Outline: Early Days of Organisation DNS; A Modern DNS Infrastructure; Summary
DNS Servers, the More the Merrier: Why You Need More Than Two
Alexander Clouter <[email protected]>
Library and Information Services, School of Oriental and African Studies (SOAS)
London
Networkshop 38, 2010
Alexander Clouter <[email protected]> DNS Servers, the More the Merrier
Part 1: Early Days of Organisation DNS (Everything Rolled in Together; Design Flaws; 1990's DNS Design in 2010)
In the beginning, there were only two...
Between 2001 and 2008, our entire DNS infrastructure ran off two Solaris boxes running BIND9, each doing both:
- authoritative: soas.ac.uk hosting, including the reverse (PTR) zones (212.219.139.203 -> mr3.soas.ac.uk)
- recursive: lookups such as google.com and bbc.co.uk
Example recursive query ('dig +trace bbc.co.uk'):
  . (from the 'hints' file) -> *.root-servers.net -> *.nic.uk -> *.bbc.co.uk -> 212.58.224.138
Design Overview
[Diagram, design overview: on the Internet side sit the outside world's authoritative servers ('auths'), recursive resolvers ('rec') and clients ('c'); then the border; on the Intranet side sit the two SOAS boxes, each AUTHoritative for all zones and RECursive, one the Master ('m') and the other a Slave ('s') of it, with the internal clients behind them. KEY: AUTHoritative zones; RECursive; Master; Slave; Client.]
Internal Recursive Lookup
[Diagram: an internal client asks one of the two SOAS boxes 'example.com IN A?'; the box recurses out across the border to the Internet's authoritative servers and returns 192.0.32.10.]
External Authoritative Lookup
[Diagram: an external client asks its recursive resolver 'IN MX soas.ac.uk?'; the resolver crosses the border to query the SOAS boxes directly and gets back mr3/mr4.]
Overview
There were of course some problems:
- authoritative: text-file template + cronjob -> zone files; externally resolvable RFC 1918 data (for example 192.168.x.y); large zone files (10k records / 300 KiB) (1); no externally hosted slave (AWOL servers mean AWOL domain); master is publicly accessible; no restriction on who can do zone transfers
- recursive: publicly open resolver; old versions of BIND that were poisonable
Homogeneous environment -> single bug -> total devastation.
(1) reverse zone file padding
Publicly Accessible
Applies to both sides of DNS:
- authoritative: a publicly queryable 'master' means it is a target for intrusion attacks and malformed queries; not everyone restricts zone transfers (AXFR), so it can be trivial to get a detailed plan of the network without probing
- recursive: DNS poisoning becomes more trivial; DoS amplification attacks (2)
(2) less important; see botnets and RFC 2827 (BCP 38) ingress filtering
DNS Poisoning
Caching resolvers can be overly keen (buggy) to cache data:
- attacker maintains authority for 'evil.com'
- sends the query acme.evil.com to the resolver:
  - direct: trivial if the resolver is publicly accessible
  - indirect: trick a user into doing the lookup (email or website)
- the evil server responds, for example, with either:
    acme.evil.com. A 1.2.3.4
    acme.evil.com. NS bank.com.
  and uses the additional section of the reply to say "oh and by the way, bank.com. is at w.x.y.z"
- the resolver eagerly caches acme.evil.com and bank.com (a resolver with a bailiwick check discards the bank.com glue, since evil.com's server has no authority for it)
It can also be done by racing: flooding the resolver with spoofed responses (the Kaminsky attack of 2008). Source-port randomisation only makes the race harder; the only complete solution is DNSSEC.
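The additional-section trick above, as an added example (not code from the talk): a toy resolver cache fed the evil.com reply once as the eager 1990s resolver would take it and once with a bailiwick check, which is what modern resolvers apply. The record tuples, names and addresses are constructed for the demo.

```python
"""Added example, not code from the talk: a toy resolver cache that shows why the
additional-section trick poisoned old resolvers and how a bailiwick check
(what modern resolvers do) rejects it. Names, addresses and record tuples are
constructed for the demo."""

from typing import Dict, List, Optional, Tuple

# A record is (owner name, type, rdata); a reply carries answer and additional lists.
Record = Tuple[str, str, str]


def canon(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Bank.com.' and 'bank.com' compare equal."""
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it (label-wise, so 'notevil.com' is outside 'evil.com')."""
    name, zone = canon(name), canon(zone)
    return name == zone or name.endswith("." + zone)


class ToyCache:
    def __init__(self, bailiwick_check: bool) -> None:
        self.bailiwick_check = bailiwick_check
        self.store: Dict[Tuple[str, str], str] = {}

    def accept(self, server_zone: str, answer: List[Record], additional: List[Record]) -> List[Record]:
        """Cache a reply received from the server authoritative for server_zone.
        Returns the records that were rejected (empty for the eager cache)."""
        rejected: List[Record] = []
        for rec in answer + additional:
            name, rtype, rdata = rec
            if self.bailiwick_check and not in_bailiwick(name, server_zone):
                rejected.append(rec)  # evil.com's server has no authority over bank.com
                continue
            self.store[(canon(name), rtype)] = rdata
        return rejected

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        return self.store.get((canon(name), rtype))


# Constructed reply from the attacker's evil.com server, as on the slide.
EVIL_ANSWER: List[Record] = [
    ("acme.evil.com.", "A", "1.2.3.4"),
    ("acme.evil.com.", "NS", "bank.com."),
]
EVIL_ADDITIONAL: List[Record] = [
    ("bank.com.", "A", "192.0.2.66"),  # "oh and by the way, bank.com. is at ..."
]


def poison_demo(bailiwick_check: bool) -> Optional[str]:
    """Feed the evil reply into a fresh cache; return what it now thinks bank.com's address is."""
    cache = ToyCache(bailiwick_check)
    cache.accept("evil.com.", EVIL_ANSWER, EVIL_ADDITIONAL)
    return cache.lookup("bank.com.", "A")


if __name__ == "__main__":
    print("eager cache    :", poison_demo(bailiwick_check=False))  # 192.0.2.66, poisoned
    print("bailiwick check:", poison_demo(bailiwick_check=True))   # None, glue discarded
```

The NS record for acme.evil.com is in bailiwick and is cached either way; that is harmless on its own, because a resolver that then needs bank.com's address goes and asks the .com servers rather than trusting evil.com's glue.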
DoS Amplification Attacks
[Diagram: an attacker B on an xDSL line sends ~50-byte queries ('dig +dnssec NS se', source address spoofed to the victim 5.6.7.8) to the open resolver 1.2.3.4 on the Intranet; the resolver sends each ~2700-byte answer to 5.6.7.8. Roughly a 50-fold increase: the xDSL uplink becomes ~1700 kB/s at the victim.]
Unrestricted AXFRs ("The 1990's called and they want their DNS servers back...")
At a large UK university computing centre:
  $ dig AXFR compsci.ac.uk @ns1.compsci.ac.uk
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR
  ;; flags: qr aa ra
  [snipped]
  ;; Query time: 92 msec
  ;; SERVER: 1.2.3.4#53(1.2.3.4)
  ;; WHEN: Sun Mar 21 16:29:46 2010
  ;; XFR size: 1261 records
(Note the 'ra' flag alongside 'aa': this authoritative server also advertises recursion.)
Interesting Entries from the AXFR ("The 1990's called and they want their DNS servers back...")
So, now we have 1261 records; anything interesting in there?
  $ dig AXFR compsci.ac.uk | grep --interesting
  host0 IN A     10.99.201.10                [rfc1918]
  host1 IN HINFO "486DX50" "Linux"
  swtch IN TXT   "Cisco 6500 Infra switch"
  vax   IN HINFO "VAX-8250" "VMS"
  till  IN TXT   "Shop till - Jane Doe"
  host2 IN HINFO "OpusPC486/33" "MS-DOS"
  print IN TXT   "New HP Laser - John Smith"
  print IN A     1.2.3.4                     [accessible]
10% was RFC 1918 and gave out the switching IP topology.
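The "grep --interesting" step above, done properly, as an added example (not code from the talk): it parses the record text that `dig AXFR` prints, pulls out A records in RFC 1918 space and the chatty HINFO/TXT records, and reports the RFC 1918 share. The sample transfer is constructed and is not the real compsci.ac.uk zone.

```python
"""Added example, not code from the talk: triage a zone transfer the way the
slide does by hand. Input is the record text that `dig AXFR` prints; the
sample zone below is constructed and is not the real compsci.ac.uk data."""

import ipaddress
from typing import Dict, List

SAMPLE_AXFR = """\
; <<>> DiG 9.7.0 <<>> AXFR compsci.ac.uk @ns1.compsci.ac.uk
compsci.ac.uk.       3600 IN SOA   ns1.compsci.ac.uk. hostmaster.compsci.ac.uk. 2010032101 3600 900 604800 3600
compsci.ac.uk.       3600 IN NS    ns1.compsci.ac.uk.
host0.compsci.ac.uk. 3600 IN A     10.99.201.10
host1.compsci.ac.uk. 3600 IN HINFO "486DX50" "Linux"
swtch.compsci.ac.uk. 3600 IN TXT   "Cisco 6500 Infra switch"
swtch.compsci.ac.uk. 3600 IN A     192.168.250.1
vax.compsci.ac.uk.   3600 IN HINFO "VAX-8250" "VMS"
print.compsci.ac.uk. 3600 IN TXT   "New HP Laser - John Smith"
print.compsci.ac.uk. 3600 IN A     192.0.2.44
www.compsci.ac.uk.   3600 IN A     192.0.2.80
compsci.ac.uk.       3600 IN SOA   ns1.compsci.ac.uk. hostmaster.compsci.ac.uk. 2010032101 3600 900 604800 3600
"""

# RFC 1918 ranges: unroutable from the Internet, so publishing them only tells
# an outsider how the inside is laid out.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Record types whose whole purpose is to describe hardware, people or places.
CHATTY = {"HINFO", "TXT", "RP", "LOC"}


def parse_axfr(text: str) -> List[Dict[str, str]]:
    """Turn dig's transfer output into records, skipping comment lines and the
    repeated SOA that closes the transfer."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) < 5 or parts[2] != "IN":
            continue
        rec = {"name": parts[0], "type": parts[3], "rdata": parts[4]}
        if rec["type"] == "SOA" and records and records[0]["type"] == "SOA":
            continue  # closing SOA of the AXFR
        records.append(rec)
    return records


def triage(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Report what the slide pulls out: internal addresses and chatty records."""
    a_records = [r for r in records if r["type"] == "A"]
    private = [r for r in a_records
               if any(ipaddress.ip_address(r["rdata"]) in net for net in RFC1918)]
    chatty = [r for r in records if r["type"] in CHATTY]
    return {
        "records": len(records),
        "rfc1918": private,
        "chatty": chatty,
        "rfc1918_share": round(len(private) / len(a_records), 2) if a_records else 0.0,
    }


if __name__ == "__main__":
    report = triage(parse_axfr(SAMPLE_AXFR))
    print(f"{report['records']} records, {report['rfc1918_share']:.0%} of A records are RFC 1918")
    for r in report["rfc1918"]:
        print("  leaks internal address:", r["name"], r["rdata"])
    for r in report["chatty"]:
        print("  chatty record:", r["name"], r["type"], r["rdata"])
```

Run it against a real transfer with `dig AXFR zone @server > zone.txt` and feed the file to parse_axfr; if the transfer succeeds at all from an address that is not one of your slaves, that is the first finding.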
Publicly Open Resolver ("The 1990's called and they want their DNS servers back...")
50 bytes out, 1400 bytes back:
  $ dig +dnssec NS se @ns2.compsci.ac.uk
  ;; Query time: 8 msec
  ;; SERVER: 1.2.3.5#53(1.2.3.5)
  ;; WHEN: Sun Mar 21 17:13:32 2010
  ;; MSG SIZE rcvd: 1424
ns1.compsci.ac.uk ignores DNSSEC queries (3); does this imply it is old? Old could also imply poisonable and vulnerable.
(3) which is why I used ns2 here for this test
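The two checks made by eye on the amplification and open-resolver slides, as an added example (not code from the talk): parse a `dig` transcript, decide from the flags whether the server recursed for a stranger, and work out the amplification from the reply size and the computed size of the query. The transcript below is constructed to match the slide's figures.

```python
"""Added example, not code from the talk: read a `dig` transcript and decide
whether the server is an open resolver and how much it amplifies. The
transcript below is constructed to match the slide's 1424-byte reply."""

import re
from typing import Dict

SAMPLE_DIG = """\
; <<>> DiG 9.7.0 <<>> +dnssec NS se @ns2.compsci.ac.uk
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 19
;; Query time: 8 msec
;; SERVER: 1.2.3.5#53(1.2.3.5)
;; WHEN: Sun Mar 21 17:13:32 2010
;; MSG SIZE  rcvd: 1424
"""


def query_wire_size(qname: str, edns: bool) -> int:
    """Size of the DNS query payload: 12-byte header, the name in wire form
    (length byte per label plus the root byte), QTYPE+QCLASS, and the 11-byte
    OPT pseudo-record that `+dnssec` adds."""
    labels = [lab for lab in qname.strip(".").split(".") if lab]
    name_len = sum(1 + len(lab) for lab in labels) + 1
    return 12 + name_len + 4 + (11 if edns else 0)


def assess(dig_output: str, qname: str, edns: bool) -> Dict[str, object]:
    """qname must be a name the server is not authoritative for (the slide uses
    'NS se'); then an `ra` flag with NOERROR means it recursed for a stranger."""
    flags = re.search(r"^;; flags: ([^;]*);", dig_output, re.M)
    status = re.search(r"status: (\w+)", dig_output)
    size = re.search(r"^;; MSG SIZE\s+rcvd: (\d+)", dig_output, re.M)
    if not (flags and status and size):
        raise ValueError("not a dig answer")
    fl = set(flags.group(1).split())
    q, r = query_wire_size(qname, edns), int(size.group(1))
    return {
        "recursion_available": "ra" in fl,
        "open_resolver": "ra" in fl and "aa" not in fl and status.group(1) == "NOERROR",
        "query_bytes": q,
        "reply_bytes": r,
        "amplification": round(r / q, 1),                        # DNS payload ratio
        "packet_amplification": round((r + 28) / (q + 28), 1),  # with IPv4+UDP headers
        "truncated": "tc" in fl,  # reply fell back to TCP, so it cannot be spoofed-source amplified
    }


if __name__ == "__main__":
    print(assess(SAMPLE_DIG, "se", edns=True))
```

The payload ratio (about 46x here) is what the slide quotes; the on-the-wire ratio is lower because the 28 bytes of IP and UDP headers weigh more on the small query than on the reply. Either way, a resolver that answers `ra` to an address outside its own network is an amplifier.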
Part 2: A Modern DNS Infrastructure (Migration; Bonus Round)
Adding External Slaves (Adding Resilience to DNS)
[Diagram, step 1: an external resolver tries to reach soas.ac.uk but the border link is down (X); both authoritative servers are unavailable, and thus so is soas.ac.uk.]
[Diagram, step 2: an external slave ('s') is added on the Internet side, fed by zone transfer from the internal master.]
[Diagram, step 3: with the border link down again (X), the external resolver is answered by the external slave, so soas.ac.uk stays resolvable.]
Hiding Your Primary pt.I (Protecting Your Authority)
[Diagram, step 1: external resolvers can query the external slave and still reach the internal master directly; the master feeds both slaves.]
[Diagram, step 2: the border now blocks (X) outside access to the master; external resolvers reach only the slaves (the external one and an internal 's' at the border), while the master, now a hidden primary, only pushes zone transfers to its slaves.]
Hiding Your Primary pt.II (Protecting Your Authority)
Tweak your zone file so the SOA MNAME points at the hidden primary and the NS set lists only the slaves:
  $ dig SOA soas.ac.uk
  soas.ac.uk. IN SOA ns1.soas.ac.uk. ...    (before)
  soas.ac.uk. IN SOA ns.soas.ac.uk. ...     (after: the hidden primary)
  $ dig NS soas.ac.uk
  soas.ac.uk. IN NS ns1.soas.ac.uk.
  soas.ac.uk. IN NS ns2.soas.ac.uk.
  soas.ac.uk. IN NS ns2.ic.ac.uk.
Now firewall the 'hidden primary' so only the slaves can talk to it.
Split Recursive From Authoritative (Mitigation Against Poisoning)
[Diagram, step 1: the border box is still both authoritative slave and recursive resolver, so traffic from the Internet (spoofed replies included) reaches the same cache the internal clients use.]
[Diagram, step 2: the border boxes are authoritative-only slaves of the hidden master; a separate recursive resolver ('rec'), unreachable from outside (X), serves the internal clients.]
DNS Views pt.I (Tidying Up and Adding Flexibility)
[Diagram, step 1: the master feeds two external slaves on the Internet side and two internal slaves; external resolvers query the external slaves, internal resolvers the internal ones.]
[Diagram, step 2: the border is closed to the internal slaves; the external slaves carry the EXT view of the zone and the internal slaves the INT view, both fed from the one master.]
DNS Views pt.II (Tidying Up and Adding Flexibility)
Tweak your zone files and configure the master to serve the appropriate zone to the correct slave:
  external:~$ dig NS soas.ac.uk
  soas.ac.uk. IN NS ns1.soas.ac.uk.   [bracknell]
  soas.ac.uk. IN NS ns2.soas.ac.uk.   [gold.ac.uk]
  soas.ac.uk. IN NS ns2.ic.ac.uk.     [imperial]
  internal:~$ dig NS soas.ac.uk
  soas.ac.uk. IN NS ipserv0.it.soas.ac.uk.
  soas.ac.uk. IN NS ipserv1.it.soas.ac.uk.
Now firewall the internal slaves from the outside world.
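The hidden-primary and views slides in named.conf terms, as an added example (not configuration from the talk or from SOAS): the 2001-2008 style 'flat' config beside one for the hidden primary that serves an internal and an external view to the right slaves only, with transfers and queries locked down and recursion off, followed by a rough audit that flags the weaknesses listed earlier. Addresses, ACL names and file paths are made up, and the audit is a regex sketch rather than a named.conf parser.

```python
"""Added example, not code from the talk: the 'flat' named.conf beside a
split-split one for the hidden primary (views feeding internal and external
slaves, transfers locked down, no recursion), plus a rough audit that flags the
weaknesses the talk lists. All addresses, ACL names and file paths are made up;
the audit is a regex sketch, not a named.conf parser."""

import re
from typing import List

FLAT_CONF = """\
options {
    directory "/var/named";
    recursion yes;            // default anyway: answers the whole Internet
};
zone "soas.ac.uk" {
    type master;
    file "soas.ac.uk.zone";   // RFC 1918 records and all
};
zone "139.219.212.in-addr.arpa" {
    type master;
    file "139.219.212.rev";
};
"""

HIDDEN_PRIMARY_CONF = """\
acl "ext_slaves" { 192.0.2.10; 192.0.2.20; };    // hypothetical ns1/ns2 addresses
acl "int_slaves" { 10.0.0.10; 10.0.0.11; };      // hypothetical ipserv0/ipserv1

options {
    directory "/var/named";
    recursion no;               // authoritative only; resolvers are separate boxes
    allow-query { none; };      // nobody talks to the hidden primary by default
    allow-transfer { none; };
    notify explicit;            // only the hosts listed in also-notify
};

view "internal" {
    match-clients { int_slaves; };
    allow-query { int_slaves; };      // slaves need SOA refresh checks
    allow-transfer { int_slaves; };
    also-notify { 10.0.0.10; 10.0.0.11; };
    zone "soas.ac.uk" { type master; file "internal/soas.ac.uk.zone"; };
    zone "139.219.212.in-addr.arpa" { type master; file "internal/139.219.212.rev"; };
};

view "external" {
    match-clients { ext_slaves; };
    allow-query { ext_slaves; };
    allow-transfer { ext_slaves; };
    also-notify { 192.0.2.10; 192.0.2.20; };
    zone "soas.ac.uk" { type master; file "external/soas.ac.uk.zone"; };
    zone "139.219.212.in-addr.arpa" { type master; file "external/139.219.212.rev"; };
};
"""


def audit(conf: str) -> List[str]:
    """Flag the 1990s-design problems from the talk; returns an empty list when clean."""
    text = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)  # strip comments
    opts = re.search(r"\boptions\s*\{(.*?)\n\};", text, re.S)
    options = opts.group(1) if opts else ""
    recursion_off = re.search(r"\brecursion\s+no\s*;", options) is not None
    is_master = re.search(r"\btype\s+master\s*;", text) is not None
    findings: List[str] = []
    if not recursion_off and not re.search(r"\ballow-recursion\s*\{", text):
        findings.append("recursion open to everyone: amplifier and poisonable cache")
    if is_master and not recursion_off:
        findings.append("authoritative and recursive on one box: one bug hits both roles")
    if not re.search(r"\ballow-transfer\s*\{", text):
        findings.append("no allow-transfer: anyone can AXFR the zones")
    if is_master and not re.search(r'\bview\s+"', text):
        findings.append("no views: internal and external clients get the same zone data")
    if is_master and not re.search(r"\ballow-query\s*\{\s*none\s*;", options):
        findings.append("master answers everyone: not a hidden primary")
    return findings


if __name__ == "__main__":
    for label, conf in (("flat", FLAT_CONF), ("hidden primary", HIDDEN_PRIMARY_CONF)):
        print(f"{label}: {audit(conf) or ['no findings']}")
```

The slaves then carry the matching view with `type slave; masters { <hidden primary>; };` and their own `allow-transfer`, and the firewall rule from the slide (only the slaves may reach port 53 on the primary) backs up the ACLs. Before trusting any real config, run it through `named-checkconf` rather than this sketch.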
DNS Views pt.III (Tidying Up and Adding Flexibility)
Possible pitfalls:
- the internal resolver needs a hint (a stub or forward zone for soas.ac.uk) to use the internal slaves
- PTR records need 'views' too, and must be synced correctly
- SMTP servers are the first to sulk when things go wrong
The result (in a 'split-split' DNS infrastructure):
- RFC 1918 results removed from the Internet
- impossible to poison the internal authoritative data from outside
- firewalling becomes simpler
- trivial to provide different results for classes of user
- test zone file changes on your internal users first
DNS Tricks pt.I (Steering Mail Traffic)
An SMTP 'fax' server lives behind the firewall, so routing mail for [email protected] is tricky; instead we do:
  external:~$ dig MX fax.soas.ac.uk
  fax.soas.ac.uk. IN MX 10 mr3.soas.ac.uk.
  fax.soas.ac.uk. IN MX 10 mr4.soas.ac.uk.
  internal:~$ dig MX fax.soas.ac.uk
  fax.soas.ac.uk. IN MX 5 hermes.soas.ac.uk.
  fax.soas.ac.uk. IN MX 10 mr3.soas.ac.uk.
  fax.soas.ac.uk. IN MX 10 mr4.soas.ac.uk.
DNS Tricks pt.II (Hiding Boxes)
Development boxes are not available outside the firewall:
  external:~$ dig AXFR soas.ac.uk | grep cms
  cms.marketing IN CNAME rx2.marketing
  internal:~$ dig AXFR soas.ac.uk | grep cms
  cms.marketing IN CNAME rx2.marketing
  dev.cms.marketing IN CNAME rx1.marketing
Hiding boxes is not for security, but to avoid firewall 'deny' timeouts: an instant NXDOMAIN is returned instead.
DNS Blacklisting (Malware, Trojan, Worm and Phishing Protection for Free)
As the recursive servers now only talk to internal clients:
- 'safe' to play with them and not affect the outside world
- unbound/bind9/maradns/others permit 'hijacking' domains
- find a list of Evil(TM) domains
- mangle it to plug into your resolver
- steer Evil(TM) domains to an IDS (*.evil.com -> $ip{ids})
- find infections and stop users going to 'dubious' sites
However, what about false positives?
- Apache + mod_proxy
- mod_perl script to 'cook' HTTP session cookies
- self-service whitelisting -> Ultimate Laziness (4)
(4) zero support calls since deployed July 2008-ish
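The "mangle it to plug into your resolver" step, as an added example (not code from the talk): a downloaded list of Evil(TM) domains is normalised, names under our own domain are refused, names already covered by a listed parent are dropped, and the rest become unbound `local-zone ... redirect` plus `local-data` lines, which answer the domain and everything beneath it with the IDS address (the slide's $ip{ids}). The list, allow-list and IDS address are constructed.

```python
"""Added example, not code from the talk: turn a downloaded list of Evil(TM)
domains into unbound `local-zone`/`local-data` lines that answer the domain
and everything under it with the IDS address ($ip{ids} on the slide).
The list, the allow-list and the IDS address are constructed."""

from typing import Iterable, List, Set

RAW_LIST = """\
# constructed blocklist, one name per line
evil.com
WWW.evil.com.
login.bank-of-phish.example
bad.example/path        # a URL, not a hostname: drop it
soas.ac.uk              # our own domain: must never be sinkholed
"""

ALLOW = {"soas.ac.uk"}  # never redirect ourselves or anything beneath us
IDS_IP = "10.0.0.99"    # hypothetical IDS/sinkhole address


def covered(name: str, parents: Iterable[str]) -> bool:
    """True when name equals or sits beneath any of parents (label-wise)."""
    return any(name == p or name.endswith("." + p) for p in parents)


def normalise(raw: str, allow: Set[str]) -> List[str]:
    """Lower-case, drop comments, garbage and allow-listed names, and keep only the
    shortest covering name: a redirect on evil.com already catches www.evil.com."""
    names: Set[str] = set()
    for line in raw.splitlines():
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not name or "/" in name:
            continue
        labels = name.split(".")
        if not all(lab and lab.replace("-", "").isalnum() for lab in labels):
            continue
        if covered(name, allow):
            continue
        names.add(name)
    return sorted(n for n in names if not covered(n, names - {n}))


def unbound_lines(domains: Iterable[str], ids_ip: str) -> List[str]:
    """One redirect zone per domain; unbound serves the local-data for all subdomains too."""
    lines: List[str] = []
    for d in domains:
        lines.append(f'local-zone: "{d}." redirect')
        lines.append(f'local-data: "{d}. A {ids_ip}"')
    return lines


if __name__ == "__main__":
    print("\n".join(unbound_lines(normalise(RAW_LIST, ALLOW), IDS_IP)))
```

Drop the output into a file included from unbound.conf's server section and reload; the allow-list check matters because one stray line such as "soas.ac.uk" in a third-party feed would otherwise redirect the whole organisation to the IDS.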
Early Days of Organisation DNSA Modern DNS Infrastructure
Summary
MigrationBonus Round
DNSSEC Enabling
- similar to how PGP/SSL works, but hierarchical
- root not yet signed (as of this talk; the root zone was signed in July 2010), so need to use some glue:
  - DLV: DNSSEC Look-aside Validation (ISC's; since retired)
  - ITAR: Interim Trust Anchor Repository (TLDs only)
  - SecSpider: 20k/6 MiB of trust anchors (DNS crawler)
- large replies, so needs EDNS0 to raise the limit to 4096 bytes
- currently 10% of TLDs signed (all IDNs (5)), but RIPE/ARIN/etc. are also doing some reverse zones too
Warning: firewalls (e.g. PIX) and IDSs can be configured to think DNS packet size > 512 bytes -> Evil(TM)
(5) Internationalised Domain Name
Summary
- a 'flat' combo auth+rec DNS infrastructure is a Bad Idea(TM)
- pain to move to split-split, but worth it and you learn lots
- narrow purpose for each server, so you can use any vendor product that suits you (diversity crucial though!)
Outlook:
- PTR syncing is via a 'fruity' AXFR compare/DDNS script
- DNS blacklists fail against /etc/hosts: OSPF route hijacking?
Appendix: For Further Reading
- Zytrax.com, DNS for Rocket Scientists, 2004-2010.
- Steve Friedl, An Illustrated Guide to the Kaminsky DNS Vulnerability, Unixwiz.net, 2008.
- Alexander Clouter (me!), Protecting Users with DNS Malware Blacklisting (also Unsavoury IP Route Blackholing), http://www.digriz.org.uk/