Question regarding question 7 of the Quiz 2 - 2020

by Devrim Celik -
Number of replies: 4

Hello,

In question 7, my intuitive answer would have been c) (both of the above); however, I thought the following and selected b) instead: Persa would pose as the local DNS server, thus serving IP addresses. My problem is this: how can she try to "sell" her IP address as one of a web server, if her IP address is known by every end-host as the local DNS server? This, in combination with the fact that we determined that every computer can only have one IP address, led me to believe that a) was not possible.

Maybe I overthought it, but how would it work?

Thanks in advance.

In reply to Devrim Celik

Re: Question regarding question 7 of the Quiz 2 - 2020

by Katerina Argyraki -

:)

Awesome question.

Two relevant points:

- When Persa impersonates the local DNS server, she does not use her own IP address to respond to DNS requests, she uses the IP address of the local DNS server. More precisely, the packets that leave Persa's computer (carrying fake DNS responses) specify, in their network-layer header, the IP address of the local DNS server as the source IP address. So, Persa's IP address is not known to everyone as the IP address of the local DNS server.

- Technically, a computer may act both as a DNS server and a web server. So, even if Persa acted as a local DNS server and used her own IP address to send DNS responses, she could still specify her own IP address as that of a web server. Of course, you are right, that should look suspicious, because today it is unlikely (though technically possible) for the same computer to act as both DNS and web server. That said, the fact that it would look suspicious to a human does not necessarily mean that it would look suspicious to a computer. By default, a DNS client would not double-check that the mapping returned in a DNS response "makes sense."

Does the above answer your question?

In reply to Katerina Argyraki

Re: Question regarding question 7 of the Quiz 2 - 2020

by Devrim Celik -

Thanks for the quick answer! :)

Regarding your first point, I assume that the messages leaving the end hosts for the local DNS carry the IP address of the genuine local host, but are intercepted by Persa in this case? So neither sending nor receiving would leave any trace of her presence? Is there really no way to know which ("direct") origin a packet that was sent to me has? E.g., I think DNS makes use of both UDP and TCP (for different purposes), and establishing a TCP connection with her must give me as an end host some information about her IP address, no?

In reply to Devrim Celik

Re: Question regarding question 7 of the Quiz 2 - 2020

by Devrim Celik -

Excuse my awful spelling:

- would leave *trace* any regarding her presence

- is there really *no* way to *know*

- makes *use* of both

In reply to Devrim Celik

Re: Question regarding question 7 of the Quiz 2 - 2020

by Katerina Argyraki -

This is another great question.

In the scenario we are discussing, Persa does not intercept any of the DNS requests sent by other end-systems. Each DNS request carries the true IP address of the local DNS server as its destination IP address, so it does not normally go to Persa. Persa *guesses* that end-system X sent a DNS request and sends a fake DNS response.

Also, in this scenario, the victim end-systems and the local DNS server (and Persa) use UDP at the transport layer. (We said in class that the communication between DNS clients and DNS servers is typically UDP; between DNS servers it can be TCP).

If end-systems and the local DNS server used TCP at the transport layer, then, indeed, it would be much harder for Persa to impersonate the DNS server. You are already getting the idea, and we will discuss it in detail at the next lecture (when we focus on TCP).
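As an added illustration of the two answers above (this is example code written for this thread, not code from the course or from any DNS implementation), the Python model below shows exactly which fields a stub resolver checks before trusting a UDP reply, in the style recommended by RFC 5452: the datagram's source IP and port must be the server the query went to, the transaction ID must match an outstanding query, and the question must be repeated. It shows two consequences stated in the answers: a reply whose network-layer source field carries the DNS server's address passes the source check regardless of which host produced it, and the client never asks whether the returned mapping "makes sense". It also shows why a guessed reply usually fails when the transaction ID is unpredictable. The addresses 10.0.0.53 and 198.51.100.7, the name www.example.com and the class name StubResolver are constructed for this example.

```python
import secrets
import struct

# Minimal DNS wire-format helpers (RFC 1035 header, question and A record).
# Constructed for this example; not the course's or any library's code.
# Name compression pointers are not handled, since the messages built here
# never use them.


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data: bytes, offset: int):
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid: int, qname: str) -> bytes:
    # flags 0x0100: standard query, recursion desired; one question, type A, class IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def query_txid(query: bytes) -> int:
    return struct.unpack("!H", query[:2])[0]


def build_response(txid: int, qname: str, ipv4: str) -> bytes:
    # flags 0x8180: response, recursion desired and available; one question, one answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, 60, 4) + rdata
    return header + question + answer


def parse_response(data: bytes):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    off += 4  # skip the question's qtype and qclass
    answers = []
    for _ in range(an):
        _aname, off = decode_name(data, off)
        atype, _aclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if atype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in rdata))
    return txid, flags, qname, answers


class StubResolver:
    """Models the checks a DNS client applies to a UDP reply (RFC 5452 style):
    the datagram must come from the IP:port the query was sent to, carry the
    same transaction ID and repeat the same question. The returned address is
    taken at face value; nothing asks whether the mapping "makes sense"."""

    def __init__(self, dns_server_ip: str, dns_server_port: int = 53):
        self.server = (dns_server_ip, dns_server_port)
        self.pending = {}  # txid -> qname of queries awaiting a reply

    def send_query(self, qname: str) -> bytes:
        txid = secrets.randbelow(65536)  # unpredictable ID: a guess hits 1 time in 65536
        self.pending[txid] = qname
        return build_query(txid, qname)

    def accept_response(self, src_ip: str, src_port: int, datagram: bytes):
        """Return (address, reason); address is None when the reply is rejected."""
        if (src_ip, src_port) != self.server:
            return None, "source IP:port does not match the DNS server"
        txid, flags, qname, answers = parse_response(datagram)
        if not flags & 0x8000:
            return None, "QR bit not set: not a response"
        if self.pending.get(txid) != qname:
            return None, "transaction ID / question match no outstanding query"
        del self.pending[txid]  # a second reply for the same query is ignored
        return (answers[0] if answers else None), "accepted"


if __name__ == "__main__":
    LOCAL_DNS = "10.0.0.53"  # constructed address of the genuine local DNS server
    client = StubResolver(LOCAL_DNS)
    txid = query_txid(client.send_query("www.example.com"))
    reply = build_response(txid, "www.example.com", "198.51.100.7")
    # Rejected: the network-layer source is not the DNS server's address.
    print(client.accept_response("10.0.0.99", 53, reply))
    # Rejected: the transaction ID does not match the outstanding query.
    wrong_id = build_response((txid + 1) % 65536, "www.example.com", "198.51.100.7")
    print(client.accept_response(LOCAL_DNS, 53, wrong_id))
    # Accepted: header checks pass and the mapping itself is never questioned.
    print(client.accept_response(LOCAL_DNS, 53, reply))
```

The source-address check is the only one that the source IP field of a packet satisfies on its own, which is the first point in the answer above; the transaction ID and source port checks are what make guessing expensive, and a TCP transport would add the handshake on top of them.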