DNS fragmentation attacks - the dangers of not validating DNSSEC

DNS!Cache!Spoofing
"Fragmentation!Considered!Poisonous"
May!2012-August!2013

©!Men!&!Mice!!http://menandmice.com!

Monday 9 December 13

1

DNS!cache!poisoning!through!
fragmentation
• A!new!attack!presented!at!IETF!87!in!Berlin!August!2013
• works!with!any!large!DNS!responses!that!might!be!fragmented!on!the!

transport!path!(large!TXT!record!sets!-!SPF!etc)

• works!especially!well!in!situations!where!DNSSEC!validation!is!partially!or!

incorrectly!deployed:

• works!on!permissive!DNSSEC!resolvers,!clients!that!"fall-back"!to!non-

DNSSEC!resolvers

• according!to!research!from!Geoff!Huston!(APNIC),!these!situations!are!

fairly!common



2

Fragmentation!attack!(1)
evil!
web-server

HTTP
request
evil!resolver

Webpage!with!that!triggers!
DNS!requests!with!large!DNS!answers

“mybank.com”
authoritative!DNS
Servers

Cache

resolving!
DNS!Server
unsuspecting
resolver

local network, behind Firewall an NAT


3

evil!
web-server

DNS!lookups!
will!be!send!to!
the!
authoritative!
DNS!Servers
evil!resolver

“mybank.com”
authoritative!DNS
Servers

Cache

resolving!
DNS!Server
DNS!lookup!
for!the!domain!
name

unsuspecting
resolver



4

evil!
web-server

Answer!with!
Fragment!part!
1
“mybank.com”
authoritative!DNS
Servers

evil!resolver

Cache

resolving!
DNS!Server
unsuspecting
resolver



5

Attacker!will!
swamp
caching!DNS!Server
with!fake!fragment!
No.!2!packets

evil!
web-server

Answer!with!
good!fragment!
part!2
“mybank.com”
authoritative!DNS
Servers

evil!resolver

Cache

resolving!
DNS!Server

Fake!response
will!be!
cached

unsuspecting
resolver



6

evil!
web-server

Client!is!
connecting!to!a!
“pharming”!
website

HTTP
request
“mybank.com”
authoritative!DNS
Servers

evil!resolver

Cache

resolving!
DNS!Server

request!for!www.mybank.com./A!RR
false!answer!from!poisoned!cache
unsuspecting
resolver



7

Fragmentation!attack
• Attackers!try!to!overwrite!or!place!a!NS!record!in!the!cache
;; ANSWER SECTION:
mybank.com.
120

IN

SPF

"v=spf1, a:192.0.2.10, 192.0.2.22 ..."

;; AUTHORITY SECTION:
mybank.com.
86400
mybank.com.
86400

IN
IN

NS
NS

ns1.mybank.com.
ns2.mybank.com.

;; ADDITIONAL SECTION:
ns1.mybank.com.
604800
ns2.mybank.com.
604800

IN
IN

A
A

large!RRset!causing!
fragmentation

192.0.2.20
192.0.2.30

high!TTL!for!
maximum!
damage

Here!is!the!
fake!data

Fragment 1

Fragment 2


8


• some!operating!systems!(Windows,!FreeBSD)!use!

sequential!Fragment-IDs
• next!Fragment!ID!to!be!used!can!be!inferred!by!the!

attacker



9

• How!to!guard!against!fragmentation!attacks:
• deploy!DNSSEC!in!a!non-permissive!mode!(full!

validation)
• deploy!IPv6!(UDP!Fragmentation!works!differently!in!

IPv6!than!in!IPv4,!the!same!fragmentation!attack!is!not!
possible!in!IPv6!networks)



10

DNSSEC!to!the!rescue!...



11

References

• IETF!87!-!DNS!Cache-Poisoning:!New!Vulnerabilities!and!

Implications,!or:!DNSSEC,!the!time!has!come!
http://www.ietf.org/proceedings/87/slides/slides-87-saag-3.pdf

• DNS-OARC!Presentation!Oct!2013:
https://indico.dns-oarc.net//getFile.py/access?contribId=18&resId=1&materialId=slides&confId=1



12

DNSSEC!validation

©!Men!&!Mice!!http://menandmice,com!


13

DNSSEC!in!DNS!Messages
00 01

0
03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
2
Q
R

Identification!(ID)
Total!Number!of!Question!Resource!Records
Total!Number!of!Authority!Resource!Records

Opcode

A
A

T R R
C D A

Z

A C
D D

RCode

Total!Number!of!Answer!Resource!Records
AD!=!Authenticated!
Data
Total!Number!of!Additional!Resource!Records

Question!Resource!Records
Answer!Resource!Records
EDNS:
!!!EDNS:!version:!0,!
!!!flags:!do;!
!!!udp:!4096

CD!=!Checking!
disabled

Authority!Resource!Records
Additional!Resource!Records



14

• DO!Flag!in!EDNS!pseudo!record:!DNSSEC!OK
• this!client!can!handle!DNSSEC!records
• in!addition,!each!client!signaling!“DNSSEC!OK”!also!

signals!that!it!can!handle!UDP!DNS!responses!larger!
512!byte



15

• AD!Flag:
• a!validating!resolver!signaling!to!the!client
• that!it!has!successfully!validated!the!DNSSEC!data
• invalid!DNSSEC!data!will!not!be!send!to!a!

downstream!resolver!(client),!instead!the!resolver!will!
send!a!SERVFAIL!error!condition


16

• CD!Flag:
• an!Application!can!signal!to!the!resolving!DNS!Server!

that!it!will!validate!the!DNSSEC!information
• the!resolving!DNS!Server!does!not!need!to!validate!

itself,!but!is!free!to!do!so



17

dig ripe.net +dnssec
AD!flag:!
; <<>> DiG 9.7.1-P2 <<>> ripe.net +dnssec
secure!
;; global options: +cmd
answer
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62183
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;ripe.net.

IN
A

EDNS0!
information!
including!the!DO!
flag

;; ANSWER SECTION:
ripe.net.
172800
ripe.net.
172800

IN
IN

A
193.0.6.139
RRSIG A 5 2 172800 20101108100147 20101009090147 42006 ripe.net. Jzyeu9MUjNbk[...]5eY=

;; AUTHORITY SECTION:
ripe.net.
172800
ripe.net.
172800
ripe.net.
172800
ripe.net.
172800
ripe.net.
172800

IN
IN
IN
IN
IN

NS
sns-pb.isc.org.
NS
sunic.sunet.se.
NS
ns-pri.ripe.net.
NS
ns3.nic.fr.
RRSIG NS 5 2 172800 20101108100147 20101009090147 42006 ripe.net. I7+d5+U3683o[...]r4U=

;; ADDITIONAL SECTION:
ns-pri.ripe.net. 172800

IN
IN
IN
IN

A
193.0.0.195
AAAA 2001:610:240:0:53::3
RRSIG A 5 3 172800 20101108100147 20101009090147 42006 ripe.net. VVZ[...]jwg=
RRSIG AAAA 5 3 172800 20101108100147 20101009090147 42006 ripe.net. UP/t1m[...]k3k=

;;
;;
;;
;;

Query time: 454 msec
SERVER: 192.0.2.10#53(192.0.2.10)
WHEN: Sat Oct 9 22:39:45 2010
MSG SIZE rcvd: 870



18

DNSSEC!capable!DNS!
resolver!/!caching!server
• BIND!9!(starting!with!BIND!9.6-ESV):!
http://www.isc.org

• unbound:!

http://unbound.net

• PowerDNS!recursor:!
http://www.powerdns.com

• Windows!2012!DNS:!

http://technet.microsoft.com/en-us/library/hh831667.aspx



19

http://dnssec-or-not.org



20

http://dnssectest.sidn.nl



21

dnssec-tools.org

•A!collection!of!useful!tools!for!DNSSEC!deployment

(!http://dnssec-tools.org!)

• DNSSEC-check!-!tests!if!local!DNSSEC!resolver!are!

DNSSEC!enbled



22

DNSSEC-check



23

DNSSEC!validation!in!WebBrowser
• DNSSEC!Add-On!for!Firefox

Google!Chrome!and!
Microsoft!Internet!Explorer
(http://www.dnssec-validator.cz/)!
• go!to!
http://www.root-dnssec.org!

or!http://www.ripe.net
and!you!should!see!a!nice!green!key!icon!in!the!URL!bar!
telling!you!that!this!DNS!information!was!DNSSEC!validated.


24

DNSSEC!validation!in!Windows!
2012



25

DNSSEC!validation!in!
Microsoft!DNS!Server!2012
• The!DNS!Server!in!Windows!2012!now!supports!all!bits!

and!pieces!necessary!to!validate!DNSSEC!signatures!and!
keys!in!the!Internet!(including!SHA256!and!NSEC3).
• Windows!2008!only!supports!SHA1!and!NSEC,!and!was!

not!able!to!validate!the!Internet!root!zone



26

DNSSEC!validation
• DNSSEC!validation!can!be!

enabled!in!the!DNS!Servers!
global!properties!
(Advanced!-!enable!DNSSEC!
validation!for!remote!
responses)



27

enabling!DNSSEC!using!
'dnscmd'
• it!is!possible!to!enable!DNSSEC!validation!from!the!commandline!

using!the!command!

dnscmd /RetrieveRootTrustAnchors
• This!command!will!first!fetch!the!delegation!signer!(DS-record)!using!

https!from!IANA!(https://data.iana.org/root-anchors/root-anchors.xml).!

• The!server!will!then!fetch!the!public!key!signing!key!from!the!root!

zone!during!an!active!refresh!cycle!
(RFC 5011)!and!validate!the!KSK!using!the!delegation!signer!record.


28

enabling!DNSSEC!using!
'dnscmd'



29

A!DNSSEC!validating!caching!
only!configuration!for!BIND!9



30

DNSSEC!validation!with!
BIND!9
• build-in!support!for!DNSSEC!validation!in!BIND!9!DNS!server:
• BIND!9.6!-!no!build-in!trust-anchor,!no!support!for!RFC!5011
• BIND!9.7!-!support!for!RFC!5011!(automatic!update!of!trust-anchors)
• BIND!9.8!-!includes!build-in!trust-anchor!for!the!Internet!Root-Zone,!

but!validation!is!disabled!by!default
• BIND!9.9!-!build-in!trust-anchor!for!the!Internet!Root-Zone,!

DNSSEC!validation!enabled!by!default


31

getting!the!root-anchor
•for!BIND!9,!the!public!KSK!of!the!root!zone!is!used!as!

the!root-anchor

• the!DNSKEY!record!can!be!retrieved!using!dig:
dig . dnskey @a.root-servers.net. +norec | grep 257 > root.key

dig
command

we!want!the!
DNSKEY!
record
"."!is!the!
domain!name!
of!the!root!
zone

we!only!want!
the!KSK!
(Flag!257)
we!send!the!
query!to!one!
of!the!root!
servers

we!write!the!
result!in!this!
file

we!send!an!
iterative!query!
(polite)



32

Verifying!the!root!zones!key
•We!should!never!blindly!trust!cryptographic!keys!

published!on!websites!or!slides

• nor!should!we!trust!a!DNSKEY!fetched!from!an!insecure!

channel!(plain!DNS)
•we!need!to!verify!the!key!material
• IANA!published!the!DS!(delegation!signer!fingerprint)!on!an!

HTTPS!secured!website



33

http://data.iana.org/root-anchors/

root!DS!
fingerprint



34

Verifying!the!root!zone!key
• we!use!the!command!"dnssec-dsfromkey"!to!create!a!SHA256!

hash-fingeprint!from!the!downloaded!root-zone!DNSKEY
dnssec-dsfromkey -2 root.key
. IN DS 19036 8 2 (
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32
F24E8FB5 )

• if!we!compare!the!computed!hash!with!the!one!from!the!

website,!they!both!match

• the!downloaded!DNSKEY!record!is!valid


35

DNSSEC!setup!(BIND!9.6-ESV)
• In!BIND!9.6-ESV,!we!configure!a!static!trust!anchor!using!the!

"trusted-keys"!statement!in!the!"named.conf"!file:

trusted-keys {
"." 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};



36

DNSSEC!setup!(BIND!9.7.0+)
• Starting!with!BIND!9.7.0,!the!trusted!keys!can!be!automated!

updated!by!RFC!5011!(RFC!5011!-!Automated!Updates!of!DNS!
Security!(DNSSEC)!Trust!Anchors)
managed-keys {
"." initial-key 257 3 8
"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
};



37

general!setup
options {
recursion yes;
allow-recursion { mynetworks; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
querylog no;
recursive-clients 2000;
tcp-clients 200;
max-cache-size 2147483648; // 2GB
};



38

DNSSEC!maintenance!with!BIND!9!
“rndc”
•rndc!secroots:!dump!information!about!the!current!

active!DNSSEC!trust!anchors!into!the!file!
“named.secroots”.!

KEY!ID!19036:
current!KSK!of!
the!root!zone

bash-3.2# rndc secroots
bash-3.2# more named.secroots
22-Nov-2013 07:48:31.775
.

Start view _default
./RSASHA256/19036 ; managed
root!zone!trust!
anchor!key!ID

trust!anchor!will!be!
updated!according!to!
RFC!5011

168851 IN DNSKEY 257 3 8 (
AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
) ; KSK; alg = RSASHA256; key id = 19036


39

BIND!9!controlling!DNSSEC!validation
•validation!on:!enable!DNSSEC!validation!on!a!caching!

BIND!9!DNS!Server!(globally):!
bash# rndc validation on

•validation!off:!disable!DNSSEC!validation!on!a!caching!

BIND!9!DNS!Server

bash# rndc validation off



40

References
• Deploying!DNSSEC!(whitepaper!by!SurfNet):

http://www.surf.nl/en/knowledge-and-innovation/knowledge-base/2012/white-paper-deploying-dnssec.html

• A!BIND!9!configuration!template!for!a!validating,!caching-

only!DNS!Server:
https://otrs.menandmice.com/otrs/public.pl?Action=PublicFAQZoom;ItemID=98;

• Free!BIND!9.9.4!installation!packages!for!Linux,!MacOS!X,!

Solaris:

http://support.menandmice.com/download/bind/

• Windows!2012!Server:!Enabling!DNSSEC!validation:

http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation



41

Thank!you!
E-Mail:
training@menandmice.com


42

DNS fragmentation attacks - the dangers of not validating DNSSEC

Recommended

Recommended

More Related Content

Similar to DNS fragmentation attacks - the dangers of not validating DNSSEC

Similar to DNS fragmentation attacks - the dangers of not validating DNSSEC (20)

More from Men and Mice

More from Men and Mice (20)

Recently uploaded

Recently uploaded (20)

DNS fragmentation attacks - the dangers of not validating DNSSEC