dns security in the broadest sense some good news some bad
play

DNS Security in the Broadest sense Some good news, some bad Bert - PowerPoint PPT Presentation

Mar 05, 2024 •156 likes •510 views

DNS Security in the Broadest sense Some good news, some bad Bert Hubert PowerDNS.COM / Fox-IT Agenda DNS is scary & complex DNS is everywhere Embedded 1984 vintage code Threats: Availability, integrity, code exploitation

  1. DNS Security in the Broadest sense Some good news, some bad Bert Hubert PowerDNS.COM / Fox-IT

  2. Agenda ● DNS is scary & complex ● DNS is everywhere – Embedded 1984 vintage code ● Threats: – Availability, integrity, code exploitation ● Integrity: current risk of spoofing with numbers – Fast case (meh), slow case (worrying) – Countermeasures: ● DNSSEC + things that help 'today' – Plug: PowerDNSSEC.ORG ● So.. should we worry?

  3. Who am I? ● Briefly, so you know who I am, and why I might know what I am talking about ● PowerDNS, open source nameserver, authoritative & caching – Around since 1999 ● Powers HAR2009 , CCC camps, xs4all, UPC, Deutsche Telekom, AOL, Club Internet DNS caches ● Powers 40+% of all .nl domains, 50+% of all .de domains (and HAR2009!) ● .. not the biggest nameserver, but not the smallest either

  4. A DNS Packet, in the age of XML ● All in one UDP packet, binary, variable length fields +----------------------------------------------------+ |Source IP | Source Port | Dest.IP | Dest. Port | +----------------------------------------------------+ |ID | QR | QCODE | AA | TC | RD | RA | "Z" | RCODE | |QDCOUNT | ANCOUNT | NSCOUNT | ARCOUNT | +----------------------------------------------------+ ← |NAME | TYPE | CLASS | question ← |NAME | TYPE | CLASS | TTL | RDLENGTH | RDATA | answer ← |NAME | TYPE | CLASS | TTL | RDLENGTH | RDATA | answer ← |NAME | TYPE | CLASS | TTL | RDLENGTH | RDATA | answer +----------------------------------------------------+ 32 bits 16 bits variable length

  5. A DNS Packet 2 ● All in one UDP packet, uncompressed answer +----------------------------------------------------+ |Source IP | Source Port | Dest.IP | Dest. Port | +----------------------------------------------------+ |ID | 1 | QCODE | 1 | TC | RD | RA | "Z" | RCODE | | 1 | 4 | 0 | 0 | +----------------------------------------------------+ ← |\3www\7har2009\3org\0 | AAAA | IN | question |\3www\7har2009\3org\0 | CNAME| IN | 60 | 16 | ← \4srv1\7har2009\3org\0 | answer ← |\3www\7har2009\3org\0 | AAAA | IN | 60 | 16 | ::1 | answer ← |\3www\7har2009\3org\0 | AAAA | IN | 60 | 16 | ::2 | answer ← |\3www\7har2009\3org\0 | AAAA | IN | 60 | 16 | ::3 | answer +----------------------------------------------------+ 32 bits 16 bits variable length

  6. A DNS Packet compress with POINTERS! ● Fun to be had: loops, pointers to outside of packet, signed/unsigned ● errors, records longer than packet, embedded NULLs! (think SSL..) +----------------------------------------------------+ |Source IP | Source Port | Dest.IP | Dest. Port | +----------------------------------------------------+ |ID | 1 | QCODE | 1 | TC | RD | RA | "Z" | RCODE | |1 | 4 | 0 | 0 | +----------------------------------------------------+ ← |\3www\7har2009\3org\0 | AAAA | IN | question |\c0\0c | CNAME| IN | 60 | 18 | ← \4srv1\c0\16 | answer ← |\c0\25 | AAAA | IN | 60 | 16 | ::1 | answer ← |\c0\25 | AAAA | IN | 60 | 16 | ::2 | answer ← |\c0\25 | AAAA | IN | 60 | 16 | ::3 | answer +----------------------------------------------------+ 32 bits 16 bits variable length

  7. Conclusion: DNS is hard ● DNS is hard, perhaps too hard for the current spoiled generation of coders – Variable length fields – Implementations that implement the bare minimum ● Or think that '\c0\0c' means “answer here” (xs4all e-tech story) – Internal packet pointers ● Loops! – Need to do each and everything right in order to maintain security – “Why not use XML?” Or RPC?

  8. DNS is everywhere Root Browser Resolver / Cache 1 Stub resolver MUA {G/CC}TLD Resolver / Cache 2 Owner MTA

  9. DNS is everywhere.. Root Browser Resolver / Cache 1 €20 Stub resolver MUA {G/CC}TLD ADSL router Resolver / Cache 2 Owner MTA

  10. It is REALLY everywhere!!1! V DLV I Lookaside R Adv€rtising U Stub S Root Browser S Resolver / C Cache 1 A €20 N Stub resolver MUA {G/CC}TLD ADSL router N E Resolver / R Cache 2 / Owner MTA P C Stub Censorship F W WIFI / LAN Game Photo Printer Webcam Console camera

  11. DNS Threats ● Availability – No DNS = No Service = “My internets don't work!” – One typical resolver services up to 100,000 subscribers – Largest authoritative servers host 8,000,000+ zones ● Exploitation – Once exploited, integrity & availability are damaged – Plus all other software on same server/client! ● Integrity – DNS sends you the wrong way -> the internet changes (and your Euros follow!)

  12. DNS Availability (bad news) ● Childishly easy to DoS – Especially resolvers – 10k well-designed queries/s will kill most resolvers – 50k well-designed queries/s will kill most auth servers ● In some cases, simply by filling the pipe with answers ( DNSSEC - 4kbyte/answer ) ● Akamai and friends have stacks and stacks of nameservers to deal with this threat ● A well known incumbent telco is aiming for no less than a 20-fold “overkill” in resolver performance ● As an attack, not used all that much (yet) – Easier to just blast packets

  13. DNS Exploitation: stubs Stub: the bit of code that talks DNS from apps ● DNS (stub) code often regarded as 'magic', and rarely touched ● In many C libraries, code from 1984 can be found ● – As a typical example, over 70% of the GNU libc DNS code is 'dead' PowerDNS reliably crashed any and all applications linked ● against a well known C library by being 'different' Stubs appear everywhere, whenever someone feels the need to do ● better than the system stub No one really cares... ● – Original XP used '1' or '2' as its '''random''' DNS transaction ID Black/grey hats: there is GOLD in them hills ● – Hint: try TC=1 packets to force TCP fallback!

  14. DNS Exploitation: SOHO routers ● Small, residential, routers typically announce themselves as nameserver over DHCP – And then relay to the ISP if needed ● Nominet (UK Registry) DNSSEC research suggests that many of these routers actually process DNS and think about it – And kill lots of things in the process :-( ● PowerDNS reliably crashed the routers of xs4all subscribers simply by being 'different' ● And once you own the DNS.. you own the internets – Some of these devices deployed by the million... – Not chosen because of the quality!

  15. DNS Exploitation: servers ● The actual DNS servers (authoritative and caching) are frequent targets of attacks and exploitation ● These are high profile targets however, so it is not that easy to find (new) security problems ● However, the overall record of DNS server security is not very good – All major implementations have had potentially exploitable defects (except, of course, djbdns) – As said before, DNS is hard

  16. DNS Integrity, spoofing (HOT!) ● Integrity: the DNS answer you decide to trust should contain the authentic, original and correct data ● If you trust the wrong data, your packets go to the wrong server – And your Euros will (eventually) follow ● And since DNS is the gateway to the internet, this is a “big thing” ● And.. there is reason to worry

  17. DNS Spoofing ● Very briefly, more detail in “Cracking the Internet” presentation tomorrow, 14:00, by Rick van Rein and Roland van Rijswijk ● DNS queries and responses are like bricks – Anyone (*) can throw back bricks, containing 'better and improved' answers – This is called 'spoofing' ● The 'correct' response brick has the right numbers and names on it (*) not quite true – BCP38

  18. DNS integrity: spot the right answer ● The correct response to a DNS query is recognized by: – Having the same DNS transaction ID as the question (16 bits) – Arriving from the IP address the query was sent to – Arriving on the same protocol and port number the query was sent from (15 bits) – (except for some errors) matching the question name and question type of the original query – Being the first answer that matches these conditions – And doing so within a short timeframe ● Attackers can fake all the attributes above, but they have to guess 15+16 bits, around 1:2000000000 chance

  19. DNS Integrity: pre-Kaminsky ● Pre-Kaminsky, only Dan Bernstein, MaraDNS and PowerDNS did source port randomization ● So, spoof chance was 1:65535, instead of 1:2000000000 – Oops ● However, pre-Kaminsky, we assumed we would have only 1 attempt to spoof per TTL expiration – “24 times/day” ● Post-Kaminsky, as many attempts possible as the resolver can process ● More details in “Cracking the Internet” tomorrow

  20. Chance to be spoofed, static source port, 50kqps, 10 seconds (oops)

  21. Chance to be spoofed, random source port, 50kqps, 36 hours

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Social Media and the Church God is always good news; we are the ones who make ourselves

Social Media and the Church God is always good news; we are the ones who make ourselves

Social Media and the Church God is always good news; we are the ones who make ourselves irrelevant when we are not good news. And when we are good news, God's people see growing churches. - Archbishop Justin Welby The crucial, free tools

432 views • 29 slides
Does Anybody Really Need Open Routers? Jon Turner www.arl.wustl.edu/~jst Good News and Bad News

Does Anybody Really Need Open Routers? Jon Turner www.arl.wustl.edu/~jst Good News and Bad News

Does Anybody Really Need Open Routers? Jon Turner www.arl.wustl.edu/~jst Good News and Bad News Good news good hardware is available ATCA has made world-class router hardware available n can buy all the parts needed for 120 Gb/ s

439 views • 8 slides
Good News and Bad News in the Market for Charitable

Good News and Bad News in the Market for Charitable

Good News and Bad News in the Market for Charitable Giving: Experimental Evidence Luigi Butera Jeffrey Horn George Mason University Science

480 views • 24 slides
GOOD NEWS! A counter cultural movement Mark 1:1-2 This is the Good News about Jesus the Messiah,

GOOD NEWS! A counter cultural movement Mark 1:1-2 This is the Good News about Jesus the Messiah,

GOOD NEWS! A counter cultural movement Mark 1:1-2 This is the Good News about Jesus the Messiah, the Son of God. It began just as the prophet Isaiah had written: Am I GOOD NEWS? GOOD NEWS! A counter cultural movement 2 Corinthians 2:15-16

353 views • 22 slides
Everyone has inside of him a piece of good news . The good news is that you dont know how

Everyone has inside of him a piece of good news . The good news is that you dont know how

10/05/2017 Everyone has inside of him a piece of good news . The good news is that you dont know how great you can be ! How much you can love ! What you can accomplish ! And what your potential is ! - Anne Frank 1 10/05/2017 What Is

167 views • 16 slides
Colleges: The Good News, The Bad News, and Improving ESL Services NICK DAVID & KUANG LI

Colleges: The Good News, The Bad News, and Improving ESL Services NICK DAVID & KUANG LI

English Learners at Community Colleges: The Good News, The Bad News, and Improving ESL Services NICK DAVID & KUANG LI BOSTON UNIVERSITY The Good News: Research in a Neglected Field Non-native English Speakers in US 1990 31.8 million

778 views • 20 slides
In Intr troducti duction to Li on to Lite terat rature ure Literature, in its broadest

In Intr troducti duction to Li on to Lite terat rature ure Literature, in its broadest

In Intr troducti duction to Li on to Lite terat rature ure Literature, in its broadest sense, is everything has ever been written. It includes childrens magazine and pamphlets on road safety, as well as the novel of Leo Tolstoy and

963 views • 21 slides
The quantity of a small set You perceive the parts and put together the whole can be intuitively

The quantity of a small set You perceive the parts and put together the whole can be intuitively

Making Sense of Number Sense Definition Number sense is .good intuition about numbers Making Sense of Number Sense and their relationships . It develops gradually as a result of exploring numbers, visualizing them in a variety of contexts

339 views • 9 slides
The Three Ss: Good Science, Good Sense, Good Sensibilities norecopa.no/3S ADRIAN SMITH PENNY

The Three Ss: Good Science, Good Sense, Good Sensibilities norecopa.no/3S ADRIAN SMITH PENNY

LAVA-ESLAV-ECLAM Joint Conference Edinburgh, 25 - 26 September 2017 The Three Ss: Good Science, Good Sense, Good Sensibilities norecopa.no/3S ADRIAN SMITH PENNY HAWKINS RSPCA RESEARCH ANIMALS DEPARTMENT NORECOPA The aim of this

252 views • 14 slides
Deep learning for speech synthesis The good news, the bad news, and the fake news Scott

Deep learning for speech synthesis The good news, the bad news, and the fake news Scott

Deep learning for speech synthesis The good news, the bad news, and the fake news Scott Stevenson scott@faculty.ai The fake news 2 3 4 The effect of hot mic incidents Hot mic incidents Incidents can change can bring huge

395 views • 36 slides
Good news, everybody! Understanding Guile 2.2 Performance FOSDEM 2016 Andy Wingo

Good news, everybody! Understanding Guile 2.2 Performance FOSDEM 2016 Andy Wingo

Good news, everybody! Understanding Guile 2.2 Performance FOSDEM 2016 Andy Wingo wingo@{igalia,pobox}.com https://wingolog.org Good news, everybody! Guile is faster! Woo hoo! Bad news, everybody! The expert Lisp programmer eventually

1.11k views • 39 slides
IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name

IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name

IT Security Compliance Management can be done right! (and make sense doing so) 1 Hi. My name is Adrian Wiesmann. I work as an IT Security Officer for a Swiss Financial Institute and my daywork is to bother, to pester and to annoy to help

638 views • 39 slides
Current Research Trends Laux, 2019 The Good News The Bad News Researchers can

Current Research Trends Laux, 2019 The Good News The Bad News Researchers can

Current Research Trends Laux, 2019 The Good News The Bad News Researchers can demonstrate that Many of our assumptions about how in most cases students who study students develop intercultural abroad have higher levels of

389 views • 28 slides
NATURE A d o p t t h e p a c e o f n a t u r e : h e r s e c r e t i s p a t i e n c e .

NATURE A d o p t t h e p a c e o f n a t u r e : h e r s e c r e t i s p a t i e n c e .

NATURE A d o p t t h e p a c e o f n a t u r e : h e r s e c r e t i s p a t i e n c e . Things like weather, organisms, INTRODUCTION landforms, celestial bodies and much more are part of nature Nature, in the broadest sense, is

353 views • 10 slides
Grid generation for SCHISM with SMS Eli Ateljevich, DWR Joseph Zhang, VIMS 1 The good news and

Grid generation for SCHISM with SMS Eli Ateljevich, DWR Joseph Zhang, VIMS 1 The good news and

Grid generation for SCHISM with SMS Eli Ateljevich, DWR Joseph Zhang, VIMS 1 The good news and bad news Bad news o UG grid generation is often a laborious and iterative process o Steepest part of the learning curve for UG models o This is

862 views • 49 slides
The Torah does not prohibit crying. Baruch HaTov VeHameitiv. When receiving bad news we

The Torah does not prohibit crying. Baruch HaTov VeHameitiv. When receiving bad news we

1. Coping with Bad News 1 Gemara Brachos 54a 2 When receiving good news we say, Chofetz Chaim The Torah

186 views • 6 slides
DNS Requirements Large domain registrar A few hundred thousand domains using our DNS.

DNS Requirements Large domain registrar A few hundred thousand domains using our DNS.

Scaling DNS Requirements Large domain registrar A few hundred thousand domains using our DNS. Nearly a million domains Still growing Need fast updates on the authoritative servers Especially when a new domain is added

557 views • 21 slides
FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer

FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer

x January 2018 FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer 1 Key M Messages es Distributed Analysis (at the collection points) enables scale, flexibility and timely indicators.

364 views • 11 slides
Domain Name System (DNS) Session-1: Fundamentals Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar

Domain Name System (DNS) Session-1: Fundamentals Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar

Domain Name System (DNS) Session-1: Fundamentals Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar Computers use IP addresses. Why do we need names? Names are easier for people to remember Computers may be moved between networks, in which

462 views • 29 slides
Launching Your Site BADCamp 2019 by Dan Ficker About Me Dan Ficker St.

Launching Your Site BADCamp 2019 by Dan Ficker About Me Dan Ficker St.

Launching Your Site BADCamp 2019 by Dan Ficker About Me Dan Ficker St. Paul, Minnesota Twitter: @deliriousguy Web: http://da-man.com/ Customer Success Engineer, Pantheon What We Will Cover Gather Website

478 views • 31 slides
DNSwitness: recent developments and the new passive monitor St ephane Bortzmeyer AFNIC

DNSwitness: recent developments and the new passive monitor St ephane Bortzmeyer AFNIC

DNSwitness: recent developments and the new passive monitor St ephane Bortzmeyer AFNIC bortzmeyer@nic.fr RIPE 59 - Lisbon - October 2009 1 DNSwitness: recent developments and the new passive monitor / Where are we in the talk? Reminder

689 views • 67 slides
Non Profit Lobbying What is lobbying? Is it the proverbial, sinister behind-the-scenes

Non Profit Lobbying What is lobbying? Is it the proverbial, sinister behind-the-scenes

Non Profit Lobbying What is lobbying? Is it the proverbial, sinister behind-the-scenes handshake agreement? Or is it something not so sinister? What do you think? Lobbying is Political to be political, as per the IRS, means to engaged in

214 views • 5 slides
Operators Deep Dive Graham Hayes / HP Ron Rickard / eBay Inc. Graham Hayes - HP Cloud Ron

Operators Deep Dive Graham Hayes / HP Ron Rickard / eBay Inc. Graham Hayes - HP Cloud Ron

Operators Deep Dive Graham Hayes / HP Ron Rickard / eBay Inc. Graham Hayes - HP Cloud Ron Rickard Sr. Cloud Engineer, eBay Inc. rrickard@ebaysf.com irc.freenode.net: rjrjr Agenda Designate Overview Designate REST API Designate and Neutron

571 views • 33 slides
DISSECTING DNS STAKEHOLDERS IN MOBILE NETWORKS 2 CoNEXT 2017, Seoul/Incheon WHY TO STUDY

DISSECTING DNS STAKEHOLDERS IN MOBILE NETWORKS 2 CoNEXT 2017, Seoul/Incheon WHY TO STUDY

Mario Almeida, Alessandro Finamore, Diego Perino, Narseo Vallina-Rodriguez, Matteo Varvello CoNEXT 2017 - Seoul/Incheon, South Korea DISSECTING DNS STAKEHOLDERS IN MOBILE NETWORKS 2 CoNEXT 2017, Seoul/Incheon WHY TO STUDY DNS IN MOBILE

476 views • 28 slides

More recommend