range that is yet to be observed in a response, that request is sent to the nameserver to get new hashed ranges. This process is repeated until all hashed ranges have been retrieved.
- The retrieved hashes can be cracked offline
An example showing the retrieval of multiple hashed ranges is shown below:
$ πππ πΒ πΆπΆπΆπΆ.ππππππππ.πππ +ππππππ @ππΉ-πΌπΊ.ππππ.πππ.
πππΆπ·π·πΎππ… π½ππ΄π²πΉ ππ±π±π»ππ°π½πΆ… π²π½π°πΌπ΄
$ πππ πΒ π»πΊπΉπ·.ππππππππ.πππ +ππππππ @ππΉ-πΌπΊ.ππππ.πππ.
πππΎππ·ππΈπ… π½ππ΄π²πΉ π±πΈπ½πΊπ°π½πΆπΎ… π²π½π°πΌπ΄
…
$ πππ π πππΎπ.ππππππππ.πππ +ππππππ @ππΉ-πΌπΊ.ππππ.πππ.
ππΉπππΈπππ… π½ππ΄π²πΉ ππΊπΌπ
πΆπΏππΈ… π° πΌπ πππ
There are a few items to note about attacking NSEC3:
- Hashes are salted with a salt and the domain, so rainbow tables are of no use
- NSEC3 uses the SHA-1 hashing algorithm, so cracking is fast compared with more modern cryptographic hashing algorithms
- It is possible to estimate the number of valid records in a DNS zone from the hash range returned in NSEC3 responses. For example, if a returned hash range covers 5% of the possible hashes, it can be deduced that there will be roughly 20 records in the domain. The more hash ranges that are observed, the greater the certainty of this calculation.
Tooling to attack NSEC3
To allow security testers to more easily validate issues with NSEC and NSEC3 configuration, we are releasing a tool to automate these attacks –Β “NSEC(3) Walker πΆββοΈ“. It has 3 modes (theΒ READMEΒ has far more detail):
- NSEC walking + dumping
- NSEC3 walking
- NSEC3 post-crack dumping
Whitepaper
In the associated WhitepaperΒ Taking the DNS for a Walk; NSEC3 Prevalence and Recoverability, we also take a deeper dive into the theory behind attacking NSEC3 and demonstrate practical use of these methods against real-world targets. It demonstrates a GPU-based attack on NSEC3 that recovered 44% of names for the internetβs top 20,000 NSEC3-protected DNS zones, partially invalidating NSEC3βs privacy and security goals.
Attribution
This blog post, associated whitepaper, and tool are the work of Harrison Mitchell of CyberCX. The research builds on previous attacks against DNSSEC. For a full list of references, please see the associatedΒ Whitepaper.
