DNS fragmentation attacks - the dangers of not validating DNSSEC

©!Men!&!Mice!!http://menandmice.com!

DNS!Cache!Spoofing

"Fragmentation!Considered!Poisonous"May!2012-August!2013

1Monday 9 December 13

http://www.menandmice.com



DNS!cache!poisoning!through!fragmentation

• A!new!attack!presented!at!IETF!87!in!Berlin!August!2013

• works!with!any!large!DNS!responses!that!might!be!fragmented!on!the!transport!path!(large!TXT!record!sets!-!SPF!etc)

• works!especially!well!in!situations!where!DNSSEC!validation!is!partially!or!incorrectly!deployed:

• works!on!permissive!DNSSEC!resolvers,!clients!that!"fall-back"!to!non-DNSSEC!resolvers

• according!to!research!from!Geoff!Huston!(APNIC),!these!situations!are!fairly!common





Fragmentation!attack!(1)

resolving!DNS!Server

“mybank.com”authoritative!DNS

Servers

Cache

evil!resolver

unsuspectingresolver

evil!web-server

HTTPrequest

Webpage!with!that!triggers!DNS!requests!with!large!DNS!answers

local network, behind Firewall an NAT








Servers

Cache

evil!resolver


evil!web-server

DNS!lookup!for!the!domain!

name

DNS!lookups!will!be!send!to!

the!authoritative!DNS!Servers









Servers

Cache

evil!resolver


evil!web-server

Answer!with!Fragment!part!

1









Servers

Cache

evil!resolver


evil!web-server

Answer!with!good!fragment!

part!2

Attacker!will!swamp

caching!DNS!Serverwith!fake!fragment!

No.!2!packets

Fake!responsewill!be!cached









Servers

Cache

evil!resolver


evil!web-server

Client!is!connecting!to!a!

“pharming”!website

request!for!www.mybank.com./A!RR

false!answer!from!poisoned!cache

HTTPrequest






Fragmentation!attack

•Attackers!try!to!overwrite!or!place!a!NS!record!in!the!cache

;; ANSWER SECTION:mybank.com. 120 IN SPF "v=spf1, a:192.0.2.10, 192.0.2.22 ..."

;; AUTHORITY SECTION:mybank.com. 86400 IN NS ns1.mybank.com.mybank.com. 86400 IN NS ns2.mybank.com. ;; ADDITIONAL SECTION:ns1.mybank.com. 604800 IN A 192.0.2.20ns2.mybank.com. 604800 IN A 192.0.2.30

high!TTL!for!maximum!damage

Here!is!the!fake!data

Fragment 1

Fragment 2

large!RRset!causing!fragmentation






•some!operating!systems!(Windows,!FreeBSD)!use!sequential!Fragment-IDs

•next!Fragment!ID!to!be!used!can!be!inferred!by!the!attacker






•How!to!guard!against!fragmentation!attacks:

•deploy!DNSSEC!in!a!non-permissive!mode!(full!validation)

•deploy!IPv6!(UDP!Fragmentation!works!differently!in!IPv6!than!in!IPv4,!the!same!fragmentation!attack!is!not!possible!in!IPv6!networks)





DNSSEC!to!the!rescue!...





References

•IETF!87!-!DNS!Cache-Poisoning:!New!Vulnerabilities!and!Implications,!or:!DNSSEC,!the!time!has!come!http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf

•DNS-OARC!Presentation!Oct!2013:https://indico.dns-oarc.net//getFile.py/access?contribId=18&resId=1&materialId=slides&confId=1




http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf

http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf

https://indico.dns-oarc.net//getFile.py/access?contribId=18&resId=1&materialId=slides&confId=1

https://indico.dns-oarc.net//getFile.py/access?contribId=18&resId=1&materialId=slides&confId=1

©!Men!&!Mice!!http://menandmice,com!

DNSSEC!validation





DNSSEC!in!DNS!Messages

00 0102 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

Identification!(ID)QR Opcode

AA

TC

RD

RA Z

AD

CD RCode

Total!Number!of!Question!Resource!Records Total!Number!of!Answer!Resource!Records

Total!Number!of!Authority!Resource!Records Total!Number!of!Additional!Resource!Records

Question!Resource!Records

Answer!Resource!Records

Authority!Resource!Records

Additional!Resource!Records

AD!=!Authenticated!Data

CD!=!Checking!disabled

EDNS:!!!EDNS:!version:!0,!!!!flags:!do;!!!!udp:!4096






•DO!Flag!in!EDNS!pseudo!record:!DNSSEC!OK

•this!client!can!handle!DNSSEC!records

•in!addition,!each!client!signaling!“DNSSEC!OK”!also!signals!that!it!can!handle!UDP!DNS!responses!larger!512!byte






•AD!Flag:

•a!validating!resolver!signaling!to!the!client

•that!it!has!successfully!validated!the!DNSSEC!data

•invalid!DNSSEC!data!will!not!be!send!to!a!downstream!resolver!(client),!instead!the!resolver!will!send!a!SERVFAIL!error!condition






•CD!Flag:

•an!Application!can!signal!to!the!resolving!DNS!Server!that!it!will!validate!the!DNSSEC!information

•the!resolving!DNS!Server!does!not!need!to!validate!itself,!but!is!free!to!do!so





dig ripe.net +dnssec; <<>> DiG 9.7.1-P2 <<>> ripe.net +dnssec ;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62183;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5

;; OPT PSEUDOSECTION:; EDNS: version: 0, flags: do; udp: 4096;; QUESTION SECTION:;ripe.net. IN A

;; ANSWER SECTION:ripe.net. 172800 IN A 193.0.6.139ripe.net. 172800 IN RRSIGA 5 2 172800 20101108100147 20101009090147 42006 ripe.net. Jzyeu9MUjNbk[...]5eY=

;; AUTHORITY SECTION:ripe.net. 172800 IN NS sns-pb.isc.org.ripe.net. 172800 IN NS sunic.sunet.se.ripe.net. 172800 IN NS ns-pri.ripe.net.ripe.net. 172800 IN NS ns3.nic.fr.ripe.net. 172800 IN RRSIGNS 5 2 172800 20101108100147 20101009090147 42006 ripe.net. I7+d5+U3683o[...]r4U=

;; ADDITIONAL SECTION:ns-pri.ripe.net. 172800 IN A 193.0.0.195ns-pri.ripe.net. 172800 IN AAAA 2001:610:240:0:53::3ns-pri.ripe.net. 172800 IN RRSIGA 5 3 172800 20101108100147 20101009090147 42006 ripe.net. VVZ[...]jwg=ns-pri.ripe.net. 172800 IN RRSIGAAAA 5 3 172800 20101108100147 20101009090147 42006 ripe.net. UP/t1m[...]k3k=

;; Query time: 454 msec;; SERVER: 192.0.2.10#53(192.0.2.10);; WHEN: Sat Oct 9 22:39:45 2010;; MSG SIZE rcvd: 870

EDNS0!information!

including!the!DO!flag

AD!flag:!secure!answer





DNSSEC!capable!DNS!resolver!/!caching!server

•BIND!9!(starting!with!BIND!9.6-ESV):!http://www.isc.org

•unbound:!http://unbound.net

•PowerDNS!recursor:!http://www.powerdns.com

•Windows!2012!DNS:!http://technet.microsoft.com/en-us/library/hh831667.aspx




http://www.isc.org

http://www.isc.org

http://unbound.net

http://unbound.net

http://www.powerdns.com

http://www.powerdns.com

http://technet.microsoft.com/en-us/library/hh831667.aspx

http://technet.microsoft.com/en-us/library/hh831667.aspx


http://dnssec-or-not.org







http://dnssectest.sidn.nl







dnssec-tools.org

•A!collection!of!useful!tools!for!DNSSEC!deployment(!http://dnssec-tools.org!)

•DNSSEC-check!-!tests!if!local!DNSSEC!resolver!are!DNSSEC!enbled





DNSSEC-check





DNSSEC!validation!in!Web-Browser

•DNSSEC!Add-On!for!Firefox

Google!Chrome!and!Microsoft!Internet!Explorer

(http://www.dnssec-validator.cz/)!

•go!to!http://www.root-dnssec.org!or!http://www.ripe.netand!you!should!see!a!nice!green!key!icon!in!the!URL!bar!telling!you!that!this!DNS!information!was!DNSSEC!validated.




http://www.dnssec-validator.cz/

http://www.dnssec-validator.cz/

http://www.root-dnssec.org/

http://www.root-dnssec.org/

http://www.ripe.net/

http://www.ripe.net/


DNSSEC!validation!in!Windows!2012





DNSSEC!validation!in!Microsoft!DNS!Server!2012

•The!DNS!Server!in!Windows!2012!now!supports!all!bits!and!pieces!necessary!to!validate!DNSSEC!signatures!and!keys!in!the!Internet!(including!SHA256!and!NSEC3).

•Windows!2008!only!supports!SHA1!and!NSEC,!and!was!not!able!to!validate!the!Internet!root!zone





DNSSEC!validation

•DNSSEC!validation!can!be!enabled!in!the!DNS!Servers!global!properties!(Advanced!-!enable!DNSSEC!validation!for!remote!responses)





enabling!DNSSEC!using!'dnscmd'

• it!is!possible!to!enable!DNSSEC!validation!from!the!commandline!using!the!command!

dnscmd /RetrieveRootTrustAnchors

• This!command!will!first!fetch!the!delegation!signer!(DS-record)!using!https!from!IANA!(https://data.iana.org/root-anchors/root-anchors.xml).!

• The!server!will!then!fetch!the!public!key!signing!key!from!the!root!zone!during!an!active!refresh!cycle!(RFC 5011)!and!validate!the!KSK!using!the!delegation!signer!record.




https://data.iana.org/root-anchors/root-anchors.xml

https://data.iana.org/root-anchors/root-anchors.xml

http://www.ietf.org/rfc/rfc5011.txt

http://www.ietf.org/rfc/rfc5011.txt


enabling!DNSSEC!using!'dnscmd'





A!DNSSEC!validating!caching!only!configuration!for!BIND!9





DNSSEC!validation!with!BIND!9

• build-in!support!for!DNSSEC!validation!in!BIND!9!DNS!server:

• BIND!9.6!-!no!build-in!trust-anchor,!no!support!for!RFC!5011

• BIND!9.7!-!support!for!RFC!5011!(automatic!update!of!trust-anchors)

• BIND!9.8!-!includes!build-in!trust-anchor!for!the!Internet!Root-Zone,!but!validation!is!disabled!by!default

• BIND!9.9!-!build-in!trust-anchor!for!the!Internet!Root-Zone,!DNSSEC!validation!enabled!by!default





getting!the!root-anchor

•for!BIND!9,!the!public!KSK!of!the!root!zone!is!used!as!the!root-anchor

•the!DNSKEY!record!can!be!retrieved!using!dig:

dig . dnskey @a.root-servers.net. +norec | grep 257 > root.key

digcommand

"."!is!the!domain!name!

of!the!root!zone

we!want!the!DNSKEY!record

we!send!the!query!to!one!of!the!root!

servers

we!send!an!iterative!query!

(polite)

we!only!want!the!KSK!

(Flag!257)

we!write!the!result!in!this!

file





Verifying!the!root!zones!key

•We!should!never!blindly!trust!cryptographic!keys!published!on!websites!or!slides

•nor!should!we!trust!a!DNSKEY!fetched!from!an!insecure!channel!(plain!DNS)

•we!need!to!verify!the!key!material

•IANA!published!the!DS!(delegation!signer!fingerprint)!on!an!HTTPS!secured!website





http://data.iana.org/root-anchors/

root!DS!fingerprint







Verifying!the!root!zone!key

•we!use!the!command!"dnssec-dsfromkey"!to!create!a!SHA256!hash-fingeprint!from!the!downloaded!root-zone!DNSKEY

dnssec-dsfromkey -2 root.key. IN DS 19036 8 2 ( 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32 F24E8FB5 )

• if!we!compare!the!computed!hash!with!the!one!from!the!website,!they!both!match

• the!downloaded!DNSKEY!record!is!valid





DNSSEC!setup!(BIND!9.6-ESV)

• In!BIND!9.6-ESV,!we!configure!a!static!trust!anchor!using!the!"trusted-keys"!statement!in!the!"named.conf"!file:

trusted-keys {"." 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";

};





DNSSEC!setup!(BIND!9.7.0+)

• Starting!with!BIND!9.7.0,!the!trusted!keys!can!be!automated!updated!by!RFC!5011!(RFC!5011!-!Automated!Updates!of!DNS!Security!(DNSSEC)!Trust!Anchors)

managed-keys { "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";};





general!setup

options { recursion yes; allow-recursion { mynetworks; }; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; querylog no; recursive-clients 2000; tcp-clients 200; max-cache-size 2147483648; // 2GB};





DNSSEC!maintenance!with!BIND!9!“rndc”

•rndc!secroots:!dump!information!about!the!current!active!DNSSEC!trust!anchors!into!the!file!“named.secroots”.!

bash-3.2# rndc secroots bash-3.2# more named.secroots22-Nov-2013 07:48:31.775

Start view _default

./RSASHA256/19036 ; managed

. 168851 IN DNSKEY 257 3 8 ( AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ) ; KSK; alg = RSASHA256; key id = 19036

root!zone!trust!anchor!key!ID

trust!anchor!will!be!updated!according!to!

RFC!5011

KEY!ID!19036:current!KSK!of!the!root!zone





BIND!9!controlling!DNSSEC!validation

•validation!on:!enable!DNSSEC!validation!on!a!caching!BIND!9!DNS!Server!(globally):!

bash# rndc validation on

•validation!off:!disable!DNSSEC!validation!on!a!caching!BIND!9!DNS!Server

bash# rndc validation off





References

•Deploying!DNSSEC!(whitepaper!by!SurfNet):http://www.surf.nl/en/knowledge-and-innovation/knowledge-base/2012/white-paper-deploying-dnssec.html

•A!BIND!9!configuration!template!for!a!validating,!caching-only!DNS!Server:https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=98;

•Free!BIND!9.9.4!installation!packages!for!Linux,!MacOS!X,!Solaris:http://support.menandmice.com/download/bind/

•Windows!2012!Server:!Enabling!DNSSEC!validation:http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation




http://www.surf.nl/en/knowledge-and-innovation/knowledge-base/2012/white-paper-deploying-dnssec.html

http://www.surf.nl/en/knowledge-and-innovation/knowledge-base/2012/white-paper-deploying-dnssec.html

https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=98

https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=98

http://support.menandmice.com/download/bind/

http://support.menandmice.com/download/bind/

http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation

http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation


Thank!you!

E-Mail:[email protected]




mailto:[email protected]

mailto:[email protected]

DNS fragmentation attacks - the dangers of not validating DNSSEC

Technology

Transcript of DNS fragmentation attacks - the dangers of not validating DNSSEC