Modeling DNS Security: Misconfiguration, Availability, and Visualization
Casey Deccio
Sandia National Laboratories
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.
BYU Computer Science Dept. Colloquium
Sep 9, 2010
Criticality of the DNS
The DNS is the "phone book" for the Internet: domain name to IP address translation, mail server lookup, service discovery
Most Internet applications rely on DNS name resolution
[Diagram: Query: www.foo.com/A ? → Answer: 192.0.2.16]
Availability and security
DNS must be both available and accurate
Security was added as a retrofit
Security increases complexity
Troubleshooting is difficult
Misconfigurations abound, rendering name resolution unavailable
Examples: medicare.gov, nasa.gov, arpa
Objectives
Establish model and metrics for assessing availability of DNSSEC deployments
Quantify complexity that may increase potential for DNSSEC misconfiguration
Introduce techniques to mitigate effects of misconfiguration
Outline
DNS/DNSSEC background
DNSSEC availability model
DNS complexity analysis
Misconfiguration mitigation
DNSSEC visualization
Summary and future work
DNS namespace
Namespace is organized hierarchically
DNS root is top of namespace
Zones are autonomously managed pieces of DNS namespace
Subdomain namespace is delegated to child zones
[Diagram: the root (.) delegates com and net; com delegates bar.com and foo.com; net delegates baz.net]
DNS name resolution
Resolvers query authoritative servers
Queries begin at the root zone; resolvers follow downward referrals
Resolver stops when it receives an authoritative answer
[Diagram: stub resolver sends Query: www.bar.com/A ? to the recursive resolver, which follows referrals through the authoritative servers for ., com, and bar.com and returns Answer: 192.0.2.16]
DNS attacks
Tainted DNS responses can direct users to malicious services
To forge DNS responses, an attacker must guess the query ID and UDP source port and arrive before the legitimate response
Attacker's success rate is increased by eliciting queries from the resolver and sending a large number of responses
[Diagram: attacker races the authoritative servers to answer the recursive resolver's Query: www.bar.com/A ? with Answer: ??]
DNS Security Extensions (DNSSEC)
DNS data signed with private keys for authentication
Signatures (RRSIGs) and public keys (DNSKEYs) published in zone data
Resolver response: if authentic, the Authenticated Data (AD) bit is set; if bogus, a SERVFAIL message is returned
[Diagram: the stub resolver asks the recursive/validating resolver for www.bar.com/A; the resolver queries the authoritative server for www.bar.com/A (Answer: 192.0.2.16 + RRSIG) and for bar.com/DNSKEY (Answer: DNSKEY… + RRSIG), validates, and returns Answer: 192.0.2.16 with AD set]
Chain of trust
DNSKEY must be authenticated
Resolver must have some notion of trust
Trust extends through ancestry to a trust anchor at resolver
DS resource record – provides digest of DNSKEY in child zone
[Diagram: the resolver's trust anchor authenticates the root DNSKEY; the root's DS digests the com DNSKEY; com's DS digests the bar.com DNSKEY; each zone's DNSKEY signs its own zone data]
Insecure delegations
If child zone is unsigned, resolver must be able to prove it is insecure
NSEC resource records provide proof of absence of DS
[Diagram: the chain runs from the resolver's trust anchor through the root DNSKEY and DS to the net DNSKEY; net publishes an NSEC proving there is no DS for baz.net, whose zone data is unsigned]
DNSSEC maintenance
RRSIGs must be periodically resigned to prevent expiration
DNSKEYs must be periodically rolled (replaced) to avoid prolonged exposure
Rollovers involving DS RRs must be coordinated with parent zones
Authoritative servers must serve consistent data
Classes of DNSSEC misconfiguration
Zone misconfigurations: missing, expired, or bogus RRSIG; missing DNSKEYs
Delegation misconfigurations: no DNSKEY in child matching any DS in parent; missing NSEC RRs for insecure delegation
Trust anchor misconfiguration: stale trust anchor at resolver
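An added example, not from the talk or from any tool it mentions, that checks the delegation-class case above ("no DNSKEY in child matching any DS in parent") by recomputing DS digests from a child's DNSKEY RRset per RFC 4034; the DNSKEY bytes and DS records used in the test are constructed, not real keys:

```python
import hashlib
import struct

# Added example (not from the talk): check the delegation-class
# misconfiguration "no DNSKEY in child matching any DS in parent" by
# recomputing each DS digest from the child's DNSKEY RRset (RFC 4034).

DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest type -> hash


def name_to_wire(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B; not for algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest field: hash(owner wire name || DNSKEY RDATA)."""
    return hashlib.new(DIGEST_ALGS[digest_type], name_to_wire(owner) + rdata).digest()


def matching_ds(owner, dnskeys, ds_records):
    """Return (key_tag, algorithm, digest_type) of each parent DS that some
    child DNSKEY reproduces.

    dnskeys:    (flags, protocol, algorithm, pubkey) tuples from the child zone
    ds_records: (key_tag, algorithm, digest_type, digest) tuples from the parent
    """
    matched = []
    for tag, alg, dtype, digest in ds_records:
        for flags, proto, kalg, pub in dnskeys:
            rdata = dnskey_rdata(flags, proto, kalg, pub)
            if (kalg == alg and key_tag(rdata) == tag
                    and ds_digest(owner, rdata, dtype) == digest):
                matched.append((tag, alg, dtype))
                break
    return matched


def delegation_status(owner, dnskeys, ds_records):
    """'insecure' when the parent has no DS (an NSEC proof is needed instead),
    'secure' when at least one DS matches a child DNSKEY, otherwise 'broken'."""
    if not ds_records:
        return "insecure"
    return "secure" if matching_ds(owner, dnskeys, ds_records) else "broken"
```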
Failure potential
Probability of bogus validation
Based on fraction of responsive authoritative servers serving bogus or incomplete data
Resolvers will retry if a server is non-responsive
Not all resolvers will retry if a server responds with bogus data
Assumption: resolver queries any authoritative server with equal probability
[Diagram: recursive/validating resolver querying bar.com authoritative servers, each valid, bogus, or non-responsive]
$P_f(z) = \frac{|\mathit{bogus\_servers}|}{|\mathit{responsive\_servers}|}$
Failure potential
Formula extends to chain of trust in ancestor zones
Failure potential of each zone is combined independently of one another
[Diagram: recursive/validating resolver and the authoritative servers for ., com, and bar.com]
$P_{fr}(z) = 1 - \prod_{i=z}^{\mathit{anchor}} \bigl(1 - P_f(i)\bigr)$
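The two formulas worked through in code, as an added example that is not part of the talk: $P_f(z)$ per zone and $P_{fr}(z)$ over the chain, plus a variant for a resolver that keeps trying alternative servers (the validation diligence the talk describes later). The server status tables are constructed; the handling of a zone with no responsive server is an assumption.

```python
# Added example (not from the talk): per-zone failure potential P_f(z) and
# the chain-of-trust combination P_fr(z) over constructed status tables.


def failure_potential(statuses):
    """P_f(z) = |bogus_servers| / |responsive_servers|.

    statuses: one entry per authoritative server of the zone, each
    "valid", "bogus" or "nonresponsive". Non-responsive servers are left
    out of the denominator because the resolver simply retries elsewhere.
    """
    responsive = [s for s in statuses if s != "nonresponsive"]
    if not responsive:
        return 1.0  # assumption: no responding server means resolution fails
    return sum(1 for s in responsive if s == "bogus") / len(responsive)


def diligent_failure_potential(statuses):
    """Variant for a resolver that keeps trying alternative servers after a
    bogus answer (validation diligence): the zone fails only when every
    responsive server is bogus."""
    responsive = [s for s in statuses if s != "nonresponsive"]
    return 1.0 if all(s == "bogus" for s in responsive) else 0.0


def chain_failure_potential(chain, per_zone=failure_potential):
    """P_fr(z) = 1 - prod_{i=z}^{anchor} (1 - P_f(i)).

    chain: list of (zone, statuses) ordered from the queried zone up to the
    zone holding the resolver's trust anchor; zones fail independently.
    """
    survive = 1.0
    for _zone, statuses in chain:
        survive *= 1.0 - per_zone(statuses)
    return 1.0 - survive


# Constructed status tables: bar.com has one valid, one bogus and one
# non-responsive server; com is clean; one of four root servers is bogus.
CHAIN = [
    ("bar.com", ["valid", "bogus", "nonresponsive"]),
    ("com", ["valid", "valid", "valid", "valid"]),
    (".", ["valid", "valid", "bogus", "valid"]),
]

if __name__ == "__main__":
    for zone, statuses in CHAIN:
        print(f"P_f({zone}) = {failure_potential(statuses):.3f}")
    print(f"P_fr(bar.com) = {chain_failure_potential(CHAIN):.3f}")
    print(f"with diligence = {chain_failure_potential(CHAIN, diligent_failure_potential):.3f}")
```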
DNSSEC Deployment Survey
Polled ~1500 production signed zones over a six-week period
Recorded validation errors resulting from misconfiguration
Statistic                                                    Value
Production signed zones polled                               1,456
Total misconfigurations resulting in certain failure           194
Zone-class misconfigurations                             134 (69%)
Delegation-class errors resulting in certain failure      60 (31%)
Errors (any class) caused by misconfigured ancestor zones 61 (31%)
Failure Potential of Zones
[Chart: failure potential of the surveyed zones]
Complexity analysis
Complexity creates potential for misconfiguration
Hierarchical complexity: size of ancestry (zone depth)
Administrative complexity: servers administered by distinct organizations
[Diagram: zone ancestry . → com → bar.com, each zone served by its own set of authoritative servers]
Hierarchical reduction potential
If ancestry might reasonably be consolidated, what is the reduction?
Ancestry reduced, but original namespace can be preserved
[Diagram: ancestry . → com → bar.com → sub.bar.com consolidated into . → com → bar.com]
$\mathit{HRP} = \frac{|\mathit{orig\_zones}| - |\mathit{consolidated\_zones}|}{|\mathit{orig\_zones}|} = 0.25$
Administrative Complexity
How diverse is the set of organizations administering a zone?
Complexity measured by random sampling (with replacement) of authoritative servers to determine the probability that two organizations are selected
[Diagram: bar.com served by ns.bar.com and me.baz.net, administered by two different organizations]
$\mathit{AC} = 1 - \sum_{o \in \mathit{orgs}} \left(\frac{|\mathit{servers}(o)|}{|\mathit{all\_servers}|}\right)^2 = 0.5$
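Both metrics from the two preceding slides, hierarchical reduction potential and administrative complexity, as an added example that is not part of the talk; the inputs are constructed to reproduce the slide values, and the rule that a name server belongs to the organization owning the domain it is named under is an assumption.

```python
from collections import Counter

# Added example (not from the talk): the two complexity metrics, with
# constructed inputs that reproduce the values shown on the slides.


def hierarchical_reduction_potential(orig_zones, consolidated_zones):
    """HRP = (|orig_zones| - |consolidated_zones|) / |orig_zones|."""
    if not orig_zones:
        raise ValueError("ancestry must contain at least one zone")
    if not set(consolidated_zones) <= set(orig_zones):
        raise ValueError("consolidation may only merge zones, not add new ones")
    return (len(orig_zones) - len(consolidated_zones)) / len(orig_zones)


def administrative_complexity(server_orgs):
    """AC = 1 - sum over organizations o of (|servers(o)| / |all_servers|)^2.

    server_orgs maps each authoritative server to the organization that
    administers it. The sum is the probability that two servers drawn with
    replacement belong to the same organization, so AC is the probability
    that two distinct organizations are selected.
    """
    total = len(server_orgs)
    if total == 0:
        raise ValueError("zone must have at least one authoritative server")
    per_org = Counter(server_orgs.values())
    same_org = sum((n / total) ** 2 for n in per_org.values())
    return 1.0 - same_org


# Constructed inputs mirroring the slides. Assumption: a name server is
# administered by the organization owning the domain it is named under.
BAR_ANCESTRY = [".", "com", "bar.com", "sub.bar.com"]
BAR_CONSOLIDATED = [".", "com", "bar.com"]  # sub.bar.com folded into bar.com
BAR_SERVERS = {"ns.bar.com": "bar.com", "me.baz.net": "baz.net"}

if __name__ == "__main__":
    print("HRP =", hierarchical_reduction_potential(BAR_ANCESTRY, BAR_CONSOLIDATED))
    print("AC  =", administrative_complexity(BAR_SERVERS))
```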
Hierarchical Reduction Potential
[Chart: hierarchical reduction potential of the surveyed zones]
Administrative complexity
[Chart: administrative complexity of the surveyed zones]
Avoiding and mitigating effects of misconfiguration
Follow best-practice operational standards (RFCs): key rollover procedures, trust anchor rollover procedures
Validation diligence: resolver keeps trying alternative authoritative servers to find a valid response
Optimality can be difficult: where is the break in the chain?
Implemented in BIND 9
Soft anchoring
DNSKEYs typically don't change often
Resolvers configured with "hard" (traditional) trust anchors
"Soft" anchors are derived from DNSKEYs authenticated from existing hard anchors
[Diagram: chain of trust . → com → bar.com; the resolver holds a hard anchor for the root DNSKEY and soft anchors for the com and bar.com DNSKEYs]
Impact of soft anchoring
Resolution not inhibited by: zone-class misconfigurations in ancestry; delegation-class misconfigurations
[Diagram: same chain of trust; the soft anchors for com and bar.com let the resolver validate bar.com data without depending on the links above them]
Maintaining soft anchors
Resolvers follow a procedure similar to that used for rolling hard trust anchors (RFC 5011)
Resolver periodically polls the soft anchor zone
Soft anchor addition: newly authenticated DNSKEYs persist for a "hold down" period; new DNSKEY seen with corresponding DS
Soft anchor removal: delegation to soft anchor made insecure; DNSKEY is revoked; DNSKEY and its DS RR are removed
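The addition and removal rules above as a small state machine, added here as an example and not code from the talk or from BIND; the 30-day hold-down, the shape of the polled key records, and treating a DNSKEY's disappearance from the RRset as the "DNSKEY and its DS removed" trigger are assumptions.

```python
HOLD_DOWN = 30 * 24 * 3600  # assumed hold-down: 30 days, as in RFC 5011's default


class SoftAnchorStore:
    """Tracks soft anchors per zone; timestamps are seconds."""

    def __init__(self):
        self.anchors = set()  # (zone, key_id) currently trusted as soft anchors
        self.pending = {}     # (zone, key_id) -> time the key was first seen

    def zone_anchors(self, zone):
        return {kid for z, kid in self.anchors if z == zone}

    def poll(self, zone, now, keys, delegation_secure=True):
        """Process one poll of a soft-anchor zone and return its anchors.

        keys: DNSKEYs that validated through the existing chain of trust,
              each {"id": int, "has_ds": bool, "revoked": bool} (assumed shape).
        delegation_secure: False once the parent no longer publishes a DS
              for the zone (delegation made insecure): all its anchors go.
        """
        if not delegation_secure:
            self.anchors = {a for a in self.anchors if a[0] != zone}
            self.pending = {k: t for k, t in self.pending.items() if k[0] != zone}
            return set()
        seen = set()
        for key in keys:
            kid = (zone, key["id"])
            if key["revoked"]:  # removal: DNSKEY is revoked
                self.anchors.discard(kid)
                self.pending.pop(kid, None)
                continue
            seen.add(kid)
            if kid in self.anchors:
                continue
            first = self.pending.setdefault(kid, now)  # hold-down starts at first sight
            # addition: hold-down elapsed and a matching DS exists in the parent
            if key["has_ds"] and now - first >= HOLD_DOWN:
                self.anchors.add(kid)
                del self.pending[kid]
        # removal: DNSKEY (and its DS) no longer published in the zone (assumed trigger)
        for kid in [a for a in self.anchors if a[0] == zone and a not in seen]:
            self.anchors.discard(kid)
        for kid in [p for p in self.pending if p[0] == zone and p not in seen]:
            del self.pending[kid]
        return self.zone_anchors(zone)
```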
Soft anchoring limitations
Doesn’t help when misconfigurations are at or below the bottom “link” in the chain of trust
Resolver must have authenticated soft anchors through valid chain of trust before misconfiguration
Scalability: maintenance overhead of all trust anchors may be intense; a least-recently-used policy may help
DNSSEC Visualization
Live analysis of DNS authentication chain at: http://dnsviz.net/
[Screenshot: DNSViz authentication-chain graph]
arpa: the “root” of reverse name resolution
RRSIG expired, invalidating NSEC necessary to prove insecure delegation
Some authoritative servers for kiae.ru not serving RRSIGs
Some authoritative servers for dshield.org have expired RRSIGs
medicare.gov: missing appropriate DNSKEY, resulting in broken delegation
Misconfiguration in a complex system of DNS dependencies
Summary
DNS responses must be both accurate and available
DNSSEC deployment requires careful deployment and maintenance
Soft anchoring can mitigate effects of misconfiguration
DNSSEC visualization helps understanding and troubleshooting
Future work
Internet draft of soft anchoring to gain community support
Improved usability of DNS visualization tool: monitoring and alerting; better analysis of server inconsistencies
Acknowledgements
Jeff Sedayao, Krishna Kant at Intel Corporation
Prasant Mohapatra at UC Davis
Visualization components
Domain name
DNSKEY/DS RR, with DNSKEY attributes: SEP, Revoke, Published; Missing
NSEC proving non-existence of DS RRs (insecure delegation); Missing
Trust anchor
Visualization components (continued)
Alias dependency
Signature or digest: Valid, Bogus, Expired
Delegation: Secure, Bogus, Insecure, Misconfigured
Proof of insecure delegation: Sufficient, Insufficient, Missing
The bottom line
Status of nodes in graph, based on chain of trust: Secure, Insecure, Bogus