Monica Salas & Raul Siles - Hype Potter and the Chamber of DNSSECrets [rooted2019]

  1. Hype Potter and the Chamber of DNSSECrets
     2019 © Dino Security S.L. All rights reserved. www.dinosec.com (@dinosec)
     Raúl Siles, Founder & Senior Security Analyst, raul@dinosec.com
     Mónica Salas, Founder & Security Analyst, monica@dinosec.com
     March 29, 2019
  2. About Us
     Raúl Siles (raul@dinosec.com) and Mónica Salas (monica@dinosec.com)
  3. DiNoSEC 2019: RootedCON 10th Anniversary
  4. Outline
     • DNSSEC zone signing
       – DNSSEC: authenticity and integrity
       – Stats from the “.es” zone
       – ICANN and DNSpionage
       – DNS flag day
     • DNSSEC practical zone signing
       – Four DNSSEC cases
     • DNSSEC validation
       – DNSSEC bits (or flags)
     • DNSSEC responses
       – The last mile…
     • Conclusions
  5. DNSSEC Zone Signing
  6. DNS Authenticity & Integrity
     Security threats: DNS spoofing (MitM attacks) and DNS cache poisoning (at the DNS resolver); the properties at stake are integrity and authenticity.
     'To SEC or not to SEC: DNS question': https://youtu.be/HmiK51kA1QY
  7. Where Did We Leave Off Last Year?
     DNSSEC is the solution for DNS spoofing and DNS cache poisoning attacks.
     [Diagram: DNS zone, DNS parent zone and DNS resolver, chained up to the “.” KSK (public key)]
  8. Harry Potter - Hogwarts Admission Letter
     Integrity!! Authenticity? Why should Harry trust his Hogwarts admission letter?
  9. Harry Potter – Rubeus Hagrid: The Trust Anchor
     2.75 meters tall, 400 kilograms. Anyone not convinced??
  10. DNSSEC Roles Taxonomy
     [Matrix: “I use DNSSEC in my authoritative server” (NO / YES) versus “I use a DNSSEC-capable resolver” (NO / YES)]
     And we convinced everybody…
  11. DNSSEC for ccTLD “.es”
     [Charts, Dec 2014 to Feb 2019: “DNSSEC validation from Spain”, “TOTAL .es DOMAINS with DNSSEC …or NOT?” and “TOTAL .es DOMAINS”]
     • Signed domains: +1,361 (+7.8%), from 0.948% to 1.022% of all “.es” domains (from Nov 2019)
     • DNSSEC validation increment: 31% (Dec 2018 to Mar 2019)
     Source: https://stats.labs.apnic.net/dnssec. Thanks to: José Eleuterio López (Red.es)
  12. Yes, We Did It… But It Was Not Only You…!
     ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet
     “LOS ANGELES – 22 February 2019 – The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems…”
     https://www.icann.org/news/announcement-2019-02-22-en
     (7.8%, 31%) Not really, it was not us convincing ICANN… :)
  13. DNSpionage
     • “A Deep Dive on the Recent Widespread DNS Hijacking Attacks”, Krebs on Security, February 18, 2019
     • Attacks hijacked the DNS infrastructure of a registrar which also operates one of the 13 “root” name servers (Netnod)
     • Access to administrative DNS resources with the goal of capturing credentials for other services via unauthorized changes to registries
     • Attackers gained control of the registrar’s administrative systems…
       – Netnod, PCH…
     • But DNSSEC became the unexpected ally…
     https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
  14. [Diagram: DNSpionage against mail.netnod.tld]
     Chain of trust: “.” → DS (.tld) → .tld → DS (.netnod) → .netnod.tld → mail.netnod.tld (DNSSEC)
     (1) Registrar DNS: NS (.netnod)
     (2) DISABLE DNSSEC for .netnod.tld.
     (3) COMODO: get a new certificate for (evil) mail.netnod.tld.
     (4) ENABLE DNSSEC for .netnod.tld.
     (5) mail.netnod.tld IP is the evil IP x.x.x.x
     (6)(7) Netnod employees resolve A (mail) through a DNSSEC-capable recursive resolver (DoT/DoH): no mail… & no credential stealing!!
  15. DNSpionage Conclusions
     • DNSSEC is not enough…
       – Secure the administration of DNS zones (registries and registrars): 2FA
       – DNS zone transfer operations are not secured through DNSSEC
         • TSIG (Transaction SIGnature protocol - RFC 3645) is used to authenticate both endpoints of a DNS operation and add integrity
         • EPP (Extensible Provisioning Protocol - RFC 5730)
           – Originally designed for allocating objects from registrars to registries over the Internet, with the goal of preventing DNS hijacking
           – Can be layered over multiple transport protocols
           – Provides session management through “<login>” (client identifier and plain text password)
           – Session persists until a “<logout>” is sent
           – “.es” supports EPP through HTTPS
  16. February 1st, 2019: DNS Flag Day
     • Slow DNS infrastructure performance due to systems non-compliant with the original DNS RFC 1035 (1987)
     • DNS authoritative server requirements:
       – Avoid implementations or firewalls that drop DNS packets with EDNS extensions (1999)
     • DNS resolvers: major open source DNS vendors released updates to stop accommodating non-standard responses (Bind, Knot, PowerDNS, Unbound)
     https://dnsflagday.net
  17. DNS Flag Day
     [Diagram: DNS client (stub resolver) → DNS resolver (DNS recursive server) / DNS forwarder → [public] DNS authoritative servers (root DNS server, gTLD or ccTLD DNS server, zone DNS server) and [private] DNS (authoritative) server; levels: Root, TLD, Zone]
  18. DNSSEC Practical Zone Signing
  19. Signing a DNS Zone - Multiple Examples
     Case  Zone          Registrar / Operator   Signing time (DS)                   DNSSEC algorithm         DNSKEYs           DS addition
     1     raulsil.es    A/A (Spain)            8 hours, established by registrar   RSASHA1-NSEC3-SHA1 (7)   ZSK + KSK         Not tried
     2     dinosec.info  B/B (World Wide)       15 mins, established by registrar   ECDSA-P256/SHA256 (13)   KSK               Not tried
     3     siles.info    B/B → B/C (Cloud)      15 mins, established by registrar   ECDSA-P256/SHA256 (13)   KSK → ZSK + KSK   Very easy
     4     dinosec.es    D/D (Spain/WW)         -                                   NO WAY!                  -                 NO WAY!
     • Activation process:
       • Simple: one button
       • Timing: a few minutes (5-15 mins) or hours (e.g. 8-12 hours)
       • Impossible
     • Lack of customization or detailed DNSSEC parameters or options
  20. ICANN Encourages Complaining…
     DNSSEC support is required by ICANN for registrars, with all available DS algorithm types (2014): 2013 RAA (Registrar Accreditation Agreement)
     https://www.icann.org/resources/pages/support-dnssec-ipv6-2014-01-29-en
     https://www.icann.org/registrar-reports/accredited-list.html
     Complain to ICANN: https://forms.icann.org/en/resources/compliance/complaints/registrars/standards-complaint-form
  21. Supported DNSSEC Signing Algorithms (RFC 6944)
     https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec
  22. DNSSEC Records and Signatures
     $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net www.raulsil.es +dnssec
     …
     www.raulsil.es. 3600 IN A 87.98.231.5
     www.raulsil.es. 3600 IN RRSIG A 7 2 3600 20190319175117 20190217175117 33299 www.raulsil.es. 00I5xmLgMuxaaH/AX6y/KCNAE7x+iNUYcEa9hLIdnfj3KSKyeMa/puU9zqL81xjR5uI0DwIWjMBfUU1Egm8Wyx047jPQ+ANP2Ssdf7NwTpsVI9VOZrEMRmcxpjxil1birMQm/M8ZJmgi+poZRnNwvTxCC7bjewmd56cSXyzJfAY=
     Highlighted in the RRSIG: signature validity period (start date & expiration date), algorithm used, key ID
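As an added worked example (not code from the talk or from DinoSec), the following Python parses the RRSIG shown above and the ECDSA RRSIG for siles.info from slide 31, extracts the fields the slide highlights (validity window, algorithm, key tag) and reports whether each signature was still valid on the day of the talk; it also exposes the RSA-versus-ECDSA signature size difference the deck discusses later.

```python
"""Parse RRSIG records in presentation format and check their validity window."""
import base64
from datetime import datetime, timezone

# DNSSEC algorithm numbers mentioned in the talk (IANA registry, RFC 6944 status)
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

# RRSIG records copied from slides 22 and 31 (line-wrap spaces removed)
RRSIG_RAULSIL = ("www.raulsil.es. 3600 IN RRSIG A 7 2 3600 20190319175117 20190217175117 33299 "
                 "www.raulsil.es. 00I5xmLgMuxaaH/AX6y/KCNAE7x+iNUYcEa9hLIdnfj3KSKyeMa/puU9zqL81x"
                 "jR5uI0DwIWjMBfUU1Egm8Wyx047jPQ+ANP2Ssdf7NwTpsVI9VOZrEMRmcxpjxi"
                 "l1birMQm/M8ZJmgi+poZRnNwvTxCC7bjewmd56cSXyzJfAY=")
RRSIG_SILES = ("siles.info. 2949 IN RRSIG DNSKEY 13 2 3600 20190409082227 ( 20190208082227 2371 "
               "siles.info. 3QjU1QlBeQrhsJssRUJ3cBojHPon1hXJ80GT79gHYR3fMXLAE6f8vjLg"
               "TKBHb7PIyXvCU2LqgwqPYYbJHlJvog==)")

# Day of the talk (slide 1), used as the reference time for the validity check
TALK_DAY = datetime(2019, 3, 29, tzinfo=timezone.utc)


def _ts(field):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG RR (plain or kdig +multiline form) into its RFC 4034 fields."""
    f = line.replace("(", " ").replace(")", " ").split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: " + line)
    # f[4] type covered, f[5] algorithm, f[6] labels, f[7] original TTL,
    # f[8] expiration, f[9] inception, f[10] key tag, f[11] signer, f[12:] signature
    alg = int(f[5])
    signature = base64.b64decode("".join(f[12:]))
    return {
        "owner": f[0], "type_covered": f[4],
        "algorithm": alg, "algorithm_name": ALGORITHMS.get(alg, "unknown"),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": _ts(f[8]), "inception": _ts(f[9]),
        "key_tag": int(f[10]), "signer": f[11],
        "signature_bytes": len(signature),
    }


def signature_status(rrsig, now):
    """'valid', 'expired' or 'not yet valid' for the RRSIG at an aware datetime."""
    if now < rrsig["inception"]:
        return "not yet valid"
    if now > rrsig["expiration"]:
        return "expired"
    return "valid"


if __name__ == "__main__":
    for line in (RRSIG_RAULSIL, RRSIG_SILES):
        r = parse_rrsig(line)
        print(f"{r['owner']} {r['type_covered']}: alg {r['algorithm']} ({r['algorithm_name']}), "
              f"key tag {r['key_tag']}, signature {r['signature_bytes']} bytes, "
              f"{signature_status(r, TALK_DAY)} on {TALK_DAY.date()}")
```

Note that the RSA (algorithm 7) signature is 128 bytes against 64 bytes for ECDSA P-256, and that the raulsil.es RRSIG captured for the slide had already expired by the date of the talk, so a validating resolver would have needed a fresh one.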
  23. Enabling DNSSEC (1/2)
     [Screenshots: REGISTRAR “A”, REGISTRAR “B”]
  24. Enabling DNSSEC (2/2)
     [Screenshot: REGISTRAR “C”]
  25. DNSKEYs: 3 DNS Operators, 3 Signing Models
     [A] $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY raulsil.es
     raulsil.es. 2835 IN DNSKEY 256 3 7 AwEAAeBQ29zEisimlv+ybOPYCTin4hrl1pCBDtz6nVFO/r2BY1Y7LAnuX3doSBZi9Z6OliMJ5NWqhvNUoUi1n3U4ghxGRf5i1P5qWfNZ5gLuwT2M5Yd4NoOAZnKlmdkGGLrqEiw45riNdB+/MbQwYozGr6tBE/4Kx1+M/UWkNnEi2HdZ
     raulsil.es. 2835 IN DNSKEY 257 3 7 AwEAAaX0kus7MxJGgo5zuTmflEPH2dJkgDGbvepfG8tBH8y8gw036eTBbJDPf9DoOBdV2MMRa9QLptpwHQtYssKtZooIFZxHv70UeQSKmSyz/1OCoUJXI5ahm7VU0AqfPcWC4B568gLv3LR7O47Syh+AJXvWUEE/uvK+chgEHqIE9j7v
     [B] $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY dinosec.info
     ;; ANSWER SECTION:
     dinosec.info. 3601 IN DNSKEY 257 3 13 Ei8CWVmqMGXW/fpfihKoJl7xF70RZLhp3FspO0DGycb49sBZocMJMcixB6dx+WbvwPZak7QY78ytOjnkHdB22g==
     [B → C] $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info
     siles.info. 3601 IN DNSKEY 257 3 13 h6RG7m0QEsIlpvpFpPNS+mlSOirDS+NQC41S/yG0wFd1WAT/mc2zEDtT8lJCC9aHgy6i8Bj01+cFwBQ05ke2IA==
     siles.info. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
     siles.info. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
  26. DS Records
     [TLD] $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY es +dnssec +multiline
     es. 65022 IN DNSKEY 256 3 8 (
         AwEAAbdNeJQOckpcbVVTEHgKmHogfgezh6s6OrwZ
         m6uMgzC9KhrqAwIX6PDfd2MDflwSlmfRPsVm/dq5
         BzzbXQFZINCb2fzCer9S1e9gQiRX6/L/xDGH9gYP
         rfU3eA1xB3RPgcfNRcvzAeAd3z3yylSBmWco2oHN
         QWNLQqGs6jpI27cZ
         ) ; ZSK, RSASHA256 (1024b), id = 489
     [A] $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS raulsil.es +dnssec
     raulsil.es. 43200 IN DS 34464 7 2 97880FA96BCF744FAC85F073FFBCA679F053393C834F7837F44D1BD0A0A9C686
     raulsil.es. 86400 IN RRSIG DS 8 2 86400 20190329081541 20190315005946 489 es. qIYoNmkznp9gg53PNvoVkfGB3ytG+zFNAvrZVGDPvoc/Tx8z9D/3xWaK/p5l+yAbSB25UzPRlMXQ3TdmEzCUDAJz5LYTy2Ly66xEsGjFi9yUGai4okSrIJdty6atlKpe78Qy6MGubKPUewDMOd7jhfKlIl2mP/UE8VZfbmp1tno=
     [B] $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS dinosec.info +dnssec
     dinosec.info. 86170 IN DS 16285 13 1 74FFB23176C36384D454A5CB87E78D228094667E
     dinosec.info. 86170 IN RRSIG DS 7 2 86400 20190407153004 20190317143004 24332 info. foiwm18puMTPY610HxluGehc20ES1iClXToh7GzVGyO4EjzP5wmHhvgPLeD9fb0xcyi0QxX14Zc64fgSt9cqSw6eAwsQtgjAN4Djdz/nLMwp50T7cnQ1JHjpjxai5PdJqJ6j7069BVg46wWFlSsNyhsICTgXsJo0ljnofr5mKz8=
  27. Case 3: “siles.info” DNS Operator Transfer (1/2)
     • Domain registered and operated by B
     • Zone operation transferred from operator B to operator C
       – Zone registration was not transferable initially from B to C, since a minimum of 60 days is needed before a domain transfer request can be undertaken by a new registrar
       – DNSSEC was previously enabled in B with just a KSK and ECDSA P256/SHA256
       – DNSSEC was enabled in C with KSK and ZSK and ECDSA P256/SHA256
  28. Case 3: “siles.info” DNS Operator Transfer (2/2)
     Steps performed by the zone owner at the DNS provider’s management console (columns on the slide: Registrar / Operator B, Operator C)
     0) B is registrar and operator for the zone
     1) Zone operation requested by the owner
     2) NS provided by C
     3) NS servers pointed to C’s: it takes hours for the change to be applied
     4) DNSSEC disabled by B: DS(zone) removed from the TLD
     3) Owner requests enabling DNSSEC for the zone
     4) C signs the zone: since C knows the zone registrar is a third party, C provides the DS record for the zone
     5) Zone owner manually adds the DS record generated by C
     6) B transfers the DS record to the TLD (.info)
     The DNSSEC zone is now signed and operational again at C
  29. Case 3: siles.info (Steps 4 & 5)
     [Screenshots: DS generation at C, DS addition at B]
     Hash(KSK) = DS (the KSK carries the SEP flag)
  30. CDS and CDNSKEY: Simplifying DS Updates
     • RFC 8078 (March 2017)
     • KSK renewal through standard DNS mechanisms
     • New DS (and/or new DNSKEY) records are added to the child zone upon KSK renewal
     • The parent zone gets news of the child zone’s KSK renewal intention through:
       – Polling: the parent zone polls child zones periodically
       – Pushing: the child zone notifies the parent zone of CDS/CDNSKEY availability
     • Pros:
       – KSK renewal independent of registrars
     • Cons:
       – Not “de facto” standards yet & not mandatory (yet)
  31. Case 3: DNSSEC Records After Transfer to C
     $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec
     siles.info. 43200 IN DS 2371 13 2 4101DF3DCCE5291E11C450BBEBB16009378A11D0CF20C4B2E8842273025DC305
     siles.info. 85653 IN RRSIG DS 7 2 86400 20190415152146 20190325142146 24332 info. cSM+n8J6gy0A5q5RgU7hdifJEtU1ZPsfPx89lEH1GCZ3EG7Wkymx3drkdGJ5uBEzXJfwue8CG0fQveSvVL3MheC/jz85KCCwXwyHtCmdJHjXcPrwFKyHWHNsSznLcn0zugeAYWJwxN0DDOmHmM15+rBbvdNZ8Q3b535c7PtdDes=
     $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info +dnssec +multiline
     siles.info. 2949 IN DNSKEY 256 3 13 (
         oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
         ) ; ZSK, ECDSAP256SHA256 (256b), id = 34505
     siles.info. 2949 IN DNSKEY 257 3 13 (
         mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
         ) ; KSK, ECDSAP256SHA256 (256b), id = 2371
     siles.info. 2949 IN RRSIG DNSKEY 13 2 3600 20190409082227 (
         20190208082227 2371 siles.info.
         3QjU1QlBeQrhsJssRUJ3cBojHPon1hXJ80GT79gHYR3fMXLAE6f8vjLgTKBHb7PIyXvCU2LqgwqPYYbJHlJvog== )
     (slide labels: B, TLD, C)
     $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec
     siles.info. 43115 IN DS 53189 13 1 419700DF0777F6839E2E368A1BAEF9044E8B30B7
     (slide label: C)
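The “Hash(KSK) = DS” step of slides 29 and 30, as an added example that is not the talk’s own code: it rebuilds the DS record from C’s KSK DNSKEY shown on slide 31 following RFC 4034 (key tag in Appendix B, digest over owner name plus RDATA in section 5.1.4) and checks it against the DS the .info zone published, which is the check a zone owner can run before pasting a DS into the registrar’s console.

```python
"""Derive a DS record from a DNSKEY and verify it against the parent's DS (RFC 4034)."""
import base64
import hashlib
import struct

# KSK of siles.info published by operator C and the DS found at the .info TLD (slide 31)
SILES_KSK_B64 = ("mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+"
                 "KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
SILES_DS_AT_TLD = "2371 13 2 4101DF3DCCE5291E11C450BBEBB16009378A11D0CF20C4B2E8842273025DC305"

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def is_sep(flags):
    """Flag bit 15 (value 1) is the Secure Entry Point flag: 257 marks a KSK, 256 a ZSK."""
    return bool(flags & 0x0001)


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return the DS RDATA in presentation form: 'keytag algorithm digesttype DIGEST'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, ds_text):
    """True if the parent's DS really points at this DNSKEY (the chain-of-trust link holds)."""
    tag, alg, dtype, digest = ds_text.split()
    if int(dtype) not in DIGEST_TYPES:
        return False
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, int(dtype))
    return expected == f"{int(tag)} {int(alg)} {int(dtype)} {digest.upper()}"


if __name__ == "__main__":
    print("KSK?", is_sep(257))
    print("derived DS:", ds_from_dnskey("siles.info", 257, 3, 13, SILES_KSK_B64))
    print("matches TLD:", ds_matches("siles.info", 257, 3, 13, SILES_KSK_B64, SILES_DS_AT_TLD))
```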
  32. Tracking the Trust Chain (https://dnsviz.net)
     [Screenshots: dinosec.info, siles.info]
  33. Root Zone TLD Database
     • Very interesting information through the “curl” command (http://www.internic.net/domain/root.zone)
       – All NS in the root zone:
         curl -s http://www.internic.net/domain/root.zone | awk '$4 == "NS" { print $1 " " $4 $5 }' | uniq -c
       – All DS in the root zone:
         curl -s http://www.internic.net/domain/root.zone | awk '$4 == "DS" { print $1 " " $6 }' | uniq -c
  34. Signing Algorithms Comparison
     Algorithm             Number of TLDs
     5 (RSA/SHA-1)         163
     7 (RSA/SHA1-NSEC3)    551
     8 (RSA/SHA-256)       2206
     10 (RSA/SHA-512)      37
     13 (ECC P-256)        6
     • DNSSEC key types
       – RSA: larger key length needed, longer signatures
         • (5) RSA/SHA1: not recommended (weak)
         • (7) RSASHA1-NSEC3-SHA1: if NSEC3 is required to avoid zone enumeration
         • (8) RSA/SHA-256
       – ECC: not currently supported by all TLDs; small signatures and robust
         • (13) ECDSA Curve P-256 / SHA-256
         • (14) ECDSA Curve P-384 / SHA-384
     TLDs using ECC (ccTLD): Brazil .br, Switzerland .ch, Czech Republic .cz, Liechtenstein .li, Moldova .md, Niue (*New Zealand) .nu
     0 in May ’18, 1 in July ’18, 2 in Dec ’18, 6 in Mar ’19
  35. DANE: DNSSEC Beyond DNS
     • Most TLS-based services rely on an external CA
     • Problem: if that CA gets compromised and a new certificate is generated for a domain, all the services will be in danger
     • DNSSEC key signing schema advantages:
       – The key is associated to a domain (not to an entity identified by a chain of characters)
       – The keys are signed by the zone owner and the zone parent (not a single point of failure)
     • The trust anchor is defined on the resolver’s side for a single domain (“.”), not for hundreds of distinct CAs
  36. DANE: RFC 7673 DNS-Based Authentication of Named Entities
     • TLS certificates stored and signed within a specific DNS domain server
       – Minimum privilege: if keys are compromised, only services under that DNS hierarchy will be in danger
       – Certificates are tied to domain names through DNSSEC trust relationships
     • New DNS records to link TLS certificates with the domain
       – TLSA (Transport Layer Security Authentication)
     • Upon connection establishment, a TLS certificate is requested at the same time a DNSSEC query is launched to check that the received certificate matches the received TLSA record
     TLSA owner name format: _port._protocol.domain
       _443._tcp.www.zone1.com (HTTPS)
       _25._tcp.mail.zone1.com (SMTPS)
  37. DNSSEC Validation
  38. DNSSEC Bits (or Flags)
  39. DNSSEC Bits (or Flags): Acronyms
     DO, CD, AD (DOCDAD… DOC DAD), 2019 DNSSEC DNS
  40. DNSSEC Bits (or Flags): Traffic
     • Wireshark
  41. DNSSEC Bits (or Flags): Meaning
     • DO: DNSSEC OK
       – “I do support DNSSEC, so I want to receive the DNSSEC records…” (RRSIGs)
       – https://tools.ietf.org/html/rfc4035#section-3.2.1
     • CD: Checking Disabled
       – “Do not take care of validating the response through DNSSEC, as I will validate it… Simply send me the DNSSEC records.”
       – https://tools.ietf.org/html/rfc4035#section-3.2.2
     • AD: Authentic Data (or “Validated Data”)
       – “All DNS records in this response are authentic, as I have already validated them…”
       – https://tools.ietf.org/html/rfc4035#section-3.2.3
  42. The DO bit in DNSSEC
     • DO: “DNSSEC OK”
       – The resolver requests the DNSSEC records to be included in the response
       – If the DO bit is not set in the request, the DNSSEC records must be removed from the response
         • Unless explicitly requested
     https://tools.ietf.org/html/rfc3225#section-3
     https://tools.ietf.org/html/rfc4035#section-3.2.1
  43. The CD bit in DNSSEC
     • CD: Checking Disabled
       – The resolver can disable the DNSSEC validation (RRSIGs) in its own upstream “DNS server” (another resolver)
       – The CD bit in the query is reflected back in the response
       – The CD bit in the query is reflected in the associated upstream queries (recursive DNS resolution)
       – As a result, the response includes the non-validated DNSSEC records (to be validated locally)
       – Flexibility to establish who will validate the records and the criteria to apply (different time references, security islands, etc.)
     https://tools.ietf.org/html/rfc4035#section-3.2.2
  44. The AD bit in DNSSEC
     • AD: Authentic (or Authenticated) Data
       – All the DNS records (RRsets) included in the Answer and Authority sections of the response are authentic (from the DNSSEC perspective)
       – If so, the AD bit is set in the response
       – They have been validated by an upstream DNS resolver
       – Originally the AD bit was not set in requests, but…
     https://tools.ietf.org/html/rfc4035#section-3.2.3
  45. Managing the DNSSEC bits: DO, CD & AD (1/2)
     • RFC 4035: Protocol Modifications for the DNS Security Extensions
       – DO bit set in requests, to indicate the availability of DNSSEC support
       – CD bit set in requests between DNS clients and recursive servers
         • Who will take care of validating the responses?
       – The DO and CD bits are reflected back in the DNS responses based on their value in the associated DNS requests
       – AD bit set in responses between DNS clients and recursive servers
         • Is the response data (DNS records) authentic?
       • AD bit removed from requests: https://tools.ietf.org/html/rfc4035#section-4.6
       – But later, in RFC 3655 and RFC 6840…
     https://tools.ietf.org/html/rfc4035
  46. Managing the DNSSEC bits: DO, CD & AD (2/2)
     • RFC 6840: Clarifications and Implementation Notes for DNS Security (DNSSEC)
       – DO bit must be ignored by DNS recursive servers in responses
       – AD bit set in requests to indicate interest in receiving the AD bit set in the associated response (meaning, “I want you to validate the response”)
         • In addition to the DO bit already indicating DNSSEC support
       – “The AD bit MUST only be set if DNSSEC records have been requested via the DO bit…”
     • RFC 3655: Redefinition of DNS Authenticated Data (AD) bit
       – https://tools.ietf.org/html/rfc3655
       – E.g. Bind 9.11.x does not set the AD bit in the requests (still following the previous RFC 4035)
     https://tools.ietf.org/html/rfc6840
  47. DNSSEC Responses
  48. DNSSEC Responses
     DNS Flags section: Reply Code (RCODE), 4 bits
     • Valid (or correct) response
       – RCODE 0 (No Error: NOERROR)
     • DNSSEC validation error (by the resolver)
       – RCODE 2 (Server Failure: SERVFAIL)
         • dig: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
     • Domain does not exist
       – RCODE 3 (Non-eXistent Domain: NXDOMAIN)
     • The DNS server refuses to answer the request
       – RCODE 5 (Refused: REFUSED)
     DNSSEC is backwards compatible with DNS: both worlds run simultaneously…
  49. Imagine you are already convinced and we all have deployed DNSSEC…
  50. [Image slide]
  51. April 1st, 2018
  52. CPE (Customer Premises Equipment)
  53. Testing 1.1.1.1 (or one.one.one.one) with the Local DNS Resolver…
     Connecting to 1.1.1.1 through HTTP(S) you get the CPE (router) admin web interface, but it resolves all DNS queries properly… What about DNSSEC?
  54. Local Web and DNS Server at 1.1.1.1
     $ nmap -sS -sU -p 53 -n --reason -A 1.1.1.1
     Starting Nmap 7.60 ( https://nmap.org )...
     Nmap scan report for 1.1.1.1
     Host is up, received echo-reply ttl 63 (0.0019s latency).
     PORT   STATE SERVICE REASON              VERSION
     53/tcp open  domain  syn-ack ttl 63      dnsmasq 2.78
     53/udp open  domain  udp-response ttl 63 dnsmasq 2.78
     | dns-nsid:
     |_  bind.version: dnsmasq-2.78
     |_dns-recursion: Recursion appears to be enabled
     ...
     Aggressive OS guesses: Linux 2.6.32 - 3.0 (96%), ...
     Network Distance: 2 hops
     TRACEROUTE (using port 53/tcp)
     HOP RTT     ADDRESS
     1   1.28 ms 172.16.8.1
     2   2.62 ms 1.1.1.1
     $
  55. 1.0.0.0/8 Conflicts
     • Trying to reach 1.1.1.1
       – https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/
       – https://community.cloudflare.com/t/have-problems-with-1-1-1-1-read-me-first/15902
     • The 1.0.0.0/8 range was assigned to APNIC in 2010
       – Previously it was not assigned, but that didn’t mean it was available (or reserved) for private usage (RFC 1918)
         • https://seclists.org/nanog/2010/Jan/776
     • Multiple CPEs are using that IP address internally…
     • Multiple ISPs are using that IP address in their internal network…
     • Testing DNS resolution in Spanish ISPs…
       – Thanks to some collaborators, we could test the DNS resolution for a few Spanish ISPs…: Thanks RootedCON, Román, José, Pedro, Jorge…!!!!
  56. Using Other DNS Public Resolvers with DNSSEC Support
     • Can you find the differences? :)
     $ dig @8.8.8.8 +dnssec www.isoc.org.
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48091
     ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
     ;; OPT PSEUDOSECTION:
     ; EDNS: version: 0, flags: do; udp: 512
     ;; QUESTION SECTION:
     ;www.isoc.org. IN A
     ;; ANSWER SECTION:
     www.isoc.org. 9985 IN A 212.110.167.157
     www.isoc.org. 9985 IN RRSIG A 7 3 86400 20180723085001 20180709085001 36614 isoc.org. BkflOYwNc6SOfTIs+miL2gxfYADI9JAf... pytdHBTQEzYs=
     ;; Query time: 1833 msec
     ;; SERVER: 8.8.8.8#53(8.8.8.8)
     ;; WHEN: Tue Jul 10 10:08:40 CEST 2018
     ;; MSG SIZE rcvd: 225

     $ dig @8.8.8.8 +dnssec www.isoc.org.
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31624
     ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
     ;; OPT PSEUDOSECTION:
     ; EDNS: version: 0, flags:; udp: 4096
     ;; QUESTION SECTION:
     ;www.isoc.org. IN A
     ;; ANSWER SECTION:
     www.isoc.org. 13790 IN A 212.110.167.157
     ;; Query time: 92 msec
     ;; SERVER: 8.8.8.8#53(8.8.8.8)
     ;; WHEN: Fri Jul 06 20:14:33 CEST 2018
     ;; MSG SIZE rcvd: 57
  57. www.example.com (& .org)
  58. Basic Mode
     • No DNS settings
  59. Expert Mode (1/2)
     • Internet – DNS & DDNS:
       • DNS Seguro (Secure DNS) – OFF (that is, “please intercept all my traffic”)
  60. Expert Mode (2/2)
     • You cannot change the DNS servers!!
     • You can only see them… if you’re lucky :)
  61. Getting Admin Mode and Researching
  62. Admin Mode (1/2)
     • Internet – DNS & DDNS:
       • EDNS0 – OFF
       • Secure DNS – OFF
     No significant changes
  63. Admin Mode (2/2)
     • Settings – LAN – IPv4:
       • DNS Proxy – ON (setting not available in Expert Mode)
     No significant changes
  64. CPE Internals (SSH)
     • Who is disabling DNSSEC: CPE or ISP or …?
     • References to 1.1.1.1 or 1.0.0.1?
     # ps
     630 admin 1412 S /usr/sbin/dnsmasq -u admin
     # ifconfig -a
     br0   Link encap:Ethernet HWaddr 00:01:02:03:04:05
           inet addr:192.168.1.1 Bcast:192.168.1.255...
     br0:0 Link encap:Ethernet HWaddr 00:01:02:03:04:05
           inet addr:1.1.1.1 Bcast:1.255.255.255...
     # iptables -t nat -L
     ... (no DNS or special IP address references)
  65. Who is Disabling DNSSEC: CPE or ISP? (1/3)
     [Wireshark screenshot] Request:
  66. Who is Disabling DNSSEC: CPE or ISP? (2/3)
     [Wireshark screenshot] Response:
  67. Who is Disabling DNSSEC: CPE or ISP? (3/3)
     • They are compatible with EDNS0
     • They are selectively removing all DNSSEC flags!!!!
     • Let’s call it “Client-side DNSSEC Flag Day”!!!!
       – Selectively removing DNSSEC support from the client side!
       – If the AD or DO flags are set in the query, they are removed from the response :(
       – If the CD flag is set in the query, it is removed from the response too, breaking RFC 4035 :)
     • When using the CPE DNS resolvers (or 1.1.1.1)
     • Same scenario if the ISP transparently intercepts all DNS traffic
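To make the finding on this slide testable from a client, here is an added Python check (not the talk’s code and unrelated to dnssecchef) that parses the AD/CD header bits and the EDNS0 DO bit out of wire-format DNS messages and reports which DNSSEC flags a query set that the response came back without; the query and the two responses are constructed samples, with 192.0.2.10 as a documentation address.

```python
"""Detect DNSSEC flags (DO, CD, AD) that a DNS proxy strips between query and response."""
import struct

# Header flag bits (RFC 1035 / RFC 4035) and the EDNS0 DO bit (RFC 3225)
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000            # bit 15 of the OPT RR "TTL" field
OPT = 41               # EDNS0 pseudo-RR type


def _skip_name(msg, off):
    """Advance past a wire-format name, handling compression pointers (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def dnssec_flags(msg):
    """Return the AD/CD header bits, the EDNS0 DO bit and the RCODE of one DNS message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    do = False
    for _ in range(an + ns + ar):               # walk every RR looking for the OPT RR
        off = _skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT:
            do = bool(ttl & DO)
        off += 10 + rdlen
    return {"ad": bool(flags & AD), "cd": bool(flags & CD), "do": do, "rcode": flags & 0xF}


def stripped_flags(query, response):
    """Flags the client set in its query that are missing from the reply it got back."""
    q, r = dnssec_flags(query), dnssec_flags(response)
    return [f for f in ("do", "cd", "ad") if q[f] and not r[f]]


# --- constructed sample traffic (not captures from the talk) ---
def _wire_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_message(qname, flags, do, answers=()):
    """Build a minimal A query/response with one OPT RR, enough for the parser above."""
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, 1)
    body = _wire_name(qname) + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN
    for ip in answers:                                             # owner = pointer to offset 12
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        body += bytes(int(o) for o in ip.split("."))
    body += b"\x00" + struct.pack("!HHIH", OPT, 4096, DO if do else 0, 0)
    return hdr + body


# What a validating stub sends: RD + AD + CD in the header, DO in the OPT RR
QUERY = build_message("www.dinosec.info", RD | AD | CD, do=True)
# A DNSSEC-aware resolver reflects DO and CD (RFC 4035) and may set AD
RESOLVER_REPLY = build_message("www.dinosec.info", QR | RD | RA | AD | CD, do=True,
                               answers=["192.0.2.10"])
# A CPE/ISP proxy that keeps EDNS0 but clears every DNSSEC-related bit
PROXY_REPLY = build_message("www.dinosec.info", QR | RD | RA, do=False,
                            answers=["192.0.2.10"])

if __name__ == "__main__":
    print("direct resolver, flags stripped:", stripped_flags(QUERY, RESOLVER_REPLY))  # []
    print("through proxy,   flags stripped:", stripped_flags(QUERY, PROXY_REPLY))     # ['do', 'cd', 'ad']
```

Feeding real captures (the raw UDP payloads from the Wireshark screenshots above) to stripped_flags gives the same verdict as the slide: an empty list means the path is DNSSEC-clean, anything else names the bits that were removed.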
  68. 68. 68 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Client-Side DNSSEC Flag Day [public] DNS authoritative servers: - Root DNS server - gTLD or ccTLD DNS server - Zone DNS server DNS forwarder [private] DNS (authoritative) server DNS resolver (DNS recursive server) DNS client (Stub resolver) Root TLD Zone
  69. 69. 69 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Final Conclusions (1/2) • “Secure DNS” enables a single iptables rule for DNS traffic • How to bypass it client-side and be able to use DNSSEC, at least with the public DNS resolvers (e.g. Quads)? – Use TCP (look at the iptables rule) J… or DoH or DoT – The traffic goes via TCP to the public DNS resolver # iptables -t nat –L ... DNAT udp -- 192.168.1.0/24 !www.evil.isp udp dpt:domain to:192.168.1.1:53 $ dig -t A www.dinosec.info +dnssec @9.9.9.9 +tcp DNSSEC reponse J
70. Final Conclusions (2/2)
• This UDP vs TCP difference does not apply to the ISP DNS resolvers (e.g. when "Secure DNS" is turned off)
– They remove the DNSSEC flags for both UDP and TCP
• The only solution, if the transparent DNS proxies are not in the middle, is to force all clients to use a custom DNS resolver (public or private, different from the CPE)
– If the transparent DNS proxies are in the middle…
$ dig -t A www.dinosec.info +dnssec +tcp
No DNSSEC response :-(
71. Wright's Principle
"Security won't get better until tools for practical exploration of the attack surface are made available." – Joshua Wright, 2011
72. Tool
73. dnssecchef
• DNS/DNSSEC proxy tool by DinoSec (Python)
– Fake DNS/DNSSEC responses (file or command-line options)
– TCP and UDP support
• Based on dnschef (v0.3): https://github.com/iphelix/dnschef/
– Peter Kacherginsky (iPhelix)
• Requires dnslib v0.9.10+: https://bitbucket.org/paulc/dnslib/
– Paul Chakravarti
– Added support for DNSSEC flag getters/setters in v0.9.9
• Use it as a direct DNS server or as a transparent DNS proxy
74. DNSSEC Manipulation
(Diagram of the resolution path with these components: DNS client (stub resolver); DNS forwarder; DNS resolver (DNS recursive server); [private] DNS (authoritative) server; [public] DNS authoritative servers: root DNS server, gTLD or ccTLD DNS server, zone DNS server (Root, TLD, Zone))
75. dnssecchef Options
• Multiple DNSSEC-related options…
$ sudo ./dnssecchef --nodnssec
[ASCII-art banner: dnssecchef, version 0.5]
(c) 2019 DinoSec monica@dinosec.com & raul@dinosec.com
[*] DNSSECChef started on interface: 127.0.0.1
[*] Using the following nameservers: 8.8.8.8
[>] Disabling DNSSEC support completely...
[*] No parameters were specified. Running in full proxy mode
[*] DNSSECChef is running in both UDP and TCP modes (default)
[*] ...
By default, no DNSSEC changes (standard).
--dnssec: Enable DNSSEC flags manipulation.
--nodnssec: Disable DNSSEC support.
--file=dnssecchef.ini: Fake DNS responses.
https://github.com/dinosec/dnssecchef
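The flag stripping observed in slide 67 and the `--nodnssec` mode shown above both come down to three bits in the wire format: AD and CD in the 16-bit header flags, and DO in the pseudo-TTL of the EDNS0 OPT record (RFC 6891). The following Python is an added example written for this page; it is not code from the talk or from dnssecchef (which builds on dnslib; this block uses only the standard library). It parses those bits out of a raw message, reproduces what the intercepting resolvers do to a response, and compares a query with its response to report which bits went missing. The sample exchange is constructed inline, with a documentation address (192.0.2.10) standing in for the real answer.

```python
"""Added example: DNSSEC flag inspection, stripping and stripping detection on raw DNS messages.
Not part of the talk or of dnssecchef; standard library only, nothing goes on the wire."""
import struct

AD = 0x0020        # header flag: Authenticated Data (RFC 4035)
CD = 0x0010        # header flag: Checking Disabled (RFC 4035)
DO = 0x8000        # DNSSEC OK: top bit of the 16-bit flags carried in the OPT "TTL" field (RFC 6891)
TYPE_OPT = 41


def _skip_name(msg, off):
    """Return the offset just past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer terminates the name
            return off + 2
        off += 1 + length


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnssec_bits(msg):
    """Parse a DNS message and return its AD/CD/DO bits, whether it carries an OPT RR,
    and the offset of the OPT TTL slot (needed to rewrite DO in place)."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    opt_ttl_off = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            opt_ttl_off = off + 4               # ext-RCODE | version | DO | Z live in the TTL slot
        off += 10 + rdlen
    do = False
    if opt_ttl_off is not None:
        do = bool(struct.unpack("!I", msg[opt_ttl_off:opt_ttl_off + 4])[0] & DO)
    return {"ad": bool(flags & AD), "cd": bool(flags & CD), "do": do,
            "edns": opt_ttl_off is not None, "opt_ttl_off": opt_ttl_off}


def strip_dnssec_flags(msg):
    """What the intercepting resolvers do: clear AD and CD in the header and DO in the OPT RR,
    leaving everything else (the OPT RR included) untouched, so EDNS0 still looks supported."""
    buf = bytearray(msg)
    buf[2:4] = struct.pack("!H", struct.unpack("!H", buf[2:4])[0] & ~(AD | CD))
    off = dnssec_bits(msg)["opt_ttl_off"]
    if off is not None:
        buf[off:off + 4] = struct.pack("!I", struct.unpack("!I", buf[off:off + 4])[0] & ~DO)
    return bytes(buf)


def stripped_flags(query, response):
    """DNSSEC bits set in the query that are missing from the response.
    DO should be echoed by any EDNS-aware server and CD must be copied into the response
    (the RFC 4035 breakage the talk points at). A missing AD is only an indicator, since AD
    is also absent when the resolver simply did not validate the answer."""
    q, r = dnssec_bits(query), dnssec_bits(response)
    missing = []
    if q["do"] and r["edns"] and not r["do"]:
        missing.append("DO")
    if q["cd"] and not r["cd"]:
        missing.append("CD")
    if q["ad"] and not r["ad"]:
        missing.append("AD")
    return missing


def build_message(qname, flags, answer_ip=None, do=True, msg_id=0xBEEF):
    """Tiny builder for test messages: one A/IN question, optional A answer, one EDNS0 OPT RR."""
    an = 1 if answer_ip else 0
    msg = struct.pack("!HHHHHH", msg_id, flags, 1, an, 0, 1)
    msg += _encode_name(qname) + struct.pack("!HH", 1, 1)
    if answer_ip:
        # c0 0c = compression pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(octet) for octet in answer_ip.split("."))
    # OPT RR: root name, UDP payload size 4096 in the class slot, DO bit in the TTL slot
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO if do else 0, 0)
    return msg


# Constructed sample exchange (192.0.2.10 is a documentation address, not the real A record).
QUERY = build_message("www.dinosec.info", 0x0100 | AD | CD)                        # RD, AD, CD, DO
CLEAN_RESPONSE = build_message("www.dinosec.info", 0x8180 | AD | CD, "192.0.2.10")  # QR, RD, RA, AD, CD, DO
PROXIED_RESPONSE = strip_dnssec_flags(CLEAN_RESPONSE)                              # what the CPE hands back

if __name__ == "__main__":
    print("clean  :", dnssec_bits(CLEAN_RESPONSE), "missing:", stripped_flags(QUERY, CLEAN_RESPONSE))
    print("proxied:", dnssec_bits(PROXIED_RESPONSE), "missing:", stripped_flags(QUERY, PROXIED_RESPONSE))
```

To check a real path, capture the raw query and answer bytes (from a socket or a pcap) and hand them to `stripped_flags()`; a response that still carries the OPT RR but has DO cleared, and that drops a CD you set, is the signature shown in slides 65 to 67. Running the same pair over UDP and over TCP separates the CPE case (slide 69, UDP only) from the ISP resolver case (slide 70, both transports).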
76. Conclusions
77. Nobody Said It Was Going To Be Easy or Costless…
The DNSSEC environment does not differ from real life: there are few people on the "right side"… and many more on the "wrong side".
(Diagram labels: DNS operators, ISPs, obsolete network devices, registrars, non-RFC-compliant resolvers, security-unaware DNS domain holders, security-aware DNS zone holders & responsible resolver administrators, great admin complexity)
78. The One Who Appears to Be Bad… Turns Out to Be Good!!
And the wise people are on our side…
79. So We Know in the End…
• Good will triumph and terror will be vanquished!!!!
80. Who Do You Trust in the DNS World?
• Preferred DNS resolver for privacy reasons:
– Your ISP
– "The Quads" (large public servers)
• 8.8.8.8
– DNS cloud providers
– Small public servers
– Your own
https://twitter.com/raulsiles/status/1090003636510429185
81. Thanks!
• Implementing DNSSEC
• "Next-generation threat intelligence capabilities for red teams and purple teams, focused on defending against APTs and hybrid threats, by means of cloud-based big-data solutions of IoT sensors built on deep and machine learning, using blockchain and quantum computing." (translated from Spanish)
82. Spanish Collection of Proverbs
"Quien a DNSSEC se arrima, buena firma le cobija…" (Whoever leans on DNSSEC is sheltered by a good signature…)
"Quien sin DNSSEC se acuesta, suplantado se levanta…" (Whoever goes to bed without DNSSEC wakes up spoofed…)
83. References
84. References
• "To SEC or Not to SEC: DNS Question" – CCN-CERT, Dec 2018
– https://www.dinosec.com/en/lab.html#JornadasCCN-CERT2018
– https://www.youtube.com/watch?v=HmiK51kA1QY
• "Estudio del estado de DNSSEC en España" (Study of the state of DNSSEC in Spain) – INCIBE-CERT, Oct 2018
– https://www.incibe-cert.es/guias-y-estudios/estudios/estudio-del-estado-dnssec-espana
• "Guía de implantación y buenas prácticas de DNSSEC" (DNSSEC implementation and best-practices guide) – INCIBE-CERT, Oct 2018
– https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec
• DNS over TLS (DoT) – RFC 7858
– https://tools.ietf.org/html/rfc7858
– https://developers.cloudflare.com/1.1.1.1/dns-over-tls/
• DNS (Queries) over HTTPS (DoH) – RFC 8484
– https://tools.ietf.org/html/rfc8484
– https://developers.cloudflare.com/1.1.1.1/dns-over-https/
– https://blog.apnic.net/2018/10/12/doh-dns-over-https-explained/
• "Sunrise DNS over TLS, sunset DNSSEC?" & "DNSSEC and DNS over TLS" – APNIC blog, Aug 2018
– https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/
– https://blog.apnic.net/2018/08/20/dnssec-and-dns-over-tls/
85. www.dinosec.com @dinosec
Mónica Salas monica@dinosec.com
Raúl Siles raul@dinosec.com
86. Questions?
www.dinosec.com @dinosec
