DNS Security
Contact: [email protected]
eDNS03_v1.0
Overview
How DNS Works
DNS Vulnerabilities
Securing the Nameservers
Transaction Signature (TSIG)
DNS Security Extensions (DNSSEC)
DNSSEC New Resource Records
Signing Zones
Overview: How DNS Works
[Figure: resolution of the question "www.apnic.net A"; the resolver is referred via the root-server to the apnic-server, which answers 192.168.5.10, and the answer is held for its TTL.]
DNS Vulnerabilities
[Figure: DNS data flow from the zone administrator to the zone file, master, slaves, caching forwarder and resolver, including dynamic updates (steps 1 to 5).]
DNS Vulnerabilities
[Figure: the same data flow annotated with the threats at each point: corrupting data, unauthorized updates, impersonating master, cache impersonation, and cache pollution by data spoofing.]
[Figure: cache poisoning by query ID (QID) guessing. (1) The client asks its caching DNS server for www.example.com with QID=64569; (2) the caching server queries the root/GTLD servers and ns.example.com with QID=64571; (3) a host pretending to be the authoritative zone sends forged answers (QID=64570, QID=64571 ...) and the one with the matching QID is accepted, so the cache stores www.example.com 192.168.1.99 instead of the real webserver address 192.168.1.1.]
RFC 4033: DNS Security Introduction and Requirements
Securing the Nameserver
Run the most recent version of the DNS software (BIND 9.9.1 or Unbound 1.4.16)
Apply the latest patches
Hide the version
Restrict queries:
allow-query { acl_match_list; };
Prevent unauthorized zone transfers:
allow-transfer { acl_match_list; };
Run BIND with the least privilege (use chroot)
Randomize source ports: don't use the query-source option (a fixed source port defeats the randomization)
Secure the box
Use TSIG and DNSSEC
Transaction Signature (TSIG)
A mechanism for protecting a message from a primary to a secondary and vice versa (i.e. transactions)
A keyed hash is applied (like a digital signature) so the recipient can verify the message
The hash covers the DNS question or answer and the timestamp
Based on a shared secret: both sender and receiver are configured with it
RFC 2845
TSIG Protected Vulnerabilities
[Figure: the DNS data flow with the threats TSIG addresses, impersonating master and cache impersonation, highlighted. Master and slave share the key %sgs!f23fv!; the zone transfer request and the master's response (SOA ... SOA) are signed with it and verified by the slave.]
TSIG Steps
Generate the secret:
dnssec-keygen -a <algorithm> -b <bits> -n HOST <name of the key>
Communicate the secret: transfer the key securely (e.g. SSH/SCP)
Test:
dig @<server> <zone> AXFR -k <TSIG keyfile>
TSIG Configuration: named.conf
Primary server (10.33.40.46):
key ns1-ns2.pcx.net {
    algorithm hmac-md5;
    secret "APlaceToBe";
};
server 10.33.50.35 {
    keys { ns1-ns2.pcx.net; };
};
allow-transfer { key ns1-ns2.pcx.net; };   // in the options or zone statement
Secondary server (10.33.50.35):
key ns1-ns2.pcx.net {
    algorithm hmac-md5;
    secret "APlaceToBe";
};
server 10.33.40.46 {
    keys { ns1-ns2.pcx.net; };
};
zone "my.zone.test." {
    type slave;
    file "myzone.backup";
    masters { 10.33.40.46; };
};
You can save the key statement in a file and refer to it in the configuration file (named.conf) using an include statement:
include "/var/named/master/tsig-key-ns1-ns2";
TSIG Testing: dig
You can use dig to check the TSIG configuration:
dig @<server> <zone> AXFR -k <TSIG keyfile>
A wrong key gives "Transfer failed", and on the server the security category will log this.
Note: TSIG is time-sensitive, so the clocks of both servers must be in sync.
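As an added example (not part of these slides), the following Python computes and verifies a TSIG MAC the way RFC 2845 section 3.4 describes, covering the DNS message plus the TSIG variables, and shows the time check behind the note above. It uses the hmac-sha256 algorithm name from RFC 4635 rather than the slides' hmac-md5; the secret, key name, query and timestamps are constructed values.

```python
import hashlib, hmac, struct

# Algorithm names as carried on the wire (RFC 2845 / RFC 4635) mapped to their hash.
ALGORITHMS = {"hmac-md5.sig-alg.reg.int": hashlib.md5, "hmac-sha256": hashlib.sha256}

def wire_name(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qid: int, qname: str) -> bytes:
    """Constructed minimal DNS query: header plus one A/IN question, no TSIG RR yet."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)    # flags: RD set
    return header + wire_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def tsig_mac(msg: bytes, secret: bytes, keyname: str, alg: str,
             time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """HMAC over what RFC 2845 s3.4 covers: the message without its TSIG RR, then the
    TSIG variables (key NAME, CLASS ANY=255, TTL 0, algorithm name, 48-bit Time Signed,
    Fudge, Error, Other Len, Other Data). Signing a response would also prepend the
    request MAC; this example signs requests only."""
    variables = (wire_name(keyname) + struct.pack("!HI", 255, 0) + wire_name(alg)
                 + time_signed.to_bytes(6, "big")
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(secret, msg + variables, ALGORITHMS[alg]).digest()

def tsig_verify(msg, secret, keyname, alg, time_signed, fudge, mac, now) -> str:
    """Receiver checks in RFC 2845 s4.5 order: MAC first (BADSIG), then time (BADTIME)."""
    expected = tsig_mac(msg, secret, keyname, alg, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    if abs(now - time_signed) > fudge:       # clocks must agree within the fudge window
        return "BADTIME"
    return "NOERROR"

# Constructed demo values: shared secret, key name, fudge (300 s) and a signing time.
SECRET = b"constructed-shared-secret-not-for-real-use"
KEYNAME, ALG, FUDGE, T0 = "ns1-ns2.pcx.net", "hmac-sha256", 300, 1_700_000_000

def demo() -> dict:
    query = build_query(0x1234, "my.zone.test")
    mac = tsig_mac(query, SECRET, KEYNAME, ALG, T0, FUDGE)
    tampered = query[:-2] + struct.pack("!H", 255)   # QCLASS altered in transit
    return {
        "good": tsig_verify(query, SECRET, KEYNAME, ALG, T0, FUDGE, mac, now=T0 + 10),
        "wrong_key": tsig_verify(query, b"other-secret", KEYNAME, ALG, T0, FUDGE, mac, now=T0 + 10),
        "tampered": tsig_verify(tampered, SECRET, KEYNAME, ALG, T0, FUDGE, mac, now=T0 + 10),
        "clock_skew": tsig_verify(query, SECRET, KEYNAME, ALG, T0, FUDGE, mac, now=T0 + 600),
    }
```

The last case is the one the note above refers to: the MAC is correct, but a receiver whose clock differs by more than the fudge value still rejects the transfer.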
DNS Security Extensions (DNSSEC)
Protects the integrity of data in the DNS by establishing a chain of trust
A form of digitally signing the data to attest to its validity
RFC 4033, 4034, 4035
DNSKEY/RRSIG/NSEC: provide the mechanisms to establish the authenticity and integrity of data
DS: provides a mechanism to delegate trust to the public keys of third parties
Vulnerabilities protected by DNSSEC
[Figure: the DNS data flow (zone administrator, zone file, master, slaves, dynamic updates, caching forwarder, resolver) with the threat DNSSEC addresses, cache impersonation, highlighted.]
Types of Keys
Zone Signing Key (ZSK)
Signs the RRsets within the zone
The public key of the ZSK is published in a DNSKEY RR