Special topics in cybersecurity

Computer science / Cybersecurity

Topic 02
DNS, HTTP
What happens when you type a URL and press
enter?

2
Domain Name System (DNS)

• The Domain Name System is a hierarchical and distributed name

service that provides a naming system for computers, services,
and other resources on the Internet or other Internet Protocol
networks. It associates various information with domain names
assigned to each of the associated entities

3
DNS

demo.com

171.40.230.105

4
How does the "DNS server" work?

Root Nameserver

demo.com

demo.com? “.com”
Nameserver
See “demo.com” NS
171.40.230.105

“demo.com”
Nameserver

5
What happens when you type a URL and press
enter?
1. Client asks DNS Recursive Resolver to lookup a hostname (demo.com).
2. DNS Recursive Resolver sends DNS query to Root Nameserver
• Root Nameserver responds with IP address of TLD Nameserver (".com" Nameserver)
3. DNS Recursive Resolver sends DNS query to TLD Nameserver
• TLD Nameserver responds with IP address of Domain Nameserver (“demo.com"
Nameserver)
4. DNS Recursive Resolver sends DNS query to Domain Nameserver
• Domain Nameserver is authoritative, so replies with server IP address.
5. DNS Recursive Resolver finally responds to Client, sending server IP
address (171.40.230.105)

6
DNS + HTTP

DNS
Recursive
Resolver

HTTP Request
Client Server
171.40.230.105
HTTP Response

7
Attacks on DNS ?
………………………………………………………

8
DNS hijacking

• Attacker changes target DNS record to point to attacker IP address

• Causes all site visitors to be directed to attacker's web server

• Motivation
• Phishing
• Revenue through ads, cryptocurrency mining, etc.

• How do they do it?

9
DNS hijacking

Hijacked
DNS
Resolver
Malicious
Server
8.8.8.8

Client
Server
171.40.230.105

10
DNS hijacking vectors

• Hijacked recursive DNS resolver (shown previously)

• Hijacked DNS nameserver
• Compromised user account at DNS provider
• Malware changes user's local DNS settings
• Hijacked router

11
12
DNS privacy

• Queries are in plaintext

• ISPs have been known to sell this data
• Pro tip: Consider switching your DNS settings to 1.1.1.1 or
another provider with a good privacy policy

13
14
 HTTP
What
happens
when you

…
type a URL
and press
enter?

15
HTTP

Request

Client Server
Response

16
Demo: Make an HTTP request

curl https://twitter.com
curl https://twitter.com > twitter.html
open twitter.html

17
HTTP request

GET / H T T P / 1 . 1
Host: twitter.com
User-Agent: Mozilla/5.0 . . .

18
HTTP response

HTTP/1.1 200 OK

Content-Length: 9001

Content-Type: text/html; charset=UTF-8

Date: Tue, 24 Sep 2019 20:30:00 GMT

<!DOCTYPE html ...

19
HTTP

• Client-server model - Client asks server for resource, server

replies
• Simple - Human-readable text protocol
• Extensible - Just add HTTP headers
• Transport protocol agnostic - Only requirement is reliability
• Stateless - Two requests have no relation to each other

20
HTTP is stateless?

• Obviously, we interact with "stateful" servers all the time

• "Stateless" means the HTTP protocol itself does not store state
• If state is desired, is implemented as a layer on top of HTTP

21
HTTP Status Codes

• 1xx - Informational ("Hold on")

• 2xx - Success ("Here you go")
• 3xx - Redirection ("Go away")
• 4xx - Client error ("You messed up")
• 5xx - Server error ("I messed up")

22
HTTP Success Codes

• 200 OK - Request succeeded

• 206 Partial Content - Request for specific byte range succeeded

23
Range Request

GET /video.mp4
HTTP/1.1 Range:
bytes=1000-1499

Response
HTTP/1.1 206 Partial Content
Content-Range: bytes 1000-1499/1000000

24
HTTP Redirection Codes

• 301 Moved Permanently - Resource has a new permanent URL

• 302 Found - Resource temporarily resides at a different URL
• 304 Not Modified - Resource has not been modified since last
cached

25
HTTP Client Error Codes

• 400 Bad Request - Malformed request

• 401 Unauthorized - Resource is protected, need to authorize
• 403 Forbidden - Resource is protected, denying access
• 404 Not Found - Ya'll know this one

26
HTTP Server Error Codes

• 500 Internal Server Error - Generic server error

• 502 Bad Gateway - Server is a proxy; backend server is
unreachable
• 503 Service Unavailable - Server is overloaded or down for
maintenance
• 504 Gateway Timeout - Server is a proxy; backend server
responded too slowly

27
HTTP with a proxy server

Request Request
Client Proxy Server
Response Response

28
HTTP proxy servers

• Can cache content

• Can block content (e.g. malware, adult content)
• Can modify content
• Can sit in front of many servers ("reverse proxy")

29
HTTP request (…)

GET / H T T P / 1 . 1
Host: example.com
User-Agent: Mozilla/5.0 . . .

30
HTTP headers

• Let the client and the server pass additional information with an
HTTP request or response
• Essentially a map of key-value pairs
• Allow experimental extensions to HTTP without requiring protocol
changes

31
Useful HTTP request headers

• Host - The domain name of the server (e.g. example.com)

• User-Agent - The name of your browser and operating system
• Referrer - The webpage which led you to this page (misspelled)
• Cookie - The cookie server gave you earlier; keeps you logged in
• Range - Specifies a subset of bytes to fetch

32
Useful HTTP request headers (…)

• Cache-Control - Specifies if you want a cached response or not

• If-Modified-Since - Only send resource if it changed recently
• Connection - Control TCP socket (e.g. keep-alive or close)
• Accept - Which type of content we want (e.g. text/html)
• Accept-Encoding - Encoding algorithms we understand (e.g.
compress (algorithm/s))
• Accept-Language - What language we want (e.g. es)

33
Make an HTTP request with headers

curl https://twitter.com --header "Accept-Language: es" --silent | grep JavaScript

curl https://twitter.com --header "Accept-Language: ar" --silent | grep JavaScript

34
Useful HTTP response headers (…)

• Date - When response was sent

• Last-Modified - When content was last modified
• Cache-Control - Specifies whether to cache response or not
• Expires - Discard response from cache after this date
• Set-Cookie - Set a cookie on the client
• Vary - List of headers which affect response; used by cache

35
Useful HTTP response headers (…)

• Location - URL to redirect the client to (used with 3xx responses)

• Connection - Control TCP socket (e.g. keep-alive or close)
• Content-Type - Type of content in response (e.g. text/html)
• Content-Encoding - Encoding of the response (e.g. gzip)
• Content-Language - Language of the response (e.g. ar)
• Content-Length - Length of the response in bytes

36
37
Demo: Implement an HTTP client

• Not magic!
• Steps:
• Open a TCP socket
• Send HTTP request text over the socket
• Read the HTTP response text from the socket

38
Demo: Implement an HTTP client
import socket

sock = socket.create_connection(('example.com', 80))

request = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

sock.sendall(request)

while True:
data = sock.recv(4096)
if not data:
break
print(data.decode(), end='')

sock.close()

39
What happens when you type a URL and press
enter?
1. Perform a DNS lookup on the hostname (example.com) to get an IP address
(1.2.3.4)
2. Open a TCP socket to 1.2.3.4 on port 80 (the HTTP port)
3. Send an HTTP request that includes the desired path (/)
4. Read the HTTP response from the socket
5. Parse the HTML into the DOM
6. Render the page based on the DOM
7. Repeat until all external resources are loaded:
• If there are pending external resources, make HTTP requests for these (run steps 1-4)
• Render the resources into the page

40
 example.com DNS Recursive NS
NS
Resolver NS
171.200.216.205

GET /
200 OK, <!doctype html …

Client GET /style.css

GET /logo.png
Server

200 OK, body { color: blue; }

200 OK, <binary image data>

171.200.216.205

41
Self-study

• Reading
• An overview of HTTP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Overview
• A typical HTTP session
https://developer.mozilla.org/en-US/docs/Web/HTTP/Session
• HTTP headers
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

42