discovery method for a dnssec validating stub resolver
play

Discovery method for a DNSSEC validating stub resolver Xavier - PowerPoint PPT Presentation

Nov 10, 2023 •235 likes •446 views

Discovery method for a DNSSEC validating stub resolver Xavier Torrent Gorj on Supervisor: Willem Toorop System and Network Engineering Universiteit van Amsterdam Research Project 2 Xavier Torrent Gorj on Supervisor: Willem Toorop

  1. Discovery method for a DNSSEC validating stub resolver Xavier Torrent Gorj´ on Supervisor: Willem Toorop System and Network Engineering Universiteit van Amsterdam Research Project 2 Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 1 / 20

  2. Outline Introduction 1 Problem Statement Research Question Related Work Project Development 2 Approach Measurements Closing 3 Conclusions Future Work Questions Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 2 / 20

  3. Motivation Insert motivational quote here. Engineering Motto #1 : Live the present If it works, do not change it. Engineering Motto #2 : Life is unfair When things work you never get a ”thank you” . When things do not work, you better run for your life. . . Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 3 / 20

  4. Motivation The DNSSEC chain of trust blame. 1 NASA.GOV ”blocked” by Comcast when implementing DNSSEC 1 (2012). 2 .GOV zones not resolving due errors in the DNSSEC configuration 2 (2014). 3 HBO NOW blocked due invalid signature at their servers 3 (2015). Change creates problems. . . . . . and users tend to blame the Internet Service Providers, which makes them reluctant of adopting ”new” standards. Which makes legacy prevail. And we were told that was bad? 1 http://bit.ly/1GOrHxR 2 http://bit.ly/1gbP7aP 3 http://bit.ly/1GoasVi Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 4 / 20

  5. Motivation Buying cheap is expensive. . . Figure: DNSSEC may be ”blocked” by DNS forwarders, or the home router. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 5 / 20

  6. Research Question How can a stub resolver use a discovery method to process data from a recursive resolver? Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 6 / 20

  7. Related Work OS3 likes DNS. DNSsec Revisited RP 2014, Anastasios Poulidis, Hoda Rohani Measuring the deployment of DNSSEC over the Internet RP 2014, Nicolas Canceill DNSSEC deployment maps http://www.internetsociety.org/deploy360/dnssec/maps/ RFCs 1035, 2671, 4033, 4034, 4035, 5155. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 7 / 20

  8. Approach Research HOWTO Measure DNSSEC security aware resolvers This part of the research has been done by using RIPE ATLAS. Define a course of action for a stub resolver Try to maintain as much scalability (shared cache) as possible. Tools used Ubuntu 15.04, Python 2.7.9, Python DPKT library, RIPE ATLAS. Special mention to the ’atlas’ python class, courtesy of NLnet. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 8 / 20

  9. Approach Research HOWTO RIPE ATLAS RIPE ATLAS is an online tool that can be used to query probes spread worldwide (mostly Europe) to get diverse measurements. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 9 / 20

  10. Designing the Measurements Decisions, decisions. . . We performed four different types of measurements: Basic DNS. Basic DNSSEC. NXDOMAIN Handling test. Wildcard Handling test. NXDOMAIN NXDOMAIN answers are –supposed to be– obtained when querying for a non-existant name. Wildcards DNS wildcard records are used to match any name that is not defined and is matched by the wildcard. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 10 / 20

  11. Filtering results ”Do it right or do not, there is no try.” Public DNS We filtered the probes using public DNS servers as their resolvers, as this would likely inflate numbers. Loopback addresses A number of probes were using a loopback address ( 127.0.0.1 ) as their resolver. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 11 / 20

  12. Measurement Results: NXDOMAIN Handling (NSEC) Not that promising. . . Received Resource Records Percentage No RR 22.27% Only SOA 21.49% SOA + NSEC + RSIG(x2) 56.23% Over 10.000 measurements. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 12 / 20

  13. Measurement Results: NXDOMAIN Handling (NSEC3) NSEC3 shares a similar fate. Received Resource Records Percentage No RR 12.44% Only SOA 27.68% SOA + RRSIG 3.62% SOA + NSEC3(x3) + RSIG(x3) 0.58% SOA + NSEC3(x4) + RSIG(x3) 57.86% Over 10.000 measurements. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 13 / 20

  14. Measurement Results: Wildcard Handling ”Never tell me the odds.” Received Resource Records Percentage No RR 31.59% NSEC + RRSIG 11.92% NS(x3) 6.93% NS(x3) + RRSIG 13.48% NS(x3) + RRSIG + NSEC 1.10% NS(x3) + RRSIG(x2) + NSEC 34.98% Over 10.000 measurements. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 14 / 20

  15. Forcing communication with ISP Resolver Getting the address Query for an A record to echo.v4.nlnetlabs.nl. Server does not reply a fixed record, but replies with the IP of the recursive resolver! The results. . . Querying directly the recursive resolver increased the DNSSEC query success to 80%! Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 15 / 20

  16. Discovery Method ”Are we there yet? Are we there yet?” 1 Primary DNS server: Working 56% of the time for NXDOMAIN and 35% for wildcards. 2 Secondary DNS server: Tends to not be useful unless the secondary is set to be from a different ’provider’. 3 Directly access ISP DNS server: Our measurements indicate that this would rise success chance to approximately 80% (if ISPs do not block this). 4 Use a public DNS server: p.e. Google public DNS resolvers can process DNSSEC queries. 5 Full recursion from stub resolver Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 16 / 20

  17. Conclusions DNSSEC is still not properly implemented, at a resolver level, in most –cheap– hardware. Errors are difficult to troubleshoot as they may originate at different points of the DNS communication. Querying directly the ISP resolver helps the issue. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 17 / 20

  18. Future Work But wait, there is more. . . ! It would be interesting to use an alternative method, rather than RIPE ATLAS, to determine the validity of the data we gathered. The dataset retrieved from RIPE could be studied in more depth than what 2 weeks of RP allow for. . . About the Checking Disabled bit. . . Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 18 / 20

  19. Future Work Future as in. . . next week. Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 19 / 20

  20. Questions Xavier Torrent Gorj´ on Supervisor: Willem Toorop Discovery method for a DNSSEC validating stub resolver 20 / 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A flexible DNSSEC-validating Resolver Ondej Sur ondrej.sury@nic.cz 7.3.2016 What

A flexible DNSSEC-validating Resolver Ondej Sur ondrej.sury@nic.cz 7.3.2016 What

A flexible DNSSEC-validating Resolver Ondej Sur ondrej.sury@nic.cz 7.3.2016 What is Knot DNS Resolver? Platform for building recursive DNS service Open-source DNS Resolver (GPLv3+) Full DNSSEC support: RFC 6650

265 views • 12 slides
A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for

A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for

A new stub resolver Willem Toorop willem@nlnetlabs.nl API is: A DNS API specification (for resolving) by and for application developers (for application) First implementation by LABS and From Verisign: From NLnet Labs: Theogene Bucuti,

1.63k views • 113 slides
ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016

ECDSA P-256 support in DNSSEC-validating Resolvers Geoff Huston APNIC Labs February 2016 ECDSA Elliptic Curve Cryptography allows for the construction of strong public/private key pairs with key lengths that are far shorter than

416 views • 27 slides
Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van

Understanding the Role of Registrars in DNSSEC Deployment Taejoong (tijay) Chung, Roland van Rijswijk-Deij, David Choffnes, Dave Levin, Bruce M. Maggs, Alan Mislove, Christo Wilson 1 DNSSEC 101 example.com's Authoritative DNS Resolver DNS

1.54k views • 119 slides
TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC

TLS and DNSSEC wrap-up CS 161: Computer Security Prof. David Wagner April 14, 2013 DNSSEC Mallory attacks! www.google.com A? Clients ns1.evil.com www.google.com. A 6.6.6.6 Resolver DNSSEC Mallory attacks! www.google.com A?

510 views • 30 slides
DNSSEC on Campus By Michael Sinatra University of California, Berkeley You didnt think I

DNSSEC on Campus By Michael Sinatra University of California, Berkeley You didnt think I

DNSSEC on Campus By Michael Sinatra University of California, Berkeley You didnt think I was really going to use that font, did you? What we did Began validating DNSSEC responses on our caching resolvers using ISC DLV in October 2008

504 views • 21 slides
Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 Joe Abley AfNOG

Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 Joe Abley AfNOG

Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 Joe Abley AfNOG Workshop, AIS 2017, Nairobi Recap DNS is a distributed database Stub asks Resolver for information Resolver traverses the DNS delegation tree

427 views • 39 slides
Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 tzNOG 4 Workshop, Dar

Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 tzNOG 4 Workshop, Dar

Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 tzNOG 4 Workshop, Dar es Salaam Recap DNS is a distributed database Stub asks Resolver for information Resolver traverses the DNS delegation tree to find

799 views • 39 slides
DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in

DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft Windows DNS Server Widely deployed in enterprises Fair presence in the DNS resolver space Standards compliant and interoperable Secure and scalable DNSSEC in Windows DNS

266 views • 14 slides
Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 Michuki Mwangi AfNOG

Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 Michuki Mwangi AfNOG

Domain Name System (DNS) Session 3: Authoritative Name Server using BIND9 Michuki Mwangi AfNOG Workshop, AIS 2019, Kampala Recap ! DNS is a distributed database ! Stub asks Resolver for information ! Resolver traverses the DNS delegation tree

523 views • 39 slides
Perspectives on Efficacy Standards Development of a Standard Test Method for Validating the

Perspectives on Efficacy Standards Development of a Standard Test Method for Validating the

Perspectives on Efficacy Standards Development of a Standard Test Method for Validating the Antimicrobial Efficacy of Whole Room UV Devices Matthew Hardwick, PhD ResInnova Laboratories 1 INTRO Ultraviolet germicidal irradiation has a

387 views • 21 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC & fragmentation a prickly combination Roland van Rijswijk - Deij

DNSSEC & fragmentation a prickly combination Roland van Rijswijk - Deij

DNSSEC & fragmentation a prickly combination Roland van Rijswijk - Deij roland.vanrijswijk@surfnet.nl The problem in 1 slide Authoritative Name Server Firewall Recursive Caching Name Server (resolver) 2 SURFnet:

442 views • 13 slides
DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and

DNS/DNSSEC/DPRIVE IETF 96 Hackathon Problem Solved DNS security and privacy enhancements and interoperabilty Method of Solution multiple user stories, multiple open source prototypes Highlight 1: DNSSEC

246 views • 12 slides
Validating the PRIDIT method for determining hospital g p quality with outcomes data Robert

Validating the PRIDIT method for determining hospital g p quality with outcomes data Robert

Validating the PRIDIT method for determining hospital g p quality with outcomes data Robert Lieberthal, PhD, Dominique Comer, PharmD, Katherine OConnell, BS August 12 2011 August 12, 2011 Acknowledgements Funding provided by the

171 views • 15 slides
NOT BY THEIR INNATE ABILITY, BUT BY THEIR MINDSET. NEURON DEVELOPMENT Think about the last time

NOT BY THEIR INNATE ABILITY, BUT BY THEIR MINDSET. NEURON DEVELOPMENT Think about the last time

MINDSET The work of Carol Dweck MOST PEOPLE ARE HELD BACK NOT BY THEIR INNATE ABILITY, BUT BY THEIR MINDSET. NEURON DEVELOPMENT Think about the last time you had a major setback, failure or rejection in your life. Did you hear the fixed

199 views • 17 slides
Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com

Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com

Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com BlackHat USA, Las Vegas 2007 How do you manage your 169 Web 2.0 accounts today? Does your SSO consist of A login (e.g. johndoe) + 2

599 views • 46 slides
UNIFORM SEPTEMBER 2014 STAFF INFORMATION Pilot uniform

UNIFORM SEPTEMBER 2014 STAFF INFORMATION Pilot uniform

UNIFORM SEPTEMBER 2014 STAFF INFORMATION Pilot uniform strategy. IT IS VERY SIMPLE.. IF PUPILS ARE NOT WEARING THIS ON THE FIRST, OR

204 views • 17 slides
Explanation On October 1 st, The Meadows joined their family of schools, which means we are now

Explanation On October 1 st, The Meadows joined their family of schools, which means we are now

Our conversion to an Academy Childrens Explanation On October 1 st, The Meadows joined their family of schools, which means we are now an Academy. Who are The Shaw Education Trust? What is an Academy? Why have we made this decision? Shaw

216 views • 10 slides
Mapping a New Direction Using Process Maps to Improve your business and your forms Outline

Mapping a New Direction Using Process Maps to Improve your business and your forms Outline

Mapping a New Direction Using Process Maps to Improve your business and your forms Outline Workshop goals Introduction Tools (map styles and conventions) Analysis Examples Workshop Goals - to understand the uses and

658 views • 55 slides
Outpatient Quality Reporting Program Support Contractor The Lifecycle of Healthcare Quality

Outpatient Quality Reporting Program Support Contractor The Lifecycle of Healthcare Quality

Outpatient Quality Reporting Program Support Contractor The Lifecycle of Healthcare Quality Measures Presentation Moderator: Karen VanBourgondien Education Coordinator, HSAG Speaker: Elizabeth Bainger Program Lead, Hospital OQR Program, CMS

449 views • 26 slides
Unleashing Creativity with Zynq Agenda 1. Project presentation in pictures . 3 slides 2.

Unleashing Creativity with Zynq Agenda 1. Project presentation in pictures . 3 slides 2.

Unleashing Creativity with Zynq Agenda 1. Project presentation in pictures . 3 slides 2. Description of modules built with Vivado . 12 slides 3. Conclusions . 4 slides High igh-End A nd Audio P Play aybac ack 2004: PC-based bulky

445 views • 21 slides
DEVELOPMENT OF NEXT GENERATION SUBMARINE LINE TERMINAL EQUIPMENT LINE TERMINAL EQUIPMENT

DEVELOPMENT OF NEXT GENERATION SUBMARINE LINE TERMINAL EQUIPMENT LINE TERMINAL EQUIPMENT

conference & convention enabling the next generation of networks & services DEVELOPMENT OF NEXT GENERATION SUBMARINE LINE TERMINAL EQUIPMENT LINE TERMINAL EQUIPMENT Hiroshi Ogiwara FUJITSU LIMITED conference & convention

190 views • 15 slides

More recommend