Well that sounds like my dream job, unfortunately this issue in particular is more of a Lemmy problem, not a DNS problem. See: https://lemmy.nrd.li/comment/190200 for the explanation of why you cant just transfer domains with Lemmy.
Also, if you’re genuinely interested in this field, first you should enter the world of enterprise network engineering. Get Security +, CCNA, and PCNSA. With those certs in hand (and knowledge in your brain), apply to jobs as a network support engineer. Do the work for a few years. Learn BIND. Learn Infoblox. Focus on learning DHCP and subnetting. Learn DNSSEC & IPv6. Experiment with a Pi Hole. Set up a home lab. Apply to jobs with DNS. Start living the good life. This takes about 10 years if you learn fast and are good at interviews.
I only just now saw this post, the last month i have already been going all out to learn everything that i need for my Security+ (then CySec+) i have a 30hr video course im part way thorugh, and ive set up a few VMs with various servers like OWASP Security Shepherd and Dam Vunurable Web App for some more hands on experience as well as testing on my personal production Nextcloud and Jellyfin servers and ive been having alot of fun with it all, i think im pretty solid with DHCP and subnetting already through my home networking adventures. I will look into each of those other Certs and each thing you mention to learn thank you! Ive been deep into various Linux systems since about 2008 and im hoping to leverage that as much as i can(although its left me with a lack of modern Windows experience).
Thank you so much for all the tips! I feel some good things coming as im getting into this as work.
When I was talking my cyber security / ethical hacking class, we learned how to do zone transfer. The concept never stuck and I basically “copy” from my friend. So what exactly is a DNS Zone Transfer?
Friday I was doing a zone transfer! What are the odds?
A zone transfer is like moving houses, except for an authoritative zone.
In DNS, we have what’s called an authoritative zone. That means the device hosting the “resource records” (all the data that DNS passes around) is the “ultimate” answer. I.e, it’s not cached data. It’s not a hosts file. It’s not a recursive answer. It’s the real deal.
When you want to move the authoritative zone to another server, you do a “zone transfer” that means the new server will copy all the resource records over TCP from current authoritative zone. The reason you may want to do this instead of manually hand-jamming it is that many large organizations have, sometimes, hundreds of resource records (last month I coordinated a zone transfer that was over 1000 records!).
Why would a hacker want to conduct a zone transfer? In otherwords, what is the utility or usefulness of a zone transfer for a hacker (black or white hat)?
If you initiate a zone transfer, you can now claim to be authoritative for a zone. That means you can be a ‘bad actor’ DNS server that serves fake records. In practice, this means that you can redirect people to an attack site.
Let’s say you’re Joe the Random Internet User and you want to go to lemmy.world This is what happens in a non-attack (we’re skipping caching & non-authoritative answers for brevity):
You type “lemmy.world” into your browser
Your computer initiates a stub resolution for lemmy.world. (the trailing dot here isn’t a period. It’s the “true” FQDN)
Computer looks at hosts file and doesn’t see anything
DNS packets are sent to your configured DNS server. If you don’t have one configured, DHCP already configured it for you
Your DNS server performs a recursive search for world by asking the root zone where the “world” Name Serer is
root zone resolves world as:
world. 3600 IN NS v0n0.nic.world.
world. 3600 IN NS v0n1.nic.world.
world. 3600 IN NS v0n2.nic.world.
world. 3600 IN NS v0n3.nic.world.
world. 3600 IN NS v2n0.nic.world.
world. 3600 IN NS v2n1.nic.world.
Your DNS server reaches out to one of those Name Server’s (That’s what the NS record is for) and asks it where “lemmy” is
world Name Server responds with:
lemmy.world. 300 IN A 172.67.218.212
lemmy.world. 300 IN A 104.21.53.208
Your DNS server contacts your computer and serves it those IP addresses. (A record’s are domain name to IP Address)
Now lets say there’s a DNS spoof attack:
Before the “world” server can get back to your DNS server, the hackers server interjects with it’s own authoritative claim that lemmy is here:
lemmy.world. 300 IN A [attack site IP]
Your DNS server contacts your computer and serves it that IP address. Your computer then contacts the attack site and you get a virus.
Hi, professional DNS engineer here! if anyone has any questions about the inner workings of DNS or top level domains, ask away! (THIS IS MY MOMENT)
Well that sounds like my dream job, unfortunately this issue in particular is more of a Lemmy problem, not a DNS problem. See: https://lemmy.nrd.li/comment/190200 for the explanation of why you cant just transfer domains with Lemmy.
Also, if you’re genuinely interested in this field, first you should enter the world of enterprise network engineering. Get Security +, CCNA, and PCNSA. With those certs in hand (and knowledge in your brain), apply to jobs as a network support engineer. Do the work for a few years. Learn BIND. Learn Infoblox. Focus on learning DHCP and subnetting. Learn DNSSEC & IPv6. Experiment with a Pi Hole. Set up a home lab. Apply to jobs with DNS. Start living the good life. This takes about 10 years if you learn fast and are good at interviews.
I only just now saw this post, the last month i have already been going all out to learn everything that i need for my Security+ (then CySec+) i have a 30hr video course im part way thorugh, and ive set up a few VMs with various servers like OWASP Security Shepherd and Dam Vunurable Web App for some more hands on experience as well as testing on my personal production Nextcloud and Jellyfin servers and ive been having alot of fun with it all, i think im pretty solid with DHCP and subnetting already through my home networking adventures. I will look into each of those other Certs and each thing you mention to learn thank you! Ive been deep into various Linux systems since about 2008 and im hoping to leverage that as much as i can(although its left me with a lack of modern Windows experience).
Thank you so much for all the tips! I feel some good things coming as im getting into this as work.
I left my job as a network engineer to do DDI and it’s been a blast. A lot more to DNS than I could have imagined.
Also, a cat explains DNS.
Ah, thanks for the info! I have no idea how Lemmy stuff works. I only became aware of Lemmy last month.
When I was talking my cyber security / ethical hacking class, we learned how to do zone transfer. The concept never stuck and I basically “copy” from my friend. So what exactly is a DNS Zone Transfer?
Friday I was doing a zone transfer! What are the odds?
A zone transfer is like moving houses, except for an authoritative zone.
In DNS, we have what’s called an authoritative zone. That means the device hosting the “resource records” (all the data that DNS passes around) is the “ultimate” answer. I.e, it’s not cached data. It’s not a hosts file. It’s not a recursive answer. It’s the real deal.
When you want to move the authoritative zone to another server, you do a “zone transfer” that means the new server will copy all the resource records over TCP from current authoritative zone. The reason you may want to do this instead of manually hand-jamming it is that many large organizations have, sometimes, hundreds of resource records (last month I coordinated a zone transfer that was over 1000 records!).
Why would a hacker want to conduct a zone transfer? In otherwords, what is the utility or usefulness of a zone transfer for a hacker (black or white hat)?
If you initiate a zone transfer, you can now claim to be authoritative for a zone. That means you can be a ‘bad actor’ DNS server that serves fake records. In practice, this means that you can redirect people to an attack site.
Let’s say you’re Joe the Random Internet User and you want to go to lemmy.world This is what happens in a non-attack (we’re skipping caching & non-authoritative answers for brevity):
world. 3600 IN NS v0n0.nic.world.
world. 3600 IN NS v0n1.nic.world.
world. 3600 IN NS v0n2.nic.world.
world. 3600 IN NS v0n3.nic.world.
world. 3600 IN NS v2n0.nic.world.
world. 3600 IN NS v2n1.nic.world.
lemmy.world. 300 IN A 172.67.218.212
lemmy.world. 300 IN A 104.21.53.208
Now lets say there’s a DNS spoof attack:
lemmy.world. 300 IN A [attack site IP]
Woot we’re saved.
Why is it always dns
Why is it always DNS?