DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray...

“DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA” draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009

Upload
alexander-mcleod
Category

Documents
view
212
download
0

TAGS:

Embed Size (px):

Transcript of DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray...

“DNS Proxy Bypass by Recursive DNSDiscovery and LOCAL.ARPA”

draft-ietf-dns-recursive-discovery

Ray Bellis

IETF76 DNSOP WG

Hiroshima, 11th November 2009

The Fundamental Problem…

ISPISP

DNS

DNS settings learntvia DHCP or PPP/IPCP

DHCPDISCOVER

DHCPOFFER

DNS Servers (6) = 192.168.1.1

FAIL

Please try again – the DNS proxy on192.168.1.1 doesn’t work properly (see RFC5625)

Page 3: DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.

The Chicken and Egg Problem…

ISPISP

DNS

DNS settings learntvia DHCP or PPP/IPCP

DHCPDISCOVER

DHCPOFFER

DNS Servers (6) = 192.168.1.1

FAIL

Still not right – you don’t know the real DNS servers because the LAN came up before the WAN.

Didn’t you fix that proxy yet?

Page 4: DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.

The Configuration Problem…

ISPISP

DNS

End-user configuresDNS settings

DHCPDISCOVER

DHCPOFFER

DNS Servers (6) = 192.168.1.1

FAIL

Uh-oh - someone forgot to implement TR124 requirement LAN.DNS.2.End-user supplied DNS settings SHOULD be in the DHCP OFFER.

BTW – your proxy still doesn’t work properly!

Page 5: DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.

The Proposed Solution…

ISPISP

DNS

• Let the DHCP stuff happen• Use the DNS proxy initially …• to ask the recursive DNS server for a list

of real DNS servers• Then use those instead!

IN A? domain.local.arpa.

IN A 192.0.2.1

Page 6: DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.

The Proposed Solution…

ISPISP

DNS

• Let the DHCP stuff happen• Use the DNS proxy initially …• to ask the recursive DNS server for a list

of real DNS servers• Then use those instead!

IN A? domain.local.arpa.

IN A 192.0.2.1

Page 7: DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.

A little more detail

• Why we’re proposing this:

– Because DNS proxies don’t work!• to get DNSSEC through• to get TCP queries through

• The draft reserves local.arpa.

– for use “within a network’s administrative boundaries”

– and domain.local.arpa for this application

• Version -02 will have NXDOMAIN redirect detection

– probably via nxdomain.local.arpa.

– if nxdomain.local.arpa == domain.local.arpa then ignore the results, your ISP is trapping NXDOMAIN

Page 8: DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.

Things we’ve thrown out already

• Anycast

– If you’re going to use an Anycast address to discover DNS, you might as well use that address for all DNS!

• “.local”

– Too much baggage

Things we’re still figuring out!

• Does the bootstrap query need additional protection, and if so, how?

– DNSSEC no good, proxies break it!

– A random nonce prefix?

– Something else?

• Interaction with DNSSEC-signed .arpa

– If IANA has an NSEC[3] record that says local.arpa doesn’t exist, then the locally-supplied copy is bogus

Page 10: DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.

Any Questions?

The Dan Kaminsky DNS vulnerability DNS root servers DNSSEC ...security.hsr.ch › lectures › Internet_Security_1 › 12-DNSSEC.pdf · • DNS resolution via recursive nameserver

Welcome! [nsrc.org] · •Recursive Server ... •Lab 3 – Configuring Domains –TEA BREAK •DNS Registries •Troubleshooting (dig, traceroute, nslookup, ethereal) ... triggers

DNSSEC Validation Failure - NASA.GOV - 20120118 - FINAL · 2014-11-25 · Analysis(of(DNSSEC(Validation(Failure(Comcast(–(DNS(Engineering(Page(4(of(12(Trust(Anchor(for(a(domain.(This(instructs(Comcast(DNS(recursive(resolvers(to

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces

Comparing the Performance of Public DNS Resolvers · 2018-10-09 · Comparing the Performance of Public DNS Resolvers Angelique Medina ... Recursive TTL IP Address ... Verisign 237.75

BIND 9.11 Update - RIPE 72 | Copenhagen, 23 – 27 … · DNS catalog zones draft-muks-dnsop-dns ... Code for the common good Preserve the original intent ... Considering a new open

CSCI-1680 DNS - Brown Universitycs.brown.edu › courses › cs168 › f17 › lectures › 17-dns.pdfResolver operation •Apps make recursive queries to local DNS server (1) –Ask

DNS NO ECOSISTEMA DE CIBERSEGURANÇA A … · • Despite adversaries’ reliance on DNS, 68% organizations do not monitor recursive DNS ... Workday – HR SAP IPS/IDS Email/SPAM

NXNSAttack:RecursiveDNSIneﬃcienciesandVulnerabilitiescyber-security-group.cs.tau.ac.il/dns-ns-paper.pdf · Authoritative name-server 2.6x 2x NXNSAttack a Recursive resolver 163x

DNS Concepts - APNICarchive.apnic.net/meetings/16/programme/tutorials/docs/... · • Recursive server – Do the actual lookups; ask questions to the DNS on behalf of the clients

Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA.

DNS - Devious Name Services Destroying Privacy & Anonymity ... CON 25/DEF CON 25 presentations/DE… · •Understand IPv6 vs IPv4 •Route ALL DNS to knowns recursive resolvers that

The Hitchhiker’s Guide to DNS Cache Poisoningshmat/shmat_securecomm10.pdfThe Hitchhiker’s Guide to DNS Cache Poisoning 3 2.2 Caching and recursive resolution When a DNS resolver

Characterization of Collaborative Resolution in Recursive DNS … · 2019-11-25 · Berger et al. [11] associate IPv4 and IPv6 addresses in DNS queries to ﬁnd dual-stack machines.

CSCI-1680 DNS - Brown University › courses › cs168 › f18 › lectures › 17-dns.pdf · Resolver operation •Apps make recursive queries to local DNS server (1) –Ask server

DNS for Dummies ebooksocial.dnsmadeeasy.com/wp-content/uploads/2016/08/DNS-for-Newbies.pdfqueries through: Recursive DNS Servers (or Caching Servers, sounds like "cashing") and Authoritative

SLA Monitoring System (SLAM) - ICANN · EPP EPP service availability ≤ 864 min of down(me (≈98%) ... DNS test • One non-recursive DNS query sent every minute from all probe

DNS CHANGE MAKERS LIU’S VIEW. · “DNS amplification” attacks in which open recursive name servers are used as amplifiers to swamp targets on the Internet. Turns out that name

1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29.

CSCI-1680 DNS - Brown Universitycs.brown.edu/courses/csci1680/f18/lectures/17-dns.pdf · Resolver operation •Apps make recursive queries to local DNS server (1) –Ask server to

DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray...

Documents

Transcript of DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray...