APNIC eLearning Webclass: DNS Security

The document provides an overview of a DNS security webinar presented by Sheryl Hermoso on September 5, 2012. The webinar covered topics such as how DNS works, common DNS vulnerabilities, securing nameservers, transaction signatures (TSIG), and DNS security extensions (DNSSEC). It provided examples of configuring TSIG and signing a zone with DNSSEC.
Copyright: Attribution Non-Commercial (BY-NC)

APNIC eLearning Webclass


DNS Security
05 SEPTEMBER 2012 12:30h Brisbane Time (GMT+10)

Introduction

- Presenter: Sheryl Hermoso, Training Officer ([email protected])
  Specialties: Network Security, IPv6, DNS/DNSSEC, Internet Resource Mgmt
- For technical assistance refer to:
  http://www.apnic.net/elearningsupport
- Reminder: please take time to fill up the survey


Overview: How DNS Works

Figure: recursive resolution of the question "www.apnic.net A", with the labels recovered from the diagram:

1. The resolver sends "www.apnic.net A ?" to the caching forwarder (recursive).
2. The caching forwarder asks a root-server "www.apnic.net A ?".
3. Referral: "go ask net server @ X.gtld-servers.net (+ glue)".
4. The caching forwarder asks the gtld-server "www.apnic.net A ?".
5. Referral: "go ask apnic server @ ns.apnic.net (+ glue)".
6. and 7. The caching forwarder asks the apnic-server "www.apnic.net A ?" and receives the answer 192.168.5.10.
8. The answer 192.168.5.10 is returned to the resolver.
9. Add to cache.
10. TTL.

DNS Vulnerabilities

Figure: the flow of zone data and where it can be attacked. Data originates with the zone administrator and goes into the zone file and the master (dynamic updates also feed the master); the master transfers it to the slaves; the caching forwarder fetches it; the resolver finally receives it. The numbered threat labels on the figure are:

- Corrupting data (zone administrator / zone file)
- Unauthorized updates (dynamic updates)
- Impersonating master (master to slaves)
- Cache impersonation (caching forwarder)
- Cache pollution by data spoofing (resolver)

The figure groups the countermeasures under two headings: "Server protection!" and "Data protection!".

DNS Cache Poisoning

Figure: (1) the client tells its DNS caching server "I want to access www.example.com"; (2) the caching server queries the Root/GTLD servers and ns.example.com using query ID QID=64571. An attacker, pretending to be the authoritative zone, sends the caching server forged answers "www.example.com 192.168.1.99" carrying guessed IDs (QID=64569, QID=64570, QID=64571: match!). If a forged answer matches the outstanding query ID before the genuine answer "www.example.com 192.168.1.1" from ns.example.com arrives, the cache accepts it and (3) the client is directed to 192.168.1.99 instead of the webserver (192.168.1.1).


Securing the Nameserver

- Run the most recent version of the DNS software (BIND 9.9.1 or Unbound 1.4.16); apply the latest patches
- Hide the version
- Restrict queries:
  allow-query { acl_match_list; };
- Prevent unauthorized zone transfers:
  allow-transfer { acl_match_list; };
- Run BIND with the least privilege (use chroot)
- Randomize source ports: don't use the query-source option
- Secure the box
- Use TSIG and DNSSEC
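The configuration points above can be checked mechanically. The following is an added example (not code from the APNIC slides or from BIND): a small audit that reads a named.conf text and reports which of the slide's hardening points it misses. Both sample configurations are constructed for illustration; the ACL name "trusted" and its networks are assumptions.

```python
"""named.conf hardening check, an added example (not from the APNIC slides).

It reads a BIND named.conf text and reports which of the slide's hardening
points are missed: hidden version, restricted allow-query, restricted
allow-transfer, and no fixed source port (query-source).  Both sample
configurations below are constructed for illustration.
"""
import re

# Constructed example: every check fails.
WEAK_CONF = """\
options {
    directory "/var/named";
    version "9.9.1";
    query-source address * port 53;
    allow-query { any; };
    allow-transfer { any; };
};
"""

# Constructed example: the same options hardened.
HARDENED_CONF = """\
acl "trusted" { 10.33.40.0/24; 10.33.50.0/24; 127.0.0.1; };
options {
    directory "/var/named";
    version "not disclosed";    // hide version
    allow-query { trusted; };   // restrict queries to the ACL match list
    allow-transfer { none; };   // grant AXFR per zone, e.g. with a TSIG key
    // no query-source statement: named picks random source ports
};
"""


def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out settings are not counted."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def audit_named_conf(conf):
    """Return one finding string per hardening point the configuration misses."""
    text = strip_comments(conf)
    findings = []

    # Hide version: without an override, named answers version.bind with its real version.
    m = re.search(r'\bversion\s+"([^"]*)"\s*;', text)
    if m is None:
        findings.append("version not overridden: named discloses its real version")
    elif re.match(r"\d", m.group(1)):
        findings.append("version string looks like a real version number")

    # Restrict queries and zone transfers to an ACL match list.
    for stmt in ("allow-query", "allow-transfer"):
        m = re.search(stmt + r"\s*\{([^}]*)\}", text)
        if m is None:
            findings.append(f"{stmt} not set explicitly; restrict it to an ACL match list")
        elif re.fullmatch(r"\s*any\s*;\s*", m.group(1)):
            findings.append(f"{stmt} {{ any; }} is open to every host")

    # Randomize source ports: a fixed port in query-source defeats randomization.
    if re.search(r"query-source[^;]*\bport\s+\d+", text):
        findings.append("query-source pins the source port, which defeats port randomization")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_named_conf(conf) or ['no findings']}")
```

Run it as a script to see the weak configuration produce four findings and the hardened one none; point `audit_named_conf` at the text of your own named.conf to use it as a pre-deployment check.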

Transaction Signature (TSIG)

- A mechanism for protecting a message from a primary to a secondary and vice versa (i.e. transactions)
- A keyed hash is applied (like a digital signature) so the recipient can verify the message
  - it covers the DNS question or answer and the timestamp
- Based on a shared secret: both sender and receiver are configured with it
- RFC 2845


TSIG Protected Vulnerabilities

Figure: the same data-flow diagram (zone administrator, zone file, master, dynamic updates, slaves, caching forwarder, resolver) with the threat labels Impersonating master, Unauthorized updates, Cache impersonation and Cache pollution by data spoofing. TSIG protects the server-to-server transactions: master-to-slave transfers (Impersonating master) and dynamic updates (Unauthorized updates).

TSIG Example

Figure: the slave and the master are configured with the same KEY ("%sgs!f23fv!" on the slide). The slave sends "Query: AXFR" together with a signature (Sig ...); the master verifies it and responds with the zone (SOA ... SOA) and its own Sig ...; the slave verifies the response.


TSIG Steps

- Generate the secret:
  dnssec-keygen -a <algorithm> -b <bits> -n host <name of the key>
- Communicate the secret: transfer the key securely (e.g. SSH/SCP)
- Configure the servers: edit the configuration file for primary and secondary
- Test:
  dig @<server> <zone> AXFR -k <TSIG keyfile>

TSIG Configuration named.conf

Primary server 10.33.40.46

    key ns1-ns2.pcx.net {
        algorithm hmac-md5;
        secret "APlaceToBe";
    };
    server 10.33.50.35 {
        keys { ns1-ns2.pcx.net; };
    };

    // in the zone statement (or options) of the primary:
        allow-transfer { key ns1-ns2.pcx.net; };
    };

Secondary server 10.33.50.35

    key ns1-ns2.pcx.net {
        algorithm hmac-md5;
        secret "APlaceToBe";
    };
    server 10.33.40.46 {
        keys { ns1-ns2.pcx.net; };
    };
    zone "my.zone.test." {
        type slave;
        file "myzone.backup";
        masters { 10.33.40.46; };
    };

You can save the key in a file and refer to it in the config file (named.conf) using the "include" statement:

    include "/var/named/master/tsig-key-ns1-ns2";


TSIG Testing - dig

- You can use dig to check the TSIG configuration:
  dig @<server> <zone> AXFR -k <TSIG keyfile>

    $ dig @127.0.0.1 example.net AXFR \
        -k Kns1-ns2.pcx.net.+157+15921.key

- A wrong key will give "Transfer failed", and on the server the security category will log this.
- Note: TSIG is time-sensitive
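The keyed hash that the TSIG slides describe, and the "TSIG is time-sensitive" note above, as an added example (not APNIC's code and not the RFC 2845 wire format): both sides hold a shared secret, the sender computes an HMAC over the message plus the signing time and a fudge window, and the verifier returns the TSIG result names BADKEY, BADSIG, BADTIME or NOERROR. The key name ns1-ns2.pcx.net is taken from the slide; the secret, the message bytes and the timestamps are constructed.

```python
"""TSIG-style transaction signing, an added example (not from the APNIC slides).

Models what the TSIG slides describe: both servers hold the same secret; the
sender computes a keyed hash over the DNS message plus the signing time and
a fudge window; the receiver recomputes it and rejects wrong keys, altered
messages and stale signatures.  The message layout here is a stand-in, not
the RFC 2845 wire format; the error names are the TSIG ones.
"""
import hashlib
import hmac
import struct
import time

FUDGE_SECONDS = 300   # allowed clock skew; 300 s is the usual TSIG fudge


def tsig_mac(key_name, secret, message, signed_time, fudge):
    """HMAC over key name, message, 48-bit signing time and 16-bit fudge (the TSIG-covered fields)."""
    time_and_fudge = struct.pack("!QH", signed_time, fudge)[2:]   # drop 2 bytes: 48-bit time
    data = key_name.lower().encode() + message + time_and_fudge
    return hmac.new(secret, data, hashlib.sha256).digest()


def sign(key_name, secret, message, now=None):
    """Sender side: attach key name, time, fudge and MAC to the message."""
    signed_time = int(time.time() if now is None else now)
    return {"key": key_name, "time": signed_time, "fudge": FUDGE_SECONDS,
            "mac": tsig_mac(key_name, secret, message, signed_time, FUDGE_SECONDS)}


def verify(keyring, message, tsig, now=None):
    """Receiver side. keyring maps key name -> secret. Returns the TSIG result name."""
    now = int(time.time() if now is None else now)
    secret = keyring.get(tsig["key"])
    if secret is None:
        return "BADKEY"                                # key name unknown to this server
    expected = tsig_mac(tsig["key"], secret, message, tsig["time"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return "BADSIG"                                # wrong secret or altered message
    if abs(now - tsig["time"]) > tsig["fudge"]:
        return "BADTIME"                               # clocks disagree by more than the fudge
    return "NOERROR"


def demo():
    """Run the cases a zone operator meets when testing TSIG with dig."""
    key = "ns1-ns2.pcx.net"                            # key name from the slide
    secret = b"constructed-shared-secret"              # constructed; real ones come from dnssec-keygen
    message = b"QUERY my.zone.test. IN AXFR"           # constructed stand-in for the request bytes
    t0 = 1346819400                                    # constructed signing time
    tsig = sign(key, secret, message, now=t0)
    return {
        "good":        verify({key: secret}, message, tsig, now=t0 + 10),
        "wrong_key":   verify({key: b"other-secret"}, message, tsig, now=t0 + 10),
        "unknown_key": verify({}, message, tsig, now=t0 + 10),
        "tampered":    verify({key: secret}, message.replace(b"AXFR", b"SOA"), tsig, now=t0 + 10),
        "stale":       verify({key: secret}, message, tsig, now=t0 + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} {result}")
```

The check order (key, then signature, then time) is the one a TSIG verifier uses; the "stale" case is why the slide notes that TSIG is time-sensitive: a valid key and an untouched message still fail when the two servers' clocks differ by more than the fudge.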

DNS Security Extensions (DNSSEC)

- Protects the integrity of data in the DNS by establishing a chain of trust
- A form of digitally signing the data to attest its validity
- RFC 4033, 4034, 4035
- DNSKEY/RRSIG/NSEC: provide mechanisms to establish authenticity and integrity of data
- DS: provides a mechanism to delegate trust to public keys of third parties


Vulnerabilities protected by DNSSEC

Figure: the same data-flow diagram (zone administrator, zone file, master, dynamic updates, slaves, caching forwarder, resolver); the threats DNSSEC addresses are Cache impersonation and Cache pollution by data spoofing.

DNSSEC New Resource Records

- 3 public key crypto related RRs
  - RRSIG = Signature over an RRset made using the private key
  - DNSKEY = Public key, needed for verifying an RRSIG
  - DS = Delegation Signer; pointer for building chains of authentication
- One RR for internal consistency
  - NSEC = Next Secure; indicates which name is the next one in the zone and which type codes are available for the current name
  - Authenticated non-existence of data


Types of Keys

- Zone Signing Key (ZSK)
  - Signs the RRsets within the zone
  - The public key of the ZSK is published in a DNSKEY RR
- Key Signing Key (KSK)
  - Signs the keys (the DNSKEY RRset, which includes the ZSK and the KSK) and may also be used outside the zone:
    - as a trust anchor in a security-aware server
    - as part of the chain of trust through the parent name server
- Using a single key or both keys is an operational choice (the RFC allows both methods)
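How the DS record ties the KSK into the chain of trust, covering the DS/DNSKEY bullets on the resource-record slide and the KSK bullets above, as an added example (not APNIC's code): the parent publishes a DS that is a digest over the child's owner name and KSK DNSKEY RDATA, and a validator walking down from the parent checks a child DNSKEY against it. Record layouts and the key-tag algorithm follow RFC 4034 and RFC 4509; the keys themselves are constructed byte strings, not real RSA keys, and champika.net is the zone name used on the slides.

```python
"""DNSKEY key tag and DS computation, an added example (not from the slides).

Shows how the DS record in the parent zone points at the child's KSK: the
parent publishes a digest of the child's DNSKEY, so a validator that trusts
the parent can verify the child's keys.  Keys here are constructed byte
strings, not real RSA keys; algorithm numbers and record layouts follow
RFC 4034 and RFC 4509.
"""
import hashlib
import struct

ZONE_KEY = 0x0100   # DNSKEY flag bit 7: this is a zone key
SEP = 0x0001        # DNSKEY flag bit 15: Secure Entry Point, set on a KSK
RSASHA256 = 8       # DNSSEC algorithm number (RFC 5702)
SHA256_DIGEST = 2   # DS digest type (RFC 4509)


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, ending in the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1 byte, always 3), algorithm (1 byte), public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA (not for RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(rdata):
    """A KSK carries the SEP flag; a ZSK does not."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return bool(flags & SEP)


def ds_record(owner, rdata, digest_type=SHA256_DIGEST):
    """DS RDATA for a DNSKEY: the digest is computed over owner name (wire form) || DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_set_for_zone(owner, dnskeys):
    """What the parent publishes: one DS per KSK (SEP bit set); ZSKs get no DS."""
    return [ds_record(owner, k) for k in dnskeys if is_ksk(k)]


def ds_matches(ds, owner, rdata):
    """Validator's check when walking the chain of trust: does this DNSKEY hash to the parent's DS?"""
    return ds_record(owner, rdata, ds["digest_type"]) == ds


# Constructed sample keys for champika.net (the zone name used on the slides).
KSK = dnskey_rdata(ZONE_KEY | SEP, RSASHA256, b"\x01\x02\x03\x04")   # flags 257
ZSK = dnskey_rdata(ZONE_KEY, RSASHA256, b"\x05\x06\x07\x08")         # flags 256

if __name__ == "__main__":
    for ds in ds_set_for_zone("champika.net", [KSK, ZSK]):
        print(f"champika.net. IN DS {ds['key_tag']} {ds['algorithm']} "
              f"{ds['digest_type']} {ds['digest']}")
```

Only the KSK produces a DS, which is why the slide says the KSK "may also be used outside the zone": the parent's DS (or a configured trust anchor) vouches for the KSK, the KSK signs the DNSKEY RRset, and the ZSK signs everything else.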

DNSSEC - Setting up a Secure Zone

- Enable DNSSEC in the configuration file (named.conf):
  dnssec-enable yes;
  dnssec-validation yes;
- Create key pairs (KSK and ZSK):
  dnssec-keygen -a rsasha1 -b 1024 -n zone champika.net
- Publish your public key
- Sign the zone
- Update the config file: modify the zone statement, replacing the zone file with the signed zone file
- Test with dig


Signing the Zone

- dnssec-signzone -o champika.net db.champika.net Kchampika.net.+005+33633
- Once you sign the zone, a file with a .signed extension will be created: db.champika.net.signed
- Note that only authoritative records are signed:
  - NS records for the zone itself are signed
  - NS records for delegations are not signed
  - DS RRs are signed!
  - Glue is not signed
- Difference in the file size: db.champika.net vs. db.champika.net.signed
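The rules in the note above (authoritative data signed, delegation NS and glue not signed, DS at the delegation signed) decide which RRsets in db.champika.net.signed carry an RRSIG. The following is an added example (not APNIC's code and not dnssec-signzone's) that applies those rules to a constructed set of records; the zone contents, including the delegation sub.champika.net, are made up for illustration, only the zone name comes from the slides.

```python
"""Which RRsets in a zone get signed, an added example (not from the slides).

Encodes the rules on the slide: authoritative data is signed, including the
apex NS RRset; NS RRsets at delegation points are not signed; DS RRsets at
delegation points are signed; glue below a delegation is not signed.  The
zone contents are constructed; champika.net is the zone name from the slides.
"""


def _norm(name):
    """Case-insensitive, trailing-dot-insensitive owner name."""
    return name.lower().rstrip(".")


def _below(name, ancestor):
    """True if name is strictly below ancestor (e.g. ns1.sub.example under sub.example)."""
    return _norm(name).endswith("." + _norm(ancestor))


def delegation_points(origin, records):
    """Owner names that hold an NS RRset but are not the zone apex."""
    return {_norm(o) for o, t in records if t == "NS" and _norm(o) != _norm(origin)}


def partition_rrsets(origin, records):
    """Split (owner, type) pairs into those that get an RRSIG and those left unsigned."""
    cuts = delegation_points(origin, records)
    signed, unsigned = [], []
    for owner, rtype in records:
        if any(_below(owner, cut) for cut in cuts):
            unsigned.append((owner, rtype))          # glue: belongs to the child zone
        elif _norm(owner) in cuts and rtype != "DS":
            unsigned.append((owner, rtype))          # delegation NS: the child signs its own NS
        else:
            signed.append((owner, rtype))            # authoritative data, including DS at the cut
    return signed, unsigned


# Constructed zone contents as (owner, type); the slides only show the file names.
ZONE_RECORDS = [
    ("champika.net.", "SOA"),
    ("champika.net.", "NS"),          # apex NS: signed
    ("champika.net.", "A"),
    ("www.champika.net.", "A"),
    ("sub.champika.net.", "NS"),      # delegation: not signed
    ("sub.champika.net.", "DS"),      # DS at the delegation: signed
    ("ns1.sub.champika.net.", "A"),   # glue: not signed
]

if __name__ == "__main__":
    signed, unsigned = partition_rrsets("champika.net", ZONE_RECORDS)
    print("RRSIG added for:")
    for owner, rtype in signed:
        print(f"  {owner} {rtype}")
    print("left unsigned:")
    for owner, rtype in unsigned:
        print(f"  {owner} {rtype}")
```

Every entry in the first list is one more RRSIG in the signed file, which is the "difference in the file size" the slide points out; the delegation NS and the glue are unsigned because they are the child zone's data, and the DS is what lets a validator move from champika.net to sub.champika.net.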

Testing with dig: an example


dig @localhost www.champika.net +dnssec +multiline


Questions

- Please remember to fill out the survey:
  http://www.surveymonkey.com/s/apnic-20120905-eL2
- Slide handouts will be available after completing the survey
- APNIC Helpdesk Chat


Thank you!
End of Session
