DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA (draft-ietf-dns-recursive-discovery). Ray Bellis, IETF76 DNSOP WG, Hiroshima, 11th November 2009.

The Fundamental Problem…
[Diagram: the home gateway learns its DNS settings from the ISP via DHCP or PPP/IPCP. On the LAN it answers the client's DHCP DISCOVER with a DHCP OFFER whose DNS Servers option (6) hands out the gateway's own DNS proxy. Result: FAIL.]
Please try again – the gateway's DNS proxy doesn't work properly (see RFC 5625).

The Chicken and Egg Problem…
[Diagram: the same exchange. The DHCP OFFER's DNS Servers option (6) still cannot carry the ISP's real DNS servers, because the LAN side came up before the WAN side had learnt them. Result: FAIL.]
Still not right – you don't know the real DNS servers because the LAN came up before the WAN. Didn't you fix that proxy yet?

The Configuration Problem…
[Diagram: the end user has configured DNS settings on the gateway by hand, but the DHCP OFFER's DNS Servers option (6) does not carry them. Result: FAIL.]
Uh-oh – someone forgot to implement TR-124 requirement LAN.DNS.2: end-user supplied DNS settings SHOULD be in the DHCP OFFER. BTW – your proxy still doesn't work properly!

The Proposed Solution…
Let the DHCP stuff happen.
Use the DNS proxy initially … to ask the recursive DNS server for a list of real DNS servers.
Then use those instead!
[Diagram: client → gateway DNS proxy → ISP recursive server. Query: "domain.local.arpa. IN A?". The recursive server answers "domain.local.arpa. IN A" with its own addresses, and the client sends all later queries straight to those addresses, bypassing the proxy.]

A little more detail
Why we're proposing this:
– Because DNS proxies don't work!
– to get DNSSEC through
– to get TCP queries through
The draft reserves local.arpa.
– for use within a network's administrative boundaries
– and domain.local.arpa for this application
Version -02 will have NXDOMAIN redirect detection
– probably via nxdomain.local.arpa.
– if nxdomain.local.arpa resolves to the same addresses as domain.local.arpa, ignore the results: your ISP is trapping NXDOMAIN
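The bootstrap exchange from the Proposed Solution slide, together with the NXDOMAIN-trap check planned for -02, as an added example; this is not code from the draft or from the slides. It assumes a `send(query_bytes) -> response_bytes` transport standing in for the DHCP-supplied proxy, a constructed ISP recursive server (`make_resolver`, documentation-range addresses) so it runs offline, and implements exactly the slide's test: if nxdomain.local.arpa comes back with the same addresses as domain.local.arpa, the discovered "resolvers" are discarded. The wire-format helpers handle A queries only and ignore EDNS, which is also what keeps the bootstrap query proxy-friendly.

```python
import random
import struct

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
DISCOVERY_NAME = "domain.local.arpa."    # reserved by the draft for this purpose
NXDOMAIN_PROBE = "nxdomain.local.arpa."  # must not exist; used to spot NXDOMAIN rewriting

def encode_name(name):
    """Dotted name -> uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            if end is None:
                end = off + 2              # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(qname, qid, qtype=QTYPE_A):
    """One-question standard query, RD set, no EDNS (proxy-friendly)."""
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN))

def parse_message(msg):
    """Parse header, question and answer sections (authority/additional ignored)."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}

def resolve_a(send, qname):
    """A query via `send` (the proxy); returns (rcode, sorted IPv4 strings).
    ID and question are checked so a stray reply is not taken as the answer."""
    qid = random.randrange(0x10000)
    reply = parse_message(send(build_query(qname, qid)))
    if reply["id"] != qid or not reply["qr"]:
        raise ValueError("reply does not match our query")
    if reply["questions"] != [(qname, QTYPE_A, QCLASS_IN)]:
        raise ValueError("question section was altered")
    addrs = [".".join(str(b) for b in rdata)
             for name, rtype, rclass, _, rdata in reply["answers"]
             if name.lower() == qname.lower() and rtype == QTYPE_A
             and rclass == QCLASS_IN and len(rdata) == 4]
    return reply["rcode"], sorted(addrs)

def discover_resolvers(send):
    """The draft's bootstrap: addresses of the real recursive server, or []
    when the client should keep using the proxy."""
    rcode, real = resolve_a(send, DISCOVERY_NAME)
    if rcode != RCODE_NOERROR or not real:
        return []                      # upstream does not implement the draft
    # -02 check: a name that must not exist.  If it "resolves" to the same
    # addresses, the ISP rewrites NXDOMAIN and the first answer was the trap.
    _, probe = resolve_a(send, NXDOMAIN_PROBE)
    return [] if set(probe) == set(real) else real

def make_resolver(zone, trap=None):
    """Constructed stand-in for the ISP recursive server behind the proxy.
    `zone` maps names to A-record lists; other names get NXDOMAIN, unless
    `trap` is set, in which case they get the trap addresses instead."""
    def send(query):
        q = parse_message(query)
        qname, _, _ = q["questions"][0]
        addrs = zone.get(qname.lower())
        if addrs is None and trap is not None:
            addrs = trap
        rcode = RCODE_NOERROR if addrs is not None else RCODE_NXDOMAIN
        rrs = b"".join(b"\xc0\x0c"     # pointer to the question name
                       + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
                       + bytes(int(x) for x in a.split("."))
                       for a in (addrs or []))
        header = struct.pack("!HHHHHH", q["id"], 0x8180 | rcode, 1, len(addrs or []), 0, 0)
        return header + query[12:] + rrs
    return send

if __name__ == "__main__":
    honest = make_resolver({"domain.local.arpa.": ["203.0.113.53", "203.0.113.54"]})
    print("real resolvers:", discover_resolvers(honest))
    trapping = make_resolver({}, trap=["198.51.100.80"])
    print("NXDOMAIN-trapping ISP:", discover_resolvers(trapping))
```

The honest resolver yields its two addresses and the client switches to them; the trapping resolver answers both names with the redirect page's address, so the equality test fires and the client stays on the proxy. A resolver that simply returns NXDOMAIN for domain.local.arpa is treated the same way, since an empty answer is not a usable server list.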

Things we've thrown out already
Anycast
– If you're going to use an anycast address to discover DNS, you might as well use that address for all DNS!
.local
– Too much baggage

Things we're still figuring out!
Does the bootstrap query need additional protection, and if so, how?
– DNSSEC is no good: proxies break it!
– A random nonce prefix?
– Something else?
Interaction with DNSSEC-signed .arpa
– If IANA has an NSEC[3] record that says local.arpa doesn't exist, then a validator will treat the locally-supplied copy as bogus

Any Questions?