Hands-On DNSSEC with DNSViz - NANOG Archive (Feb 06, 2017)

Hands-On DNSSEC with DNSViz
Casey Deccio
Brigham Young University
NANOG 69, Feb. 8, 2017
Washington, DC
Preparation
• Demo and exercises available at: http://dnsviz.net/demo/
• Includes links to the following:
  • VirtualBox software
  • VirtualBox demo image
  • Tutorial exercises
Objectives
• Understand the basics of DNS and DNSSEC
• Become familiar with DNS server and analysis tools
  • DiG
  • BIND
  • DNSViz
• Learn how tools might be used to routinely analyze/monitor your DNS health
Caveats
• The exercises range from novice-level to advanced.
• Many of the exercises are more to facilitate understanding than efficiency.
• The exercises are meant for learning DNS/DNSSEC and related tools, but do not cover all details for proper DNS/DNSSEC maintenance.
DNS Overview
DNS Namespace
• Namespace is organized hierarchically
• DNS root is top of namespace
• Zones are autonomously managed pieces of DNS namespace
• Subdomain namespace is delegated to child zones
[Figure: the root (.) delegates to com and net, which in turn delegate to example.com and example.net; the arrows are labeled “referrals”]
DNS Name Resolution
• Resolvers query authoritative servers
• Queries begin at root zone, resolvers follow downward referrals
• Resolver stops when it receives authoritative answer
[Figure: a stub resolver sends “Query: example.com/A?” to a recursive resolver; the recursive resolver queries the authoritative servers for “.”, “com”, and “example.com” in turn, following referrals, and returns “Answer: 192.0.2.16”]
Virtual Environment Initialization
• Unzip dnsviz-demo-v4.zip
• Open dnsviz-demo-v4/dnsviz-demo-v4.vbox
• “Start” VM
• Enlarge screen
• Double-click “Tutorial Exercises” file
• (Exercises 0.1 – 0.2)
• Open “Terminal Emulator”
• Change to “demo” directory
$ cd demo
Query DNS Servers (1.1 – 1.5)
$ dig @a.root-servers.net example.com
  (query a specific server, rather than querying your configured resolver; no record type is specified, so the default type “A” (address) is used)
$ dig @a.gtld-servers.net example.com
$ dig @a.iana-servers.net example.com
$ dig example.com
  (no server is explicitly designated, so the query goes to the local resolver)
$ dig @a.iana-servers.net foobar.example.com
  (query for a non-existent name)
Query a Root Server
Query a TLD Server
Query an SLD Server
Query Local Recursive Resolver
Query for a Non-existent Name
DNSSEC Overview
Public Key Cryptography
• Keys
  • Public Key – advertised to everyone
  • Private Key – kept hidden
• Signatures
  • Made by private key
  • Validated with public key
• Validation
  • Consumer uses public key, message, and signature to validate message
[Figure: Data + Private Key → Sig; Data + Public Key + Sig → Valid or Bogus?]
DNS Security Extensions (DNSSEC)
• DNS data signed with private keys
• Signatures (RRSIGs) and public keys (DNSKEYs) published in zone data
• Resolver response
  • If authentic: Authenticated data (AD) bit is set
  • If bogus: SERVFAIL message is returned
[Figure: stub resolver → recursive/validating resolver → example.com authoritative server.
  Stub to resolver: “Query: example.com/A?”
  Resolver to authoritative server: “Query: example.com/A?” → “Answer: 192.0.2.16 + RRSIG”
  Resolver to authoritative server: “Query: example.com/DNSKEY?” → “Answer: DNSKEY… + RRSIG”
  Resolver validates, then answers the stub: “Answer: 192.0.2.16” with the AD bit set]
DNSSEC Chain of Trust
• DNSKEY must be authenticated.
• Trust extends through ancestry to a trust anchor at resolver.
• DS resource record – provides digest of DNSKEY in child zone.
• Resolver must start with trusted key, at root.
[Figure: example.com zone data is signed by the example.com DNSKEY; a DS record in the com zone is the digest of that DNSKEY; the com DNSKEY is in turn covered by a DS record in the root (.) zone; the root DNSKEY is the resolver's trust anchor]
Key Roles – KSK/ZSK
• DNSKEY RRset usually has multiple keys, often with split roles.
• KSK (Key signing key)
  • Signs (only) the DNSKEY RRset.
  • Corresponds to DS records in parent, providing “secure entry point” into zone.
• ZSK (Zone signing key)
  • Signs the rest of the zone.
[Figure: in example.com, the DNSKEY (ZSK) signs the zone data and the DNSKEY (KSK) signs the DNSKEY RRset; the DS record in the com zone corresponds to the KSK]
Authenticated Denial of Existence
• How do you prove something doesn’t exist?
• “Chain” of names of zone formed using NSEC records.
• NSEC records form comprehensive chain of names (and their record types) in zone in canonical ordering.
• Server uses NSEC records to prove non-existence.
[Figure: NSEC chain example.com. → apple.example.com. → banana.example.com. → grape.example.com. → (back to) example.com.
  Recursive/validating resolver to authoritative server: “Query: coconut.example.com/A?” → “NXDOMAIN: banana.example.com/NSEC + RRSIG”
  Recursive/validating resolver to authoritative server: “Query: example.com/DNSKEY?” → “Answer: DNSKEY… + RRSIG”
  Resolver validates]
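To make the canonical ordering and the NSEC proof concrete, here is an added example (written for this page, not code from the tutorial or from DNSViz) that implements RFC 4034 canonical name ordering and reports which NSEC record of the chain on the slide covers a queried name, including the wrap-around at the end of the chain.

```python
# Constructed NSEC chain for the example.com zone from the slide above
# (owner name -> "next" name); the last record wraps around to the zone apex.
NSEC_CHAIN = [
    ("example.com.", "apple.example.com."),
    ("apple.example.com.", "banana.example.com."),
    ("banana.example.com.", "grape.example.com."),
    ("grape.example.com.", "example.com."),
]

def canonical_key(name):
    """Sort key implementing RFC 4034 section 6.1 canonical DNS name ordering:
    labels are compared right to left (TLD first), case-insensitively, as
    octet strings, and a name that is a proper prefix of another sorts first."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return tuple(label.encode("ascii") for label in reversed(labels))

def nsec_covers(owner, next_name, qname, apex):
    """True if the NSEC record owner -> next_name proves that qname does not
    exist: qname must sort strictly between the two names. For the last NSEC
    in the chain (next_name is the apex) everything after owner is covered."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n == canonical_key(apex):
        return q > o
    return o < q < n

def find_covering_nsec(chain, qname, apex):
    """Return the owner of the NSEC that covers qname, or None if no record
    covers it (e.g. the name exists, so a validator must reject an NXDOMAIN).
    Wildcard and closest-encloser checks (RFC 4035 section 5.4) are not modelled."""
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, qname, apex):
            return owner
    return None

if __name__ == "__main__":
    # The slide's query: coconut sorts between banana and grape
    print(find_covering_nsec(NSEC_CHAIN, "coconut.example.com.", "example.com."))
```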
Query for DNSSEC Records (2.1 – 2.5)
$ dig +dnssec +multi @a.iana-servers.net example.com
  (+dnssec: include DNSSEC records in response (e.g., RRSIG); +multi: present response in multi-line format with comments, for readability)
$ dig +dnssec +multi @a.iana-servers.net example.com DNSKEY
  (query for records of type “DNSKEY” (DNSSEC public key) instead of the default, “A” (address))
$ dig +dnssec +multi @a.gtld-servers.net example.com DS
  (query a “parent” server because we’re seeking a DS record)
$ dig +dnssec +multi example.com
$ dig +dnssec +multi @a.iana-servers.net foobar.example.com
Query for DNSSEC Records (RRSIGs)
Query for DNSSEC Records (DNSKEY)
Query for DNSSEC Records (DS)
Query for DNSSEC Records
Query for DNSSEC Records (NSEC)
DNSViz
DNS Analysis Using DNSViz (dnsviz probe command line)
• Queries issued – IPv4/IPv6 UDP/TCP
  • Referral queries – to learn delegation NS records from parent
  • NS queries – to learn authoritative NS records
  • DNSKEY/DS queries – for building a DNSSEC chain
  • A/AAAA/TXT/MX/SOA queries
  • Diagnostic queries (special handling of errors, etc.)
[Figure: “$ dnsviz probe example.com” performs the online analysis, following referrals from “.” through “com” to “example.com”, and writes the serialized online analysis (JSON) to output.json]
DNS Analysis Using DNSViz (dnsviz grok/graph/print command line)
• Responses analyzed (offline)
  • Responsiveness
    • Query timeouts
    • Network errors
    • EDNS/fragmentation capabilities
  • Consistency
    • Across servers
    • Between DNSKEY/RRSIG
    • Between DNSKEY/DS
  • Correctness
    • RRSIG
      • Expiration/inception dates
      • Cryptographic signature
    • DS - Cryptographic hash
    • Negative responses
      • NSEC proof correctness
      • SOA record correctness
[Figure: output.json (serialized online analysis, JSON) is read by “$ dnsviz grok” → output-p.json (serialized offline analysis, JSON); by “$ dnsviz graph” → analysis graph (jpg, png, html); and by “$ dnsviz print” → color terminal/text output]
Analyze Using dnsviz probe (3.1 – 3.2)
$ dnsviz probe -A -a . -p example.com > example.com.json
  (-A: issue diagnostic queries to authoritative servers, rather than recursive servers; -a .: follow referrals from root (“.”) to analyze name; -p: make the output “pretty” (for readability); > example.com.json: store analysis in file called “example.com.json”)
$ medit example.com.json &
Analyze Using dnsviz grok (3.3 – 3.4)
$ dnsviz grok < example.com.json > example.com-p.json
  (read analysis from “example.com.json”; store analysis in file called “example.com-p.json”)
$ medit example.com-p.json
Analyze Using dnsviz grok (3.5 – 3.6)
$ dnsviz grok -l info < example.com.json > example.com-p1.json
  (-l info: show only information that is of priority “info” or higher)
$ medit example.com-p1.json
Analyze Using dnsviz grok (3.7)
$ dnsviz grok -l error < example.com.json
  (-l error: show only information that is of priority “error” or higher; output (if any) is displayed on screen instead of being redirected to a file)
Analyze Using dnsviz graph (3.8 – 3.11)
$ dnsviz graph -Thtml -t /dev/null < example.com.json > example.com.html
  (-Thtml: output interactive HTML format; -t /dev/null: don’t use any trust anchor)
$ firefox example.com.html &
$ dnsviz graph -Thtml < example.com.json > example.com.html
$ firefox example.com.html &
Analyze Using dnsviz print (3.12 – 3.13)
$ dnsviz print -t /dev/null < example.com.json
  (-t /dev/null: don’t use any trust anchor)
$ dnsviz print < example.com.json
  (anchor trust with root KSK)
View dnsviz probe Output (three screenshot slides)
View dnsviz grok Output (five screenshot slides)
View dnsviz graph Output (three screenshot slides)
View dnsviz print Output (two screenshot slides)
Signing a DNS Zone
Setup Virtual DNS Environment (4.1 – 4.2)
[Figure: the VirtualBox guest hosts three UML guests]
Host$ ./start_all
(Wait for all three consoles to come up)
Change directory for all three consoles: root, tld1, sld1
$ cd /etc/bind
Setup Virtual DNS Environment (4.3)
[Figure: the VirtualBox guest hosts the UML guests “root1”, “tld1”, and “sld1”, connected to the host through virtual switches]
$ ./dns_change_root local
(point DNS root hints and trusted keys to internal root server)
Analyze example.com in Local Environment (4.4 – 4.6)
$ dnsviz probe -A -a . -p example.com | dnsviz graph -Thtml -O
  (pipe results directly to dnsviz graph, rather than redirecting to file; -O: output analysis to file named “example.com.html”)
$ ./dnsviz_analyze example.com
  (script included for simplification)
$ firefox example.com.html &
View dnsviz graph Output
Add Records to example.com Zone (5.1 – 5.4)
• Add A records for names “a”, “c”, and “e” (on sld1) (hint: see existing record for “www”)
# nano zones/db.example.com
or
# vi zones/db.example.com
• Check zone
# named-checkzone example.com zones/db.example.com
• Reload zone
# service bind9 reload
• Check that record shows up (query from VirtualBox guest)
$ dig @sld1 a.example.com
Add Records to example.com Zone (two screenshot slides)
Create DNSSEC Keys for example.com Zone (6.1 – 6.3)
(on sld1)
# KSK=`dnssec-keygen -n ZONE -f KSK -a RSASHA256 -b 2048 -r /dev/urandom example.com`
  (-f KSK: set the “SEP” bit for this DNSKEY; -a RSASHA256: use algorithm RSASHA256 for signing; -b 2048: create a 2048-bit key)
# ZSK=`dnssec-keygen -n ZONE -a RSASHA256 -b 1024 -r /dev/urandom example.com`
  (no “SEP” bit here; -b 1024: create a 1024-bit key)
# ls $KSK* $ZSK*
Add DNSKEY Records to example.com Zone (6.4 – 6.9)
• Look at DNSKEY records (on sld1):
# cat $KSK.key $ZSK.key
• Add DNSKEY records to zone
# cat $KSK.key $ZSK.key >> zones/db.example.com
• Reload zone
# service bind9 reload
• Re-analyze
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
Create DNSSEC keys for example.com Zone (two screenshot slides)
View dnsviz graph Output: DNSKEYs with no RRSIGs
View dig Output: no AD bit
Sign Records in example.com Zone (7.1 – 7.4)
• Sign zone (sld1)
# dnssec-signzone -r /dev/urandom -k $KSK -o example.com zones/db.example.com $ZSK
  (-r /dev/urandom: use pseudo-random entropy source (not for production use); -k $KSK: sign only DNSKEY records with this key; $ZSK: sign entire zone with this key)
• Point named.conf to signed zone file
# sed -i -e 's:/db.example.com:&.signed:' named.conf.local
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz graph Output: Signed example.com Zone
View dig Output: no AD bit
Generate DS Records for example.com (8.1 – 8.2) (on sld1)
# dnssec-dsfromkey $KSK
Add DS Records for example.com (8.3a – 8.3c) (on tld1)
# nano zones/dsset-example.com.
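An added example (written for this page; not code from the tutorial or from DNSViz) showing what dnssec-dsfromkey computes and what a validator, and dnsviz in the DS mismatch exercise later (9.12 – 9.15), checks: the RFC 4034 key tag and the SHA-256 DS digest over the owner name and DNSKEY RDATA. The key material is constructed placeholder bytes rather than real RSA keys; everything else follows the RFC.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical wire form (lower case, length-prefixed labels,
    terminating zero length), as RFC 4034 section 5.1.4 requires for the DS digest."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey_b64, protocol=3):
    """DNSKEY RDATA: flags (257 = zone key + SEP bit, i.e. a KSK; 256 = ZSK),
    protocol (always 3), algorithm (8 = RSASHA256 as in the exercises), key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the number dnssec-dsfromkey prints first."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA, hex encoded."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def ds_matches(ds_hex, owner, rdata):
    """The chain-of-trust check: does the parent's DS match the child's KSK?"""
    return ds_hex.lower() == ds_digest(owner, rdata)

# Constructed key material (placeholder bytes, not real RSA keys): the original
# KSK and the replacement NEWKSK from the exercises.
KSK_RDATA = dnskey_rdata(257, 8, "AQIDBA==")
NEWKSK_RDATA = dnskey_rdata(257, 8, "BQYHCA==")
# The DS the parent (com) holds for the original KSK
PARENT_DS = ds_digest("example.com.", KSK_RDATA)

if __name__ == "__main__":
    print("KSK key tag", key_tag(KSK_RDATA), "DS", PARENT_DS)
    print("parent DS still matches after signing with NEWKSK only?",
          ds_matches(PARENT_DS, "example.com.", NEWKSK_RDATA))
```

Until the parent publishes a DS for NEWKSK, the second check is False, which is exactly the “DS mismatch” (and resulting SERVFAIL) that the later exercise provokes.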
Sign Records in “example.com” Zone (8.4)
• Check DS consistency before they are deployed (preview)
• Re-analyze
$ ./dnsviz probe -A -a . \
    -N example.com:a.local-sld-servers.net \
    -D example.com:zones/dsset-example.com. \
    -p example.com | dnsviz graph -Thtml -O
$ firefox example.com.html &
Sign Records in “example.com” Zone (8.5 – 8.6)
• Sign zone (on tld1)
# ./resign_tld
• Re-analyze
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
Preview dnsviz graph Output: Full Chain of Trust
View dnsviz graph Output: Full Chain of Trust
View dig Output: AD bit
Fun with DNSViz
Use KSK to Only Sign DNSKEY RRset (9.1 – 9.3)
# dnssec-signzone -x -r /dev/urandom -k $KSK -o example.com zones/db.example.com $ZSK
  (-x: don’t sign zone data with KSK)
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz graph Output: KSK-only
View dig Output: AD bit
Add New KSK to example.com Zone (9.4 – 9.8)
• Generate new KSK:
# NEWKSK=`dnssec-keygen -n ZONE -f KSK -a RSASHA256 -b 2048 -r /dev/urandom example.com`
# cat $NEWKSK.key >> zones/db.example.com
• Re-sign zone:
# dnssec-signzone -x -r /dev/urandom -k $KSK -o example.com zones/db.example.com $ZSK
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz graph Output: Standby KSK
View dig Output: AD bit
Add New KSK to example.com Zone (9.9 – 9.11)
• Re-sign zone with two KSKs:
# dnssec-signzone -x -r /dev/urandom -k $KSK -k $NEWKSK -o example.com zones/db.example.com $ZSK
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz graph Output: Multiple KSKs
View dig Output: AD bit
Change KSK for example.com Zone (9.12 – 9.13)
• Sign with only the second KSK:
# dnssec-signzone -x -r /dev/urandom -k $NEWKSK -o example.com zones/db.example.com $ZSK
$ dnsviz probe -A -a . -x example.com:zones/db.example.com.signed -p example.com | dnsviz graph -Thtml -O
$ firefox example.com.html &
Change KSK for example.com Zone (9.14 – 9.15)
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
$ dig +noall +comment +ad example.com
View dnsviz graph Output: DS Mismatch
View dig Output: SERVFAIL
Tamper with Record Content (9.16 – 9.18)
• Change SOA record:
# sed -i -e 's/root.localhost/root1.localhost/' zones/db.example.com.signed
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
View dnsviz graph Output: Invalid Signatures
Change RRSIG Expiration (9.19 – 9.22)
• Set the RRSIG expiration explicitly to 1 second from “now”
# dnssec-signzone -x -e now+1 -r /dev/urandom -k $NEWKSK -o example.com zones/db.example.com $ZSK
• Manipulate (again) SOA record
# sed -i -e 's/root.localhost/root1.localhost/' zones/db.example.com.signed
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
View dnsviz graph Output: Expired RRSIGs
Remove RRSIGs (9.23 – 9.26)
• Remove RRSIG covering AAAA record (on sld1)
# nano zones/db.example.com.signed
or
# vi zones/db.example.com.signed
• Check zone
# named-checkzone example.com zones/db.example.com.signed
• Reload zone
# service bind9 reload
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
Remove RRSIG for AAAA Record from Zone
View dnsviz graph Output: Missing RRSIGs
Modify TCP Connectivity (9.27 – 9.28)
• Reject TCP connection requests
# ip6tables -A INPUT -m state --state NEW -p tcp --dport 53 -j REJECT
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
View dnsviz graph Output: No TCP
Modify Path MTU (9.29 – 9.30)
• Drop UDP responses with payloads larger than 512 bytes
# iptables -A OUTPUT -p udp --sport 53 -m length --length 540:65535 -j DROP
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
View dnsviz graph Output: Low PMTU
Add Lame Delegation (9.31 – 9.33)
• Add second delegation NS record for example.com in com zone (on tld1)
# nano zones/db.com
or
# vi zones/db.com
• Sign com zone (on tld1)
# ./resign_tld
$ ./dnsviz_analyze example.com
$ firefox example.com.html &
Add Second NS Record for example.com
View dnsviz graph Output: Lame Delegation
Graph Only Select RRsets (9.34)
$ dnsviz graph -R A,AAAA -Thtml -O < example.com-working.json
  (-R A,AAAA: only graph A and AAAA RRsets)
$ firefox example.com.html &
View dnsviz graph Output: Select RRsets
Analyze with dnsviz print (9.35)
$ dnsviz print -R A,AAAA < example.com-working.json
View dnsviz graph Output: Select RRsets
DNSViz Recursive Server Analysis
Analyze example.com on Recursive Server (10.1)
$ dnsviz probe example.com | dnsviz graph -Thtml -O
  (no “-A” option means query recursive servers)
$ firefox example.com.html &
View dnsviz graph Output: Recursive
DNSViz Programmatic Analysis
dnsviz probe Revisited (11.1)
$ medit example.com-working.json &
or
$ vi example.com-working.json
View dnsviz probe Output: Diagnostic Query History (two screenshot slides)
dnsviz grok Revisited (10.3 – 10.4)
$ dnsviz grok -l warning -p < example.com-broken.json > example.com-working-p.json
$ medit example.com-working-p.json &
or
$ vi example.com-working-p.json
View dnsviz grok Output: Errors, Warnings, Statuses (three screenshot slides)
Monitoring with DNSViz
• Sample script uses combination of dnsviz grok and dnsviz graph, e.g., for use with cron

#!/bin/sh
name=$1
date=`date +%Y%m%d%H%M%S`
probe_out=/tmp/$name-probe-$date.json
grok_out=/tmp/$name-grok-$date.json
graph_out=/tmp/$name-graph-$date.png
# Alert recipient; the address was cut off on the original slide, so it is
# taken from the MAILTO environment variable here.
mailto=${MAILTO:?set MAILTO to the alert recipient address}

# Online analysis against the authoritative servers (-A), quiet (-d 0)
dnsviz probe -A -d 0 -p $name > $probe_out
# Offline analysis, keeping only findings of priority "warning" or higher,
# so a non-empty grok output means there is something to report
dnsviz grok -l warning -p $name < $probe_out > $grok_out
if [ "$(stat -c %s $grok_out)" -gt 0 ]; then
    dnsviz graph -Tpng -o $graph_out $name < $probe_out
    gzip $probe_out
    cat $grok_out | \
        mutt -s "Problems with $name" -a $graph_out $grok_out.gz -- $mailto
fi
rm $probe_out* $grok_out $graph_out
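For the programmatic analysis and monitoring sections above, here is an added example (written for this page, not code from the tutorial or from DNSViz) that inspects the grok JSON itself and derives a cron exit status from the number of errors and warnings, rather than testing the output file's size. The sample document and its codes are constructed for the example; the only assumption about the grok schema is that findings are carried in lists named "errors" and "warnings" somewhere in the nested structure.

```python
import json

# Constructed sample in the rough shape of dnsviz grok output (made for this
# example; the exact schema is not shown on the slides). The codes and
# descriptions are placeholders.
SAMPLE_GROK = json.loads("""
{"example.com": {
  "status": "BOGUS",
  "queries": {
    "example.com/A": {"answer": [
      {"status": "BOGUS",
       "errors": [{"code": "RRSIG_EXPIRED", "description": "RRSIG for example.com/A has expired"}]}]},
    "example.com/AAAA": {"answer": [
      {"status": "SECURE",
       "warnings": [{"code": "SAMPLE_WARNING", "description": "placeholder warning"}]}]}
  }
}}
""")

def collect_findings(node, path=()):
    """Depth-first walk yielding (severity, path, code, description) for every item
    of an "errors" or "warnings" list, wherever it sits, so the check does not
    depend on the exact nesting grok uses."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in ("errors", "warnings") and isinstance(value, list):
                for item in value:
                    yield (key[:-1], "/".join(path), item.get("code"), item.get("description"))
            else:
                yield from collect_findings(value, path + (key,))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from collect_findings(item, path + (str(index),))

def summarize(grok_doc):
    """Counts per severity plus the findings themselves, for a report or alert mail."""
    findings = list(collect_findings(grok_doc))
    return {
        "errors": sum(1 for f in findings if f[0] == "error"),
        "warnings": sum(1 for f in findings if f[0] == "warning"),
        "findings": findings,
    }

def exit_status(grok_doc, fail_on_warning=False):
    """Exit code for a cron job: 2 on errors, 1 on warnings (if requested), else 0."""
    summary = summarize(grok_doc)
    if summary["errors"]:
        return 2
    if fail_on_warning and summary["warnings"]:
        return 1
    return 0
```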
Summary
• Understanding and analyzing DNS and DNSSEC can be complex.
• DiG, BIND, DNSViz, and other tools can aid in understanding, troubleshooting, and monitoring.
• Maintain and monitor your DNS zones!
Further Information on DNSViz
• Source: https://github.com/dnsviz/dnsviz (License: GPLv2)
• Online version: http://dnsviz.net/
• Mailing list: https://groups.google.com/d/forum/dnsviz-users