Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction.

Published byMelvin Prestidge Modified over 10 years ago

Similar presentations

Presentation on theme: "© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction."— Presentation transcript:

1 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction to DNS and its vulnerabilities Olaf M. Kolkman olaf@nlnetlabs.nl Olaf M. Kolkman olaf@nlnetlabs.nl

2 2 DNS and DNSSEC in a Nutshell D N S a n d D N S S E C i n a N u t s h e l l source: http://upload.wikimedia.org/wikipedia/commons/b/b7/KoreanPineSeeds.jpg http://upload.wikimedia.org/wikipedia/commons/b/b7/KoreanPineSeeds.jpg

3 3 Device queries Recursive Nameserver D e v i c e q u e r i e s R e c u r s i v e N a m e s e r v e r Recursive Nameserver Recurses over Authoritative nameservers R e c u r s i v e N a m e s e r v e r R e c u r s e s o v e r A u t h o r i t a t i v e n a m e s e r v e r s Results are cached R e s u l t s a r e c a c h e d The DNS is highly distributive T h e D N S i s h i g h l y d i s t r i b u t i v e DNS is implemented through 100s of thousands of machines D N S i s i m p l e m e n t e d t h r o u g h 1 0 0 s o f t h o u s a n d s o f m a c h i n e s

4 4 Stub ResolverRecursive Nameservers Authoritative Nameservers www.nlnetlabs.nl A root.hints: location of the root servers referral: nl NS www.nlnetlabs.nl A referral: nlnetlabs.nl NS Answer: www.nlnetlabs.nl A 213.154.224.1www.nlnetlabs.nl ROOT NL NLnetLabs.N L www.nlnetlabs.nl A 213.154.224.1 www.nlnetlabs.nl A 213.154.224.1

5 5 Attack Surface On the Wire or through Compromise O n t h e W i r e o r t h r o u g h C o m p r o m i s e Whoa, that looks bad!!! Who Uses This System? W h o a, t h a t l o o k s b a d ! ! ! W h o U s e s T h i s S y s t e m ? Compromise of systems C o m p r o m i s e o f s y s t e m s Bugs and implementation mistakes B u g s a n d i m p l e m e n t a t i o n m i s t a k e s

6 http://www.nlnetlabs.nl/ ©2011 Stichting NLnet Labs Mail server Internet Recursive DNS enterprise

7 http://www.nlnetlabs.nl/ ©2011 Stichting NLnet Labs Mail server Internet Recursive DNS enterprise

8 8 Recursive Nameserver Query: STUB Resolver Authoritative Nameserver Atacker Query: Query: Response: Answer: Response: Cache hit Response:

9 9 Recursive Nameserver Query: STUB Resolver Authoritative Nameserver Atacker Query: Query: Response: Answer: Response: Cache hit Response: Response: Success depends on legacy and speed of network. And on various properties that the attacher needs to match Query ID Source Port 0X200X20

10 10 TTL saves you?!? I dont think so.... Dan Kaminskys image from zdnet.com Security Popstar

11 11 Recursive Nameserver Query: asdf23sadf.webcam.com STUB Resolver Authoritative Nameserver Atacker Query: www.webcam.com Response: www.webcam.com Answer: Response: webcam.com NS ns1.webcam.com webcam.com NS ns1.webcam.co ns1.webcam.com A 10.6.6.6 Query: asdf23sadf.webcam.com Response: asdf23sadf.webcam.com Query to 10.6.6.6 asdf23sadf.webcam.com Query to 10.6.6.6 www.webcam.com Try Delegation s Abuse a 25 year old protocol requirement

12 12 Do attacks happen in practice? Would you tell? Would you notice?

13 13 Why would one attack the DNS? Do attacks happen in practice? While one could be doing other things

14 14 How to Protect?

15 15 Follow the Organizing your life Paying your Tax Your weekly security update Short-selling your stock Mon y Why would one attack the DNS?

16 16 Mon y Dont all these transactions use SSL and Certificates?

17 17 The role of a CA 3rd party trust broker SubjectRequestsSubjectRequests RA performs checks RA tells CA to sign Browser trusts CA signed certificates EV Extended Validation EV

18 18 However all these little men are a wee bit expensive AUTOMATE THE LOT

19 19 DV Domain Validation DV Subject: Please sign certificate for Example.com Example.com RA sends a mail to well known address @example.com @example.com When mail returned CA will sign

20 20 DV Domain Validation DV All these checks are based on information fetched from the DNS Hold that thought for Jakobs presentation Hold that thought for Jakobs presentation

21 21 Secondary DNS primary DNS Registrars & Registrants Registry Secondary DNS Server vulnarability Man in the Middle spoofing & Man in the Middle DNS System Vulnerabilities Vulnerabilities Provisioning Vulnarabilities

22 22 What can one do to protect... (skipping DNSSEC) What can one do to protect... (skipping DNSSEC)

23 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Taking Unbound as example Other servers might make other choices, but any modern resolver takes similar approaches

24 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Security Choices in Unbound In general, a modern paranoid resolver DNSSEC support. RFC 2181 support completely Fine grained. Keeps track of where RRSets came from and won't upgrade them into answers. Does not allow RRSets to be overridden by lower level rrsets

25 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Filtering Scrubber: Only in-bailiwick data is accepted in the answer The answer section must contain only answer CNAME, DNAME checked that chain is correct CNAME cut off and only the first CNAME kept Lookup rest yourself do not trust other server DNAME synthesize CNAME by unbound do not trust other server. Also cut off like above. DNAME from cache only used if DNSSEC-secure.

26 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Filtering II No address records in authority, additional section unless relevant – i.e. mentioned in a NS record in the authority section. Irrelevant data is removed When the message only had preliminary parsing and has not yet been copied to the working region of memory

27 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Entropy Randomness protects against spoof Arc4random() (OpenBSD): crypto strong. May not be perfectly random, but predicting it is a cryptographical breakin. Real entropy from OS as seed Query id – all 16 bits used. Port randomisation – uses all 16bits there, goes out of its way to make sure every query gets a fresh port number

28 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Entropy II Destination address, and ipv4/ipv6. RTT band of 400msec (=everything). Its not the timewindow but the randomness Query aggregation – same queries are not sent out – unless by different threads Qname strict match checked in reply 0x20 option Harden-referral-path (my draft) option Can use multiple source interfaces! 4 outgoing IP address add +2 bits

29 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Other measures Not for the wire itself Heap function pointer protection (whitelisted) Chroot() by default User privileges are dropped (lots of code!) ACL for recursion No detection of attacks – assume always under attack version.bind hostname.bind can be blocked or configured what to return (version hiding) Disprefer recursion lame servers – they have a cache that can be poisoned

30 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Arms Race... Introducing DNSSEC

31 31 MetaphorMetaphor Metaphor

32 32 primary DNS Secondary DNS Registrars & Registrants Registry Secondary DNS End to End Security

33 33 All done using Public Key crypto DNSKEY: public key from the keypair RRSIG: Signatures made with a private key from the keypair NSEC and NSEC3 For pre-calculated Denial of Existence NSEC and NSEC3 For pre-calculated Denial of Existence DS For delegating Security DS

34 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License But more on that later Let us have a look at another cryptographic DNS protection mechanism

35 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Securing Host- Host Communication

36 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Secondary DNS primary DNS Registrars & Registrants Registry Secondary DNS Data flow through the DNS What should you protect... HOST Security TSIG TSIG (rarely)

37 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Transaction Signature: TSIG TSIG (RFC 2845) – Authorising dynamic updates and zone transfers – Authentication of caching forwarders – Independent from other features of DNSSEC One-way hash function – DNS question or answer and timestamp Traffic signed with shared secret key Used in configuration, NOT in zone file

38 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License SOA … SOA SIG: FOOB@R Master TSIG Example Slave KEY: $h@r3dS3cr3t AXFR Sig: B1@F00 SOA … SOA SIG: FOOB@R verification Query: AXFR Response: Zone AXFR Sig: B1@F00 AXFR Sig: B1@F00

39 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License TSIG for Zone Transfers 1. Generate secret 2. Communicate secret 3. Configure servers 4. Test

40 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Importance of the Time Stamp TSIG/SIG(0) signs a complete DNS request / response with time stamp – To prevent replay attacks – Currently hardcoded at five minutes Operational problems when comparing times – Make sure your local time zone is properly defined – date -u will give UTC time, easy to compare between the two systems – Use NTP synchronisation!

41 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Authenticating Servers Using SIG(0) Alternatively, it is possible to use SIG(0) – Not yet widely used – Works well in dynamic update environment Public key algorithm – Authentication against a public key published in the DNS SIG(0) specified in RFC 2931

42 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Cool Application Use TSIG-ed dynamic updates to configure configure your laptops name My laptop is know by the name of aagje.secret-wg.org – http://ops.ietf.org/dns/dynupd/secure-ddns- howto.html – Mac OS users: there is a bonjour based tool. www.dns-sd.org

43 © 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License

Download ppt "© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction."

Similar presentations

Security Issues In Mobile IP

Security Issues In Mobile IP
INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.

INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction.
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.

RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Similar presentations

Ads by Google