PLNOG14: DNS, or what's new in the world of DNS-o-saurs - Adam Obszyński


1 | © 2015 All Rights Reserved.

DNS - What's new in the world of DNS-o-saurs?

Adam Obszyński, CCIE, CISSP

2 | © 2015 All Rights Reserved.

Agent’a (agenda)

In previous episodes. That is, how things used to be.

Section “Q”. Will there be any new toys or cookies?

Licence to Kill. Modern bacteria and viruses.

Her Majesty Popularity. New domains and interesting collisions.

3 | © 2015 All Rights Reserved.

Agent’a (agenda)

In previous episodes. That is, how things used to be.

Section KJU, aka “Q”. Will there be any new toys or cookies?

Licence to Kill. Modern bacteria and viruses.

Her Majesty Popularity. New domains and interesting collisions.

4 | © 2015 All Rights Reserved.

History – a very short one

• 1971 – /etc/hosts & FTP…
• 1983 – DNS introduced
• 1996 – DNS NOTIFY & IXFR – the second generation
• 1997 – Dynamic Updates in the DNS – the third generation
• Google.com registered!
• Then the DNSSEC era begins…

5 | © 2015 All Rights Reserved.

Agent’a (agenda)

In previous episodes. That is, how things used to be.

Section “Q”. Will there be any new toys or cookies?

Licence to Kill. Modern bacteria and viruses.

Her Majesty Popularity. New domains and interesting collisions.

6 | © 2015 All Rights Reserved.

Cookies

http://crafty-christie.blogspot.com/2009/03/james-bond-cookies.html

7 | © 2015 All Rights Reserved.

DNS Cookies

http://crafty-christie.blogspot.com/2009/03/james-bond-cookies.html

https://tools.ietf.org/html/draft-eastlake-dnsext-cookies-00 (since November 2006)

8 | © 2015 All Rights Reserved.

DNS Cookies

• Provides weak authentication of queries and responses. The weak brother of TSIG.
• No protection against “in-line” attackers: no protection against anyone who can see the plain-text queries and responses.
• Requires no setup or configuration, just protocol behaviour.
• Intended to greatly reduce:
  - forged source IP address traffic amplification DoS attacks
  - forged source IP address recursive server workload DoS attacks
  - forged source IP address reply cache poisoning attacks

http://crafty-christie.blogspot.com/2009/03/james-bond-cookies.html

9 | © 2015 All Rights Reserved.

DNS COOKIE Option

• A new Option to the OPT-RR

                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|        OPTION-CODE TBD        |      OPTION-LENGTH = 18       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Resolver Cookie upper half                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Resolver Cookie lower half                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Server Cookie upper half                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                   Server Cookie lower half                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          Error Code           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

http://crafty-christie.blogspot.com/2009/03/james-bond-cookies.html

10 | © 2015 All Rights Reserved.

Resolver & Server views

Resolver:

The resolver puts a COOKIE option in queries with
- a Resolver Cookie that varies with the server: truncated HMAC(server-IP-address, resolver secret)
- the Server Cookie it has cached for that server, if it has one

The resolver ignores all replies that do not carry the correct Resolver Cookie.

It caches the new Server Cookie and retries the query if it gets a Bad Cookie error with a correct Resolver Cookie.

Server:

The server puts a COOKIE option in replies with
- a Server Cookie that varies with the resolver: truncated HMAC(resolver-IP-address, server secret)
- the Resolver Cookie, if there was one in the corresponding query

http://crafty-christie.blogspot.com/2009/03/james-bond-cookies.html

11 | © 2015 All Rights Reserved.

Example

Resolver (state: RC:123)                        Server (state: SC:789)

Resolver -> Server    Query:       RC:123, SC:???, E:0     (no Server Cookie cached yet)
Server   -> Resolver  ErrReply:    RC:123, SC:789, E:BadC  (resolver caches SC:789 and retries)
Resolver -> Server    Query:       RC:123, SC:789, E:0
Server   -> Resolver  AnsReply:    RC:123, SC:789, E:0

Attacker -> Resolver  ForgedReply: RC:???, SC:???, E:0     (dropped: Resolver Cookie is not RC:123)
Attacker -> Server    ForgedQuery: RC:XYZ, SC:???, E:0     (source address spoofed as the resolver)
Server   -> Resolver  ErrReply:    RC:XYZ, SC:789, E:BadC  (small error reply only; dropped by the resolver, RC:XYZ is not RC:123)

http://crafty-christie.blogspot.com/2009/03/james-bond-cookies.html
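The exchange on the slide, as an added example that is not part of the original deck or of the draft: a toy model of both sides of the COOKIE option. Cookies are the truncated HMACs described on the previous slide (here HMAC-SHA256 over the peer's address, cut to 64 bits); the addresses, secrets, cookie values and the answer data are constructed, and the message class is a hypothetical stand-in for the real OPT-RR option.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

COOKIE_LEN = 8  # 64-bit cookies, matching the option layout on the slide


def cookie(secret: bytes, peer_ip: str) -> bytes:
    """Truncated HMAC(peer-IP-address, secret): the cookie one side uses for one peer."""
    return hmac.new(secret, peer_ip.encode(), hashlib.sha256).digest()[:COOKIE_LEN]


@dataclass
class Msg:
    """One DNS message reduced to the COOKIE option fields from the slide (hypothetical)."""
    src_ip: str             # source address as seen on the wire (an attacker can forge it)
    rc: bytes               # Resolver Cookie
    sc: Optional[bytes]     # Server Cookie, None when the resolver has none cached
    err: str = "OK"         # "OK" or "BADCOOKIE"
    answer: str = ""        # answer data, empty in error replies


@dataclass
class Server:
    ip: str
    secret: bytes

    def handle(self, q: Msg) -> Msg:
        expected = cookie(self.secret, q.src_ip)  # Server Cookie for the claimed source
        if q.sc is None or not hmac.compare_digest(q.sc, expected):
            # Missing or wrong Server Cookie: a small error reply that echoes the Resolver
            # Cookie and carries the right Server Cookie; no resolution work is done.
            return Msg(self.ip, q.rc, expected, "BADCOOKIE")
        return Msg(self.ip, q.rc, expected, "OK", "192.0.2.1")  # constructed answer


@dataclass
class Resolver:
    ip: str
    secret: bytes
    cached_sc: Dict[str, bytes] = field(default_factory=dict)  # server IP -> Server Cookie
    log: List[str] = field(default_factory=list)               # error codes of accepted replies

    def accept(self, reply: Msg, server_ip: str) -> bool:
        """The resolver ignores every reply that lacks its correct Resolver Cookie."""
        return hmac.compare_digest(reply.rc, cookie(self.secret, server_ip))

    def resolve(self, server: Server) -> Optional[Msg]:
        for _ in range(2):  # at most one retry after a Bad Cookie error
            q = Msg(self.ip, cookie(self.secret, server.ip), self.cached_sc.get(server.ip))
            reply = server.handle(q)
            if not self.accept(reply, server.ip):
                continue  # forged or corrupted reply: dropped
            self.log.append(reply.err)
            self.cached_sc[server.ip] = reply.sc  # learn or refresh the Server Cookie
            if reply.err == "OK":
                return reply
        return None


def demo() -> List[str]:
    """Walk through the slide's exchange twice; returns the resolver's reply log."""
    resolver = Resolver("198.51.100.10", b"resolver-secret")  # constructed addresses/secrets
    server = Server("203.0.113.53", b"server-secret")
    assert resolver.resolve(server) is not None  # first try: BADCOOKIE, then OK
    assert resolver.resolve(server) is not None  # cached Server Cookie: OK straight away
    return resolver.log


if __name__ == "__main__":
    print(demo())
```

The defensive point is in `Server.handle`: a query whose source address was forged cannot carry the Server Cookie bound to that address, so it earns only a small error reply rather than recursion work or a large answer, and the resolver at the spoofed address discards that reply because the Resolver Cookie does not match.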

12 | © 2015 All Rights Reserved.

DNSSEC & DANE::SMIME

https://tools.ietf.org/html/draft-ietf-dane-smime-07

Given that the DNS administrator for a domain name is authorized to give identifying information about the zone, it makes sense to allow that administrator to also make an authoritative binding between email messages purporting to come from the domain name and a certificate that might be used by someone authorized to send mail from those servers. The easiest way to do this is to use the DNS.

The SMIMEA DNS resource record (RR) is used to associate an end entity certificate or public key with the associated email address, thus forming a "SMIMEA certificate association".
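An added example, not from the slides or the draft, of what an "SMIMEA certificate association" check looks like in code. The RDATA fields (usage, selector, matching type, certificate association data) are the TLSA layout that SMIMEA reuses; the owner-name construction shown is the one from the later RFC 8162 and is an assumption relative to the draft revision cited on the slide. The certificate and public-key bytes are constructed placeholders, not real DER.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed stand-ins for DER-encoded data (not real certificates).
CERT_DER = b"constructed-DER-end-entity-certificate"
SPKI_DER = b"constructed-DER-SubjectPublicKeyInfo"


def smimea_owner_name(email: str) -> str:
    """Owner name of the SMIMEA record for one mailbox.

    Assumption: SHA-256 of the local part, truncated to 28 octets, hex-encoded,
    under the _smimecert label of the mail domain (RFC 8162 form).
    """
    local_part, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local_part.encode("utf-8")).hexdigest()[:56]
    return f"{digest}._smimecert.{domain.lower()}."


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    obj = {0: cert_der, 1: spki_der}[selector]
    if matching == 0:
        return obj
    if matching == 1:
        return hashlib.sha256(obj).digest()
    if matching == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_smimea(cert_der: bytes, spki_der: bytes, usage: int = 3,
                selector: int = 0, matching: int = 1) -> str:
    """Presentation form '<usage> <selector> <matching> <hex data>'; usage 3 = DANE-EE."""
    data = association_data(cert_der, spki_der, selector, matching)
    return f"{usage} {selector} {matching} {data.hex()}"


def parse_smimea(record: str) -> Tuple[int, int, int, bytes]:
    usage, selector, matching, data = record.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex(data.replace(" ", ""))


def smimea_matches(record: str, cert_der: bytes, spki_der: bytes) -> bool:
    """True when the presented certificate satisfies the published association."""
    _usage, selector, matching, data = parse_smimea(record)
    expected = association_data(cert_der, spki_der, selector, matching)
    return hmac.compare_digest(data, expected)


if __name__ == "__main__":
    rec = make_smimea(CERT_DER, SPKI_DER)
    print(smimea_owner_name("alice@Example.com"), rec, smimea_matches(rec, CERT_DER, SPKI_DER))
```

The comparison is only worth anything if the SMIMEA answer arrived DNSSEC-validated (the AD bit from a validating resolver, or local validation); an unsigned answer would let anyone on the path substitute their own association, which is why the slide title pairs DANE with DNSSEC.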

13 | © 2015 All Rights Reserved.

DNSSEC & DANE::SMIME

ICANN 51

14 | © 2015 All Rights Reserved.

DNSSEC & DANE::SMIME

15 | © 2015 All Rights Reserved.

DNSSEC & DANE::SMIME

16 | © 2015 All Rights Reserved.

DNSSEC & DANE::SMIME

Tests:

DANE / TLS:

https://www.had-pilot.com/dane/danelaw.html

S/MIME & DANE:

https://dane.sys4.de/smtp/mail.unitybox.de

17 | © 2015 All Rights Reserved.

Agent’a (agenda)

In previous episodes. That is, how things used to be.

Section KJU, aka “Q”. Will there be any new toys or cookies?

Licence to Kill. Modern bacteria and viruses.

Her Majesty Popularity. New domains and interesting collisions.

18 | © 2015 All Rights Reserved.

Evolution of DNS DDoS Attacks

• DNS based DDoS attacks are constantly evolving

Registrar / NIC:
• Get registrar account access
• Change NS + add nice TTL ;-)

Phantom Domain:
• “Phantom” domains don’t respond
• Servers keep waiting

Domain Lock-up:
• Misbehaving domains lock up DNS resolvers with open connections
• Resource exhaustion

CPE Botnet Based:
• Botnets launch attacks on one specific target
• Target domain DDoS’d, resolver resources exhausted

Random Sub-domain / NXD:
• Uses randomly generated strings
• Exhausts limit on outstanding DNS queries

19 | © 2015 All Rights Reserved.

.MYNIC Registrar case

By Hasnul Hasan, ICANN 49

+ Monitor YOUR delegations… from outside ;-)

20 | © 2015 All Rights Reserved.

Basic NXDOMAIN Attack

• The attacker sends a flood of queries to a DNS server to resolve a non-existent domain/domain name.
• The recursive server tries to locate this non-existing domain by carrying out multiple domain name queries but does not find it.
• In the process, its cache is filled up with NXDOMAIN results.

Impact:

• Slower DNS server response time for legitimate requests
• The DNS server also spends valuable resources as it keeps trying to repeat the recursive query to get a resolution result.

21 | © 2015 All Rights Reserved.

Random Subdomain Attack (Slow Drip)

• Infected clients create queries by prepending randomly generated subdomain strings to the victim’s domain, e.g. xyz4433.plnog.pl
• Each client may only send a small volume of these queries to the DNS recursive server
• Harder to detect
• Multiple of these infected clients send such requests

Impact

• Responses may never come back from these non-existing subdomains
• The DNS recursive server waits for responses; the outstanding query limit is exhausted
• The target domain’s auth server experiences DDoS

How the attack works

Bot/bad clients send queries with random strings prefixed to the victim's domain (e.g. xyz4433.plnog.pl) -> the DNS recursive servers (ISP) see a flood of queries for non-existent subdomains -> the victim domain (e.g. plnog.pl) is DDoS'd, and the recursive servers suffer resource exhaustion.

22 | © 2015 All Rights Reserved.

Domain Lock-up Attack

• Resolvers and domains are set up by attackers to establish TCP-based connections with DNS resolvers
• When a DNS resolver requests a response, these domains send “junk” or random packets to keep it engaged
• They are also deliberately slow to respond to requests, keeping the resolvers engaged. This effectively locks up the DNS server resources.

Impact

• A DNS resolver establishing these connections with the misbehaving domains exhausts its resources

23 | © 2015 All Rights Reserved.

Botnet Based Attacks from CPE Devices

• Random Subdomain attacks that use botnets to target all traffic to one site or domain
• The attack involves compromised devices like CPE switches and routers
  • Supplied by ISPs
  • Supplied by the customer
• These malware-infected CPE devices form a botnet to send multiple DDoS traffic to, say, xyz123.plnog.pl

Impact

• Victim domain experiences DDoS
• DNS resolver resources exhausted
• When CPE devices are compromised, many other bad things can happen, like
  • SSL proxy – login credential theft etc.
  • Launch point for attacks against customer PCs and environments, i.e. expanding the compromise

24 | © 2015 All Rights Reserved.

Phantom Domain Attack

• “Phantom” domains are set up as part of the attack
• The DNS resolver tries to resolve multiple domains that are phantom domains
• These phantom domains may not send responses, or they will be slow

Impact

• The server consumes resources while waiting for responses, eventually leading to degraded performance or failure
• Too many outstanding queries

25 | © 2015 All Rights Reserved.

Newest Attacks – What can you do?

#1 Upstream delays
• For traffic to “slow” servers and zones (NS): any server that has exceeded the responsiveness limit should be sent fewer queries

#2 Recursive timeout
• The timeout for recursive name lookups should be lowered to free up DNS resolver resources
• Prevents maxing out the number of outstanding DNS queries

#3 Dynamic Limiting of Bad Clients
• If a client generates too many costly responses (NXDOMAIN, NXRRset, ServFail): drop or limit its traffic

#4 Block or Blacklist
• You have to wait for a user call or observe syslog
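An added example, not from the deck or from any resolver product, of the detection side of mitigations #1 and #3 run over resolver query logs, together with the random-subdomain pattern from the Slow Drip slide. The log line format, the thresholds and the sample lines are all constructed for this example, and "zone" is approximated as the last two labels of the query name, which is an assumption a real deployment would replace with the actual delegation point.

```python
import statistics
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample of resolver query-log lines (not real data); the line format is
# an assumption made for this example.
SAMPLE_LOG = """\
2015-06-01T10:00:01 client=10.0.0.5 qname=www.plnog.pl rcode=NOERROR rtt_ms=12
2015-06-01T10:00:01 client=10.0.0.5 qname=mail.plnog.pl rcode=NOERROR rtt_ms=15
2015-06-01T10:00:02 client=10.0.0.77 qname=a1b2c3.plnog.pl rcode=NXDOMAIN rtt_ms=2100
2015-06-01T10:00:02 client=10.0.0.77 qname=q9z8y7.plnog.pl rcode=NXDOMAIN rtt_ms=2300
2015-06-01T10:00:03 client=10.0.0.77 qname=mm4455.plnog.pl rcode=NXDOMAIN rtt_ms=1900
2015-06-01T10:00:03 client=10.0.0.77 qname=xyz4433.plnog.pl rcode=NXDOMAIN rtt_ms=2500
2015-06-01T10:00:04 client=10.0.0.78 qname=k1k1k1.plnog.pl rcode=NXDOMAIN rtt_ms=2200
2015-06-01T10:00:04 client=10.0.0.78 qname=typo.examplee.test rcode=SERVFAIL rtt_ms=3000
2015-06-01T10:00:05 client=10.0.0.9 qname=www.example.test rcode=NOERROR rtt_ms=20
2015-06-01T10:00:05 client=10.0.0.9 qname=ns.example.test rcode=NOERROR rtt_ms=18
"""

COSTLY = {"NXDOMAIN", "NXRRSET", "SERVFAIL"}  # the "costly responses" named on the slide


def parse(text: str) -> List[Dict[str, object]]:
    """Turn 'key=value' log lines into records; the leading timestamp is skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split()[1:])
        fields["rtt_ms"] = int(fields["rtt_ms"])
        records.append(fields)
    return records


def zone_of(qname: str) -> str:
    """Assumption: the authoritative zone is the last two labels of the name."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def costly_clients(records, threshold: int = 3) -> Dict[str, int]:
    """Mitigation #3: clients that generated at least `threshold` costly responses."""
    counts = Counter(r["client"] for r in records if r["rcode"] in COSTLY)
    return {client: n for client, n in counts.items() if n >= threshold}


def slow_zones(records, rtt_limit_ms: int = 1000, min_samples: int = 3) -> Dict[str, float]:
    """Mitigation #1: zones whose median upstream latency exceeds the responsiveness limit."""
    rtts = defaultdict(list)
    for r in records:
        rtts[zone_of(r["qname"])].append(r["rtt_ms"])
    medians = {z: statistics.median(v) for z, v in rtts.items() if len(v) >= min_samples}
    return {z: m for z, m in medians.items() if m > rtt_limit_ms}


def random_subdomain_suspects(records, min_distinct: int = 4) -> Dict[str, int]:
    """Slow Drip pattern: many distinct non-existent leftmost labels under one zone."""
    labels = defaultdict(set)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            labels[zone_of(r["qname"])].add(r["qname"].split(".")[0])
    return {z: len(s) for z, s in labels.items() if len(s) >= min_distinct}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("limit clients:", costly_clients(recs))
    print("throttle zones:", slow_zones(recs))
    print("random-subdomain targets:", random_subdomain_suspects(recs))
```

Each function returns the candidates for one action (rate-limit the client, reduce concurrency towards the zone, alert on the zone being targeted) rather than taking it, so the thresholds can be tuned against real traffic before anything is dropped; a legitimate client behind a large NAT can also exceed a low NXDOMAIN threshold.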

26 | © 2015 All Rights Reserved.

Eliminate open resolvers ;-)

https://dnsscan.shadowserver.org/

27 | © 2015 All Rights Reserved.

Eliminate broken software…

28 | © 2015 All Rights Reserved.

SPAM/Attacks with Domains less than 24h old

Henry Stern, Farsight | ICANN50 | London

29 | © 2015 All Rights Reserved.

Agent’a (agenda)

In previous episodes. That is, how things used to be.

Section KJU, aka “Q”. Will there be any new toys or cookies?

Licence to Kill. Modern bacteria and viruses.

Her Majesty Popularity. New domains and interesting collisions.

30 | © 2015 All Rights Reserved.

DNS - Collision with Roaming Leak

Search List or Split Brain DNS + New TLD == Leak Issue

www.firma.example: Internal DNS, AD, etc. vs. new TLDs -> !!! collision !!!

New & nice loopback address: 127.0.53.53. Encourages you to “look this up”.

https://icann.org/namecollision

https://newgtlds.icann.org/newgtlds.csv
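An added example, not from the deck, of the two checks an administrator can automate for this slide: which search-list suffixes or split-brain internal zones now sit under a delegated new gTLD (so a roaming client's unqualified lookups leak to the public tree), and whether an answer contains the 127.0.53.53 collision indicator. The gTLD set is a small constructed subset, not the newgtlds.csv file linked above (whose format is not modelled here), and the search lists and answers are constructed.

```python
import ipaddress
from typing import Iterable, List

# The loopback address from the slide that new gTLD registries return for colliding
# names, chosen to make the administrator "look this up".
COLLISION_SENTINEL = ipaddress.ip_address("127.0.53.53")

# Constructed subset of delegated new gTLD strings for this example; the authoritative
# list is the newgtlds.csv file linked on the slide.
NEW_GTLDS = frozenset({"cloud", "dev", "email", "global", "network", "office"})


def tld_of(name: str) -> str:
    """Rightmost label of a name, lower-cased, trailing dot ignored."""
    return name.strip(".").lower().rsplit(".", 1)[-1]


def search_list_collisions(search_list: Iterable[str], new_gtlds=NEW_GTLDS) -> List[str]:
    """Search-list suffixes (or internal zones) whose top label is now a public gTLD."""
    return [suffix for suffix in search_list if tld_of(suffix) in new_gtlds]


def candidate_fqdns(short_name: str, search_list: Iterable[str]) -> List[str]:
    """Names a stub resolver tries, in order, when `short_name` is typed unqualified."""
    return [f"{short_name}.{suffix.strip('.')}" for suffix in search_list]


def leaking_lookups(short_name: str, search_list: Iterable[str], new_gtlds=NEW_GTLDS) -> List[str]:
    """Of those candidates, the ones a roaming client would send to a public TLD."""
    return [fqdn for fqdn in candidate_fqdns(short_name, search_list) if tld_of(fqdn) in new_gtlds]


def is_collision_answer(addresses: Iterable[str]) -> bool:
    """True if any address in an A-record answer is the 127.0.53.53 collision indicator."""
    return any(ipaddress.ip_address(a) == COLLISION_SENTINEL for a in addresses)


if __name__ == "__main__":
    search = ["firma.example", "corp.network", "ad.local"]  # constructed search list
    print(search_list_collisions(search))
    print(leaking_lookups("intranet", search))
    print(is_collision_answer(["127.0.53.53"]))
```

Run against the real search lists pushed by DHCP and the internal zone names in AD, the first two functions give the list of suffixes to rename before the corresponding TLD goes live; the third is the check to put in monitoring, since a 127.0.53.53 answer means an internal name is already being resolved in the public tree.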

31 | © 2015 All Rights Reserved.

Q?

32 | © 2015 All Rights Reserved.

THE END

of

“DNS…”

TOPIC WILL* RETURN IN

PLNOG 2015 KRAKÓW

* - maybe ;-)