SLIDE 1

Scanning and Evaluating DNS Deployments in the Internet

Johannes Naab

Master Thesis Intermediate Talk
Advisors: O. Gasser, R. Holz, J. Schlamp
Supervisor: Prof. G. Carle
Chair for Network Architectures and Services, Department of Informatics, Technische Universität München

October 22, 2013

Johannes Naab (TU München) DNS Scan 1

SLIDE 2

Agenda

1. DNS Concepts
2. Why is DNS interesting?
3. Related work
4. Preliminary results
5. Schedule

SLIDE 3

Domain Name System

Figure: DNS overview (based on https://en.wikipedia.org/wiki/File:Domain_name_space.svg). The root (.) zone delegates to the de. and net. zones; a domain with its resource records lives in a zone served by authoritative name servers; a client asks a resolver, which follows the delegations with queries and responses.

SLIDE 4

Why is DNS interesting?

  • DNS is ubiquitous, nearly everything on the Internet depends on DNS
  • DNSSEC: use public key cryptography to sign and validate DNS data
  • disruptions can cause major problems
  • Causes for disruptions
      • configuration errors: wrong name server configuration, invalid and/or old data in zone files
      • malicious attacks

SLIDE 5

Related Work

  • Understanding implications of DNS zone provisioning (2008) [1]
      analysis of zone transfer data in com. and net. with respect to authoritative name server resilience
  • DNS Survey: October 2010 [4]
      sample of 1% of the com., net. and org. zones; statistics for name servers, SOA records, lame and sideway delegations
  • Quantifying the operational status of the DNSSEC deployment (2008) [2]
      12k DNSSEC zones; evaluation of availability, verification (How many trust anchors? The root zone (.) is signed only since 2010) and validity
  • Impact of configuration errors on DNS robustness (2004) [3]
      active measurement of 50k zones for lame delegations, cyclic dependencies and authoritative name server resilience

SLIDE 6

Scope of Work

  • Obtain data
      • active scanning of global DNS
      • starting points: zone lists and reverse DNS
      • create snapshots of the DNS database
      • scanning DNS efficiently and unobtrusively
  • Analyze data
      • focus on zones, delegations and authoritative name servers
      • consistency of data between the name servers
          • in the zone itself
          • between the zone and the parent
      • configuration errors: delegations and dependencies
      • DNSSEC deployments and errors

SLIDE 7

Preliminary results

  • (new) DNS scanner written in Python using ldns and twisted
      • existing tools such as dns-scraper don't provide the necessary features
      • scanner does full DNS resolution starting at the root zone
  • challenges
      • proper tracking of (circular) dependencies
      • discovering all zone cuts
      • ambiguities in the specifications, and not knowing how the name server in question implements them

SLIDE 8

Initial Scans

  • com. Zone with 110M domains from zone file
  • query NS, SOA RR on all name servers, ANY RR on a working name server
  • 1000 raw queries/second/core, 100 domains/second/core, 3 days for the entire com. zone
  • 3kB of DNS data per domain (NS and SOA from all NS, one ANY), 300GB of raw query data for one scan
  • unfortunately GoDaddy (domaincontrol.com) drops us
  • due to previous bugs, only the final 27% (30M) domains have been analyzed

SLIDE 9

Delegations

  • delegations (NS records) are names (which need to be resolved)
  • authoritative NS records are given by the zone itself
  • for 15% the NS sets of parent and apex don't match

    $ dig @a.gtld-servers.net. level3.net.
    ...
    ;; AUTHORITY SECTION:
    level3.net.    172800  IN  NS  ns1.l3.net.
    level3.net.    172800  IN  NS  ns2.l3.net.
    ...

    $ dig @ns1.l3.net. level3.net. ns
    ...
    ;; ANSWER SECTION:
    level3.net.    3600    IN  NS  ns1.level3.net.
    level3.net.    3600    IN  NS  ns2.level3.net.
    ...

SLIDE 10

Lame Delegations

Figure: Lame Delegations. The com. zone delegates example.com. to ns.example.net. (A 1.2.3.4), but that name server is unreachable or answers REFUSED.

SLIDE 11

Zone Status

Zone status of the 29969223 analyzed zones:

  all Zones       100.0%
  ANY Queries      65.4%
  w/o Reply         1.4%
  NXDomain          0.9%
  GoDaddy          23.6%
  Non Auth NS       6.1%
  Q. Error          2.1%
  Lame NS RR        0.6%

SLIDE 12

RR Type Popularity

Popularity of RR types in 19593012 ANY queries:

  A             92.2%
  NS            91.9%
  SOA           90.8%
  MX            66.5%
  TXT           27.8%
  AAAA           2.7%
  PTR            1.3%
  CNAME          0.9%
  RRSIG          0.6%
  DNSKEY         0.6%
  NSEC3PARAM     0.4%
  SPF            0.3%

SLIDE 13

Schedule

Figure: Gantt chart from July 2013 to January 2014 with the work packages: evaluation of existing tools; develop, extend and improve the new scanner; DNS scanning; data analysis and evaluation; preparation and intermediate talk; thesis writing.

SLIDE 14

Thank you for your attention

Questions?

SLIDE 15

References I

[1] Andrew J. Kalafut, Craig A. Shue, and Minaxi Gupta. Understanding implications of DNS zone provisioning. In Proc. 8th IMC, 2008.
[2] Eric Osterweil, Michael Ryan, Dan Massey, and Lixia Zhang. Quantifying the operational status of the DNSSEC deployment. In Proc. 8th IMC, 2008.
[3] Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, and Lixia Zhang. Impact of configuration errors on DNS robustness. In Proc. SIGCOMM '04, 2004.
[4] Geoffrey Sisson. DNS survey: October 2010.

SLIDE 16

Circular Dependencies

Figure: Circular Dependencies. Below the root zone, the com. zone delegates example.com. with NS ns.example.net. and the net. zone delegates example.net. with NS ns.example.com., so resolving either delegation requires the other.

SLIDE 17

Questionable DNS Configurations

Figure: Questionable out-of-tree delegation.

  nl. Zone delegates proserve.nl.:
    proserve.nl.      NS  ns1.proserve.nl.
    proserve.nl.      NS  ns2.pro-serve.eu.
    proserve.nl.      NS  ns3.proserve.org.
    ns1.proserve.nl.  A   80.84.224.85 (Glue)

  eu. Zone delegates pro-serve.eu.:
    pro-serve.eu.     NS  ns1.proserve.nl.
    pro-serve.eu.     NS  ns2.pro-serve.be
    pro-serve.eu.     NS  ns3.proserve.nl.

  For both zones the apex NS RRSet is consistent with the delegation according to ns1.proserve.nl. (80.84.224.85).

SLIDE 18

Acceptance of Glue Records

Figure: Influence of acceptance of Glue records.

  . Zone delegates de.:
    de.      NS  {a,f,z}.nic.de.   with Glue
    de.      NS  {l,n,s}.de.net.   with Glue

  de. Zone contains nic.de. and denic.de.

  net. Zone delegates de.net.:
    de.net.  NS  ns{1,2,3}.denic.de.
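Added example, not code from the thesis or its scanner: a fixed-point walk over constructed delegation data that reports which zones a resolver can reach from the root using only delegation NS records and glue, the dependency tracking the scanner must do for the circular-dependency case (example.com./example.net.) and for the de./de.net. glue case above. All zone data, the 192.0.2.0/24 addresses and the function names are constructed for this illustration.

```python
from copy import deepcopy
ROOT = "."
# Constructed zone data, not thesis measurements: per zone, the NS names in the
# parent's delegation and the glue A records served with it (192.0.2.0/24 are
# documentation addresses standing in for real ones). The root must be present.
ZONES = {
    ROOT: {"ns": [], "glue": {}},
    "com.": {"ns": ["a.gtld-servers.net."], "glue": {"a.gtld-servers.net.": "192.0.2.1"}},
    "net.": {"ns": ["a.gtld-servers.net."], "glue": {"a.gtld-servers.net.": "192.0.2.1"}},
    # circular dependency as on the slide: neither delegation carries glue
    "example.com.": {"ns": ["ns.example.net."], "glue": {}},
    "example.net.": {"ns": ["ns.example.com."], "glue": {}},
    # out-of-tree delegation: de. needs glue, de.net. can be resolved via de.
    "de.": {"ns": ["a.nic.de.", "l.de.net."], "glue": {"a.nic.de.": "192.0.2.2", "l.de.net.": "192.0.2.3"}},
    "de.net.": {"ns": ["ns1.denic.de."], "glue": {}},
}

def parent_of(name):
    """Parent zone name: 'example.com.' -> 'com.', 'com.' -> '.'."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else ROOT

def zone_of(hostname, zones):
    """Closest known zone enclosing a host name (walks up towards the root)."""
    while hostname not in zones:
        hostname = parent_of(hostname)
    return hostname

def reachable_zones(zones):
    """Zones a resolver can reach from the root using delegations and glue:
    a zone is reachable once its parent is and at least one NS name has an
    address (glue, or the name lies in an already reachable zone). Zones left
    over at the fixed point have circular or otherwise dangling dependencies."""
    reachable = {ROOT}
    changed = True
    while changed:
        changed = False
        for zone, data in zones.items():
            if zone in reachable or parent_of(zone) not in reachable:
                continue
            if any(ns in data["glue"] or zone_of(ns, zones) in reachable
                   for ns in data["ns"]):
                reachable.add(zone)
                changed = True
    return reachable

def without_glue(zones, zone):
    copy = deepcopy(zones)  # never mutate the caller's data
    copy[zone]["glue"] = {}
    return copy
```

Dropping the glue of the de. delegation (without_glue(ZONES, "de.")) makes de. depend on nic.de. and de.net., which in turn depends on denic.de., so de. and de.net. both become unresolvable.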
