DNS security and privacy

DNS security and privacy analysis in Benin. Presentation made for Benin DNS Forum

Alfred Arouna

November 25, 2017
Transcript

  1. DNS security and privacy: Implementation and Deployment
     Alfred Arouna, Bénin DNS Forum, November 25, 2017, Cotonou - Bénin
     [email protected] https://speakerdeck.com/alfredarouna @[email protected]
  2. Outline
     ▶ 30 years old protocol
     ▶ DNS tree & Domain Name
     ▶ DNS servers & workflow
     ▶ DNS Principles
     ▶ Some use cases
     ▶ Threat model
     ▶ DNS and security: Open Resolvers, (T)SIG, DNSSEC
     ▶ DNS and privacy: Approach, Qname Minimisation, Encryption
     ▶ Resources: DNS privacy, Zone Testing, DNS OARC, DNSSEC VIZ, DNS monitoring with RIPE Atlas
     ▶ Additional - Privacy? I don't have anything to hide
  3. Nov 1987
     ▶ RFC 1034 DOMAIN NAMES - CONCEPTS AND FACILITIES
     ▶ RFC 1035 DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
  4. Principles
     ▶ Full query names are sent at every step: DNS too chatty.
     ▶ Query/answer are cleartext: DNS too public.
     ▶ Easy to subvert: DNS too trusting.
     1. [...] The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit [...]
     2. [...] Messages carried by UDP are restricted to 512 bytes (not counting the IP or UDP headers) [...]
     3. Many types of resource records.
  5. Example records from .bj zones
     presidence.bj. 3600 IN SOA beau.ns.cloudflare.com. dns.cloudflare.com.
     fgi.bj. 3600 IN SOA ns1.it-num.com. admin.fgi.bj.
     dnsforum.bj. 86399 IN NS rs21.registrar-servers.com.
     arcep.bj. 86400 IN NS ns1.infomaniak.ch.
     fgi.bj. 3600 IN A 46.226.110.58
     presidence.bj. 3600 IN A 104.25.140.36
     presidence.bj. 3600 IN AAAA 2400:cb00:2048:1::6819:8b24
     arcep.bj. 86400 IN MX 5 mta-gw.infomaniak.ch.
     benintelecoms.bj. 171085 IN MX 10 webmail.benintelecoms.bj.
     dnsforum.bj. 14400 IN TXT "v=spf1 a mx include:websitewelcome.com ~all"
     benintelecoms.bj. 10800 IN TXT "v=spf1 a mx ip4:81.91.225.6 ip4:81.91.225.10 ip4:41.216.47.22 ~all"
     benintelecoms.bj. 10800 IN TXT "google-site-verification=Zw-Aej..."
     moov.bj. 86400 IN TXT "v=spf1 ip4:41.191.70.130 ~all"
     moov.bj. 86400 IN TXT "v=spf1 ip4:41.191.70.131 ~all"
     mtn.bj. 86377 IN TXT "mfUHqWXkYQzscXwm+0NRG29kv8Ap..."
     mtn.bj. 86377 IN TXT "v=spf1 a mx -all"
     dkim2k._domainkey.isocelmail.bj. 86400 IN TXT "v=DKIM1; k=rsa; s=email; p=MIIBI...."
     dkim._domainkey.benintelecoms.bj. 3600 IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb..."
     _dmarc.isocelmail.bj. 86400 IN TXT "v=DMARC1;p=reject;pct=100;..."
     _dmarc.presidence.bj. 3599 IN TXT "v=DMARC1;pct=100;p=none;..."
  6. Well-known use cases
     ▶ Resource resolution protocol.
     ▶ SOA, NS, A, AAAA, MX, SRV, TXT, PTR, DNSKEY, OPENPGPKEY, TLSA, etc.
     ▶ Content access control.
     ▶ Split-horizon (split-view DNS, split-brain DNS, or split DNS).
     ▶ RFC 7871: Client Subnet in DNS Queries.
     ▶ DNS load-balancing or hosting.
     ▶ Data channel for surveillance.
     ▶ Censorship.
     ▶ Malicious activities.
     ▶ Commercial profiling.
  7. DNS Attack tree - DNS Threat Analysis by Mark Santcroos & Olaf M. Kolkman - NLnet Labs - 2007
     Figure 1: Attack tree
  8. Our concern (Introduction to DNS and its vulnerabilities - Olaf M. Kolkman - NLnet Labs - 2012)
     ▶ Server vulnerabilities
       ▶ Bugs,
       ▶ Implementation mistakes,
       ▶ Bad configuration.
     ▶ Compromise of systems
       ▶ Spoofing,
       ▶ Cache poisoning (resolver).
     ▶ Man in the middle
       ▶ On the wire,
       ▶ Through compromise.
  9. Exploits of a Mom https://www.xkcd.com/327
     Disclaimer: Any opinions, advice, statements, services, offers, actions, or other information or content expressed or made available based on this presentation are under the responsibility of their authors.
  10. Open resolvers? If you get "open-resolver-detected" in response, then you have a problem :)
      $ dig +short test.openresolver.com TXT @41.79.218.245
      "open-resolver-detected"
      $ dig +short test.openresolver.com TXT @41.79.218.225
      ;; connection timed out; no servers could be reached
      $ dig +short test.openresolver.com TXT @41.85.184.102
      "open-resolver-detected"
      $ dig +short test.openresolver.com TXT @41.222.192.9
      ;; connection timed out; no servers could be reached
      $ dig +short test.openresolver.com TXT @41.86.224.9
      ;; connection timed out; no servers could be reached
      $ dig +short test.openresolver.com TXT @8.8.8.8
      "open-resolver-detected"
      $ dig +short test.openresolver.com TXT @156.154.70.1
      "open-resolver-detected"
      $ dig +short test.openresolver.com TXT @156.154.71.1
      "open-resolver-detected"
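The dig runs above are easy to eyeball for a handful of servers; for an operator checking all of their own resolvers, the output needs parsing. The following is an added example (not from the presentation) that classifies a captured batch of such dig runs; the sample output is constructed with RFC 5737 documentation addresses, and a server that answered REFUSED shows up as an empty `dig +short` result, which the parser treats the same as a timeout.

```python
import re

# Constructed sample in the shape of the slide's dig runs; 192.0.2.0/24 is a
# documentation range, so none of these are real resolvers.
SAMPLE_OUTPUT = """\
$ dig +short test.openresolver.com TXT @192.0.2.10
"open-resolver-detected"
$ dig +short test.openresolver.com TXT @192.0.2.20
;; connection timed out; no servers could be reached
$ dig +short test.openresolver.com TXT @192.0.2.30
$ dig +short test.openresolver.com TXT @192.0.2.40
"open-resolver-detected"
"""

CMD = re.compile(r"^\$ dig \+short test\.openresolver\.com TXT @(\S+)$")

def classify(output):
    """Map each server queried with the probe to one of:
    'open'      - it recursed for an arbitrary client and returned the marker,
    'no-answer' - timeout, or REFUSED (dig +short prints nothing for REFUSED),
    'other'     - some other payload came back (worth a manual look)."""
    status = {}
    current = None
    for line in output.splitlines():
        m = CMD.match(line)
        if m:
            current = m.group(1)
            status[current] = "no-answer"   # stays unless an answer line follows
            continue
        if current is None or not line.strip():
            continue
        if line.strip() == '"open-resolver-detected"':
            status[current] = "open"
        elif line.startswith(";;"):
            status[current] = "no-answer"   # e.g. ";; connection timed out"
        else:
            status[current] = "other"
    return status

def open_resolvers(output):
    """Servers whose recursion should be restricted to their own clients."""
    return sorted(ip for ip, s in classify(output).items() if s == "open")

if __name__ == "__main__":
    for ip, s in classify(SAMPLE_OUTPUT).items():
        print(f"{ip:16} {s}")
```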
  11. (T)SIG
      ▶ Scope: host to host communication.
      ▶ Authorizing dynamic updates and zone transfers.
      ▶ Authentication of caching forwarders.
      ▶ RFC 2845 Secret Key Transaction Authentication for DNS (TSIG): one-way hash function (shared secret).
      ▶ RFC 2931 DNS Request and Transaction Signatures (SIG(0)s): public key algorithm.
      ▶ Designed to provide integrity and authentication.
  12. Zone transfers
      $ dig @kpanlingan.uac.bj axfr +multi uac.bj
      [...]
      ;; XFR size: 196 records (messages 1, bytes 4362)
      $ dig axfr @ns1.kanakoo.bj benintelecoms.bj
      [...]
      ;; XFR size: 46 records (messages 1, bytes 1620)
      $ dig @ns1.kanakoo.bj. axfr be.bj
      [...]
      ;; XFR size: 18 records (messages 1, bytes 790)
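Slide 11 describes TSIG as a shared-secret hash over the transaction, and slide 12 shows AXFR answered to anyone. As an added illustration of the mechanism a primary uses to restrict zone transfers to keyed secondaries (example code, not from the presentation), the block below computes and verifies the TSIG MAC of RFC 2845 section 3.4.2 over a constructed AXFR query. It assumes HMAC-SHA256 (RFC 4635) rather than the original HMAC-MD5, and the key name `xfer-key.`, secret and zone are constructed placeholders.

```python
import hmac, hashlib, struct, time

def wire_name(name):
    """Canonical (lower-case) uncompressed wire form of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def axfr_query(zone, msg_id=0x1234):
    """Constructed minimal AXFR query: 12-byte header + one question (type 252, class IN)."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + wire_name(zone) + struct.pack("!HH", 252, 1))

def tsig_variables(key_name, algorithm, time_signed, fudge=300, error=0, other=b""):
    """TSIG RDATA fields covered by the MAC (RFC 2845 section 3.4.2)."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)   # CLASS ANY, TTL 0
            + wire_name(algorithm)
            + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(secret, message, key_name, time_signed, fudge=300, prior_mac=b""):
    """MAC over [request MAC] + DNS message + TSIG variables; hmac-sha256 assumed."""
    data = struct.pack("!H", len(prior_mac)) + prior_mac if prior_mac else b""
    data += message + tsig_variables(key_name, "hmac-sha256.", time_signed, fudge)
    return hmac.new(secret, data, hashlib.sha256).digest()

def verify(secret, message, key_name, time_signed, mac, now=None, fudge=300):
    """What a primary checks before honouring the transfer: the MAC must match and
    the timestamp must lie within +/- fudge seconds, so an old request cannot be replayed."""
    now = time.time() if now is None else now
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(secret, message, key_name, time_signed, fudge)
    return hmac.compare_digest(expected, mac)

if __name__ == "__main__":
    secret, ts = b"constructed-shared-secret", int(time.time())
    msg = axfr_query("example.bj")
    mac = tsig_mac(secret, msg, "xfer-key.", ts)
    print("valid:", verify(secret, msg, "xfer-key.", ts, mac))
    print("tampered:", verify(secret, msg + b"x", "xfer-key.", ts, mac))
```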
  13. DNSSEC
      ▶ Scope: DNS resolver and DNS authoritative (end to end security).
      ▶ A public/private key pair is associated with each DNS zone.
      ▶ Zone signature by the authoritative and record validation by the resolver.
      ▶ A chain of trust must exist from the root zone to a leaf zone.
      ▶ NXDOMAIN case with NSEC(3).
      ▶ DNS data authenticity can be verified (solution to DNS hijacking: response spoofing, cache poisoning).
      ▶ RFC 2535 Domain Name System Security Extensions, [3833, 4033, 4034, 4035, 4398, 4470, 4509, 5155, 6781].
      ▶ Provides new protocol security features:
        ▶ RFC 6698 DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol (TLSA), [6394, 7218, 7671, 7672, 7673, 7929, 8162].
        ▶ RFC 5585 DomainKeys Identified Mail (DKIM) Service Overview, [4686, 5016, 5617, 5863, 6376, 6377].
  14. DNSSEC Signature in Africa
      ▶ 38 unsigned ccTLDs in Africa.
      ▶ 18 signed ccTLDs in Africa.
      ▶ 2 signed ccTLDs without DS in the root zone (Guinea-Bissau & Sierra Leone).
      ▶ Key algorithm:
        ▶ RSA/SHA-256 (14 countries)
        ▶ RSASHA1-NSEC3-SHA1 (Seychelles, Sierra Leone & Guinea-Bissau)
        ▶ RSA/SHA-1 (Madagascar & Namibia)
        ▶ RSA/SHA-512 (Tanzania)
      ▶ Namibia, na.: first DS record on 2010/07/16.
      ▶ Liberia, lr.: last DS on 2017/04/13.
      ▶ bj. is unsigned.
      http://dnssec-africa.org/index.html
  15. DNSSEC Validation status in Benin - RSA & ECDSA (2/4)
      https://stats.labs.apnic.net/ecdsa/XL?o=cXBw1x1g1r1
  16. DNSSEC Validation status in Benin - Google PDNS usage (4/4)
      https://stats.labs.apnic.net/ecdsa/BJ
  17. DNSSEC Validation status in Benin - High validation - High Google PDNS usage (4/4)
      https://stats.labs.apnic.net/ecdsa/BJ
  18. DNSSEC Validation status in Benin - Low validation - Low Google PDNS usage (4/4)
      https://stats.labs.apnic.net/ecdsa/BJ
  19. DNSSEC Validation status in Benin - 62.96% to GPDNS (cumulative)
      [Bar chart: "% to GPDN" per ISP: Spacetel, BENINTELECOM, ETISALAT-AS, ISOCEL, JENY-SAS-AS, CanalBox-Benin-AS, OTI-AS, SUD-TELCOM-AS, UNIVERCELL-AS]
      https://frama.link/k9t4Hzej
  20. DNS PRIVate Exchange (DPRIVE)
      1. Send as little data as possible.
         ▶ Evil name server.
      2. Encrypt it.
         ▶ Third-party sniffers.
      ▶ RFC 7626 DNS Privacy Considerations.
      ▶ RFC 7816 DNS Query Name Minimisation to Improve Privacy published (status "experimental").
      ▶ RFC 7858 Specification for DNS over Transport Layer Security (TLS).
      ▶ Draft under discussion: Specification for DNS over Datagram Transport Layer Security (DTLS).
  21. Send as little data as possible
      ▶ Scope: DNS resolver and a DNS authoritative.
      ▶ RFC 7816: "QNAME minimisation follows the principle [that] the less data you send out, the fewer privacy problems you have."
      ▶ Inconsistencies with the handling of so-called Empty Non-Terminal domain names.
      ▶ In the resolver only (no change to the protocol).
      ▶ Supported by Unbound (version ≥ 1.5.7, off by default) and Knot Resolver (version ≥ 1.0, on by default).
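To make the RFC 7816 behaviour and the Empty Non-Terminal (ENT) problem concrete, here is an added simulation (example code, not part of the presentation) of a minimising resolver walking down a constructed toy tree under .bj. The TLD server only ever sees `bj`, not the full name, and the `ent_returns_nxdomain` flag models an authoritative server that answers NXDOMAIN for an ENT, the inconsistency the slide refers to, together with the full-QNAME retry the RFC suggests as a workaround. The zone names and the single-level-per-query walk from the root are assumptions for the example.

```python
# Constructed toy authoritative data so the simulation runs offline. Names are
# kept without the trailing dot. "bar.gouv.bj" has no records of its own but
# has a child, i.e. it is an empty non-terminal (ENT).
ZONE_CUTS = {"bj", "gouv.bj"}                         # delegation points
NAMES_WITH_DATA = {"www.gouv.bj", "foo.bar.gouv.bj"}  # owner names holding records

def toy_auth(qname, ent_returns_nxdomain=False):
    """Answer like the server authoritative for the closest enclosing zone.
    ent_returns_nxdomain=True models a broken server that says NXDOMAIN for an
    ENT instead of NOERROR with an empty answer (NODATA)."""
    if qname in ZONE_CUTS:
        return "REFERRAL"
    if qname in NAMES_WITH_DATA:
        return "NOERROR"
    if any(n.endswith("." + qname) for n in ZONE_CUTS | NAMES_WITH_DATA):
        return "NXDOMAIN" if ent_returns_nxdomain else "NODATA"
    return "NXDOMAIN"

def minimised_queries(full_qname, ent_returns_nxdomain=False):
    """Simulate an RFC 7816 resolver with an empty cache (only the root known):
    ask NS for one more label at a time and send the full name, with the real
    type, only to the last server. Returns (queries sent, final status)."""
    lbl = full_qname.split(".")
    sent = []
    for i in range(len(lbl) - 1, -1, -1):
        partial = ".".join(lbl[i:])
        last = (i == 0)
        sent.append((partial, "A" if last else "NS"))
        rc = toy_auth(partial, ent_returns_nxdomain)
        if rc == "NXDOMAIN" and not last:
            # RFC 7816 section 3 fallback: NXDOMAIN on an intermediate name may be
            # an ENT bug, so retry once with the full QNAME before giving up.
            sent.append((full_qname, "A"))
            return sent, toy_auth(full_qname, ent_returns_nxdomain)
    return sent, rc

if __name__ == "__main__":
    for name, bug in [("www.gouv.bj", False), ("foo.bar.gouv.bj", False), ("foo.bar.gouv.bj", True)]:
        print(name, "ENT bug" if bug else "", minimised_queries(name, bug))
```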
  22. Encrypt data as much as possible
      ▶ Scope: encrypt data between DNS client/stub and a DNS resolver.
      ▶ Transport
        ▶ RFC 7858 Specification for DNS over Transport Layer Security (TLS)
        ▶ Specification for DNS over Datagram Transport Layer Security (DTLS).
      ▶ Application
        ▶ DNS over HTTP/QUIC (REST API).
        ▶ Application-level DNS: GetDNS (DNS over TLS), DNSCrypt and DNSCurve (not a standard, DTLS).
  23. DNS privacy (Resolver)
      ▶ IETF DPRIVE Tutorial by Sara Dickinson and Daniel Kahn Gillmor https://www.ietf.org/meeting/97/tutorials/dns-privacy.html
      ▶ DNS Privacy websites:
        ▶ Community, non-technical: https://dnsprivacy.org
        ▶ Enterprise/corporate users: https://dnsprivacy.net
        ▶ getdns project website: https://getdnsapi.net
  24. Table: Risk Mitigation Matrix
      Risk                                        | In-Flight (Stub => Rec, Rec => Auth)                       | At Rest (At Recursive, At Authoritative)
      Passive monitoring                          | Encryption (e.g. TLS, HTTPS, QUIC); QNAME Minimization     |
      Active monitoring                           | Authentication & Encryption                                |
      Other Disclosure Risks, e.g. Data breaches  |                                                            | Data Best Practices (Policies), e.g. De-identification
      https://indico.dns-oarc.net/event/26/session/4/contribution/10/material/slides/0.pdf
  25. Zone configuration and results testing tools (Authoritative)
      1. DNS Looking Glass
         ▶ Allows anyone to send a DNS query from that location.
         ▶ Useful when troubleshooting an anycast-served zone.
         ▶ Uses a REST API.
         ▶ http://www.dns-lg.com
         ▶ http://www.bortzmeyer.org/dns-lg.html
      2. Zonemaster
         ▶ Web-based front-end which runs various exhaustive DNS tests on a zone.
         ▶ Determines zone consistency, delegation, connectivity and the like.
         ▶ https://www.zonemaster.net/
         ▶ btsa.bj https://zonemaster.net/test/a633fcaa10ce9e54
         ▶ 4gbenin https://zonemaster.net/test/9690c405a197d939
  26. DNS OARC (Authoritative and resolver)
      ▶ Tools: https://www.dns-oarc.net/oarc/software
        ▶ dsc: DNS Statistics Collector (DSC) is a tool used for collecting and exploring statistics from busy DNS servers.
        ▶ drool: drool is a tool to replay DNS traffic.
        ▶ ripeatlas: Go bindings for the RIPE Atlas API.
      ▶ Check My DNS: https://cmdns.dev.dns-oarc.net
  27. Visualize the status of a DNS zone (Authoritative)
      ▶ Tool suite for analysis and visualization of Domain Name System (DNS) behavior.
      ▶ Resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC).
      ▶ Visual analysis of the DNSSEC authentication chain for a domain name and its resolution path.
      ▶ Lists configuration errors detected.
      ▶ http://dnsviz.net/
  28. Monitoring your DNS infrastructure with RIPE Atlas (Authoritative)
      ▶ Monitor the name servers for your domain.
      ▶ Visualisation designed for monitoring screens, reports and interactive analysis.
      ▶ DNS measurements
        ▶ https://atlas.ripe.net/measurements/10166283 - bj.
        ▶ https://atlas.ripe.net/measurements/10166286 - gouv.bj.
      ▶ Tools
        ▶ DNSMON
          ▶ From anchors to ccTLDs - limited to RIPE NCC members and service region.
          ▶ https://dnsmon.ripe.net
        ▶ DomainMon
          ▶ From probes to second-level domains.
          ▶ https://atlas.ripe.net/domainmon/
  29. BEST PRACTICES FOR ACQUIRING AND OPERATING DOMAIN NAMES (ANSSI guide, in French)
      https://www.ssi.gouv.fr/particulier/guide/bonnes-pratiques-pour-lacquisition-et-lexploitation-de-noms-de-domaine/