▶ DNS servers & workflow
▶ DNS Principles
▶ Some Use cases
▶ Threat model
▶ DNS and security
  ▶ Open Resolvers
  ▶ (T)SIG
  ▶ DNSSEC
▶ DNS and privacy
  ▶ Approach
  ▶ Qname Minimisation
  ▶ Encryption
▶ Resources
  ▶ DNS privacy
  ▶ Zone Testing
  ▶ DNS OARC
  ▶ DNSSEC VIZ
  ▶ DNS monitoring with RIPE Atlas
▶ Additional - Privacy? I don’t have anything to hide
dns too chatty.
▶ Query/answer are cleartext: dns too public.
▶ Easy to subvert: dns too trusting.
1. [...] The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit [...]
2. [...] Messages carried by UDP are restricted to 512 bytes (not counting the IP or UDP headers) [...].
3. Many types of resource records.
M. Kolkman - NLnet Labs - 2012)
▶ Server vulnerabilities
  ▶ Bugs,
  ▶ Implementation mistakes,
  ▶ bad configuration.
▶ Compromise of systems
  ▶ Spoofing,
  ▶ Cache poisoning (resolver).
▶ Man in the middle
  ▶ On the wire,
  ▶ Through compromise.
updates and zone transfers.
▶ Authentication of caching forwarders.
▶ RFC 2845 Secret Key Transaction Authentication for DNS (TSIG): keyed one-way hash (HMAC) with a shared secret.
▶ RFC 2931 DNS Request and Transaction Signatures (SIG(0)s): public key algorithm.
▶ Designed to provide integrity and authentication.
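To make the TSIG bullet concrete, here is an added example (not code from the slides) of what a TSIG-protected transaction looks like on the wire: a DNS query is built with the standard library, a TSIG record carrying an HMAC-SHA256 MAC is appended, and the receiver recomputes the MAC over the message as it was signed and enforces the time/fudge window. The key name, shared secret, query name and timestamps are constructed placeholders. Note what TSIG gives and does not give: the MAC proves integrity and that the sender holds the shared secret, but the message itself stays in cleartext.

```python
# Added example (not from the slides): a minimal TSIG signer/verifier using only
# the Python standard library.  Key name, secret, query name and timestamp are
# constructed values.  The MAC follows RFC 2845: HMAC over the DNS message (with
# the TSIG RR removed and ARCOUNT decremented) followed by the TSIG "variables".
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_ANY, ALGO, FUDGE = 250, 255, "hmac-sha256.", 300


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, msg_id=0x1234):
    """Header (RD set) plus one question; no answer/authority/additional RRs yet."""
    return (struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, 1))


def _pack_time(t):
    """48-bit 'time signed' field: high 16 bits, then low 32 bits."""
    return struct.pack("!HI", t >> 32, t & 0xFFFFFFFF)


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """Fields hashed together with the message (RFC 2845 section 3.4.2):
    canonical key name, class ANY, TTL 0, algorithm, time, fudge, error, other."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(ALGO) + _pack_time(time_signed)
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(message, key_name, secret, time_signed):
    """Append a TSIG RR to `message` and bump ARCOUNT; returns the signed message."""
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, FUDGE),
                   hashlib.sha256).digest()
    rdata = (encode_name(ALGO) + _pack_time(time_signed)
             + struct.pack("!HH", FUDGE, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))   # original ID, error, other len
    rr = (encode_name(key_name)
          + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata)
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def _skip_name(buf, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        n = buf[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def tsig_verify(signed, key_name, secret, now):
    """Locate the trailing TSIG RR, rebuild the message as it was signed (original
    ID, ARCOUNT - 1), recompute the MAC in constant time and enforce the time
    window.  A parse failure, MAC mismatch or stale timestamp all mean 'reject'."""
    try:
        qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
        off = 12
        for _ in range(qd):
            off = _skip_name(signed, off) + 4
        for _ in range(an + ns + ar - 1):            # every RR except the last one
            off = _skip_name(signed, off)
            off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
        tsig_start = off
        off = _skip_name(signed, off)
        if signed[tsig_start:off] != encode_name(key_name):   # exact-case compare for brevity
            return False
        if struct.unpack("!H", signed[off:off + 2])[0] != TSIG_TYPE:
            return False
        off = _skip_name(signed, off + 10)           # skip type/class/ttl/rdlength, then algorithm
        hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[off:off + 10])
        off += 10
        mac = signed[off:off + mac_len]
        off += mac_len
        orig_id, error, other_len = struct.unpack("!HHH", signed[off:off + 6])
        other = signed[off + 6:off + 6 + other_len]
    except (IndexError, struct.error):
        return False
    time_signed = (hi << 32) | lo
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:tsig_start])
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected) and abs(now - time_signed) <= fudge


if __name__ == "__main__":
    secret = b"constructed-shared-secret"             # placeholder, not a real key
    signed = tsig_sign(build_query("example.invalid."), "key.example.invalid.", secret, int(time.time()))
    print("verifies:", tsig_verify(signed, "key.example.invalid.", secret, int(time.time())))
```

The verifier deliberately fails closed: a message without a TSIG record, a wrong secret, a single flipped byte in the question, or a timestamp outside the fudge window all come back as a rejection rather than an exception, which is the behaviour you want on a primary that accepts dynamic updates or serves zone transfers.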
end security).
▶ Public/private key pair is associated with each DNS zone.
▶ Zone signature by the authoritative server and record validation by the resolver.
▶ A chain of trust must exist from the root zone to a leaf zone.
▶ NXDOMAIN case with NSEC(3).
▶ DNS data authenticity can be verified (solution to DNS hijacking: response spoofing, cache poisoning).
▶ RFC 2535 Domain Name System Security Extensions, [3833, 4033, 4034, 4035, 4398, 4470, 4509, 5155, 6781].
▶ Provides new protocol security features:
  ▶ RFC 6698 DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA, [6394, 7218, 7671, 7672, 7673, 7929, 8162].
  ▶ RFC 5585 DomainKeys Identified Mail (DKIM) Service Overview, [4686, 5016, 5617, 5863, 6376, 6377].
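The "chain of trust" bullet is easiest to see at a single zone cut, so here is an added example (not from the slides) of the link a validating resolver checks there: the parent publishes a DS record, the child publishes its DNSKEY, and the two agree only when the key tag (RFC 4034 Appendix B) and the digest over the canonical owner name plus DNSKEY RDATA (RFC 4034 section 5.1.4) both match. The DNSKEY bytes are a constructed placeholder, not real key material; the algorithm numbers are the IANA values for the algorithms named on the following slide.

```python
# Added example (not from the slides): the DS <-> DNSKEY link that a validating
# resolver checks at every zone cut of the DNSSEC chain of trust.  The DNSKEY
# below is a constructed placeholder; the key tag and digest rules are those of
# RFC 4034 (Appendix B and section 5.1.4).
import hashlib
import hmac
import struct

# DNSSEC algorithm numbers (IANA registry) for the algorithms the slides mention.
ALGORITHMS = {5: "RSA/SHA-1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSA/SHA-256", 10: "RSA/SHA-512"}
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
KSK_FLAGS = 257   # zone key + secure entry point: the usual flags of a key signing key


def canonical_name(name):
    """Owner name in canonical wire form: lowercase, length-prefixed labels, zero byte."""
    labels = [label.lower() for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key, protocol=3):
    """DNSKEY RDATA: flags (2 bytes), protocol (1, always 3), algorithm (1), key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit checksum of the RDATA, used to pick a key quickly."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    return DIGEST_TYPES[digest_type](canonical_name(owner) + rdata).digest()


def make_ds(owner, rdata, digest_type=2):
    """What the parent zone publishes: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(ds, owner, rdata):
    """True when a DS from the parent corresponds to this child DNSKEY."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_TYPES or rdata[3] != alg or key_tag(rdata) != tag:
        return False
    return hmac.compare_digest(digest, ds_digest(owner, rdata, dtype))


def trusted_keys(ds_set, owner, dnskeys):
    """Keys in the child's DNSKEY RRset anchored by at least one parent DS.
    An empty result means the chain of trust is broken at this zone cut."""
    return [k for k in dnskeys if any(ds_matches(ds, owner, k) for ds in ds_set)]


if __name__ == "__main__":
    key = dnskey_rdata(KSK_FLAGS, 8, b"\x01\x02\x03\x04")   # placeholder key material
    ds = make_ds("example.invalid.", key)
    print("key tag", ds[0], ALGORITHMS[ds[1]], "DS matches:", ds_matches(ds, "example.invalid.", key))
```

This is exactly the situation behind the "signed ccTLDs without DS in the root zone" statistic that follows: a zone can be fully signed, but until the parent publishes a matching DS, `trusted_keys` returns nothing and a validator cannot extend the chain into it.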
▶ 18 signed ccTLDs in Africa.
▶ 2 signed ccTLDs without DS in the root zone (Guinea-Bissau & Sierra Leone).
▶ Key algorithm:
  ▶ RSA/SHA-256 (14 countries)
  ▶ RSASHA1-NSEC3-SHA1 (Seychelles, Sierra Leone & Guinea-Bissau)
  ▶ RSA/SHA-1 (Madagascar & Namibia)
  ▶ RSA/SHA-512 (Tanzania)
▶ Namibia, na.: first DS record on 2010/07/16.
▶ Liberia, lr.: last DS on 2017/04/13.
▶ bj. is unsigned.
http://dnssec-africa.org/index.html
possible.
  ▶ Evil name server.
2. Encrypt it.
  ▶ Third-party sniffers.
▶ RFC 7626 DNS Privacy Considerations.
▶ RFC 7816 DNS Query Name Minimisation to Improve Privacy, published (status “experimental”).
▶ RFC 7858 Specification for DNS over Transport Layer Security (TLS).
▶ Draft under discussion: Specification for DNS over Datagram Transport Layer Security (DTLS).
and a DNS authoritative server.
▶ RFC 7816: “QNAME minimisation follows the principle [that] the less data you send out, the fewer privacy problems you have.”
▶ Inconsistencies in the handling of so-called Empty Non-Terminal domain names.
▶ In the resolver only (no change to the protocol).
▶ Supported by Unbound (version ≥ 1.5.7, off by default) and Knot Resolver (version ≥ 1.0, on by default).
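To show both what QNAME minimisation hides and why the Empty Non-Terminal bullet matters, here is an added example (not code from the slides or from any resolver): a toy iterative resolver walks a constructed set of zones twice, once sending the full name to every server and once sending only one label more than the server is already known to be authoritative for, as RFC 7816 describes. The `ent_bug` flag models an authoritative server that answers NXDOMAIN for an empty non-terminal instead of NOERROR/NODATA; the zones, names and that flag are all constructed for the demonstration.

```python
# Added example (not from the slides): a toy resolver that walks a constructed set
# of zones with and without RFC 7816 QNAME minimisation, recording exactly which
# name each authoritative server gets to see.  Zones, names and the "ent_bug"
# flag (a server answering NXDOMAIN for an empty non-terminal) are constructed.

# Each zone lists the zone cuts it delegates and the names that own records in it.
ZONES = {
    ".":                    {"delegations": {"invalid."}, "names": set()},
    "invalid.":             {"delegations": {"example.invalid."}, "names": set()},
    "example.invalid.":     {"delegations": {"sub.example.invalid."},
                             "names": {"www.example.invalid.", "www.deep.example.invalid."}},
    "sub.example.invalid.": {"delegations": set(), "names": {"www.sub.example.invalid."}},
}


def labels(name):
    return [label for label in name.rstrip(".").split(".") if label]


def one_label_longer(known, qname):
    """The next name on the path from `known` (already known to exist) toward `qname`."""
    ls = labels(qname)
    return ".".join(ls[len(ls) - len(labels(known)) - 1:]) + "."


def authoritative_answer(zones, zone, qname, ent_bug=False):
    """How the server for `zone` answers a query for `qname` (type is ignored here)."""
    z = zones[zone]
    for cut in z["delegations"]:
        if qname == cut or qname.endswith("." + cut):
            return "REFERRAL", cut                   # at or below a delegation: ask the child
    if qname in z["names"]:
        return "NOERROR", None
    if any(n.endswith("." + qname) for n in z["names"] | z["delegations"]):
        # Empty non-terminal: the name exists only because names below it exist.
        # The correct answer is NOERROR/NODATA; a broken server says NXDOMAIN.
        return ("NXDOMAIN" if ent_bug else "NODATA"), None
    return "NXDOMAIN", None


def resolve(zones, qname, qtype, minimise, ent_bug=False):
    """Iterate from the root.  Returns (rcode, [(server zone, name sent, type sent), ...])."""
    queries, zone, known = [], ".", "."
    for _ in range(32):                               # loop guard
        name = one_label_longer(known, qname) if minimise else qname
        qt = qtype if name == qname else "NS"         # RFC 7816 uses NS for the partial names
        queries.append((zone, name, qt))
        rcode, cut = authoritative_answer(zones, zone, name, ent_bug)
        if rcode == "REFERRAL":
            zone = known = cut
        elif rcode == "NXDOMAIN" or name == qname:
            return rcode, queries
        else:
            known = name                              # intermediate name exists: add one label
    return "SERVFAIL", queries


def names_seen_by(queries, zone):
    """Which query names a given authoritative server observed."""
    return [name for srv, name, _ in queries if srv == zone]


if __name__ == "__main__":
    for minimise in (False, True):
        rcode, q = resolve(ZONES, "www.sub.example.invalid.", "A", minimise)
        print("minimise" if minimise else "full name", rcode, "root saw:", names_seen_by(q, "."))
    print("ENT with broken server, minimised:",
          resolve(ZONES, "www.deep.example.invalid.", "A", True, ent_bug=True)[0])
```

Run against the same toy zones, the minimising walk costs no extra round trips on this path, but the root and TLD servers only ever see `invalid.` and `example.invalid.` instead of the full query name; the broken-ENT server, however, turns a name that exists into a spurious NXDOMAIN only when minimisation is on, which is the inconsistency the slide refers to and the reason Unbound ships with the option (`qname-minimisation: yes` in its server section) off by default.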
between a DNS client/stub and a DNS resolver.
▶ Transport
  ▶ RFC 7858 Specification for DNS over Transport Layer Security (TLS)
  ▶ Specification for DNS over Datagram Transport Layer Security (DTLS).
▶ Application
  ▶ DNS over HTTP/QUIC (REST API).
  ▶ Application-level DNS: GetDNS (DNS over TLS), DNSCrypt and DNSCurve (not a standard, DTLS).
DNS privacy risks and mitigations (from the slide's risk/mitigation table; columns: Stub ⇒ Rec, Rec ⇒ Auth, At Recursive, At Authoritative):
▶ Passive monitoring
  ▶ Stub ⇒ Rec: Encryption (e.g. TLS, HTTPS, QUIC)
  ▶ Rec ⇒ Auth: QNAME Minimization
▶ Active monitoring: Authentication & Encryption
▶ Other Disclosure Risks (e.g. Data breaches), at recursive and at authoritative: Data Best Practices (Policies), e.g. De-identification
https://indico.dns-oarc.net/event/26/session/4/contribution/10/material/slides/0.pdf
Glass
  ▶ Allows anyone to send a DNS query from that location.
  ▶ Useful when troubleshooting an anycast-served zone.
  ▶ Uses a REST API.
  ▶ http://www.dns-lg.com
  ▶ http://www.bortzmeyer.org/dns-lg.html
2. Zonemaster
  ▶ Web-based front-end which runs various exhaustive DNS tests on a zone.
  ▶ Determines zone consistency, delegation, connectivity and the like.
  ▶ https://www.zonemaster.net/
  ▶ btsa.bj https://zonemaster.net/test/a633fcaa10ce9e54
  ▶ 4gbenin https://zonemaster.net/test/9690c405a197d939
▶ dsc: DNS Statistics Collector (DSC) is a tool for collecting and exploring statistics from busy DNS servers.
▶ drool: a tool to replay DNS traffic.
▶ ripeatlas: Go bindings for the RIPE Atlas API.
▶ Check My DNS: https://cmdns.dev.dns-oarc.net
suite for analysis and visualization of Domain Name System (DNS) behavior.
▶ Resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC).
▶ Visual analysis of the DNSSEC authentication chain for a domain name and its resolution path.
▶ Lists the configuration errors detected.
▶ http://dnsviz.net/
the name servers for your domain.
▶ Visualisation designed for monitoring screens, reports and interactive analysis.
▶ DNS measurements
  ▶ https://atlas.ripe.net/measurements/10166283 - bj.
  ▶ https://atlas.ripe.net/measurements/10166286 - gouv.bj.
▶ Tools
  ▶ DNSMON
    ▶ From anchors to ccTLDs - limited to RIPE NCC members and service region.
    ▶ https://dnsmon.ripe.net
  ▶ DomainMon
    ▶ From probes to second-level domains.
    ▶ https://atlas.ripe.net/domainmon/