-
The Importance of Being an Earnest stub
Challenges and solutions for the versatile stub
Willem Toorop, 13 May 2017
OARC 26 (Madrid)
-
The Importance of Being an Earnest stub – OARC 26 2/45 Willem Toorop (NLnet Labs)
From the ground-up security
● Every “secure” connection is preceded by a DNS lookup
● The stub does the lookup at the request of the application
The recursive resolver does all the heavy lifting
[Figure: the browser (application) asks the OS stub for dns-oarc.net A; the stub forwards the query to the recursive resolver, which queries the authoritative servers for ., net and dns-oarc.net and returns 64.191.0.198; the browser then connects to WebSrv over https]
-
Slide 3/45
From the ground-up security
● DNSSEC protects against cache poisoning
[Figure: the same lookup through a validating recursive resolver; a poisoning attempt tries to inject dns-oarc.net = 6.6.6.1 into the resolver's cache, and validation rejects it]
-
Slide 4/45
From the ground-up security
● DNSSEC protects against cache poisoning
● But not against resolver hijacking (i.e. ARP or DHCP hijacking or routing tricks)
[Figure: the stub's query dns-oarc.net A? is diverted to a hijacking resolver, which answers 6.6.6.1, and the browser connects to the wrong WebSrv over http; the path between stub and recursive resolver is labelled THE FIRST/LAST MILE]
-
Slide 5/45
From the ground-up security
● DNSSEC protects against cache poisoning
● But not against resolver hijacking
● One possibility: DNSSEC on the stub
[Figure: the stub validates itself, fetching the A record plus DNSKEY and DS records for dns-oarc.net, net and . through a DNSSEC-aware recursive resolver, so the first/last mile is covered]
-
Slide 6/45
From the ground-up security/privacy
● DNSSEC protects against cache poisoning
● But not against resolver hijacking
● Another possibility: DNS over TLS
[Figure: the first/last mile between the stub and the validating recursive resolver is carried over TLS; dns-oarc.net A → 64.191.0.198; the browser connects to WebSrv over https]
-
Slide 7/45
From the ground-up security/privacy
● TLS hijacking? Is that possible?!
● Durumeric, Zakir, et al. "The Security Impact of HTTPS Interception." Network and Distributed Systems Symposium (NDSS’17). 2017. https://www.internetsociety.org/doc/security-impact-https-interception
Applies to DNS over TLS too
[Figure: an interception point sits both on the https connection to WebSrv and on the TLS connection between the stub and the validating recursive resolver]
-
Slide 8/45
From the ground-up security/privacy
● Strengthen TLS security with the stub: DANE (DNS-based Authentication of Named Entities)
● Also a signalling system for TLS support (for applications without user interaction)
-
Slide 9/45
From the ground-up security/privacy
● Bootstrap the TLSA lookup with regular DNS?
[Figure: the stub talks to the validating recursive resolver over TLS (dns-oarc.net A → 64.191.0.198), with the question: Authenticate DNS-over-TLS with DANE?]
-
Slide 10/45
From the ground-up security/privacy
● Bootstrap the TLSA lookup with regular DNS?
– Chicken and egg problem
[Figure: to authenticate DNS-over-TLS to getdnsapi.net with DANE, the stub needs _853._tcp.getdnsapi.net TLSA plus the DNSKEY/DS chain for getdnsapi.net, net and . from a DNSSEC-aware recursive resolver, before the TLS connection to that resolver exists]
-
Slide 11/45
From the ground-up security/privacy
● Bootstrap the TLSA lookup with regular DNS?
● Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension
https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension
[Figure: the TLS server hands the stub _853._tcp.getdnsapi.net TLSA, getdnsapi.net DNSKEY DS, net DNSKEY DS, . DNSKEY and their RRSIGs inside the TLS handshake]
-
Slide 12/45
From the ground-up security/privacy
● Bootstrap the TLSA lookup with regular DNS?
● Have the TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension
https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension
The TLS DNSSEC authentication chain extension must be obligatory, to prevent the “Too many CAs” problem
[Figure: as on the previous slide, the TLS server supplies the TLSA record and the DNSKEY/DS chain for getdnsapi.net, net and . with RRSIGs in the handshake]
-
Slide 13/45
From the ground-up security/privacy
● The stub is close to the application: inform it of the status of DNSSEC and DNS Privacy
[Figure: status indicator showing DNS Privacy status (Clear text DNS / Private DNS / Authenticated Private DNS) and DNSSEC availability]
-
Slide 14/45
From the ground-up security/privacy
● Enhanced privacy by round-robining upstreams (bonus feature)
[Figure: the stub spreads its queries round-robin over several validating recursive resolvers]
-
Slide 15/45
From the ground-up security/privacy
● Requirements for the versatile stub (capability columns: DNSSEC, DNS over TLS, Non address lookups API)
Cross the first DNSSEC mile: X
From the ground up Privacy: X
Strengthened TLS authentication (DANE): X X
Strengthened opportunistic TLS (DANE): X X
Provide status of DNSSEC & DNS over TLS: X
-
Slide 17/45
DNSSEC Roadblocks
● Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver
[Figure: the stub's DNSKEY/DS/A lookups for dns-oarc.net, net and . pass through a recursive resolver that is not DNSSEC aware]
-
Slide 18/45
DNSSEC Roadblocks
● Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver
● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027 + full recursion capability
[Figure: when the recursive resolver gets in the way of DNSSEC, the stub falls back to full recursion and queries the authoritative servers itself]
-
Slide 19/45
DNSSEC Roadblocks
● Resolving DNSSEC (to cross the first mile) needs a DNSSEC-aware recursive resolver
● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027 + full recursion capability
Does not apply to a first mile crossed by DNS-over-TLS
[Figure: with DNS-over-TLS, the TLSA record and the DNSKEY/DS chain for getdnsapi.net, net and . arrive with their RRSIGs in the TLS handshake, so roadblock avoidance is not needed]
-
Slide 20/45
DNSSEC Roadblocks
● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027
● IPv6 Address Synthesis Prefix Discovery https://tools.ietf.org/html/rfc7050 + DNS64 capability https://tools.ietf.org/html/rfc6147
[Figure: IPv6-only network with DNS64 and NAT64: the browser asks for twitter.com AAAA; the DNS64 resolver synthesizes 64:ff9b::68e0:2ac1 for the IPv4-only address 104.244.42.193, and the https connection is translated by NAT64]
-
Slide 21/45
DNSSEC Roadblocks
● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027
● IPv6 Address Synthesis Prefix Discovery https://tools.ietf.org/html/rfc7050 + DNS64 capability https://tools.ietf.org/html/rfc6147
[Figure: the same IPv6-only network with NAT64, but the stub talks to a privacy resolver instead of the network's DNS64, so the stub has to synthesize the addresses itself]
-
Slide 22/45
DNSSEC Roadblocks
● DNSSEC validating stubs must do RFC5011
[Figure: Root KSK Rollover]
-
Slide 23/45
DNSSEC Roadblocks
● DNSSEC validating stubs must do RFC5011
In-band RFC5011 tracking with the DNSSEC authentication chain TLS extension
[Figure: Root KSK Rollover; the stub receives _853._tcp.getdnsapi.net TLSA, getdnsapi.net DNSKEY DS, net DNSKEY DS, . DNSKEY and their RRSIGs in the TLS handshake, so the root DNSKEY RRset needed for RFC5011 tracking comes in-band]
-
Slide 24/45
DNSSEC Roadblocks
● DNSSEC validating stubs must do RFC5011
● A stub library for DANE has no system config + bootstrap DNSSEC capability: https://tools.ietf.org/html/rfc7958
● A stub library for DANE runs with the user's privileges
[Figure: Root KSK Rollover]
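Slides 22 to 24 say a validating stub must do RFC 5011 without showing what that involves. The following is an added example written for this page, not code from the slides or from any NLnet Labs library: it implements the RFC 5011 trust-anchor state machine (Start, AddPend, Valid, Missing, Revoked, Removed with the 30-day add and remove hold-downs) over a sequence of observed DNSKEY RRsets. It assumes the caller has already validated each RRset with a currently trusted anchor, and that a key presented as revoked also signed the RRset itself, as RFC 5011 requires; the initial anchor set is whatever the stub obtained out of band (for instance via RFC 7958). The key tags 19036 and 20326 in the usage note and test are those of the real root KSK-2010 and KSK-2017; 4242 is a constructed tag.

```python
from dataclasses import dataclass, field

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY      # RFC 5011 section 2.4: add hold-down time
REMOVE_HOLD_DOWN = 30 * DAY   # RFC 5011 section 2.4: remove hold-down time


@dataclass(frozen=True)
class Dnskey:
    """The parts of a DNSKEY record the RFC 5011 logic cares about."""
    key_tag: int
    sep: bool = True          # flags bit 15, Secure Entry Point
    revoked: bool = False     # flags bit 8, REVOKE (RFC 5011 section 2.1)


@dataclass
class TrustAnchorStore:
    """RFC 5011 state machine for the trust anchors of one zone (the root, for a stub).

    Precondition enforced by the caller, not here: each RRset passed to observe()
    validated with a currently trusted anchor, and a key flagged revoked also
    signed the RRset itself (RFC 5011 sections 2.2 and 2.3)."""
    states: dict = field(default_factory=dict)   # key_tag -> AddPend/Valid/Missing/Revoked/Removed
    timers: dict = field(default_factory=dict)   # key_tag -> time its hold-down started

    @classmethod
    def from_initial(cls, key_tags):
        """Start from configured anchors, e.g. those fetched via RFC 7958."""
        return cls(states={tag: "Valid" for tag in key_tags})

    def _set(self, tag, state, timer_start=None):
        if state == "Start":
            self.states.pop(tag, None)            # Start is the implicit 'unknown key' state
        else:
            self.states[tag] = state
        if timer_start is None:
            self.timers.pop(tag, None)
        else:
            self.timers[tag] = timer_start

    def observe(self, now, rrset):
        """Feed one validated DNSKEY RRset seen at time `now` (seconds)."""
        present = {k.key_tag: k for k in rrset}
        for tag, key in present.items():
            state = self.states.get(tag, "Start")
            if key.revoked:                                            # RevBit event
                if state in ("Valid", "Missing"):
                    self._set(tag, "Revoked", now)
                elif state == "AddPend":
                    self._set(tag, "Start")
            elif state == "Start" and key.sep:                         # NewKey event
                self._set(tag, "AddPend", now)
            elif state == "AddPend" and now - self.timers[tag] >= ADD_HOLD_DOWN:   # AddTime
                self._set(tag, "Valid")
            elif state == "Missing":                                   # KeyPres event
                self._set(tag, "Valid")
        for tag in [t for t in self.states if t not in present]:       # KeyRem events
            if self.states[tag] == "AddPend":
                self._set(tag, "Start")            # vanished before the hold-down: never trusted
            elif self.states[tag] == "Valid":
                self._set(tag, "Missing")
        for tag, state in list(self.states.items()):                   # RemTime events
            if state == "Revoked" and now - self.timers[tag] >= REMOVE_HOLD_DOWN:
                self._set(tag, "Removed")

    def trusted_key_tags(self):
        """Valid and Missing keys are both still trust anchors (RFC 5011 section 2.2)."""
        return sorted(tag for tag, state in self.states.items() if state in ("Valid", "Missing"))

    def state_of(self, tag):
        return self.states.get(tag, "Start")
```

A rollover then looks like: start with 19036 trusted, observe an RRset containing 19036 and 20326, and 20326 only becomes trusted once it has stayed in the validated RRset for the full 30-day add hold-down; a key that appears and disappears inside that window drops back to Start. When 19036 is later seen with the REVOKE bit it stops being trusted immediately and is forgotten after the remove hold-down.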
-
Slide 25/45
DNSSEC Roadblocks
DNSSEC stubs capability requirements:
DNSSEC validation: (various)
DNSSEC Roadblock Avoidance: RFC8027
IPv6 Prefix Discovery: RFC7050
IPv6 Address Synthesis: RFC6147
Automated Trust Anchor Updates: RFC5011
Automated Initial Trust Anchor retrieval: RFC7958
-
Slide 27/45
Requirements for DNS-over-TLS
● TCP fastopen (optional) https://tools.ietf.org/html/rfc7413
● Connection reuse https://tools.ietf.org/html/rfc7766
● EDNS0 keepalive https://tools.ietf.org/html/rfc7828
● EDNS0 padding https://tools.ietf.org/html/rfc7830
[Figure: the stub sends queries A and B to the privacy resolver over DNS-over-TLS, on a separate connection each versus reusing one connection]
-
Slide 28/45
Requirements for DNS-over-TLS
● Connection reuse (Q/R, Q/R, Q/R)
● Pipelining of queries (Q,Q,Q,R,R,R)
[Figure: queries A, B and C pipelined over a single DNS-over-TLS connection to the privacy resolver]
-
Slide 29/45
Requirements for DNS-over-TLS
● Connection reuse (Q/R, Q/R, Q/R)
● Pipelining of queries (Q,Q,Q,R,R,R)
● Process Out-Of-Order Responses (Q1, Q2, R2, R1)
[Figure: queries A, B and C pipelined over one DNS-over-TLS connection; the responses come back in a different order than the queries were sent]
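Slides 27 to 29 list what a DNS-over-TLS stub has to get right on the wire: two-octet framing with connection reuse (RFC 7766), the EDNS0 keepalive and padding options (RFC 7828, RFC 7830), pipelining, and matching responses that come back out of order. The following is an added example written for this page, not code from the slides or from any NLnet Labs project: it builds padded, keepalive-carrying queries, frames them for a TCP or TLS stream, and demultiplexes a byte stream of responses by query ID while checking that the echoed question is the one that was asked. The 468-octet query block size is the RFC 8467 recommendation; build_response() is a constructed stand-in for the resolver so the example runs offline, and 192.0.2.53 is a constructed address (64.191.0.198 is the one on the slides).

```python
import struct

EDNS_TCP_KEEPALIVE = 11   # EDNS0 option code, RFC 7828
EDNS_PADDING = 12         # EDNS0 option code, RFC 7830
QUERY_PAD_BLOCK = 468     # pad queries to a multiple of 468 octets (RFC 8467 recommendation)


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                          # compression pointer
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def build_query(qid, qname, qtype):
    """Query with an empty EDNS0 keepalive (as a client must send it) and padding."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)   # RD=1; one question, one OPT RR
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    options = struct.pack("!HH", EDNS_TCP_KEEPALIVE, 0)
    unpadded = len(header) + len(question) + 11 + len(options) + 4   # 11: OPT fixed part, 4: padding option header
    pad = (-unpadded) % QUERY_PAD_BLOCK
    options += struct.pack("!HH", EDNS_PADDING, pad) + b"\x00" * pad
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(options))  # root name, OPT, UDP size, flags
    return header + question + opt_rr + options


def frame(msg):
    """TCP/TLS framing: two-octet length prefix (RFC 7766)."""
    return struct.pack("!H", len(msg)) + msg


def parse_response(msg):
    qid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _owner, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                      # A record
            answers.append(".".join(str(b) for b in rdata))
    return qid, qname, qtype, answers


def demux(stream, pending):
    """Split a byte stream into framed responses and match each to a pending query.

    pending maps query ID -> (qname, qtype). Responses may arrive in any order, so the
    ID is the key and the echoed question is checked against what was asked. Returns
    (matched, leftover); leftover is a partial frame to prepend to the next read."""
    matched, off = {}, 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[off:off + 2])
        if off + 2 + length > len(stream):
            break
        qid, qname, qtype, answers = parse_response(stream[off + 2:off + 2 + length])
        off += 2 + length
        if pending.get(qid) != (qname, qtype):
            continue          # unknown ID or question mismatch: do not accept it as an answer
        matched[qid] = answers
        del pending[qid]
    return matched, stream[off:]


def build_response(query, ipv4):
    """Constructed stand-in for the resolver: echo the question, answer with one A record."""
    (qid,) = struct.unpack("!H", query[:2])
    _qname, off = decode_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ipv4.split("."))
    return header + question + answer
```

With two pipelined queries, a response stream carrying R2 followed by the first bytes of R1 yields the answer for query 2 and a leftover that is completed on the next read; a response whose ID or question is not pending is simply not matched.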
-
Slide 30/45
Requirements for DNS-over-TLS
● Strict or Opportunistic usage profiles? https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-09
1) Authenticated Private DNS
2) Private DNS
3) Clear text DNS
[Figure: the stub's first/last mile to the privacy resolver; dns-oarc.net A → 64.191.0.198; the browser connects to WebSrv over https]
-
Slide 31/45
Requirements for DNS-over-TLS
● Strict or Opportunistic usage profiles? https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-09
1) Authenticated Private DNS
2) Private DNS
3) Clear text DNS
RFC7858 (DNS-over-TLS) defined direct SPKI authentication only
[Figure: the stub's first/last mile to the privacy resolver; dns-oarc.net A → 64.191.0.198]
-
Slide 32/45
Requirements for DNS-over-TLS
● Regular PKIX authentication (bootstrap the address lookup with regular DNS(SEC))
[Figure: the stub first looks up getdnsapi.net A/AAAA through a DNSSEC resolver, then connects to the privacy resolver over TLS; dns-oarc.net A → 64.191.0.198]
-
Slide 33/45
Requirements for DNS-over-TLS
● Regular PKIX authentication
● Authenticate with DANE (stricter opportunistic with TLSA signalling)
[Figure: the stub fetches getdnsapi.net A plus its DNSKEY/DS chain through a DNSSEC-aware recursive resolver and validates it before connecting to the privacy resolver over TLS]
-
Slide 34/45
Requirements for DNS-over-TLS
● Regular PKIX authentication
● Authenticate with DANE
● DNSSEC authentication chain TLS extension
[Figure: the privacy resolver supplies _853._tcp.getdnsapi.net TLSA, getdnsapi.net DNSKEY DS, net DNSKEY DS, . DNSKEY and their RRSIGs in the TLS handshake, and the stub validates the chain itself]
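Slides 10 to 12 and 31 to 34 describe three ways a stub can authenticate its DNS-over-TLS resolver: the SPKI pins of RFC 7858, a TLSA record at _853._tcp.<name>, and the same TLSA record delivered inside the TLS handshake. However the TLSA record arrives, what the stub checks is the same, and the following added example, written for this page and not code from the slides or from any NLnet Labs library, shows that check: parsing a TLSA record from zone-file or wire form, matching it against the presented certificate chain for the usage, selector and matching type combinations of RFC 6698, deciding whether PKIX path validation is still required, and showing that an RFC 7858 SPKI pin is the base64 form of the same SHA-256 digest a "3 1 1" record carries in hex. SAMPLE_CERT and SAMPLE_SPKI are constructed placeholder bytes, not real DER; a real caller would take the DER certificate from the TLS session and extract the SubjectPublicKeyInfo with an ASN.1 parser.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 6698 section 2.1)."""
    usage: int        # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int     # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes       # certificate association data

    @classmethod
    def from_presentation(cls, text):
        """Parse '3 1 1 <hex>' as written in a zone file."""
        usage, selector, matching, hexdata = text.split(None, 3)
        return cls(int(usage), int(selector), int(matching), bytes.fromhex(hexdata.replace(" ", "")))

    @classmethod
    def from_wire(cls, rdata):
        """Parse RDATA as returned by the lookup of _853._tcp.<name> (or from the TLS extension)."""
        return cls(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))

    def to_presentation(self):
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"


def association_data(record, cert_der, spki_der):
    """Compute what the record's data field must equal for this certificate."""
    chosen = cert_der if record.selector == 0 else spki_der
    if record.matching == 0:
        return chosen
    if record.matching == 1:
        return hashlib.sha256(chosen).digest()
    if record.matching == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unknown matching type {record.matching}")


def match_tlsa(records, chain):
    """Return the first record matching the presented chain, or None.

    chain is a list of (cert_der, spki_der) pairs, end-entity first. Usages 1 and 3
    constrain only the end-entity certificate; usages 0 and 2 may match any
    certificate in the chain. Records with unknown field values are skipped, as
    RFC 6698 requires, instead of causing a match failure on their own."""
    for record in records:
        if record.usage not in (0, 1, 2, 3) or record.selector not in (0, 1):
            continue
        candidates = chain[:1] if record.usage in (1, 3) else chain
        for cert_der, spki_der in candidates:
            if hmac.compare_digest(association_data(record, cert_der, spki_der), record.data):
                return record
    return None


def pkix_validation_required(record):
    """Usage 0/1: the chain must also validate to a trust-store CA; usage 2: to the
    matched certificate as trust anchor; only usage 3 (DANE-EE) needs no PKIX path."""
    return record.usage != 3


def spki_pin(spki_der):
    """RFC 7858 section 4.2 style SPKI pin: base64 of the SHA-256 of the SPKI DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def spki_pin_matches(pin, spki_der):
    return hmac.compare_digest(base64.b64decode(pin), hashlib.sha256(spki_der).digest())


def tlsa_for_spki(spki_der):
    """The '3 1 1' record that publishes the same digest an RFC 7858 pin carries."""
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).digest())


# Constructed placeholder bytes, not a real certificate or key.
SAMPLE_CERT = b"constructed-certificate-der-placeholder"
SAMPLE_SPKI = b"constructed-spki-der-placeholder"
```

The digest comparison uses hmac.compare_digest so that a match decision does not leak timing; with a "3 1 1" record the stub needs no CA at all, which is the property slide 12 relies on when it makes the authentication chain extension obligatory.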
-
Slide 35/45
Requirements for DNS Privacy:
DNS-over-TLS: RFC7858
Reuse / Pipelining / OOOR: RFC7766
TCP Fastopen: RFC7413
EDNS0 keepalive: RFC7828
EDNS0 padding: RFC7830
PKIX support for authentication: (various)
DNSSEC support (for address lookup and authentication): (various)
-
Slide 37/45
Non address lookups - Application Interface
● getaddrinfo() and getnameinfo() (POSIX standard extended by RFC3493 for IPv6)
[Figure: Application → OS stub]
-
Slide 38/45
Non address lookups - Application Interface
● getaddrinfo() and getnameinfo() (POSIX standard extended by RFC3493 for IPv6)
● Talk to upstreams directly with a library: libresolv, libval, ldns, libunbound, libgetdns
● Learn upstreams from the OS: /etc/resolv.conf, NetworkManager, registry...
[Figure: the application links a stub library, which sits next to the OS stub]
-
Slide 39/45
Non address lookups - Application Interface
● getaddrinfo() and getnameinfo() (POSIX standard extended by RFC3493 for IPv6)
● Talk to upstreams directly with a library: libresolv, libval, ldns, libunbound, libgetdns
● Learn upstreams from the OS: /etc/resolv.conf, NetworkManager, registry...
Applications using the getaddrinfo() API will not get the versatile stub features (first DNSSEC mile coverage, DNS privacy)
[Figure: the application links a stub library, which sits next to the OS stub]
-
Slide 40/45
Non address lookups - Application Interface
● Stub server listening on 127.0.0.1:53
● getaddrinfo() and getnameinfo() use the system stub, which uses the stub server
[Figure: Application → OS stub → stub server (Stubby, Dnsmasq, Dnssec-Trigger)]
-
Slide 41/45
Non address lookups - Application Interface
● Stub server listening on 127.0.0.53:53
● getaddrinfo() and getnameinfo() use systemd-resolved via an nsswitch module
[Figure: Application → OS → systemd-resolved.service stub server]
-
Slide 42/45
Non address lookups - Application Interface
● Talk to the stub server via a library: libresolv, libval, ldns, libunbound, libgetdns
[Figure: the application's stub library talks to the stub server: systemd-resolved.service (systemd-resolved on 127.0.0.53:53), Stubby, Dnsmasq or Dnssec-Trigger]
-
Slide 44/45
Non address lookups - Application Interface
● Talk to the stub server via the dbus API https://www.freedesktop.org/wiki/Software/systemd/resolved/
[Figure: Application → dbus API → systemd-resolved.service stub server]
-
Slide 45/45
The Importance of Being an Earnest stub