DNS fragmentation attacks - the dangers of not validating DNSSEC

©!Men!&!Mice!!http://menandmice.com!

DNS!Cache!Spoofing

"Fragmentation!Considered!Poisonous"May!2012-August!2013

1Monday 9 December 13

DNS!cache!poisoning!through!fragmentation

• A!new!attack!presented!at!IETF!87!in!Berlin!August!2013

• works!with!any!large!DNS!responses!that!might!be!fragmented!on!the!transport!path!(large!TXT!record!sets!-!SPF!etc)

• works!especially!well!in!situations!where!DNSSEC!validation!is!partially!or!incorrectly!deployed:

• works!on!permissive!DNSSEC!resolvers,!clients!that!"fall-back"!to!non-DNSSEC!resolvers

• according!to!research!from!Geoff!Huston!(APNIC),!these!situations!are!fairly!common

Fragmentation!attack!(1)

resolving!DNS!Server

“mybank.com”authoritative!DNS

Servers

evil!resolver

unsuspectingresolver

evil!web-server

HTTPrequest

Webpage!with!that!triggers!DNS!requests!with!large!DNS!answers

local network, behind Firewall an NAT

Servers

evil!resolver

evil!web-server

DNS!lookup!for!the!domain!

DNS!lookups!will!be!send!to!

the!authoritative!DNS!Servers

Servers

evil!resolver

evil!web-server

Answer!with!Fragment!part!

Servers

evil!resolver

evil!web-server

Answer!with!good!fragment!

part!2

Attacker!will!swamp

caching!DNS!Serverwith!fake!fragment!

No.!2!packets

Fake!responsewill!be!cached

Servers

evil!resolver

evil!web-server

Client!is!connecting!to!a!

“pharming”!website

request!for!www.mybank.com./A!RR

false!answer!from!poisoned!cache

HTTPrequest

Fragmentation!attack

•Attackers!try!to!overwrite!or!place!a!NS!record!in!the!cache

;; ANSWER SECTION:mybank.com. 120 IN SPF "v=spf1, a:192.0.2.10, 192.0.2.22 ..."

;; AUTHORITY SECTION:mybank.com. 86400 IN NS ns1.mybank.com.mybank.com. 86400 IN NS ns2.mybank.com. ;; ADDITIONAL SECTION:ns1.mybank.com. 604800 IN A 192.0.2.20ns2.mybank.com. 604800 IN A 192.0.2.30

high!TTL!for!maximum!damage

Here!is!the!fake!data

Fragment 1

Fragment 2

large!RRset!causing!fragmentation

•some!operating!systems!(Windows,!FreeBSD)!use!sequential!Fragment-IDs

•next!Fragment!ID!to!be!used!can!be!inferred!by!the!attacker

•How!to!guard!against!fragmentation!attacks:

•deploy!DNSSEC!in!a!non-permissive!mode!(full!validation)

•deploy!IPv6!(UDP!Fragmentation!works!differently!in!IPv6!than!in!IPv4,!the!same!fragmentation!attack!is!not!possible!in!IPv6!networks)

DNSSEC!to!the!rescue!...

References

•IETF!87!-!DNS!Cache-Poisoning:!New!Vulnerabilities!and!Implications,!or:!DNSSEC,!the!time!has!come!http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf

•DNS-OARC!Presentation!Oct!2013:https://indico.dns-oarc.net//getFile.py/access?contribId=18&resId=1&materialId=slides&confId=1

©!Men!&!Mice!!http://menandmice,com!

DNSSEC!validation

DNSSEC!in!DNS!Messages

00 0102 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Identification!(ID)QR Opcode

CD RCode

Total!Number!of!Question!Resource!Records Total!Number!of!Answer!Resource!Records

Total!Number!of!Authority!Resource!Records Total!Number!of!Additional!Resource!Records

Question!Resource!Records

Answer!Resource!Records

Authority!Resource!Records

Additional!Resource!Records

AD!=!Authenticated!Data

CD!=!Checking!disabled

EDNS:!!!EDNS:!version:!0,!!!!flags:!do;!!!!udp:!4096

•DO!Flag!in!EDNS!pseudo!record:!DNSSEC!OK

•this!client!can!handle!DNSSEC!records

•in!addition,!each!client!signaling!“DNSSEC!OK”!also!signals!that!it!can!handle!UDP!DNS!responses!larger!512!byte

•AD!Flag:

•a!validating!resolver!signaling!to!the!client

•that!it!has!successfully!validated!the!DNSSEC!data

•invalid!DNSSEC!data!will!not!be!send!to!a!downstream!resolver!(client),!instead!the!resolver!will!send!a!SERVFAIL!error!condition

•CD!Flag:

•an!Application!can!signal!to!the!resolving!DNS!Server!that!it!will!validate!the!DNSSEC!information

•the!resolving!DNS!Server!does!not!need!to!validate!itself,!but!is!free!to!do!so

dig ripe.net +dnssec; <<>> DiG 9.7.1-P2 <<>> ripe.net +dnssec ;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62183;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5

;; OPT PSEUDOSECTION:; EDNS: version: 0, flags: do; udp: 4096;; QUESTION SECTION:;ripe.net. IN A

;; ANSWER SECTION:ripe.net. 172800 IN A 193.0.6.139ripe.net. 172800 IN RRSIGA 5 2 172800 20101108100147 20101009090147 42006 ripe.net. Jzyeu9MUjNbk[...]5eY=

;; AUTHORITY SECTION:ripe.net. 172800 IN NS sns-pb.isc.org.ripe.net. 172800 IN NS sunic.sunet.se.ripe.net. 172800 IN NS ns-pri.ripe.net.ripe.net. 172800 IN NS ns3.nic.fr.ripe.net. 172800 IN RRSIGNS 5 2 172800 20101108100147 20101009090147 42006 ripe.net. I7+d5+U3683o[...]r4U=

;; ADDITIONAL SECTION:ns-pri.ripe.net. 172800 IN A 193.0.0.195ns-pri.ripe.net. 172800 IN AAAA 2001:610:240:0:53::3ns-pri.ripe.net. 172800 IN RRSIGA 5 3 172800 20101108100147 20101009090147 42006 ripe.net. VVZ[...]jwg=ns-pri.ripe.net. 172800 IN RRSIGAAAA 5 3 172800 20101108100147 20101009090147 42006 ripe.net. UP/t1m[...]k3k=

;; Query time: 454 msec;; SERVER: 192.0.2.10#53(192.0.2.10);; WHEN: Sat Oct 9 22:39:45 2010;; MSG SIZE rcvd: 870

EDNS0!information!

including!the!DO!flag

AD!flag:!secure!answer

DNSSEC!capable!DNS!resolver!/!caching!server

•BIND!9!(starting!with!BIND!9.6-ESV):!http://www.isc.org

•unbound:!http://unbound.net

•PowerDNS!recursor:!http://www.powerdns.com

•Windows!2012!DNS:!http://technet.microsoft.com/en-us/library/hh831667.aspx

http://dnssec-or-not.org

http://dnssectest.sidn.nl

dnssec-tools.org

•A!collection!of!useful!tools!for!DNSSEC!deployment(!http://dnssec-tools.org!)

•DNSSEC-check!-!tests!if!local!DNSSEC!resolver!are!DNSSEC!enbled

DNSSEC-check

DNSSEC!validation!in!Web-Browser

•DNSSEC!Add-On!for!Firefox

Google!Chrome!and!Microsoft!Internet!Explorer

(http://www.dnssec-validator.cz/)!

•go!to!http://www.root-dnssec.org!or!http://www.ripe.netand!you!should!see!a!nice!green!key!icon!in!the!URL!bar!telling!you!that!this!DNS!information!was!DNSSEC!validated.

DNSSEC!validation!in!Windows!2012

DNSSEC!validation!in!Microsoft!DNS!Server!2012

•The!DNS!Server!in!Windows!2012!now!supports!all!bits!and!pieces!necessary!to!validate!DNSSEC!signatures!and!keys!in!the!Internet!(including!SHA256!and!NSEC3).

•Windows!2008!only!supports!SHA1!and!NSEC,!and!was!not!able!to!validate!the!Internet!root!zone

DNSSEC!validation

•DNSSEC!validation!can!be!enabled!in!the!DNS!Servers!global!properties!(Advanced!-!enable!DNSSEC!validation!for!remote!responses)

enabling!DNSSEC!using!'dnscmd'

• it!is!possible!to!enable!DNSSEC!validation!from!the!commandline!using!the!command!

dnscmd /RetrieveRootTrustAnchors

• This!command!will!first!fetch!the!delegation!signer!(DS-record)!using!https!from!IANA!(https://data.iana.org/root-anchors/root-anchors.xml).!

• The!server!will!then!fetch!the!public!key!signing!key!from!the!root!zone!during!an!active!refresh!cycle!(RFC 5011)!and!validate!the!KSK!using!the!delegation!signer!record.

enabling!DNSSEC!using!'dnscmd'

A!DNSSEC!validating!caching!only!configuration!for!BIND!9

DNSSEC!validation!with!BIND!9

• build-in!support!for!DNSSEC!validation!in!BIND!9!DNS!server:

• BIND!9.6!-!no!build-in!trust-anchor,!no!support!for!RFC!5011

• BIND!9.7!-!support!for!RFC!5011!(automatic!update!of!trust-anchors)

• BIND!9.8!-!includes!build-in!trust-anchor!for!the!Internet!Root-Zone,!but!validation!is!disabled!by!default

• BIND!9.9!-!build-in!trust-anchor!for!the!Internet!Root-Zone,!DNSSEC!validation!enabled!by!default

getting!the!root-anchor

•for!BIND!9,!the!public!KSK!of!the!root!zone!is!used!as!the!root-anchor

•the!DNSKEY!record!can!be!retrieved!using!dig:

dig . dnskey @a.root-servers.net. +norec | grep 257 > root.key

digcommand

"."!is!the!domain!name!

of!the!root!zone

we!want!the!DNSKEY!record

we!send!the!query!to!one!of!the!root!

servers

we!send!an!iterative!query!

(polite)

we!only!want!the!KSK!

(Flag!257)

we!write!the!result!in!this!

Verifying!the!root!zones!key

•We!should!never!blindly!trust!cryptographic!keys!published!on!websites!or!slides

•nor!should!we!trust!a!DNSKEY!fetched!from!an!insecure!channel!(plain!DNS)

•we!need!to!verify!the!key!material

•IANA!published!the!DS!(delegation!signer!fingerprint)!on!an!HTTPS!secured!website

http://data.iana.org/root-anchors/

root!DS!fingerprint

Verifying!the!root!zone!key

•we!use!the!command!"dnssec-dsfromkey"!to!create!a!SHA256!hash-fingeprint!from!the!downloaded!root-zone!DNSKEY

dnssec-dsfromkey -2 root.key. IN DS 19036 8 2 ( 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32 F24E8FB5 )

• if!we!compare!the!computed!hash!with!the!one!from!the!website,!they!both!match

• the!downloaded!DNSKEY!record!is!valid

DNSSEC!setup!(BIND!9.6-ESV)

• In!BIND!9.6-ESV,!we!configure!a!static!trust!anchor!using!the!"trusted-keys"!statement!in!the!"named.conf"!file:

trusted-keys {"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";

DNSSEC!setup!(BIND!9.7.0+)

• Starting!with!BIND!9.7.0,!the!trusted!keys!can!be!automated!updated!by!RFC!5011!(RFC!5011!-!Automated!Updates!of!DNS!Security!(DNSSEC)!Trust!Anchors)

managed-keys { "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";};

general!setup

options { recursion yes; allow-recursion { mynetworks; }; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; querylog no; recursive-clients 2000; tcp-clients 200; max-cache-size 2147483648; // 2GB};

DNSSEC!maintenance!with!BIND!9!“rndc”

•rndc!secroots:!dump!information!about!the!current!active!DNSSEC!trust!anchors!into!the!file!“named.secroots”.!

bash-3.2# rndc secroots bash-3.2# more named.secroots22-Nov-2013 07:48:31.775

Start view _default

./RSASHA256/19036 ; managed

. 168851 IN DNSKEY 257 3 8 ( AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ) ; KSK; alg = RSASHA256; key id = 19036

root!zone!trust!anchor!key!ID

trust!anchor!will!be!updated!according!to!

RFC!5011

KEY!ID!19036:current!KSK!of!the!root!zone

BIND!9!controlling!DNSSEC!validation

•validation!on:!enable!DNSSEC!validation!on!a!caching!BIND!9!DNS!Server!(globally):!

bash# rndc validation on

•validation!off:!disable!DNSSEC!validation!on!a!caching!BIND!9!DNS!Server

bash# rndc validation off

References

•Deploying!DNSSEC!(whitepaper!by!SurfNet):http://www.surf.nl/en/knowledge-and-innovation/knowledge-base/2012/white-paper-deploying-dnssec.html

•A!BIND!9!configuration!template!for!a!validating,!caching-only!DNS!Server:https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=98;

•Free!BIND!9.9.4!installation!packages!for!Linux,!MacOS!X,!Solaris:http://support.menandmice.com/download/bind/

•Windows!2012!Server:!Enabling!DNSSEC!validation:http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation

Thank!you!

E-Mail:training@menandmice.com

DNS fragmentation attacks - the dangers of not validating DNSSEC

Technology

Transcript of DNS fragmentation attacks - the dangers of not validating DNSSEC

DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's

A flexible DNSSEC-validating Resolver - ICANN · Large recursive DNS farms Scales, the really fast scriptable engine allows you to change resolution Flexible shared cache backends

DNSSEC Practice Statement - CommBank › ... › registry › DNSSEC-practice-state… · 2019-08-09 · DNSSEC Practice Statement Page III ariservices.com CONFIDENTIAL TM Contact

DNSSEC 101

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNSSEC Exposed - Deploying DNSSEC in Real Life Presentation

From Validating Models to Validating Systems

ECDSA P-256 support in DNSSEC-validating Resolvers

2017 DNSSEC KSK Rollover - North American Network ... · 2017 DNSSEC KSK Rollover edward.lewis@icann.org ... configuration parameter in DNS validating revolvers ... Unbound ...

DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

DNSSEC Implementation Considerations and Risk Analysisdnssec-deployment.icann.org/training/AMM/amm-dnssec-design.pdf · DNSSEC Implementation Considerations and Risk Analysis TAGI

Measuring DNSSEC - APNIC · NON-DNSSEC 45,911 88 AS27699 TELECOMUNICACOES DE SAO PAULO S/A - TELESP Brazil NON-DNSSEC 39,970 40 AS12322 PROXAD Free SAS France NON-DNSSEC 39,913 358

ECC support in DNSSEC-validating Resolvers

DNSSEC - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l03-dnssec-2016.pdf · I DNSSEC Root Zone High Level Technical Architecture (Dra˝) I DNSSEC Practice Statement for the Root Zone

DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

DNSSEC 101

OPPORTUNISTIC IPSEC USING DNSSEC - schd.wsschd.ws/hosted_files/icann58copenhagen2017/1c/Paul Wouters... · 5 Opportunistic IPsec using DNSSEC OPPORTUNISTIC IPSEC USING DNSSEC •

Lamb dnssec

DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com.

Dnssec Tutorial