The Current State of DNS Resolvers and RPKI Protection
By Erik Dekker and Marius Brouwer
1
2
Motivation
�Why is this research important?
3
Motivation
�BGP is old
�First RFC was published in 1989 (RFC 1105)
�BGP was developed in times when security problems were less prevalent
�And is vulnerable for certain attacks
�For example, BGP is prone to IP Prefix Hijacks
4
BGP IP Prefix Hijack
AS666 8.0.0.0/24C
1.0.0.0/24A
AS1
AS5
AS3 AS4 8.0.0.0/24B
AS2
5
Resource Public Key Infrastructure
� RPKI comes to the rescue!
� Documented in RFC 6480
� But also in RFC 6481,6482, 6483, 6484, 6485, 6486, 6487, 6488, 6489, 6490, 6491, 6492, and 6493
6
How does RPKI work?
� RIRs assign IP prefixes to network operators
� For example RIPE assigns prefixes to SURFnet
� RPKI allows network operators to sign their assigned IP prefixes
� To prove that they have the right to originate this prefix
� The RIRs host the Trust Anchors
� This results in a Route Origin Authorization (ROA) record
� Which contains the AS number, Prefix(es) and optionally prefix length
� Routers can validate ROA records (Route Origin Validation)
� ROV == RPKI filtering
7
BGP IP Prefix Hijack with RPKI
AS1 AS2 AS3
AS666
8.0.0.0/24B
8.0.0.0/24C
1.0.0.0/24A
Invalid
validROV ROA
AS4
AS5
8
DNS
� What does this have to do with DNS resolvers?
9
BGP IP Prefix Hijack
AS1 AS2 AS3
AS666
8.0.0.0/24B
8.0.0.0/24C
1.0.0.0/24A
Invalid
validROV ROA
AS4
9.0.0.0/24D
DNS Server
DNS Server
9.0.0.1
AS5
Resolver
10
Example
� Amazon Route 53 BGP Hijack
� All traffic directed to MyEtherWallet was hijacked
11
Research question
� Main question:
� “What is the state of RPKI filtering on DNS resolvers?”
� Sub questions:
� How does the length of the AS path between resolver and authoritative DNS server influence the level of RPKI protection?
� How does anycast influence the protection of DNS resolvers?
12
Scope
�No DNSSEC
�No IPv6
13
Method –test setup
�RIPE Atlas Probes
�Can send DNS queries to their resolvers
�Who query our authoritative DNS servers
�Beacon
�TCPdump of all the queries
�Made a BGP dump
14
Method – experiment
1. $id.invalid.valid4.rootcanary.net
6. $id.invalid4.rootcanary.net
2. $id.invalid.valid4.rootcanary.net
3. $id.invalid4.rootcanary.net
4. $id.invalid4.rootcanary.net
5. $id.invalid4.rootcanary.net
1. A record2. A record3. Synthesized CNAME4. A record5. Answer6. Answer
Valid
Invalid
Results
15
Results –Probe RPKI Coverage
16
2500
5000
7500
10000
2020−0
1−23
2020−0
1−24
2020−0
1−25
2020−0
1−26
2020−0
1−27
2020−0
1−28
2020−0
1−29
2020−0
1−30
2020−0
1−31
2020−0
2−01
2020−0
2−02
2020−0
2−03
Date
Num
ber o
f Pro
bes
Probe ProtectionStatus
Total ProbesUnprotectedPartiallyFully
Results –Probe/Resolver RPKI Coverage
17
5000
10000
15000
2020−0
1−23
2020−0
1−24
2020−0
1−25
2020−0
1−26
2020−0
1−27
2020−0
1−28
2020−0
1−29
2020−0
1−30
2020−0
1−31
2020−0
2−01
2020−0
2−02
2020−0
2−03
Date
Prob
e/R
esol
ver P
airs
RPKI StatusTotalUnprotectedProtected
18
Results – Top 10 AS
0
1000
2000
3000
4000
5000
1516
913
335
3669
242 88
8179
2268
3033
2012
322
3215
AS
Que
ries
RPKI StatusProtectedUnprotected
19
Results – Top 19 AS highest filtering ASes
0
1000
2000
3000
4000
1333
512
32232
6570
1871
32 553
8473
1303
021
1928
6012
39247
3933
0169
3917
4112
4117
5948
0215
943
AS
Que
ries
RPKI StatusProtectedUnprotected
20
Results – Influence of Cloudflare anycast
40
80
120
160
2020−0
1−23
2020−0
1−24
2020−0
1−25
2020−0
1−26
2020−0
1−27
2020−0
1−28
2020−0
1−29
2020−0
1−30
2020−0
1−31
2020−0
2−01
2020−0
2−02
2020−0
2−03
Date
Clou
dfla
re P
refix
esRPKI Status
TotalUnprotectedProtected
21
Results – Influence of AS path length
0.00
0.25
0.50
0.75
1.00
2 3 4 5 6 7 8 9 10 11AS Path Length
Que
ry R
atio
RPKI StatusUnprotectedProtected
22
Results – Influence of AS path length
0
100,000
200,000
2 3 4 5 6 7 8 9 10 11AS Path Length
Que
ries
23
Results – Influence of AS path length
0
100,000
200,000
2 3 4 5 6 7 8 9 10 11AS Path Length
Que
ries
0.00
0.25
0.50
0.75
1.00
2 3 4 5 6 7 8 9 10 11AS Path Length
Que
ry R
atio
RPKI StatusUnprotectedProtected
24
Conclusions
Main Research Question:“ What is the state of RPKI filtering on DNS resolvers? ”
• How does the length of the AS path between resolver and authoritative DNS server influence the level of RPKI protection?
•How does anycast influence the protection of DNS resolvers?
25
Discussion
• RPKI query coverage ≠ RPKI protected clients• Atlas probe AS could still be hijacked.• Small amount of ASes are fully protected• Expectation: Longer AS path more RPKI protection
• Based on reverse path• Influence of anycast DNS relatively high and growing• Population of experiment is western oriented and geek biased
26
Future Work
• Take DNS forwarders into account in future research• Make use of another query generator other than RIPE Atlas for a different population• Place more beacons in different regions/AS• Focus on specific open DNS resolvers e.g. Cloudflare and Verisign Public DNS• Longitudinal study of ongoing data capture• Analyze which DNS resolvers are aided by filtering along the path.
27
Acknowledgements
Questions?
28
Top Related