A network application is any application that runs on one computer and provides services to another application running on a different host over the network. Most network applications use a client-server structure, where the server is programmed to provide some service to the client.
Security analysts need to understand how common network applications and protocols work, since these applications and protocols can be used during various attacks. For example, SQL injection is frequently used by attackers to extract data from an SQL database, so security analysts should understand how SQL queries work.
This section describes the following common network applications and protocols, which can be leveraged to perform attacks:
DNS is a globally distributed, scalable, hierarchical, and dynamic database that provides a mapping between hostnames, IP addresses (both IPv4 and IPv6), text records, mail exchange information, name server information, and so on, defined in the DNS resource records
HTTP is the underlying protocol that is used by the World Wide Web. The HTTP protocol defines how messages are formatted and transmitted, and what actions web servers and browsers should take in response to various commands
HTTPS is the secured version of the HTTP protocol. HTTPS is HTTP over TLS (or SSL)
SQL, which is used to query, operate, and administer relational database management systems such as Microsoft SQL Server, Oracle, MySQL, and so on
IP protocols that are used for mail delivery: SMTP, POP, and IMAP.
DNS provides mappings between host names and IP addresses, as well as other mappings. For example, DNS can map a host name, such as host.example.com, to an IP address, such as 192.168.40.100 (or an IPv6 address). The DNS service enables access to network resources by their names instead of having to remember their IP addresses.
In addition to mapping host names to IP addresses, DNS can perform various other types of mappings. Each mapping type is defined in a different type of RR. For instance, an RR that maps a host name to an IPv4 address is called an A record, an RR that maps a domain name to a list of mail servers for that domain is called an MX record, and an RR that identifies the name server for the domain is called an NS record. Other resource record types, such as AAAA and PTR, are discussed later in this topic.
The client side of DNS is called a DNS resolver. The DNS resource resolution process is performed by a DNS resolver sending a DNS query to a DNS server, requesting the information that is defined in an RR.
DNS is a critical protocol for network operations, but weaknesses in the implementation of the DNS protocol allow it to be exploited and used for malicious activities. Security analysts should understand DNS operations to be able to recognize and detect DNS-based attacks.
DNS primarily uses UDP port 53 for DNS queries and responses. A DNS query consists of a UDP request from the client followed by a UDP response from the DNS server. TCP port 53 is used when the DNS response data size exceeds 512 bytes, or for tasks such as zone transfers. A zone transfer is a type of DNS transaction that DNS administrators use to replicate the DNS database across a set of DNS servers.
DNS Distributed Database
DNS is a globally distributed, scalable, hierarchical, and dynamic database. No single DNS server on the Internet contains the entire DNS database. Authority over the various parts of the DNS database is delegated to different DNS servers on the Internet.
The DNS database is composed of a hierarchical domain name space that contains a tree-like data structure of linked domain names (nodes). The tree-like data structure for the domain name space starts at the root, which is represented by the "dot" (.) and is the topmost level of the DNS hierarchy. Although it is not typically displayed in user applications, the DNS root is represented as a trailing dot in an FQDN. For example, the right-most dot in "http://www.cisco.com." represents the root zone. From the root zone, the DNS hierarchy is then split into subdomain (branch) zones.
Each FQDN is composed of one or more labels. Labels are separated with a dot (.), and may contain a maximum of 63 characters. An FQDN may contain a maximum of 255 characters, including the dots (.). Labels are read from right to left, where the label at the far right is the TLD for the domain name. For example, .com is the TLD for http://www.cisco.com because it is the label furthest to the right.
Resource record: The RR defines the DNS data types that are stored in the DNS database. The most common types of RRs are for SOA, IP addresses (A and AAAA), SMTP mail servers (MX), name servers (NS), pointers for reverse DNS lookups (PTR), and domain name aliases (CNAME). An RR is composed of the following fields: Name, Type, Class, TTL, RDLENGTH, and RDATA.
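To make the RR fields and the UDP/TCP behaviour concrete, here is an added example (not from the Cisco course material) that parses a DNS message in wire format into its header flags, question and answer records. The sample response bytes are constructed by hand for an imaginary zone example.test; the parser handles name compression pointers and exposes the TC (truncated) flag that tells a client to retry the query over TCP port 53.

```python
"""Parse a DNS message in wire format into header, question and RR fields.

Added example for this page (not Cisco course code). SAMPLE_RESPONSE is a
hand-constructed answer for the imaginary zone example.test, not a capture.
"""
import struct

# RR type numbers from RFC 1035 / RFC 3596 for the types named on the page
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
            16: "TXT", 28: "AAAA"}

SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"   # header: QR=1 RD=1 RA=1, 1 question, 2 answers
    b"\x07example\x04test\x00\x00\x0f\x00\x01"            # question: example.test MX IN
    b"\xc0\x0c\x00\x0f\x00\x01\x00\x00\x0e\x10\x00\x09"   # MX RR: name pointer, TTL 3600, RDLENGTH 9
    b"\x00\x0a\x04mail\xc0\x0c"                            # RDATA: preference 10, mail.example.test
    b"\xc0\x2c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"   # A RR for mail.example.test, TTL 300
    b"\xc0\x00\x02\x37"                                    # RDATA: 192.0.2.55
)


def read_name(data, offset):
    """Read a (possibly compressed) domain name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer (top two bits set)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2           # the name ends after the first pointer
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:                  # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end


def parse_rdata(rtype, data, start, rdlength):
    """Decode RDATA for the record types this example understands."""
    raw = data[start:start + rdlength]
    if rtype == 1:                          # A: four-byte IPv4 address
        return ".".join(str(b) for b in raw)
    if rtype == 15:                         # MX: 16-bit preference + exchange name
        pref = struct.unpack("!H", raw[:2])[0]
        return pref, read_name(data, start + 2)[0]
    if rtype in (2, 5, 12):                 # NS, CNAME, PTR: a single domain name
        return read_name(data, start)[0]
    return raw                              # other types: leave as raw bytes


def parse_rr(data, offset):
    """Parse one resource record: Name, Type, Class, TTL, RDLENGTH, RDATA."""
    name, offset = read_name(data, offset)
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    rr = {"name": name, "type": RR_TYPES.get(rtype, rtype), "class": rclass,
          "ttl": ttl, "rdlength": rdlength,
          "rdata": parse_rdata(rtype, data, offset, rdlength)}
    return rr, offset + rdlength


def parse_message(data):
    """Return header flags, questions and answer RRs of a DNS message."""
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    header = {"id": msg_id, "qr": bool(flags & 0x8000),
              "tc": bool(flags & 0x0200),   # truncated: answer exceeded the UDP limit
              "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = read_name(data, offset)
        qtype, qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append({"name": qname, "type": RR_TYPES.get(qtype, qtype), "class": qclass})
    for _ in range(an):
        rr, offset = parse_rr(data, offset)
        answers.append(rr)
    return {"header": header, "questions": questions, "answers": answers}


def needs_tcp_retry(data):
    """True when the server set TC, i.e. the client should repeat the query over TCP."""
    return parse_message(data)["header"]["tc"]


if __name__ == "__main__":
    for rr in parse_message(SAMPLE_RESPONSE)["answers"]:
        print(rr)
```

The same parser can be pointed at bytes read from a UDP socket; the hop counter in read_name matters there, because a crafted message can point a compression pointer at itself.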
Client-side OSs or applications use very simple stub DNS resolvers. Typically, stub DNS resolvers issue DNS queries to the DNS recursive resolvers, not only for DNS information about internal resources, but also for DNS information about publicly registered domains.
A DNS recursive resolver is a DNS server that processes the clients' DNS queries. The DNS recursive server queries the required authoritative DNS servers for the RR information, then provides the answer back to the DNS client. Typically, DNS recursive resolvers are internal to an organization and should only accept DNS queries from internal clients.
Open DNS recursive resolvers are DNS recursive resolvers that accept queries from all IP addresses and are exposed to the Internet. Examples of open public DNS recursive resolvers include GoogleDNS (126.96.36.199) and Cisco OpenDNS (188.8.131.52 and 184.108.40.206). Attackers often scan for open DNS recursive resolvers to use them in reflection or amplification DDoS attacks. Organizations must exercise care in managing and monitoring their open DNS recursive resolvers.
An authoritative DNS server is responsible for all of the domain's RRs. The authoritative DNS server returns answers to DNS queries with information that is stored in the RRs for a domain name space held on the local server. Authoritative DNS servers provide the authoritative responses to the DNS recursive resolvers. The authoritative DNS servers are exposed to the Internet and generally accept DNS queries from all IP addresses.
Zones: In addition to being segmented into domains, the DNS name space is divided into zones to simplify DNS database management. A zone is a contiguous portion of the domain name space in the DNS for which the administrative responsibility has been delegated to a single administrator. A zone is the authoritative source for information about each domain that is included in the zone.
A zone file is a text file that describes a DNS zone, and contains a list of the zone's resource records.
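The two statements above, that a recursive resolver should only accept queries from internal clients and that an open resolver is attractive for reflection and amplification floods, can be turned into a log check. The following is an added example, not part of the page or any Cisco tool: it reads resolver query-log lines in a constructed BIND-style "query:" format, flags queries whose source is outside the assumed internal ranges (10.0.0.0/8 and 192.168.0.0/16), and counts the query types whose large responses make them the usual amplification vector.

```python
"""Audit a recursive resolver's query log for signs of open-resolver abuse.

Added example, not from the page or any Cisco tool. The log lines are
constructed in a simplified BIND-style 'query:' format (no '@0x...' client
handle) and the internal ranges are assumptions for the example.
"""
import ipaddress
import re
from collections import Counter

# Assumed: address ranges that belong to the organization's own clients
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Query types whose answers are large relative to the 30-60 byte query,
# which is what reflection/amplification floods rely on
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed sample log lines (not a real capture); 10.0.0.53 is the resolver
SAMPLE_LOG = """\
12-Mar-2024 10:01:02.113 client 192.168.5.20#53211 (intranet.example.test): query: intranet.example.test IN A +E(0) (10.0.0.53)
12-Mar-2024 10:01:02.540 client 10.20.1.9#41022 (mail.example.test): query: mail.example.test IN MX +E(0) (10.0.0.53)
12-Mar-2024 10:01:03.002 client 203.0.113.7#5000 (amp.example.test): query: amp.example.test IN ANY +E(0) (10.0.0.53)
12-Mar-2024 10:01:03.004 client 203.0.113.7#5000 (amp.example.test): query: amp.example.test IN ANY +E(0) (10.0.0.53)
12-Mar-2024 10:01:03.010 client 198.51.100.44#5000 (example.test): query: example.test IN TXT +E(0) (10.0.0.53)
12-Mar-2024 10:01:04.200 client 192.168.7.7#60001 (www.example.test): query: www.example.test IN AAAA +E(0) (10.0.0.53)
"""

LOG_RE = re.compile(
    r"client (?P<src>[\d.:a-fA-F]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<qtype>\S+) (?P<flags>\S+)")


def parse_query_line(line):
    """Extract source address, port, name, query type and the RD ('+') flag."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": ipaddress.ip_address(m["src"]), "port": int(m["port"]),
            "name": m["name"], "qtype": m["qtype"],
            "recursion_desired": m["flags"].startswith("+")}


def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def audit(log_text):
    """Count external-source queries and amplification-prone query types per source."""
    external = Counter()       # source -> queries a closed resolver should have refused
    amplification = Counter()  # (source, qtype) -> queries with large answers
    parsed = 0
    for line in log_text.splitlines():
        q = parse_query_line(line)
        if q is None:
            continue
        parsed += 1
        if is_internal(q["src"]):
            continue
        external[str(q["src"])] += 1
        if q["qtype"] in AMPLIFYING_QTYPES:
            amplification[(str(q["src"]), q["qtype"])] += 1
    return {"parsed": parsed, "external": external, "amplification": amplification}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    print(f"parsed {report['parsed']} queries")
    for src, n in report["external"].most_common():
        print(f"external source {src}: {n} queries")
    for (src, qtype), n in report["amplification"].most_common():
        print(f"amplification candidate {src} {qtype}: {n}")
```

Any hit in the external counter means the resolver answered (or at least logged) a query it should have refused with an allow-recursion policy; the same source address repeating with a fixed source port and ANY queries is the shape a reflection flood takes, since the source address is the victim's, not the sender's.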
DNS RR Types
The following are examples of DNS resource record types:
A record: Used to map host names to the IPv4 address of the host. In an A record, multiple IP addresses can correspond to a single host name. There can also be multiple host names, each of which maps to the same IP address. There must be a valid A record in the DNS for host.domain.name in order for a command such as telnet host.domain.name to work. An AAAA record is used to map host names to the IPv6 address of the host.
MX record: An MX record maps a domain name to a list of mail servers for that domain.
PTR record: A PTR record points to a canonical name. The most common use is for implementing reverse DNS lookups, mapping an IP address to the hostname.
NS record: An NS record identifies the DNS servers that are responsible (authoritative) for a zone.
CNAME record: A CNAME record is used to specify that a domain name is an alias for another domain name, which is the "canonical" domain name.
TXT record: A TXT record is used to associate any arbitrary text with a hostname. This record type is used in specific cases such as DomainKeys Identified Mail, a method to detect email spoofing.
SOA record: Each zone contains an SOA record. The SOA record identifies the name server that is the best source of information for the data within the zone. The SOA record also contains various other parameters that define the behavior of the DNS server.
The nslookup Utility
The nslookup network utility is available on many operating systems, such as Windows and Unix, for querying the DNS database for domain names, IP address mappings, or any specific DNS record.
The figure below shows an example from a Microsoft DNS server. In this example, the domain name is secure-x.local. The hq-srv.secure-x.local host is the name server for the secure-x.local domain, as configured by the NS record. The A records are used to map the host name to the IP address. For example, the hq-srv host name is mapped to the 192.168.1.2 IP address, the inside-srv host name is also mapped to the 192.168.1.2 IP address, and so on. The fully qualified domain names for these two host names are hq-srv.secure-x.local and inside-srv.secure-x.local.
The following diagram illustrates a sample of the DNS hierarchy starting from the root (.). For example, everything below the .org TLD is in the .org domain, and everything below the .cisco.com domain name space is in the .cisco.com domain.
The figure below shows the DNS query/response flow between the stub DNS resolver, the DNS recursive resolver, and the authoritative DNS server.
The examples below are taken from a Cisco lab environment; .public and .private are used instead of .com and .local to avoid conflicting with real and commonly used domain name spaces.
A record: Using the nslookup utility, it shows that the dmz.secure-x.public host is resolved to the IP address 192.0.2.50 by the 220.127.116.11 DNS server, and that the 18.104.22.168 DNS server is not the authoritative DNS server for the secure-x.public domain.
PTR record: In this example, using the nslookup utility, the set q=ptr option can be used to examine the PTR record. In this example, the PTR record from DNS shows that 192.0.2.50 resolves to the various hostnames in the secure-x.public domain, such as dmz.secure-x.public.
MX record: In this example, using the nslookup utility, the set q=mx option can be used to examine the MX record. In this example, the MX record from DNS shows that 192.0.2.55 is the mail server for the secure-x.public domain.
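What nslookup sends for these three lookups is a 12-byte header plus one question. The following added example (not part of nslookup or the Cisco lab) builds those query messages for the A, PTR and MX cases, derives the in-addr.arpa (or ip6.arpa) name that set q=ptr queries for an address, and enforces the label and name limits stated earlier on this page (63 characters per label, 255 octets per name). The lab names dmz.secure-x.public and 192.0.2.50 are reused from the page; the message ID and the send_udp helper are this example's own.

```python
"""Build the DNS query messages that nslookup sends for A, PTR and MX lookups.

Added example for this page; not nslookup's code and not Cisco material.
Names are encoded per RFC 1035 with the 63-octet label / 255-octet name
limits enforced. send_udp needs a reachable server and is not run here.
"""
import ipaddress
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15,
          "TXT": 16, "AAAA": 28}


def encode_name(name):
    """Turn 'host.example.test' into length-prefixed labels ending in a zero byte."""
    encoded = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"label {label!r} must be 1-63 characters")
        encoded += bytes([len(raw)]) + raw
    encoded += b"\x00"
    if len(encoded) > 255:
        raise ValueError("name exceeds 255 octets on the wire")
    return encoded


def reverse_name(ip):
    """Name queried for a PTR lookup: 50.2.0.192.in-addr.arpa. for 192.0.2.50."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def build_query(name, qtype, msg_id=0x1234, recursion_desired=True):
    """Wire-format query: header (QDCOUNT=1) followed by one class-IN question."""
    flags = 0x0100 if recursion_desired else 0x0000   # RD bit, as nslookup sets by default
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)
    return header + question


def ptr_query(ip, **kw):
    """The query 'set q=ptr' followed by an address makes nslookup send."""
    return build_query(reverse_name(ip), "PTR", **kw)


def send_udp(query, server, timeout=2.0):
    """Send the query over UDP port 53 and return the raw response (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(4096)[0]


if __name__ == "__main__":
    print("A  :", build_query("dmz.secure-x.public", "A").hex())
    print("PTR:", reverse_name("192.0.2.50"), ptr_query("192.0.2.50").hex())
    print("MX :", build_query("secure-x.public", "MX").hex())
```

A response to any of these can be inspected with a packet capture filter on udp port 53; the message ID in the first two bytes is how the client matches a response to its query, and nslookup picks it per query rather than using a fixed value as this example does.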