2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Hype Potter and the Chamber of DNSSECrets
www.dinosec.com
@dinosec
Raúl Siles, Founder & Senior Security Analyst, raul@dinosec.com
Mónica Salas, Founder & Security Analyst, monica@dinosec.com
March 29, 2019
About Us
Raúl Siles, raul@dinosec.com
Mónica Salas, monica@dinosec.com
DiNoSEC
2019
RootedCON 10th Anniversary (X Aniversario RootedCON)
Outline
• DNSSEC zone signing
– DNSSEC: Authenticity and integrity
– Stats from the “.es” zone
– ICANN and DNSpionage
– DNS flag day
• DNSSEC practical zone signing
– Four DNSSEC cases
• DNSSEC validation
– DNSSEC bits (or flags)
• DNSSEC responses
– The last mile…
• Conclusions
DNSSEC Zone Signing
DNS Authenticity & Integrity Security Threats
[Diagram: DNS spoofing (MitM attacks) and DNS cache poisoning against the DNS resolver, with the security properties at stake labelled as INTEGRITY and AUTHENTICITY]
'To SEC or not to SEC: DNS question': https://youtu.be/HmiK51kA1QY
Where Did We Leave Off Last Year?
DNSSEC is the solution for DNS spoofing and DNS cache poisoning attacks
[Diagram: chain of trust DNS ZONE → DNS parent ZONE → DNS RESOLVER, anchored on the “.” KSK (public key)]
Harry Potter - Hogwarts Admission Letter
Integrity !! Authenticity?
Why should Harry trust his Hogwarts admission letter?
Harry Potter – Rubeus Hagrid
The Trust Anchor
2.75 meters tall, 400 kilograms in weight
Anyone not convinced??
DNSSEC Roles Taxonomy
[2x2 matrix: “I use DNSSEC in my authoritative server” (NO / YES) against “I use a DNSSEC-capable resolver” (YES / NO)]
And we convinced everybody…
DNSSEC for ccTLD “.es” / DNSSEC validation from Spain
[Charts, Dec 2014 to Feb 2019: “TOTAL “.es” DOMAINS with DNSSEC” (y-axis 0 to 25,000) and “TOTAL “.es” DOMAINS” (y-axis 1,750,000 to 1,950,000); chart labels: 1.022% and 0.948%]
…or NOT?
+1,361 (+7.8%) SIGNED DOMAINS (from Nov 2019)
31% VALIDATION INCREMENT (DEC 2018 → MAR 2019)
https://stats.labs.apnic.net/dnssec
Thanks to: José Eleuterio López (Red.es)
Yes, We Did It… But It Was Not Only You…!
ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet
LOS ANGELES – 22 February 2019 – The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems…
https://www.icann.org/news/announcement-2019-02-22-en
7.8 % / 31 %
Not really, it was not us convincing ICANN… :)
DNSpionage
• “A Deep Dive on the Recent Widespread DNS Hijacking Attacks”, Krebs on Security, February 18, 2019.
• Attacks hijacked the DNS infrastructure of a registrar which also operates one of the 13 “root” name servers (Netnod)
• Access to administrative DNS resources with the goal of capturing credentials for other services via unauthorized changes to registries
• Attackers gained control of the registrar’s administrative systems…
– Netnod, PCH…
• But DNSSEC became the unexpected ally…
https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
[Diagram; labels recovered from the slide, in the numbered order shown (“.tld” stands for the TLD, x.x.x.x for the attacker-controlled IP):]
(1) Registrar DNS: NS (.netnod) for .netnod.tld.; DS (.netnod) published in .tld, DS (.tld) published in “.” (DNSSEC chain)
(2) DISABLE DNSSEC for .netnod.tld.
(3) COMODO: get a new certificate for (evil) mail.netnod.tld.
(4) ENABLE DNSSEC for .netnod.tld.
(5) Registrar DNS: mail.netnod.tld IP is the evil IP x.x.x.x
(6)/(7) Netnod employees → DNSSEC-capable DNS recursive resolver (DoT / DoH) → A (mail) .netnod
Result: No mail… & no credentials stealing!!
DNSpionage Conclusions
• DNSSEC is not enough…
– Secure the administration of DNS zones (registries and registrars): 2FA
– DNS zone transfer operations are not secured through DNSSEC
• TSIG (Transaction SIGnature protocol - RFC 3645) is used to authenticate both endpoints of a DNS operation and add integrity
• EPP (Extensible Provisioning Protocol - RFC 5730)
– Originally designed for allocating objects from registrars to registries over the Internet, with the goal of preventing DNS hijacking
• Can be layered over multiple transport protocols
• Provides session management through “<login>” (client identifier and plain text password)
• Session persists until a “<logout>” is sent
• “.es” supports EPP through HTTPS
February 1st, 2019: DNS Flag Day
• Slow DNS infrastructure performance due to systems non-compliant with the original DNS RFC 1035 (1987)
• DNS authoritative server requirements:
– Avoid implementations or firewalls that drop DNS packets with EDNS extensions (1999)
• DNS resolver: major open source DNS vendors released updates to stop accommodating non-standard responses (Bind, Knot, PowerDNS, Unbound)
https://dnsflagday.net
DNS Flag Day
[Diagram of the resolution path. Private side: DNS client (stub resolver) → DNS resolver (DNS recursive server) / DNS forwarder → DNS (authoritative) server. Public side: DNS authoritative servers: root DNS server, gTLD or ccTLD DNS server, zone DNS server (Root → TLD → Zone).]
DNSSEC Practical Zone Signing
Signing a DNS Zone - Multiple Examples

Case | Zone         | Registrar / Operator | Signing time (DS) | DNSSEC Algorithm                                  | DNSKEYs          | DS Addition
-----|--------------|----------------------|-------------------|---------------------------------------------------|------------------|------------
1    | raulsil.es   | A/A (Spain)          | 8 hours           | Established by registrar: RSASHA1-NSEC3-SHA1 (7)  | ZSK + KSK        | Not tried
2    | dinosec.info | B/B (World Wide)     | 15 mins           | Established by registrar: ECDSA-P256/SHA256 (13)  | KSK              | Not tried
3    | siles.info   | B/B → B/C (Cloud)    | 15 mins           | Established by registrar: ECDSA-P256/SHA256 (13)  | KSK → ZSK + KSK  | Very easy
4    | dinosec.es   | D/D (Spain/WW)       | -                 | NO WAY!                                           | -                | NO WAY!

• Activation process:
– Simple: one button
– Timing: a few minutes (5-15 mins) or hours (e.g. 8-12 hours)
– Impossible
• Lack of customization or detailed DNSSEC parameters or options
ICANN Encourages Complaining…
Complain to ICANN: https://forms.icann.org/en/resources/compliance/complaints/registrars/standards-complaint-form
DNSSEC support required by ICANN for registrars with all available DS algorithm types (2014): 2013 RAA (Registrar Accreditation Agreement)
https://www.icann.org/resources/pages/support-dnssec-ipv6-2014-01-29-en
https://www.icann.org/registrar-reports/accredited-list.html
Supported DNSSEC Signing Algorithms (RFC 6944)
https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec
DNSSEC Records and Signatures
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net www.raulsil.es +dnssec
…
www.raulsil.es. 3600 IN A 87.98.231.5
www.raulsil.es. 3600 IN RRSIG A 7 2 3600 20190319175117 20190217175117 33299 www.raulsil.es. 00I5xmLgMuxaaH/AX6y/KCNAE7x+iNUYcEa9hLIdnfj3KSKyeMa/puU9zqL81xjR5uI0DwIWjMBfUU1Egm8Wyx047jPQ+ANP2Ssdf7NwTpsVI9VOZrEMRmcxpjxil1birMQm/M8ZJmgi+poZRnNwvTxCC7bjewmd56cSXyzJfAY=
Fields highlighted on the slide (RRSIG RDATA order per RFC 4034): algorithm used (7), signature validity period with its expiration date (20190319175117) and start date (20190217175117), and key ID (33299).
Enabling DNSSEC (1/2)
REGISTRAR “A”
REGISTRAR “B”
Enabling DNSSEC (2/2)
REGISTRAR “C”
DNSKEYs: 3 DNS Operators, 3 Signing Models
[Operator A: ZSK (256) + KSK (257), algorithm 7]
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY raulsil.es
raulsil.es. 2835 IN DNSKEY 256 3 7 AwEAAeBQ29zEisimlv+ybOPYCTin4hrl1pCBDtz6nVFO/r2BY1Y7LAnuX3doSBZi9Z6OliMJ5NWqhvNUoUi1n3U4ghxGRf5i1P5qWfNZ5gLuwT2M5Yd4NoOAZnKlmdkGGLrqEiw45riNdB+/MbQwYozGr6tBE/4Kx1+M/UWkNnEi2HdZ
raulsil.es. 2835 IN DNSKEY 257 3 7 AwEAAaX0kus7MxJGgo5zuTmflEPH2dJkgDGbvepfG8tBH8y8gw036eTBbJDPf9DoOBdV2MMRa9QLptpwHQtYssKtZooIFZxHv70UeQSKmSyz/1OCoUJXI5ahm7VU0AqfPcWC4B568gLv3LR7O47Syh+AJXvWUEE/uvK+chgEHqIE9j7v
[Operator B: single KSK (257), algorithm 13]
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY dinosec.info
;; ANSWER SECTION:
dinosec.info. 3601 IN DNSKEY 257 3 13 Ei8CWVmqMGXW/fpfihKoJl7xF70RZLhp3FspO0DGycb49sBZocMJMcixB6dx+WbvwPZak7QY78ytOjnkHdB22g==
[Operator B (first key) and Operator C (ZSK + KSK), algorithm 13]
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info
siles.info. 3601 IN DNSKEY 257 3 13 h6RG7m0QEsIlpvpFpPNS+mlSOirDS+NQC41S/yG0wFd1WAT/mc2zEDtT8lJCC9aHgy6i8Bj01+cFwBQ05ke2IA==
siles.info. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
siles.info. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
DS Records
[TLD: the “.es” ZSK that signs the DS records below]
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY es +dnssec +multiline
es. 65022 IN DNSKEY 256 3 8 (
AwEAAbdNeJQOckpcbVVTEHgKmHogfgezh6s6OrwZ
m6uMgzC9KhrqAwIX6PDfd2MDflwSlmfRPsVm/dq5
BzzbXQFZINCb2fzCer9S1e9gQiRX6/L/xDGH9gYP
rfU3eA1xB3RPgcfNRcvzAeAd3z3yylSBmWco2oHN
QWNLQqGs6jpI27cZ
) ; ZSK, RSASHA256 (1024b), id = 489
[A: raulsil.es, DS with digest type 2 (SHA-256), signed by the “.es” key id 489]
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS raulsil.es +dnssec
raulsil.es. 43200 IN DS 34464 7 2 97880FA96BCF744FAC85F073FFBCA679F053393C834F7837F44D1BD0A0A9C686
raulsil.es. 86400 IN RRSIG DS 8 2 86400 20190329081541 20190315005946 489 es. qIYoNmkznp9gg53PNvoVkfGB3ytG+zFNAvrZVGDPvoc/Tx8z9D/3xWaK/p5l+yAbSB25UzPRlMXQ3TdmEzCUDAJz5LYTy2Ly66xEsGjFi9yUGai4okSrIJdty6atlKpe78Qy6MGubKPUewDMOd7jhfKlIl2mP/UE8VZfbmp1tno=
[B: dinosec.info, DS with digest type 1 (SHA-1), signed by the “.info” key id 24332]
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS dinosec.info +dnssec
dinosec.info. 86170. IN DS 16285 13 1 74FFB23176C36384D454A5CB87E78D228094667E
dinosec.info. 86170. IN RRSIG DS 7 2 86400 20190407153004 20190317143004 24332 info. foiwm18puMTPY610HxluGehc20ES1iClXToh7GzVGyO4EjzP5wmHhvgPLeD9fb0xcyi0QxX14Zc64fgSt9cqSw6eAwsQtgjAN4Djdz/nLMwp50T7cnQ1JHjpjxai5PdJqJ6j7069BVg46wWFlSsNyhsICTgXsJo0ljnofr5mKz8=
Case 3: “siles.info” DNS Operator Transfer (1/2)
• Domain registered and operated by B
• Zone operation transferred from operator B to operator C
– Zone registration was not transferable initially from B to C, since a minimum of 60 days is needed before a domain transfer request can be undertaken by a new registrar
– DNSSEC was previously enabled in B with just a KSK and ECDSA P256/SHA256
– DNSSEC was enabled in C with KSK and ZSK and ECDSA P256/SHA256
Case 3: “siles.info” DNS Operator Transfer (2/2)
Steps performed by the zone owner at the DNS providers’ management consoles
Registrar / Operator B:
0) B is registrar and operator for the zone
3) NS servers pointed to C’s: it takes hours for the change to be applied
4) DNSSEC disabled by B: DS(zone) removed from the TLD
5) Zone owner manually adds the DS record generated by C
6) B transfers the DS record to the TLD (.info)
Operator C:
1) Zone operation requested by the owner
2) NS provided by C
3) Owner requests enabling DNSSEC for the zone
4) C signs the zone: since C knows the zone registrar is a third party, C provides the DS record for the zone
DNSSEC zone is now signed and operational again at C
Case 3: siles.info (Steps 4 & 5)
[Screenshots: DS generation at C, where Hash(KSK) = DS and the KSK carries the SEP flag; DS addition at B]
CDS and CDNSKEY: Simplifying DS Updates
• RFC 8078 (March 2017)
• KSK renewal through standard DNS mechanisms
• New DS (and/or new DNSKEY) records are added to the child zone upon KSK renewal
• The parent zone learns of the child zone’s KSK renewal intention through:
– Polling: the parent zone polls child zones periodically
– Pushing: the child zone notifies the parent zone of CDS/CDNSKEY availability
• Pros:
– KSK renewal independent of registrars
• Cons:
– Not “de facto” standards yet & not mandatory (yet)
Case 3: DNSSEC Records After Transfer to C
[Labels on the slide: B, TLD, C]
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec
siles.info. 43200 IN DS 2371 13 2 4101DF3DCCE5291E11C450BBEBB16009378A11D0CF20C4B2E8842273025DC305
siles.info. 85653 IN RRSIG DS 7 2 86400 20190415152146 20190325142146 24332 info. cSM+n8J6gy0A5q5RgU7hdifJEtU1ZPsfPx89lEH1GCZ3EG7Wkymx3drkdGJ5uBEzXJfwue8CG0fQveSvVL3MheC/jz85KCCwXwyHtCmdJHjXcPrwFKyHWHNsSznLcn0zugeAYWJwxN0DDOmHmM15+rBbvdNZ8Q3b535c7PtdDes=
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info +dnssec +multiline
siles.info. 2949 IN DNSKEY 256 3 13 (
oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
) ; ZSK, ECDSAP256SHA256 (256b), id = 34505
siles.info. 2949 IN DNSKEY 257 3 13 (
mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
) ; KSK, ECDSAP256SHA256 (256b), id = 2371
siles.info. 2949 IN RRSIG DNSKEY 13 2 3600 20190409082227 (
20190208082227 2371 siles.info.
3QjU1QlBeQrhsJssRUJ3cBojHPon1hXJ80GT79gHYR3fMXLAE6f8vjLgTKBHb7PIyXvCU2LqgwqPYYbJHlJvog==)
[Label on the slide: C]
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec
siles.info. 43115 IN DS 53189 13 1 419700DF0777F6839E2E368A1BAEF9044E8B30B7
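The DS generation step of Case 3 (“Hash(KSK) = DS”, steps 4 & 5) and the records shown above can be checked offline: a DS is the key tag of the child DNSKEY plus a hash over the owner name and the DNSKEY RDATA (RFC 4034, sections 5.1.4 and Appendix B). The following Python is an added example written for this page, not code from the talk or from dnssecchef; the function names are mine, and the only inputs are the siles.info KSK and the DS published in .info, copied from the slides.

```python
import base64
import hashlib
import struct


def wire_name(name):
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercase, length-prefixed labels, zero byte."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA as on the wire (RFC 4034 s2.1): flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B): 16-bit sum over the RDATA, high byte first, with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


# DS digest types (RFC 4034 / RFC 4509 / RFC 6605): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_from_dnskey(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """DS record (key tag, algorithm, digest type, digest) the parent zone should publish for this DNSKEY.
    digest = Hash(owner name in wire format || DNSKEY RDATA)  (RFC 4034 s5.1.4)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_matches(owner, dnskey_fields, ds_fields):
    """True when the DS published at the parent really is the hash of this child DNSKEY
    (this is the check a validating resolver performs to step from parent to child)."""
    tag, alg, dtype, digest = ds_from_dnskey(owner, *dnskey_fields, digest_type=ds_fields[2])
    return (tag, alg, dtype, digest) == (ds_fields[0], ds_fields[1], ds_fields[2], ds_fields[3].upper())


# KSK of siles.info as shown on the slide: flags 257 (ZONE + SEP), protocol 3, algorithm 13 (ECDSAP256SHA256).
SILES_KSK = (257, 3, 13,
             "mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
# DS record for siles.info published in .info, as shown on the slide (key tag 2371, alg 13, SHA-256).
SILES_DS = (2371, 13, 2, "4101DF3DCCE5291E11C450BBEBB16009378A11D0CF20C4B2E8842273025DC305")

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey("siles.info", *SILES_KSK)
    print(f"siles.info. IN DS {tag} {alg} {dtype} {digest}")
    print("DS at .info matches the KSK served by C:", ds_matches("siles.info", SILES_KSK, SILES_DS))
```

The key tag returned for the KSK is the same number kdig prints as `id = 2371` and that appears as the first DS field; the digest equals the 64 hex characters in the DS at .info. Running the same function against a DS obtained from the parent is how to confirm, after a DNS operator transfer like Case 3, that the registrar really pushed the DS for the new operator’s KSK and not a stale one.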
Tracking The Trust Chain (https://dnsviz.net)
dinosec.info
siles.info
Root Zone TLD Database
• Very interesting information through the “curl” command
– The root zone file: http://www.internic.net/domain/root.zone
– All NS in the root zone:
curl -s http://www.internic.net/domain/root.zone | awk '$4 == "NS" { print $1 " " $4 $5 }' | uniq -c
– All DS in the root zone:
curl -s http://www.internic.net/domain/root.zone | awk '$4 == "DS" { print $1 " " $6 }' | uniq -c
Signing Algorithms Comparison

Algorithm            | Number of TLDs
---------------------|---------------
5 (RSA/SHA-1)        | 163
7 (RSA/SHA1-NSEC3)   | 551
8 (RSA/SHA-256)      | 2206
10 (RSA/SHA-512)     | 37
13 (ECC P-256)       | 6

• DNSSEC key types
– RSA: larger key length needed - longer signatures
• (5) RSA/SHA1 - not recommended (weak)
• (7) RSASHA1-NSEC3-SHA1 - if NSEC3 is required to avoid zone enumeration
• (8) RSA/SHA-256
– ECC: not currently supported by all TLDs - small signatures and robust
• (13) ECDSA Curve P-256 / SHA-256
• (14) ECDSA Curve P-384 / SHA-384

TLDs using ECC       | ccTLD
---------------------|------
Brazil               | .br
Switzerland          | .ch
Czech Republic       | .cz
Liechtenstein        | .li
Moldova              | .ld
Niue (*New Zealand)  | .nu

TLDs using ECC over time: 0 in May ’18, 1 in July ’18, 2 in Dec ’18, 6 in Mar ’19
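The per-algorithm counts above come from the DS records in the root zone, which the awk one-liners on the previous slide print. The Python below is an added example (not the authors’ tooling) that does the same aggregation offline and also lists delegated TLDs with no DS at all; the root-zone lines embedded in it are constructed samples in the file’s layout, with placeholder key tags and digests rather than the real records.

```python
from collections import defaultdict

# Constructed sample in the layout of http://www.internic.net/domain/root.zone
# (owner, TTL, class, type, RDATA). Key tags and digests are placeholders, not real values.
SAMPLE_ROOT_ZONE = """\
; constructed excerpt for demonstration
br.            172800  IN  NS  a.dns.br.
br.            86400   IN  DS  11111 13 2 AAAA0000
br.            86400   IN  DS  11111 13 4 BBBB0000
ch.            172800  IN  NS  a.nic.ch.
ch.            86400   IN  DS  22222 13 2 CCCC0000
com.           172800  IN  NS  a.gtld-servers.net.
com.           86400   IN  DS  33333 8 2 DDDD0000
es.            172800  IN  NS  a.nic.es.
es.            86400   IN  DS  44444 8 2 EEEE0000
es.            86400   IN  DS  55555 8 2 FFFF0000
unsigned-tld.  172800  IN  NS  ns.unsigned-tld.
"""

ECC_ALGORITHMS = {13, 14}   # ECDSAP256SHA256, ECDSAP384SHA384


def parse_root_zone(text):
    """Yield (owner, rtype, rdata_fields) per record line; comments and blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        yield fields[0].rstrip(".").lower(), fields[3], fields[4:]


def ds_algorithms_by_tld(text):
    """TLD -> set of DS algorithm numbers in the root (a TLD may publish several DS records)."""
    algs = defaultdict(set)
    for tld, rtype, rdata in parse_root_zone(text):
        if rtype == "DS":
            algs[tld].add(int(rdata[1]))   # DS RDATA: key tag, algorithm, digest type, digest
    return dict(algs)


def tlds_per_algorithm(text):
    """Algorithm number -> number of TLDs using it; each TLD is counted once per algorithm,
    so two DS digests for the same key (as for 'br.' above) do not inflate the count."""
    counts = defaultdict(int)
    for algs in ds_algorithms_by_tld(text).values():
        for a in algs:
            counts[a] += 1
    return dict(sorted(counts.items()))


def ecc_tlds(text):
    """TLDs signed with an elliptic-curve algorithm."""
    return sorted(t for t, algs in ds_algorithms_by_tld(text).items() if algs & ECC_ALGORITHMS)


def unsigned_tlds(text):
    """TLDs delegated with NS records but without any DS: no chain of trust from the root."""
    delegated = {t for t, r, _ in parse_root_zone(text) if r == "NS"}
    return sorted(delegated - set(ds_algorithms_by_tld(text)))


if __name__ == "__main__":
    print("TLDs per algorithm:", tlds_per_algorithm(SAMPLE_ROOT_ZONE))
    print("ECC TLDs:", ecc_tlds(SAMPLE_ROOT_ZONE))
    print("Unsigned TLDs:", unsigned_tlds(SAMPLE_ROOT_ZONE))
```

Feeding the real file (`curl -s http://www.internic.net/domain/root.zone`) into these functions reproduces the table, and `unsigned_tlds` is the list a zone owner needs before choosing a TLD for a DNSSEC-signed domain: under an unsigned TLD there is nowhere to publish the DS.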
DANE: DNSSEC Beyond DNS
• Most TLS-based services rely on an external CA
• Problem: if that CA gets compromised and a new certificate is generated for a domain, all the services will be in danger
• DNSSEC key signing scheme advantages:
– The key is associated to a domain (not to an entity identified by a chain of characters)
– The keys are signed by the zone owner and the zone parent (not a single point of failure)
• The trust anchor is defined on the resolver’s side for a single domain (“.”), not for hundreds of distinct CAs
DANE: RFC 7673
DNS-Based Authentication of Named Entities
• TLS certificates stored and signed within a specific DNS domain server
– Minimum privilege: if keys are compromised, only services under that DNS hierarchy will be in danger
– Certificates are tied to domain names through DNSSEC trust relationships
• New DNS records to link TLS certificates with the domain
– TLSA (Transport Layer Security Authentication)
• Upon connection establishment, a TLS certificate is requested at the same time a DNSSEC query is launched to check that the received certificate matches the received TLSA record
TLSA owner name format: _port._protocol.domain
_443._tcp.www.zone1.com (HTTPS)
_25._tcp.mail.zone1.com (SMTPS)
DNSSEC Validation
DNSSEC Bits (or Flags)
DNSSEC Bits (or Flags): Acronyms
DO, CD, AD → DOCDAD → “DOC DAD”
[Graphic: DNS → DNSSEC, 2019]
DNSSEC Bits (or Flags): Traffic
• Wireshark
DNSSEC Bits (or Flags): Meaning
• DO: DNSSEC OK
– “I do support DNSSEC, so I want to receive the DNSSEC records…” (RRSIGs)
– https://tools.ietf.org/html/rfc4035#section-3.2.1
• CD: Checking Disabled
– “Do not take care of validating the response through DNSSEC, as I will validate it… Simply, send me the DNSSEC records.”
– https://tools.ietf.org/html/rfc4035#section-3.2.2
• AD: Authentic Data (or “Validated Data”)
– “All DNS records in this response are authentic, as I have already validated them…”
– https://tools.ietf.org/html/rfc4035#section-3.2.3
The DO bit in DNSSEC
• DO: “DNSSEC OK”
– The resolver requests the DNSSEC records to be included in the response
– If the DO bit is not set in the request, the DNSSEC records must be removed from the response
• Unless explicitly requested
https://tools.ietf.org/html/rfc3225#section-3
https://tools.ietf.org/html/rfc4035#section-3.2.1
The CD bit in DNSSEC
• CD: Checking Disabled
– The resolver can disable the DNSSEC validation (RRSIGs) in its own upstream “DNS server” (another resolver)
– The CD bit in the query is reflected back in the response
– The CD bit in the query is reflected in the associated upstream queries (recursive DNS resolution)
– As a result, the response includes the non-validated DNSSEC records (to be validated locally)
– Flexibility to establish who will validate the records and the criteria to apply (different time references, security islands, etc.)
https://tools.ietf.org/html/rfc4035#section-3.2.2
The AD bit in DNSSEC
• AD: Authentic (or Authenticated) Data
– All the DNS records (RRSets) included in the Answer and Authority sections of the response are authentic (from the DNSSEC perspective)
– If so, set the AD bit in the response
– They have been validated by an upstream DNS resolver
– Originally the AD bit was not set in requests, but…
https://tools.ietf.org/html/rfc4035#section-3.2.3
Managing the DNSSEC bits: DO, CD & AD (1/2)
• RFC 4035: Protocol Modifications for the DNS Security Extensions
– DO bit set in requests, to indicate the availability of DNSSEC support
– CD bit set in requests between DNS clients and recursive servers
• Who will take care of validating the responses?
– The DO and CD bits are reflected back in the DNS responses based on their value in the associated DNS requests
– AD bit set in responses between DNS clients and recursive servers
• Is the response data (DNS records) authentic?
• AD bit removed from requests: https://tools.ietf.org/html/rfc4035#section-4.6
– But later, in RFC 3655 and RFC 6840…
https://tools.ietf.org/html/rfc4035
Managing the DNSSEC bits: DO, CD & AD (2/2)
• RFC 6840: Clarifications and Implementation Notes for DNS Security (DNSSEC)
– DO bit must be ignored by DNS recursive servers in responses
– AD bit set in requests to indicate interest in receiving the AD bit set in the associated response (meaning, “I want you to validate the response”)
• In addition to the DO bit already indicating DNSSEC support
– “The AD bit MUST only be set if DNSSEC records have been requested via the DO bit…”
• RFC 3655: Redefinition of DNS Authenticated Data (AD) bit
– https://tools.ietf.org/html/rfc3655
– E.g. Bind 9.11.x does not set the AD bit in the requests (still following the previous RFC 4035)
https://tools.ietf.org/html/rfc6840
DNSSEC Responses
DNSSEC Responses
• Valid (or correct) response
– RCODE 0 (No Error: NOERROR)
• DNSSEC validation error (by the resolver)
– RCODE 2 (Server Failure: SERVFAIL)
• dig: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
• Domain does not exist
– RCODE 3 (Non-eXistent Domain: NXDOMAIN)
• The DNS server refuses to answer the request
– RCODE 5 (Refused: REFUSED)
DNS Flags section: Reply Code (RCODE) - 4 bits
DNSSEC is backwards compatible with DNS: both worlds running simultaneously…
Imagine you are already convinced and we all have deployed DNSSEC…
April 1st, 2018
CPE (Customer Premises Equipment)
Testing 1.1.1.1 (or one.one.one.one) with the Local DNS Resolver…
What about DNSSEC?
Connecting to 1.1.1.1 through HTTP(S) you get the CPE (router) admin web interface, but it can resolve all DNS queries properly…
Local Web and DNS Server at 1.1.1.1
$ nmap -sS -sU -p 53 -n --reason -A 1.1.1.1
Starting Nmap 7.60 ( https://nmap.org )...
Nmap scan report for 1.1.1.1
Host is up, received echo-reply ttl 63 (0.0019s latency).
PORT   STATE SERVICE REASON               VERSION
53/tcp open  domain  syn-ack ttl 63       dnsmasq 2.78
53/udp open  domain  udp-response ttl 63  dnsmasq 2.78
| dns-nsid:
|_  bind.version: dnsmasq-2.78
|_dns-recursion: Recursion appears to be enabled
...
Aggressive OS guesses: Linux 2.6.32 - 3.0 (96%), ...
Network Distance: 2 hops
TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   1.28 ms  172.16.8.1
2   2.62 ms  1.1.1.1
$
1.0.0.0/8 Conflicts
• Trying to reach 1.1.1.1
– https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/
– https://community.cloudflare.com/t/have-problems-with-1-1-1-1-read-me-first/15902
• The 1.0.0.0/8 range was assigned to APNIC in 2010
– Previously it was not assigned, but that didn’t mean it was available (or reserved) for private usage (RFC 1918)
• https://seclists.org/nanog/2010/Jan/776
• Multiple CPEs are using that IP address internally…
• Multiple ISPs are using that IP address in their internal network…
• Testing DNS Resolution in Spanish ISPs…
– Thanks to some collaborators, we could test the DNS resolution for a few Spanish ISPs…: Thanks RootedCON, Román, José, Pedro, Jorge…!!!!
Using Other DNS Public Resolvers with DNSSEC Support
• Can you find the differences? :)
$ dig @8.8.8.8 +dnssec www.isoc.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48091
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.isoc.org. IN A
;; ANSWER SECTION:
www.isoc.org. 9985 IN A 212.110.167.157
www.isoc.org. 9985 IN RRSIG A 7 3 86400 20180723085001 20180709085001 36614 isoc.org. BkflOYwNc6SOfTIs+miL2gxfYADI9JAf... pytdHBTQEzYs=
;; Query time: 1833 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 10 10:08:40 CEST 2018
;; MSG SIZE rcvd: 225

$ dig @8.8.8.8 +dnssec www.isoc.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31624
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.isoc.org. IN A
;; ANSWER SECTION:
www.isoc.org. 13790 IN A 212.110.167.157
;; Query time: 92 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jul 06 20:14:33 CEST 2018
;; MSG SIZE rcvd: 57
www.example.com (& .org)
Basic Mode
• No DNS settings
Expert Mode (1/2)
• Internet
– DNS & DDNS:
• DNS Seguro (Secure DNS)
– OFF (“…because I want you to intercept all my traffic”)
Expert Mode (2/2)
• You cannot change the DNS servers!!
• You can only see them… if you’re lucky :)
Getting Admin Mode and Researching
Admin Mode (1/2)
• Internet
– DNS & DDNS:
• EDNS0
– OFF
• Secure DNS
– OFF
No significant changes
Admin Mode (2/2)
• Settings
– LAN – IPv4:
• DNS Proxy
– ON (setting not available in Expert Mode)
No significant changes
CPE Internals (SSH)
• Who is Disabling DNSSEC: CPE or ISP or …?
• References to 1.1.1.1 or 1.0.0.1?
# ps
630 admin 1412 S /usr/sbin/dnsmasq -u admin
# ifconfig -a
br0 Link encap:Ethernet HWaddr 00:01:02:03:04:05
inet addr:192.168.1.1 Bcast:192.168.1.255...
br0:0 Link encap:Ethernet HWaddr 00:01:02:03:04:05
inet addr:1.1.1.1 Bcast:1.255.255.255...
# iptables -t nat -L
... (no DNS or special IP addresses references)
Who is Disabling DNSSEC: CPE or ISP? (1/3)
Request:
Who is Disabling DNSSEC: CPE or ISP? (2/3)
Response:
Who is Disabling DNSSEC: CPE or ISP? (3/3)
• They are compatible with EDNS0
• They are selectively removing all DNSSEC flags!!!!
• Let’s call it “Client-side DNSSEC Flag Day”!!!!
– Selectively removing DNSSEC support from the client side!
– If the AD or DO flags are set in the query, they are removed from the response :(
– If the CD flag is set in the query, it is removed from the response too, breaking RFC 4035 :)
• When using the CPE DNS resolvers (or 1.1.1.1)
• Same scenario if the ISP transparently intercepts all DNS traffic
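The three bits discussed in the “DNSSEC Bits (or Flags)” slides live in two different places of a DNS message (AD and CD in the header, DO in the TTL field of the EDNS0 OPT pseudo-record), and the “Client-side DNSSEC Flag Day” finding above is exactly a mismatch between what was set in the query and what came back. The following Python is an added example written for this page (not code from the talk or from dnssecchef): it builds a query the way a DNSSEC-aware stub would, builds a minimal answer for it, and reports which requested bits the path stripped. All packets are constructed in the code; the names used for the query, the answer IP from the 203.0.113.0/24 documentation range, and the function names are mine.

```python
import struct

# Header flag bits (RFC 1035 / RFC 4035) and the EDNS0 "DNSSEC OK" bit in the OPT TTL field (RFC 3225).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
DO = 0x8000
TYPE_A, TYPE_OPT = 1, 41


def wire_name(name):
    """DNS wire format of a name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _skip_name(msg, off):
    """Offset just past a (possibly compressed) name that starts at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=TYPE_A, do=True, cd=False, ad=False, qid=0x1234):
    """Query as sent by a DNSSEC-aware stub: CD/AD in the header, DO in the OPT RR (EDNS0, 4096 bytes)."""
    flags = RD | (CD if cd else 0) | (AD if ad else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1)
    question = wire_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO if do else 0, 0)
    return header + question + opt


def build_response(query, ip, ad=True, do=True, reflect_cd=True):
    """Minimal A answer to `query` (RRSIGs omitted; only the bits matter here). An RFC 4035
    resolver echoes DO and CD and sets AD after validating; the switches let us construct
    the stripped responses observed on the slides without any real network traffic."""
    qid, qflags = struct.unpack("!HH", query[:4])
    question = query[12:_skip_name(query, 12) + 4]
    flags = QR | RD | RA | (AD if ad else 0) | ((qflags & CD) if reflect_cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + bytes(int(o) for o in ip.split("."))
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO if do else 0, 0)
    return header + question + answer + opt


def dnssec_flags(msg):
    """AD, CD and RCODE from the header plus DO from the OPT RR, for a query or a response."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4           # QNAME, QTYPE, QCLASS
    do = False
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _rclass, rttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            do = bool(rttl & DO)                 # OPT TTL = ext-rcode(8) | version(8) | DO | Z(15)
        off += 10 + rdlen
    return {"do": do, "cd": bool(flags & CD), "ad": bool(flags & AD), "rcode": flags & 0xF}


def stripped_flags(query, response):
    """DNSSEC bits set in the query that came back cleared. DO and CD must be echoed (RFC 4035),
    so their loss points at a meddling proxy; a missing AD is only conclusive for a zone the
    resolver is known to validate, because unsigned zones never get AD."""
    q, r = dnssec_flags(query), dnssec_flags(response)
    return [bit for bit in ("do", "cd", "ad") if q[bit] and not r[bit]]


if __name__ == "__main__":
    q = build_query("www.dinosec.info", do=True, cd=True, ad=True)
    honest = build_response(q, "203.0.113.10")                                   # constructed, RFC-compliant
    meddled = build_response(q, "203.0.113.10", ad=False, do=False, reflect_cd=False)  # constructed, bits stripped
    print("honest path  stripped:", stripped_flags(q, honest))
    print("meddled path stripped:", stripped_flags(q, meddled))
```

Pointing `dnssec_flags` at the bytes of a real exchange (the payloads of the request and response screenshots shown two slides earlier, exported from Wireshark) gives the same verdict as comparing the `flags:` lines of dig by hand, and the function is small enough to drop into a periodic check that alerts when DO or CD stop coming back from a given resolver.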
Client-Side DNSSEC Flag Day
[Diagram of the resolution path. Private side: DNS client (stub resolver) → DNS resolver (DNS recursive server) / DNS forwarder → DNS (authoritative) server. Public side: DNS authoritative servers: root DNS server, gTLD or ccTLD DNS server, zone DNS server (Root → TLD → Zone).]
Final Conclusions (1/2)
• “Secure DNS” enables a single iptables rule for DNS traffic
• How to bypass it client-side and be able to use DNSSEC, at least with the public DNS resolvers (e.g. Quads)?
– Use TCP (look at the iptables rule) :)… or DoH or DoT
– The traffic goes via TCP to the public DNS resolver
# iptables -t nat -L
...
DNAT udp -- 192.168.1.0/24 !www.evil.isp udp dpt:domain to:192.168.1.1:53
$ dig -t A www.dinosec.info +dnssec @9.9.9.9 +tcp
DNSSEC response :)
Final Conclusions (2/2)
• This UDP vs TCP difference does not apply to the ISP DNS resolvers (e.g. when “Secure DNS” is turned off)
– They remove the DNSSEC flags for both UDP and TCP
• The only solution, if the transparent DNS proxies are not in the middle, is to force all clients to use a custom DNS resolver (public or private, different from the CPE)
– If the transparent DNS proxies are in the middle…
$ dig -t A www.dinosec.info +dnssec +tcp
No DNSSEC response :(
Wright’s Principle
"Security won't get better until tools for
practical exploration of the attack
surface are made available."
– Joshua Wright, 2011
Tool
dnssecchef
• DNS/DNSSEC proxy tool by DinoSec (Python)
– Fake DNS/DNSSEC responses (file or command line options)
– TCP and UDP support
• Based on dnschef (v0.3): https://github.com/iphelix/dnschef/
– Peter Kacherginsky (iPhelix)
• Requires dnslib v0.9.10+: https://bitbucket.org/paulc/dnslib/
– Paul Chakravarti
– Added support for DNSSEC flag getters/setters in v0.9.9
• Use it as a direct DNS server or as a transparent DNS proxy
DNSSEC Manipulation
[Diagram: same DNS resolution path as before. Public side: DNS authoritative servers (Root DNS server, gTLD or ccTLD DNS server, Zone DNS server) and DNS forwarder. Private side: DNS (authoritative) server, DNS resolver (DNS recursive server) and DNS client (stub resolver). Resolution chain: Root, TLD, Zone.]
dnssecchef Options
• Multiple DNSSEC related options…
$ sudo ./dnssecchef --nodnssec
[dnssecchef ASCII banner] version 0.5
(c) 2019 DinoSec
monica@dinosec.com & raul@dinosec.com
[*] DNSSECChef started on interface: 127.0.0.1
[*] Using the following nameservers: 8.8.8.8
[>] Disabling DNSSEC support completely...
[*] No parameters were specified. Running in full proxy mode
[*] DNSSECChef is running in both UDP and TCP modes (default)
[*] ...
By default, no DNSSEC changes (standard).
--dnssec: Enable DNSSEC flags manipulation.
--nodnssec: Disable DNSSEC support.
--file=dnssecchef.ini: Fake DNS responses.
https://github.com/dinosec/dnssecchef
Conclusions
Nobody Said It Was Going To Be Easy or Costless…
The DNSSEC environment does not differ from real life:
There are few people on the “right side”… and many more on the “wrong side”
[Diagram: on the “wrong side”: DNS operators, ISPs, registrars, obsolete network devices, non-RFC compliant resolvers, security unaware DNS domain holders and great admin complexity. On the “right side”: security aware DNS zone holders and responsible resolver administrators.]
The One That Appears to Be Bad…
Turns out to be good!!
And the wise people are on our side…
So We Know in the End…
• Good will triumph and terror will be vanquished!!!!
Who Do You Trust in the DNS World?
• Preferred DNS resolver for
privacy reasons:
– Your ISP
– “The Quads” (large public servers)
• 8.8.8.8
• DNS Cloud providers
– Small public servers
– Your own
https://twitter.com/raulsiles/status/1090003636510429185
Thanks!
• Implementing DNSSEC
• “Next-generation threat intelligence capabilities for red
teams and purple teams, focused on defending against APTs and
hybrid threats, through big-data solutions of cloud-based IoT
sensors built on deep and machine learning, using blockchain
and quantum computing.”
Spanish Collection of Proverbs
“He who leans on DNSSEC is sheltered by a good signature…”
(“Quien a DNSSEC se arrima, buena firma le cobija…”)
“He who goes to bed without DNSSEC wakes up spoofed…”
(“Quien sin DNSSEC se acuesta, suplantado se levanta…”)
References
• “To SEC or Not to SEC: DNS Question” – CCN-CERT. Dec 2018
– https://www.dinosec.com/en/lab.html#JornadasCCN-CERT2018
– https://www.youtube.com/watch?v=HmiK51kA1QY
• Estudio del estado de DNSSEC en España – Oct 2018
– https://www.incibe-cert.es/guias-y-estudios/estudios/estudio-del-estado-dnssec-espana
• Guía de implantación y buenas prácticas de DNSSEC – Oct 2018
– https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec
• DNS over TLS (DoT) – RFC7858
– https://tools.ietf.org/html/rfc7858
– https://developers.cloudflare.com/1.1.1.1/dns-over-tls/
• DNS (Queries) over HTTPS (DoH) – RFC8484
– https://tools.ietf.org/html/rfc8484
– https://developers.cloudflare.com/1.1.1.1/dns-over-https/
– https://blog.apnic.net/2018/10/12/doh-dns-over-https-explained/
• "Sunrise DNS over TLS, sunset DNSSEC?" & "DNSSEC and DNS over TLS" (Aug 2018)
– https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/
– https://blog.apnic.net/2018/08/20/dnssec-and-dns-over-tls/
www.dinosec.com
@dinosec
Mónica Salas
monica@dinosec.com
Raúl Siles
raul@dinosec.com
Questions?
www.dinosec.com
@dinosec
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Monica Salas & Raul Siles - Hype Potter and the Chamber of DNSSECrets [rooted2019]

  • 1. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com
    Hype Potter and the Chamber of DNSSECrets
    www.dinosec.com / @dinosec
    Raúl Siles, Founder & Senior Security Analyst, raul@dinosec.com
    Mónica Salas, Founder & Security Analyst, monica@dinosec.com
    March 29, 2019
  • 2. About Us: Raúl Siles (raul@dinosec.com), Mónica Salas (monica@dinosec.com)
  • 3. DiNoSEC 2019: RootedCON 10th anniversary
  • 4. Outline
    – DNSSEC zone signing: DNSSEC: authenticity and integrity; stats from the “.es” zone; ICANN and DNSpionage; DNS flag day
    – DNSSEC practical zone signing: four DNSSEC cases
    – DNSSEC validation: DNSSEC bits (or flags)
    – DNSSEC responses: the last mile…
    – Conclusions
  • 5. DNSSEC Zone Signing
  • 6. DNS Authenticity & Integrity Security Threats: DNS spoofing (MitM attacks) and DNS cache poisoning against the DNS resolver (diagram labels: INTEGRITY, AUTHENTICITY). 'To SEC or not to SEC: DNS question': https://youtu.be/HmiK51kA1QY
  • 7. Where Did We Leave Off Last Year? DNSSEC is the solution for DNS spoofing and DNS cache poisoning attacks (diagram: DNS zone, DNS parent zone, DNS resolver; “.” KSK (public key) at the resolver)
  • 8. Harry Potter – Hogwarts Admission Letter: Integrity!! Authenticity? Why should Harry trust his Hogwarts admission letter?
  • 9. Harry Potter – Rubeus Hagrid, The Trust Anchor: 2.75 metres tall, 400 kilograms. Anyone not convinced??
  • 10. DNSSEC Roles Taxonomy: a 2x2 matrix of “I use DNSSEC in my authoritative server” (NO / YES) against “I use a DNSSEC-capable resolver” (NO / YES). And we convinced everybody…
  • 11. DNSSEC for ccTLD “.es” (two charts, Dec 2014 to Feb 2019, source: https://stats.labs.apnic.net/dnssec): “DNSSEC validation from Spain” (y-axis 0 to 25,000) and “TOTAL ‘.es’ DOMAINS” (y-axis 1,750,000 to 1,950,000). Callouts: “.es” domains with DNSSEC… or NOT? 0.948% → 1.022%; +1,361 signed domains (+7.8%) (from Nov 2019); 31% validation increment, Dec 2018 → Mar 2019. Thanks to: José Eleuterio López (Red.es)
  • 12. Yes, We Did It… But It Was Not Only You…! (callouts: 7.8%, 31%) “ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet. LOS ANGELES – 22 February 2019 – The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems…” https://www.icann.org/news/announcement-2019-02-22-en. Not really, it was not us convincing ICANN… :)
  • 13. DNSpionage
    – “A Deep Dive on the Recent Widespread DNS Hijacking Attacks”, Krebs on Security, February 18, 2019: https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
    – Attacks hijacked the DNS infrastructure of a registrar which also operates one of the 13 “root” name servers (Netnod)
    – Access to administrative DNS resources with the goal of capturing credentials for other services via unauthorized changes to registries
    – Attackers gained control of the registrar’s administrative systems… (Netnod, PCH…)
    – But DNSSEC became the unexpected ally…
  • 14. DNSpionage attack flow (diagram; DNSSEC chain “.” → DS (.tld) → .tld → DS (.netnod) → .netnod; resolver side labelled DNSSEC, DoT, DoH): (1) the registrar DNS holds the NS records for .netnod; (2) DNSSEC is DISABLED for .netnod.tld.; (3) a new certificate for (evil) mail.netnod.tld. is obtained from COMODO; (4) DNSSEC is ENABLED again for .netnod.tld.; (5) mail.netnod.tld now resolves to the evil IP x.x.x.x; (6)–(7) Netnod employees query A (mail) .netnod through a DNSSEC-capable DNS recursive resolver: no mail… & no credentials stealing!!
  • 15. DNSpionage Conclusions
    – DNSSEC is not enough…
      • Secure the administration of DNS zones (registries and registrars): 2FA
      • DNS zone transfer operations are not secured through DNSSEC
    – TSIG (Transaction SIGnature protocol - RFC 3645) is used to authenticate both end-points of a DNS operation and add integrity
    – EPP (Extensible Provisioning Protocol - RFC 5730): originally designed for allocating objects from registrars to registries over the Internet with the goal to prevent DNS hijacking
      • Can be layered over multiple transport protocols
      • Provides session management through “<login>” (client identifier and plain-text password)
      • Session persists until a “<logout>” is sent
      • “.es” supports EPP through HTTPS
  • 16. February 1st, 2019: DNS Flag Day (https://dnsflagday.net)
    – Slow DNS infrastructure performance due to systems non-compliant with the original DNS RFC 1035 (1987)
    – DNS authoritative server requirements: avoid implementations or firewalls that drop DNS packets with EDNS extensions (1999)
    – DNS resolvers: the major open source DNS vendors released updates to stop accommodating non-standard responses (BIND, Knot, PowerDNS, Unbound)
  • 17. DNS Flag Day (diagram of the DNS resolution components): [public] DNS authoritative servers – root DNS server, gTLD or ccTLD DNS server, zone DNS server (Root → TLD → Zone); DNS forwarder; [private] DNS (authoritative) server; DNS resolver (DNS recursive server); DNS client (stub resolver)
  • 18. DNSSEC Practical Zone Signing
  • 19. Signing a DNS Zone – Multiple Examples (table: Zone | Registrar / Operator | Signing time (DS) | DNSSEC algorithm | DNSKEYs | DS addition)
    1) raulsil.es | A/A (Spain) | 8 hours, established by registrar | RSASHA1-NSEC3-SHA1 (7) | ZSK + KSK | Not tried
    2) dinosec.info | B/B (World Wide) | 15 mins, established by registrar | ECDSA-P256/SHA256 (13) | KSK | Not tried
    3) siles.info | B/B → B/C (Cloud) | 15 mins, established by registrar | ECDSA-P256/SHA256 (13) | KSK → ZSK + KSK | Very easy
    4) dinosec.es | D/D (Spain/WW) | - | NO WAY! | - | NO WAY!
    – Activation process: simple (one button); timing: a few minutes (5-15 mins) or hours (e.g. 8-12 hours); impossible; lack of customization or detailed DNSSEC parameters or options
  • 20. ICANN Encourages Complaining… Complain to ICANN: https://forms.icann.org/en/resources/compliance/complaints/registrars/standards-complaint-form. DNSSEC support has been required by ICANN for registrars, with all available DS algorithm types, since 2014 (2013 RAA, Registrar Accreditation Agreement): https://www.icann.org/resources/pages/support-dnssec-ipv6-2014-01-29-en, https://www.icann.org/registrar-reports/accredited-list.html
  • 21. Supported DNSSEC Signing Algorithms (RFC 6944) (table from https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec)
  • 22. DNSSEC Records and Signatures
    $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net www.raulsil.es +dnssec
    …
    www.raulsil.es. 3600 IN A 87.98.231.5
    www.raulsil.es. 3600 IN RRSIG A 7 2 3600 20190319175117 20190217175117 33299 www.raulsil.es. 00I5xmLgMuxaaH/AX6y/KCNAE7x+iNUYcEa9hLIdnfj3KSKyeMa/puU9zqL81x jR5uI0DwIWjMBfUU1Egm8Wyx047jPQ+ANP2Ssdf7NwTpsVI9VOZrEMRmcxpjxi l1birMQm/M8ZJmgi+poZRnNwvTxCC7bjewmd56cSXyzJfAY=
    Callouts: signature validity period (start date & expiration date), algorithm used, key ID
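The RRSIG above carries the three values the callouts point at: the validity window (expiration and inception timestamps, in that order), the algorithm number and the key tag of the signing DNSKEY. The parser below is an added example, not code from the deck: it reads the record in the presentation format kdig prints (joining the wrapped base64 signature), maps the algorithm number to its name for the algorithms the deck mentions, and reports whether the signature is inside its window on a given day, which is the check a validating resolver applies before anything else and the usual reason a zone that was signed once and never re-signed starts returning SERVFAIL.

```python
"""Parse an RRSIG record and check its validity window.

Added example, not code from the RootedCON deck: it takes the RRSIG printed
on slide 22 as sample input.  Field order follows RFC 4034 section 3.2.
"""
import datetime as dt
from dataclasses import dataclass

# DNSSEC algorithm numbers (IANA registry) used in the deck.
ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
}

UTC = dt.timezone.utc


@dataclass(frozen=True)
class Rrsig:
    owner: str
    ttl: int
    type_covered: str
    algorithm: int
    labels: int
    original_ttl: int
    expiration: dt.datetime
    inception: dt.datetime
    key_tag: int
    signer: str
    signature_b64: str


def _rrsig_time(value: str) -> dt.datetime:
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC."""
    return dt.datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def parse_rrsig(line: str) -> Rrsig:
    """Parse one RRSIG in presentation (dig/kdig) format.

    Terminal output wraps the base64 signature over several lines, so every
    field after the signer name is re-joined into one base64 string.
    """
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return Rrsig(
        owner=f[0],
        ttl=int(f[1]),
        type_covered=f[4],
        algorithm=int(f[5]),
        labels=int(f[6]),
        original_ttl=int(f[7]),
        expiration=_rrsig_time(f[8]),
        inception=_rrsig_time(f[9]),
        key_tag=int(f[10]),
        signer=f[11],
        signature_b64="".join(f[12:]),
    )


def signature_status(sig: Rrsig, now: dt.datetime) -> str:
    """'valid', 'expired' or 'not yet valid' at time `now`.

    A validating resolver treats a signature outside its window as bogus
    (RFC 4035 section 5.3.1) and answers SERVFAIL.
    """
    if now < sig.inception:
        return "not yet valid"
    if now > sig.expiration:
        return "expired"
    return "valid"


def status_on(line: str, iso_day: str) -> str:
    """Status of an RRSIG line at midnight UTC of the given YYYY-MM-DD day."""
    day = dt.datetime.strptime(iso_day, "%Y-%m-%d").replace(tzinfo=UTC)
    return signature_status(parse_rrsig(line), day)


def describe(line: str) -> dict:
    """The three callouts of slide 22: validity period, algorithm and key ID."""
    sig = parse_rrsig(line)
    return {
        "type_covered": sig.type_covered,
        "algorithm": ALGORITHMS.get(sig.algorithm, "unassigned(%d)" % sig.algorithm),
        "key_tag": sig.key_tag,
        "signer": sig.signer,
        "window_days": (sig.expiration - sig.inception).days,
    }


# RRSIG over the A record of www.raulsil.es, copied from slide 22.
SLIDE_22_RRSIG = (
    "www.raulsil.es. 3600 IN RRSIG A 7 2 3600 20190319175117 20190217175117 "
    "33299 www.raulsil.es. 00I5xmLgMuxaaH/AX6y/KCNAE7x+iNUYcEa9hLIdnfj3KSKyeMa/puU9zqL81x "
    "jR5uI0DwIWjMBfUU1Egm8Wyx047jPQ+ANP2Ssdf7NwTpsVI9VOZrEMRmcxpjxi "
    "l1birMQm/M8ZJmgi+poZRnNwvTxCC7bjewmd56cSXyzJfAY="
)

if __name__ == "__main__":
    for key, value in describe(SLIDE_22_RRSIG).items():
        print("%-13s %s" % (key, value))
    for day in ("2019-02-01", "2019-03-01", "2019-03-29"):
        print(day, status_on(SLIDE_22_RRSIG, day))
```

Run stand-alone it prints the 30-day window of the slide's signature and its status on three dates; note that the signature shown expired on 2019-03-19, ten days before the talk, so by then the zone must have been re-signed with a fresh RRSIG for validation to keep succeeding.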
  • 23. Enabling DNSSEC (1/2): console screenshots of REGISTRAR “A” and REGISTRAR “B”
  • 24. Enabling DNSSEC (2/2): console screenshot of REGISTRAR “C”
  • 25. DNSKEYs: 3 DNS Operators, 3 Signing Models
    $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY raulsil.es
    raulsil.es. 2835 IN DNSKEY 256 3 7 AwEAAeBQ29zEisimlv+ybOPYCTin4hrl1pCBDtz6nVFO/r2BY1Y7LAnuX3doSBZi9Z6OliMJ5NWqhvNUoUi1n3U4g hxGRf5i1P5qWfNZ5gLuwT2M5Yd4NoOAZnKlmdkGGLrqEiw45riNdB+/MbQwYozGr6tBE/4Kx1+M/UWkNnEi2HdZ
    raulsil.es. 2835 IN DNSKEY 257 3 7 AwEAAaX0kus7MxJGgo5zuTmflEPH2dJkgDGbvepfG8tBH8y8gw036eTBbJDPf9DoOBdV2MMRa9QLptpwHQtYssKtZ ooIFZxHv70UeQSKmSyz/1OCoUJXI5ahm7VU0AqfPcWC4B568gLv3LR7O47Syh+AJXvWUEE/uvK+chgEHqIE9j7v
    $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY dinosec.info
    ;; ANSWER SECTION:
    dinosec.info. 3601 IN DNSKEY 257 3 13 Ei8CWVmqMGXW/fpfihKoJl7xF70RZLhp3FspO0DGycb49sBZocMJMcixB6dx+WbvwPZak7QY78ytOjnkHdB22g==
    $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info
    siles.info. 3601 IN DNSKEY 257 3 13 h6RG7m0QEsIlpvpFpPNS+mlSOirDS+NQC41S/yG0wFd1WAT/mc2zEDtT8lJCC9aHgy6i8Bj01+cFwBQ05ke2IA==
    siles.info. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
    siles.info. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
    Operator labels: raulsil.es keys → A (ZSK + KSK); dinosec.info key → B (KSK only); siles.info first KSK → B, ZSK + KSK → C
  • 26. DS Records
    $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY es +dnssec +multiline
    es. 65022 IN DNSKEY 256 3 8 ( AwEAAbdNeJQOckpcbVVTEHgKmHogfgezh6s6OrwZ m6uMgzC9KhrqAwIX6PDfd2MDflwSlmfRPsVm/dq5 BzzbXQFZINCb2fzCer9S1e9gQiRX6/L/xDGH9gYP rfU3eA1xB3RPgcfNRcvzAeAd3z3yylSBmWco2oHN QWNLQqGs6jpI27cZ ) ; ZSK, RSASHA256 (1024b), id = 489
    $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS raulsil.es +dnssec
    raulsil.es. 43200 IN DS 34464 7 2 97880FA96BCF744FAC85F073FFBCA679F053393C834F7837F44D1BD0A0A9C686
    raulsil.es. 86400 IN RRSIG DS 8 2 86400 20190329081541 20190315005946 489 es. qIYoNmkznp9gg53PNvoVkfGB3ytG+zFNAvrZVGDPvoc/Tx8z9D/3xWaK/p5l+yAbSB25UzPRlMXQ3TdmEzCUDAJz5LYTy 2Ly66xEsGjFi9yUGai4okSrIJdty6atlKpe78Qy6MGubKPUewDMOd7jhfKlIl2mP/UE8VZfbmp1tno=
    $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS dinosec.info +dnssec
    dinosec.info. 86170. IN DS 16285 13 1 74FFB23176C36384D454A5CB87E78D228094667E
    dinosec.info. 86170. IN RRSIG DS 7 2 86400 20190407153004 20190317143004 24332 info. foiwm18puMTPY610HxluGehc20ES1iClXToh7GzVGyO4EjzP5wmHhvgPLeD9fb0xcyi0QxX14Zc64fgSt9cqSw6eAwsQt gjAN4Djdz/nLMwp50T7cnQ1JHjpjxai5PdJqJ6j7069BVg46wWFlSsNyhsICTgXsJo0ljnofr5mKz8=
    Labels: es DNSKEY → TLD; raulsil.es DS → A; dinosec.info DS → B
  • 27. Case 3: “siles.info” DNS Operator Transfer (1/2)
    – Domain registered and operated by B
    – Zone operation transferred from operator B to operator C
      • Zone registration was not transferable initially from B to C, since a minimum of 60 days is needed before a domain transfer request can be undertaken by a new registrar
      • DNSSEC was previously enabled in B with just a KSK and ECDSA P256/SHA256
      • DNSSEC was enabled in C with KSK and ZSK and ECDSA P256/SHA256
  • 28. Case 3: “siles.info” DNS Operator Transfer (2/2) – steps performed by the zone owner at the DNS provider’s management console
    Registrar / Operator B:
      0) B is registrar and operator for the zone
      1) Zone operation requested by owner
      2) NS provided by C
      3) NS servers pointed to C’s: it takes hours for the change to be applied
      4) DNSSEC disabled by B: DS(zone) removed from TLD
    Operator C:
      3) Owner requests enabling DNSSEC for the zone
      4) C signs the zone: since C knows the zone registrar is a third party, C provides the DS record for the zone
      5) Zone owner manually adds the DS record generated by C
      6) B transfers the DS record to the TLD (.info)
    The DNSSEC zone is now signed and operational again at C
  • 29. Case 3: siles.info (Steps 4 & 5): DS generation at C, DS addition at B (screenshots). Hash(KSK) = DS; the KSK carries the SEP flag
  • 30. CDS and CDNSKEY: Simplifying DS Updates
    – RFC 8078 (March 2017)
    – KSK renewal through standard DNS mechanisms
    – New DS (and/or new DNSKEY) records are added to the child zone upon KSK renewal
    – The parent zone learns of the child zone’s KSK renewal intention through:
      • Polling: the parent zone polls child zones periodically
      • Pushing: the child zone notifies the parent zone of CDS/CDNSKEY availability
    – Pros: KSK renewal independent of registrars
    – Cons: not “de facto” standards yet & not mandatory (yet)
  • 31. Case 3: DNSSEC Records After Transfer to C
    $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec
    siles.info. 43200 IN DS 2371 13 2 4101DF3DCCE5291E11C450BBEBB16009378A11D0CF20C4B2E8842273025DC305
    siles.info. 85653 IN RRSIG DS 7 2 86400 20190415152146 20190325142146 24332 info. cSM+n8J6gy0A5q5RgU7hdifJEtU1ZPsfPx89lEH1GCZ3EG7Wkymx3drkdGJ5uBEzXJfwue8CG0fQveSvVL3MheC/jz8 5KCCwXwyHtCmdJHjXcPrwFKyHWHNsSznLcn0zugeAYWJwxN0DDOmHmM15+rBbvdNZ8Q3b535c7PtdDes=
    $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info +dnssec +multiline
    siles.info. 2949 IN DNSKEY 256 3 13 ( oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA== ) ; ZSK, ECDSAP256SHA256 (256b), id = 34505
    siles.info. 2949 IN DNSKEY 257 3 13 ( mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== ) ; KSK, ECDSAP256SHA256 (256b), id = 2371
    siles.info. 2949 IN RRSIG DNSKEY 13 2 3600 20190409082227 ( 20190208082227 2371 siles.info. 3QjU1QlBeQrhsJssRUJ3cBojHPon1hXJ80GT79gHYR3fMXLAE6f8vjLgTKBHb7PIyXvCU2LqgwqPYYbJHlJvog==)
    Labels: B, TLD, C. The DS with key tag 2371 (published by the TLD) matches C’s KSK (id = 2371).
    $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec
    siles.info. 43115 IN DS 53189 13 1 419700DF0777F6839E2E368A1BAEF9044E8B30B7
    The DS with key tag 53189 (digest type 1) corresponds to neither of C’s keys (ids 34505 and 2371)
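Slides 25, 26, 29 and 31 show the pieces of the chain in the child and parent zones: DNSKEY flags 256 (ZSK) and 257 (KSK, SEP bit set), the key tag that kdig prints as "id", and the DS record that is Hash(KSK). The following is an added example (not the deck's code nor any registrar's): it parses a DNSKEY, computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4, digest over the canonical owner name followed by the DNSKEY RDATA), and checks whether a DS typed into a registrar console really covers a given key, which is the step-5 check of the siles.info transfer. The two siles.info keys are copied from slide 31, where kdig reports id = 2371 for the KSK and the TLD publishes DS 2371 13 2 for it, so those are the reference values to compare the output against; `TOY_KSK` and `example.test.` are constructed and are not real key material.

```python
"""Key tag and DS computation from a DNSKEY record.

Added example (not the deck's or any registrar's code).  Key tag: RFC 4034
Appendix B.  DS digest: RFC 4034 section 5.1.4.  The siles.info keys are
copied from slide 31; the 'toy' key is constructed and not a real P-256 key.
"""
import base64
import hashlib
from dataclasses import dataclass

ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1: set on every DNSSEC zone key
SEP_FLAG = 0x0001       # Secure Entry Point: 257 = KSK, 256 = ZSK
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root byte."""
    if name.strip(".") == "":
        return b"\x00"
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class Dnskey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def parse(cls, line: str) -> "Dnskey":
        """Parse 'owner ttl IN DNSKEY flags proto alg <base64...>' (wrapped base64 accepted)."""
        f = line.split()
        if len(f) < 8 or f[2] != "IN" or f[3] != "DNSKEY":
            raise ValueError("not a DNSKEY record: %r" % line)
        return cls(f[0], int(f[4]), int(f[5]), int(f[6]), base64.b64decode("".join(f[7:])))

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def role(self) -> str:
        if not self.flags & ZONE_KEY_FLAG:
            return "not a zone key"
        return "KSK" if self.flags & SEP_FLAG else "ZSK"

    def key_tag(self) -> int:
        """RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded back in."""
        if self.algorithm == 1:  # RSA/MD5 used a different rule and is obsolete
            raise ValueError("algorithm 1 not supported")
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def ds(self, digest_type: int = 2) -> str:
        """DS record (presentation format) the parent should publish for this key."""
        h = DS_DIGESTS[digest_type]()
        h.update(wire_name(self.owner))
        h.update(self.rdata())
        return "%s IN DS %d %d %d %s" % (
            self.owner, self.key_tag(), self.algorithm, digest_type, h.hexdigest().upper())


def ds_matches(key: Dnskey, ds_line: str) -> bool:
    """Does a published DS (parent side) really cover this DNSKEY (child side)?

    This is the check behind steps 4 and 5 of the siles.info transfer: the DS
    entered at registrar B must reproduce from operator C's KSK.
    """
    f = ds_line.split()
    if "DS" not in f:
        raise ValueError("not a DS record: %r" % ds_line)
    i = f.index("DS")
    tag, alg, dtype = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    digest = "".join(f[i + 4:]).upper()
    if dtype not in DS_DIGESTS or alg != key.algorithm or tag != key.key_tag():
        return False
    return key.ds(dtype).split()[-1] == digest


# DNSKEYs of siles.info after the transfer to operator C, copied from slide 31.
SILES_KSK = ("siles.info. 2949 IN DNSKEY 257 3 13 "
             "mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==")
SILES_ZSK = ("siles.info. 2949 IN DNSKEY 256 3 13 "
             "oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==")
# Constructed toy key (4-byte 'public key', not valid ECDSA material) whose tag is easy to check by hand.
TOY_KSK = Dnskey("example.test.", 257, 3, 13, b"\x00\x01\x00\x01")

if __name__ == "__main__":
    for line in (SILES_KSK, SILES_ZSK):
        k = Dnskey.parse(line)
        print(k.role(), "key tag", k.key_tag(), "algorithm", k.algorithm)
    print(Dnskey.parse(SILES_KSK).ds(2))  # compare with the DS record shown on slide 31
```

The digest covers the owner name as well as the key, so the same KSK produces a different DS under a different zone name; that is why a DS cannot be copied between zones and why `ds_matches` recomputes it from scratch instead of comparing key tags alone (key tags are not unique).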
  • 32. Tracking the Trust Chain (https://dnsviz.net): DNSViz graphs for dinosec.info and siles.info
  • 33. Root Zone TLD Database (http://www.internic.net/domain/root.zone): very interesting information through the “curl” command
    – All NS in the root zone: curl -s http://www.internic.net/domain/root.zone | awk '$4 == "NS" { print $1 " " $4 $5 }' | uniq -c
    – All DS in the root zone: curl -s http://www.internic.net/domain/root.zone | awk '$4 == "DS" { print $1 " " $6 }' | uniq -c
  • 34. Signing Algorithms Comparison
    Algorithm | Number of TLDs
    5 (RSA/SHA-1) | 163
    7 (RSA/SHA1-NSEC3) | 551
    8 (RSA/SHA-256) | 2206
    10 (RSA/SHA-512) | 37
    13 (ECC P-256) | 6
    – DNSSEC key types
      • RSA: larger key length needed, longer signatures
        (5) RSA/SHA1 - not recommended (weak)
        (7) RSASHA1-NSEC3-SHA1 - if NSEC3 is required to avoid zone enumeration
        (8) RSA/SHA-256
      • ECC: not currently supported by all TLDs; small signatures and robust
        (13) ECDSA Curve P-256 / SHA-256
        (14) ECDSA Curve P-384 / SHA-384
    – TLDs using ECC (ccTLD): Brazil .br, Switzerland .ch, Czech Republic .cz, Liechtenstein .li, Moldova .ld, Niue (*New Zealand) .nu. Count: 0 in May ’18, 1 in July ’18, 2 in Dec ’18, 6 in Mar ’19
  • 35. 35 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DANE: DNSSEC Beyond DNS • Most TLS-based services rely on an external CA • Problem: if that CA gets compromised and a new certificate is generated for a domain, all the services will be in danger • DNSSEC key signing schema advantages: – The key is associated to a domain (not to an entity identified by a chain of characters) – The keys are signed by the zone owner and the zone parent (not a single point of failure) • The trust anchor is defined in the resolver’s side for a single domain (“.”), not for hundreds of distinct CAs
  • 36. 36 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DANE: RFC 7673 DNS-Based Authentication of Named Entities • TLS certificates stored and signed within a specific DNS domain server – Minimum privilege: if keys are compromised, only services under that DNS hierarchy will be in danger – Certificates are tied to domain names through DNSSEC trust relationships • New DNS records to link TLS certificates with the domain – TLSA (Transport Layer Security Authentication) • Upon connection establishment, a TLS certificate is requested at the same time a DNSSEC query is launched to check the received certificate matches the received TLSA record TLSA FORMAT: port._tcp_protocol.domain _443._tcp.www.zone1.com (HTTPS) _25._tcp.mail.zone1.com (SMTPS)
  • 37. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Validation
  • 38. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Bits (or Flags)
  • 39. 39 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Bits (or Flags): Acronyms DO CD AD DOCDAD DOC DAD 2019 DNSSEC DNS
  • 40. 40 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Bits (or Flags): Traffic • Wireshark
  • 41. 41 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Bits (or Flags): Meaning • DO: DNSSEC OK – ”I do support DNSSEC, so I want to receive the DNSSEC records…” (RRSIGs) – https://tools.ietf.org/html/rfc4035#section-3.2.1 • CD: Checking Disabled – ”Do not take care of validating the response through DNSSEC, as I will validate it… Simply, send me the DNSSEC records." – https://tools.ietf.org/html/rfc4035#section-3.2.2 • AD: Authentic Data (or “Validated Data”) – ”All DNS records in this response are authentic, as I have already validated them…" – https://tools.ietf.org/html/rfc4035#section-3.2.3
  • 42. 42 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com The DO bit in DNSSEC • DO: "DNSSEC OK" – The resolver requests the DNSSEC records to be included in the response – If the DO bit is not set in the request, the DNSSEC records must be removed from the response • Unless explicitly requested https://tools.ietf.org/html/rfc3225#section-3 https://tools.ietf.org/html/rfc4035#section-3.2.1
  • 43. 43 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com The CD bit in DNSSEC • CD: Checking Disabled – The resolver can disable the DNSSEC validation (RRSIGs) in its own upstream “DNS server” (another resolver) – The CD bit in the query is reflected back in the response – The CD bit in the query is reflected in the associated upstream queries (recursive DNS resolution) – As a result, the response includes the non-validated DNSSEC records (to be validated locally) – Flexibility to establish who will validate the records and the criteria to apply (different time references, security islands, etc.) https://tools.ietf.org/html/rfc4035#section-3.2.2
  • 44. 44 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com The AD bit in DNSSEC • AD: Authentic (or Authenticated) Data – All the DNS records (RRSets) included in the Answer and Authority sections of the response are authentic (from the DNSSEC perspective) – If so, set the AD bit in the response – They have been validated by an upstream DNS resolver – Originally the AD bit was not set in requests, but… https://tools.ietf.org/html/rfc4035#section-3.2.3
  • 45. 45 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Managing the DNSSEC bits: DO, CD & AD (1/2) • RFC 4035: Protocol Modifications for the DNS Security Extensions – DO bit set in requests, to indicate the availability of DNSSEC support – CD bit set in requests between DNS clients and recursive servers • Who will take care of validating the responses? – The DO and CD bits are reflected back in the DNS responses based on its value in the associated DNS requests – AD bit set in responses between DNS clients and recursive servers • Is the response data (DNS records) authentic? • AD bit removed from requests: https://tools.ietf.org/html/rfc4035#section-4.6 – But later, in RFC 3655 and RFC 6840… https://tools.ietf.org/html/rfc4035
• 46. Managing the DNSSEC bits: DO, CD & AD (2/2)
• RFC 6840: Clarifications and Implementation Notes for DNS Security (DNSSEC)
– The DO bit in responses carries no meaning and must be ignored by resolvers
– AD bit set in requests to indicate interest in receiving the AD bit in the associated response (meaning "I want to know whether you validated the response"), section 5.7
• In addition to the DO bit, which already indicates DNSSEC support
• RFC 3655: Redefinition of DNS Authenticated Data (AD) bit (2003, obsoleted by RFC 4033-4035)
– https://tools.ietf.org/html/rfc3655
– "The AD bit MUST only be set if DNSSEC records have been requested via the DO bit…"
– E.g. BIND 9.11.x does not set the AD bit in requests (still following RFC 4035)
https://tools.ietf.org/html/rfc6840
• 47. DNSSEC Responses
• 48. DNSSEC Responses
DNS header flags: Reply Code (RCODE), 4 bits
• Valid (or correct) response – RCODE 0 (No Error: NOERROR)
• DNSSEC validation error (detected by the validating resolver) – RCODE 2 (Server Failure: SERVFAIL)
– dig shows: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
– Repeating the query with the CD bit set (dig +cd) returns the unvalidated data, which tells a validation failure apart from a server that is genuinely failing
• Domain does not exist – RCODE 3 (Non-eXistent Domain: NXDOMAIN)
• The DNS server refuses to answer the request – RCODE 5 (Refused: REFUSED)
DNSSEC is backwards compatible with DNS: both worlds run simultaneously…
• 49. Imagine you are already convinced and we have all deployed DNSSEC…
• 51. April 1st, 2018 (launch of the 1.1.1.1 public resolver)
• 52. CPE (Customer Premises Equipment)
• 53. Testing 1.1.1.1 (or one.one.one.one) with the Local DNS Resolver…
• Connecting to 1.1.1.1 over HTTP(S) from the LAN lands on the CPE (router) admin web interface, yet the same address resolves every DNS query correctly…
• What about DNSSEC?
• 54. Local Web and DNS Server at 1.1.1.1
$ nmap -sS -sU -p 53 -n --reason -A 1.1.1.1
Starting Nmap 7.60 ( https://nmap.org )...
Nmap scan report for 1.1.1.1
Host is up, received echo-reply ttl 63 (0.0019s latency).
PORT   STATE SERVICE REASON           VERSION
53/tcp open  domain  syn-ack ttl 63   dnsmasq 2.78
53/udp open  domain  udp-response ttl 63 dnsmasq 2.78
| dns-nsid:
|_  bind.version: dnsmasq-2.78
|_dns-recursion: Recursion appears to be enabled
...
Aggressive OS guesses: Linux 2.6.32 - 3.0 (96%), ...
Network Distance: 2 hops
TRACEROUTE (using port 53/tcp)
HOP RTT     ADDRESS
1   1.28 ms 172.16.8.1
2   2.62 ms 1.1.1.1
$
– The "1.1.1.1" answering here is two hops away, behind the local gateway, and identifies itself as dnsmasq 2.78: a local forwarder, not Cloudflare's resolver
• 55. 1.0.0.0/8 Conflicts
• Trying to reach 1.1.1.1
– https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/
– https://community.cloudflare.com/t/have-problems-with-1-1-1-1-read-me-first/15902
• The 1.0.0.0/8 range was assigned to APNIC in 2010
– Before that it was unassigned, but unassigned never meant available (or reserved) for private use in the RFC 1918 sense
• https://seclists.org/nanog/2010/Jan/776
• Multiple CPEs use that IP address internally…
• Multiple ISPs use that IP address in their internal networks…
• Testing DNS resolution in Spanish ISPs…
– Thanks to some collaborators, we could test DNS resolution in a few Spanish ISPs: thanks RootedCON, Román, José, Pedro, Jorge…!!!!
• 56. Using Other DNS Public Resolvers with DNSSEC Support
• Can you find the differences? The same query, with +dnssec, to the same public resolver (8.8.8.8), run from two different locations:

Output A:
$ dig @8.8.8.8 +dnssec www.isoc.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48091
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.isoc.org. IN A
;; ANSWER SECTION:
www.isoc.org. 9985 IN A 212.110.167.157
www.isoc.org. 9985 IN RRSIG A 7 3 86400 20180723085001 20180709085001 36614 isoc.org. BkflOYwNc6SOfTIs+miL2gxfYADI9JAf... pytdHBTQEzYs=
;; Query time: 1833 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 10 10:08:40 CEST 2018
;; MSG SIZE rcvd: 225

Output B:
$ dig @8.8.8.8 +dnssec www.isoc.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31624
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.isoc.org. IN A
;; ANSWER SECTION:
www.isoc.org. 13790 IN A 212.110.167.157
;; Query time: 92 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jul 06 20:14:33 CEST 2018
;; MSG SIZE rcvd: 57

– Differences in output B: no ad flag in the header, no do flag in the EDNS OPT record, no RRSIG in the answer, and a query time of 92 ms instead of 1833 ms. dig reports 8.8.8.8 as the server in both cases; the following slides look at what sits in between.
• 57. www.example.com (& .org)
• 58. Basic Mode
• No DNS settings
• 59. Expert Mode (1/2)
• Internet – DNS & DDNS:
– Secure DNS ("DNS Seguro") – OFF, as in "yes, please intercept all my traffic"
• 60. Expert Mode (2/2)
• You cannot change the DNS servers!!
• You can only see them… if you are lucky
• 61. Getting Admin Mode and Researching
• 62. Admin Mode (1/2)
• Internet – DNS & DDNS:
– EDNS0 – OFF
– Secure DNS – OFF
• No significant changes
• 63. Admin Mode (2/2)
• Settings – LAN – IPv4:
– DNS Proxy – ON (setting not available in Expert Mode)
• No significant changes
• 64. CPE Internals (SSH)
• Who is disabling DNSSEC: the CPE, the ISP or …?
• Any references to 1.1.1.1 or 1.0.0.1?
# ps
630 admin 1412 S /usr/sbin/dnsmasq -u admin
# ifconfig -a
br0   Link encap:Ethernet HWaddr 00:01:02:03:04:05
      inet addr:192.168.1.1 Bcast:192.168.1.255...
br0:0 Link encap:Ethernet HWaddr 00:01:02:03:04:05
      inet addr:1.1.1.1 Bcast:1.255.255.255...
# iptables -t nat -L
... (no DNS or special IP address references)
– So the CPE answers for 1.1.1.1 itself: the LAN bridge carries 1.1.1.1 as a secondary address (br0:0) and dnsmasq serves DNS on it
• 65. Who is Disabling DNSSEC: CPE or ISP? (1/3)
Request: (packet capture screenshot)
• 66. Who is Disabling DNSSEC: CPE or ISP? (2/3)
Response: (packet capture screenshot)
• 67. Who is Disabling DNSSEC: CPE or ISP? (3/3)
• They are compatible with EDNS0 (the OPT record survives)
• They are selectively removing all the DNSSEC flags!!!!
• Let's call it the "Client-side DNSSEC Flag Day"!!!!
– Selectively removing DNSSEC support from the client side!
– If the AD or DO flags are set in the query, they are absent from the response
– If the CD flag is set in the query, it is removed from the response too, which breaks RFC 4035 (section 3.2.2 requires the CD bit of the query to be copied into the response)
• This happens when using the CPE DNS resolvers (or 1.1.1.1)
• Same scenario when the ISP transparently intercepts all DNS traffic
• 68. Client-Side DNSSEC Flag Day
(diagram: DNS client (stub resolver) → DNS forwarder (the CPE, with a private authoritative server behind it) → DNS resolver (recursive server) → public authoritative servers: root, gTLD/ccTLD and zone)
• 69. Final Conclusions (1/2)
• "Secure DNS" enables a single iptables NAT rule for DNS traffic:
# iptables -t nat -L
...
DNAT udp -- 192.168.1.0/24 !www.evil.isp udp dpt:domain to:192.168.1.1:53
– Every UDP packet to port 53 from the LAN that is not addressed to the ISP resolver (shown as www.evil.isp) is redirected to the CPE's own dnsmasq at 192.168.1.1; TCP/53 is not matched at all
• How to bypass it client-side and use DNSSEC, at least with the public DNS resolvers (e.g. the Quads)?
– Use TCP (look at the iptables rule)… or DoH or DoT
– The TCP traffic reaches the public DNS resolver untouched:
$ dig -t A www.dinosec.info +dnssec @9.9.9.9 +tcp
DNSSEC response (ad and do flags present)
• 70. Final Conclusions (2/2)
• This UDP vs TCP difference does not apply to the ISP DNS resolvers (e.g. when "Secure DNS" is turned off)
– They remove the DNSSEC flags over both UDP and TCP
• If no transparent DNS proxy sits in the middle, the only solution is to force all clients to use a custom DNS resolver (public or private, but different from the CPE)
• If a transparent DNS proxy does sit in the middle… (the query below, without @server, goes to the configured resolver)
$ dig -t A www.dinosec.info +dnssec +tcp
No DNSSEC response (no ad, no do)
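The DO, CD and AD handling described on slides 42 to 46 and the UDP versus TCP check from these conclusions, as one added example. This is stdlib Python written for this page; it is not code from the talk and not dnssecchef. It builds a query with the three bits set, reads them back from any DNS message the way dig prints them, applies the same stripping the CPE and ISP proxies were seen doing (EDNS0 kept, AD/CD/DO cleared), and diffs two replies to list the flags that went missing. The resolver 9.9.9.9 and www.dinosec.info in main() are the hosts the slides use; the A record produced by build_answer() is constructed sample data so the functions can be exercised offline.

```python
"""DNSSEC flag bits on the wire: build, read, strip and compare (stdlib only).
Added example, not code from the talk or from dnssecchef; www.dinosec.info and
9.9.9.9 are the hosts the slides use, the A record in build_answer() is made up."""
import socket
import struct

TYPE_A, TYPE_OPT = 1, 41
FLAG_AD, FLAG_CD = 0x0020, 0x0010   # DNS header bits (RFC 4035 3.2.2 / 3.2.3)
EDNS_DO = 0x8000                    # "DNSSEC OK" bit in the OPT RR TTL field (RFC 3225)

def encode_name(name):
    """Uncompressed DNS labels for an FQDN; the root is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype=TYPE_A, do=True, ad=True, cd=False, txid=0x1234, udp_size=4096):
    """Recursive query with EDNS0. AD asks 'tell me if you validated' (RFC 6840 5.7),
    CD says 'do not validate, I will' (RFC 4035 3.2.2), DO asks for the DNSSEC RRs."""
    flags = 0x0100 | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)   # RD + AD/CD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO if do else 0, 0)
    return header + question + opt

def _skip_name(msg, off):
    """Offset just past a name, written out or ending in a 2-byte compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def _find_opt(msg):
    """Offset of the OPT RR's TTL (flags) field, or None if the message carries no EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4                      # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return off + 4
        off += 10 + rdlen
    return None

def parse_flags(msg):
    """The bits dig prints as 'flags:' and 'EDNS: flags:', for any DNS message."""
    flags = struct.unpack("!H", msg[2:4])[0]
    opt = _find_opt(msg)
    do = opt is not None and bool(struct.unpack("!I", msg[opt:opt + 4])[0] & EDNS_DO)
    return {"qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD), "rcode": flags & 0xF,
            "edns": opt is not None, "do": do}

def build_answer(query, ip, ad=True, do=True, ttl=300):
    """Constructed reply: one A record plus OPT, AD/DO as a validating resolver sets them."""
    txid, qflags = struct.unpack("!HH", query[:4])
    qend = _skip_name(query, 12) + 4
    flags = 0x8180 | (qflags & FLAG_CD) | (FLAG_AD if ad else 0)  # QR RD RA, CD echoed back
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4) + socket.inet_aton(ip)
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO if do else 0, 0)
    return header + query[12:qend] + rr + opt

def strip_dnssec_flags(msg):
    """What the 'client-side flag day' proxy does: EDNS0 stays, AD, CD and DO are cleared."""
    out = bytearray(msg)
    out[2:4] = struct.pack("!H", struct.unpack("!H", out[2:4])[0] & ~(FLAG_AD | FLAG_CD))
    opt = _find_opt(out)
    if opt is not None:
        out[opt:opt + 4] = struct.pack("!I", struct.unpack("!I", out[opt:opt + 4])[0] & ~EDNS_DO)
    return bytes(out)

def stripped_flags(reference, observed):
    """DNSSEC flags present in `reference` but missing from `observed` (e.g. TCP vs UDP reply)."""
    ref, obs = parse_flags(reference), parse_flags(observed)
    return [f for f in ("do", "ad", "cd") if ref[f] and not obs[f]]

def query_resolver(server, msg, tcp=False, timeout=3.0):
    """One raw query over UDP, or over TCP with the RFC 1035 two-byte length prefix."""
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(msg)) + msg)
            (length,) = struct.unpack("!H", s.recv(2))
            return s.recv(length)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (server, 53))
        return s.recv(4096)

if __name__ == "__main__":
    # Same query over UDP and TCP to a validating public resolver: if only the UDP
    # reply lost DO/AD, a UDP-only DNAT rule like the CPE's is diverting port 53.
    q = build_query("www.dinosec.info")
    udp, tcp = query_resolver("9.9.9.9", q), query_resolver("9.9.9.9", q, tcp=True)
    print("UDP:", parse_flags(udp), "\nTCP:", parse_flags(tcp))
    print("DNSSEC flags missing over UDP:", stripped_flags(tcp, udp))
```

Run it from a host behind the CPE: if stripped_flags(tcp, udp) lists do and ad while the TCP reply is clean, UDP/53 is being DNAT'ed to a flag-stripping forwarder, as on slide 69; if both replies come back without the flags, the interception is upstream (the ISP case above) and only DoT/DoH or a resolver outside that path helps. strip_dnssec_flags() is the same kind of manipulation a DNS proxy such as dnssecchef performs, which makes it handy for reproducing the behaviour in a lab without the real CPE.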
• 71. Wright's Principle
"Security won't get better until tools for practical exploration of the attack surface are made available." – Joshua Wright, 2011
• 72. Tool
• 73. dnssecchef
• DNS/DNSSEC proxy tool by DinoSec (Python)
– Fake DNS/DNSSEC responses (from a file or command line options)
– TCP and UDP support
• Based on dnschef (v0.3): https://github.com/iphelix/dnschef/
– Peter Kacherginsky (iPhelix)
• Requires dnslib v0.9.10+: https://bitbucket.org/paulc/dnslib/
– Paul Chakravarti
– Support for DNSSEC flag getters/setters was added in v0.9.9
• Use it as a direct DNS server or as a transparent DNS proxy
• 74. DNSSEC Manipulation
(same diagram as slide 68: DNS client (stub resolver) → DNS forwarder (with a private authoritative server) → DNS resolver (recursive server) → public authoritative servers: root, gTLD/ccTLD and zone; dnssecchef takes the place of the forwarder, as a DNS server or as a transparent proxy)
• 75. dnssecchef Options
• Multiple DNSSEC related options…
$ sudo ./dnssecchef --nodnssec
[dnssecchef banner] version 0.5
(c) 2019 DinoSec monica@dinosec.com & raul@dinosec.com
[*] DNSSECChef started on interface: 127.0.0.1
[*] Using the following nameservers: 8.8.8.8
[>] Disabling DNSSEC support completely...
[*] No parameters were specified. Running in full proxy mode
[*] DNSSECChef is running in both UDP and TCP modes (default)
[*] ...
– By default, no DNSSEC changes (standard behaviour)
– --dnssec: enable DNSSEC flags manipulation
– --nodnssec: disable DNSSEC support
– --file=dnssecchef.ini: fake DNS responses
https://github.com/dinosec/dnssecchef
• 76. Conclusions
• 77. Nobody Said It Was Going To Be Easy or Costless…
• The DNSSEC environment does not differ from real life: there are few people on the "right side"… and many more on the "wrong side"
– Wrong side: DNS operators, ISPs, registrars, obsolete network devices, non-RFC-compliant resolvers, security-unaware DNS domain holders
– Right side: security-aware DNS zone holders and responsible resolver administrators
– And on top of that, great administrative complexity
• 78. The Ones That Appear to Be Bad… Turn Out to Be Good!!
• And the wise people are on our side…
• 79. So We Know in the End…
• Good will triumph and terror will be vanquished!!!!
• 80. Who Do You Trust in the DNS World?
• Preferred DNS resolver for privacy reasons (Twitter poll):
– Your ISP
– "The Quads" (large public servers), e.g. 8.8.8.8
– DNS cloud providers
– Small public servers
– Your own
https://twitter.com/raulsiles/status/1090003636510429185
• 81. Thanks!
• Implementing DNSSEC
• (versus the buzzword pitch, translated from the Spanish original:) "Next-generation threat intelligence capabilities for red teams and purple teams, focused on defending against APTs and hybrid threats, through big-data solutions of cloud IoT sensors based on deep and machine learning, using blockchain and quantum computing."
• 82. Spanish Collection of Proverbs
"Who leans on DNSSEC is sheltered by a good signature…" ("Quien a DNSSEC se arrima, buena firma le cobija…")
"Who goes to bed without DNSSEC wakes up spoofed…" ("Quien sin DNSSEC se acuesta, suplantado se levanta…")
• 83. References
• 84. References
• "To SEC or Not to SEC: DNS Question" – CCN-CERT, Dec 2018
– https://www.dinosec.com/en/lab.html#JornadasCCN-CERT2018
– https://www.youtube.com/watch?v=HmiK51kA1QY
• Estudio del estado de DNSSEC en España (Study of the state of DNSSEC in Spain) – Oct 2018
– https://www.incibe-cert.es/guias-y-estudios/estudios/estudio-del-estado-dnssec-espana
• Guía de implantación y buenas prácticas de DNSSEC (DNSSEC deployment and best practices guide) – Oct 2018
– https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec
• DNS over TLS (DoT) – RFC 7858
– https://tools.ietf.org/html/rfc7858
– https://developers.cloudflare.com/1.1.1.1/dns-over-tls/
• DNS (Queries) over HTTPS (DoH) – RFC 8484
– https://tools.ietf.org/html/rfc8484
– https://developers.cloudflare.com/1.1.1.1/dns-over-https/
– https://blog.apnic.net/2018/10/12/doh-dns-over-https-explained/
• "Sunrise DNS over TLS, sunset DNSSEC?" & "DNSSEC and DNS over TLS" – APNIC blog, Aug 2018
– https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/
– https://blog.apnic.net/2018/08/20/dnssec-and-dns-over-tls/
• 85. www.dinosec.com – @dinosec
Mónica Salas – monica@dinosec.com
Raúl Siles – raul@dinosec.com
• 86. Questions?
www.dinosec.com – @dinosec