DNSSEC Restoring trust in DNS Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl

September 18th 2009

DNSSECRestoring trust in DNS

Roland van Rijswijkroland.vanrijswijk [at] surfnet.nl

In cooperation with:

About us

SURFnet. We make innovation work2

High quality and high bandwith network for higher education and research

Shared ICT innovation centre for academia

Over 180 connected institutions (universities, polytechnics, vocational education, hospitals, research institutions) with 1 million end-users

Independent consultancy company

Cryptography expertise

Internet security expertise


Overview

- First half:- Attacks on DNS

- Second half:- DNSSEC in detail

- Questions: please ask!


DNS: Roadsigns for the net


DNS: insecurity by design?

- DNS was designed in the early Internet era

- Everybody more or less knew everybody else

- And everybody trusted everybody else

- Bottom line: Security was not a design criterion


Threats to DNS- Availability

- If DNS is not available, the internet is broken (users think)- A typical DNS resolver services 100000+ end users- Some authoritative servers host over 8 million zones

- Exploitation- On an exploited server availability and integrity are broken- Plus the attacker can gain access to all other software on the

same server/client

- Integrity- DNS gives the wrong answer and sends you the wrong way

Slide content courtesy of Bert Hubert (PowerDNS)


Why attack DNS?

- DNS is everywhere:- In your phone, in your laptop, in your PC…- But also in your car, in an ATM, in your

elevator, …

- It is very hard to protect DNS against attacks (currently)

- It is very easy to attack a lot of users

www.piggybank.domA: 123.45.67.89

Let’s start simple

DNS resolver

Client

Authoritative server

Root & TLD serverswww.piggybank.dom A?

www.piggybank.dom A?

Referral to auth.

www.piggybank.dom

A: 123.45.67.89


Question: name a general attack model that is applicable to this setupAnswer: a man in the middle attack

Beyond M-i-t-M: spoofingIP headers & stuff

src IP = 192.87.106.101 (ns1.surfnet.nl)dst IP = 208.77.188.166 (www.example.com)

UDP src port = 53 dst port = 4321headers & stuff

DNS QID = 1201 some flagsQuestion# = 1 Answer# = 1Authority# = 3 Add. record# = 3

Q? A record for www.surfnet.nlAns. www.surfnet.nl = 194.171.26.203Aut. surfnet.nl = ns1.surfnet.nlAut. surfnet.nl = ns2.surfnet.nlAut. surfnet.nl = ns3.surfnet.nlAdd. ns1.surfnet.nl = 192.87.106.101Add. ns2.surfnet.nl = 192.87.36.2Add. ns3.surfnet.nl = 195.169.124.71


Cache poisoning

DNS resolver

Client


Root & TLD serverswww.piggybank.dom A?


Referral to auth.

www.piggybank.dom

A: 123.57.89.15


Rogue responder

Question: how can I target a specific name?Answer: introduce a rogue client


So where do we go today? ;-)


Is it really a threat?Yes because:

- Source port randomisation was not common practice before Kaminsky

- Query ID randomisation wasn’t common practice either

No because:

- You can only attempt to poison a name a few times per day (why?)


Cache poisoning++

- Dan Kaminsky published an attack at last year’s Black Hat conference

- No need to wait for a resolver to take initiative, no need to wait for TTL expiry…

Preparing for KaminskyIP headers & stuff

src IP = 192.87.106.101 (ns1.surfnet.nl)dst IP = 208.77.188.166 (www.example.com)

UDP src port = 53 dst port = 4321headers & stuff

DNS QID = 1201 some flagsQuestion# = 1 Answer# = 1

Authority# = 3 Add. record# = 3Q? A record for www.surfnet.nlAns. www.surfnet.nl = 194.171.26.203Aut. surfnet.nl = ns1.surfnet.nlAut. surfnet.nl = ns2.surfnet.nlAut. surfnet.nl = ns3.surfnet.nlAdd. ns1.surfnet.nl = 192.87.106.101Add. ns2.surfnet.nl = 192.87.36.2Add. ns3.surfnet.nl = 195.169.124.71

Attack in action


Rogue responder

DNS resolver Root & TLD servers

12345.piggybank.domA: 123.45.67.89

12345.piggybank.dom A???QID=1234

12345.piggybank.dom A???QID=1235

Rogue authoritative

QID=1233QID=1234

QID=1235Success!

Additional: NS piggybank.dom

go to piggybank auth.

12345.piggybank.dom A???


Spoofed additional section;; QUESTION SECTION:;abcde.piggybank.dom. IN A

;; ANSWER SECTION:abcde.piggybank.dom. 582 IN A 123.45.67.89

;; AUTHORITY SECTION:piggybank.dom. 3161 IN NS ns1.piggybank.dom.piggybank.dom. 3161 IN NS ns2.piggybank.dom.

;; ADDITIONAL SECTION:ns1.piggybank.dom. 604800 IN A 123.45.67.1ns2.piggybank.dom. 604800 IN A 123.45.67.2

Attack in action

DNS resolver

Vulnerable end userRogue authoritative

www.piggybank.dom A?www.piggybank.dom A?


Root & TLD servers




So it’s even worse!

Impact on threat level (1)- Kaminsky is happening (we think, but is damn hard to detect):

- Wide-scale patching has been rolled out- But research shows:

Poisoning unpatched BIND: ±3 secondsPoisoning patched BIND: 1-11 hours (source: NIC.cz)


Impact on threat level (2)- Kaminsky is happening on our network!


Impact on threat level (3)


- Kaminsky is happening on our network!

Impact on threat level (4)


- Kaminsky is happening on our network!


The slow attack- Brute force attacks are easy to detect

- But the slow attack is very insidious…

research by Bert Hubert (PowerDNS) shows:

Graph courtesy of Bert Hubert

Summary

Stub resolver Caching resolver

Master

Zone file

queries

queri

es

queries

Slaves

zone transfers

dynamic updates

Man in the middle

Cache poisoning

Data modification

Master spoofing

Spoofed updates Corrupt data

Break time


What is DNSSEC? (1)

- DNSSEC is an extension to DNS specified by the IETF in a number of RFCs

- Actively developed since 1997

- According to RFC 4033:

“The Domain Name System Security Extensions (DNSSEC) add data origin authentication and data integrity to the Domain Name System.”


What is DNSSEC? (2)

- DNSSEC makes it possible to check the authenticity of DNS records

- This is accomplished using public key cryptography

- What DNSSEC does not do:- Provide confidentiality- Protect against threats to the name server (DDoS,

etc.)- Guarantee correctness of the DNS data (only

authenticity)- Protect against phishing, typosquatting, etc.


Cryptography in DNSSEC (1)


Cryptography in DNSSEC (2)- Signing takes place at zone level

- 2-tiered key model:

- Key Signing Key- Large key size (≥ 2048 bits RSA)- Long validity (≥ 1 year)- Used to sign Zone Signing Key

- Zone Signing Key- Smaller key size (≥ 1024 bits RSA)- Short validity (± 1 month)- Used to sign the zone (resource records)


Signing DNS zones- Additional resource records (RRs)

- For public keys:- DNSKEY, DS

- For signatures:- RRSIG

- For authenticated denial-of-existence:- NSEC, NSEC3

- Zones become quite a bit larger


Validating a response Query “www.nist.gov” @ns1.nist.gov

IN A www.nist.gov 129.6.13.45 IN RRSIG 156 0020502000151804A10

623C49E8D53CF7E6046E69737403676F7600... signature!

- Validate this signature against the “nist.gov” zone public zone signing key

- It’s the resolver’s job to do this!

- How do I find and trust the “nist.gov” key?


Current deployment- Deployed on several TLDs:

- ccTLD’s: .bg, .br, .cz, .pr, .se- generic TLD’s: .org, .gov, .museum

- Announced for more TLDs:- generic TLD’s: .com and .net (2011)

(> 65% of all domains!)

- Good news: root is likely to be signed before end of 2009 (bad news: politics…)

- Many (cc)TLD’s still to announce strategy

DNS root (.)

Trus

ts

Signing keys for .gov

zone

Used to sign .gov zone

containsnist.gov public key

Signing keys for nist.gov

zone

Used to sign nist.gov zone

containssigned record for www.nist.gov

Not signed = no trust possible yet

TRU

ST C

HA

IN

.gov

nist.gov

Trus

ts

DNS root (.)

Trus

ts


zone




zone




TRU

ST C

HA

IN

.gov

nist.gov

Trus

ts

DNS root (.)

Trus

ts


zone




zone




TRU

ST C

HA

IN

.gov

nist.gov

Trus

ts

DNS root (.)

Trus

ts


zone




zone




TRU

ST C

HA

IN

.gov

nist.gov

Trus

ts

Trust chain


Islands of trust.

nl org

com gov

verisign

surfnet

showcase

isc

www

nist

www

= island of trust


Finding trust anchors- Managing trust anchors by hand is hard work

- IANA has made the “Interim Trust Anchor Repository” (ITAR) availablehttps://itar.iana.org/

- ISC has introduced “DNSSEC look-a-side validation” (DLV) and made a repository available

- No standard way to trust the trust anchors of these repositories

- These are interim solutions

https://itar.iana.org/



DLV

= island of trust

= archipelago of trust

.

nl org

com gov

verisign

surfnet

showcase

isc

www

nist

www

DLV My ISP resolverQuery trust anchors


Key management (1)- Key Signing Key and Zone Signing Key have a

limited validity; this requires regular roll-overs:

Key #2

Key is used for signing

Key has been announced but is not yet valid

Key is still valid but no longer used for signing

Key #3

Key #4

Key #1

Rollover #1

Rollover #2

Rollover #3


Key management (2)

- Keys need to be stored securely off-line, smart card, Hardware Security Module (HSM), ...

- Administrators need to plan for emergency key roll-over

- The parent has to be notified of new keys for a domain (this needs to be automated)


FutureDNSSEC usage

research early adopters commodity latecomers

Current phase, early adopters are starting with DNSSEC,

momentum is slowly gathering, standards mature

Adoption takes off, multiple TLDs start offering

DNSSEC, default support in major operating systems

Rapid growth of #signed zones

Growth slows, latecomers are coming on-line

Initial phase, researchers realise DNS needs to be

secured

2009 futureearly 00's

DNSSEC usage

research early adopters commodity latecomers

Current phase, early adopters are starting with DNSSEC,

momentum is slowly gathering, standards mature

Adoption takes off, multiple TLDs start offering

DNSSEC, default support in major operating systems

Rapid growth of #signed zones

Growth slows, latecomers are coming on-line

Initial phase, researchers realise DNS needs to be

secured

2009 futureearly 00's


Criticism on DNSSECThe Top-10 Reasons Why DNSSEC Is the String Theory of the Internet 10. Adds many new dimensions to an already complex problem 9. Hogs all the research funds 8. Has many careers riding on it 7. Widely hailed by expert and layman alike as the next big thing 6. Responds to shortcomings by reinventing itself and doubling its complexity 5. On its third iteration to succes4. Attracts the brightest minds of the industry3. Cult-like following among believers 2. Always on the verge of solving a real world problem 1. Will be ready in 6 months!

Bert Hubert (PowerDNS)

- Even the critics agree that DNSSEC is the only available solution at the moment

- That doesn’t mean that DNSSEC is perfect… far from it

- DNSSEC is hard (especially compared to ‘ordinary’ DNS, which is very forgiving)

- The (un)availability of easy-to-use tools is hindering deployment of signed zones


DNSSEC software- But there is light on the tool horizon:

- OpenDNSSEC (www.opendnssec.org)- Secure64 DNS Signer- Xelerance DNSX Signer- ZKT (Zone Key Tool, www.hznet.de/dns/zkt)- PowerDNS + DNSSEC = PowerDNSSEC- other vendors have announced products

- For resolvers it’s a different matter, tools are widely available:- Unbound (by NLnetLabs)- BIND 9.x and up- Windows Server announced (2008 R2, Server 7)

http://www.opendnssec.org/

http://www.hznet.de/dns/zkt


Alternatives (1)- Continue patching against attacks (keep

using traditional DNS)- This is an arms race- The race is already being lost!

(remember the 6 weeks attack that Bert Hubert talked about yesterday)

- SSL/TLS- Too heavyweight to use on connections

to DNS servers- Does not secure a domain against cache-

poisoning; getting an SSL certificate is easy


Alternatives (2)- TSIG/SIG(0)

- TSIG is based on shared secrets (does not scale)

- SIG(0) secures transactions (no authentication of records!)

- DNScurve- Based on elliptic curve crypto- Can do much more than DNSSEC- Only proves authenticity online

(forwarder based)- No widescale deployment/support


Alternatives (3)- DNS 0x20

- Based on using capitalisation to introduce extra entropy into a query

- Capitalise parts of the query at random and check that the capitalisation in the answer matches the query

- Should be compatible with existing DNS infrastructure (RFC 4343)

- But depends on all name server software to implement literal query copying (most do)

- Criticism: it’s still an arms race- And it doesn’t protect ‘.’


Summary

- What does DNSSEC do for you?

- You can prove the authenticity of the records in your domain

- You can check the authenticity of the records of others

- You effectively protect yourself against attacks like Kaminsky’s


What have we done?- SURFnet’s resolvers perform DNSSEC validation:


What are we going to do?

- Extend our managed DNS service with DNSSEC support

- Testing DNSSEC appliances as they appear on the market

- Keep supporting OpenDNSSEC

- Give talks like this one :-)


What can you do?- Gather knowledge on DNSSEC

- SURFnet DNSSEC white paper (www.dnssec.nu)- Available at the end of this class

- Update/reconfigure your resolvers to support DNSSEC validation and experiment with it

- Work on an open source tool project!- Go to the OpenDNSSEC website and test the

software

http://www.dnssec.nu/


Questions?

Thank you for your attention!

Roland van Rijswijk

roland.vanrijswijk [at] surfnet.nl

Rick van Rein

rick [at] openfortress.nl

Presentation released under Creative Commons(http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en)

http://creativecommons.org/licenses/by-nc-sa/3.0/nl/deed.en

Lab work- You are going to perform the Kaminsky

attack

- Install BIND as a resolver

- Download the code

IMPORTANT: The code is provided under embargo, please discard it after the lab work is done

- We’d like you to finish with a short presentation of your findings

URL- http://dnssec1.students.os3.nl/DNSspoof.tgz

Documents

DNSSEC Restoring trust in DNS Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl