Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Use of Mixed Case DNS Queries InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Use of Mixed Case DNS Queries

Published: 2012-01-18
Last Updated: 2012-01-18 01:05:49 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

   In my DNS server query logs, I am starting to see more queries using mixed case, like for example:

jOHanNEs.HoMePC.OrG
www.HOMEPC.ORg
wWW.Homepc.org
Www.HoMepC.ORg
WwW.homepc.ORg
WwW.HOmepc.oRG
WWw.homePc.oRg

   These queries appear to be the result of DNS servers supporting a relatively new DNS security mechanism, "0x20 Bit encoding". The approach got its name from encoding a bit value using the case of letters. if bit 0x20 is set in a byte, the letter is lower case. If it is cleared, the letter is upper case.

For example, the first value show above ( www.HOMEPC.ORg ) represents a value of 11100000001 . How does this help DNS security? Host names are not case sensitive. However, the case is maintained. The answer will use the same mixed case as the query. For example:

> dig WwW.HoMePc.OrG 

; <<>> DiG 9.7.3-P3 <<>> WwW.HoMePc.OrG 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15335
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;WwW.HoMePc.OrG. IN A

;; ANSWER SECTION:
WwW.HoMePc.OrG. 100 IN A 70.91.145.9
.. [rest of answer omited] ...

As it turns out, almost all DNS servers follow this behaviour. The new part is that now some DNS servers start to deliveratly encode a random value into each query they send, and then verify if the value is maintained in the response. This in effect adds additional bits to the query id.

While this is clearly a "hack", it is a pretty attractive one. If your DNS server supports this feature, it will automatically gain a few more bits of "spoofing resistance". The DNS servers it connects to do not need to change anything. Unlike for DNSSEC, which is of course the real fix, but requires extensive work to configure,and has to be configured for each zone.

Right now, none of the major DNS servers appear to support this feature. A Google search only found two pieces of software that do:

Unbound: https://calomel.org/unbound_dns.html: see "use-caps-for-id"
pydig: http://www.huque.com/software/pydig/ 

I would be interested to learn if there are other DNS servers (or DNS related software) that supports this method.

References:
http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
http://courses.isi.jhu.edu/netsec/papers/increased_dns_resistance.pdf

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: dns dnssec
7 comment(s)
Diary Archives