Transcript Slide 0

In cooperation with:
DNSSEC
Restoring trust in DNS
Roland van Rijswijk
roland.vanrijswijk [at] surfnet.nl
September 18th 2009
About us
High quality and high bandwidth network for
higher education and research
Shared ICT innovation centre for academia
Over 180 connected institutions (universities,
polytechnics, vocational education, hospitals,
research institutions) with 1 million end-users
Independent consultancy company
Cryptography expertise
Internet security expertise
1
SURFnet. We make innovation work
Overview
- First half:
- Attacks on DNS
- Second half:
- DNSSEC in detail
- Questions: please ask!
DNS: Roadsigns for the net
DNS: insecurity by design?
- DNS was designed in the early Internet era
- Everybody more or less knew everybody else
- And everybody trusted everybody else
- Bottom line: security was not a design criterion
Threats to DNS
- Availability
- If DNS is not available, the internet is broken (users think)
- A typical DNS resolver services 100000+ end users
- Some authoritative servers host over 8 million zones
- Exploitation
- On an exploited server availability and integrity are broken
- Plus the attacker can gain access to all other software on the
same server/client
- Integrity
- DNS gives the wrong answer and sends you the wrong way
Slide content courtesy of Bert Hubert (PowerDNS)
Why attack DNS?
- DNS is everywhere:
- In your phone, in your laptop, in your PC…
- But also in your car, in an ATM, in your
elevator, …
- It is very hard to protect DNS against attacks
(currently)
- It is very easy to attack a lot of users
Let’s start simple
[Diagram: normal resolution of www.piggybank.dom]
Client -> DNS resolver: www.piggybank.dom A?
DNS resolver -> Root & TLD servers: www.piggybank.dom A?
Root & TLD servers -> DNS resolver: Referral to auth.
DNS resolver -> Authoritative server: www.piggybank.dom A?
Authoritative server -> DNS resolver: A: 123.45.67.89
DNS resolver -> Client: A: 123.45.67.89
Question: name a general attack model that is applicable to this setup
Answer: man in the middle attack
Beyond M-i-t-M: spoofing
[Slide: anatomy of a (spoofed) DNS response packet]
IP headers & stuff
  src IP = 192.87.106.101 (ns1.surfnet.nl)
  dst IP = 208.77.188.166 (www.example.com)
UDP headers & stuff
  src port = 53
  dst port = 4321
DNS
  QID = 1201
  some flags
  Question# = 1, Answer# = 1, Authority# = 3, Add. record# = 3
  Q?    A record for www.surfnet.nl
  Ans.  www.surfnet.nl = 194.171.26.203
  Aut.  surfnet.nl = ns1.surfnet.nl
  Aut.  surfnet.nl = ns2.surfnet.nl
  Aut.  surfnet.nl = ns3.surfnet.nl
  Add.  ns1.surfnet.nl = 192.87.106.101
  Add.  ns2.surfnet.nl = 192.87.36.2
  Add.  ns3.surfnet.nl = 195.169.124.71
Cache poisoning
[Diagram: the same resolution, with a Rogue responder racing the authoritative server]
Client -> DNS resolver: www.piggybank.dom A?
DNS resolver -> Root & TLD servers: www.piggybank.dom A?
Root & TLD servers -> DNS resolver: Referral to auth.
DNS resolver -> Authoritative server: www.piggybank.dom A?
Rogue responder -> DNS resolver: A: 123.57.89.15 (spoofed answer)
Question: how can I target a specific name?
Answer: introduce a rogue client
So where do we go today? ;-)
Is it really a threat?
Yes because:
- Source port randomisation was not
common practice before Kaminsky
- Query ID randomisation wasn’t common
practice either
No because:
- You can only attempt to poison a name a
few times per day (why?)
Cache poisoning++
- Dan Kaminsky published an attack at last
year’s Black Hat conference
- No need to wait for a resolver to take
initiative, no need to wait for TTL expiry…
Preparing for Kaminsky
(Slide repeats the spoofed response packet shown under "Beyond M-i-t-M: spoofing": the same IP, UDP and DNS fields, from src IP = 192.87.106.101 (ns1.surfnet.nl) and QID = 1201 down to the additional records for ns1/ns2/ns3.surfnet.nl.)
Attack in action
[Diagram: the Kaminsky attack against a caching resolver]
Rogue responder -> DNS resolver: 12345.piggybank.dom A??? (a name that is certainly not cached)
DNS resolver -> Root & TLD servers: 12345.piggybank.dom A??? QID=1234
Root & TLD servers -> DNS resolver: go to piggybank auth.
DNS resolver -> Authoritative server: 12345.piggybank.dom A??? QID=1235
Rogue responder -> DNS resolver: stream of spoofed answers with guessed IDs, QID=1233, QID=1234, QID=1235, ...
    12345.piggybank.dom A: 123.45.67.89
    Additional: NS piggybank.dom (pointing at the Rogue authoritative)
Success! (one guess matches before the real answer arrives)
;; QUESTION SECTION:
;abcde.piggybank.dom.           IN      A

;; ANSWER SECTION:
abcde.piggybank.dom.    582     IN      A       123.45.67.89

;; AUTHORITY SECTION:
piggybank.dom.          3161    IN      NS      ns1.piggybank.dom.
piggybank.dom.          3161    IN      NS      ns2.piggybank.dom.

;; ADDITIONAL SECTION:
ns1.piggybank.dom.      604800  IN      A       123.45.67.1
ns2.piggybank.dom.      604800  IN      A       123.45.67.2
Attack in action
[Diagram: after the poisoning, every query for the domain goes to the attacker's server]
Vulnerable end user -> DNS resolver: www.piggybank.dom A?
DNS resolver -> Rogue authoritative (instead of the real Authoritative server): www.piggybank.dom A?
Rogue authoritative -> DNS resolver: www.piggybank.dom A: 123.45.67.89
DNS resolver -> Vulnerable end user: www.piggybank.dom A: 123.45.67.89
So it’s even worse!
Impact on threat level (1)
- Kaminsky is happening (we think, but it is damn hard to detect):
- Wide-scale patching has been rolled out
- But research shows:
Poisoning unpatched BIND: ±3 seconds
Poisoning patched BIND: 1-11 hours (source: NIC.cz)
Impact on threat level (2), (3), (4)
- Kaminsky is happening on our network!
The slow attack
- Brute force attacks are easy to detect
- But the slow attack
is very insidious…
research by Bert Hubert
(PowerDNS) shows:
Graph courtesy of Bert Hubert
Summary
[Diagram: the DNS data flow and the threats along it]
Zone file --updates--> Master --zone transfers--> Slaves --queries--> Caching resolver --queries--> Stub resolver
(dynamic updates also feed the Master)
Threats shown along the flow: Corrupt data, Data modification, Spoofed updates, Master spoofing, Cache poisoning, Man in the middle
Break time
What is DNSSEC? (1)
- DNSSEC is an extension to DNS specified by the IETF in a number of RFCs
- Actively developed since 1997
- According to RFC 4033:
“The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System.”
What is DNSSEC? (2)
- DNSSEC makes it possible to check the authenticity of DNS records
- This is accomplished using public key cryptography
- What DNSSEC does not do:
- Provide confidentiality
- Protect against threats to the name server (DDoS, etc.)
- Guarantee correctness of the DNS data (only authenticity)
- Protect against phishing, typosquatting, etc.
Cryptography in DNSSEC (1)
- Public key cryptography
- RSA, DSA, (Elliptic Curve)
- All based on a common principle: the keypair
- Private Key is used to sign
well protected, hidden from outsiders
- Public Key is used to verify
must be widely published
Cryptography in DNSSEC (2)
- Signing takes place at zone level
- 2-tiered key model:
- Key Signing Key
- Large key size (≥ 2048 bits RSA)
- Long validity (≥ 1 year)
- Used to sign Zone Signing Key
- Zone Signing Key
- Smaller key size (≥ 1024 bits RSA)
- Short validity (± 1 month)
- Used to sign the zone (resource records)
Signing DNS zones
- Additional resource records (RRs)
- For public keys:
- DNSKEY, DS
- For signatures:
- RRSIG
- For authenticated denial-of-existence:
- NSEC, NSEC3
- Zones become quite a bit larger
Validating a response
Query “www.nist.gov” @ns1.nist.gov
www.nist.gov  IN  A      129.6.13.45
www.nist.gov  IN  RRSIG  156 0020502000151804A10 623C49E8D53CF7E6046E69 737403676F7600...  <- signature!
- Validate this signature against the “nist.gov” zone’s public zone signing key
- It’s the resolver’s job to do this!
- How do I find and trust the “nist.gov” key?
Current deployment
- Deployed on several TLDs:
- ccTLDs: .bg, .br, .cz, .pr, .se
- generic TLDs: .org, .gov, .museum
- Announced for more TLDs:
- generic TLDs: .com and .net (2011) (> 65% of all domains!)
- Good news: root is likely to be signed before end of 2009 (bad news: politics…)
- Many (cc)TLDs still to announce strategy
Trust chain
[Diagram: TRUST CHAIN from the root down to www.nist.gov]
DNS root (.): not signed = no trust possible yet
  | trusts
Signing keys for .gov: used to sign the .gov zone
  the .gov zone contains the nist.gov public key
  | trusts
Signing keys for nist.gov: used to sign the nist.gov zone
  the nist.gov zone contains the signed record for www.nist.gov
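As an added example (not code from the slides or from SURFnet), here is the check behind one link of that chain: the parent zone publishes a DS record, a hash over the child's key-signing DNSKEY (the "nist.gov public key" the .gov zone carries on the slide), and a validator recomputes that hash from the DNSKEY it obtained from the child. Key tag and digest follow RFC 4034; the key bytes are constructed dummies and the helper names are this example's own.

```python
import hashlib
import struct

# Added example (not from the slides): how one link of the DNSSEC chain of
# trust is checked. The parent publishes a DS record, a hash over the
# child's DNSKEY; a validator recomputes that hash from the DNSKEY it
# fetched from the child and compares. Key bytes below are constructed
# dummies, not real keys; the helper names are this example's own.


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lower-case
    labels, terminated by the root label (RFC 4034 section 6.2)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK, 256 = ZSK), protocol (always 3),
    algorithm number, then the public key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the RDATA,
    used so a DS or RRSIG can say which DNSKEY it refers to."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over the owner name in wire form followed
    by the DNSKEY RDATA (RFC 4034 section 5.1.4, RFC 4509)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner: str, rdata: bytes) -> tuple:
    """The DS record the parent publishes for this child DNSKEY:
    (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata))


def chain_link_ok(owner: str, parent_ds: tuple, child_rdata: bytes) -> bool:
    """Validator view: does the DNSKEY served by the child match the DS the
    (trusted, signed) parent zone published for it?"""
    tag, alg, dtype, digest = parent_ds
    if dtype != 2:
        return False  # only SHA-256 is handled in this example
    return (
        tag == key_tag(child_rdata)
        and alg == child_rdata[3]
        and digest == ds_digest(owner, child_rdata)
    )


if __name__ == "__main__":
    # Constructed: a dummy KSK for nist.gov, the slide's example child of .gov.
    ksk = dnskey_rdata(257, 8, bytes(range(1, 65)))
    ds = make_ds("nist.gov", ksk)
    print("DS published in .gov:", ds)
    print("genuine key links up:", chain_link_ok("nist.gov", ds, ksk))
    # A key substituted by a spoofer does not hash to the parent's DS.
    rogue = dnskey_rdata(257, 8, bytes(range(65, 129)))
    print("rogue key links up:  ", chain_link_ok("nist.gov", ds, rogue))
```

The same comparison is what a validating resolver repeats at every delegation, which is why the slide's chain stops at an unsigned root: without a DS (or a configured trust anchor) for the next zone down there is nothing to compare the child's key against.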
Islands of trust
[Diagram: the DNS tree (. -> com, gov, nl, org -> verisign, nist, surfnet, isc -> www, showcase) with the signed subtrees marked; legend: = island of trust]
Finding trust anchors
- Managing trust anchors by hand is hard work
- IANA has made the “Interim Trust Anchor Repository” (ITAR) available: https://itar.iana.org/
- ISC has introduced “DNSSEC Lookaside Validation” (DLV) and made a repository available
- No standard way to trust the trust anchors of these repositories
- These are interim solutions
DLV
[Diagram: the same tree as on "Islands of trust" (. -> com, gov, nl, org -> verisign, nist, isc, surfnet -> www, showcase); "My ISP resolver" queries trust anchors from the DLV repository, which links the separate islands into one; legend: = island of trust, = archipelago of trust]
Key management (1)
- Key Signing Key and Zone Signing Key have a limited validity; this requires regular roll-overs:
[Timeline: Key #1 -> Rollover #1 -> Key #2 -> Rollover #2 -> Key #3 -> Rollover #3 -> Key #4]
Legend:
- Key has been announced but is not yet valid
- Key is used for signing
- Key is still valid but no longer used for signing
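An added example (not from the slides or from SURFnet) that turns the timeline into a checker: each key moves through the legend's three states, and the checker verifies that a planned sequence of roll-overs never leaves the zone with zero or two signing keys and gives every key a pre-publication and a post-retirement period. Dates, class and function names are constructed for this example; the rule that those periods must be at least one maximum TTL long is this example's choice, not text from the slide.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example (not from the slides): a checker for the roll-over timeline
# drawn on the slide. Each key gets the three states of the slide's legend:
# announced (published but not yet valid), signing, and valid-but-retired.
# The dates below are constructed and the class/field names are this
# example's own.


@dataclass(frozen=True)
class Key:
    name: str
    published: date   # announced in the zone (DNSKEY visible)
    active: date      # starts signing
    retired: date     # stops signing, DNSKEY still published
    removed: date     # DNSKEY withdrawn from the zone


def key_state(key: Key, day: date) -> str:
    if key.published <= day < key.active:
        return "announced"   # announced but not yet valid
    if key.active <= day < key.retired:
        return "signing"     # used for signing
    if key.retired <= day < key.removed:
        return "valid"       # still valid but no longer used for signing
    return "absent"


def plan_rollovers(first_active: date, lifetime: timedelta,
                   max_ttl: timedelta, count: int) -> list:
    """Pre-publish schedule: each key signs for `lifetime`, is announced one
    maximum TTL before it starts signing (so caches already hold the DNSKEY)
    and stays published one maximum TTL after it stops (so cached RRSIGs
    still verify). The TTL spacing rule is this example's choice."""
    keys = []
    for n in range(count):
        active = first_active + n * lifetime
        retired = active + lifetime
        keys.append(Key(f"Key #{n + 1}", active - max_ttl, active,
                        retired, retired + max_ttl))
    return keys


def check_schedule(keys: list, max_ttl: timedelta) -> list:
    """Return a list of problems; empty means the schedule is consistent:
    every key's dates are ordered and spaced by at least one TTL, and at any
    moment between the first activation and the last retirement exactly one
    key is signing (no gap, no double signing)."""
    problems = []
    for k in keys:
        if not (k.published < k.active < k.retired < k.removed):
            problems.append(f"{k.name}: dates out of order")
            continue
        if k.active - k.published < max_ttl:
            problems.append(f"{k.name}: announced less than one TTL before signing")
        if k.removed - k.retired < max_ttl:
            problems.append(f"{k.name}: withdrawn less than one TTL after retiring")
    # States only change on the keys' own dates, so it is enough to look at
    # each such boundary inside the window where some key should be signing.
    first_active = min(k.active for k in keys)
    last_retired = max(k.retired for k in keys)
    boundaries = sorted({d for k in keys
                         for d in (k.published, k.active, k.retired, k.removed)})
    for day in boundaries:
        if not first_active <= day < last_retired:
            continue
        signing = [k.name for k in keys if key_state(k, day) == "signing"]
        if len(signing) != 1:
            problems.append(f"{day}: {len(signing)} keys signing {signing}")
    return problems


if __name__ == "__main__":
    ttl = timedelta(days=2)
    keys = plan_rollovers(date(2009, 9, 1), timedelta(days=30), ttl, 4)
    for k in keys:
        print(k.name, [key_state(k, date(2009, 10, d)) for d in (1, 30)])
    print("problems:", check_schedule(keys, ttl))
```

The same checker applies to the emergency roll-over mentioned on the next slide: an unplanned key that is activated without its announcement period shows up as "announced less than one TTL before signing", which is exactly the window in which validating resolvers would reject the zone.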
Key management (2)
- Keys need to be stored securely: off-line, smart card, Hardware Security Module (HSM), ...
- Administrators need to plan for emergency key roll-over
- The parent has to be notified of new keys for a domain (this needs to be automated)
Future
[Graph: DNSSEC usage over time, an S-curve with four phases]
- research (early 00's): initial phase, researchers realise DNS needs to be secured
- early adopters (2009): current phase, early adopters are starting with DNSSEC, momentum is slowly gathering, standards mature
- commodity (future): adoption takes off, multiple TLDs start offering DNSSEC, default support in major operating systems; rapid growth of #signed zones
- latecomers (future): growth slows, latecomers are coming on-line
Criticism on DNSSEC
The Top-10 Reasons Why DNSSEC Is the String Theory of the Internet
10. Adds many new dimensions to an already complex problem
9. Hogs all the research funds
8. Has many careers riding on it
7. Widely hailed by expert and layman alike as the next big thing
6. Responds to shortcomings by reinventing itself and doubling its complexity
5. On its third iteration
4. Attracts the brightest minds of the industry
3. Cult-like following among believers
2. Always on the verge of solving a real world problem
1. Will be ready in 6 months!
Bert Hubert (PowerDNS)
- Even the critics agree that DNSSEC is the only available solution at the moment
- That doesn’t mean that DNSSEC is perfect… far from it
- DNSSEC is hard to succeed with (especially compared to ‘ordinary’ DNS, which is very forgiving)
- The (un)availability of easy-to-use tools is hindering deployment of signed zones
DNSSEC software
- But there is light on the tool horizon:
- OpenDNSSEC (www.opendnssec.org)
- Secure64 DNS Signer
- Xelerance DNSX Signer
- ZKT (Zone Key Tool, www.hznet.de/dns/zkt)
- PowerDNS + DNSSEC = PowerDNSSEC
- other vendors have announced products
- For resolvers it’s a different matter, tools are widely available:
- Unbound (by NLnetLabs)
- BIND 9.x and up
- Windows Server announced (2008 R2, Server 7)
Alternatives (1)
- Continue patching against attacks (keep
using traditional DNS)
- This is an arms race
- The race is already being lost!
(remember the 6 weeks attack that Bert Hubert
talked about yesterday)
- SSL/TLS
- Too heavyweight to use on connections
to DNS servers
- Does not secure a domain against
cache-poisoning; getting an SSL
certificate is easy
Alternatives (2)
- TSIG/SIG(0)
- TSIG is based on shared secrets (does
not scale)
- SIG(0) secures transactions (no
authentication of records!)
- DNSCurve
- Based on elliptic curve crypto
- Can do much more than DNSSEC
- Only proves authenticity online
(forwarder based)
- No widescale deployment/support
Alternatives (3)
- DNS 0x20
- Based on using capitalisation to
introduce extra entropy into a query
- Capitalise parts of the query at random
and check that the capitalisation in the
answer matches the query
- Should be compatible with existing DNS
infrastructure (RFC 4343)
- But depends on all name server
software to implement literal query
copying (most do)
- Criticism: it’s still an arms race
- And it doesn’t protect ‘.’
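An added example (not code from the slides or from SURFnet) tying together the "Beyond M-i-t-M: spoofing" packet, the "Is it really a threat?" slide and DNS 0x20: it models the fields a resolver compares before accepting a response (source address, destination port, query ID and, with 0x20, the exact capitalisation of the question name) and counts the bits an off-path spoofer has to guess under each configuration. The dataclasses, function names and the rng parameter are this example's own conventions; the case-sensitive name comparison is what 0x20 relies on.

```python
import random
from dataclasses import dataclass

# Added example (not from the slides): the resolver-side checks a response
# has to pass, and how much guessing each check adds for an off-path
# spoofer. Class, function and parameter names are this example's own.


@dataclass(frozen=True)
class PendingQuery:
    qid: int          # 16-bit query ID in the DNS header
    src_port: int     # UDP source port the resolver sent the query from
    qname: str        # the question name exactly as sent (0x20-encoded)
    server_ip: str    # the authoritative server the query went to


@dataclass(frozen=True)
class Response:
    qid: int
    dst_port: int
    qname: str        # question name as copied back by the responder
    src_ip: str


def encode_0x20(name: str, rng: random.Random) -> str:
    """DNS 0x20: randomly upper-case the letters of a query name. Name
    servers treat the name case-insensitively (RFC 4343) but most copy the
    question back literally, which is what accept_response() relies on."""
    out = []
    for ch in name:
        if ch.isalpha():
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def accept_response(q: PendingQuery, r: Response) -> bool:
    """Everything a responder has to match before the resolver accepts the
    answer. The qname comparison is deliberately case-sensitive: that is
    the whole point of 0x20 encoding."""
    return (
        r.src_ip == q.server_ip
        and r.dst_port == q.src_port
        and r.qid == q.qid
        and r.qname == q.qname
    )


def guess_bits(qname: str, port_randomised: bool, use_0x20: bool) -> int:
    """Bits an off-path spoofer must guess: the QID is always 16 bits, a
    randomised source port adds up to 16 more, 0x20 adds one bit per letter
    in the query name. The source IP is not counted: it is the server's
    address, known from the delegation."""
    bits = 16
    if port_randomised:
        bits += 16
    if use_0x20:
        bits += sum(1 for ch in qname if ch.isalpha())
    return bits


def make_query(name: str, server_ip: str, rng: random.Random) -> PendingQuery:
    """Build a query the way a hardened resolver would: random QID, random
    high source port and a 0x20-encoded name."""
    return PendingQuery(
        qid=rng.getrandbits(16),
        src_port=rng.randint(1024, 65535),
        qname=encode_0x20(name, rng),
        server_ip=server_ip,
    )


if __name__ == "__main__":
    rng = random.SystemRandom()
    q = make_query("www.piggybank.dom", "123.45.67.1", rng)
    # A responder that copied the question back literally is accepted;
    # one that matched QID and port but not the case pattern is not.
    good = Response(q.qid, q.src_port, q.qname, q.server_ip)
    spoof = Response(q.qid, q.src_port, q.qname.swapcase(), q.server_ip)
    print(q.qname, accept_response(q, good), accept_response(q, spoof))
    for port, x20 in ((False, False), (True, False), (True, True)):
        print("port random:", port, "0x20:", x20,
              "bits:", guess_bits("www.piggybank.dom", port, x20))
```

With only a QID to guess the attacker has 16 bits of work, which is why the slide says a few poisoning attempts per day used to suffice; port randomisation roughly doubles that, and 0x20 adds one bit per letter of the name, so a short name such as www.piggybank.dom gains 15 bits but a name like a.b gains almost nothing, which is one reason the slide calls it an arms race rather than a fix.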
Summary
- What does DNSSEC do for you?
- You can prove the authenticity of the
records in your domain
- You can check the authenticity of the
records of others
- You effectively protect yourself against
attacks like Kaminsky’s
What have we done?
- SURFnet’s resolvers perform DNSSEC validation:
What are we going to do?
- Extend our managed DNS service with
DNSSEC support
- Testing DNSSEC appliances as they appear
on the market
- Keep supporting OpenDNSSEC
- Give talks like this one :-)
What can you do?
- Gather knowledge on DNSSEC
- SURFnet DNSSEC white paper (www.dnssec.nu)
- Available at the end of this class
- Update/reconfigure your resolvers to
support DNSSEC validation and
experiment with it
- Work on an open source tool project!
- Go to the OpenDNSSEC website and test the
software
Questions?
Thank you for your attention!
Roland van Rijswijk
roland.vanrijswijk [at] surfnet.nl
Rick van Rein
rick [at] openfortress.nl
Presentation released under Creative Commons
(http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en)
Lab work
- You are going to perform the Kaminsky
attack
- Install BIND as a resolver
- Download the code
IMPORTANT: The code is provided
under embargo, please discard it after
the lab work is done
- We’d like you to finish with a short
presentation of your findings
URL
- http://dnssec1.students.os3.nl/DNSspoof.tgz