Unit 7: DHCP, DNS, and Switch Attacks and Mitigations 7.1 DHCP, DNS, and Switch Attacks and Mitiga...

The hosts File and the DNS Resolver Cache

>> Before DNS, Domain Name System, hit the networking scene in 1984,
a text file called hosts.txt was manually maintained and shared
by Stanford Research Institute for the ARPANET, Advanced Research Projects Agency Network.
The file mapped networks, gateways, and host names to IP addresses for member organizations.
Operating systems today have a text file called hosts that maps host names, or FQDNs,
Fully Qualified Domain Names, to IP addresses.
This file might seem like a relic of the past, since DNS seems to do the same thing today.
However, believe it or not, the hosts file is used by both malware and anti-virus software.
I'm going to open up Notepad as an administrator.
I bet no one's ever said that before.
I'm going to click "File."
"Open," and I'm going to browse to C:\Windows\System32\drivers\etc. I'm going
to change to "All Files."
And, I'm going to open up "hosts."
Yes, this file, even on Windows, has no extension.
It's just "hosts."
Everything in this file is commented out with the pound sign.
There is nothing in play.
Let's add an entry to this file.
I'm going to map the IP address of 129.21.1.40 to the fully qualified domain name
of www.jonathanscottweissman.edu.
I'm going to save the file.
Let's open up a Windows command line interface,
and type ipconfig /flushdns.
This will flush my client's DNS resolver cache.
There are two ways entries are added to the host DNS resolver cache.
The first, and obvious, way: replies to DNS queries.
When the host sends a DNS query to its DNS server, the DNS server,
after doing some querying on the client's behalf, will give back the answer to the client.
The client will cache it at that point and use it.
The second way entries get added to the client's DNS resolver cache is the hosts file.
Let's execute this command.
ipconfig /displaydns will show us the DNS resolver cache.
The output shows that the entry we added
to the hosts file has been re-added to the host DNS resolver cache,
with a TTL, Time To Live, of zero seconds.
This TTL, though, doesn't decrement like a TTL from a DNS response would.
When the TTL of a DNS record received from a DNS server goes down to zero, its record is removed
from the DNS resolver cache, and won't be visible
from ipconfig /displaydns anymore.
If the host needs the name resolved into its IP address again, a new query will be issued
from the host to its DNS server to resolve the name into its IP address.
Entries from the hosts file are always going to be in the DNS resolver cache,
automatically added back when it's flushed, with a dummy TTL value of zero seconds.
You'll notice two records here.
The first, an A, address record, maps a name into its corresponding IPv4 address.
The second, a PTR, Pointer record, maps an address shown here
in DNS reverse lookup format, into its corresponding name.


Using the hosts File to Redirect Traffic to Malicious Servers Demo

>> And now, the moment you've all been waiting for.
I'm going to open up a browser, and head on over to www.jonathanscottweissman.edu, and bam!
I see the RIT website.
My machine didn't even bother to ask my DNS server for the IP address
of www.jonathanscottweissman.edu.
It already knew the IP address of 129.21.1.40, which was automatically added
to the DNS resolver cache as soon as I saved my updated hosts file.
So, how might malware use the hosts file?
Two ways, actually.
First, malware can use the hosts file to redirect traffic to malicious servers.
For example, traffic to ad servers can be intercepted
and replaced with ads from a malware author.
What about redirecting your traffic intended for LinkedIn.com to a fake spoofed version
that either contains a drive-by download exploit kit,
or just steals your credentials as you enter them?
Just imagine that www.jonathanscottweissman.edu is a domain that I want to go to,
but instead of going there, I'm redirected to an attacker's site.
Although in this case, I'm just redirecting myself to www.rit.edu.


Using the hosts File for a DoS Attack Demo

A second way malware could use the hosts file is for a denial of service attack.
Let's add this entry.
This binds the loopback address to www.edx.org.
Let's open up a browser, and head on over to www.edx.org.
This site can't be reached?
Hmm. Why didn't it load?
Because the new entry in the hosts file that was automatically merged into the DNS resolver cache
said the edx.org website is on this machine, 127.0.0.1.
Of course, there is no such website on this machine,
and that's why I'm seeing this message in the browser.
So, malware can write to the hosts file, and block your traffic to update servers
of operating systems, like Windows Update, and security vendors.
This will keep the malware from being detected by patches and updates.
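The two malware uses just described (a name pinned to an attacker's address, and an update or security-vendor domain pinned to loopback) both leave a visible trace in the hosts file, whose format was shown in the first demo. As an added example, not part of the lecture, here is a Python audit script that parses a hosts file and flags both patterns. The sample hosts text and the list of protected domain suffixes are constructed for this example; the two entries from the lecture's own demos are included so the output lines up with what was shown.

```python
"""Audit a hosts file for the two malware uses described above.
Added example; the watch list and sample file are constructed, not from the lecture."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HostsEntry:
    ip: str
    names: tuple      # first name is canonical, the rest are aliases on the same line
    line_no: int


def parse_hosts(text):
    """Parse hosts-file text: '<ip> <name> [<name> ...]' per line, '#' starts a comment.
    Lines that do not fit that shape are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        names = tuple(p.lower().rstrip(".") for p in parts[1:])
        entries.append(HostsEntry(str(ip), names, n))
    return entries


# Domains the machine must be able to reach for patches and AV signatures.
# Illustrative list (assumption); load the vendor domains that matter to you.
PROTECTED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com")


def _under(name, suffix):
    return name == suffix or name.endswith("." + suffix)


def _is_sinkhole(addr):
    """127.0.0.0/8, ::1 and 0.0.0.0 all make a name unreachable (the DoS trick)."""
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Return (severity, line_no, name, ip, reason) tuples, highest severity first."""
    findings = []
    for e in parse_hosts(text):
        addr = ipaddress.ip_address(e.ip)
        for name in e.names:
            if name == "localhost" or "." not in name:
                continue                       # the stock localhost lines are normal
            protected = any(_under(name, s) for s in PROTECTED_SUFFIXES)
            if _is_sinkhole(addr):
                if protected:
                    findings.append(("HIGH", e.line_no, name, e.ip,
                                     "update/security domain sinkholed (DoS pattern)"))
                else:
                    findings.append(("INFO", e.line_no, name, e.ip,
                                     "name sinkholed (blocklist style; verify it is yours)"))
            elif addr.is_private:
                findings.append(("LOW", e.line_no, name, e.ip,
                                 "name pinned to a private address (intranet override?)"))
            else:
                findings.append(("HIGH", e.line_no, name, e.ip,
                                 "name pinned to a public address (redirect pattern)"))
    rank = {"HIGH": 0, "LOW": 1, "INFO": 2}
    findings.sort(key=lambda f: (rank[f[0]], f[1]))
    return findings


# Constructed sample of a tampered hosts file; the two lecture demo entries are included.
SAMPLE_HOSTS = """\
# Constructed sample of a tampered hosts file (not a real capture)
#   127.0.0.1       localhost      # stock file: everything is commented out
129.21.1.40   www.jonathanscottweissman.edu   # redirect demo
127.0.0.1     www.edx.org                     # DoS demo
127.0.0.1     windowsupdate.com www.windowsupdate.com
0.0.0.0       ads.doubleclick.net             # typical protective blocklist line
10.0.0.5      intranet.corp.local
"""

if __name__ == "__main__":
    import sys
    # Pass the real file as an argument, e.g. C:\Windows\System32\drivers\etc\hosts
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for sev, ln, name, ip, why in audit_hosts(text):
        print(f"{sev:4} line {ln:3}: {name} -> {ip}  ({why})")
```

Run it with no arguments to audit the constructed sample, or pass the path to the real file. Loopback entries for names that are not on the protected list are reported at INFO only, because a protective blocklist like the one shown in the next demo looks exactly the same; the point of the audit is to separate those from sinkholed update domains and from names pointed at a public address.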


Using the hosts File for Protection Demo

What can AV, anti-virus, software do with the hosts file?
Here's a look at possibly the greatest example, at someonewhocares.org/hosts.
"How to make the internet not suck (as much)."
Use this file to prevent your computer from connecting to selected internet hosts.
This is an easy and effective way to protect you from many types of spyware,
reduces bandwidth use, blocks certain pop-up traps, prevents user tracking by way
of web bugs embedded in spam, provides partial protection to IE
from certain web-based exploits, and blocks most advertising you would otherwise be subjected
to on the internet.
The local hosts section seems innocent enough, but then, shock sites.
Hijack sites.
Spyware sites.
Malware sites.
DoubleClick sites, and more.
[silence]
This is what AV software does.
It maps 127.0.0.1 to known malicious domains.
Instead of your machine going to a known malicious domain,
you'll see one of those "This site can't be reached" messages in your browser window,
and this time, it's a good thing.
Simply copy and paste the text from the site right into your hosts file,
and come back for updates from time to time.
This page is updated almost every day.
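Pasting the list in by hand works once, but "coming back for updates" then means finding and removing the old paste before adding the new one. As an added example (not from the lecture and not code from someonewhocares.org), here is a Python tool that reads blocklist text in that page's style, sinkholes every name it contains, and writes the result into the hosts file between two marker comments, so a re-run replaces the previous block instead of stacking a second copy. The marker strings, the default sink address of 127.0.0.1, and both sample texts are choices made for this example.

```python
"""Merge a downloadable hosts blocklist into a hosts file idempotently.
Added example; marker strings, sample data and the default sink are choices made here."""
import ipaddress
import re

BEGIN_MARK = "# BEGIN managed blocklist (regenerated; do not edit between markers)"
END_MARK = "# END managed blocklist"
# Dotted hostname: labels of letters, digits and hyphens, not starting/ending with '-'
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def _is_ip(tok):
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False


def blocklist_names(text):
    """Collect hostnames from blocklist text. Accepts '<ip> name [name ...]' lines
    (the someonewhocares.org style) and bare names; drops comments, duplicates,
    localhost and anything that is not a valid multi-label hostname."""
    names, seen = [], set()
    for raw in text.splitlines():
        toks = raw.split("#", 1)[0].strip().lower().split()
        if toks and _is_ip(toks[0]):
            toks = toks[1:]                     # leading address: keep only the names
        for t in toks:
            t = t.rstrip(".")
            if t in seen or t == "localhost" or _is_ip(t) or not HOSTNAME_RE.match(t):
                continue
            seen.add(t)
            names.append(t)
    return names


def render_block(names, sink):
    body = [BEGIN_MARK, f"# {len(names)} names sinkholed to {sink}"]
    body += [f"{sink} {n}" for n in names]
    body.append(END_MARK)
    return body


def merge_blocklist(hosts_text, blocklist_text, sink="127.0.0.1"):
    """Return hosts_text with the managed block replaced, or appended if absent.
    Everything outside the markers (the user's own entries) is left untouched."""
    if not _is_ip(sink):
        raise ValueError(f"sink must be an IP address, got {sink!r}")
    block = render_block(blocklist_names(blocklist_text), sink)
    lines = hosts_text.splitlines()
    if BEGIN_MARK in lines and END_MARK in lines:
        i, j = lines.index(BEGIN_MARK), lines.index(END_MARK)
        if i > j:
            raise ValueError("managed block markers are out of order")
        lines[i:j + 1] = block
        return "\n".join(lines) + "\n"
    if lines and lines[-1].strip():
        lines.append("")                        # blank line before the appended block
    return "\n".join(lines + block) + "\n"


def managed_names(hosts_text):
    """Names currently sinkholed by the managed block."""
    lines = hosts_text.splitlines()
    if BEGIN_MARK not in lines or END_MARK not in lines:
        return []
    i, j = lines.index(BEGIN_MARK), lines.index(END_MARK)
    return [l.split()[1] for l in lines[i + 1:j] if not l.startswith("#")]


# Constructed samples (not real downloads or captures).
SAMPLE_BLOCKLIST = """\
#<localhost>
127.0.0.1 localhost
::1 localhost
#</localhost>
#<shock-sites>
127.0.0.1 shock.example
#</shock-sites>
#<malware-sites>
127.0.0.1 evil.example www.evil.example
0.0.0.0   tracker.example
127.0.0.1 evil.example        # duplicate on purpose
#</malware-sites>
"""
SAMPLE_HOSTS = """\
# user's own entries stay as they are
129.21.1.40 www.jonathanscottweissman.edu
"""

if __name__ == "__main__":
    merged = merge_blocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST)
    print(merged)
    # Re-running with a fresh download replaces the block instead of stacking a second copy.
    assert merge_blocklist(merged, SAMPLE_BLOCKLIST) == merged
```

On Windows the result is written back to C:\Windows\System32\drivers\etc\hosts from an elevated prompt, exactly as the Notepad-as-administrator step earlier in the lecture. The sink address is a parameter because some published lists use 0.0.0.0 instead of 127.0.0.1; both make the name unreachable.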

Reposted from: https://www.cnblogs.com/sec875/articles/10028822.html
