The Importance of Being an Earnest stub - NLnet LabsWillem Toorop (NLnet Labs) The Importance of...

The Importance of Being an Earnest stub

Challenges and solution for the versatile stub

Willem Toorop13 May 2017

OARC 26 (Madrid)

The Importance of Being an Earnest stub – OARC 26 2/45Willem Toorop (NLnet Labs)

From the ground-up security

● Every “secure” connection is preceded by a DNS lookup● The stub does the lookup at the request of the application

The recursive resolver does all the heavy lifting

Recursiveresolver

Authoritativenet

Authoritative.

Authoritativedns-oarc.net

dns-oarc.net A

→

←

64.191.0.198 WebSrv

Browser(application)

OS

stubdns-oarc.net A

→ https



● DNSSEC protects against cache poisoning

ValidationRecursiveresolver

Authoritativenet

Authoritative.


dns-oarc.net A

→

←

64.191.0.198 WebSrv


OS

stubdns-oarc.net A

→ https

dns-oarc.net

= 6.6.6.1



● DNSSEC protects against cache poisoning● But not against resolver hijacking

( i.e. ARP or DHCP hijacking or routing tricks )


Authoritativenet

Authoritative.


← 6.6.6.1


OS

stub

dns-oarc.net A?

→

WebSrv

http

THEFIRST/LAST

MILE



● DNSSEC protects against cache poisoning● But not against resolver hijacking● One possibility: DNSSEC on the stub

DNSSEC AwareRecursiveresolver

Authoritativenet

Authoritative.


WebSrv


OS

stubhttps

DNSKEY DS A

dns-oarc.net

DNSKEY DS

net

DNSKEY

·

THEFIRST/LAST

MILE


From the ground-up security/privacy

● DNSSEC protects against cache poisoning● But not against resolver hijacking● Another possibility: DNS over TLS


Authoritativenet

Authoritative.


WebSrv


OS

stubhttps

dns-oarc.net A

→

←

64.191.0.198

THEFIRST/LAST

MILE



● TLS hijacking? Is That Possible?!● Durumeric, Zakir, et al. "The Security Impact of HTTPS Interception."

Network and Distributed Systems Symposium (NDSS’17). 2017.https://www.internetsociety.org/doc/security-impact-https-interception


Authoritativenet

Authoritative.


WebSrv


OS

stub https

dns-oarc.net A

→

←

64.191.0.198

https

Applies to DNS over TLS too

https://www.internetsociety.org/doc/security-impact-https-interception



● Strengthen TLS security with the stub: DANE( DNS-based Authentication of Named Entities )

● Also signalling system for TLS support( For application without user interaction )



Authoritativenet

Authoritative.


WebSrv


OS

stubhttps

dns-oarc.net A

→

←

64.191.0.198


● Bootstrap the TLSA lookup with regular DNS?

Authenticate DNS-over-TLS with DANE?



Authoritativenet

Authoritative.

Authoritativegetdnsapi.net

WebSrv


OS

stub

https

dns-oarc.net A

→

← 64.191.0.198

DNSSEC AwareRecursiveresolver_

853._tcp.getdnsapi.net

TLSA

DNSKEY DS

getdnsapi.net

DNSKEY DS

net

DNSKEY

·



● Bootstrap the TLSA lookup with regular DNS?– Chicken and Egg problem

Authenticate DNS-over-TLS with DANE?



Authoritativenet

Authoritative.


WebSrv


OS

stub

https

dns-oarc.net A

→

← 64.191.0.198

_853._tcp.getdnsapi.net TLSA getdnsapi.net DNSKEY DS

net DNSKEY DS. DNSKEY


RRSIGs



RRSIGs


● Bootstrap the TLSA lookup with regular DNS?● Have the TLSA record + the complete DNSSEC

authentication chain embedded in a TLS extensionhttps://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension

https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension



Authoritativenet

Authoritative.


WebSrv


OS

stub

https

dns-oarc.net A

→

← 64.191.0.198




RRSIGs



RRSIGs


● Bootstrap the TLSA lookup with regular DNS?● Have the TLSA record + the complete DNSSEC

authentication chain embedded in a TLS extensionhttps://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension

TLS DNSSEC authentication chain

extension must be obligatory, to prevent the “Too many CA’s” problem

https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension



● The stub is close to the applicationInform status of DNSSEC and DNS Privacy

X Clear text DNS

X Private DNS

X Authenticated X Private DNS

DNS Privacy statusDNSSEC Availability



● Enhanced privacy by round-robining upstreams


Authoritativenet

Authoritative.


WebSrv


OS

stub




Round-robin


Bonus

Feature



Cross the first DNSSEC mile X

From the ground up Privacy X

Strengthened TLS authentication (DANE) X X

Strengthened opportunistic TLS (DANE) X X

Provide status of DNSSEC & DNS over TLS X

DN

SSEC

DN

S ov

er T

LSN

on a

ddre

ss lo

okup

s

API

● Requirements for theversatile stub








DN

SSEC

DN

S ov

er T

LSN

on a

ddre

ss lo

okup

s

API



Authoritativenet

Authoritative.


WebSrv


OS

stubhttps

DNSKEY DS A

dns-oarc.net

DNSKEY DS

net

DNSKEY

·

recursiveresolver

DNSSEC Roadblocks

● Resolving DNSSEC (to cross the first mile)needs DNSSEC Aware recursive resolver


recursiveresolver

Authoritativenet

Authoritative.


WebSrv


OS

stubhttps

DNSSEC Roadblocks


● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027+Full recursion capability

https://tools.ietf.org/html/rfc8027


recursiveresolver

Authoritativenet

Authoritative.


WebSrv


OS

stubhttps

DNSSEC Roadblocks


● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027+Full recursion capability

Does not apply to first-mile crossed by DNS-over-TLS

Does not apply to first-mile crossed by DNS-over-TLS


Authoritativenet

Authoritative.


WebSrv


OS

stub

https

dns-oarc.net A

→

← 64.191.0.198




RRSIGs



RRSIGs



DNSSEC Roadblocks

IPv6 Only

DNS64

Authoritativecom

Authoritative.

Authoritativetwitter.com

twitter.co

m AAAA

→←

64:ff9b::

68e0:2ac

1

IPv4 only


OS

stub

https

NAT64

104.244.42.193https

● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027● IPv6 Address Synthesis Prefix Discovery

https://tools.ietf.org/html/rfc7050+DNS64 capability https://tools.ietf.org/html/rfc6147

https://tools.ietf.org/html/rfc8027https://tools.ietf.org/html/rfc7050https://tools.ietf.org/html/rfc6147


DNSSEC Roadblocks

● DNSSEC Roadblock Avoidance https://tools.ietf.org/html/rfc8027● IPv6 Address Synthesis Prefix Discovery

https://tools.ietf.org/html/rfc7050+DNS64 capability https://tools.ietf.org/html/rfc6147

IPv6 Only

DNS64

Authoritativecom

Authoritative.

Authoritativetwitter.com


OS

stub NAT64Privacyresolver

https://tools.ietf.org/html/rfc8027https://tools.ietf.org/html/rfc7050https://tools.ietf.org/html/rfc6147


DNSSEC Roadblocks

● DNSSEC validating stubs must do RFC5011

RootKSK

Rollover


DNSSEC Roadblocks

● DNSSEC validating stubs must do RFC5011

RootKSK

Rollover

In-band RFC5011 trackingwith DNSSEC auth chain TLS extension

In-band RFC5011 trackingwith DNSSEC auth chain TLS extension


Authoritativenet

Authoritative.


WebSrv


OS

stub

https

dns-oarc.net A

→

← 64.191.0.198




RRSIGs



RRSIGs


DNSSEC Roadblocks

● DNSSEC validating stubs must do RFC5011● A stub library for DANE has no system config

+bootstrap DNSSEC capability: https://tools.ietf.org/html/rfc7958● A stub library for DANE runs with user's privileges

RootKSK

Rollover



DNSSEC Roadblocks

DNSSEC validation (various)

DNSSEC Roadblock Avoidance RFC8027

IPv6 Prefix Discovery RFC7050

IPv6 Address Synthesis RFC6147

Automated Trust Anchor Updates RFC5011

Automated Initial Trust Anchor retrieval RFC7958

DNSSEC stubs capability requirements








DN

SSEC

DN

S ov

er T

LSN

on a

ddre

ss lo

okup

s

API



B

Privacyresolver


OS

stubDNS-over-TLS

A

Privacyresolver


OS

stubDNS-over-TLS

B

A

Requirements forDNS-over-TLS

● TCP fastopen (optional) https://tools.ietf.org/html/rfc7413● Connection reuse https://tools.ietf.org/html/rfc7766● EDNS0 keepalive https://tools.ietf.org/html/rfc7828● EDNS0 padding https://tools.ietf.org/html/rfc7830

https://tools.ietf.org/html/rfc7413https://tools.ietf.org/html/rfc7766https://tools.ietf.org/html/rfc7828https://tools.ietf.org/html/rfc7830



● Connection reuse (Q/R, Q/R, Q/R)● Pipe-lining of queries (Q,Q,Q,R,R,R)

Privacyresolver


OS

stubA B C

DNS-over-TLSABC



Privacyresolver


OS

stubB

DNS-over-TLS

C

ABC

A

Privacyresolver


OS

stubAB C

DNS-over-TLSABC

● Connection reuse (Q/R, Q/R, Q/R)● Pipe-lining of queries (Q,Q,Q,R,R,R)● Process Out-Of-Order-Responses (Q

1,Q

2, R

2, R

1)



● Strict or Opportunistic usage profiles?https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-09

1) Authenticated Private DNS2) Private DNS3) Clear text DNS

Privacyresolver

Authoritativenet

Authoritative.


WebSrv


OS

stubhttps

dns-oarc.net A

→

←

64.191.0.198

https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-09



● Strict or Opportunistic usage profiles?https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-09

1) Authenticated Private DNS2) Private DNS3) Clear text DNS

Privacyresolver

Authoritativenet

Authoritative.


WebSrv


OS

stubhttps

dns-oarc.net A

→

←

64.191.0.198

RFC7858 (DNS-over-TLS)defined direct SPKI authentication only

RFC7858 (DNS-over-TLS)defined direct SPKI authentication only

https://tools.ietf.org/html/draft-ietf-dprive-dtls-and-tls-profiles-09


Privacyresolver

Authoritativenet

Authoritative.


WebSrv


OS

stub

https

dns-oarc.net A

→

← 64.191.0.198

DNSSECResolver

getdnsapi.net A/AAAA



● Regular PKIX authentication(bootstrap address lookup with regular DNS(SEC))


Privacyresolver

Authoritativenet

Authoritative.


WebSrv


OS

stub

https

dns-oarc.net A

→

← 64.191.0.198

DNSSEC AwareRecursiveresolver


● Regular PKIX authentication● Authenticate with DANE

(stricter opportunistic with TLSA signalling)

DNSSECDNSSEC

DNSKEY DS A

getdnsapi.net


Privacyresolver

Authoritativenet

Authoritative.


WebSrv


OS

stub

https

dns-oarc.net A

→

← 64.191.0.198




RRSIGs



RRSIGs


● Regular PKIX authentication● Authenticate with DANE● DNSSEC authentication chain TLS extension

DNSSECDNSSEC


Requirements forDNS PrivacyDNS-over-TLS RFC7858

Reuse / Pipelining / OOOR RFC7766

TCP Fastopen RFC7413

ENDS0 keepalive RFC7828

ENDS0 padding RFC7830

PKIX support for authentication (various)

DNSSEC support(for address lookup and authentication)

(various)








DN

SSEC

DN

S ov

er T

LSN

on a

ddre

ss lo

okup

s

API



Application

OS

stub

Non address lookups -Application Interface

getaddrinfo() and getnameinfo()(POSIX standard extended by RFC3493 for IPv6)


Application

OS

stub



Talk to upstreams directly with a library:● libresolv, libval, ldns, libunbound, libgetdns

Learn upstreams from OS● /etc/resolv.conf, NetworkManager, registry...

Application

OS

stublibrary


Application

OS

stub



Talk to upstreams directly with a library:● libresolv, libval, ldns, libunbound, libgetdns

Learn upstreams from OS● /etc/resolv.conf, NetworkManager, registry...

Applications using getaddrinfo() APIwill not get the versatile stub features(first DNSSEC mile coverage, DNS privacy)

Applications using getaddrinfo() APIwill not get the versatile stub features(first DNSSEC mile coverage, DNS privacy)

Application

OS

stublibrary



Application

OS

stub

Stub server listening on 127.0.0.1:53● getaddrinfo() and getnameinfo()

use system stub which uses stub server stub

server

Stubby

DnsmasqDnssec-Trigger



Application

OS

getaddrinfo() and getnameinfo()use systemd-resolved via nsswitch module● Stub server listening on 127.0.0.53:53

stubserver

systemd-resolved.service

systemd-resolved



Talk to stub server via a library:● libresolv, libval, ldns, libunbound, libgetdns

Application

OS

stublibrary

stub stubserver

App


Stubby

Dnsmasq

systemd-resolved127.0.0.53:53

Dnssec-Trigger



Talk to stub server via the dbus API● https://www.freedesktop.org/wiki/Software/systemd/resolved/

Application

OS

dbus APIstub server

App


systemd-resolved

https://www.freedesktop.org/wiki/Software/systemd/resolved/


The Importance of Being an Earnest stub

Dia 1Dia 2Dia 3Dia 4Dia 5Dia 6Dia 7Dia 8Dia 9Dia 10Dia 11Dia 12Dia 13Dia 14Dia 15Dia 16Dia 17Dia 18Dia 19Dia 20Dia 21Dia 22Dia 23Dia 24Dia 25Dia 26Dia 27Dia 28Dia 29Dia 30Dia 31Dia 32Dia 33Dia 34Dia 35Dia 36Dia 37Dia 38Dia 39Dia 40Dia 41Dia 42Dia 43Dia 44Dia 45

The Importance of Being an Earnest stub - NLnet LabsWillem Toorop (NLnet Labs) The Importance of...

Documents

Transcript of The Importance of Being an Earnest stub - NLnet LabsWillem Toorop (NLnet Labs) The Importance of...