SMTP, POP, and IMAP
SMTP is the Simple Mail Transfer Protocol, used to transfer email between servers. SMTP servers listen on TCP port 25. POPv3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) are used for client-server email access, using TCP ports 110 and 143, respectively.
DNS
DNS is the Domain Name System, a distributed global hierarchical database that translates names to IP addresses, and vice versa. DNS uses both TCP and UDP: small answers use UDP port 53; large answers (such as zone transfers) use TCP port 53.
Two core DNS functions are gethostbyname() and gethostbyaddr(). Given a name (such as www.syngress.com), gethostbyname returns an IP address, such as 192.0.2.187. Given an address such as 192.0.2.187, gethostbyaddr returns the name, www.syngress.com.
Authoritative name servers provide the “authoritative” resolution for names within a given domain. A recursive name server will attempt to resolve names that it does not already know. A caching name server will temporarily cache names previously resolved.
DNS Weaknesses
DNS uses the unreliable UDP protocol for most requests, and native DNS provides no authentication. The security of a DNS transaction therefore rests on two 16-bit values: the resolver's UDP source port and the DNS query ID. An attacker who can blindly guess both can forge a UDP DNS response that the resolver accepts.
A DNS cache poisoning attack is an attempt to trick a caching DNS server into caching a forged response. If bank.example.com is at 192.0.2.193, and evil.example.com is at 198.18.8.17, an attacker may try to poison a DNS server’s cache by sending the forged response of “bank.example.com is at 198.18.8.17.” If the caching DNS name server accepts the bogus response, it will respond with the poisoned response for subsequent bank.example.com requests (until the record expires).
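As an added illustration of the two 16-bit values described above (example code, not from the book), this Python toy models the acceptance check a caching resolver applies to each reply and replays the bank.example.com scenario; the class, the fixed port 53 and the 3600-second TTL are constructed assumptions.

```python
# Added example (not from the page): toy model of the reply check a caching
# resolver performs on each UDP DNS answer; addresses are the page's constructed ones.
import secrets


class CachingResolver:
    """Accepts a reply only if its 16-bit query ID and the UDP port it arrives
    on match an outstanding query for the same name."""

    FIXED_PORT = 53  # constructed stand-in for a resolver that never varies its port

    def __init__(self, randomize_port=True):
        self.randomize_port = randomize_port
        self.pending = {}  # (query_id, source_port) -> qname awaiting an answer
        self.cache = {}    # qname -> (ip, ttl)

    def send_query(self, qname):
        """Choose the two 16-bit values a blind attacker would have to guess."""
        query_id = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow((1 << 16) - 1024) if self.randomize_port else self.FIXED_PORT
        self.pending[(query_id, port)] = qname
        return query_id, port

    def receive(self, query_id, port, qname, ip, ttl):
        """Cache the record only for an exactly matching reply; a wrong ID,
        wrong port or unrequested name is silently dropped."""
        if self.pending.get((query_id, port)) != qname:
            return False
        del self.pending[(query_id, port)]
        self.cache[qname] = (ip, ttl)
        return True

    def guess_space_bits(self):
        """Bits a forger must guess: 16 of query ID, plus 16 of port if randomized."""
        return 32 if self.randomize_port else 16


def poisoning_attempt(randomize_port=True):
    """Replay the page's scenario: a forged reply whose query ID misses by one,
    then the genuine answer. Returns (forged_accepted, genuine_accepted, cached_ip)."""
    resolver = CachingResolver(randomize_port)
    query_id, port = resolver.send_query("bank.example.com")
    wrong_id = (query_id + 1) % (1 << 16)
    forged = resolver.receive(wrong_id, port, "bank.example.com", "198.18.8.17", 3600)
    genuine = resolver.receive(query_id, port, "bank.example.com", "192.0.2.193", 3600)
    return forged, genuine, resolver.cache["bank.example.com"][0]
```

With a fixed source port the same check still runs, but only the 16-bit query ID stands between a blind forger and the cache, which is why source port randomization was the headline defense in the 2008 advisory linked below.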
DNSSEC
DNSSEC (Domain Name System Security Extensions) provides authentication and integrity for DNS responses through public key cryptography. Note that DNSSEC does not provide confidentiality: it acts like a digital signature on DNS responses, not encryption of them.
Building an Internet-scale Public Key Infrastructure is a difficult task, and DNSSEC has been slowly adopted for this reason. Security researcher Dan Kaminsky publicized an improved DNS cache poisoning attack in 2008, which has led to renewed calls for wider adoption of DNSSEC. See https://www.kb.cert.org/vuls/id/800113 for more details on the improved cache poisoning attack and defenses.
DoT and DoH
DNS over TLS (DoT) and DNS over HTTPS (DoH) are two competing standards that transfer and encrypt DNS traffic via TLS. DoT uses a dedicated port (TCP port 853), while DoH uses HTTPS on TCP port 443. Unlike DNSSEC, both provide confidentiality between the client resolver and the DoT or DoH server. DoH has won a larger market share, and is currently used by default by Firefox in the United States.