Living on the Edge: (Re)focus DNS Efforts on the End-Points (PowerPoint PPT Presentation)

SLIDE 1

http://www.nlnetlabs.nl/

Living on the Edge: (Re)focus DNS Efforts on the End-Points

Benno Overeinder, NLnet Labs
RIPE 75, Dubai, UAE

SLIDE 2

Complexity at Core-Middle-Edge

[Figure: core (authoritative servers for ., net and ripe): simple e2e-ness; middle (recursive resolver): moderate e2e-ness; edge (application, stub, OS): complex e2e-ness]

SLIDE 3

From the ground-up security

… and now for something completely different

SLIDE 4

Customer–Web Portal Interaction

[Figure: the customer's host runs a browser; to reach the web portal it asks the full recursive resolver, which queries the auth name servers, for the portal's IP address, then connects to the http server over http/https]

SLIDE 5

DNS Spoofing

  • DNS spoofing by cache poisoning
  • the attacker floods a DNS resolver with forged responses carrying bogus DNS results
  • by the law of large numbers, one of the forged responses eventually matches an outstanding query and plants the bogus result in the cache
  • Man-in-the-middle attacks
  • redirect to the wrong Internet sites
  • e-mail delivered to an unauthorized mail server
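The guessing game behind blind cache poisoning, as an added example (not from the slides): the acceptance check a resolver applies to every answer, the analytic probability that a flood of forged answers hits an outstanding query, and a seeded simulation that compares a fixed source port with 16 bits of port entropy. The packets are constructed dicts rather than DNS wire format, the server address 192.0.2.53 and the query name are constructed, and the simulation assumes the forged flood arrives before the genuine reply.

```python
import random

ID_BITS = 16  # the DNS message ID is 16 bits (RFC 1035)


def response_accepted(in_flight, resp):
    """Resolver-side check before an answer is used: the response must carry the
    ID of a query still in flight, be addressed to that query's source port, come
    from the server we asked and answer the same question (RFC 5452, section 9).
    Anything else is dropped, so an off-path attacker has to guess ID (and port)."""
    q = in_flight.get(resp["id"])
    return (q is not None
            and q["port"] == resp["dport"]
            and q["server"] == resp["src"]
            and (q["qname"], q["qtype"]) == (resp["qname"], resp["qtype"]))


def success_probability(forged, port_bits=0):
    """P(at least one of `forged` blind guesses matches) = 1 - (1 - 2^-(16+port_bits))^forged."""
    per_try = 2.0 ** -(ID_BITS + port_bits)
    return 1.0 - (1.0 - per_try) ** forged


def simulate(trials, forged_per_query, port_bits, seed=7):
    """Monte Carlo: fraction of queries the attacker poisons. Constructed scenario:
    one query in flight at a time, the forged flood arrives before the genuine reply,
    and the source port is either fixed (port_bits=0) or a port_bits-bit random value."""
    rng = random.Random(seed)
    poisoned = 0
    for _ in range(trials):
        q = {"id": rng.getrandbits(ID_BITS),
             "port": 53 if port_bits == 0 else rng.getrandbits(port_bits),
             "server": "192.0.2.53", "qname": "example.com.", "qtype": "A"}
        in_flight = {q["id"]: q}
        for _ in range(forged_per_query):
            forged = {"id": rng.getrandbits(ID_BITS),
                      "dport": 53 if port_bits == 0 else rng.getrandbits(port_bits),
                      "src": "192.0.2.53",  # spoofed: the attacker knows which server we ask
                      "qname": "example.com.", "qtype": "A"}
            if response_accepted(in_flight, forged):
                poisoned += 1
                break
    return poisoned / trials


def compare(trials=400, forged_per_query=2000):
    """Observed poisoning rate with a fixed port versus 16 bits of port entropy,
    next to the analytic values for the same flood size."""
    return {
        "fixed_port": simulate(trials, forged_per_query, port_bits=0),
        "fixed_port_expected": success_probability(forged_per_query, 0),
        "random_port": simulate(trials, forged_per_query, port_bits=16),
        "random_port_expected": success_probability(forged_per_query, 16),
    }


if __name__ == "__main__":
    print(compare())
```

With a fixed port the attacker needs on the order of 2^16 guesses per query window; with a randomised port the same flood gets nothing, which is why source-port randomisation (RFC 5452) was the stop-gap before DNSSEC. Neither check authenticates the data itself, which is the gap the rest of the slides address.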

SLIDE 6

The “Too Many CAs” Problem

  • TLS clients have an abundance of trust anchors (TAs)
  • modern web browsers ship 1300+ TAs
  • any of them can issue a certificate for example.com

[Figure: two certificates for example.com, issued by two different CAs; the TLS client accepts both!]

credits wes.hardaker@parsons.com

SLIDE 7

Customer–Web Portal Interaction

[Figure: the same interaction as slide 4, with the http/https connection annotated "too many CAs"]

CA pinning/HSTS?

SLIDE 8

DNSSEC-Based Secure Customer–Web Portal Interaction

[Figure: the same interaction, with DNSSEC securing the lookup via the full recursive resolver and the auth name servers, and DANE replacing the "too many CAs" trust in the http/https connection]
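How DANE removes the browser's dependence on which CA signed the certificate, as an added example (not from the slides or from getdns): the client derives the TLSA association data from the certificate it was presented and compares it with the record the domain owner published under _443._tcp.example.com. The certificate and SPKI byte strings are constructed stand-ins for DER, and the `dnssec_secure` and `pkix_valid` flags stand in for the results of DNSSEC validation and PKIX path building, which the stub and the TLS stack would supply.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data

    @classmethod
    def from_presentation(cls, text):
        """Parse zone-file presentation format, e.g. '3 1 1 2bb183...'; the hex
        part may be broken up by whitespace."""
        usage, selector, mtype, hexdata = text.split(None, 3)
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex("".join(hexdata.split())))


def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name the client looks up: _port._proto.host (RFC 6698, section 3)."""
    return f"_{port}._{proto}.{host}."


def association_data(selector, mtype, cert_der, spki_der):
    """Derive the data a TLSA record holds for a given certificate."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def dane_accepts(tlsa_rrset, cert_der, spki_der, dnssec_secure, pkix_valid):
    """Decide whether to accept the server's end-entity certificate.
    The TLSA RRset is only usable if it came back DNSSEC-validated; an insecure
    or bogus lookup must not influence the decision (RFC 6698, section 4.1).
    Usage 3 (DANE-EE) trusts the record alone; usage 1 (PKIX-EE) additionally
    requires the normal PKIX path to validate. Usages 0 and 2 name a trust
    anchor somewhere in the chain and are not modelled here."""
    if not dnssec_secure:
        return False
    for t in tlsa_rrset:
        if t.usage not in (1, 3):
            continue
        if association_data(t.selector, t.mtype, cert_der, spki_der) != t.data:
            continue
        if t.usage == 3 or pkix_valid:
            return True
    return False


# Constructed stand-ins for DER-encoded certificates and their SPKI (not real DER).
LEGIT_SPKI = b"SPKI:example.com:key-the-domain-owner-controls"
LEGIT_CERT = b"CERT:example.com:issued-by-CA-A:" + LEGIT_SPKI
ROGUE_SPKI = b"SPKI:example.com:key-of-a-mis-issuing-CA"
ROGUE_CERT = b"CERT:example.com:issued-by-CA-B:" + ROGUE_SPKI


def publish_tlsa(spki_der):
    """What the domain owner puts in the zone: '3 1 1 <sha256(SPKI)>'."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"


def demo():
    """Both certificates chain to a browser trust anchor (pkix_valid=True), so a
    plain TLS client accepts both; with the owner's TLSA record only the pinned
    key is accepted, and only when the lookup was DNSSEC-secure."""
    rrset = [TLSA.from_presentation(publish_tlsa(LEGIT_SPKI))]
    return {
        "legit": dane_accepts(rrset, LEGIT_CERT, LEGIT_SPKI, True, True),
        "rogue": dane_accepts(rrset, ROGUE_CERT, ROGUE_SPKI, True, True),
        "legit_insecure_lookup": dane_accepts(rrset, LEGIT_CERT, LEGIT_SPKI, False, True),
    }


if __name__ == "__main__":
    print(tlsa_owner("example.com"), publish_tlsa(LEGIT_SPKI))
    print(demo())
```

The `dnssec_secure` gate is the whole point of the following slides: if the stub cannot tell a validated TLSA RRset from one a hijacked resolver made up, DANE gives no more assurance than the CA list it replaces.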

SLIDE 9

Resolver Hijack?!

[Figure: the same interaction with DNSSEC and DANE, but the full recursive resolver, and its path to the host, is marked as the point of hijack]

SLIDE 10

Countering Resolver Hijack

  • DNSSEC on the stub
  • DNS-over-TLS

[Figures: (a) validating recursive resolver: the browser's stub asks for dns-oarc.net A over the last mile and gets back 64.191.0.198, relying on the resolver's validation; (b) DNSSEC-aware stub: the stub itself fetches the DNSKEY/DS records for ., net and dns-oarc.net through the recursive resolver and validates the A answer]

SLIDE 11

Countering Resolver Hijack (cont’d)

  • DNS-over-TLS

[Figures: the stub speaks DNS-over-TLS to the validating recursive resolver getdnsapi.net and receives dns-oarc.net A 64.191.0.198 (security/privacy on the last mile); authenticating that resolver with DANE needs the _853._tcp.getdnsapi.net TLSA record and the DNSKEY/DS chain for ., net and getdnsapi.net, which the stub would first have to fetch over plain DNS]

TLS hijack of DNS-over-TLS: bootstrap the TLSA lookup with regular DNS? Chicken and egg problem.

Authenticate DNS-over-TLS with DANE?

SLIDE 12

DNSSEC Data Blob-over-TLS

  • TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension
  • TLS DNSSEC authentication to prevent the “Too Many CAs” problem
  • https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension

[Figure: the DNS-over-TLS resolver getdnsapi.net sends its _853._tcp.getdnsapi.net TLSA record together with the getdnsapi.net DNSKEY/DS, net DNSKEY/DS and . DNSKEY records and their RRSIGs inside the TLS handshake; the stub validates the chain from its root trust anchor and then sends the dns-oarc.net A query over the authenticated connection]

SLIDE 13

DNS Privacy and Standards

  • DNS privacy requirements

Capability                                              Standard
DNS-over-TLS                                            RFC 7858
Reuse/pipelining/OOOP                                   RFC 7766
TCP Fast Open                                           RFC 7413
EDNS0 keepalive                                         RFC 7828
EDNS0 padding                                           RFC 7830
PKIX support for authentication                         (various)
DNSSEC support (for address lookup and authentication)  (various)

SLIDE 14

DNSSEC Roadblocks

Consequences of living on the edge

SLIDE 15

DNSSEC Roadblocks

  • Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver

[Figure: the DNSSEC-aware stub in the browser/OS needs the DNSKEY/DS records for ., net and dns-oarc.net as well as the A record from the authoritative servers; all of them have to pass through the recursive resolver in between]

SLIDE 16

DNSSEC Roadblock Avoidance

  • DNSSEC roadblock avoidance + full recursion capability
  • https://tools.ietf.org/html/rfc8027

SLIDE 18

IPv6 Only

[Figure: IPv6-only network with DNS64 and NAT64; the browser's stub asks for twitter.com AAAA, the DNS64 resolver (querying the authoritative servers for ., com and twitter.com) synthesizes 64:ff9b::68f4:2ac1 from the A record 104.244.42.193, and NAT64 translates the https connection to the IPv4-only server]

DNSSEC with DNS64 & NAT64

  • Jen Linkova’s “Let’s talk about IPv6 DNS64 & DNSSEC”
  • https://blog.apnic.net/2016/06/09/lets-talk-ipv6-dns64-dnssec/
  • With IPv6 prefix discovery, the stub can do DNSSEC validation of the A RR itself

SLIDE 19

DNSSEC with DNS64 & NAT64

  • IPv6 address synthesis prefix discovery + DNS64 capability
  • https://tools.ietf.org/html/rfc7050
  • https://tools.ietf.org/html/rfc6147

[Figure: IPv6-only network; the DNSSEC-aware stub in the browser/OS validates the twitter.com A record obtained through the privacy resolver, synthesizes the AAAA itself and connects through NAT64]

SLIDE 20

KSK Root Rollover

More roadblocks ahead

SLIDE 21

RFC5011 for DNSSEC Validating Stubs

  • A DNSSEC validating stub must do RFC5011 (automated trust anchor updates)
  • In-band RFC5011 tracking with the DNSSEC authentication chain TLS extension

SLIDE 22

KSK Root Rollover for Stub Library

  • A stub library for DANE
  • runs with the user’s privileges
  • no system config
  • bootstrap DNSSEC capabilities
  • https://tools.ietf.org/html/rfc7958
  • unbound-anchor functionality
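Trust anchor bootstrap (RFC 7958) and tracking (RFC 5011) for a validating stub, as an added example covering the two previous slides; it is not code from the slides, from unbound-anchor or from getdns. The DS digest computation is the real RFC 4034 one, but the key material, the root-anchors.xml document and the rollover timeline are constructed, and RRSIG verification is abstracted as the set of keys whose signature over the observed RRset checked out.

```python
import hashlib
import struct
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FLAG_SEP = 0x0001                   # Secure Entry Point: may act as trust anchor
FLAG_REVOKE = 0x0080                # RFC 5011 REVOKE bit
ADD_HOLD_DOWN = timedelta(days=30)  # RFC 5011, section 2.4.1

@dataclass(frozen=True)
class DnsKey:
    flags: int
    algorithm: int
    pubkey: bytes        # constructed stand-in for the public key field
    protocol: int = 3

    def rdata(self):
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.pubkey

def ds_digest(key, owner_wire=b"\x00"):
    """DS digest type 2: SHA-256 over the owner name in wire form ('.' is a
    single zero byte) followed by the DNSKEY RDATA (RFC 4034, section 5.1.4)."""
    return hashlib.sha256(owner_wire + key.rdata()).hexdigest().upper()

def load_root_anchors(xml_text, now):
    """RFC 7958: read a root-anchors.xml document and return the SHA-256 DS
    digests whose validFrom/validUntil window contains `now`."""
    digests = set()
    for kd in ET.fromstring(xml_text).findall("KeyDigest"):
        if now < datetime.fromisoformat(kd.get("validFrom")):
            continue
        until = kd.get("validUntil")
        if until and now >= datetime.fromisoformat(until):
            continue
        if kd.findtext("DigestType") == "2":
            digests.add(kd.findtext("Digest").upper())
    return digests

class TrustAnchorTracker:
    """RFC 5011 tracking of the root KSKs, simplified to one state per public key.
    `signers` is the set of public keys whose RRSIG over the observed RRset verified."""

    def __init__(self, initial_dnskeys, ds_digests):
        # Bootstrap: SEP keys whose DS is in root-anchors.xml become anchors.
        self.state = {k.pubkey: "valid" for k in initial_dnskeys
                      if k.flags & FLAG_SEP and ds_digest(k) in ds_digests}
        self.first_seen = {}

    def trusted(self):
        return {pk for pk, s in self.state.items() if s in ("valid", "missing")}

    def observe(self, rrset, signers, now):
        """Process one root DNSKEY RRset. An RRset not signed by a currently
        trusted anchor carries no authority and is ignored (RFC 5011, 2.2)."""
        if not self.trusted() & signers:
            return
        for k in rrset:
            st = self.state.get(k.pubkey)
            if k.flags & FLAG_REVOKE:
                # A revocation only counts when the revoked key signed the RRset.
                if st is not None and k.pubkey in signers:
                    self.state[k.pubkey] = "revoked"
            elif not k.flags & FLAG_SEP:
                continue
            elif st is None:                      # new SEP key: start add hold-down
                self.state[k.pubkey] = "addpend"
                self.first_seen[k.pubkey] = now
            elif st == "addpend" and now - self.first_seen[k.pubkey] >= ADD_HOLD_DOWN:
                self.state[k.pubkey] = "valid"    # seen continuously for 30 days
            elif st == "missing":
                self.state[k.pubkey] = "valid"
        present = {k.pubkey for k in rrset}
        for pk, st in list(self.state.items()):
            if pk in present:
                continue
            if st == "addpend":                   # vanished before the hold-down ran out
                del self.state[pk], self.first_seen[pk]
            elif st == "valid":
                self.state[pk] = "missing"

def demo_rollover():
    """Constructed timeline: publish a new KSK, sit out the hold-down, revoke the
    old one; in between, a hijacked resolver offers an RRset signed by its own key."""
    t0 = datetime(2017, 7, 11, tzinfo=timezone.utc)
    old = DnsKey(257, 8, b"constructed-old-root-ksk")
    new = DnsKey(257, 8, b"constructed-new-root-ksk")
    rogue = DnsKey(257, 8, b"constructed-attacker-key")
    anchors_xml = ('<TrustAnchor id="constructed"><Zone>.</Zone>'
                   '<KeyDigest id="k1" validFrom="2010-07-15T00:00:00+00:00">'
                   '<KeyTag>0</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>'
                   f'<Digest>{ds_digest(old)}</Digest></KeyDigest></TrustAnchor>')
    tr = TrustAnchorTracker([old], load_root_anchors(anchors_xml, t0))
    tr.observe([old, new], {old.pubkey}, t0)                          # new KSK published
    published = tr.state[new.pubkey]
    tr.observe([old, rogue], {rogue.pubkey}, t0 + timedelta(days=1))  # not signed by an anchor
    tr.observe([old, new], {old.pubkey}, t0 + timedelta(days=31))
    after_hold_down = tr.state[new.pubkey]
    old_revoked = DnsKey(old.flags | FLAG_REVOKE, 8, old.pubkey)
    tr.observe([old_revoked, new], {old.pubkey, new.pubkey}, t0 + timedelta(days=550))
    return {"published": published, "after_hold_down": after_hold_down,
            "old": tr.state[old.pubkey], "rogue_tracked": rogue.pubkey in tr.state,
            "trusted": tr.trusted()}
```

Two properties matter for a stub that runs without system configuration: the initial anchor set is tied to root-anchors.xml by DS digest rather than being whatever the resolver served first, and an RRset that is not signed by an already trusted key never starts a hold-down timer, so a hijacked resolver cannot introduce its own KSK.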

SLIDE 23

DNSSEC Roadblocks and Standards

  • DNSSEC stub capability requirements

Capability                                 Standard
DNSSEC validation                          (various)
DNSSEC roadblock avoidance                 RFC 8027
IPv6 prefix discovery                      RFC 7050
IPv6 address synthesis                     RFC 6147
Automated trust anchor updates             RFC 5011
Automated initial trust anchor retrieval   RFC 7958

SLIDE 24

Living on the Edge

“Final Thoughts”

SLIDE 25

Wrapping Up

  • Stub resolvers/libraries experience complex e2e-ness
  • at the edge of the network there are many kinds of roadblocks/brokenness
  • DNS-based security from the ground up
  • bootstraps with the stub
  • Closing the gap in the last mile with ongoing work
  • overview of RFCs and drafts
  • most of the discussed work is implemented in getdns and its stub resolver Stubby
  • DNSSEC Authentication Chain Extension
  • https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension