© Men & Mice http://menandmice.com
DNS and DNSSEC Monitoring
Wednesday 9 November 16
Why DNSSEC monitoring
A DNS infrastructure with DNSSEC-signed zones is more fragile:
• more complex configuration
• most errors are fatal: the zone cannot be resolved any more (this is a security feature of DNSSEC!)
DNSSEC monitoring helps to detect issues before the DNS service is affected.
Our scripts
• we have compiled 15 essential monitoring test scripts
• these scripts are simple (Bourne) shell scripts that should work on any Unix/Linux system (and on Windows 10 with the Linux subsystem, or Windows with Cygwin)
• the scripts are available in the Men & Mice Services GitHub repo: https://github.com/menandmice-services/dns-monitoring-scripts
• Please send pull requests for fixes and additions
• Please send feedback to [email protected]
Our scripts
• the scripts are deliberately simple
• each script takes one input parameter: the domain name of a delegated zone
• the scripts can be used from a cron job, or embedded into a monitoring system
DNS-Server Tests
DNSSEC Monitoring - Server (1)
Test 1 - UDPv4 reachability: test for each authoritative server of the DNS infrastructure that it is reachable over UDP IPv4.

dig ns ${1} +short | while read server; do
  ipaddr=$(dig ${server} a +short)
  echo "Server: ${server} (${ipaddr})"
  # +cd (checking disabled) so that a validation failure does not mask a transport problem
  soarec=$(dig -4 @${server} ${1} soa +cd)
  rc=$?
  if [ $rc != 0 ]; then
    echo "Error while sending UDPv4 query to ${server}"
    exit $rc
  else
    echo "OK"
  fi
done
DNSSEC Monitoring - Server (2)
Test 2 - UDPv6 reachability: test for each authoritative server of the DNS infrastructure that it is reachable over UDP IPv6.

dig ns ${1} +short | while read server; do
  ipaddr=$(dig ${server} aaaa +short)
  echo "Server: ${server} (${ipaddr})"
  soarec=$(dig -6 @${server} ${1} soa +cd)
  rc=$?
  if [ $rc != 0 ]; then
    echo "Error while sending UDPv6 query to ${server}"
    exit $rc
  else
    echo "OK"
  fi
done
DNSSEC Monitoring - Server (3)
Test 3 - TCPv4 reachability: test for each authoritative server of the DNS infrastructure that it is reachable over TCP IPv4.

dig ns ${1} +short | while read server; do
  ipaddr=$(dig ${server} a +short)
  echo "Server: ${server} (${ipaddr})"
  soarec=$(dig -4 @${server} ${1} soa +cd +tcp)
  rc=$?
  if [ $rc != 0 ]; then
    echo "Error while sending TCPv4 query to ${server}"
    exit $rc
  else
    echo "OK"
  fi
done
DNSSEC Monitoring - Server (4)
Test 4 - TCPv6 reachability: test for each authoritative server of the DNS infrastructure that it is reachable over TCP IPv6.

dig ns ${1} +short | while read server; do
  ipaddr=$(dig ${server} aaaa +short)
  echo "Server: ${server} (${ipaddr})"
  soarec=$(dig -6 @${server} ${1} soa +cd +tcp)
  rc=$?
  if [ $rc != 0 ]; then
    echo "Error while sending TCPv6 query to ${server}"
    exit $rc
  else
    echo "OK"
  fi
done
DNSSEC Monitoring - Server (5)
Test 5 - EDNS0 response size: tests that the server signals the correct EDNS0 buffer size (the UDP payload size it advertises). The size needs to be checked against the local policy, usually 1220-1232 bytes.

ednspolicy=1232
dig ns ${1} +short | while read server; do
  echo "Server: ${server} "
  # the EDNS pseudo-section line looks like "; EDNS: version: 0, flags:; udp: 1232";
  # extract the number after "udp:" so that extra flags do not shift the field position
  ednsbuf=$(dig @${server} ${1} | sed -n 's/^; EDNS:.*udp: \([0-9]*\).*/\1/p')
  if [ "${ednsbuf:-0}" -eq "${ednspolicy}" ]; then
    echo " EDNS0-Bufsize is ${ednsbuf}, good "
  else
    echo " EDNS0-Bufsize is ${ednsbuf}, out of policy range "
  fi
done
DNS-Zone Tests
DNSSEC Monitoring - Zone (1)
Test 6 - Test that all authoritative servers for a zone respond. The count is tested against the number of authoritative servers in the delegation (parent zone).

# TLD of the zone, e.g. "com" for example.com (this only works for zones delegated directly from a TLD)
tld=$(echo ${1} | rev | cut -d'.' -f 1 | rev)
# one authoritative server of the parent (TLD) zone
tldns=$(dig ns ${tld}. +short | tail -1)
# the parent answers with a referral, so the delegation NS records are in the authority section
parentnsnum=$(dig @${tldns} ns ${1} +norec +noall +authority | grep -c "IN.*NS")
# +nssearch queries every name server of the zone for its SOA and prints one line per answer
childnsnum=$(dig -4 ${1} +nssearch | wc -l)

if [ "${parentnsnum}" -eq "${childnsnum}" ]; then
  echo "all authoritative DNS-Server answer"
else
  echo "Error: Mismatch"
  echo "Auth DNS-Servers in Delegation: ${parentnsnum}"
  echo "Auth DNS-Servers in Zone: ${childnsnum}"
fi
DNSSEC Monitoring - Zone (2)
Test 7 - Test that all authoritative servers for a zone respond via TCP. The count should be tested against the known good number of authoritative servers for the zone. The return code of the dig command should be checked for errors.

tld=$(echo ${1} | rev | cut -d'.' -f 1 | rev)
tldns=$(dig ns ${tld}. +short | tail -1)
# delegation NS records come back in the authority section of the parent's referral
parentnsnum=$(dig @${tldns} ns ${1} +norec +noall +authority | grep -c "IN.*NS")
# same as Test 6, but every SOA query goes over TCP
childnsnum=$(dig -4 ${1} +nssearch +tcp | wc -l)

if [ "${parentnsnum}" -eq "${childnsnum}" ]; then
  echo "all authoritative DNS-Server answer"
else
  echo "Error: Mismatch"
  echo "Auth DNS-Servers in Delegation: ${parentnsnum}"
  echo "Auth DNS-Servers in Zone: ${childnsnum}"
fi
DNSSEC Monitoring - Zone (3)
Test 8 - Test that all authoritative servers for a zone have the same SOA serial. The return code of the dig command should be checked for errors.
dig zone +nssearch
The SOA serial can differ for a short time after an update on the master (propagation delay during zone transfer).
On a test interval of 5 minutes, the test should issue a WARNING if the same SOA difference is seen in two successive tests.
If the same SOA difference is seen after three or more tests, an event of severity ERROR should be generated.
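The escalation rule above, implemented as a stateful check. This is an added example, not one of the scripts from the Men & Mice repository; it assumes the input is the text printed by dig +nssearch and keeps its state in a file whose path the caller chooses:

```shell
#!/bin/sh
# Added example, not one of the Men & Mice scripts: the escalation rule from the
# slide kept across runs in a small state file. Input is the text printed by
# "dig <zone> +nssearch"; a serial mismatch seen once is tolerated (zone transfer
# in progress), seen in two successive runs it is a WARNING, three or more an ERROR.

# Distinct SOA serials (field 4 of each +nssearch line), one per line, sorted.
distinct_serials() {
    awk '$1 == "SOA" { print $4 }' | sort -u
}

# soa_check "<nssearch output>" <state-file>
# Prints OK / WARNING / ERROR with details; returns 0, 1 or 2 accordingly.
soa_check() {
    serials=$(printf '%s\n' "$1" | distinct_serials)
    if [ -z "$serials" ]; then
        echo "ERROR: no SOA answer from any server"
        return 2
    fi
    if [ "$(printf '%s\n' "$serials" | wc -l | tr -d ' ')" -eq 1 ]; then
        rm -f "$2"    # back in sync: forget any earlier mismatch
        echo "OK: all servers report serial $serials"
        return 0
    fi
    sig=$(printf '%s' "$serials" | tr '\n' ',')    # e.g. "2016110901,2016110902"
    count=0
    if [ -s "$2" ]; then
        read -r oldsig oldcount < "$2"
        if [ "$oldsig" = "$sig" ]; then count=$oldcount; fi    # same difference as last run
    fi
    count=$((count + 1))
    printf '%s %s\n' "$sig" "$count" > "$2"
    if [ "$count" -ge 3 ]; then
        echo "ERROR: serial mismatch ($sig) seen in $count successive tests"
        return 2
    elif [ "$count" -eq 2 ]; then
        echo "WARNING: serial mismatch ($sig) seen in two successive tests"
        return 1
    fi
    echo "OK: serial mismatch ($sig) seen once, probably a zone transfer in progress"
    return 0
}

# Constructed sample lines in the format "dig +nssearch" prints (not real servers).
SAMPLE_IN_SYNC='SOA ns1.example. hostmaster.example. 2016110901 3600 900 1209600 3600 from server 192.0.2.1 in 12 ms
SOA ns1.example. hostmaster.example. 2016110901 3600 900 1209600 3600 from server 192.0.2.2 in 15 ms'
SAMPLE_LAGGING='SOA ns1.example. hostmaster.example. 2016110902 3600 900 1209600 3600 from server 192.0.2.1 in 12 ms
SOA ns1.example. hostmaster.example. 2016110901 3600 900 1209600 3600 from server 192.0.2.2 in 15 ms'
# Cron usage: soa_check "$(dig "$1" +nssearch)" "/var/tmp/soa_check.$1.state"
```

Run it every 5 minutes from cron with a fixed state-file path per zone; the return code maps directly onto OK/WARNING/ERROR in a monitoring system.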
DNSSEC Monitoring - Zone (3)
Test 8 - Test that all authoritative servers for a zone have the same SOA serial. The return code of the dig command should be checked for errors.

oldsoaserial="0"
dig ${1} +nssearch | while read serverres; do
  # +nssearch output: "SOA <mname> <rname> <serial> <refresh> ... from server <ip> in <n> ms"
  soaserial=$(echo ${serverres} | cut -d ' ' -f 4)
  if [ "${oldsoaserial}" -eq "0" ]; then
    # first server seen: its serial is the reference for all others
    oldsoaserial=$soaserial
  else
    if [ "${oldsoaserial}" -eq "${soaserial}" ]; then
      echo "Match for ${soaserial}"
    else
      echo "Mismatch for ${soaserial} != ${oldsoaserial}"
    fi
  fi
done
DNSSEC Monitoring - Zone (4)
Test 9 - Test for the AA flag. Repeat this test for each authoritative server of the zone. Each server must respond with the AA flag set.

dig ns ${1} +short | while read server; do
  echo "Server: ${server} "
  # the header line looks like ";; flags: qr aa; QUERY: 1, ..."; with +norec the
  # 4th space-separated field is "aa" when the server answers authoritatively
  aaflag=$(dig @${server} ${1} soa +norec | grep ";; flags" | cut -d " " -f 4 | cut -b 1-2)
  if [ "${aaflag}" = "aa" ]; then
    echo " AA-Flag found, good "
  else
    echo " no AA-Flag, Server not authoritative "
  fi
done
DNSSEC Monitoring - Zone (5)
Test 10 - Test for the Parent-Child NS RRset. Tests that the NS RRset in the parent zone (delegation) matches the NS RRset in the zone data.

# get one authoritative server for the zone
child_dns=$(dig ns ${1} +short | tail -1)
# get TLD of the domain
tld=$(echo ${1} | rev | cut -d'.' -f 1 | rev)
# get one authoritative server for the TLD
tldns=$(dig ns ${tld}. +short | tail -1)
# query the delegation records (the parent answers with a referral, so they are in the authority section)
parns=$(dig @${tldns} ns ${1} +norec +noall +authority | grep "IN.*NS" | sort)
while read nsrec; do
  # the unquoted echo collapses dig's tabs to single spaces; field 5 is the name server
  ns=$(echo ${nsrec} | cut -d ' ' -f 5)
  parentns="${parentns} ${ns}"
done <<EOF
${parns}
EOF

# query the zone records
childns=$(dig @${child_dns} ns ${1} +short +norec | sort)
parentns=$(echo ${parentns} | tr ' ' '\n' | sort)

echo "Parent delegation:"
echo ${parentns}
echo "Child zonedata:"
echo ${childns}

if [ "${childns}" = "${parentns}" ]; then
  echo "Parent/Child NS-RRSet matches"
else
  echo "Parent/Child NS-RRSet mismatch"
fi
DNSSEC Tests
DNSSEC Monitoring - DNSSEC (1)
Test 11 - Test for the DNSKEY RRset answer size. The full answer packet for the DNSKEY RRset should stay below the IPv6 fragmentation payload limit (1232 bytes).

maxsize=1232
# dig prints ";; MSG SIZE  rcvd: NNN" with two spaces after SIZE, hence field 6
replysize=$(dig ${1} dnskey +dnssec | grep ";; MSG SIZE" | cut -d " " -f 6)
if [ "${replysize}" -le "${maxsize}" ]; then
  echo "Good, DNSKEY RRSet size is ${replysize} which is below or equal to ${maxsize}"
else
  echo "Bad, DNSKEY RRSet size is ${replysize} which is above ${maxsize}"
fi
DNSSEC Monitoring - DNSSEC (2)
Test 12 - RRSIG validity: check the lifetime timestamps of the RRSIGs in the zone. This test should be done for every important RRset in the zone (SOA, DNSKEY, MX, A/AAAA).
# inception time (field 6 of the RRSIG line)
dig zone soa +dnssec | egrep "RRSIG.*SOA" | cut -d " " -f 6
# expiry time (field 5 of the RRSIG line)
dig zone soa +dnssec | egrep "RRSIG.*SOA" | cut -d " " -f 5
Compare the output with the current system time: date "+%Y%m%d%H%M%S"
1. issue an ERROR event if the inception time is in the future
2. issue an ERROR event if the expiry time is in the past
3. issue a WARNING event if the expiry time will be reached in less than 5 days
4. issue an ERROR event if the expiry time will be reached in less than 2 days
DNSSEC Monitoring - DNSSEC (3)
Test 12 - RRSIG validity: check the lifetime timestamps of the RRSIGs in the zone. This test should be done for every important RRset in the zone (SOA, DNSKEY, MX, A/AAAA).

# RRSIG timestamps are in UTC, so compare against UTC system time
today=$(date -u "+%Y%m%d%H%M%S")
# RRSIG rdata: <type covered> <alg> <labels> <orig ttl> <expiry> <inception> <key tag> <signer> <signature>
# dig separates owner/TTL/class/type with tabs, so splitting on spaces gives expiry in field 5 and inception in field 6
inception=$(dig ${1} soa +dnssec | egrep "RRSIG.*SOA" | cut -d " " -f 6)
expiry=$(dig ${1} soa +dnssec | egrep "RRSIG.*SOA" | cut -d " " -f 5)

echo "Today    : ${today}"
echo "Inception: ${inception}"
echo "Expiry   : ${expiry}"

if [ "${inception}" -gt "${today}" ]; then
  echo "ERROR: RRSIG validity (${inception}) is in the future"
fi

if [ "${expiry}" -lt "${today}" ]; then
  echo "ERROR: RRSIG validity (${expiry}) is in the past, DNSSEC signature has expired"
fi

# "date -r <epoch>" is the BSD/macOS form; on GNU date use "date -u -d @${twodaysahead}"
twodaysahead=$(date +%s)
twodaysahead=$((${twodaysahead}+172800))
twodaysahead=$(date -u -r ${twodaysahead} "+%Y%m%d%H%M%S")
if [ "${expiry}" -lt "${twodaysahead}" ]; then
  echo "ERROR: RRSIG validity (${expiry}) will end in less than two days"
fi

fivedaysahead=$(date +%s)
fivedaysahead=$((${fivedaysahead}+432000))
fivedaysahead=$(date -u -r ${fivedaysahead} "+%Y%m%d%H%M%S")
if [ "${expiry}" -lt "${fivedaysahead}" ]; then
  echo "WARNING: RRSIG validity (${expiry}) will end in less than five days"
fi
DNSSEC Monitoring - DNSSEC (4)
Test 13 - DS records: test the number and the content of the DS records in the parent zone. Issue a warning when the count or the content changes.

# state from the previous run (missing on the first run)
oldds=$(cat $0.$1.saved.dscontent 2>/dev/null)
olddscount=$(cat $0.$1.saved.dscount 2>/dev/null)

# sort so that a different record order in the answer is not reported as a change
ds=$(dig ${1} ds +short | sort)
echo "${ds}" > $0.$1.saved.dscontent

dscount=$(dig ${1} ds +short | wc -l)
echo "${dscount}" > $0.$1.saved.dscount

if [ "${ds}" != "${oldds}" ]; then
  echo "Warning: DS-Record has changed!" && exit 128
else
  echo "OK: DS-Record is the same as last time tested!"
fi

if [ "${dscount}" != "${olddscount}" ]; then
  echo "Warning: number of DS-Record has changed!" && exit 129
else
  echo "OK: number of DS-Record is the same as last time tested!"
fi
DNSSEC Monitoring - DNSSEC (5)
Test 14 - DS records and KSK: test that the DS record matches the KSK in the zone. The two values (key ID) must match.

# key tag is the first field of the DS rdata
dskeyid=$(dig ${1} ds +short +cd | cut -d " " -f 1 | tail -1)
# in +short output an RRSIG over the DNSKEY RRset reads
# "DNSKEY <alg> <labels> <ttl> <expiry> <inception> <key tag> <signer> <signature>";
# match the key tag with surrounding spaces so it cannot hit inside the base64 signature
rrsigkeyid=$(dig ${1} dnskey +dnssec +short +cd | egrep "^DNSKEY" | grep " ${dskeyid} " | cut -d ' ' -f 7)

if [ "${dskeyid}" != "${rrsigkeyid}" ]; then
  echo "Error: Key-Tag of DS-Records does not match the Key-Tag of RRSIG on DNSKEY"
  exit 128
else
  echo "OK: Key-Tag of DS-Records does match the Key-Tag of RRSIG on DNSKEY"
fi
DNSSEC Monitoring - DNSSEC (6)
Test 15 - Count of DNSKEY records in the zone. The number can change during a key rollover. Any change should create a WARNING event.

olddnskeycount=$(cat $0.$1.saved.dnskeycount 2>/dev/null)

# count the DNSKEY records (flags 256/257 contain a "2"), ignoring the RRSIG records over them
dnskeycount=$(dig ${1} dnskey +cd +dnssec | egrep "DNSKEY.*2" | grep -v "RRSIG" | wc -l)
echo "${dnskeycount}" > $0.$1.saved.dnskeycount

if [ "${dnskeycount}" != "${olddnskeycount}" ]; then
  echo "Warning: Number of DNSKEY-Record has changed!"
  exit 128
else
  echo "OK: Number of DNSKEY-Record is the same as with last test!"
fi
DNS Monitoring Tips
DNSSEC Monitoring - Logbook
The DNSSEC monitoring system should write an audit trail of DNSSEC zone changes:
1. changes to the DNSKEY records (KEY-ID and SOA Serial of the change)
2. changes to the DS-Record (KEY-ID and SOA serial of the parent zone)
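One way to produce the DNSKEY part of this logbook, as an added example that is not one of the Men & Mice scripts. It assumes the "; key id = NNN" comment lines that dig prints for DNSKEY records with +multi (the sample input below is constructed) and that the caller passes in the SOA serial:

```shell
#!/bin/sh
# Added example, not one of the Men & Mice scripts: an audit trail of DNSKEY
# changes as described on the slide. Key IDs come from the "; key id = NNN"
# comments that "dig <zone> dnskey +multi" prints; the serial is the 3rd field
# of "dig <zone> soa +short".
# Log line: <UTC time> <zone> serial=<n> ADDED|REMOVED KSK|ZSK key-id=<n>

# dnskey_ids: read "dig +multi" DNSKEY output on stdin, print "KSK <id>" or
# "ZSK <id>" per key (flags 257 = KSK, 256 = ZSK), sorted.
dnskey_ids() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "DNSKEY" && $(i + 1) ~ /^[0-9]+$/) flags = $(i + 1) }
         /key id = / { sub(/.*key id = /, ""); role = (flags == "257") ? "KSK" : "ZSK"; print role, $1 }' | sort
}

# dnskey_audit <zone> <serial> "<output of dnskey_ids>" <state-file> <logbook>
# Appends one line per key added or removed since the saved set, saves the new
# set and prints the number of changes (the first run records every key as ADDED).
dnskey_audit() {
    zone=$1; serial=$2; state=$4; log=$5
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    [ -f "$state" ] || : > "$state"
    printf '%s\n' "$3" | grep -v '^$' > "$state.new" || true
    changes=0
    while read -r role id; do              # present now, unknown before
        if ! grep -qx "$role $id" "$state"; then
            echo "$now $zone serial=$serial ADDED $role key-id=$id" >> "$log"
            changes=$((changes + 1))
        fi
    done < "$state.new"
    while read -r role id; do              # known before, gone now
        if ! grep -qx "$role $id" "$state.new"; then
            echo "$now $zone serial=$serial REMOVED $role key-id=$id" >> "$log"
            changes=$((changes + 1))
        fi
    done < "$state"
    mv "$state.new" "$state"
    echo "$changes"
}

# Constructed sample in the layout of "dig example.com dnskey +multi" (not real keys).
SAMPLE_MULTI='example.com.    3600 IN DNSKEY 257 3 8 (
        AwEAAcExampleKskBase64Blob
        ) ; KSK; alg = RSASHA256 ; key id = 12345
example.com.    3600 IN DNSKEY 256 3 8 (
        AwEAAcExampleZskBase64Blob
        ) ; ZSK; alg = RSASHA256 ; key id = 54321'
# Cron usage: dnskey_audit "$1" "$(dig "$1" soa +short | cut -d " " -f 3)" "$(dig "$1" dnskey +multi | dnskey_ids)" "/var/tmp/dnskey.$1.state" "/var/log/dnssec-logbook"
```

A non-zero change count is the WARNING event of Test 15, and the logbook line records which key tag and serial were involved.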
DNSSEC Monitoring - Tools
• DNSSEC tools from the .SE TLD: https://github.com/dotse/dnssec-monitor
• Verisign jdnssec-tools http://www.verisignlabs.com/dnssec-tools/
• YAZVS — Yet Another Zone Validation Script http://yazvs.verisignlabs.com/
• ldns-verify from the LDNS package http://www.nlnetlabs.nl/projects/ldns/
• Nagval - Nagios Plugin by JPMens https://github.com/jpmens/nagval
• Key-Checker - Monitors Key-Rollover https://github.com/bortzmeyer/key-checker
DNSSEC Monitoring - Tools
• Zonemaster https://zonemaster.net/
• DNSViz http://dnsviz.net/
Men & Mice DNS Training
• November 7 – 9, 2016: Introduction to DNS & BIND Hands-On Class, Redwood City (CA), USA
• November 7 – 11, 2016: Introduction & Advanced DNS and BIND Topics Hands-On Class, Redwood City (CA), USA
https://www.menandmice.com/support-training/training/
Our Next Webinar ‘DNS high availability tools’ – Open Source Load-Balancing
The DNS protocol has built-in high availability for authoritative DNS servers, but client machines can see a degraded DNS service if a DNS resolver (caching DNS server) is failing.
Learn more about:
• how the DNS clients in popular operating systems (Windows, Linux, macOS/iOS) choose the DNS resolver among a list of available servers
• how a DNS resolver service can be made failure-tolerant with open-source solutions such as “dnsdist” from PowerDNS and “relayd” from OpenBSD
December 7th, 2016 4:00 CET / 1:00 GMT / 10 EDT / 7 PDT
https://www.menandmice.com/resources/educational-resources/webinars/a-secure-bind-9-best-practices/
Thank you!
Questions? Comments?