
Page 1

DNS Servers, the More the Merrier
Why You Need More Than Two

Alexander Clouter <[email protected]>
Library and Information Services, School of African and Oriental Studies, London

Networkshop 38, 2010

Outline: Early Days of Organisation DNS; A Modern DNS Infrastructure; Summary

Page 2

Part: Early Days of Organisation DNS (Everything Rolled into Together; Design Flaws; 1990's DNS Design in 2010)

In the beginning, there were only two...

Between 2001 and 2008, our entire DNS infrastructure ran off two Solaris boxes running BIND9, each doing both:

  - authoritative: soas.ac.uk hosting, including the reverse (PTR) zones (212.219.139.203 → mr3.soas.ac.uk)
  - recursive: google.com and bbc.co.uk

Example Recursive Query ('dig +trace bbc.co.uk'):

  . (use 'hints' file) → .root-servers.net → .nic.uk → .bbc.co.uk → 212.58.224.138

Page 3

Design Overview

[Diagram: on the Internet side, the external authoritative servers ("auths"), an external recursive server ("rec") and a client ("c"). Inside the border, the intranet has two combined boxes, "rec + s" (recursive plus authoritative slave) and "rec + m" (recursive plus authoritative master), with zone transfers flowing from the master to the slave. KEY: AUTHS = authoritative zones, REC = recursive, m = master, s = slave, c = client.]

Page 4

Internal Recursive Lookup

[Diagram: an intranet client asks one of the combined rec+s / rec+m boxes "example.com IN A?"; that box recurses out across the border to the Internet authoritative servers and hands back 192.0.32.10.]

Page 5

External Authoritative Lookup

[Diagram: an external recursive server, on behalf of an Internet client, sends "IN MX soas.ac.uk?" across the border to the intranet rec+s / rec+m boxes, which answer with mr3/mr4.]

Page 6

Overview

There were of course some problems:

  - authoritative:
      - textfile template + cronjob → zone files
      - externally resolvable RFC 1918 data (for example 192.168.x.y)
      - large 10k/300kiB zone files¹
      - no externally hosted slave (AWOL servers mean AWOL domain)
      - master is publicly accessible
      - no restriction on who can do zone transfers
  - recursive:
      - publicly open resolver
      - old versions of BIND that were poisonable

Homogeneous environment → single bug → total devastation

¹ reverse zone file padding

Page 7

Publicly Accessible

Applies to both sides of DNS:

  - authoritative:
      - a publicly queryable 'master' means it's a target for intrusion attacks and malformed queries
      - not everyone restricts zone transfers (AXFR), so it can be trivial to get a detailed plan of the network without probing
  - recursive:
      - DNS poisoning becomes more trivial
      - DoS amplification attacks²

² less important: botnets and RFC 2827 (BCP 38)

Page 8

DNS Poisoning

Caching resolvers can be overly keen (buggy) to cache data:

  - attacker maintains authority for 'evil.com'
  - sends query acme.evil.com to resolver:
      - direct: trivial if resolver is publicly accessible
      - indirect: trick user to do lookup (email or website)
  - evil server responds, for example, with either:
        acme.evil.com. A 1.2.3.4
        acme.evil.com. NS bank.com.
  - uses additional section of reply to say "oh and by the way, bank.com. is at w.z.y.x"
  - resolver eagerly caches acme.evil.com and bank.com

Also, can be done via race flooding the resolver with spoofed responses. Only solution for this is DNSSEC.
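The "bailiwick" rule that stops the additional-section trick above, as an added example (not code from the slides or from the author): a cache only keeps records that lie inside the zone it actually sent the query to, so bank.com glue in a reply from the evil.com servers is discarded. Names and addresses are constructed; 192.0.2.0/24 is the documentation range.

```python
# Bailiwick filtering for a caching resolver (added example, constructed data).
# This defeats the additional-section poisoning on the slide; it does NOT stop
# the race/spoofed-response variant, which, as the slide says, needs DNSSEC.
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "acme.evil.com."
    rtype: str   # "A", "NS", ...
    rdata: str


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies underneath it."""
    n, z = _norm(name), _norm(zone)
    return n == z or n.endswith("." + z)


def accept_records(qname, server_zone, answer, authority, additional):
    """Split a reply into records a careful cache may keep and ones it must drop.

    server_zone is the zone the resolver *sent the query to* (the delegation it
    followed), never anything the reply itself claims.  Records outside that
    zone, in any section, are attacker-controlled hearsay and are discarded, as
    is an answer-section record for a name we never asked about."""
    keep, drop = [], []
    for section, rrs in (("answer", answer), ("authority", authority),
                         ("additional", additional)):
        for rr in rrs:
            if not in_bailiwick(rr.name, server_zone):
                drop.append((section, rr))
            elif section == "answer" and _norm(rr.name) != _norm(qname):
                drop.append((section, rr))
            else:
                keep.append((section, rr))
    return keep, drop


# Constructed replay of the slide's example: the evil.com server answers a
# query for acme.evil.com and slips bank.com glue into the additional section.
EVIL_REPLY = dict(
    qname="acme.evil.com.",
    server_zone="evil.com.",
    answer=[RR("acme.evil.com.", "NS", "bank.com.")],
    authority=[],
    additional=[RR("bank.com.", "A", "192.0.2.66")],   # out of bailiwick
)


def demo():
    """Run the filter over the constructed reply; returns (kept, dropped)."""
    return accept_records(**EVIL_REPLY)


if __name__ == "__main__":
    kept, dropped = demo()
    print("cached :", kept)
    print("dropped:", dropped)
```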

Page 9

DoS Amplification Attacks

[Diagram: an attacker host "B" sends a ~50 byte query ("dig +dnssec NS se") with the source address spoofed to the victim 5.6.7.8 at the intranet open resolver 1.2.3.4; the ~2700 byte answer is delivered across the Internet to 5.6.7.8 instead. A 50-fold increase: an xDSL uplink becomes 1700kB/s at the victim.]

Page 10

Unrestricted AXFR's
"The 1990's called and they want their DNS servers back..."

At a large UK university computing centre:

  $ dig AXFR compsci.ac.uk @ns1.compsci.ac.uk
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR
  ;; flags: qr aa ra

  [snipped]

  ;; Query time: 92 msec
  ;; SERVER: 1.2.3.4#53(1.2.3.4)
  ;; WHEN: Sun Mar 21 16:29:46 2010
  ;; XFR size: 1261 records

Page 11

Interesting Entries from the AXFR
"The 1990's called and they want their DNS servers back..."

So, now we have 1261 records, anything interesting in there?

  $ dig AXFR compsci.ac.uk | grep --interesting
  host0 IN A     10.99.201.10               [rfc1918]
  host1 IN HINFO "486DX50" "Linux"
  swtch IN TXT   "Cisco 6500 Infra switch"
  vax   IN HINFO "VAX-8250" "VMS"
  till  IN TXT   "Shop till - Jane Doe"
  host2 IN HINFO "OpusPC486/33" "MS-DOS"
  print IN TXT   "New HP Laser - John Smith"
  print IN A     1.2.3.4                    [accessible]

10% was RFC 1918 and gave out the switching IP topology
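An audit to run over your own zone before it is published from the external view, as an added example (not code from the slides or from the author): it flags the record kinds the transfer above exposed, RFC 1918 addresses and HINFO/TXT descriptions, and reports the RFC 1918 share that the slide quotes as 10%. The sample zone is constructed after the slide's excerpt; 192.0.2.0/24 stands in for public addresses.

```python
# Zone audit for split-split DNS (added example, constructed sample zone).
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SAMPLE_ZONE = """\
; constructed sample, loosely after the slide's AXFR excerpt
host0   IN A     10.99.201.10
host1   IN HINFO "486DX50" "Linux"
swtch   IN TXT   "Cisco 6500 Infra switch"
vax     IN HINFO "VAX-8250" "VMS"
print   IN TXT   "New HP Laser - John Smith"
print   IN A     192.0.2.7
www     IN A     192.0.2.80
"""

# owner [ttl] IN type rdata; simplified: no $ORIGIN/$TTL, no multi-line
# records, and a ';' inside quoted TXT data would be taken as a comment.
LINE_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(\S+)\s+(.*)$", re.IGNORECASE)


def parse_zone(text):
    """Return (owner, type, rdata) tuples; comments and unparsable lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if m:
            records.append((m.group(1), m.group(2).upper(), m.group(3).strip()))
    return records


def is_rfc1918(addr):
    """True for 10/8, 172.16/12 and 192.168/16; False for anything unparsable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def audit_external_view(records):
    """Records that must stay in the internal view, each with the reason."""
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "A" and is_rfc1918(rdata):
            findings.append((owner, rtype, "RFC 1918 address: leaks internal topology"))
        elif rtype == "HINFO":
            findings.append((owner, rtype, "HINFO: advertises hardware and OS"))
        elif rtype == "TXT":
            findings.append((owner, rtype, "TXT: free text naming equipment or owner"))
    return findings


def rfc1918_share(records):
    """Fraction of A records pointing into RFC 1918 space (the slide found 10%)."""
    a_records = [r for r in records if r[1] == "A"]
    if not a_records:
        return 0.0
    return sum(is_rfc1918(r[2]) for r in a_records) / len(a_records)


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    for finding in audit_external_view(recs):
        print("%-6s %-5s %s" % finding)
    print("RFC 1918 share of A records: %.0f%%" % (100 * rfc1918_share(recs)))
```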

Page 12

Publicly Open Resolver
"The 1990's called and they want their DNS servers back..."

50 bytes out, 1400 bytes back:

  $ dig +dnssec NS se @ns2.compsci.ac.uk

  ;; Query time: 8 msec
  ;; SERVER: 1.2.3.5#53(1.2.3.5)
  ;; WHEN: Sun Mar 21 17:13:32 2010
  ;; MSG SIZE rcvd: 1424

ns1.compsci.ac.uk ignores DNSSEC queries³; does this imply old? Could old also imply poisonable and vulnerable?

³ which is why I used ns2 here for this test

Page 13

Part: A Modern DNS Infrastructure (Migration; Bonus Round)

Adding External Slaves
Adding Resilience to DNS

[Diagram: the border link is down (X). An Internet client's recursive server cannot reach the intranet rec+s / rec+m boxes: the authoritative servers are unavailable, and thus so is soas.ac.uk.]

Page 14

Adding External Slaves
Adding Resilience to DNS

[Diagram: an external slave ("s") is added on the Internet side, receiving zone transfers from the intranet master across the border.]

Page 15

Adding External Slaves
Adding Resilience to DNS

[Diagram: with the border down (X), the external recursive server still gets soas.ac.uk answers from the external slave.]

Page 16

Hiding Your Primary pt.I
Protecting Your Authority

[Diagram: the external recursive server queries both the external slave and, across the border, the intranet rec+s box; the master still sits in a combined rec+m box and feeds transfers to the intranet slave and the external slave.]

Page 17

Hiding Your Primary pt.I
Protecting Your Authority

[Diagram: the master ("m") is moved to its own authoritative-only box and the border blocks (X) direct access to it; it feeds transfers to the external slave and to the intranet slaves (rec+s and a second s), and queries are answered by the slaves only.]

Page 18

Hiding Your Primary pt.II
Protecting Your Authority

Tweak your zone file:

  $ dig (SOA|NS) soas.ac.uk
  soas.ac.uk. IN SOA ns1.soas.ac.uk. ...      (before: MNAME is a public server)
  soas.ac.uk. IN SOA ns.soas.ac.uk. ...       (after: MNAME is the hidden primary)

  soas.ac.uk. IN NS ns1.soas.ac.uk.
  soas.ac.uk. IN NS ns2.soas.ac.uk.
  soas.ac.uk. IN NS ns2.ic.ac.uk.

Now, firewall the 'hidden primary' so only the slaves can talk to it

Page 21

Split Recursive From Authoritative
Mitigation Against Poisoning

[Diagram: starting point: the intranet slaves (rec+s) still run recursion for intranet clients and are reachable across the border, with the separate master feeding transfers to them and to the external slave.]

Page 22

Split Recursive From Authoritative
Mitigation Against Poisoning

[Diagram: recursion is moved to a dedicated intranet "rec" box that serves only intranet clients and recurses out to the Internet authoritative servers; the intranet slaves and master are now authoritative-only, and the border blocks (X) Internet clients from reaching the recursive server.]

Page 23

DNS Views pt.I
Tidying Up and Adding Flexibility

[Diagram: on the Internet side, two external slaves fed from the master and queried by the external recursive server for its client; on the intranet side, two internal slaves fed from the same master and queried by the internal recursive server for its client.]

Page 24

DNS Views pt.I
Tidying Up and Adding Flexibility

[Diagram: the same layout, with the external slaves now serving the EXT view and the internal slaves the INT view; the border is closed so that the internal slaves are not reachable from the Internet.]

Page 25

DNS Views pt.II
Tidying Up and Adding Flexibility

Tweak your zone files and configure the master to serve the appropriate zone to the correct slave:

  external:~$ dig NS soas.ac.uk
  soas.ac.uk. IN NS ns1.soas.ac.uk.    [bracknell]
  soas.ac.uk. IN NS ns2.soas.ac.uk.    [gold.ac.uk]
  soas.ac.uk. IN NS ns2.ic.ac.uk.      [imperial]

  internal:~$ dig NS soas.ac.uk
  soas.ac.uk. IN NS ipserv0.it.soas.ac.uk.
  soas.ac.uk. IN NS ipserv1.it.soas.ac.uk.

Now, firewall the internal slaves from the outside world

Page 26

DNS Views pt.III
Tidying Up and Adding Flexibility

Possible Pitfalls:

  - internal resolver needs hint to use internal slaves
  - PTR records need 'views' too, and sync'ed correctly
  - SMTP servers are first to sulk when things go wrong

The result (in a 'split-split' DNS infrastructure):

  - remove RFC 1918 results from Internet
  - impossible to poison internal authoritative from outside
  - firewalling becomes simpler
  - trivial to provide different results for classes of user
  - test zone file changes on your internal users first

Page 27

DNS Tricks pt.I
Steering Mail Traffic

An SMTP 'fax' server lives behind the firewall, so routing mail to [email protected] is tricky; instead we do:

  external:~$ dig MX fax.soas.ac.uk
  fax.soas.ac.uk. IN MX 10 mr3.soas.ac.uk.
  fax.soas.ac.uk. IN MX 10 mr4.soas.ac.uk.

  internal:~$ dig MX fax.soas.ac.uk
  fax.soas.ac.uk. IN MX 5 hermes.soas.ac.uk.
  fax.soas.ac.uk. IN MX 10 mr3.soas.ac.uk.
  fax.soas.ac.uk. IN MX 10 mr4.soas.ac.uk.

Page 28

DNS Tricks pt.II
Hiding Boxes

Development boxes are not available outside the firewall:

  external:~$ dig AXFR soas.ac.uk | grep cms
  cms.marketing IN CNAME rx2.marketing

  internal:~$ dig AXFR soas.ac.uk | grep cms
  cms.marketing IN CNAME rx2.marketing
  dev.cms.marketing IN CNAME rx1.marketing

Hiding boxes is not for security, but to avoid firewall 'deny' timeouts: instead an instant NXDOMAIN is generated.

Page 29

DNS Blacklisting
Malware, Trojan, Worm and Phishing Protection for Free

As recursive servers now only talk to internal clients:

  - 'safe' to play with them and not affect outside world
  - unbound/bind9/maradns/others permit 'hijacking' domains
  - find list of Evil™ domains
  - mangle it to plug into your resolver
  - steer Evil™ domains to IDS (*.evil.com → $ip{ids})
  - find infections and stop users going to 'dubious' sites

However, what about false positives?

  - Apache + mod_proxy
  - mod_perl script to 'cook' HTTP session cookies
  - self-service whitelisting → Ultimate Laziness⁴

⁴ zero support calls since deployed July 2008-ish
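One way to "mangle" a domain list into resolver configuration, as an added example (not code from the slides or from the author's own scripts): it emits unbound local-zone "redirect" statements, which catch a domain and all its subdomains, pointing them at the IDS address (the slide's $ip{ids}). The blacklist and the IDS address are constructed; the parent-collapsing step avoids the duplicate local-zone entries a raw list produces.

```python
# Domain blacklist -> unbound.conf redirect statements (added example, constructed data).
import re

# one hostname: labels of 1-63 chars, no leading/trailing hyphen, at least one dot
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")

# constructed input in the usual one-domain-per-line form, with typical noise
BLACKLIST = """\
# example blacklist (constructed)
evil.com
www.evil.com
phish.example.net
EVIL.COM.
bad host.org
"""


def load_domains(text):
    """Normalise the list: lowercase, strip comments and trailing dot, drop junk."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if line and HOSTNAME_RE.match(line):
            domains.add(line)
    return domains


def collapse(domains):
    """Drop names already covered by a listed parent: a redirect on evil.com
    already catches www.evil.com, and listing both gives unbound a duplicate
    local-zone.  Parents are processed first (fewer dots)."""
    kept = set()
    for d in sorted(domains, key=lambda s: s.count(".")):
        if not any(d.endswith("." + p) for p in kept):
            kept.add(d)
    return sorted(kept)


def unbound_redirects(domains, ids_ip):
    """Render 'server:' statements steering each domain (and subdomains) to ids_ip."""
    lines = []
    for d in collapse(domains):
        lines.append('local-zone: "%s." redirect' % d)
        lines.append('local-data: "%s. A %s"' % (d, ids_ip))
    return lines


if __name__ == "__main__":
    # constructed IDS address from the documentation range
    print("\n".join(unbound_redirects(load_domains(BLACKLIST), "192.0.2.5")))
```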

Page 30

DNSSEC Enabling

  - similar to how PGP/SSL works, but hierarchical
  - root not yet signed so need to use some glue:
      - DLV: DNSSEC Look-aside Validation
      - ITAR: Interim Trust Anchor Repository (TLD's only)
      - SecSpider: 20k/6MiB of Trust Anchors (DNS crawler)
  - large replies so needs EDNS0 to up the limit to 4096 bytes

Currently 10% of TLD's are signed (all IDN's⁵), but RIPE/ARIN/etc are also doing some reverse zones too.

Warning: firewalls (eg PIX) and IDS's are configurable to think DNS packet size > 512 bytes → Evil™

⁵ Internationalised Domain Name

Page 31

Part: Summary

Summary

  - 'flat' combo auth+rec DNS infrastructure is a Bad Idea™
  - pain to move to split-split but worth it and you learn lots
  - narrow purpose for each server, so can use any vendor product that suits you (diversity crucial though!)

Outlook:

  - PTR sync'ing is via 'fruity' AXFR compare/DDNS script
  - DNS blacklists fail /etc/hosts - OSPF route hijacking?

Page 32

Appendix: For Further Reading

For Further Reading I

  - Zytrax.com, DNS for Rocket Scientists. Some Press, 2004-2010.
  - Steve Friedl, An Illustrated Guide to the Kaminsky DNS Vulnerability. Unixwiz.net, 2008.
  - Alexander Clouter (me!), Protecting Users with DNS Malware Blacklisting (also Unsavoury IP Route Blackholing). http://www.digriz.org.uk/