SLIDE 1
The Current State of DNS Resolvers and RPKI Protection
By Erik Dekker and Marius Brouwer 1
2
Motivation
Why is this research important?
The Current State of DNS Resolvers and RPKI Protection By Erik - - PowerPoint PPT Presentation
The Current State of DNS Resolvers and RPKI Protection By Erik - - PowerPoint PPT Presentation
The Current State of DNS Resolvers and RPKI Protection By Erik Dekker and Marius Brouwer 1 Motivation Why is this research important? 2 Motivation BGP is old First RFC was published in 1989 (RFC 1105) BGP was developed in times
SLIDE 2
SLIDE 3
3
Motivation
BGP is old First RFC was published in 1989 (RFC 1105) BGP was developed in times when security problems were less prevalent And is vulnerable for certain attacks For example, BGP is prone to IP Prefix Hijacks
SLIDE 4
4
BGP IP Prefix Hijack
AS666 8.0.0.0/24 C 1.0.0.0/24 A AS1 AS5 AS3 AS4 8.0.0.0/24 B AS2
SLIDE 5
5
Resource Public Key Infrastructure
RPKI comes to the rescue! Documented in RFC 6480 But also in RFC 6481,6482, 6483, 6484, 6485, 6486, 6487, 6488, 6489, 6490, 6491, 6492, and 6493
SLIDE 6
6
How does RPKI work?
RIRs assign IP prefixes to network operators For example RIPE assigns prefixes to SURFnet RPKI allows network operators to sign their assigned IP prefixes To prove that they have the right to originate this prefix The RIRs host the Trust Anchors This results in a Route Origin Authorization (ROA) record Which contains the AS number, Prefix(es) and optionally prefix length Routers can validate ROA records (Route Origin Validation) ROV == RPKI filtering
SLIDE 7
7
BGP IP Prefix Hijack with RPKI
AS1 AS2 AS3 AS666 8.0.0.0/24 B 8.0.0.0/24 C 1.0.0.0/24 A Invalid valid ROV ROA AS4 AS5
SLIDE 8
8
DNS
What does this have to do with DNS resolvers?
SLIDE 9
9
BGP IP Prefix Hijack
AS1 AS2 AS3 AS666 8.0.0.0/24 B 8.0.0.0/24 C 1.0.0.0/24 A Invalid valid ROV ROA AS4 9.0.0.0/24 D DNS Server DNS Server 9.0.0.1 AS5 Resolver
SLIDE 10
10
Example
Amazon Route 53 BGP Hijack All traffic directed to MyEtherWallet was hijacked
SLIDE 11
11
Research question
Main question: “What is the state of RPKI filtering on DNS resolvers?” Sub questions: How does the length of the AS path between resolver and authoritative DNS server influence the level of RPKI protection? How does anycast influence the protection of DNS resolvers?
SLIDE 12
12
Scope
No DNSSEC No IPv6
SLIDE 13
13
Method – test setup
RIPE Atlas Probes Can send DNS queries to their resolvers Who query our authoritative DNS servers Beacon TCPdump of all the queries Made a BGP dump
SLIDE 14
14
Method – experiment
- 1. $id.invalid.valid4.rootcanary.net
- 6. $id.invalid4.rootcanary.net
- 2. $id.invalid.valid4.rootcanary.net
- 3. $id.invalid4.rootcanary.net
- 4. $id.invalid4.rootcanary.net
- 5. $id.invalid4.rootcanary.net
- 1. A record
- 2. A record
- 3. Synthesized CNAME
- 4. A record
- 5. Answer
- 6. Answer
Valid Invalid
SLIDE 15
Results
15
SLIDE 16
Results – Probe RPKI Coverage
16
2500 5000 7500 10000 2020−01−23 2020−01−24 2020−01−25 2020−01−26 2020−01−27 2020−01−28 2020−01−29 2020−01−30 2020−01−31 2020−02−01 2020−02−02 2020−02−03 Date Number of Probes Probe Protection Status
Total Probes Unprotected Partially Fully
SLIDE 17
Results – Probe/ Resolver RPKI Coverage
17
5000 10000 15000 2020−01−23 2020−01−24 2020−01−25 2020−01−26 2020−01−27 2020−01−28 2020−01−29 2020−01−30 2020−01−31 2020−02−01 2020−02−02 2020−02−03 Date Probe/Resolver Pairs RPKI Status
Total Unprotected Protected
SLIDE 18
18
Results – Top 10 AS
1000 2000 3000 4000 5000 15169 13335 36692 42 8881 7922 6830 3320 12322 3215 AS Queries RPKI Status
Protected Unprotected
SLIDE 19
19
Results – Top 19 AS highest filtering ASes
1000 2000 3000 4000 13335 12322 3265 7018 7132 553 8473 13030 2119 2860 12392 4739 3301 6939 1741 1241 1759 4802 15943 AS Queries RPKI Status
Protected Unprotected
SLIDE 20
20
Results – Influence of Cloudflare anycast
40 80 120 160 2020−01−23 2020−01−24 2020−01−25 2020−01−26 2020−01−27 2020−01−28 2020−01−29 2020−01−30 2020−01−31 2020−02−01 2020−02−02 2020−02−03 Date Cloudflare Prefixes RPKI Status
Total Unprotected Protected
SLIDE 21
21
Results – Influence of AS path length
0.00 0.25 0.50 0.75 1.00 2 3 4 5 6 7 8 9 10 11 AS Path Length Query Ratio RPKI Status
Unprotected Protected
SLIDE 22
22
Results – Influence of AS path length
100,000 200,000
2 3 4 5 6 7 8 9 10 11 AS Path Length Queries
SLIDE 23
23
Results – Influence of AS path length
100,000 200,000
2 3 4 5 6 7 8 9 10 11 AS Path Length Queries 0.00 0.25 0.50 0.75 1.00 2 3 4 5 6 7 8 9 10 11 AS Path Length Query Ratio RPKI Status
Unprotected Protected
SLIDE 24
24
Conclusions
Main Research Question: “ What is the state of RPKI filtering on DNS resolvers? ”
- How does the length of the AS path between resolver and authoritative DNS server
influence the level of RPKI protection?
- How does anycast influence the protection of DNS resolvers?
SLIDE 25
25
Discussion
- RPKI query coverage ≠ RPKI protected clients
- Atlas probe AS could still be hijacked.
- Small amount of ASes are fully protected
- Expectation: Longer AS path more RPKI protection
- Based on reverse path
- Influence of anycast DNS relatively high and growing
- Population of experiment is western oriented and geek biased
SLIDE 26
26
Future Work
- Take DNS forwarders into account in future research
- Make use of another query generator other than RIPE Atlas for a different population
- Place more beacons in different regions/AS
- Focus on specific open DNS resolvers e.g. Cloudflare and Verisign Public DNS
- Longitudinal study of ongoing data capture
- Analyze which DNS resolvers are aided by filtering along the path.
SLIDE 27
27
Acknowledgements
SLIDE 28
Questions?
28