Hacking Book | Free Online Hacking Learning


DNS essentials: background you need before analyzing ISC BIND

Posted by herskovits at 2020-02-27

*The vulnerabilities discussed in this article have been reported to the vendor and fixed. This article is for technical research and discussion only; using it for illegal purposes is strictly prohibited, and you bear all consequences of doing so.

0x01

Recently I have been analyzing vulnerabilities in DNS software, and in the process it became obvious that my understanding of the protocol under analysis was not good enough. This is especially true for DNS: the computer networks course I took as an undergraduate covered it only superficially. Generally there are two exam points: 1. explain the concept of, and the difference between, recursive and iterative queries; 2. tell the various resource record types apart. This article is a reflection on that gap. It covers the key and difficult points of DNS protocol knowledge I needed while analyzing vulnerabilities, as well as the additional background knowledge that came up in recent analyses.

0x02

Some of this is stated clearly in the RFCs (RFC 1034 and RFC 1035), so I will not repeat it here; just a few points.


As the Internet expanded, the number of hosts grew, and with it the number of domain names. Faced with this, how do you keep domain names easy to remember, and how do you manage the domain name data?

The solution is a tree-shaped (hierarchical) namespace. Like a directory tree, names read from large to small, from the whole to the part, and the tree is split into manageable blocks of administration by a delegation mechanism.

Domain and zone

We know the tree can be extended indefinitely. A contiguous set of names under one node of the tree forms a zone, which is managed by some organization; that organization can hand one of its subtrees to another organization, and this layer-by-layer delegation divides the namespace into manageable blocks.

The program that stores namespace information is called a name server. A name server usually has complete information about some part of the namespace (called a zone), loaded from a zone file, and is said to be authoritative for that zone.

In everyday use we tend to equate a domain with DNS, which keeps things simple. But when dealing with the DNS servers that hold the data for our domains (name servers), we have to introduce the term zone, because it is essential.

The difference between a domain and a zone is important but subtle. Consider the example below. The com domain is divided into multiple zones, including the hp.com zone, the sun.com zone and the it.com zone. At the top of the domain there is also the com zone itself.

A zone lives inside a domain. A name server loads a zone file, not a domain. The zone file contains the information for the part of the domain that the zone is responsible for, which may be the whole domain (sun.com, it.com) or only part of it (hp.com plus pr.hp.com).

In our example the hp.com domain has two subdomains, support.hp.com and pr.hp.com. The first, support.hp.com, is controlled by its own name server because it has its own zone, the support.hp.com zone. The second, pr.hp.com, is controlled by the same name server that is responsible for the hp.com zone.

The hp.com zone holds only a small amount of information about the support.hp.com zone: it knows that support.hp.com exists and which name servers serve it (the NS records at the delegation point). If you need more information about support.hp.com, you are referred to the authoritative name servers of that subdomain, that is, the name servers of that zone.

So although support.hp.com is a subdomain just like pr.hp.com, it is set up and controlled differently from pr.hp.com.

The sun.com domain, by contrast, has a single zone (the sun.com zone) that contains and controls the entire domain, and that zone is loaded by its authoritative name servers.

The wording above is rather convoluted, but it is about the simplest explanation there is; read it a few times and it will click.

As we saw above, the zone file is loaded by the authoritative server, and the client uses the DNS protocol to look up the IP address for a domain name. If every query started from the root and ran all the way to the authoritative servers, they could not handle the load, so how do we improve the performance of the DNS system? The answer is the recursive server. Its main jobs are: to do the recursion on the user's behalf (walking the hierarchy with iterative queries); to cache the result of each query so that the same query is answered directly from cache next time; and to expire cached entries by some mechanism (the TTL) so that data updated on the authoritative server eventually becomes visible to users. Recursion and caching do not have to go together, but in practice the DNS address configured on a host is the address of a recursive server.

Putting the above together, we now know the components of the DNS system:

1. The namespace

2. Authoritative name servers, which load zone files and answer queries for the names in them

3. Recursive servers, which clients use to look up names
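The following is an added example, not code from the original article: a toy model of the components just described. Authoritative servers load zones; the hp.com zone contains pr.hp.com but delegates support.hp.com to a different server; and a caching recursive resolver starts at the root and follows referrals on the stub's behalf, expiring cache entries by TTL. Servers are addressed by hostname (there is no IP/glue layer), and every server name, zone and address is constructed for illustration.

```python
"""
Added example, not code from the original article: a toy model of the DNS
components just described. Authoritative servers load zones; the hp.com zone
contains pr.hp.com but delegates support.hp.com to another server; and a
caching recursive resolver walks the referrals on a stub's behalf. Servers are
addressed by hostname (no IP/glue layer) and all names and data are constructed.
"""
import time

# zone apex -> {owner name: {type: (ttl, [rdata, ...])}}
# NS records at a name below the apex are a delegation point: the parent zone
# only knows that the child exists and who serves it.
ZONES = {
    ".": {
        ".": {"NS": (3600, ["a.root.example."])},
        "com.": {"NS": (3600, ["ns.com.example."])},
    },
    "com.": {
        "com.": {"NS": (3600, ["ns.com.example."])},
        "hp.com.": {"NS": (3600, ["ns1.hp.com."])},
        "sun.com.": {"NS": (3600, ["ns.sun.com."])},
    },
    "hp.com.": {
        "hp.com.": {"NS": (3600, ["ns1.hp.com."]), "A": (600, ["192.0.2.11"])},
        "www.pr.hp.com.": {"A": (600, ["192.0.2.12"])},            # pr.hp.com: same zone
        "support.hp.com.": {"NS": (3600, ["ns.support.hp.com."])},  # delegated away
    },
    "support.hp.com.": {
        "support.hp.com.": {"NS": (3600, ["ns.support.hp.com."])},
        "www.support.hp.com.": {"A": (600, ["192.0.2.31"])},
    },
    "sun.com.": {
        "sun.com.": {"NS": (3600, ["ns.sun.com."])},
        "www.sun.com.": {"A": (600, ["192.0.2.21"])},
    },
}

# which zones each (constructed) authoritative server loads
SERVERS = {
    "a.root.example.": ["."],
    "ns.com.example.": ["com."],
    "ns1.hp.com.": ["hp.com."],
    "ns.support.hp.com.": ["support.hp.com."],
    "ns.sun.com.": ["sun.com."],
}


def ancestors(name):
    """Yield name, then each parent, ending with the root '.'."""
    while True:
        yield name
        if name == ".":
            return
        name = name.partition(".")[2] or "."


def authoritative_query(server, qname, qtype):
    """Answer the way a name server does, purely from the zones it has loaded."""
    zones = {apex: ZONES[apex] for apex in SERVERS[server]}
    apex = next((n for n in ancestors(qname) if n in zones), None)
    if apex is None:                      # not one of our zones at all
        return {"aa": False, "rcode": "REFUSED"}
    zone = zones[apex]
    for n in ancestors(qname):            # delegation below the apex -> referral
        if n == apex:
            break
        if n in zone and "NS" in zone[n]:
            return {"aa": False, "rcode": "NOERROR", "referral": zone[n]["NS"]}
    if qname not in zone:
        return {"aa": True, "rcode": "NXDOMAIN"}
    rrset = zone[qname].get(qtype)        # None means NODATA: name exists, type does not
    return {"aa": True, "rcode": "NOERROR", "rrset": rrset}


class RecursiveResolver:
    """Starts at the root, follows referrals, caches positive answers by TTL."""
    ROOT = "a.root.example."

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}          # (qname, qtype) -> (expiry, answer)
        self.queries_sent = 0

    def resolve(self, qname, qtype):
        key = (qname, qtype)
        hit = self.cache.get(key)
        if hit and hit[0] > self.clock():
            return hit[1]
        self.cache.pop(key, None)          # expired entry: refetch
        server = self.ROOT
        for _ in range(16):                # bound on referral chasing
            self.queries_sent += 1
            resp = authoritative_query(server, qname, qtype)
            if "referral" in resp:
                server = resp["referral"][1][0]
                continue
            rdata = list((resp.get("rrset") or (0, []))[1])
            answer = (resp["rcode"], rdata)
            if rdata:                      # real resolvers also negative-cache (RFC 2308)
                self.cache[key] = (self.clock() + resp["rrset"][0], answer)
            return answer
        raise RuntimeError("too many referrals")


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.support.hp.com.", "A"), "after", r.queries_sent, "queries")
    print(r.resolve("www.support.hp.com.", "A"), "after", r.queries_sent, "queries (cached)")
```

Resolving www.support.hp.com. costs four queries (root, com, hp.com, support.hp.com) because ns1.hp.com. answers with a referral, not an A record: the name is in the hp.com domain but not in the hp.com zone. www.pr.hp.com. is answered by ns1.hp.com. itself after three queries. Repeating a query within the 600-second TTL sends nothing.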

Resource record (RR)

We know that DNS provides a global distributed database mapping domain names to IP addresses (and other data). A mapping from a domain name to a piece of information is called a resource record.

The general format of a DNS record is:

NAME TTL CLASS TYPE RDATA

That is: the domain name, the time to live, the network/protocol class, the resource record type and the resource record data.

Let's explain with an example:

www.xxx.com 600 IN A

Here 600 is the TTL, the number of seconds a recursive server may cache this RR; IN is the Internet class, the only class in real use today; A is the record type, the resource record that maps a DNS name to a host's IPv4 address on the network; and the final field, the RDATA, carries the data associated with the name (for an A record, the IPv4 address).

Note that a name can have resource records of several types, and each type can have several records.

For a given name, the collection of all resource records of the same type is called an RRset. The RRset is the basic unit of DNS transmission: when you query for some information about a name, the DNS system returns not a single RR but the whole RRset.
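As an added example (not code from the original article), here is a small parser for records in the NAME TTL CLASS TYPE RDATA form discussed above, grouping them into RRsets keyed by owner, class and type, and applying the RFC 2181 rule that a cache treats an RRset with mismatched TTLs as if every RR had the lowest one. The record lines are constructed sample data.

```python
"""
Added example, not code from the original article: parse zone-file style
records of the form  NAME TTL CLASS TYPE RDATA  and group them into RRsets,
the unit a DNS server actually returns. All record lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str      # owner name, normalized to lowercase with a trailing dot
    ttl: int
    rclass: str
    rtype: str
    rdata: str


def parse_rr(line):
    """Parse one record line; RDATA keeps any internal spaces (e.g. MX '10 mail.')."""
    fields = line.split(maxsplit=4)
    if len(fields) != 5:
        raise ValueError(f"expected NAME TTL CLASS TYPE RDATA, got {line!r}")
    name, ttl, rclass, rtype, rdata = fields
    if not ttl.isdigit():
        raise ValueError(f"TTL must be an integer number of seconds: {ttl!r}")
    return RR(name.lower().rstrip(".") + ".", int(ttl), rclass.upper(), rtype.upper(), rdata)


def build_rrsets(lines):
    """Group RRs by (owner, class, type). Blank lines and ';' comments are skipped."""
    groups = defaultdict(list)
    for raw in lines:
        line = raw.split(";", 1)[0].strip()
        if line:
            rr = parse_rr(line)
            groups[(rr.name, rr.rclass, rr.rtype)].append(rr)
    return dict(groups)


def lookup(rrsets, name, rtype, rclass="IN"):
    """A query for (name, type) returns the whole RRset, never a single RR."""
    return rrsets.get((name.lower().rstrip(".") + ".", rclass.upper(), rtype.upper()), [])


def rrset_ttl(rrset):
    """RFC 2181 s5.2: TTLs inside one RRset must be equal; a cache that receives
    a mismatched set treats every RR as having the lowest TTL in the set."""
    return min(rr.ttl for rr in rrset)


# constructed sample zone data
SAMPLE = """
www.xxx.com   600 IN A    192.0.2.10
WWW.xxx.com   600 IN A    192.0.2.11     ; same owner (case-insensitive) -> same RRset
www.xxx.com   300 IN AAAA 2001:db8::10   ; different type -> different RRset
xxx.com      3600 IN MX   10 mail.xxx.com.
xxx.com      1800 IN MX   20 mail2.xxx.com. ; mismatched TTL: cache must use 1800
"""

if __name__ == "__main__":
    rrsets = build_rrsets(SAMPLE.splitlines())
    for key, rrs in rrsets.items():
        print(key, "ttl=%d" % rrset_ttl(rrs), [rr.rdata for rr in rrs])
```

Owner names are compared case-insensitively (DNS names are), so the two A records land in one RRset and a query for www.xxx.com A gets both addresses back together.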

Primary / secondary (master / slave) servers

First, be clear that both the primary and the secondary server give authoritative answers. Why do secondary servers exist? Suppose a zone is served by a single name server; if that server fails, nobody on the Internet can obtain the records of that zone. To avoid this, secondary servers are used and the zone is served by several name servers. Usually a zone has one primary server, and the secondary servers periodically synchronize the zone from the primary (by zone transfer, AXFR/IXFR, driven by the SOA serial number and refresh timer). Primary and secondary servers receive queries alike, so they provide load balancing and disaster recovery at the same time.

Stub resolver:

This is the DNS client library on the host. Its job is to make the DNS system easy for applications to use by giving developers a uniform programming interface; it does no recursion of its own and simply forwards queries to a recursive server.

0x03

Additional background knowledge encountered during vulnerability analysis:


1) udns: a stub DNS resolver library. udns implements a thread-safe stub resolver; it can be used in the traditional synchronous way, asynchronously, or integrated with an event loop provided by the application.


1) DNSSEC: the Domain Name System Security Extensions are a set of DNS security mechanisms standardized by the IETF (originally RFC 2535, now RFC 4033 to 4035). They add origin authentication, data integrity and authenticated denial of existence (proof that a name or a type does not exist) to DNS, but do not provide availability or confidentiality: records are signed, not encrypted.

2) RRset: the collection of resource records with the same owner name and type is called a resource record set (RRset). The RRset is the basic unit of DNS transmission: when querying for some information about a name, the DNS system returns not a single RR but the whole RRset.


1) Dynamic update and the prerequisite section (RFC 2136): dynamic update lets DNS clients register and update their own resource records on the DNS server when they change. The prerequisite section of an UPDATE message carries a set of conditions (for example, that an RRset exists or that a name does not exist) which the authoritative server must check, and which must all hold, before it applies the update.


1) Negative cache: caching of negative answers (NXDOMAIN and NODATA), i.e. of names that failed to resolve, so that repeated queries for them are not sent upstream again; the TTL for such entries comes from the zone's SOA record (RFC 2308).

2) RRsets: a DNS record set (RRset) is the set of records with the same owner name, class and type; for example, all A records of a name form one RRset.

To sign each level of the zone, several other record types are introduced:

Resource Record Signature (RRSIG): the signature over an RRset

DNSKEY: holds the public key used to verify RRSIGs

Delegation Signer (DS): placed in the parent zone, it holds a hash of a DNSKEY of the child zone and is what you hand to the registrar to link the child into the chain of trust


1) DNS lookup: resolving a name and enumerating its common record types, such as A, MX, NS, SOA and TXT.

2) named: the daemon of the ISC BIND server

3) Name server: a domain name server; each name server is responsible (authoritative) for the zones it serves

4) Delegation: when the com servers are asked about a name in example.com, they do not answer themselves but refer the querier to the name servers to which example.com has been delegated


1) rndc

The BIND distribution includes the remote name daemon control (rndc) program, which provides a control channel for performing BIND 9 DNS server operations (reload, flush, status and so on). The rndc command provides access to these operations.

2) DNAME records

RFC 2672 (since replaced by RFC 6672) describes DNAME; the RFC's title is "Non-Terminal DNS Name Redirection". It is similar to CNAME, but instead of aliasing a single name it aliases a whole subtree. When a DNAME is found, resolution does not stop: a new name is computed by substituting the DNAME target for the DNAME owner in the query name, and resolution continues with that name.

Its function is to map the entire subtree under the owner name onto the target name. This gives a mechanism for renaming domains when a network is replanned, covering both the existing names and names added later.
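The substitution step described above, as an added example (not code from the original article), following RFC 6672 section 3: only names strictly below the DNAME owner are rewritten, the owner itself is left alone, and a substituted name that would exceed 255 octets in wire form is rejected the way a server would answer YXDOMAIN. The names used are constructed.

```python
"""
Added example, not code from the original article: the name substitution a
server performs when it hits a DNAME (RFC 6672 section 3). Names are constructed.
"""


def wire_length(name):
    """Length of the name in DNS wire format: one length octet per label plus
    the terminating root label."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(len(label) + 1 for label in labels) + 1


def dname_substitute(qname, owner, target):
    """Return the redirected name if qname lies strictly below the DNAME owner,
    otherwise None: the owner itself is not redirected (it may carry other data),
    only the subtree under it is."""
    q, o, t = (n.lower().rstrip(".") for n in (qname, owner, target))
    if q == o or not q.endswith("." + o):
        return None
    prefix = q[: -(len(o) + 1)]                          # labels below the owner
    new_name = f"{prefix}.{t}." if t else f"{prefix}."   # target may be the root
    if wire_length(new_name) > 255:                      # RFC 6672 s3.4: answer YXDOMAIN
        raise ValueError("YXDOMAIN: substituted name exceeds 255 octets")
    return new_name


if __name__ == "__main__":
    # constructed DNAME: old.example. -> new.example.
    print(dname_substitute("www.old.example.", "old.example.", "new.example."))
    print(dname_substitute("old.example.", "old.example.", "new.example."))
```

The length check matters in practice: the prefix is attacker-controlled (it is whatever the client asked for), so a server that substitutes first and validates later can be driven into building an over-long name.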


1) DNS Cookies (RFC 7873): a lightweight DNS transaction security mechanism that gives DNS servers and clients limited protection against the increasingly common denial-of-service, amplification/forgery and cache-poisoning attacks mounted by off-path attackers. DNS cookies are compatible with NAT, NAT-PT (network address translation / protocol translation) and anycast, and can be deployed incrementally. (Because a DNS cookie is only ever returned to the IP address it was originally received from, it cannot be used to track Internet users.)


1) NSEC record:

An NSEC record links to the name of the next record in the zone (in DNSSEC canonical order) and lists the record types present at its own owner name.

As part of DNSSEC validation, resolvers use these records to verify that a name, or a type at a name, does not exist.

An NSEC record has the following data elements:

Next domain name: the next owner name in the zone (in DNSSEC canonical order)

Type bitmap: the DNS record types present at this NSEC record's owner name.
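How a validator uses those two elements, as an added example that is not code from the original article: canonical ordering per RFC 4034 section 6.1, the "gap" test that turns an NSEC into an NXDOMAIN proof (including the wrap-around of the last record back to the apex), the NODATA case, and the flip side that the same chain lets anyone enumerate the zone. The NSEC chain is constructed; a real validator would first verify each NSEC RRset's RRSIG, and a complete NXDOMAIN proof also needs an NSEC covering the wildcard at the closest encloser, which is left out here.

```python
"""
Added example, not code from the original article: using an NSEC chain for
authenticated denial of existence, plus the zone walk it makes possible.
The chain below is constructed; a real validator would first check each NSEC
RRset's RRSIG, and an NXDOMAIN proof also needs an NSEC covering the wildcard
(*.closest-encloser), which is left out here.
"""


def canonical_key(name):
    """RFC 4034 s6.1 canonical ordering: labels compared from the root, case-
    insensitively; a name sorts before every name that has it as a suffix."""
    labels = [label.lower() for label in name.rstrip(".").split(".") if label]
    return tuple(reversed(labels))


def nsec_covers(owner, next_name, qname):
    """True if the gap owner < qname < next proves qname does not exist. The
    last NSEC points back to the apex, so owner > next means wrap-around."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    return q > o or q < n


def check_denial(nsec_chain, qname, qtype):
    """nsec_chain: list of (owner, next_name, {types at owner}).
    Returns EXISTS, NODATA (name exists, type does not), NXDOMAIN, or UNPROVEN."""
    apex = min(canonical_key(owner) for owner, _next, _types in nsec_chain)
    q = canonical_key(qname)
    if q[:len(apex)] != apex:
        return "UNPROVEN"                 # not under this zone's apex at all
    for owner, _next, types in nsec_chain:
        if canonical_key(owner) == q:
            return "EXISTS" if qtype.upper() in types else "NODATA"
    for owner, next_name, _types in nsec_chain:
        if nsec_covers(owner, next_name, qname):
            return "NXDOMAIN"
    return "UNPROVEN"


def walk_zone(nsec_chain):
    """The flip side: every NSEC names the next owner, so anyone holding the
    records can enumerate the zone by following the chain (why NSEC3 exists)."""
    by_owner = {canonical_key(o): (o, n) for o, n, _ in nsec_chain}
    start = min(by_owner)                 # the apex sorts first
    names, cur = [], start
    while cur in by_owner:
        owner, next_name = by_owner[cur]
        names.append(owner)
        cur = canonical_key(next_name)
        if cur == start:
            break
    return names


# constructed NSEC chain for the zone example.com. (apex, a, c; c wraps to apex)
NSEC_CHAIN = [
    ("example.com.", "a.example.com.", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    ("a.example.com.", "c.example.com.", {"A", "NSEC", "RRSIG"}),
    ("c.example.com.", "example.com.", {"A", "AAAA", "NSEC", "RRSIG"}),
]

if __name__ == "__main__":
    for name, rtype in [("b.example.com.", "A"), ("a.example.com.", "MX"),
                        ("z.example.com.", "A"), ("a.example.com.", "A")]:
        print(name, rtype, "->", check_denial(NSEC_CHAIN, name, rtype))
    print("zone walk:", walk_zone(NSEC_CHAIN))
```

Note that canonical order is not plain string order: sub.a.example.com. sorts between a.example.com. and c.example.com. because labels are compared from the root, which is exactly why the proof for a name below an existing name still works.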

2) Authority section:

Any DNS server you query may answer, but it may answer from its cache. If you want to be sure of getting an authoritative response, ask one of the servers listed in the authority section (the NS records) of the response, that is, a name server authoritative for the zone; its answer carries the AA (authoritative answer) flag.


*Author: yale1024, reprinted from freebuf.com