Published by Lesley Cunningham
DNSSEC Training
In collaboration with HKCERT and HKIRC, 19-21 July 2016
29 June 2016 (v2.0)
Agenda, Day 2
Lab: Configuring Reverse DNS
Troubleshooting
DNS Security Overview
DNS Transaction Signature (TSIG)
Lab: TSIG configurations
Overview: Troubleshooting and ACL
Modules: DNS Overview; BIND DNS Configuration; Recursive and Forward DNS; Reverse DNS; Troubleshooting and ACL; DNS Security Overview; DNS Transactions; DNS Security Extensions (DNSSec); DNSSec Key Management and Automation
Why Troubleshoot? What Can Go Wrong?
Misconfigured zone
Misconfigured server
Misconfigured host
Misconfigured network
Tools
BIND logging facility
named's built-in options
ping and traceroute
tcpdump and wireshark
dig and nslookup
The Best Way To Handle Mistakes
Assume you will make them
Prepare the name server via logging
BIND Logging
Telling named which messages to send: category specification
Telling named where to send messages: channel specification
BIND Channels
BIND can use syslog
BIND can direct output to other files:

  channel my_dns_log {
      file "seclog" versions 3 size 10m;
      print-time yes;
      print-category yes;
      print-severity yes;
      severity debug 3;
  };
BIND Categories
BIND has many categories; short descriptions of each can be found in the Administrator's Reference Manual (ARM).

  category queries { my_dns_log; };
So You've Set Up a Server: What Tests Should Be Done?
Test if the server is up
  Is the (right) server running?
  Is the machine set up correctly?
Test if data is being served
  Has the zone loaded?
  Have zone transfers happened?
Checking the Configuration
To see named start, use the -g flag
  Keeps the named process in the foreground
  Prints some diagnostics
  But does not execute logging
When satisfied (i.e. no errors), kill the process and start without the -g flag to run in the background
Other option: % named-checkconf (checks syntax only)
Is the Server Running?
Make sure the server is running: query version.bind chaos txt
This makes the name server do the simplest lookup it can: its version string
This also confirms which version you started
Common upgrade error: running the old version
Is the Server Data Correct?
Check the serial number to make sure the zone has loaded: query <zone> soa
Also test changed data, in case you forgot to update the serial number
On the secondary server, this check shows whether the zone transferred
Is the Server Reachable?
If the dig tests fail, it's time to test the environment (machine, network)
  ping <server machine ip address>
This tests basic network flow; common errors:
  Network interface not UP
  Routing to the machine not correct
Pinging locally is useful: it confirms that the IP address is correctly configured
Is the Server Listening?
If the server does not respond but the machine responds to ping:
  Look at the system log files
  telnet server 53
  Firewall running?
The server will run even if it can't open the network port; the logs will show this
telnet opens a TCP connection, which tests whether the port was opened at all
Using the Tools
named itself
dig or nslookup
Host diagnostics
Packet sniffers
Built in to named
named -g to retain the command line
  named -g -c <conf file>
named -d <level> sets the debug output volume
  <level>s aren't strictly defined
  -d 3 is popular; -d 99 gives a lot of detail
dig
Domain Internet Groper: the best tool for testing
Shows query and response syntax
Included in the software
Flags
Flag  Meaning
AA    Authoritative Answer
RD    Recursion Desired
RA    Recursion Available
AD    Authenticated Data (DNSSEC only)
CD    Checking Disabled (DNSSEC only)

Status (Response Code)
0  NOERR     No error
1  FORMERR   Format error
2  SERVFAIL  Nameserver unreachable
3  NXDOMAIN  Domain name not existing
4  NOTIMPL   Not implemented
5  REFUSED   Request refused
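As an added example (not from the slides), the following Python decodes the fixed 12-byte DNS header and renders the same flag and status summary that dig prints; the four response headers are constructed, not captured traffic.

```python
import struct

# Bit positions of the header flags within the 16-bit flags word (RFC 1035, RFC 4035).
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header: query id, opcode, flags, rcode and section counts."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "opcode": (flags >> 11) & 0xF,
        "flags": [name for name, bit in FLAG_BITS.items() if flags & (1 << bit)],
        "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "counts": {"qd": qd, "an": an, "ns": ns, "ar": ar},
    }

def dig_status_line(msg: bytes) -> str:
    """Render the header like dig's ';; flags: ...; status: ...' summary."""
    h = parse_header(msg)
    return ";; flags: %s; status: %s, id: %d" % (
        " ".join(f.lower() for f in h["flags"]), h["rcode"], h["id"])

def is_validated_answer(msg: bytes) -> bool:
    """True when a response carries AD (DNSSEC-validated by the resolver) without an error."""
    h = parse_header(msg)
    return "QR" in h["flags"] and "AD" in h["flags"] and h["rcode"] == "NOERROR"

def make_header(qid: int, flag_names, rcode: int = 0, counts=(1, 0, 0, 0)) -> bytes:
    """Build a header for testing; the inverse of parse_header."""
    flags = rcode & 0xF
    for name in flag_names:
        flags |= 1 << FLAG_BITS[name]
    return struct.pack("!HHHHHH", qid, flags, *counts)

# Constructed sample headers (no real traffic):
AUTH_ANSWER = make_header(0xBEEF, ["QR", "AA", "RD", "RA"], rcode=0, counts=(1, 1, 0, 0))
VALIDATED = make_header(0x1234, ["QR", "RD", "RA", "AD"], rcode=0, counts=(1, 2, 0, 1))
NXDOMAIN = make_header(0x4242, ["QR", "AA", "RD", "RA"], rcode=3, counts=(1, 0, 1, 0))
REFUSED = make_header(0x0001, ["QR", "RD"], rcode=5)  # what an ACL-restricted server returns

if __name__ == "__main__":
    for sample in (AUTH_ANSWER, VALIDATED, NXDOMAIN, REFUSED):
        print(dig_status_line(sample))
```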
Non-BIND Tools
Tools to make sure the environment is right:
  Tools to look at the server machine
  Tools to test the network
  Tools to see what messages are on the network
ifconfig
Interface configuration: ifconfig -a
An operating system utility that shows the status of interfaces
Warning: during boot up, ifconfig may configure interfaces after named has started; named can't open delayed addresses
ping
Checks routing, machine health
Most useful if run from another host
  Could be the reason for "no servers are reached"
Can be useful on the local machine, to see if the interface is properly configured
traceroute
If ping fails, traceroute can help pinpoint where the trouble lies
The problem may be routing; if so, it's not named that needs fixing! But it is important to know
tcpdump and wireshark
Once confident in the environment, problems with the DNS setup may remain
To see what is happening in the protocol, use traffic sniffers
These tools can help debug "forwarding" of queries
Address Match List
Elements:
  Individual IP addresses
  Addresses or netmask pairs
  Names of other ACLs
  Key names
Used for:
  Restricting queries and zone transfers
  Authorizing dynamic updates
  Selecting interfaces to listen on
  Sorting responses
Notes on Address Match Lists
Elements must be separated by ";"
The list must be terminated with a ";"
Elements of the address match list are checked sequentially
To negate elements of the address match list, prepend them with "!"
Use the acl statement to name an address match list
An ACL must be defined before it can be used elsewhere
Example: Address Match Lists
For a network:                { /24; }
For a network plus loopback:  { /24; ; ::1; }
Addresses plus key name:      { /24; ; example.com; }
ACL Statement
Syntax: acl <acl name> { <address match list> };
Example:
  acl internal { ; /24; };
  acl dynamic-update { key dhcp.apnic.net; };
Notes on ACL Statement
The ACL name need not be quoted
There are four predefined ACLs:
  any (any IP address)
  none (no IP address)
  localhost (loopback)
  localnets (all networks directly connected to the server)
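An added example (not BIND's code) of the first-match evaluation described on these slides, showing how element order, "!" negation, key names and nested ACL names interact; the acl names and address ranges are constructed, and LOCALNETS stands in for the interfaces BIND would discover itself.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed acl statements in named.conf order (the "key dhcp.apnic.net" form is the
# slide's dynamic-update ACL; the addresses are documentation ranges).
ACLS: Dict[str, List[str]] = {
    "internal": ["10.0.0.0/8", "192.0.2.0/24"],
    "dynamic-update": ["key dhcp.apnic.net"],
    "xfer": ["!192.0.2.13", "internal"],  # one host blocked, then the internal ranges
}
LOCALNETS = ["192.0.2.0/24"]  # assumed: the networks directly attached to the server

def match_list(elements: List[str], acls: Dict[str, List[str]], client_ip: str,
               key_name: Optional[str] = None, depth: int = 0) -> Optional[bool]:
    """Evaluate an address match list as BIND does: elements are tried in order and
    the first one that matches decides. A matching "!" element yields a negative
    match (False); if nothing matches the result is None (no match at all)."""
    if depth > 8:
        raise ValueError("ACL nesting too deep (probably circular)")
    client = ipaddress.ip_address(client_ip)
    for elem in elements:
        negate = elem.startswith("!")
        body = elem.lstrip("!").strip()
        if _element_matches(body, acls, client, key_name, depth):
            return not negate
    return None

def _element_matches(body, acls, client, key_name, depth) -> bool:
    if body == "any":
        return True
    if body == "none":
        return False
    if body == "localhost":
        return client.is_loopback
    if body == "localnets":
        return any(client in ipaddress.ip_network(n) for n in LOCALNETS)
    if body.startswith("key "):
        return key_name is not None and key_name.rstrip(".") == body[4:].strip().rstrip(".")
    if body in acls:
        # A nested ACL counts as matching only on a positive match; a negated element
        # inside it just makes this element fail, and the outer search continues.
        return match_list(acls[body], acls, str(client), key_name, depth + 1) is True
    return client in ipaddress.ip_network(body, strict=False)  # address or address/prefix

def allowed(elements, acls, client_ip, key_name=None) -> bool:
    """allow-query / allow-transfer semantics: only a positive match grants access."""
    return match_list(elements, acls, client_ip, key_name) is True
```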
Blackhole
  options {
      blackhole { ACL-name or itemized list; };
  };
Allow-transfer
  zone "myzone.example." {
      type master;
      file "myzone.example.";
      allow-transfer { ACL-name or itemized list; };
  };
Allow-query
  zone "myzone.example." {
      type master;
      file "myzone.example.";
      allow-query { ACL-name or itemized list; };
  };
Listen-on
  options {
      listen-on port # { ACL-name or itemized list; };
  };
Masters
  masters name { masters_list | ip_addr };
Example:
  masters nsX { ; 2001:db8::1; };
  zone "example.com" {
      type slave;
      masters { nsX; };
      file "/link/to/db.example.com";
  };
Summary
ACLs and configuration options can be used to create simple split DNS
It is cumbersome and difficult to maintain
Good operational practice suggests that ACLs and configuration options be reviewed regularly to ensure that they accurately reflect the desired behavior
Views
A powerful new feature of BIND 9 that lets a name server answer a DNS query differently depending on who is asking
Useful for implementing a split DNS setup without having to run multiple servers
Views
  view view_name [class] {
      match-clients { address_match_list };
      match-destinations { address_match_list };
      match-recursive-only yes_or_no;
      [ view_option; ... ]
      [ zone_statement; ... ]
  };
Example Config
  view "internal" {
      // This should match our internal networks
      match-clients { /8; };
      // Provide recursive service to internal clients only
      recursion yes;
      // Provide a complete view of the example.com zone
      // including addresses of internal hosts
      zone "example.com" {
          type master;
          file "example-internal.db";
      };
  };

Example Config (2)
  view "external" {
      // Match all clients not matched by the previous view
      match-clients { any; };
      // Refuse recursive service to external clients
      recursion no;
      // Provide a restricted view of the example.com zone
      // containing only publicly accessible hosts
      zone "example.com" {
          type master;
          file "example-external.db";
      };
  };
Overview: DNS Security Overview
Crypto Review
Most security applications use crypto algorithms:
  Symmetric key
  Public key crypto
  One-way hash functions
Symmetric Key Crypto
Uses a single key to encrypt and decrypt data
Also known as a secret-key or private-key algorithm
The key must be kept secret to maintain security
Key lengths range from 40 to 256 bits
Examples of symmetric key algorithms: DES, 3DES, AES, IDEA, RC5, RC6, Blowfish
Symmetric Encryption (diagram)
Plaintext -> encryption algorithm -> Ciphertext -> decryption algorithm -> Plaintext; the encryption key and the decryption key are the same shared secret key
Asymmetric Key Crypto
Uses a public-private keypair
Also called public key crypto
Use one key to sign data, then the other key to verify
Examples: RSA, DSA, El Gamal, Diffie-Hellman, PKCS
Asymmetric Encryption (diagram)
Plaintext -> encryption algorithm (public key) -> Ciphertext -> decryption algorithm (private key) -> Plaintext; the encryption and decryption keys are different
Hash Functions
Produces a condensed representation of a message
Takes an input message of arbitrary length and outputs a fixed-length code
The fixed-length output is called the hash or message digest
A form of signature that uniquely represents the data
Uses:
  Verifying file integrity: if the hash changes, the data has been compromised or altered in transit
  Digitally signing documents
  Hashing passwords
Hash Functions
Message Digest (MD) algorithms
  Output a 128-bit fingerprint of an arbitrary-length input
  MD4 is obsolete; MD5 is widely used
Secure Hash Algorithm (SHA)
  SHA-1 produces a 160-bit message digest, similar to MD5
  Widely used in security applications (TLS, SSL, PGP, SSH, S/MIME, IPsec)
  SHA-256, SHA-384 and SHA-512 produce hash values of 256, 384 and 512 bits respectively
Digital Signature
A message appended to a packet
Used to prove the identity of the sender and the integrity of the packet
How it works:
  The sender signs the message with their own private key
  The receiver uses the sender's public key to verify the signature
Message Authentication Code
Provides integrity and authenticity
How it works:
  On the sender side, the message is passed through a MAC algorithm to get a MAC (or tag)
  On the receiver side, the message is passed through the same algorithm
  The output is compared with the received tag and should match
Both sides use the same secret key
A hash function can also be used to generate the MAC; this is called a Hash-based Message Authentication Code (HMAC)
DNS Security - Background
The original DNS protocol wasn't designed with security in mind
As the Internet grows, it has become less trustworthy
Some security problems:
  Using reverse DNS to impersonate hosts
  Software bugs (buffer overflows, bad pointer handling)
  Cache poisoning (putting inappropriate data into the cache)
DNS Protocol Vulnerability
DNS data can be corrupted as it transfers between primary server, resolver or forwarder
There is no way to check the validity of DNS data
  Resolver implementations can be exploited (predictable transaction ID, buffer overflow, pointer handling)
  Caching forwarders can be polluted
  Corrupted DNS data might end up in caches and stay there for a long time
DNS transactions can be compromised
  Primary server sending data to the wrong secondary server
DNS: Data Flow (diagram)
Zone administrator -> zone file -> master; dynamic updates -> master; master -> slaves; master and slaves -> caching forwarder -> resolver (the flows are numbered 1 to 5 in the diagram)
DNS Vulnerabilities (diagram)
The same data flow annotated with where attacks apply: corrupting data (zone file), unauthorized updates (dynamic updates), impersonating master (master -> slaves), cache impersonation and cache pollution by data spoofing (caching forwarder -> resolver). Defences are grouped into server protection and data protection.
DNS Cache Poisoning (pretending to be the authoritative zone) (diagram)
(1) The client asks the DNS caching server for a name; (2) the caching server queries Root/GTLD and then ns.example.com with QID=64571; (3) the attacker sends forged replies with guessed QIDs (64569, 64570, 64571, ...) pointing the name at 2001:DB8::9, while the genuine answer from ns.example.com is the webserver 2001:DB8::1. The forged reply whose QID matches (64571) is accepted and cached.
DNS Amplification
A type of reflection attack combined with amplification
The source of the attack is reflected off another machine
The traffic received is bigger (amplified) than the traffic sent by the attacker
The UDP packet's source address is spoofed
DNS Amplification (diagram)
Attacker -> compromised machines (spoofed source IP of the victim) -> queries for www.example.com to a DNS recursive server -> Root/GTLD and ns.example.com (2001:DB8::1); the amplified responses are delivered to the victim machine
Open Resolvers
DNS servers that answer recursive queries from any host on the Internet pose a "significant threat" to the global network infrastructure
Often used in DNS-based DDoS attacks
There's a project that maps out open resolvers on the Internet: the Open Resolver Project
Some utilities are available to check if you are running an open resolver
Open Resolvers
As of 28 Aug 2014: servers responded to the udp/53 probe
As of 15 May 2016: servers responded to the udp/53 probe
Reference: Open Resolver Project
Open Resolvers Statistics (chart)
Source: DNS Measurement Factory
DNS Changer
"Criminals have learned that if they can control a user's DNS servers, they can control what sites the user connects to the Internet."
How:
  Infect computers with malicious software (malware)
  The malware changes the user's DNS settings to those of the attacker's DNS servers
  Points the DNS configuration to DNS resolvers in specific address blocks and uses them for their criminal enterprise
Source: DCWG
DNS Changer
IP addresses used by the malware (these blocks have now been cleaned and re-allocated)
An ad hoc group, the DNS Changer Working Group, was created in 2012 to help remediate these malicious DNS servers
Source: DCWG
DNS Hijacking
Also called DNS redirection
Can be achieved when:
  The user's DNS settings have been modified through malware
  A DNS server has been compromised to provide incorrect responses
DNS-based DDoS attacks are common and remarkably simple
Case: Attack at Spamhaus
Case: DNS Query Floods (May 2014)
Targeted a chat service provider under Akamai
Bandwidth used peaked at 119 Gbps
Resulted in 110 Mpps, one of the highest packet-per-second (pps) rates seen by Akamai in 2014
Source: Prolexic Q Global Attack Report
Case: DDoS attack on DNS provider NS1
Why is DNS Prone to DDoS Attacks?
DNS uses UDP
  UDP = best-effort, connectionless transmission
  Easy to spoof the source address
  Similar case with the NTP, SNMP, SSDP and Chargen protocols
Each query returns large responses
  EDNS0 allows DNS messages to carry bigger data
  DNSSEC returns large replies
It's usually open to all
  Open resolvers
Basic DNS Security Practices
Run the most recent version of the DNS software or apply the latest patch
Restrict queries
Prevent unauthorized zone transfers
Run BIND with the least privilege (use chroot)
Randomize source ports
Secure the box
Implement TSIG and DNSSEC
DNS DDoS Mitigation
Set up monitoring to know when you are being attacked
  Use previous statistics to know your baseline load
Avoid single points of failure
  DNS server, router, firewall, uplinks, etc.
  Authoritative nameservers must be geographically distributed
Provision your DNS infrastructure
  Find your DNS capacity (using tools like dnsperf)
  Be ready to deploy more as needed
Deploy anycast
  An attack is isolated to one group at a time
  Alternatively, use cloud-based DNS providers
Don't run an open resolver!
Response Rate Limiting (RRL)
Protects against DNS amplification attacks
Implemented in the CZ-NIC Knot (v1.2-RC3), NLnet Labs NSD (v3.2.15) and ISC BIND 9 (v9.9.4) releases

  rate-limit {
      responses-per-second 5;
      log-only yes;
  };

If using older versions, a patch is available; apply it with patch -p0 -l
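As an added example (not BIND's or Knot's implementation), a token-bucket model of the responses-per-second and log-only settings shown above, bucketed per client network block and per identical response so a spoofed flood aimed at one victim block is limited while other clients are unaffected; it omits RRL's "slip" of truncated replies, and the client addresses and queries are constructed.

```python
import ipaddress
from typing import Dict, List, Tuple

class ResponseRateLimiter:
    """Simplified model of BIND's rate-limit {} block (illustration, not BIND's code)."""

    def __init__(self, responses_per_second: int = 5, log_only: bool = False,
                 ipv4_prefix: int = 24, ipv6_prefix: int = 56) -> None:
        self.rps = responses_per_second
        self.log_only = log_only
        self.prefixes = {4: ipv4_prefix, 6: ipv6_prefix}
        # (client block, qname, qtype, rcode) -> (remaining credit, time of last update)
        self.buckets: Dict[Tuple[str, str, str, str], Tuple[float, float]] = {}
        self.events: List[str] = []  # what would reach the server's logging channel

    def _block(self, client_ip: str) -> str:
        """Spoofed sources inside one netblock share a bucket, like BIND's ipv4/ipv6 prefix."""
        addr = ipaddress.ip_address(client_ip)
        net = ipaddress.ip_network("%s/%d" % (addr, self.prefixes[addr.version]), strict=False)
        return str(net)

    def decide(self, client_ip: str, qname: str, qtype: str, rcode: str, now: float) -> str:
        """Return "send" or "drop" for one response about to leave the server."""
        key = (self._block(client_ip), qname.rstrip(".").lower(), qtype, rcode)
        tokens, last = self.buckets.get(key, (float(self.rps), now))
        # Refill at responses-per-second; never bank more than one second's worth.
        tokens = min(float(self.rps), tokens + max(0.0, now - last) * self.rps)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return "send"
        self.buckets[key] = (tokens, now)
        self.events.append("limit %s responses to %s for %s/%s" % (rcode, key[0], key[1], qtype))
        return "send" if self.log_only else "drop"  # log-only yes: report but still answer

    def dropped(self) -> int:
        return 0 if self.log_only else len(self.events)

if __name__ == "__main__":
    rrl = ResponseRateLimiter(responses_per_second=5)
    # Constructed reflection flood: eight spoofed sources in one /56 asking ANY for one name.
    for i in range(1, 9):
        print(i, rrl.decide("2001:db8::%x" % i, "www.example.com", "ANY", "NOERROR", 0.0))
    print(rrl.events)
```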
Sender Policy Framework (SPF)
Uses DNS for validation
Checks the sender IP address
Defined in RFC 4408 with updates in RFC 6652
Example record:
  apnic.net IN TXT "v=spf1 mx a:clove.apnic.net a:asmtp.apnic.net ip4: /24 ip4: /24 ip4: /32 ip4: /32 ip4: /32 include:_spf.google.com -all"
DANE: DNS-Based Authentication of Named Entities
RFC 6698 (proposed standard)
"secure method to associate the certificate that is obtained from the TLS server with a domain name using DNS"
Adds a TLSA resource record
DNS RPZ: Resource Policy Zone
Developed for ISC BIND; built in from version 9.8
Turns a recursive DNS server into a "DNS firewall"
"Reputation-based" zones: like creating a reputation server for recursive DNS servers
The function is similar to DNSBL for SMTP servers
Blocks DNS resolution to malicious hosts
Overview: DNS Transactions
Transactions - Protected Vulnerabilities (diagram)
The data-flow diagram again (zone administrator, zone file, master, slaves, caching forwarder, resolver, dynamic updates), marking the transactions that can be protected: DNS query/response, zone transfers (against impersonating the master) and dynamic updates (against unauthorized updates)
DNS Transactions
Remote Name Daemon Controller (RNDC)
  Protects remote CLI administration using a shared key
  Prevents unauthorized access to named
Transaction Signature (TSIG)
  Protects transactions using shared keys between both parties
SIG(0)
  Protects transactions using an asymmetric key (public and private keypair)
What is Transaction Signature?
A mechanism for protecting a message from primary to secondary (and vice versa)
Provides secure communication of queries and responses
Also protects zone transfers and dynamic updates
How? A keyed hash is applied so the recipient can verify the message source
Based on a shared secret: both sender and receiver are configured with it
TSIG Example (diagram)
The master and both slaves hold the same KEY: %sgs!f23fv. A slave sends Query: AXFR with its signature (Sig ...); the master verifies it, then returns Response: Zone SOA ... with its own signature, which the slave verifies.
TSIG Steps
Generate secret
Communicate secret
Configure servers
Test
TSIG - Names and Secrets
A name is given to the key; the name is what is transmitted in the message (so the receiver knows which key the sender used)
TSIG secret value: a value determined during key generation, usually seen in Base64 encoding
TSIG - Generating a Secret
dnssec-keygen: a simple tool to generate keys, used here to generate TSIG keys
  dnssec-keygen -a <algorithm> -b <bits> -n host <name of the key>
TSIG - Generating a Secret
Example:
  > dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ns1-ns2.pcx.net
This will generate the key Kns1-ns2.pcx.net
  > ls
  Kns1-ns2.pcx.net.key
  Kns1-ns2.pcx.net.private
TSIG - Generating a Secret
TSIG is used in the server configuration, not in the zone file
Could be confusing because it looks like an RR:
  ns1-ns2.pcx.net. IN KEY nEfRX9…bbPn7lyQtE=
TSIG - Configuring Servers
Configuring the key:
  key <name> { algorithm ...; secret ...; };
Making use of the key:
  server x { keys { <name>; }; };
where x is the IP address of the other server
Configuration Example - named.conf
Primary server:
  key ns1-ns2.pcx.net {
      algorithm hmac-md5;
      secret "APlaceToBe";
  };
  server  {
      keys { ns1-ns2.pcx.net; };
  };
  zone "my.zone.test." {
      type master;
      file "db.myzone";
      allow-transfer { key ns1-ns2.pcx.net; };
  };
Secondary server:
  key ns1-ns2.pcx.net {
      algorithm hmac-md5;
      secret "APlaceToBe";
  };
  server  {
      keys { ns1-ns2.pcx.net; };
  };
  zone "my.zone.test." {
      type slave;
      file "myzone.backup";
      masters { ; };
  };
You can save the key in a file and refer to it in named.conf using the include statement:
  include "/var/named/master/tsig-key-ns1-ns2";
TSIG Testing - dig
You can use dig to check the TSIG configuration:
  dig @<server> <zone> AXFR -k <TSIG keyfile>
Example:
  dig @localhost example.net AXFR \
      -k Kns1-ns2.pcx.net.key
A wrong key will give "Transfer failed" and will be logged on the server under the security category
TSIG Testing - Time
TSIG is time sensitive
Message protection expires in 5 minutes
Make sure time is synchronized
  For testing, set the time manually
  In operations, (secure) NTP is needed
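An added example (not BIND's TSIG code) that ties the MAC slide to the time check described here: the HMAC covers the message together with the key name, signing time and fudge, and the receiver rejects an unknown key, a bad MAC and a signature outside the 5-minute window, in that order. The key name reuses the slide's ns1-ns2.pcx.net; the secret, the sample AXFR query bytes and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Tuple

FUDGE = 300  # seconds of allowed clock skew: the "expires in 5 minutes" on the slide

# Constructed key material in the shape dnssec-keygen produces (name + base64 secret);
# not the slide's key. SAMPLE_AXFR is a hand-built AXFR request for example.net.
KEY_NAME = "ns1-ns2.pcx.net"
SECRET_B64 = base64.b64encode(b"constructed-32-byte-shared-secret!!").decode()
SAMPLE_AXFR = (b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x07example\x03net\x00\x00\xfc\x00\x01")

def _signed_data(message: bytes, key_name: str, time_signed: int, fudge: int) -> bytes:
    # The MAC covers the message plus the TSIG variables, so a captured message can
    # neither be replayed later nor re-labelled as coming from a different key.
    name = key_name.rstrip(".").lower().encode()
    return message + name + struct.pack("!Q", time_signed)[2:] + struct.pack("!H", fudge)

def sign(message: bytes, key_name: str, secret_b64: str, now: Optional[int] = None) -> Dict:
    """Produce the TSIG-style fields the sender appends to the message."""
    now = int(time.time()) if now is None else now
    mac = hmac.new(base64.b64decode(secret_b64),
                   _signed_data(message, key_name, now, FUDGE), hashlib.sha256).digest()
    return {"key_name": key_name, "time_signed": now, "fudge": FUDGE, "mac": mac}

def verify(message: bytes, sig: Dict, keyring: Dict[str, str],
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Receiver-side check in TSIG's order: key known, MAC correct, time fresh."""
    now = int(time.time()) if now is None else now
    secret_b64 = keyring.get(sig["key_name"].rstrip("."))
    if secret_b64 is None:
        return False, "BADKEY"    # unknown key name: nothing to verify with
    expected = hmac.new(base64.b64decode(secret_b64),
                        _signed_data(message, sig["key_name"], sig["time_signed"], sig["fudge"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig["mac"]):
        return False, "BADSIG"    # tampered message, wrong secret, or forged time/fudge
    if abs(now - sig["time_signed"]) > sig["fudge"]:
        return False, "BADTIME"   # clocks too far apart, or a replay outside the window
    return True, "NOERROR"

if __name__ == "__main__":
    keyring = {KEY_NAME: SECRET_B64}
    t0 = 1466000000  # constructed timestamp (June 2016)
    sig = sign(SAMPLE_AXFR, KEY_NAME, SECRET_B64, now=t0)
    print("within window:", verify(SAMPLE_AXFR, sig, keyring, now=t0 + 200))
    print("6 minutes late:", verify(SAMPLE_AXFR, sig, keyring, now=t0 + 400))
```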
TSIG Steps
Generate secret:   dnssec-keygen -a <algorithm> -b <bits> -n host <name of the key>
Communicate secret: scp <keyfile>
Configure servers:  key { algorithm ...; secret ...; };  server x { keys { ...; }; };
Test:              dig @<server> <zone> AXFR -k <keyfile>