Windows 2012 and DNSSEC

DNS threats, what is DNSSEC, DNSSEC in Windows 2012 Server, Signing Zones, DNSSEC validation with Windows 2012

  1. Windows 2012 and DNSSEC (© Men & Mice, http://menandmice.com)
  2. Agenda
     • DNS threats
     • What is DNSSEC?
     • DNSSEC in Windows 2012 Server
     • DNSSEC validation with Windows 2012
     • Signing zones
  3. DNS Threats
  4. DNS Cache Spoofing, Episode I: the Kashpureff attacks, 12 July 1997
  5. The Kashpureff Attack
     • In July 1997, Eugene Kashpureff used a directly triggered cache poisoning attack against the InterNIC's web site.
     [Diagram: the evil resolver sends a recursive query for www.alternic.net/A to the ISP's resolving DNS server; the server sends an iterative query for www.alternic.net/A to the "alternic.net" authoritative DNS server, whose response also carries a bogus www.internic.net/A RR that lands in the cache; an unsuspecting resolver later sending a recursive query for www.internic.net/A receives the bogus response.]
  6. DNS 'bailiwick' checking
     • The fix
     • Credibility checking when replacing cache entries
     • Check for "in bailiwick" in response data: answer records must be from the same domain as the requested name.
       $ dig @ns1.example.com www.example.com
       ;; ANSWER SECTION:
       www.example.com.   120    IN A  192.0.2.10
       ;; AUTHORITY SECTION:
       example.com.       86400  IN NS ns1.example.com.
       example.com.       86400  IN NS ns2.example.com.
       ;; ADDITIONAL SECTION:
       ns1.example.com.   604800 IN A  192.0.2.120
       ns2.example.com.   604800 IN A  192.0.2.130
       www.mybank.com.    604800 IN A  1.2.3.4        <- data not in 'bailiwick' will not be accepted
  7. DNS Cache Spoofing, Episode II: the Amit Klein findings, March-June 2007
  8. The Amit Klein findings (1)
     • In 2007 Amit Klein found that the randomizers used in most DNS servers are not truly random: the next message IDs could be pre-calculated.
     [Diagram: the evil resolver sends a recursive query for www.mybank.net/A to the ISP's resolving DNS server, which sends an iterative query for www.mybank.net/A to the "mybank.net" authoritative DNS server.]
  9. The Amit Klein findings (2)
     • In 2007 Amit Klein found that the randomizers used in most DNS servers are not truly random: the next message IDs could be pre-calculated.
     [Diagram: while the genuine response for the www.mybank.net/A RR is still on its way, the evil resolver floods the resolving DNS server with responses for www.mybank.net carrying the pre-calculated IDs; the bogus response is cached and handed to an unsuspecting resolver that later sends a recursive query for www.mybank.net/A.]
  10. DNS Cache Spoofing, Episode III: the Dan Kaminsky findings, March-August 2008
  11. The Dan Kaminsky findings (1)
     [Diagram: the unsuspecting resolver's client sends an HTTP request to an evil web server and receives a web page with thousands of fake image links: <img src="aaaaa.mybank.com"...>, <img src="aaaab.mybank.com"...>, <img src="aaaac.mybank.com"...>, <img src="aaaad.mybank.com"...>, ...]
  12. The Dan Kaminsky findings (2)
     [Diagram: each image tag triggers one DNS lookup at the resolving DNS server; the lookups are sent to the authoritative DNS servers for "mybank.com".]
  13. The Dan Kaminsky findings (3)
     [Diagram: the attacker swamps the caching DNS server with fake responses; some good answers lose the race, and a fake response is cached.]
  14. The Dan Kaminsky findings (4)
     [Diagram: the client's request for the www.mybank.com./A RR is answered from the poisoned cache with the false answer, and its HTTP request connects it to a "pharming" website.]
     DNSSEC HELPS!
  15. The Dan Kaminsky "bug"
     • Attackers try to overwrite or place an NS record in the cache.
       ;; ANSWER SECTION:
       aaaa.mybank.com.   120    IN A  1.2.3.4
       ;; AUTHORITY SECTION:
       mybank.com.        86400  IN NS ns1.mybank.com.        <- high TTL for maximum damage
       mybank.com.        86400  IN NS ns2.mybank.com.
       ;; ADDITIONAL SECTION:
       ns1.mybank.com.    604800 IN A  192.0.2.20             <- here is the fake data
       ns2.mybank.com.    604800 IN A  192.0.2.30
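Added example (not from the deck): a bailiwick filter written in Python and run over the two dig outputs on slides 6 and 15. It drops the out-of-bailiwick www.mybank.com glue from the example.com answer, but accepts the mybank.com NS and glue records of slide 15 because they are in bailiwick, which is why bailiwick checking on its own does not settle the race on slide 13 and the deck's answer is DNSSEC. The record strings are transcribed from the slides; the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed sample responses, transcribed from the dig outputs on slides 6 and 15.
SLIDE6_RESPONSE = """\
;; ANSWER SECTION:
www.example.com. 120 IN A 192.0.2.10
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
example.com. 86400 IN NS ns2.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 604800 IN A 192.0.2.120
ns2.example.com. 604800 IN A 192.0.2.130
www.mybank.com. 604800 IN A 1.2.3.4
"""

SLIDE15_RESPONSE = """\
;; ANSWER SECTION:
aaaa.mybank.com. 120 IN A 1.2.3.4
;; AUTHORITY SECTION:
mybank.com. 86400 IN NS ns1.mybank.com.
mybank.com. 86400 IN NS ns2.mybank.com.
;; ADDITIONAL SECTION:
ns1.mybank.com. 604800 IN A 192.0.2.20
ns2.mybank.com. 604800 IN A 192.0.2.30
"""

RR = Tuple[str, str, int, str, str]  # (section, owner, ttl, type, rdata)


def parse_dig_sections(text: str) -> List[RR]:
    """Parse the ';; X SECTION:' blocks of a dig-style answer into RR tuples."""
    records, section = [], "UNKNOWN"
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)
            continue
        if not line.strip() or line.startswith(";"):
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((section, owner.lower(), int(ttl), rtype, rdata))
    return records


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone itself or lies below it (label-wise, not a substring match)."""
    owner = owner.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def bailiwick_filter(text: str, zone: str) -> Tuple[List[RR], List[RR]]:
    """Split a response into records a resolver may cache and records it must drop.

    zone is the zone the queried server is authoritative for (the 'bailiwick').
    """
    accepted, rejected = [], []
    for rr in parse_dig_sections(text):
        (accepted if in_bailiwick(rr[1], zone) else rejected).append(rr)
    return accepted, rejected
```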
  16. More DNS issues
  17. Man-in-the-middle attack
     • An attacker en route can change DNS data unnoticed.
     [Diagram: the client resolver's query for www.example.com. goes to the ISP's resolving DNS server and on to the authoritative DNS server, which answers www.example.com. A 192.0.2.10; an attacker on the path replaces the answer with www.example.com. A 10.1.2.3 before it is cached and returned to the client.]
     DNSSEC HELPS!
  18. Betrayal of a trusted name server
     • Someone in control of a resolving DNS server has full control over the data returned.
     [Diagram: the client resolver queries an insecure/compromised resolving DNS server for www.example.com.; the authoritative DNS server answers www.example.com. A 192.0.2.10, but the attacker-controlled resolving server returns www.example.com. A 10.1.2.3 to the client.]
     DNSSEC HELPS!
  19. Attacker changes the local resolver settings
     • The local resolver settings are changed without the client user noticing, returning bad data.
     [Diagram: the attacker changes the DNS resolver configuration on the client, so the client resolver's query for www.example.com. no longer goes to the ISP/company resolving DNS server but to a resolving DNS server the attacker controls, which answers www.example.com. A 10.1.2.3.]
     DNSSEC HELPS!
  20. Attack on an authoritative DNS server
     • An attacker changes the authoritative data on the DNS server.
     [Diagram: the authoritative DNS server now answers the resolving DNS server's query for www.example.com. with www.example.com. A 10.1.2.3; the answer is cached and returned to the client resolver.]
     DNSSEC HELPS!
  21. DNSSEC
  22. A Little Bit of History
     • The original DNS protocol wasn't designed with security in mind
     • It has very few built-in security mechanisms
     • As the Internet became wilder and woollier, the IETF realized this would be a problem
     • DNS spoofing was too easy, for example
     • DNSSEC and later TSIG were developed to help address this problem
  23. History of DNSSEC
     [Timeline]
     • 1983: DNS invented
     • 1988: DNS being used in the Internet
     • 1990: Steve Bellovin discovers flaw in DNS
     • 1995: work on DNSSEC started in the IETF
     • 1999: RFC 2535, DNSSEC v1 is ready
     • 2001: work on DNSSECbis started
     • March 2005: RFC 4033-4035 are published: DNSSEC v2
     • October 2005: .SE signed
     • 2008: RFC 5155: NSEC3
     • 2010: root zone is signed
     • 2012: Windows 2012 DNSSEC; DANE RFC
  24. DNS Security Extensions
     • DNSSEC deployment (http://www.xelerance.com/dnssec/)
     • http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains
  25. DNS Security Extensions
     • DNSSEC growth: http://secspider.cs.ucla.edu
  26. DNS Servers for DNSSEC
     • BIND 9.6 and up: authoritative server and validating resolver
     • NSD from NLnet Labs: fast authoritative server
     • Unbound from NLnet Labs: fast and secure validating resolver
     • Windows 2012 DNS Server: authoritative server and validating resolver
     • PowerDNS: authoritative DNS server with SQL database backend
     • BIND 10: the next generation of the BIND nameserver
  27. Public Key Cryptography Illustrated
     [Diagram: plain text -> encrypt with k1 -> cipher text; cipher text -> decrypt with k2 -> plain text]
  28. PK and The Key Pair: Public and Private
     • In practice
       • One key of the pair is kept private
       • The other key is made public, by uploading it to a key server, publishing it via a directory, or having a certification authority sign it into a certificate
  29. DNSSEC on one slide
     [Diagram, signing side: plain DNS data -> hash -> fingerprint -> encrypt with private key k -> RRSIG; the zone file holds the plain DNS data plus the RRSIG, which the authoritative server serves.]
     [Diagram, validating side: the resolving/validating server receives plain DNS data plus RRSIG; it decrypts the RRSIG with the public key k to obtain the signer's fingerprint, hashes the plain DNS data to obtain its own fingerprint, and compares the two.]
  30. DNSSEC validation with Windows 2012
  31. DNSSEC in DNS Messages
     [Diagram: the DNS message header, 32 bits per row]
       Identification (ID) | QR | Opcode | AA | TC | RD | RA | Z | AD | CD | RCode
       Total Number of Question Resource Records | Total Number of Answer Resource Records
       Total Number of Authority Resource Records | Total Number of Additional Resource Records
       Question Resource Records / Answer Resource Records / Authority Resource Records / Additional Resource Records
     AD = Authenticated Data
     CD = Checking Disabled
     EDNS: version: 0, flags: do; udp: 4096
  32. DNSSEC in DNS Messages
     • DO flag in the EDNS pseudo record: DNSSEC OK
       • this client can handle DNSSEC records
       • in addition, each client signaling "DNSSEC OK" also signals that it can handle UDP DNS responses larger than 512 bytes
  33. DNSSEC in DNS Messages
     • AD flag:
       • a validating resolver signaling to the client that it has successfully validated the DNSSEC data
       • invalid DNSSEC data will not be sent to a downstream resolver (client); instead the resolver will send a SERVFAIL error condition
  34. DNSSEC in DNS Messages
     • CD flag:
       • an application can signal to the resolving DNS server that it will validate the DNSSEC information itself
       • the resolving DNS server does not need to validate, but is free to do so
  35. dig ripe.net +dnssec
       ; <<>> DiG 9.7.1-P2 <<>> ripe.net +dnssec
       ;; global options: +cmd
       ;; Got answer:
       ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62183
       ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5      <- AD flag: secure answer
       ;; OPT PSEUDOSECTION:
       ; EDNS: version: 0, flags: do; udp: 4096                                      <- EDNS0 information including the DO flag
       ;; QUESTION SECTION:
       ;ripe.net. IN A
       ;; ANSWER SECTION:
       ripe.net. 172800 IN A 193.0.6.139
       ripe.net. 172800 IN RRSIG A 5 2 172800 20101108100147 20101009090147 42006 ripe.net. Jzyeu9MUjNbk[...]5eY=
       ;; AUTHORITY SECTION:
       ripe.net. 172800 IN NS sns-pb.isc.org.
       ripe.net. 172800 IN NS sunic.sunet.se.
       ripe.net. 172800 IN NS ns-pri.ripe.net.
       ripe.net. 172800 IN NS ns3.nic.fr.
       ripe.net. 172800 IN RRSIG NS 5 2 172800 20101108100147 20101009090147 42006 ripe.net. I7+d5+U3683o[...]r4U=
       ;; ADDITIONAL SECTION:
       ns-pri.ripe.net. 172800 IN A 193.0.0.195
       ns-pri.ripe.net. 172800 IN AAAA 2001:610:240:0:53::3
       ns-pri.ripe.net. 172800 IN RRSIG A 5 3 172800 20101108100147 20101009090147 42006 ripe.net. VVZ[...]jwg=
       ns-pri.ripe.net. 172800 IN RRSIG AAAA 5 3 172800 20101108100147 20101009090147 42006 ripe.net. UP/t1m[...]k3k=
       ;; Query time: 454 msec
       ;; SERVER: 192.0.2.10#53(192.0.2.10)
       ;; WHEN: Sat Oct 9 22:39:45 2010
       ;; MSG SIZE rcvd: 870
  36. DNSSEC Name resolution (simplified)
  37-55. DNSSEC Name Resolution
     [Diagram sequence: a client wants http://www.example.org.; the local caching + validating DNS server talks to the root ("") servers, the org. servers and the example.org. servers, and builds up the table of records below, one slide per message.]
     37. Client -> local caching + validating DNS server: What is the address of www.example.org.?
     38. Local server -> root (""): What is the address of www.example.org.?
     39. Root -> local server: Here is a list of "org." name servers
     40. Local server -> org.: What is the address of www.example.org.?
     41. org. -> local server: Here is a list of "example.org." name servers
     42. Local server -> example.org.: What is the address of www.example.org.?
     43. example.org. -> local server: Here is the address of "www.example.org." plus RRSIG (signatures)
     44. Local server -> example.org.: What is the public key of example.org.?
     45. example.org. -> local server: Here is the DNSKEY of "example.org." plus RRSIG (signatures)
     46. Local server -> org.: What is the DS of example.org.?
     47. org. -> local server: Here is the "delegation signer (DS)" of "example.org." + RRSIG
     48. Local server -> org.: What is the public key (DNSKEY) of "org."?
     49. org. -> local server: Here is the public key (DNSKEY) of "org." + RRSIG
     50. Local server -> root: What is the DS of "org."?
     51. Root -> local server: Here is the "delegation signer (DS)" of "org." + RRSIG
     52. Local server -> root: What is the public key (DNSKEY) of "."?
     53. Root -> local server: Here is the public key (DNSKEY) of "." + RRSIG
     54. Trust anchor for "." (root zone) from the configuration file
     55. Local server -> client: Here is the address of "www.example.org." ("Authenticated Data")
     Records collected along the way (each RRSIG signs the record above it, shown as "↑"):
       Record                          Function
       www.example.org.  A             IPv4 address
       www.example.org.  RRSIG         signature ↑
       example.org.      DNSKEY        public key
       example.org.      RRSIG         signature ↑
       example.org.      DS            hash of public key
       org.              RRSIG         signature ↑
       org.              DNSKEY        public key
       org.              RRSIG         signature ↑
       org.              DS            hash of public key
       .                 RRSIG         signature ↑
       .                 DNSKEY        public key
       .                 RRSIG         signature ↑
       Trust Anchor for "."            hash of public key
  56. Validation
     • the steps on the previous slides are simplified
       • they only show validation on the last DNS query
       • but DNSSEC validation will be done for every query down to the requested domain
     • they only show validation of one key per zone
       • in reality, we have ZSK and KSK, so twice the amount of checking
  57. DNS clients and DNSSEC resolvers: insecure.com (not compromised)
     [Diagram: four client/resolver pairs and the flags on the wire, query -> answer]
     • classic DNS stub resolver -> legacy DNS resolver: RD -> AA RA
     • classic DNS stub resolver -> DNSSEC validating resolver: RD -> AA RA, DO
     • DNSSEC-aware non-validating stub resolver -> DNSSEC validating resolver: RD DO -> AA RA DO
     • DNSSEC validating application -> DNSSEC validating resolver: RD DO CD -> AA RA DO
  58. DNS clients and DNSSEC resolvers: insecure.com (compromised)
     [Diagram: the same four pairs with the same flags as on slide 57; insecure.com is unsigned, so the compromise is not visible to any of them.]
  59. DNS clients and DNSSEC resolvers: secure.org (not compromised)
     • classic DNS stub resolver -> legacy DNS resolver: RD -> AA RA
     • classic DNS stub resolver -> DNSSEC validating resolver: RD -> AA RRSIG RA, DO
     • DNSSEC-aware non-validating stub resolver -> DNSSEC validating resolver: RD DO -> AA RRSIG RA AD DO
     • DNSSEC validating application -> DNSSEC validating resolver: RD DO CD -> AA RRSIG DO RA RRSIG
  60. DNS clients and DNSSEC resolvers: secure.org (compromised)
     • classic DNS stub resolver -> legacy DNS resolver: RD -> AA RA
     • classic DNS stub resolver -> DNSSEC validating resolver: RD -> AA RRSIG SERVFAIL, DO
     • DNSSEC-aware non-validating stub resolver -> DNSSEC validating resolver: RD DO -> AA RRSIG SERVFAIL DO
     • DNSSEC validating application -> DNSSEC validating resolver: RD DO CD -> AA RRSIG DO RA RRSIG
  61. Windows 7 / 8
     [Diagram: the Windows DNSSEC-aware non-validating stub resolver talks to a legacy DNS resolver (over an IPsec tunnel) for secure.org (compromised): query RD DO, answer AA RA DO without the AD flag.]
     • AD flag missing on a secure zone = insecure
  62. DNSSEC validation in Windows 2012
  63. DNSSEC validation in Microsoft DNS Server 2012
     • The DNS Server in Windows 2012 now supports all bits and pieces necessary to validate DNSSEC signatures and keys in the Internet (including SHA256 and NSEC3).
     • Windows 2008 only supports SHA1 and NSEC, and was not able to validate the Internet root zone.
  64. DNSSEC validation
     • DNSSEC validation can be enabled in the DNS Server's global properties (Advanced - enable DNSSEC validation for remote responses)
  65. Import or add a public DNSKEY for the root zone
     • Add the public DNSSEC key (the key signing key, or KSK, flag field value 257) for the root zone as a trust anchor (trust point) into the system. There are two ways to enter the trust anchor:
       • by importing from a file
       • by manually adding the key material
  66. Importing the trust anchor from a file
     • The Windows 2012 DNS Server is picky about the format of the trust anchor file to be used.
     • It must be in the same format as the keyset files created by the DNS server when signing a DNS zone.
     • The format is the same as produced with the BIND 'dig' tool in versions 9.6 and 9.7 (using the '+multi' switch), but the Windows 2012 DNS Server will not take the format produced by 'dig' from BIND 9.9+.
  67. Importing the trust anchor from a file
     • Here is the content of the trust anchor file to be imported:
       . 172800 IN DNSKEY 257 3 8 (
               AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
               bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
               /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
               JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
               oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
               LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
               Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
               LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
               ) ; key id = 19036
  68. Importing the trust anchor from a file
     • Right click on the 'Trust Points' folder in the Windows 2012 DNS management console and select 'Import - DNSKEY' ...
  69. Importing the trust anchor from a file
     • ... and select the key file:
  70. Manually adding the key material
     • Right click on the 'Trust Points' folder in the Windows 2012 DNS Server console, select 'Add - DNSKEY'
  71. Manually adding the key material
     • Enter "." (dot) as the name for the root zone, and paste the public KSK key (base64 encoded) into the public key field. The DNS server is again very picky about the format of the key material: it must be all in one line without any spaces or line breaks:
       AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
  72. Manually adding the key material
  73. The root zone public key in the trust points folder
  74. Testing the DNSSEC validation
     • The PowerShell in Windows 2012 includes a command (resolve-dnsname) to resolve DNS names, including DNSSEC records.
     • However, this command unfortunately does not display the state of the AD (Authenticated Data) flag in the DNS response header.
     • This AD flag will tell us if DNSSEC validation is working or not.
  75. Testing the DNSSEC validation
  76. Testing the DNSSEC validation
     • The BIND for Windows distribution from ISC includes 'dig' (among other tools) for Windows.
     • With 'dig' we can see the AD flag on DNSSEC-signed DNS domains, and therefore verify that DNSSEC validation is indeed working for the Windows 2012 DNS Server.
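Added example (not from the deck, and not Microsoft's or ISC's code): a small Python checker that does what slides 74-76 use dig for, i.e. sends a query with the EDNS0 DO bit to a resolver and reports whether the AD flag came back or the answer was SERVFAIL, using the header layout of slide 31. query_server() needs network access and a server address you supply; the two constructed headers at the end mirror the flags of the ripe.net answer on slide 35 and a SERVFAIL, so the parsing can be exercised offline.

```python
import secrets
import socket
import struct
from typing import Optional

# Header flag bits (RFC 1035, AD/CD from RFC 4035). DO is not a header bit: it lives
# in the "TTL" field of the EDNS OPT pseudo record (RFC 6891), bit 15 of its flags half.
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}
EDNS_DO = 0x8000
RCODE_SERVFAIL = 2


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, msg_id: Optional[int] = None) -> bytes:
    """Standard query with RD set plus an OPT record announcing DO and a 4096-byte UDP size."""
    msg_id = secrets.randbelow(0x10000) if msg_id is None else msg_id
    header = struct.pack("!HHHHHH", msg_id, FLAG_BITS["rd"], 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: owner "." , type 41, class = UDP payload size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into id, rcode, section counts and the named flag bits."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": msg_id, "rcode": flags & 0x000F, "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}
    info.update({k: bool(flags & v) for k, v in FLAG_BITS.items()})
    return info


def validation_state(msg: bytes) -> str:
    """'secure' if AD is set, 'servfail' on RCODE 2, otherwise 'insecure/unvalidated'."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    return "secure" if h["ad"] else "insecure/unvalidated"


def query_server(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send the query over UDP to a resolver and decode the reply header (needs network)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    h = parse_header(data)
    if h["id"] != parse_header(q)["id"]:
        raise ValueError("response ID does not match query ID")
    h["state"] = validation_state(data)
    return h


# Constructed 12-byte reply headers for offline checks: the first carries the flags of
# the ripe.net answer on slide 35 (qr rd ra ad, NOERROR, id 62183, 2/5/5 records), the
# second is what a validating resolver returns for a zone that fails validation (SERVFAIL).
SAMPLE_SECURE_HEADER = struct.pack("!HHHHHH", 62183, 0x81A0, 1, 2, 5, 5)
SAMPLE_SERVFAIL_HEADER = struct.pack("!HHHHHH", 62183, 0x8182, 1, 0, 0, 0)
```

Point query_server() at the Windows 2012 DNS Server's address with a signed name such as ripe.net; 'secure' means validation is enabled and the trust anchor is in place, 'insecure/unvalidated' on a signed name means the AD flag is missing, as on slide 61.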
  77. Testing the DNSSEC validation
  78. DNSSEC validation in Firefox
     • Install the Firefox DNSSEC Add-On (http://www.dnssec-validator.cz/)
     • and then go to http://www.root-dnssec.org or http://www.ripe.net and you should see a nice green key icon in the URL bar telling you that this DNS information was DNSSEC validated.
  79. DNSSEC validation in Internet Explorer
     • CZ.NIC Labs offers a DNSSEC validation plugin for Internet Explorer 7-9
     • https://labs.nic.cz/page/1031/rozsireni-dnssec-validator-pro-internet-explorer/
  80. http://dnssec-or-not.org
  81. http://dnssectest.sidn.nl
  82. Enabling DNSSEC using 'dnscmd'
     • It is also possible to enable DNSSEC validation from the command line using the command
       dnscmd /RetrieveRootTrustAnchors
     • This command will first fetch the delegation signer (DS record) using https from IANA (https://data.iana.org/root-anchors/root-anchors.xml).
     • The server will then fetch the public key signing key from the root zone during an active refresh cycle (RFC 5011) and validate the KSK using the delegation signer record.
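Added example (not from the deck): the checks behind the "validate the KSK using the delegation signer record" step above and behind the DNSKEY/DS links of the chain on slides 43-54, in Python. It decodes the root KSK shown on slides 67 and 71 (flags 257, protocol 3, algorithm 8), derives the key tag (the "key id = 19036" in the keyset file), classifies the key as KSK or ZSK from the flags value as slides 91 and 92 describe, and computes the SHA-256 DS digest that a resolver compares against the DS it fetched from root-anchors.xml. The DS digest constant is the IANA-published value for key tag 19036; the function names are my own.

```python
import base64
import hashlib

# Root KSK as printed on the trust-anchor slides (DNSKEY 257 3 8, key id 19036).
ROOT_KSK_BASE64 = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ"
    "bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh"
    "/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA"
    "JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp"
    "oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3"
    "LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO"
    "Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc"
    "LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)
# DS for that key as published by IANA in root-anchors.xml: key tag 19036, algorithm 8,
# digest type 2 (SHA-256). This is the value the resolver holds before it sees the DNSKEY.
ROOT_DS_19036 = (19036, 8, 2,
                 "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")

FLAG_ZONE_KEY = 0x0100  # bit 7: this DNSKEY is a zone key (the 256 part of 256/257)
FLAG_SEP = 0x0001       # bit 15: secure entry point, the KSK marker (257 is odd)


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels; root is 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA as it appears on the wire: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (the 'key id' in a keyset file)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def key_role(flags: int) -> str:
    """257 (zone key + SEP) is a KSK, 256 (zone key only) a ZSK; anything else is not a zone key."""
    if not flags & FLAG_ZONE_KEY:
        return "not a zone key"
    return "KSK" if flags & FLAG_SEP else "ZSK"


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner wire name || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(wire_name(owner) + rdata).hexdigest().upper()


def matches_ds(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str,
               ds: tuple) -> bool:
    """The check a resolver performs with a DS (trust anchor or parent record) against a DNSKEY.

    ds is (key_tag, algorithm, digest_type, digest_hex). Every field must agree, and only a
    KSK (SEP flag set) may be matched against a DS.
    """
    ds_tag, ds_alg, ds_dtype, ds_hex = ds
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (key_role(flags) == "KSK"
            and algorithm == ds_alg
            and key_tag(rdata) == ds_tag
            and ds_digest(owner, rdata, ds_dtype) == ds_hex.upper())
```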
  83. Enabling DNSSEC using 'dnscmd'
  84. DNSSEC zone signing with Windows 2012
  85. Windows 2012 DNSSEC
  86. Windows 2012 DNSSEC
  87. Windows 2012 DNSSEC
  88. Windows 2012 DNSSEC
  89. 89. ©  Men  &  Mice    http://menandmice.com   ZSK  and  KSK • One  issue  in  cryptography  in  general  is  that  keys  can  be  stolen  or   cracked • the  longer  the  key  is  used,  the  higher  the  probability  that  the  key  can   be  replicated  by  a  brute  force  attack  or  is  stolen  and  used  (without   notice) • the  selection  of  the  key  algorithm  and  key  length  influence  the   probability  of  breaking  a  key • the  availability  of  cleartext  and  the  crypto-data  in  DNS  makes  is   easy  for  attackers  to  validate  a  cracked  key 89
  90. 90. ©  Men  &  Mice    http://menandmice.com   ZSK  and  KSK • Therefore,  it  is  common  practice  for  operational  flexibility  to  have  multiple  key   pairs: • A  ZSK  (Zone  Signing  Key),  to  sign  the  contents  of  the  zone • Except  possibly  not  the  DNSKEY  RRSet   • A  KSK  (Key  Signing  Key),  to  sign  just  the  DNSKEY  records • A  spare  KSK,  in  case  the  active  KSK  is  compromised • Repeat  all  of  the  above  for  each  key  algorithm  used • The  parent  zone  has  a  DS  record  for  the  active  KSK 90
  91. 91. ©  Men  &  Mice    http://menandmice.com   KSK •The  KSK  signs  the  DNSKEY  records  in  the  zone •The  KSK  has  always  an  odd  flag  number  (257  for  an  valid  KSK) •when  the  KSK  is  “rolled”  (renewed),  the  DS  record  in  the  parent   zone  needs  to  be  updated •The  KSK  should  be  created  with  a  large  key  size  to  be  'robust'   against  brute  force  attacks •the  KSK  has  a  long  lifetime 91
  92. 92. ©  Men  &  Mice    http://menandmice.com   ZSK • The  ZSK  signs  the  all  records  in  the  Zone  (possibly  including  the   DNSKEYs) • The  ZSK  has  always  an  even  flag  number  (256  for  an  valid  ZSK) • The  ZSK  can  be  rolled  without  the  need  to  change  the  DS  record  in   the  parent • So  the  operator  of  the  zone  is  more  flexible  with  key  rollovers  for   the  zone • The  ZSK  has  a  short  lifetime  and  is  “rolled”  often 92
  93. 93. ©  Men  &  Mice    http://menandmice.com   Generating/Selecting  the  KSK 93
  94. 94. ©  Men  &  Mice    http://menandmice.com   Generating  the  KSK 94
  95. 95. ©  Men  &  Mice    http://menandmice.com   The  DNSKEY  Record • There  are  different  algorithms  defined  for  DNSSEC: • RSAMD5  (deprecated  and  insecure,  not  available  in  Windows  2012) • RSASHA1  (mandatory  to  implement,  but  SHA1  is  seen  as  a  weak  protocol) • RSASHA256  (used  to  sign  the  ROOT-Zone) • RSASHA512 • ECCGOST  (used  in  Russia,  not  implemented  in Windows  2012) • DSA  (slow  for  validation,  not  used  in  practice,  not  available  in  Windows  2012) • ECDSA  (SHA-256  and  SHA384,  RFC  6605  -  April  2012,  not  widely  deployed  in  validators)   95
96. Key length
• Current cryptanalysis considers RSA keys shorter than 700 bits breakable (although only with huge amounts of resources)
• Recent (2012) calculations indicate that 1024-bit RSASHA1 keys could be broken within 5 years
• It is generally recommended to move away from SHA-1 in the next years
• SHA-256 or SHA-512 with a 2048-bit key length are safe for the next decades based on current cryptanalysis
97. Impact of key length
• A larger key increases the computing resources needed to sign a zone and to validate the signatures
• Doubling the key size in bits increases ...
  • ... the time needed to create signatures (signing) by a factor of 8
  • ... the time needed to validate signatures by a factor of 4
98. Selection of key length
• The default in Windows 2012 for the Key Signing Key (KSK) is 2048-bit RSA/SHA-256
99. Selection of key length
• The "DNSKEY RRSET signature validity period" defines the lifetime of the signatures (RRSIG) on the DNSSEC public keys (KSK and ZSK)
• The Windows 2012 DNS server signs the DNSKEY record set with both keys (ZSK and KSK)
• The default value is 168 hours (= 7 days = 1 week)
100. KSK rollover
• Windows 2012 can perform automatic rollovers
• The default rollover interval for the KSK is 755 days (approx. 2 years)
101. KSK Key Rollover (double-sign)
[Timeline diagram; its labels in order: KSKold active and published; create new KSK (KSKnew published and active alongside KSKold); wait zone transfer + max TTL of zone; send new DS set to parent; new DS record in parent; wait TTL of DS record set in parent; remove old KSK key. Legend: active key, published]
102. KSK defined
103. Selecting/Generating a ZSK
104. Selecting/Generating a ZSK
105. Selecting/Generating a ZSK
106. ZSK Key parameters
• For the ZSK, it is recommended to use the same cryptographic algorithm as for the KSK
• The key length of a ZSK is usually lower, as the ZSK is rolled at shorter intervals
• RSA/SHA-256 with a 1024-bit key is the default in Windows 2012
107. Signature lifetimes
• The "DNSKEY signature validity period" defines the lifetime of the signatures created by the ZSK over the public DNSSEC keys in the zone (DNSKEY records)
• Default is 168 hours (= 7 days = 1 week)
108. Signature lifetimes
• The "DS signature validity period" defines the lifetime of the signatures created by the ZSK over a delegation signer record (DS record) that establishes the trust to a child zone of this zone
• Default is 168 hours (= 7 days = 1 week)
109. Signature lifetimes
• The "Zone record validity period" defines the lifetime of the signatures created by the ZSK over all other resource records in the zone (SOA, NS, A, AAAA, MX, TXT, SRV ...)
• Default is 240 hours (= 10 days)
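The validity periods on slides 99 and 107 to 109 decide when a signed zone silently turns into SERVFAIL for validating resolvers. The following is an added example, not code from the slides or from the Windows DNS server: it models the three Windows 2012 defaults, derives RRSIG inception/expiration timestamps from them, and classifies a constructed set of signatures the way a zone monitor would. The one-hour backdated inception and the 24-hour maximum TTL are assumptions chosen for the example.

```python
# Added example; not from the Men & Mice slides or from the Windows DNS server code.
# Models the validity periods named on slides 99 and 107-109 and classifies RRSIGs
# the way a zone monitor would, with a constructed set of signatures as input.
from datetime import datetime, timedelta, timezone

# Windows 2012 defaults quoted on the slides, in hours.
VALIDITY_HOURS = {"DNSKEY": 168, "DS": 168, "ZONE": 240}

# RRSIG inception/expiration presentation format (YYYYMMDDHHmmSS, UTC), RFC 4034 3.2.
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


def utc(*ymdh):
    """Aware UTC datetime from (year, month, day[, hour, minute])."""
    return datetime(*ymdh, tzinfo=timezone.utc)


def validity_for(rrtype):
    """DNSKEY and DS have their own periods; every other type uses the zone record period."""
    return VALIDITY_HOURS.get(rrtype, VALIDITY_HOURS["ZONE"])


def rrsig_window(rrtype, signed_at, skew_hours=1):
    """Inception and expiration for a signature made at signed_at (aware UTC datetime).
    Backdating the inception by skew_hours is an assumption made here so that validators
    with a slightly slow clock accept the signature; it is not a setting from the slides."""
    inception = signed_at - timedelta(hours=skew_hours)
    expiration = signed_at + timedelta(hours=validity_for(rrtype))
    return inception.strftime(RRSIG_TIME_FMT), expiration.strftime(RRSIG_TIME_FMT)


def parse_rrsig_time(text):
    return datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def signature_state(inception, expiration, now, max_ttl_seconds):
    """Classify one RRSIG at time now:
    not-yet-valid / expired: validators reject the RRset outright (SERVFAIL);
    refresh: still valid, but a copy cached now (living up to max_ttl_seconds) would
    outlive the signature, so re-signing and distributing the zone is already overdue;
    ok: nothing to do."""
    inc, exp = parse_rrsig_time(inception), parse_rrsig_time(expiration)
    if now < inc:
        return "not-yet-valid"
    if now >= exp:
        return "expired"
    if exp - now <= timedelta(seconds=max_ttl_seconds):
        return "refresh"
    return "ok"


def audit(rrsigs, now, max_ttl_seconds):
    """rrsigs: iterable of (owner, covered_type, inception, expiration) as read from the zone.
    Returns the signatures a monitor should alert on, with their state."""
    findings = []
    for owner, rrtype, inc, exp in rrsigs:
        state = signature_state(inc, exp, now, max_ttl_seconds)
        if state != "ok":
            findings.append((owner, rrtype, state))
    return findings


if __name__ == "__main__":
    signed = utc(2012, 9, 1)                        # constructed signing time
    dnskey_sig = rrsig_window("DNSKEY", signed)     # expires 7 days later
    zone_sig = rrsig_window("A", signed)            # expires 10 days later
    check = utc(2012, 9, 7, 12)                     # 12 h before the DNSKEY RRSIG ends
    print(audit([("example.", "DNSKEY", *dnskey_sig),
                 ("www.example.", "A", *zone_sig)], check, max_ttl_seconds=86400))
```

The "refresh" state is the one worth alerting on: by the time a signature is "expired" some caches already serve an RRset that no longer validates, so the monitor must fire at least one maximum TTL plus distribution time before expiration.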
110. ZSK rollover
• The default rollover interval for the ZSK is 90 days (approx. 3 months)
111. ZSK Key Rollover (pre-publish)
[Timeline diagram; its labels in order: ZSKold active and published; create new ZSK (ZSKnew published, not yet active); wait zone transfer + TTL of DNSKEY RRset; use new ZSK for signing; wait zone transfer + max TTL of zone; remove old ZSK key. Legend: active key, published]
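The two timelines on slides 101 and 111 are easy to get wrong in practice, because each waiting period depends on a different TTL. The following is an added example, not code from the slides or from the Windows DNS server: it turns both diagrams into a schedule calculator that, given the DNSKEY TTL, the maximum TTL in the zone, the DS TTL in the parent and an assumed zone-transfer delay, returns the earliest safe time for every step. All TTLs and timestamps in the usage section are constructed.

```python
# Added example; not from the slides or from the Windows DNS server. Turns the two
# rollover timelines drawn on slides 101 and 111 into a schedule: given the TTLs and a
# zone-transfer delay, when is each step safe? Durations are seconds, times are aware
# UTC datetimes; all inputs used at the bottom are constructed.
from datetime import datetime, timedelta, timezone


def utc(*ymdh):
    return datetime(*ymdh, tzinfo=timezone.utc)


def zsk_prepublish_schedule(create_at, dnskey_ttl, max_zone_ttl, transfer_delay):
    """Pre-publish ZSK rollover (slide 111).
    publish    : the new ZSK is added to the DNSKEY RRset but signs nothing yet.
    activate   : after zone transfer + TTL of the DNSKEY RRset no cache can still hold
                 a DNSKEY RRset without the new key, so the new ZSK may start signing.
    remove_old : after another zone transfer + max TTL of the zone no signature made by
                 the old ZSK can still be cached, so the old key may be removed."""
    activate = create_at + timedelta(seconds=transfer_delay + dnskey_ttl)
    remove_old = activate + timedelta(seconds=transfer_delay + max_zone_ttl)
    return {"publish": create_at, "activate": activate, "remove_old": remove_old}


def ksk_double_sign_schedule(create_at, max_zone_ttl, transfer_delay, ds_ttl,
                             ds_published_at=None):
    """Double-signature KSK rollover (slide 101).
    publish_and_sign : the new KSK is published and, together with the old one, signs the
                       DNSKEY RRset, so either DS in the parent validates the RRset.
    send_ds          : after zone transfer + max TTL of the zone the double-signed RRset has
                       replaced every cached copy; now the new DS can go to the parent.
    ds_in_parent     : when the parent actually publishes the new DS (ds_published_at);
                       defaults to send_ds, which is optimistic for most registries.
    remove_old       : one DS TTL after that the old DS has left all caches and the old
                       KSK may be removed."""
    send_ds = create_at + timedelta(seconds=transfer_delay + max_zone_ttl)
    ds_in_parent = ds_published_at if ds_published_at is not None else send_ds
    if ds_in_parent < send_ds:
        raise ValueError("the new DS cannot be in the parent before it was sent")
    remove_old = ds_in_parent + timedelta(seconds=ds_ttl)
    return {"publish_and_sign": create_at, "send_ds": send_ds,
            "ds_in_parent": ds_in_parent, "remove_old": remove_old}


def step_is_safe(schedule, step, now):
    """Gate for an operator or for automation: may this step be executed at time now?"""
    return now >= schedule[step]


if __name__ == "__main__":
    t0 = utc(2012, 9, 1)   # constructed key creation time
    zsk = zsk_prepublish_schedule(t0, dnskey_ttl=3600, max_zone_ttl=86400, transfer_delay=600)
    ksk = ksk_double_sign_schedule(t0, max_zone_ttl=86400, transfer_delay=600, ds_ttl=86400,
                                   ds_published_at=utc(2012, 9, 3))
    for name, sched in (("ZSK pre-publish", zsk), ("KSK double-sign", ksk)):
        print(name)
        for step, when in sched.items():
            print("  %-17s %s" % (step, when.isoformat()))
```

The KSK schedule deliberately takes the parent's publication time as an input rather than assuming it: the "TTL of DS records set in parent" wait on slide 101 starts only when the new DS is actually visible in the parent zone, and removing the old KSK before that leaves validators that still cache the old DS without a valid chain.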
112. ZSK is generated
113. NSEC or NSEC3?
114. The NSEC Record
• RRSIG records are fine for authenticating records
• But what about negative responses, like NXDOMAIN or NODATA?
  • These don't contain records to sign
• We can't just provide the SOA record and its signature
  • That would allow replay attacks
• We must add a new RR type to prove negatives, which we can then sign
115. The NSEC record
• Example:
foo.example. IN SOA [...]
foo.example. IN NS ns1.foo.example.
foo.example. IN NS ns2.foo.example.
foo.example. IN MX 10 mail.foo.example.
foo.example. IN A 192.168.0.1
foo.example. IN NSEC mail.foo.example. SOA NS MX A NSEC
mail.foo.example. IN A 192.168.0.2
(Callout on the NSEC record: "mail.foo.example." is the pointer to the next owner name in the zone)
116. The NSEC record
• Example (the same records as on slide 115):
foo.example. IN NSEC mail.foo.example. SOA NS MX A NSEC
(Callout on the NSEC record: "SOA NS MX A NSEC" is the list of RR types for this owner name, foo.example)
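What a validator actually does with the NSEC chain from slides 115 and 116, once the signatures on the NSEC records have verified, is the part the slides leave implicit. The following is an added example, not code from the slides: it implements DNSSEC canonical name ordering, the "is this name inside this NSEC span" test including the wrap-around at the end of the zone, and the NXDOMAIN/NODATA decision together with the wildcard check an NXDOMAIN proof needs. The chain is the slide's foo.example zone, extended with constructed A records for ns1 and ns2 so that it closes back to the apex.

```python
# Added example; not from the slides. Authenticated denial of existence with NSEC:
# what a validator checks once the RRSIGs over the NSEC records have verified. The chain
# below is the slide's foo.example zone, extended with constructed A records for the two
# name servers so that the chain closes back to the apex.


def canonical_key(name):
    """Sort key for DNSSEC canonical name order (RFC 4034 6.1): labels compared right to
    left, case-insensitively, as octet strings; a parent sorts before its children."""
    labels = [l for l in name.lower().split(".") if l]
    return tuple(label.encode("ascii") for label in reversed(labels))


def key_to_name(key):
    return ".".join(label.decode("ascii") for label in reversed(key))


def nsec_covers(owner, next_name, qname):
    """True if qname lies strictly between owner and next. The last NSEC of a zone points
    back to the apex, so its span wraps around the end of the zone."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o == n:                      # one-name zone: the NSEC covers everything but itself
        return q != o
    if o < n:
        return o < q < n
    return q > o or q < n           # wrap-around span


def closest_encloser(chain, qname):
    """Longest ancestor of qname that exists (is an NSEC owner name)."""
    existing = {canonical_key(owner) for owner, _, _ in chain}
    q = canonical_key(qname)
    for depth in range(len(q) - 1, 0, -1):
        if q[:depth] in existing:
            return q[:depth]
    raise ValueError("%s has no existing ancestor in the chain" % qname)


def deny(chain, qname, qtype):
    """chain: list of (owner, next, set_of_types) read from the zone's NSEC records.
    Returns ('EXISTS', owner), ('NODATA', owner) or
    ('NXDOMAIN', covering_owner, wildcard_covering_owner)."""
    q = canonical_key(qname)
    apex = min(canonical_key(owner) for owner, _, _ in chain)
    if q[:len(apex)] != apex:
        raise ValueError("%s is outside the zone %s" % (qname, key_to_name(apex)))
    for owner, _, types in chain:
        if canonical_key(owner) == q:       # the name exists: NODATA if the type is absent
            return ("EXISTS", owner) if qtype in types else ("NODATA", owner)
    covering = next((o for o, n, _ in chain if nsec_covers(o, n, qname)), None)
    if covering is None:
        raise ValueError("no NSEC covers %s: the chain is broken" % qname)
    # An NXDOMAIN proof also needs an NSEC showing that no wildcard at the closest
    # encloser could have synthesized an answer (RFC 4035 5.4).
    wildcard = "*." + key_to_name(closest_encloser(chain, qname))
    wc_cover = next((o for o, n, _ in chain if nsec_covers(o, n, wildcard)), None)
    if wc_cover is None:
        raise ValueError("%s exists or is not covered: no NXDOMAIN proof" % wildcard)
    return ("NXDOMAIN", covering, wc_cover)


# Constructed chain (owner, next owner, types at owner); types include NSEC and RRSIG.
SLIDE_CHAIN = [
    ("foo.example",      "mail.foo.example", {"SOA", "NS", "MX", "A", "NSEC", "RRSIG"}),
    ("mail.foo.example", "ns1.foo.example",  {"A", "NSEC", "RRSIG"}),
    ("ns1.foo.example",  "ns2.foo.example",  {"A", "NSEC", "RRSIG"}),
    ("ns2.foo.example",  "foo.example",      {"A", "NSEC", "RRSIG"}),   # wraps to the apex
]

if __name__ == "__main__":
    for qname, qtype in (("mail.foo.example", "A"), ("foo.example", "AAAA"),
                         ("nope.foo.example", "A"), ("zzz.foo.example", "A")):
        print(qname, qtype, "->", deny(SLIDE_CHAIN, qname, qtype))
```

Two details matter for correctness here: the comparison is on the canonical order, not plain string order (so "*.foo.example" sorts right after the apex, and a child always sorts after its parent), and the last NSEC in the zone wraps around, which is why "zzz.foo.example" is covered by the NSEC owned by ns2.foo.example even though it sorts after it.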
117. The NSEC3 Record
• NSEC records allow a nosy stranger to obtain a complete copy of your zone
• They enumerate that which exists, in order to prove that which does not exist
• Example: ldns-walk paypal.com
• Therefore, they can be used to build a list of queries to obtain the whole zone
118. The NSEC3 Record
• NSEC3 uses hashed domain names to obscure the list of names in the zone
• The owner name and next node name are now hashed
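Slide 118 says the owner and next names are hashed but not how. The following is an added example, not code from the slides: it computes the NSEC3 owner-name hash exactly as RFC 5155 defines it (SHA-1, salt, iterations, base32hex) and shows the span test a validator does on the hashed names. The test vector is the one from RFC 5155 Appendix A (zone "example", salt aabbccdd, 12 iterations); the NSEC3PARAM record text is the one from that appendix.

```python
# Added example; not from the slides. Reproduces the hashed owner names the slide
# describes (RFC 5155) and the span check a validator does on NSEC3 records. The test
# vector used below comes from RFC 5155 Appendix A: zone "example", salt aabbccdd,
# 12 iterations.
import base64
import hashlib

# RFC 4648 base32 alphabet -> base32hex ("extended hex") alphabet used by NSEC3.
_TO_BASE32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                              "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root 0x00."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_nsec3param(rdata):
    """'1 0 12 aabbccdd' -> (hash_alg, flags, iterations, salt_hex); '-' means no salt."""
    alg, flags, iterations, salt = rdata.split()
    return int(alg), int(flags), int(iterations), ("" if salt == "-" else salt)


def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt), H = SHA-1
    (the only hash defined for NSEC3). Iterations count the extra rounds after the first.
    Returned as lowercase base32hex without padding, as it appears in zone files."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    text = base64.b32encode(digest).decode("ascii").translate(_TO_BASE32HEX)
    return text.rstrip("=").lower()


def hashed_owner(name, zone, nsec3param_rdata):
    """Owner name of the NSEC3 record for name in zone, e.g. '<hash>.example'."""
    _alg, _flags, iterations, salt = parse_nsec3param(nsec3param_rdata)
    return "%s.%s" % (nsec3_hash(name, salt, iterations), zone.strip("."))


def nsec3_covers(owner_hash, next_hash, target_hash):
    """Hashed owner and next hash are compared as strings: base32hex keeps the byte order
    of the digest. The last NSEC3 of a zone wraps around to the smallest hash."""
    o, n, t = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if o == n:
        return t != o
    if o < n:
        return o < t < n
    return t > o or t < n


if __name__ == "__main__":
    print(hashed_owner("example", "example", "1 0 12 aabbccdd"))
    print(hashed_owner("ns1.example", "example", "1 0 12 aabbccdd"))
```

Note that the hash protects the names only against casual listing: the salt and iteration count are public in NSEC3PARAM, so the obscuring effect is bounded by the cost of hashing candidate names, which is why the slides still present NSEC3 as obscuring, not hiding, the zone contents.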
119. NSEC or NSEC3?
120. Trust Anchors
121. The Chain of Trust
• We already have a chain linking parent zones to child zones: the chain of authority
• We create a parallel chain of trust linking signed parent zones to signed child zones
• Enter the DS RR type
122. The DS (Delegation Signer) Record
• The DS RR is used in the DNSKEY authentication process
  • It answers the question: is the zone's public key (DNSKEY) valid?
• The DS RR is stored in the parent zone of the DNSKEY's zone
  • and is a hash of the zone's DNSKEY
123. The Chain of Trust Illustrated (Part 1)
com. zone (signed with the .com zone private key, which is stored securely; the .com zone public key is in the zone file as the DNSKEY record):
com. IN SOA (soa param)
com. IN RRSIG (SOA -> COM-Key)
com. IN DNSKEY COM-Key
com. IN RRSIG (DNSKEY -> COM-Key)
sub.com. IN NS ns.example.com.
sub.com. IN DS (hash -> sub.com-Key)
sub.com. IN RRSIG (DS -> COM-Key)
124. The Chain of Trust Illustrated (Part 2)
com. zone (the same records as in Part 1). Callouts: the signatures in the .com zone are created with the private zone key (the "COM" zone key); there is no signature on non-authoritative data (the NS records of the delegation of sub.com)
125. The Chain of Trust Illustrated (Part 3)
com. zone (parent):
com. IN SOA (soa param)
com. IN RRSIG (SOA -> COM-Key)
com. IN DNSKEY COM-Key
com. IN RRSIG (DNSKEY -> COM-Key)
sub.com. IN NS ns.example.com.
sub.com. IN DS (hash -> sub.com-Key)
sub.com. IN RRSIG (DS -> COM-Key)
sub.com. zone (signed with the sub.com zone private key, which is used to sign the zone data):
sub.com. IN SOA (soa param)
sub.com. IN RRSIG (SOA -> SUB.COM-Key)
sub.com. IN DNSKEY SUB.COM-Key
sub.com. IN RRSIG (DNSKEY -> SUB.COM-Key)
sub.com. IN NS ns.example.com.
sub.com. IN RRSIG (NS -> SUB.COM-Key)
Callout: the DS record in the parent zone validates the DNSKEY in the child zone
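The "hash -> sub.com-Key" arrow on slides 122 to 125, and the 256/257 flags on slides 91 and 92, can both be made concrete in a few lines. The following is an added example, not code from the slides or from the Windows DNS server: it parses a DNSKEY record, reads its flags (256 = ZONE bit, 257 = ZONE + SEP bit, which is why a KSK's flags value is odd), computes the key tag from RFC 4034 Appendix B and the SHA-256 DS digest from RFC 4509, and performs the parent-DS-to-child-DNSKEY check the chain-of-trust slides describe. The DNSKEY records below are constructed (a two-byte "public key"), so the resulting tags and digests illustrate the procedure only.

```python
# Added example; not from the slides or from the Windows DNS server. Parses a DNSKEY
# record, reads the flags the KSK/ZSK slides describe (256 = ZONE, 257 = ZONE + SEP),
# computes the key tag (RFC 4034 Appendix B) and the DS digest (SHA-256, RFC 4509), and
# checks a child DNSKEY against a DS in the parent as the Chain of Trust slides describe.
# The key material below is constructed (two bytes), not a real key.
import base64
import hashlib
import struct

FLAG_ZONE = 0x0100    # bit 7: zone key; set on ZSK and KSK alike, hence the 256
FLAG_SEP = 0x0001     # bit 15: Secure Entry Point, set on a KSK; 256 + 1 = 257 (odd)
FLAG_REVOKE = 0x0080  # bit 8: revoked (RFC 5011); such a key must not anchor trust

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types handled here


def parse_dnskey(rdata_text):
    """'257 3 8 <base64>' -> dict; the base64 may be split into several chunks."""
    flags, protocol, algorithm, *key = rdata_text.split()
    return {"flags": int(flags), "protocol": int(protocol),
            "algorithm": int(algorithm), "key": base64.b64decode("".join(key))}


def key_role(flags):
    if not flags & FLAG_ZONE:
        return "not-a-zone-key"
    if flags & FLAG_REVOKE:
        return "revoked"
    return "KSK" if flags & FLAG_SEP else "ZSK"


def dnskey_rdata(k):
    return struct.pack(">HBB", k["flags"], k["protocol"], k["algorithm"]) + k["key"]


def key_tag(k):
    """RFC 4034 Appendix B: add the RDATA as big-endian 16-bit words, fold the carry in."""
    ac = 0
    for i, octet in enumerate(dnskey_rdata(k)):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner, k, digest_type=2):
    """digest( canonical owner name || DNSKEY RDATA ); type 1 = SHA-1, 2 = SHA-256."""
    if digest_type not in DIGESTS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return DIGESTS[digest_type](name_to_wire(owner) + dnskey_rdata(k)).hexdigest().upper()


def ds_record(owner, k, digest_type=2):
    """DS RDATA the parent publishes for this key: '<key tag> <alg> <digest type> <digest>'."""
    return "%d %d %d %s" % (key_tag(k), k["algorithm"], digest_type,
                            ds_digest(owner, k, digest_type))


def ds_matches_dnskey(ds_text, owner, k):
    """The link the slides draw from parent DS to child DNSKEY: key tag, algorithm and
    digest must all agree, and the key must be a usable zone key (RFC 4035 5.2)."""
    tag, alg, dtype, digest = ds_text.split()
    if int(dtype) not in DIGESTS or key_role(k["flags"]) not in ("KSK", "ZSK"):
        return False
    return (int(tag) == key_tag(k) and int(alg) == k["algorithm"]
            and digest.upper() == ds_digest(owner, k, int(dtype)))


# Constructed DNSKEY records for sub.com: algorithm 8 (RSA/SHA-256), key bytes 0x01 0x02.
SUB_COM_KSK = "257 3 8 AQI="
SUB_COM_ZSK = "256 3 8 AQI="

if __name__ == "__main__":
    ksk = parse_dnskey(SUB_COM_KSK)
    ds = ds_record("sub.com", ksk)
    print("role:", key_role(ksk["flags"]), "tag:", key_tag(ksk))
    print("sub.com. IN DS", ds)
    print("parent DS validates child DNSKEY:", ds_matches_dnskey(ds, "sub.com", ksk))
```

The owner name is part of the digest input, which is why a DS copied to the wrong delegation never matches, and why the key tag alone (a 16-bit checksum, not a hash) is only a hint for picking the candidate key and never a substitute for comparing the digest.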
126. DS records in Windows 2012
• Windows 2012 stores the DS record set and the DNSKEY record sets in text files under C:\Windows\System32\dns
127. DS records in Windows 2012
128. DS records in Windows 2012
129. Signing and polling
130. Signing the zone
131. Zone is signed
132. Signed zone in DNS Manager
133. Signed zone in the Men & Mice Suite
134. Signed zone in the Men & Mice Suite
135. Signed zone in the Men & Mice Suite
136. Windows 2012 DNS and DNSSEC Training
• 3-day "hands-on" training including
  • a thorough introduction to DNSSEC
  • DNSSEC key rollovers
  • monitoring DNSSEC signed zones
  • DNSSEC troubleshooting and tools
  • many "hands-on" labs
• Dates and prices
  • go to http://menandmice.com/training/
137. Thank you! E-Mail: carsten@menandmice.com
