Passive DNS Hardening - Farsight Security...Introduction DNS Security Issues Passive DNS hardening DNSDB DNS Passive DNS ISC SIE Passive DNS I Passive DNS replicationis a technology

IntroductionDNS Security Issues

Passive DNS hardeningDNSDB

Passive DNS Hardening

Robert EdmondsInternet Systems Consortium, Inc.

Robert Edmonds Passive DNS Hardening



DNSPassive DNSISC SIE

Structure of this talk

I IntroductionI DNSI Passive DNSI ISC SIE

I DNS security issuesI Kashpureff poisoningI Kaminsky poisoning

I Passive DNS security issuesI Record injectionI Response spoofing

I ISC DNSDBI ArchitectureI Demos





The Domain Name System

I “The DNS maps hostnames to IP addresses.”

I More generally, it maps (key, type) tuples to a set ofunordered values. again, we can think of the DNS as basicallya multi-value distributed key-value store.





Clients, caches, content

I Clients request full resolution service from caches.

I Caches make zero or more inquiries to DNS content serverson behalf of clients. Results are cached for a limited time toserve future client requests.

I Content nameservers serve DNS records for zones that havebeen delegated to them.





DNS Caching Resolvers

gtisc.gatech.edu

Facebook.com

Google.com

amazon.com

.org

.isc.org

.com

.net

Dozens Millions Millions

Clients Content

Query

Respo

nse

Query

Response

Query

Respo

nse

Query

Response





Client-server and inter-server DNS protocols

I The DNS is actually two different protocols that share acommon wire format.

I The client-to-server protocol spoken between clients andcaches.

I The inter-server protocol spoken between caches and contentservers.

I Passive DNS focuses on the latter.





Passive DNS

I Passive DNS replication is a technology invented in 2004 byFlorian Weimer.

I Many uses! Malware, e-crime, legitimate Internet services alluse the DNS.

I Inter-server DNS messages are captured by sensors andforwarded to a collection point for analysis.

I After being processed, individual DNS records are stored in adatabase.





DNS Caching Resolvers

gtisc.gatech.edu

Facebook.com

Google.com

amazon.com

.org

.sc.org

.com

.net

Content

Query

Response

DNSDB

Security Information Exchange

Passive DNS Sensor





Passive DNS deployments

I Florian Weimer’s original dnslogger, first at RUS-CERT,then at BFK.de (2004–).

I Bojan Zdrnja’s dnsparse (2006–).I ISC’s Security Information Exchange (2007–).





ISC Security Information Exchange

I SIE is a distribution network for different types of securitydata.

I One of those types of data is passive DNS.I Sensor operators upload batches of data to SIE.I Data is broadcast onto private VLANs.I NMSG format is used to encapsulate data.

I Has a number of features which make it very useful for storingpassive DNS data, but won’t be covered further.

I See our Google Tech Talk for more information:http://www.isc.org/community/presentations/video.




Kashpureff poisoningKaminsky poisoning

DNS Security Issues

I Passive DNS captures both signed and unsigned data, soDNSSEC cannot help us.

I What security issues are there in the DNS that are relevant topassive DNS?

I Kashpureff poisoningI Kaminsky poisoning

I (Actually, just response spoofing in general.)





Kashpureff poisoning

I Kashpureff poisoning is the name given to a particular type ofDNS cache poisoning.

I The attacker runs a content nameserver.I A client is enticed to lookup a domain name under the

attacker’s control.I The cache contacts the attacker’s nameserver.

I The attacker’s nameserver provides extra records to the cache.I The extra records are inserted into the cache instead of being

discarded.





Kashpureff poisoning example

Q: malicious.example.com. IN A ?

R: malicious.example.com. IN NS www.example.net.

R: www.example.net. IN A 203.0.113.67





Kashpureff hardening

I 1997: Eugene Kashpureff hijacks the InterNIC website.I BIND 4.9.6 and 8.1.1 introduce hardening against

Kashpureff poisoning.I RFC 2181 is published.

I See §5.4.1 “Ranking data” for details.





Lack of entropy

I 2000: DJB observes that a maximum of only about 31-32 bitsof entropy can protect a UDP DNS query.

I Other DNS implementations slow to adopt SPR.I 32 bits of entropy particularly weak for a session ID due to the

birthday attack problem.I Newer protocols use cryptographically secure session IDs with

64, 128, or more bits.





Kaminsky poisoning

I 2008: Dan Kaminsky notices that the TTL can be bypassed.I Coordinated, multi-vendor patches are released to implement

source port randomization.I SPR makes Kaminsky attacks harder, but not impossible.




RelevanceCapture stageAnalysis stage

Relevance to passive DNS

I Weimer’s 2005 paper notes several problems with verifyingpassive DNS data.

I Kashpureff and Kaminsky poisoning of “active DNS” haveanalogues in passive DNS.

I Passive DNS sensors can’t see the DNS cache’s “bailiwick”,leading to record injection.

I Spoofed responses are treated just like normal responses.I A single spoofed response can poison the passive DNS

database!

I Goal: make passive DNS at least as reliable as activeDNS.





Protecting the capture stage against response spoofing

I Capture both queries and responses.I Correlate responses with previously seen queries.I The DNS message 9-tuple:

1. Initiator IP address2. Initiator port3. Target IP address4. Target port5. Internet protocol6. DNS ID7. Query name8. Query type9. Query class





nmsg/dnsqr

I dnsqr is a message module for ISC’s libnmsg specificallydesigned for passive DNS capture.

I UDP DNS transactions are classified into three categories:1. UDP QUERY RESPONSE2. UDP UNANSWERED QUERY3. UDP UNSOLICITED RESPONSE

I Performs IP reassembly, too!





Protecting the analysis stage against record injection

I Caches internally associate a “bailiwick” with each outgoingquery.

I The cache knows what bailiwick to use, because it knows whyit’s sending a particular query.

I We have to calculate the bailiwick ourselves.I Protection against record injection requires protection against

spoofed responses.I (Otherwise, an attacker could just spoof the record and the

source IP address of an in-bailiwick nameserver.)





Passive DNS bailiwick algorithm

I Must operate completely passively.I Must provide a boolean true or false for each record.

I “For each record name, is the response IP address anameserver for the zone that contains or can contain thisname?”

I Example: root nameservers can assert knowledge about anyname!

I Example: Verisign’s gtld servers can assert knowledge aboutany domain name ending in .com or .net.





Passive DNS bailiwick algorithm

I Initialize bailiwick cache with a copy of the root zone.I Cache starts off with knowledge of which servers serve the root

and TLDs.I Find all potential zones that a name could be located in.I Check whether any of the nameservers for those zones are the

nameserver that sent the response.I Each time an NS, A, or AAAA record is verified by the

algorithm, it is inserted into the bailiwick cache.





Passive DNS bailiwick algorithm example

Name: example.com.Server: 192.5.6.30

I Potential zones:I example.com.I com.I .

I Zones in bailiwick cache:I com.I .

I Check: example.com./NS? Not found.I Check: com./NS? Found 13 nameservers.I Check: are any of them 192.5.6.30? Yes.






com . IN NS a . g t l d −s e r v e r s . net .

a . g t l d −s e r v e r s . net . IN A 1 9 2 . 5 . 6 . 3 0






; ; QUESTION SECTION :;www. example . com . IN A

; ; AUTHORITY SECTION :example . com . 172800 IN NS a . iana −s e r v e r s . net .example . com . 172800 IN NS b . iana −s e r v e r s . net .

; ; ADDITIONAL SECTION :a . iana −s e r v e r s . net . 172800 IN A 1 9 2 . 0 . 3 4 . 4 3b . iana −s e r v e r s . net . 172800 IN A 1 9 3 . 0 . 0 . 2 3 6

; ; SERVER : 1 9 2 . 5 . 6 . 3 0 # 5 3 ( 1 9 2 . 5 . 6 . 3 0 )






; ; QUESTION SECTION :;www. example . com . IN A

; ; ANSWER SECTION :www. example . com . 172800 IN A 1 9 2 . 0 . 3 2 . 1 0

; ; AUTHORITY SECTION :example . com . 172800 IN NS a . iana −s e r v e r s . net .example . com . 172800 IN NS b . iana −s e r v e r s . net .

; ; SERVER : 1 9 2 . 0 . 3 4 . 4 3 # 5 3 ( 1 9 2 . 0 . 3 4 . 4 3 )





Passive DNS bailiwick algorithm exampleName: www.example.com.Server: 192.0.34.43

I Potential zones:I www.example.com.I example.com.I com.I .

I Zones in bailiwick cache:I example.com.I com.I .

I Check: www.example.com./NS? Not found.I Check: example.com./NS? Found 2 nameservers.I Check: are any of them 192.0.34.43? Yes.




ArchitectureExamples

DNSDB

I DNSDB is a database for storing DNS records.I Data is loaded from passive DNS and zone files.I Individual DNS records are stored in an Apache Cassandra

database.I Offers key-value store distributed across multiple machines.I Good fit for DNS data.I Sustains extremely high write throughput because all writes

are sequential.I Offers a RESTful HTTP API and web search interface.

I Database currently consumes about 500 GB out of 27 TB.





Architecture

I ComponentsI Data sources

I nmsg-dns-cacheI DNS TLD zones (FTP via ZFA programs): com, net, org,

etc.I DNS zones (standard AXFR/IXFR protocol)

I Data loadersI Deduplicated passive DNSI Zone file data





Data source: nmsg-dns-cache

I Reads raw DNS responses from passive DNS.I Parses each DNS message into individual DNS RRsets.I Series of filters reduce the total amount of data by about 50%.I RRsets are then inserted into an in-memory cache.I Cache is expired in FIFO order.I When RRsets expire from the cache, they form the final

nmsg-dns-cache output.





Data source: zone files

I gTLD Zone File Access programs: com, net, org, info,biz, name

I AXFR’d zones: isc.org, a few other ”test” zones.





DNSDB SIE

nmsg-dns-cache

DNSDB

Passive DNS Sensor

Passive DNS Sensor

Passive DNS Sensor

SIE Submit

SIE Submit

SIE Switch Fabric

Filter Dedupe

FTP Collector

Web Interface

HTTP API

Query

Response

Query

Response

AXFR/IXFR Collector

ZFA

.COM ZFA

.BIZ ZFA

.ORG ZFA

ISC.ORG DNS

Any other DNS

GTISC.GATECH.EDU

DNS

Filte

red,

Ded

uped

Dat

a V

LAN

Raw

Dat

a V

LAN





Example #1: *.google.com






IntroductionDNSPassive DNSISC SIE

DNS Security IssuesKashpureff poisoningKaminsky poisoning

Passive DNS hardeningRelevanceCapture stageAnalysis stage

DNSDBArchitectureExamples

Passive DNS Hardening - Farsight Security...Introduction DNS Security Issues Passive DNS hardening DNSDB DNS Passive DNS ISC SIE Passive DNS I Passive DNS replicationis a technology

Text of Passive DNS Hardening - Farsight Security...Introduction DNS Security Issues Passive DNS hardening...

Deteksi Botnets Pada Passive DNS Dengan …eprints.umm.ac.id/41268/1/Pendahuluan.pdfDeteksi Botnets Pada Passive DNS Dengan Menggunakan Metode K Nearest Neighbor Tugas Akhir Diajukan

SQL Server Hardening - Cisco · SQL Server Hardening • SQLServerHardeningConsiderations,page1 • SQLServer2014SecurityConsiderations,page3 SQL Server Hardening Considerations

Passive DNS Collection and Analysis The 'dnstap' Approach · •Blind to off-wire events like cache expiry due to DNS TTL, cache purge due to LRU •Meaning is not tagged –NMSG

COMPUTER NETWORK SERCURITY COMPUTER & NETWORK … · • Hardening Windows, UNIX, Linux, Novell, Macintosh, File systems, Web Server, E-mail, FTP, DNS, NNTP Server • Access Control,

Privacy-Preserving Passive DNS...DNS abuse, the DNS queries and responses often have to be collected for further analysis. Florian Weimer is the creator of the Passive DNS systems

The Strategic Value of Passive DNS to ... - Farsight Security

Discovering Malicious Domains through Passive DNS Data ......The user has requested enhancement of the downloaded file. Discovering Malicious Domains through Passive DNS Data Graph

A DNS study of turbulent mixing of two passive scalarsA DNS study of turbulent mixing of two passive scalars A. Junejaa) and S. B. Pope Sibley School of Mechanical and Aerospace Engineering,

Hardening. Consulting. Contracting....Surface hardening Flame Induction Laser Furnace processes Case hardening Nitriding HARD-INOX® Boronising Vacuum hardening Hardening and tempering

Dns Hardening Linux Os

1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29

Nevada Department of Corrections - Innovative DNS-DHCP ... · • Delegated DNS management • Active/Passive DHCP failover Transition Process and Key Benefits Erlendson indicated

Hardening. Consulting. Contracting. - gerster.ch der... · Surface hardening Flame Induction Laser Furnace processes Case hardening Nitriding HARD-INOX® Boronising Vacuum hardening

Passive DNS Collection – Henry Stern, Cisco

OpenDNS - cisco.com · DNS request patterns/geo. distribution Passive DNS database . 17 CONFIDENTIAL ... • Deck, data sheets, cheat sheets, etc. 37 CONFIDENTIAL . Title: OpenDNS

APNIC Conferences – APNIC - Passive DNS Collection and … · 2018. 1. 23. · Challenges of Measuring DNS •Historically, turning on logging in a DNS server slows it down to the

Networking:! UDP&!DNS! · Root DNS Servers com DNS servers org DNS servers edu DNS servers poly.edu DNS servers umass.edu DNS servers yahoo.com DNS servers amazon.com

DNS Wildcards Abuse in China ----From passive DNS perspective Network Security Research Lab @QIHOO 360 Zhang Zaifeng

Passive DNS Collection and Analysis The 'dnstap' Approach · Passive DNS Collection and Analysis The 'dnstap' Approach Dr. Paul Vixie, CEO Farsight Security, Inc. 2014-01-16 – Charleston,

BUILDING A LOCAL PASSIVE DNS CAPABILITY FOR MALWARE ... · building a local passive dns capability for malware incident response ... building a local passive dns capability for malware

Passive DNS Collection and Analysis The 'dnstap' …dnstap.info/slides/dnstap_vldss2014.pdfPassive DNS Collection and Analysis The 'dnstap' (& fstrm) Approach Farsight Security, Inc

Active and passive in-plane wall ˛uctuations in turbulent ......controls (§3.1), frequency analysis of passive controls based on analytical solutions and DNS results with passive

dns-Drechselkurse - Drechselstube Neckarsteinach · dns-Einsteigerkurs dns-Fortgeschrittenenkurs dns-Themenkurse dns-Profikurse dns-Betriebseventkurs Anmeldung / Anfahrt / Übenrachtung

Exposure: Finding Malicious Domains Using Passive · PDF fileExposure: Finding Malicious Domains Using Passive DNS Analysis Leyla Bilge, Engin Kirda, Christopher Kruegel and Marco

Passive DNS Hardening - DEF CON · Kashpureﬀ poisoning Kaminsky poisoning Kaminsky poisoning I 2008: Dan Kaminsky notices that the TTL can be bypassed. I Coordinated, multi-vendor

Induction Hardening and Flame Hardening

Scrutinizing a Country using Passive DNS and Picviz

Pre-Recursor Passive DNS · 2013. 4. 15. · © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 Cisco CSIRT’s Passive DNS Collection and Searching System

Passive DNS Hardening - Farsight Security · DNS Security Issues Passive DNS hardening DNSDB Architecture Examples DNSDB I DNSDB is a database for storing DNS records. I Data is loaded

Passive DNS Database - CIO Summits€“eriodically review DNSDB content to provide third-party benchmark reference for an ... can scan DNSDB content using open ... Passive DNS Database

Documents

Passive DNS Hardening - Farsight Security...Introduction DNS Security Issues Passive DNS hardening DNSDB DNS Passive DNS ISC SIE Passive DNS I Passive DNS replicationis a technology

Text of Passive DNS Hardening - Farsight Security...Introduction DNS Security Issues Passive DNS hardening...