Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: Use of Mixed Case DNS Queries - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Use of Mixed Case DNS Queries

   In my DNS server query logs, I am starting to see more queries using mixed case, like for example:

jOHanNEs.HoMePC.OrG
www.HOMEPC.ORg
wWW.Homepc.org
Www.HoMepC.ORg
WwW.homepc.ORg
WwW.HOmepc.oRG
WWw.homePc.oRg

   These queries appear to be the result of DNS servers supporting a relatively new DNS security mechanism, "0x20 Bit encoding". The approach got its name from encoding a bit value using the case of letters. if bit 0x20 is set in a byte, the letter is lower case. If it is cleared, the letter is upper case.

For example, the first value show above ( www.HOMEPC.ORg ) represents a value of 11100000001 . How does this help DNS security? Host names are not case sensitive. However, the case is maintained. The answer will use the same mixed case as the query. For example:

> dig WwW.HoMePc.OrG 

; <<>> DiG 9.7.3-P3 <<>> WwW.HoMePc.OrG 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15335
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; QUESTION SECTION:
;WwW.HoMePc.OrG. IN A

;; ANSWER SECTION:
WwW.HoMePc.OrG. 100 IN A 70.91.145.9
.. [rest of answer omited] ...

As it turns out, almost all DNS servers follow this behaviour. The new part is that now some DNS servers start to deliveratly encode a random value into each query they send, and then verify if the value is maintained in the response. This in effect adds additional bits to the query id.

While this is clearly a "hack", it is a pretty attractive one. If your DNS server supports this feature, it will automatically gain a few more bits of "spoofing resistance". The DNS servers it connects to do not need to change anything. Unlike for DNSSEC, which is of course the real fix, but requires extensive work to configure,and has to be configured for each zone.

Right now, none of the major DNS servers appear to support this feature. A Google search only found two pieces of software that do:

Unbound: https://calomel.org/unbound_dns.html: see "use-caps-for-id"
pydig: http://www.huque.com/software/pydig/ 

I would be interested to learn if there are other DNS servers (or DNS related software) that supports this method.

References:
http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
http://courses.isi.jhu.edu/netsec/papers/increased_dns_resistance.pdf

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Johannes

3033 Posts
ISC Handler
http://code.google.com/speed/public-dns/docs/security.html#randomize_case
Anonymous

Posts
Tor (when run as an exit node) always does random mixed-case DNS queries. I assume for security reasons as well?

Example from just a few seconds ago:

08:18:58.615437 IP my.tor.exit.node.1194 > 4.2.2.2.53: 2617+ A? GEOIp.VIdaLIa-ProjEcT.net. (43)
08:18:58.731285 IP 4.2.2.2.53 > my.tor.exit.node.1194: 2617 NXDomain 0/1/0 (111)
08:19:34.467587 IP my.tor.exit.node.1195 > 4.2.2.3.53: 4839+ A? wWw.GOOGle.COm. (32)
08:19:34.528849 IP 4.2.2.3.53 > my.tor.exit.node.1195: 4839 6/0/0 CNAME www.l.GOOGle.COm., A 74.125.224.212, A 74.125.224.208, A 74.125.224.209, A 74.125.224.210, A 74.125.224.211 (132)
Anonymous

Posts
A while ago, I had to deactivate that feature in unbound because a lot of websites didn't work anymore.

It turned out to be a GoDaddy "feature" on their domaincontrol.com servers:
http://unbound.net/pipermail/unbound-users/2011-June/001849.html

It seems to be fixed, as their servers return fixed case and I turned it the flag back on sometime late 2011 and haven't any major issues so far.
Anonymous

Posts
Is a few bits extra of spoofing resistance worth the potential issues? Probably not. If the spoofer can guess 16 bits, they can probably guess 18; most likely by having a packet intercepted with the original query.

And this is kind of in violation of the robustness principal.
DNS servers that always replace lowercase, uppercase, or with the record matching the zone, will be detected as "spoofing", even though they are not.

Therefore those domains will be unable to be resolved, even though they are valid domains!

Discarding the DNS response because the case of letters in the response is different would be a RFC violation on the client side.


I will admit that it is a very clever hack. But one that is not at all attractive for implementation on production recursive DNS servers/client resolvers.
Mysid

146 Posts Posts
Don't do that. The last (farthest right) component is allowed to be case sensitive.
Anonymous

Posts
Vantio also does this. It generally works well, although there are some weird authoritative servers that can't cope with mixed-case queries.
Anonymous

Posts
Stupid Q. I'm obviously missing something very basic. How does this feature enhance security? What exactly does it help protect against?
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!