SlideShare a Scribd company logo
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Hype Potter and the Chamber of
DNSSECrets
www.d in o sec.co m
@ d in o s e c
Raúl Siles
Founder & Senior Security Analyst
raul@dinosec.com
Mónica Salas
Founder & Security Analyst
monica@dinosec.com March 29, 2019
2
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Raúl Siles Mónica Salas
About Us
raul@dinosec.com monica@dinosec.com
3
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DiNoSEC
2019
X Aniversario RootedCON
4
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
• DNSSEC zone signing
– DNSSEC: Authenticity and integrity
– Stats from the “.es” zone
– ICANN and DNSpionage
– DNS flag day
• DNSSEC practical zone signing
– Four DNSSEC cases
• DNSSEC validation
– DNSSEC bits (o flags)
• DNSSEC responses
– The last mile…
• Conclusions
Outline
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Zone Signing
6
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNS Authenticity & Integrity Security Threats
DNS spoofing (MitM attacks) DNS cache poisoning
DNS resolver
INTEGRITY
AUTHENTICITY AUTHENTICITY
'To SEC or not to SEC: DNS question': https://youtu.be/HmiK51kA1QY
7
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
+
Where Did We Leave Off Last Year?
DNSSEC is the solution for DNS spoofing and DNS cache poisoning attacks
DNS ZONE DNS parent ZONE DNS RESOLVER
“.” KSK
(Public Key)
+
+
+
8
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Harry Potter - Hogwarts Admission Letter
Integrity !!Authenticity?
Why should Harry trust his
Hogwarts admission letter?
9
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Harry Potter – Rubius Hagrid
The Trust Anchor
2,75 meters height 400 kilograms weight
Anyone not convinced??
10
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Roles Taxonomy
I use DNSSEC in my authoritative server
IuseaDNSSECcapableresolver
NO
SÍ
SÍ
NO
And we convinced everybody…
11
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC for ccTLD “.es” DNSSEC validation from Spain
0
5000
10000
15000
20000
25000
1/12/14
1/2/15
1/4/15
1/6/15
1/8/15
1/10/15
1/12/15
1/2/16
1/4/16
1/6/16
1/8/16
1/10/16
1/12/16
1/2/17
1/4/17
1/6/17
1/8/17
1/10/17
1/12/17
1/2/18
1/4/18
1/6/18
1/8/18
1/10/18
1/12/18
1/2/19
TOTAL “.es” DOMAINS with DNSSEC
…or NOT?
1’022%0’948%
+1,361 (+7.8%) SIGNED DOMAINS (from Nov 2019)
31% VALIDATION INCREMENT
DEC 2018
MAR 2019
1750000
1770000
1790000
1810000
1830000
1850000
1870000
1890000
1910000
1930000
1950000
1/12/14
1/2/15
1/4/15
1/6/15
1/8/15
1/10/15
1/12/15
1/2/16
1/4/16
1/6/16
1/8/16
1/10/16
1/12/16
1/2/17
1/4/17
1/6/17
1/8/17
1/10/17
1/12/17
1/2/18
1/4/18
1/6/18
1/8/18
1/10/18
1/12/18
1/2/19
TOTAL “.es” DOMAINS
https://stats.labs.apnic.net/dnssec
Thanks to: José Eleuterio López (Red.es)
12
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Yes, We Did It… But It Was Not Only You…!
ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet
LOS ANGELES – 22 February 2019 – The Internet Corporation for Assigned Names and Numbers (ICANN)
believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure.
In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full
deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain
names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security,
stability and resiliency of the Internet’s global identifier systems…
https://www.icann.org/news/announcement-2019-02-22-en
7.8 % 31 %
Not really, it
was not us
convincing
ICANN… J
13
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSpionage
• “A Deep Dive on the Recent Widespread DNS Hijacking Attacks”
Krebs on Security. February 18, 2019.
• Attacks hijacked DNS infrastructure of a registrar which also
operates one of the 13 “root” name servers (Netnod)
• Access to administrative DNS resources with the goal of capturing
credentials for other services via unauthorized changes to registries
• Attackers gained control of registrar’s administrative systems…
– Netnod, PCH…
• But DNSSEC became the unexpected ally…
https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
mail.netnod.tld
DNSSEC
DS
(.netnod) .tld
DS (.tld)
“.”
Netnod
employees
(evil) mail.netnod.tld
DNSSEC
DNSSEC
DISABLE DNSSEC
.netnod.tld.
(2)
COMODO
Get new cert. for
(evil) mail.netnod.tld.
(3)
ENABLE DNSSEC
.netnod.tld.
(4)
DNS recursive
resolver
DNSSEC
capable
(6)
(7)
A (mail)
.netnod
DNSSEC
DoT
DoH
NS
(.netnod)(1)
Registrar DNS
mail.netnod.tld IP is
evil IP x.x.x.x
(5)
No mail… & no
credentials stealing!!
15
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSpionage Conclusions
• DNSSEC is not enough…
– Secure the administration of DNS zones (registries and registrars): 2FA
– DNS zone transfer operations are not secured through DNSSEC
• TSIG (Transaction SIGnature protocol - RFC 3645) is used to authenticate both end-
points of a DNS operation and add integrity
• EPP (Extensible Provisioning Protocol - RFC 5730)
– Originally designed for allocating objects from registrars to registries over
the Internet with the goal to prevent DNS hijacking
• Can be layered over multiple transport protocols
• Provides session management through “<login>” (client identifier and plain text
password)
• Session persists until a “<logout>” is sent
• “.es” supports EPP through HTTPS
16
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
February 1st, 2019: DNS Flag Day
• Slow DNS infrastructure performance due to systems
non-compliant with original DNS RFC 1035 (1987)
• DNS authoritative servers requirements:
– Avoid implementations or firewalls that drop DNS
packets with EDNS extensions (1999)
• DNS resolver: major open source DNS vendors released
updates to stop accommodating non-standard responses
(Bind, Knot, PowerDNS, Unbound)
https://dnsflagday.net
17
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNS Flag Day
[public]
DNS authoritative servers:
- Root DNS server
- gTLD or ccTLD DNS server
- Zone DNS server
DNS forwarder
[private]
DNS (authoritative)
server
DNS resolver
(DNS recursive server)
DNS client
(Stub resolver)
Root
TLD
Zone
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Practical Zone Signing
19
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Zone Registrar /
Operator
Signing
time (DS)
DNSSEC Algorithm DNSKEYs DS Addition
raulsil.es A/A
(Spain)
8 hours Established by registrar
RSASHA1-NSEC3-SHA1 (7)
ZSK + KSK Not tried
dinosec.info B/B
(World Wide)
15 mins Established by registrar
ECDSA-P256/SHA256 (13)
KSK Not tried
siles.info B/B à B/C
(Cloud)
15 mins Established by registrar
ECDSA-P256/SHA256 (13)
KSK à ZSK + KSK Very easy
dinosec.es D/D
(Spain/WW)
- NO WAY! - NO WAY!
Signing a DNS Zone - Multiple Examples
• Activation process:
• Simple: One button
• Timing: A few minutes (5-15 mins) or hours (e.g. 8-12 hours)
• Impossible
• Lack of customization or detailed DNSSEC parameters or options
1
2
3
4
20
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
ICANN Encourages Complaining…
https://forms.icann.org/en/resources/compliance/complaints/registrars/standards-
complaint-form
DNSSEC support required by ICANN for registrars with all available DS
algorithm types (2014): 2013 RAA (Registrar Accreditation Agreement)
https://www.icann.org/resources/pages/support-dnssec-ipv6-2014-01-29-en
https://www.icann.org/registrar-reports/accredited-list.html
Complain to ICANN
21
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Supported DNSSEC Signing Algorithms (RFC 6944 )
https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec
22
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Records and Signatures
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net www.raulsil.es
+dnssec
…
www.raulsil.es. 3600 IN A 87.98.231.5
www.raulsil.es. 3600 IN RRSIG A 7 2 3600
20190319175117 20190217175117 33299 www.raulsil.es.
00I5xmLgMuxaaH/AX6y/KCNAE7x+iNUYcEa9hLIdnfj3KSKyeMa/puU9zqL81x
jR5uI0DwIWjMBfUU1Egm8Wyx047jPQ+ANP2Ssdf7NwTpsVI9VOZrEMRmcxpjxi
l1birMQm/M8ZJmgi+poZRnNwvTxCC7bjewmd56cSXyzJfAY=
Signature validity period
(start date & expiration date)
Algorithm
used
Key ID
23
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Enabling DNSSEC (1/2)
REGISTRAR “A”
REGISTRAR “B”
24
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Enabling DNSSEC (2/2)
REGISTRAR “C”
25
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSKEYs: 3 DNS Operators, 3 Signing Models
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY raulsil.es
raulsil.es. 2835 IN DNSKEY 256 3 7
AwEAAeBQ29zEisimlv+ybOPYCTin4hrl1pCBDtz6nVFO/r2BY1Y7LAnuX3doSBZi9Z6OliMJ5NWqhvNUoUi1n3U4g
hxGRf5i1P5qWfNZ5gLuwT2M5Yd4NoOAZnKlmdkGGLrqEiw45riNdB+/MbQwYozGr6tBE/4Kx1+M/UWkNnEi2HdZ
raulsil.es. 2835 IN DNSKEY 257 3 7
AwEAAaX0kus7MxJGgo5zuTmflEPH2dJkgDGbvepfG8tBH8y8gw036eTBbJDPf9DoOBdV2MMRa9QLptpwHQtYssKtZ
ooIFZxHv70UeQSKmSyz/1OCoUJXI5ahm7VU0AqfPcWC4B568gLv3LR7O47Syh+AJXvWUEE/uvK+chgEHqIE9j7v
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY dinosec.info
;; ANSWER SECTION:
dinosec.info. 3601 IN DNSKEY 257 3 13
Ei8CWVmqMGXW/fpfihKoJl7xF70RZLhp3FspO0DGycb49sBZocMJMcixB6dx+WbvwPZak7QY78ytOjnkHdB22g==
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info
siles.info. 3601 IN DNSKEY 257 3 13
h6RG7m0QEsIlpvpFpPNS+mlSOirDS+NQC41S/yG0wFd1WAT/mc2zEDtT8lJCC9aHgy6i8Bj01+cFwBQ05ke2IA==
siles.info. 3600 IN DNSKEY 256 3 13
oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
siles.info. 3600 IN DNSKEY 257 3 13
mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
A
B
B
C
26
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DS Records
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY es +dnssec +multiline
es. 65022 IN DNSKEY 256 3 8 (
AwEAAbdNeJQOckpcbVVTEHgKmHogfgezh6s6OrwZ
m6uMgzC9KhrqAwIX6PDfd2MDflwSlmfRPsVm/dq5
BzzbXQFZINCb2fzCer9S1e9gQiRX6/L/xDGH9gYP
rfU3eA1xB3RPgcfNRcvzAeAd3z3yylSBmWco2oHN
QWNLQqGs6jpI27cZ
) ; ZSK, RSASHA256 (1024b), id = 489
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS raulsil.es +dnssec
raulsil.es. 43200 IN DS 34464 7 2
97880FA96BCF744FAC85F073FFBCA679F053393C834F7837F44D1BD0A0A9C686
raulsil.es. 86400 IN RRSIG DS 8 2 86400 20190329081541 20190315005946 489 es.
qIYoNmkznp9gg53PNvoVkfGB3ytG+zFNAvrZVGDPvoc/Tx8z9D/3xWaK/p5l+yAbSB25UzPRlMXQ3TdmEzCUDAJz5LYTy
2Ly66xEsGjFi9yUGai4okSrIJdty6atlKpe78Qy6MGubKPUewDMOd7jhfKlIl2mP/UE8VZfbmp1tno=
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS dinosec.info +dnssec
dinosec.info. 86170. IN DS 16285 13 1 74FFB23176C36384D454A5CB87E78D228094667E
dinosec.info. 86170. IN RRSIG DS 7 2 86400 20190407153004 20190317143004 24332 info.
foiwm18puMTPY610HxluGehc20ES1iClXToh7GzVGyO4EjzP5wmHhvgPLeD9fb0xcyi0QxX14Zc64fgSt9cqSw6eAwsQt
gjAN4Djdz/nLMwp50T7cnQ1JHjpjxai5PdJqJ6j7069BVg46wWFlSsNyhsICTgXsJo0ljnofr5mKz8=
A
B
TLD
27
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Case 3: “siles.info” DNS Operator Transfer (1/2)
• Domain registered and operated by B
• Zone operation transferred from operator B to operator C
– Zone registration was not transferable initially from B to C since
a minimum of 60 days is needed before a domain transfer
request can be undertaken by the a new registrar
– DNSSEC was previously enabled in B with just a KSK and
ECDSA P256/SHA256
– DNSSEC was enabled in C with KSK and ZSK and ECDSA
P256/SHA256
28
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Case 3: “siles.info” DNS Operator Transfer (2/2)
Steps perfomed by zone owner at DNS provider’s managent console
Registrar / Operator B Operator C
0) B is registrar and operator for zone 1) Zone operation requested by owner
2) NS provided by C
3) NS servers pointed to C’s: it takes hours for the
change to be applied
4) DNSSEC disabled by B: DS(zone) removed
from TLD
3) Owner requests enabling DNSSEC for the zone
4) C signs the zone: Since C knows the zone
registrar is a third party, C provides the DS record
for the zone
5) Zone owner manually adds DS record
generated by C
6) B transfers DS record to TLD (.info)
DNSSEC zone is now signed and operational again at C
29
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Case 3: siles.info (Steps 4 & 5)
DS generation at C DS addition at B
Hash(KSK)
= DS
KSK
SEP
30
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
CDS and CDNSKEY: Simplifying DS Updates
• RFC 8078 (March 2017)
• KSK renewal through standard DNS mechanisms
• New DS (and/or new DNSKEY) records are added to the child zone
upon KSK renewal
• Parent zone get news of child’s zone KSK renewal intention through:
– Polling: parent zone polls child zones periodically
– Pushing: child zone notifies parent zone of CDS/CDNSKEY avalibility
• Pros:
– KSK renewal independent of registrars
• Cons:
– Not “de facto” standards yet & Not mandatory (yet)
31
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Case 3: DNSSEC Records After Transfer to C
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec
siles.info. 43200 IN DS 2371 13 2
4101DF3DCCE5291E11C450BBEBB16009378A11D0CF20C4B2E8842273025DC305
siles.info. 85653 IN RRSIG DS 7 2 86400 20190415152146 20190325142146
24332 info.
cSM+n8J6gy0A5q5RgU7hdifJEtU1ZPsfPx89lEH1GCZ3EG7Wkymx3drkdGJ5uBEzXJfwue8CG0fQveSvVL3MheC/jz8
5KCCwXwyHtCmdJHjXcPrwFKyHWHNsSznLcn0zugeAYWJwxN0DDOmHmM15+rBbvdNZ8Q3b535c7PtdDes=
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info +dnssec +multiline
siles.info. 2949 IN DNSKEY 256 3 13 (
oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
) ; ZSK, ECDSAP256SHA256 (256b), id = 34505
siles.info. 2949 IN DNSKEY 257 3 13 (
mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
) ; KSK, ECDSAP256SHA256 (256b), id = 2371
siles.info. 2949 IN RRSIG DNSKEY 13 2 3600 20190409082227 (
20190208082227 2371 siles.info.
3QjU1QlBeQrhsJssRUJ3cBojHPon1hXJ80GT79gHYR3fMXLAE6f8vjLgTKBHb7PIyXvCU2LqgwqPYYbJHlJvog==)
B
TLD
C
$ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec
siles.info. 43115 IN DS 53189 13 1
419700DF0777F6839E2E368A1BAEF9044E8B30B7
C
32
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Tracking The Trust Chain (https://dnsviz.net)
dinosec.info
siles.info
33
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Root Zone TLD Database
• Very interesting information through the “curl” command
– All NS in the root zone:
– All DS in the root zone:
curl -s http://www.internic.net/domain/root.zone | awk '$4
== "DS" { print $1 " " $6 }' | uniq -c
http://www.internic.net/domain/root.zone
curl -s http://www.internic.net/domain/root.zone | awk '$4
== "NS" { print $1 " " $4 $5 }' | uniq -c
34
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Algorithm Number
of TLDs
5 (RSA/SHA-1) 163
7 (RSA/SHA1-NSEC3) 551
8 (RSA/SHA-256) 2206
10 (RSA/SHA-512) 37
13 (ECC P-256) 6
Signing Algorithms Comparison
• DNSSEC key types
– RSA: Larger key length needed - Longer
signatures
• (5) RSA/SHA1 - not recommended (weak)
• (7) RSASHA1-NSEC3-SHA1 - if NSEC3 is
required to avoid zone enumeration
• (8) RSA/SHA-256
– ECC: not currently supported by all TLDs
- Small signatures and robust
• (13) ECDSA Curve P-256 / SHA-256
• (14) ECDSA Curve P-384 / SHA-384
TLDs using ECC ccTLD
Brazil .br
Switzerland .ch
Czech Republic .cz
Liechtenstein .li
Moldova .ld
Niue (*New Zeland) .nu
0 in May ´18
1 in July ´18
2 in Dec ´18
6 in Mar ´19
35
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DANE: DNSSEC Beyond DNS
• Most TLS-based services rely on an external CA
• Problem: if that CA gets compromised and a new certificate is
generated for a domain, all the services will be in danger
• DNSSEC key signing schema advantages:
– The key is associated to a domain (not to an entity identified by a chain of
characters)
– The keys are signed by the zone owner and the zone parent (not a single
point of failure)
• The trust anchor is defined in the resolver’s side for a single
domain (“.”), not for hundreds of distinct CAs
36
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DANE: RFC 7673
DNS-Based Authentication of Named Entities
• TLS certificates stored and signed within a specific DNS domain server
– Minimum privilege: if keys are compromised, only services under that DNS hierarchy will
be in danger
– Certificates are tied to domain names through DNSSEC trust relationships
• New DNS records to link TLS certificates with the domain
– TLSA (Transport Layer Security Authentication)
• Upon connection establishment, a TLS certificate is requested at the same
time a DNSSEC query is launched to check the received certificate matches
the received TLSA record
TLSA FORMAT: port._tcp_protocol.domain
_443._tcp.www.zone1.com (HTTPS)
_25._tcp.mail.zone1.com (SMTPS)
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Validation
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Bits (or Flags)
39
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Bits (or Flags): Acronyms
DO CD AD
DOCDAD
DOC DAD
2019
DNSSEC
DNS
40
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Bits (or Flags): Traffic
• Wireshark
41
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Bits (or Flags): Meaning
• DO: DNSSEC OK
– ”I do support DNSSEC, so I want to receive the DNSSEC records…” (RRSIGs)
– https://tools.ietf.org/html/rfc4035#section-3.2.1
• CD: Checking Disabled
– ”Do not take care of validating the response through DNSSEC, as I will
validate it… Simply, send me the DNSSEC records."
– https://tools.ietf.org/html/rfc4035#section-3.2.2
• AD: Authentic Data (or “Validated Data”)
– ”All DNS records in this response are authentic, as I have already validated
them…"
– https://tools.ietf.org/html/rfc4035#section-3.2.3
42
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
The DO bit in DNSSEC
• DO: "DNSSEC OK"
– The resolver requests
the DNSSEC records to
be included in the
response
– If the DO bit is not set in
the request, the
DNSSEC records must
be removed from the
response
• Unless explicitly requested
https://tools.ietf.org/html/rfc3225#section-3
https://tools.ietf.org/html/rfc4035#section-3.2.1
43
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
The CD bit in DNSSEC
• CD: Checking Disabled
– The resolver can disable the DNSSEC validation (RRSIGs) in
its own upstream “DNS server” (another resolver)
– The CD bit in the query is reflected back in the response
– The CD bit in the query is reflected in the associated upstream
queries (recursive DNS resolution)
– As a result, the response includes the non-validated DNSSEC
records (to be validated locally)
– Flexibility to establish who will validate the records and the
criteria to apply (different time references, security islands, etc.)
https://tools.ietf.org/html/rfc4035#section-3.2.2
44
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
The AD bit in DNSSEC
• AD: Authentic (or Authenticated) Data
– All the DNS records (RRSets) included in the Answer and
Authority sections of the response are authentic (from the
DNSSEC perspective)
– If so, set the AD bit in the response
– They have been validated by an upstream DNS resolver
– Originally the AD bit was not set in requests, but…
https://tools.ietf.org/html/rfc4035#section-3.2.3
45
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Managing the DNSSEC bits: DO, CD & AD (1/2)
• RFC 4035: Protocol Modifications for the DNS Security
Extensions
– DO bit set in requests, to indicate the availability of DNSSEC support
– CD bit set in requests between DNS clients and recursive servers
• Who will take care of validating the responses?
– The DO and CD bits are reflected back in the DNS responses based on its
value in the associated DNS requests
– AD bit set in responses between DNS clients and recursive servers
• Is the response data (DNS records) authentic?
• AD bit removed from requests: https://tools.ietf.org/html/rfc4035#section-4.6
– But later, in RFC 3655 and RFC 6840…
https://tools.ietf.org/html/rfc4035
46
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Managing the DNSSEC bits: DO, CD & AD (2/2)
• RFC 6840: Clarifications and Implementation Notes for DNS
Security (DNSSEC)
– DO bit must be ignored by DNS recursive servers in responses
– AD bit set in requests to indicate interest in receiving the AD bit set in the
associated response (meaning, “I want you to validate the response”)
• Additionally to the DO bit already indicating DNSSEC support
– “The AD bit MUST only be set if DNSSEC records have been requested via the DO bit…”
• RFC 3655: Redefinition of DNS Authenticated Data (AD) bit
– https://tools.ietf.org/html/rfc3655
– E.g. Bind 9.11.x does not set the AD bit in the requests (still following the
previous RFC 4035)
https://tools.ietf.org/html/rfc6840
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Responses
48
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Responses
• Valid (or correct) response
– RCODE 0 (No Error: NOERROR)
• DNSSEC validation error (by the resolver)
– RCODE 2 (Server Failure: SERVFAIL)
• dig: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL
• Domain does not exist
– RCODE 3 (Non-eXistent Domain: NXDOMAIN)
• The DNS server refuses to answer the request
– RCODE 5 (Refused: REFUSED)
DNS Flags section: Reply Code (RCODE) - 4 bits
DNSSEC is backwards
compatible with DNS:
Both worlds running
simultaneously…
49
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Imagine you are already convinced
and we all have deployed
DNSSEC…
50
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
51
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
April 1st, 2018
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
CPE (Customer Premises Equipment)
53
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Testing 1.1.1.1 (or one.one.one.one) with the Local
DNS Resolver…
What about
DNSSEC?
Connecting to
1.1.1.1 through
HTTP(S) you get
the CPE (router)
admin web
interface, but it
can resolve all
DNS queries
properly…
54
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Local Web and DNS Server at 1.1.1.1
$ nmap -sS -sU -p 53 -n --reason -A 1.1.1.1
Starting Nmap 7.60 ( https://nmap.org )...
Nmap scan report for 1.1.1.1
Host is up, received echo-reply ttl 63
(0.0019s latency).
PORT STATE SERVICE REASON
VERSION
53/tcp open domain syn-ack ttl 63
dnsmasq 2.78
53/udp open domain udp-response ttl 63
dnsmasq 2.78
| dns-nsid:
|_ bind.version: dnsmasq-2.78
|_dns-recursion: Recursion appears to be
enabled
...
Aggressive OS guesses: Linux 2.6.32 - 3.0
(96%), ...
Network Distance: 2 hops
TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 1.28 ms 172.16.8.1
2 2.62 ms 1.1.1.1
$
55
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
1.0.0.0/8 Conflicts
• Trying to reach 1.1.1.1
– https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/
– https://community.cloudflare.com/t/have-problems-with-1-1-1-1-read-me-first/15902
• The 1.0.0.0/8 range was assigned to APNIC in 2010
– Previously it was not assigned, but that didn’t mean it was available (or
reserved) for private usage (RFC 1918)
• https://seclists.org/nanog/2010/Jan/776
• Multiple CPEs are using that IP address internally…
• Multiple ISPs are using that IP address in their internal network…
• Testing DNS Resolution in Spanish ISPs…
– Thanks to some collaborators, we could test the DNS resolution for a few
Spanish ISPs…: Thanks RootedCON, Román, José, Pedro, Jorge…!!!!
56
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
$ dig @8.8.8.8 +dnssec www.isoc.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
48091
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2,
AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.isoc.org. IN A
;; ANSWER SECTION:
www.isoc.org. 9985 IN A 212.110.167.157
www.isoc.org. 9985 IN RRSIG A 7 3
86400 20180723085001 20180709085001 36614 isoc.org.
BkflOYwNc6SOfTIs+miL2gxfYADI9JAf... pytdHBTQEzYs=
;; Query time: 1833 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 10 10:08:40 CEST 2018
;; MSG SIZE rcvd: 225
$ dig @8.8.8.8 +dnssec www.isoc.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
48091
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2,
AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.isoc.org. IN
;; ANSWER SECTION:
www.isoc.org. 9985 IN A 212.110.167.157
www.isoc.org. 9985 IN RRSIG A 7 3
86400 20180723085001 20180709085001 36614 isoc.org.
BkflOYwNc6SOfTIs+miL2gxfYADI9JAf... pytdHBTQEzYs=
;; Query time: 1833 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 10 10:08:40 CEST 2018
;; MSG SIZE rcvd: 225
Using Other DNS Public Resolvers with DNSSEC Support
• Can you find the differences? J
$ dig @8.8.8.8 +dnssec www.isoc.org.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id: 31624
;; flags: qr rd ra; QUERY: 1, ANSWER: 1,
AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.isoc.org. IN A
;; ANSWER SECTION:
www.isoc.org. 13790 IN A 212.110.167.157
;; Query time: 92 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jul 06 20:14:33 CEST 2018
;; MSG SIZE rcvd: 57
57
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
www.example.com (& .org)
58
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Basic Mode
• No DNS settings
59
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Expert Mode (1/2)
• Internet
– DNS & DDNS:
• DNS Seguro
– OFF
que quiero que me interceptes todo el tráfico
60
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Expert Mode (2/2)
• You cannot
change the
DNS servers!!
• You can only
see them… if
you’re lucky J
61
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Getting Admin Mode and Researching
62
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Admin Mode (1/2)
• Internet
– DNS & DDNS:
• EDNS0
– OFF
• Secure DNS
– OFF
No significant
changes
63
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Admin Mode (2/2)
• Settings
– LAN – IPv4:
• DNS Proxy
– ON
(Setting not available in Expert Mode)
No significant
changes
64
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
CPE Internals (SSH)
• Who is Disabling DNSSEC: CPE or ISP or …?
• References to 1.1.1.1 or 1.0.0.1?
# ps
630 admin 1412 S /usr/sbin/dnsmasq -u admin
# ifconfig –a
br0 Link encap:Ethernet HWaddr 00:01:02:03:04:05
inet addr:192.168.1.1 Bcast:192.168.1.255...
br0:0 Link encap:Ethernet HWaddr 00:01:02:03:04:05
inet addr:1.1.1.1 Bcast:1.255.255.255...
# iptables -t nat –L
... (no DNS or special IP addresses references)
65
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Who is Disabling DNSSEC: CPE or ISP? (1/3)
Request:
66
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Who is Disabling DNSSEC: CPE or ISP? (2/3)
Response:
67
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Who is Disabling DNSSEC: CPE or ISP? (3/3)
• They are compatible with EDNS0
• They are selectively removing all DNSSEC flags!!!!
• Let’s call it “Client-side DNSSEC Flag Day”!!!!
– Selectively removing DNNSEC support from the client side!
– If AD or DO flags are set in the query, they are removed from the
response L
– If CD flag is set in the query, it is removed from the response too,
breaking RFC 4035 J
• When using the CPE DNS resolvers (or 1.1.1.1)
• Same scenario if ISP transparently intercepts all DNS traffic
68
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Client-Side DNSSEC Flag Day
[public]
DNS authoritative servers:
- Root DNS server
- gTLD or ccTLD DNS server
- Zone DNS server
DNS forwarder
[private]
DNS (authoritative)
server
DNS resolver
(DNS recursive server)
DNS client
(Stub resolver)
Root
TLD
Zone
69
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Final Conclusions (1/2)
• “Secure DNS” enables a single iptables rule for DNS traffic
• How to bypass it client-side and be able to use DNSSEC,
at least with the public DNS resolvers (e.g. Quads)?
– Use TCP (look at the iptables rule) J… or DoH or DoT
– The traffic goes via TCP to the public DNS resolver
# iptables -t nat –L
...
DNAT udp -- 192.168.1.0/24 !www.evil.isp
udp dpt:domain to:192.168.1.1:53
$ dig -t A www.dinosec.info +dnssec @9.9.9.9 +tcp
DNSSEC reponse J
70
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Final Conclusions (2/2)
• This UDP vs TCP difference does not apply to the ISP
DNS resolvers (e.g. when “Secure DNS” is turned off)
– They remove the DNSSEC flags for both, UDP and TCP
• The only solution, if the transparent DNS proxies are not
in the middle, is to force all clients to use a custom DNS
resolver (public, or private, different from the CPE)
– If the transparent DNS proxies are in the middle…
$ dig -t A www.dinosec.info +dnssec +tcp
No DNSSEC reponse L
71
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Wright’s Principle
"Security won't get better until tools for
practical exploration of the attack
surface are made available."
– Joshua Wright, 2011
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Tool
73
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
dnssecchef
• DNS/DNSSEC proxy tool by DinoSec (Python)
– Fake DNS/DNSSEC responses (file or command line options)
– TCP and UDP support
• Based on dnschef (v0.3): https://github.com/iphelix/dnschef/
– Peter Kacherginsky (iPhelix)
• Requires dnslib v0.9.10+: https://bitbucket.org/paulc/dnslib/
– Paul Chakravarti
– Added support for DNSSEC flag getters/setters in v0.9.9
• Use it as a direct DNS server or as a transparent DNS proxy
74
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
DNSSEC Manipulation
[public]
DNS authoritative servers:
- Root DNS server
- gTLD or ccTLD DNS server
- Zone DNS server
DNS forwarder
[private]
DNS (authoritative)
server
DNS resolver
(DNS recursive server)
DNS client
(Stub resolver)
Root
TLD
Zone
75
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
dnssecchef Options
• Multiple DNSSEC related options…
$ sudo ./dnssecchef --nodnssec
_ _ __
| | version 0.5 | | / _|
__| |_ __ ___ ___ ___ ___ ___| |__ ___| |_
/ _` | '_ / __|/ __|/ _ / __|/ __| '_  / _  _|
| (_| | | | __ __  __/ (__| (__| | | | __/ |
__,_|_| |_|___/|___/___|___|___|_| |_|___|_|
(c) 2019 DinoSec
monica@dinosec.com & raul@dinosec.com
[*] DNSSECChef started on interface: 127.0.0.1
[*] Using the following nameservers: 8.8.8.8
[>] Disabling DNSSEC support completely...
[*] No parameters were specified. Running in full proxy mode
[*] DNSSECChef is running in both UDP and TCP modes (default)
[*] ...
By default, no DNSSEC
changes (standard).
--dnssec:
Enable DNSSEC flags
manipulation.
--nodnssec:
Disable DNSSEC
support.
--file=dnssecchef.ini
Fake DNS responses.https://github.com/dinosec/dnssecchef
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Conclusions
77
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Nobody Said It Was Going To Be Easy or Costless…
DNSSEC environment does not differ from real life:
There are few people in the “right side”… And many more in the “wrong side”
DNS Operators
ISPs
Obsolete network
devicesREGISTRARs
Non-RFC compliant
resolvers
Security unaware
DNS domain
holders
Security aware DNS zone holders &
responsible resolver administrators
Great admin
complexity
78
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
The One that Appeares to Be Bad…
Turn out to
be good!!
And the wise people are on our side…
79
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
So We Know in the End…
• Good will triumph and terror will be vanquished!!!!
80
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Who Do You Trust in the DNS World?
• Preferred DNS resolver for
privacy reasons:
– Your ISP
– “The Quads” (large public servers)
• 8.8.8.8
• DNS Cloud providers
– Small public servers
– Your own
https://twitter.com/raulsiles/status/1090003636510429185
81
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Thanks!
• Implementing DNSSEC
• “Capacidades de next-generation threat intelligence para red
teams y purple teams, centradas en defenderse frente a APTs y
amenazas híbridas, mediante soluciones big-data de sensores
IoT en la nube basadas en deep y machine learning empleando
blockchain y computación cuántica.”
82
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Spanish Collection of Proverbs
“Quien a DNSSEC se
arrima, buena firma le
cobija…”
“Quién sin DNSSEC se acuesta,
suplantado se levanta…”
83
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
References
84
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
References
• “To SEC or Not to SEC: DNS Question” – CCN-CERT. Dec 2018
– https://www.dinosec.com/en/lab.html#JornadasCCN-CERT2018
– https://www.youtube.com/watch?v=HmiK51kA1QY
• Estudio del estado de DNSSEC en España – Oct 2018
– https://www.incibe-cert.es/guias-y-estudios/estudios/estudio-del-estado-dnssec-espana
• Guía de implantación y buenas prácticas de DNSSEC – Oct 2018
– https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec
• DNS over TLS (DoT) – RFC7858
– https://tools.ietf.org/html/rfc7858
– https://developers.cloudflare.com/1.1.1.1/dns-over-tls/
• DNS (Queries) over HTTPS (DoH) – RFC8484
– https://tools.ietf.org/html/rfc8484
– https://developers.cloudflare.com/1.1.1.1/dns-over-https/
– https://blog.apnic.net/2018/10/12/doh-dns-over-https-explained/
• "Sunrise DNS over TLS, sunset DNSSEC?" & "DNSSEC and DNS over TLS" (Aug 2018)
– https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/
– https://blog.apnic.net/2018/08/20/dnssec-and-dns-over-tls/
www.d in o s e c.c o m
@d in o s ec
Mó n ic a S a la s
mo n ic a @ d in o s e c .c o m
R aú l S iles
ra u l@ d in o s e c .c o m
86
2019 © Dino Security S.L.
All rights reserved. Todos los derechos reservados. www.dinosec.com
Questions?
www.d in o s ec.co m
@ d in o s e c

More Related Content

What's hot

Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
RootedCON
 
Hacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the ShadowsHacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the Shadows
Priyanka Aash
 
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
RootedCON
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
RootedCON
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
RootedCON
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
CrowdStrike
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
PROIDEA
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
Positive Hack Days
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
PROIDEA
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
Javier Junquera
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol  (DNSSEC)Introduction To The DANE Protocol  (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)
Deploy360 Programme (Internet Society)
 
SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)
Maarten Mulders
 
Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber Attacks
Jermund Ottermo
 
ION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLSION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLS
Deploy360 Programme (Internet Society)
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
Nahidul Kibria
 
BalCCon2k18 - Towards the perfect cryptocurrency wallet
BalCCon2k18 - Towards the perfect cryptocurrency walletBalCCon2k18 - Towards the perfect cryptocurrency wallet
BalCCon2k18 - Towards the perfect cryptocurrency wallet
Nemanja Nikodijević
 
DNS privacy in theory and practice
DNS privacy in theory and practiceDNS privacy in theory and practice
DNS privacy in theory and practice
APNIC
 
Shamoon
ShamoonShamoon
Shamoon
Shakacon
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
wolfSSL
 

What's hot (20)

Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
 
Hacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the ShadowsHacking Exposed LIVE: Attacking in the Shadows
Hacking Exposed LIVE: Attacking in the Shadows
 
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
J. Daniel Martínez - IoP: The Internet of Planes / Hacking millionaires jet c...
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
End-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyEnd-to-End Analysis of a Domain Generating Algorithm Malware Family
End-to-End Analysis of a Domain Generating Algorithm Malware Family
 
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ..."Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...
 
DNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense VectorDNS как линия защиты/DNS as a Defense Vector
DNS как линия защиты/DNS as a Defense Vector
 
"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz"Powershell kung-fu" - Paweł Maziarz
"Powershell kung-fu" - Paweł Maziarz
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Introduction To The DANE Protocol (DNSSEC)
Introduction To The DANE Protocol  (DNSSEC)Introduction To The DANE Protocol  (DNSSEC)
Introduction To The DANE Protocol (DNSSEC)
 
SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)SSL/TLS for Mortals (Devoxx FR 2018)
SSL/TLS for Mortals (Devoxx FR 2018)
 
Adaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber AttacksAdaptive Defense - Understanding Cyber Attacks
Adaptive Defense - Understanding Cyber Attacks
 
ION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLSION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLS
 
Breaking the cyber kill chain!
Breaking the cyber kill chain!Breaking the cyber kill chain!
Breaking the cyber kill chain!
 
BalCCon2k18 - Towards the perfect cryptocurrency wallet
BalCCon2k18 - Towards the perfect cryptocurrency walletBalCCon2k18 - Towards the perfect cryptocurrency wallet
BalCCon2k18 - Towards the perfect cryptocurrency wallet
 
DNS privacy in theory and practice
DNS privacy in theory and practiceDNS privacy in theory and practice
DNS privacy in theory and practice
 
Shamoon
ShamoonShamoon
Shamoon
 
FIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure EnclaveFIPS 140-2 Validations in a Secure Enclave
FIPS 140-2 Validations in a Secure Enclave
 

Similar to Monica Salas & Raul Siles - Hype Potter and the Chamber of DNSSECrets [rooted2019]

Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
African Cyber Security Summit
 
ION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid ItION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid It
Deploy360 Programme (Internet Society)
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
Men and Mice
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
APNIC
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
APNIC
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
Deploy360 Programme (Internet Society)
 
PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat Intelligence
John Bambenek
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
Deploy360 Programme (Internet Society)
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski -  DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski -  DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PROIDEA
 
EfficientIP presentation used during the SWITCHPOINT NV/SA Quarterly Experien...
EfficientIP presentation used during the SWITCHPOINT NV/SA Quarterly Experien...EfficientIP presentation used during the SWITCHPOINT NV/SA Quarterly Experien...
EfficientIP presentation used during the SWITCHPOINT NV/SA Quarterly Experien...
SWITCHPOINT NV/SA
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
Christiaan Beek
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
kieranjacobsen
 
Hidden empires of malware
Hidden empires of malwareHidden empires of malware
Hidden empires of malware
Ryan Kovar
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
Deploy360 Programme (Internet Society)
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
DNS Entrepreneurship Center
 
Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy?
Digital Transformation EXPO Event Series
 
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMCómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Mundo Contact
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSEC
Chin Wan Lim
 
Toronto Event- How to Protect Data Throughout Its Lifecycle
Toronto Event- How to Protect Data Throughout Its Lifecycle Toronto Event- How to Protect Data Throughout Its Lifecycle
Toronto Event- How to Protect Data Throughout Its Lifecycle
Blancco
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
Glenn McKnight
 

Similar to Monica Salas & Raul Siles - Hype Potter and the Chamber of DNSSECrets [rooted2019] (20)

Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
 
ION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid ItION Durban - DNSSEC, and Why We Can't Avoid It
ION Durban - DNSSEC, and Why We Can't Avoid It
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
DNSSEC Tutorial, by Champika Wijayatunga [APNIC 38]
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
PHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat IntelligencePHDAYS: DGAs and Threat Intelligence
PHDAYS: DGAs and Threat Intelligence
 
ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?ION Hangzhou - Why Deploy DNSSEC?
ION Hangzhou - Why Deploy DNSSEC?
 
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski -  DNSSECPLNOG 5: Eric Ziegast, Zbigniew Jasinski -  DNSSEC
PLNOG 5: Eric Ziegast, Zbigniew Jasinski - DNSSEC
 
EfficientIP presentation used during the SWITCHPOINT NV/SA Quarterly Experien...
EfficientIP presentation used during the SWITCHPOINT NV/SA Quarterly Experien...EfficientIP presentation used during the SWITCHPOINT NV/SA Quarterly Experien...
EfficientIP presentation used during the SWITCHPOINT NV/SA Quarterly Experien...
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
 
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
 
Hidden empires of malware
Hidden empires of malwareHidden empires of malware
Hidden empires of malware
 
DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?DNSSEC and VoIP: Who are you really calling?
DNSSEC and VoIP: Who are you really calling?
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy? Is DNS a Part of Your Cyber Security Strategy?
Is DNS a Part of Your Cyber Security Strategy?
 
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMCómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSEC
 
Toronto Event- How to Protect Data Throughout Its Lifecycle
Toronto Event- How to Protect Data Throughout Its Lifecycle Toronto Event- How to Protect Data Throughout Its Lifecycle
Toronto Event- How to Protect Data Throughout Its Lifecycle
 
DNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael CasadevallDNS Over HTTPS by Michael Casadevall
DNS Over HTTPS by Michael Casadevall
 

More from RootedCON

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
RootedCON
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
RootedCON
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
RootedCON
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
RootedCON
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
RootedCON
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
RootedCON
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
RootedCON
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
RootedCON
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
RootedCON
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
RootedCON
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
RootedCON
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
RootedCON
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
RootedCON
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
RootedCON
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
RootedCON
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
RootedCON
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
RootedCON
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
RootedCON
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
RootedCON
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
RootedCON
 

More from RootedCON (20)

Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro VillaverdeRooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
Rooted2020 A clockwork pentester - Jose Carlos Moral & Alvaro Villaverde
 
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
rooted2020 Sandbox fingerprinting -_evadiendo_entornos_de_analisis_-_victor_c...
 
Rooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amadoRooted2020 hunting malware-using_process_behavior-roberto_amado
Rooted2020 hunting malware-using_process_behavior-roberto_amado
 
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acinRooted2020 emotet is-dead_long_live_emotet_-_victor_acin
Rooted2020 emotet is-dead_long_live_emotet_-_victor_acin
 

Recently uploaded

BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
softsuave
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
Debmalya Biswas
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
FIDO Alliance
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
BrainSell Technologies
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
Zilliz
 

Recently uploaded (20)

BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)Gen AI: Privacy Risks of Large Language Models (LLMs)
Gen AI: Privacy Risks of Large Language Models (LLMs)
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdfAcumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
Acumatica vs. Sage Intacct vs. NetSuite _ NOW CFO.pdf
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
 

Monica Salas & Raul Siles - Hype Potter and the Chamber of DNSSECrets [rooted2019]

  • 1. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Hype Potter and the Chamber of DNSSECrets www.d in o sec.co m @ d in o s e c Raúl Siles Founder & Senior Security Analyst raul@dinosec.com Mónica Salas Founder & Security Analyst monica@dinosec.com March 29, 2019
  • 2. 2 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Raúl Siles Mónica Salas About Us raul@dinosec.com monica@dinosec.com
  • 3. 3 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DiNoSEC 2019 X Aniversario RootedCON
  • 4. 4 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com • DNSSEC zone signing – DNSSEC: Authenticity and integrity – Stats from the “.es” zone – ICANN and DNSpionage – DNS flag day • DNSSEC practical zone signing – Four DNSSEC cases • DNSSEC validation – DNSSEC bits (o flags) • DNSSEC responses – The last mile… • Conclusions Outline
  • 5. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Zone Signing
  • 6. 6 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNS Authenticity & Integrity Security Threats DNS spoofing (MitM attacks) DNS cache poisoning DNS resolver INTEGRITY AUTHENTICITY AUTHENTICITY 'To SEC or not to SEC: DNS question': https://youtu.be/HmiK51kA1QY
  • 7. 7 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com + Where Did We Leave Off Last Year? DNSSEC is the solution for DNS spoofing and DNS cache poisoning attacks DNS ZONE DNS parent ZONE DNS RESOLVER “.” KSK (Public Key) + + +
  • 8. 8 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Harry Potter - Hogwarts Admission Letter Integrity !!Authenticity? Why should Harry trust his Hogwarts admission letter?
  • 9. 9 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Harry Potter – Rubius Hagrid The Trust Anchor 2,75 meters height 400 kilograms weight Anyone not convinced??
  • 10. 10 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Roles Taxonomy I use DNSSEC in my authoritative server IuseaDNSSECcapableresolver NO SÍ SÍ NO And we convinced everybody…
  • 11. 11 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC for ccTLD “.es” DNSSEC validation from Spain 0 5000 10000 15000 20000 25000 1/12/14 1/2/15 1/4/15 1/6/15 1/8/15 1/10/15 1/12/15 1/2/16 1/4/16 1/6/16 1/8/16 1/10/16 1/12/16 1/2/17 1/4/17 1/6/17 1/8/17 1/10/17 1/12/17 1/2/18 1/4/18 1/6/18 1/8/18 1/10/18 1/12/18 1/2/19 TOTAL “.es” DOMAINS with DNSSEC …or NOT? 1’022%0’948% +1,361 (+7.8%) SIGNED DOMAINS (from Nov 2019) 31% VALIDATION INCREMENT DEC 2018 MAR 2019 1750000 1770000 1790000 1810000 1830000 1850000 1870000 1890000 1910000 1930000 1950000 1/12/14 1/2/15 1/4/15 1/6/15 1/8/15 1/10/15 1/12/15 1/2/16 1/4/16 1/6/16 1/8/16 1/10/16 1/12/16 1/2/17 1/4/17 1/6/17 1/8/17 1/10/17 1/12/17 1/2/18 1/4/18 1/6/18 1/8/18 1/10/18 1/12/18 1/2/19 TOTAL “.es” DOMAINS https://stats.labs.apnic.net/dnssec Thanks to: José Eleuterio López (Red.es)
  • 12. 12 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Yes, We Did It… But It Was Not Only You…! ICANN Calls for Full DNSSEC Deployment, Promotes Community Collaboration to Protect the Internet LOS ANGELES – 22 February 2019 – The Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure. In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems… https://www.icann.org/news/announcement-2019-02-22-en 7.8 % 31 % Not really, it was not us convincing ICANN… J
  • 13. 13 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSpionage • “A Deep Dive on the Recent Widespread DNS Hijacking Attacks” Krebs on Security. February 18, 2019. • Attacks hijacked DNS infrastructure of a registrar which also operates one of the 13 “root” name servers (Netnod) • Access to administrative DNS resources with the goal of capturing credentials for other services via unauthorized changes to registries • Attackers gained control of registrar’s administrative systems… – Netnod, PCH… • But DNSSEC became the unexpected ally… https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
  • 14. mail.netnod.tld DNSSEC DS (.netnod) .tld DS (.tld) “.” Netnod employees (evil) mail.netnod.tld DNSSEC DNSSEC DISABLE DNSSEC .netnod.tld. (2) COMODO Get new cert. for (evil) mail.netnod.tld. (3) ENABLE DNSSEC .netnod.tld. (4) DNS recursive resolver DNSSEC capable (6) (7) A (mail) .netnod DNSSEC DoT DoH NS (.netnod)(1) Registrar DNS mail.netnod.tld IP is evil IP x.x.x.x (5) No mail… & no credentials stealing!!
  • 15. 15 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSpionage Conclusions • DNSSEC is not enough… – Secure the administration of DNS zones (registries and registrars): 2FA – DNS zone transfer operations are not secured through DNSSEC • TSIG (Transaction SIGnature protocol - RFC 3645) is used to authenticate both end- points of a DNS operation and add integrity • EPP (Extensible Provisioning Protocol - RFC 5730) – Originally designed for allocating objects from registrars to registries over the Internet with the goal to prevent DNS hijacking • Can be layered over multiple transport protocols • Provides session management through “<login>” (client identifier and plain text password) • Session persists until a “<logout>” is sent • “.es” supports EPP through HTTPS
  • 16. 16 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com February 1st, 2019: DNS Flag Day • Slow DNS infrastructure performance due to systems non-compliant with original DNS RFC 1035 (1987) • DNS authoritative servers requirements: – Avoid implementations or firewalls that drop DNS packets with EDNS extensions (1999) • DNS resolver: major open source DNS vendors released updates to stop accommodating non-standard responses (Bind, Knot, PowerDNS, Unbound) https://dnsflagday.net
  • 17. 17 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNS Flag Day [public] DNS authoritative servers: - Root DNS server - gTLD or ccTLD DNS server - Zone DNS server DNS forwarder [private] DNS (authoritative) server DNS resolver (DNS recursive server) DNS client (Stub resolver) Root TLD Zone
  • 18. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Practical Zone Signing
  • 19. 19 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Zone Registrar / Operator Signing time (DS) DNSSEC Algorithm DNSKEYs DS Addition raulsil.es A/A (Spain) 8 hours Established by registrar RSASHA1-NSEC3-SHA1 (7) ZSK + KSK Not tried dinosec.info B/B (World Wide) 15 mins Established by registrar ECDSA-P256/SHA256 (13) KSK Not tried siles.info B/B à B/C (Cloud) 15 mins Established by registrar ECDSA-P256/SHA256 (13) KSK à ZSK + KSK Very easy dinosec.es D/D (Spain/WW) - NO WAY! - NO WAY! Signing a DNS Zone - Multiple Examples • Activation process: • Simple: One button • Timing: A few minutes (5-15 mins) or hours (e.g. 8-12 hours) • Impossible • Lack of customization or detailed DNSSEC parameters or options 1 2 3 4
  • 20. 20 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com ICANN Encourages Complaining… https://forms.icann.org/en/resources/compliance/complaints/registrars/standards- complaint-form DNSSEC support required by ICANN for registrars with all available DS algorithm types (2014): 2013 RAA (Registrar Accreditation Agreement) https://www.icann.org/resources/pages/support-dnssec-ipv6-2014-01-29-en https://www.icann.org/registrar-reports/accredited-list.html Complain to ICANN
  • 21. 21 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Supported DNSSEC Signing Algorithms (RFC 6944 ) https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec
  • 22. 22 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Records and Signatures $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net www.raulsil.es +dnssec … www.raulsil.es. 3600 IN A 87.98.231.5 www.raulsil.es. 3600 IN RRSIG A 7 2 3600 20190319175117 20190217175117 33299 www.raulsil.es. 00I5xmLgMuxaaH/AX6y/KCNAE7x+iNUYcEa9hLIdnfj3KSKyeMa/puU9zqL81x jR5uI0DwIWjMBfUU1Egm8Wyx047jPQ+ANP2Ssdf7NwTpsVI9VOZrEMRmcxpjxi l1birMQm/M8ZJmgi+poZRnNwvTxCC7bjewmd56cSXyzJfAY= Signature validity period (start date & expiration date) Algorithm used Key ID
  • 23. 23 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Enabling DNSSEC (1/2) REGISTRAR “A” REGISTRAR “B”
  • 24. 24 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Enabling DNSSEC (2/2) REGISTRAR “C”
  • 25. 25 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSKEYs: 3 DNS Operators, 3 Signing Models $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY raulsil.es raulsil.es. 2835 IN DNSKEY 256 3 7 AwEAAeBQ29zEisimlv+ybOPYCTin4hrl1pCBDtz6nVFO/r2BY1Y7LAnuX3doSBZi9Z6OliMJ5NWqhvNUoUi1n3U4g hxGRf5i1P5qWfNZ5gLuwT2M5Yd4NoOAZnKlmdkGGLrqEiw45riNdB+/MbQwYozGr6tBE/4Kx1+M/UWkNnEi2HdZ raulsil.es. 2835 IN DNSKEY 257 3 7 AwEAAaX0kus7MxJGgo5zuTmflEPH2dJkgDGbvepfG8tBH8y8gw036eTBbJDPf9DoOBdV2MMRa9QLptpwHQtYssKtZ ooIFZxHv70UeQSKmSyz/1OCoUJXI5ahm7VU0AqfPcWC4B568gLv3LR7O47Syh+AJXvWUEE/uvK+chgEHqIE9j7v $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY dinosec.info ;; ANSWER SECTION: dinosec.info. 3601 IN DNSKEY 257 3 13 Ei8CWVmqMGXW/fpfihKoJl7xF70RZLhp3FspO0DGycb49sBZocMJMcixB6dx+WbvwPZak7QY78ytOjnkHdB22g== $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info siles.info. 3601 IN DNSKEY 257 3 13 h6RG7m0QEsIlpvpFpPNS+mlSOirDS+NQC41S/yG0wFd1WAT/mc2zEDtT8lJCC9aHgy6i8Bj01+cFwBQ05ke2IA== siles.info. 3600 IN DNSKEY 256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA== siles.info. 3600 IN DNSKEY 257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== A B B C
  • 26. 26 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DS Records $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY es +dnssec +multiline es. 65022 IN DNSKEY 256 3 8 ( AwEAAbdNeJQOckpcbVVTEHgKmHogfgezh6s6OrwZ m6uMgzC9KhrqAwIX6PDfd2MDflwSlmfRPsVm/dq5 BzzbXQFZINCb2fzCer9S1e9gQiRX6/L/xDGH9gYP rfU3eA1xB3RPgcfNRcvzAeAd3z3yylSBmWco2oHN QWNLQqGs6jpI27cZ ) ; ZSK, RSASHA256 (1024b), id = 489 $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS raulsil.es +dnssec raulsil.es. 43200 IN DS 34464 7 2 97880FA96BCF744FAC85F073FFBCA679F053393C834F7837F44D1BD0A0A9C686 raulsil.es. 86400 IN RRSIG DS 8 2 86400 20190329081541 20190315005946 489 es. qIYoNmkznp9gg53PNvoVkfGB3ytG+zFNAvrZVGDPvoc/Tx8z9D/3xWaK/p5l+yAbSB25UzPRlMXQ3TdmEzCUDAJz5LYTy 2Ly66xEsGjFi9yUGai4okSrIJdty6atlKpe78Qy6MGubKPUewDMOd7jhfKlIl2mP/UE8VZfbmp1tno= $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS dinosec.info +dnssec dinosec.info. 86170. IN DS 16285 13 1 74FFB23176C36384D454A5CB87E78D228094667E dinosec.info. 86170. IN RRSIG DS 7 2 86400 20190407153004 20190317143004 24332 info. foiwm18puMTPY610HxluGehc20ES1iClXToh7GzVGyO4EjzP5wmHhvgPLeD9fb0xcyi0QxX14Zc64fgSt9cqSw6eAwsQt gjAN4Djdz/nLMwp50T7cnQ1JHjpjxai5PdJqJ6j7069BVg46wWFlSsNyhsICTgXsJo0ljnofr5mKz8= A B TLD
  • 27. 27 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Case 3: “siles.info” DNS Operator Transfer (1/2) • Domain registered and operated by B • Zone operation transferred from operator B to operator C – Zone registration was not transferable initially from B to C since a minimum of 60 days is needed before a domain transfer request can be undertaken by the a new registrar – DNSSEC was previously enabled in B with just a KSK and ECDSA P256/SHA256 – DNSSEC was enabled in C with KSK and ZSK and ECDSA P256/SHA256
  • 28. 28 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Case 3: “siles.info” DNS Operator Transfer (2/2) Steps perfomed by zone owner at DNS provider’s managent console Registrar / Operator B Operator C 0) B is registrar and operator for zone 1) Zone operation requested by owner 2) NS provided by C 3) NS servers pointed to C’s: it takes hours for the change to be applied 4) DNSSEC disabled by B: DS(zone) removed from TLD 3) Owner requests enabling DNSSEC for the zone 4) C signs the zone: Since C knows the zone registrar is a third party, C provides the DS record for the zone 5) Zone owner manually adds DS record generated by C 6) B transfers DS record to TLD (.info) DNSSEC zone is now signed and operational again at C
  • 29. 29 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Case 3: siles.info (Steps 4 & 5) DS generation at C DS addition at B Hash(KSK) = DS KSK SEP
  • 30. 30 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com CDS and CDNSKEY: Simplifying DS Updates • RFC 8078 (March 2017) • KSK renewal through standard DNS mechanisms • New DS (and/or new DNSKEY) records are added to the child zone upon KSK renewal • Parent zone get news of child’s zone KSK renewal intention through: – Polling: parent zone polls child zones periodically – Pushing: child zone notifies parent zone of CDS/CDNSKEY avalibility • Pros: – KSK renewal independent of registrars • Cons: – Not “de facto” standards yet & Not mandatory (yet)
  • 31. 31 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Case 3: DNSSEC Records After Transfer to C $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec siles.info. 43200 IN DS 2371 13 2 4101DF3DCCE5291E11C450BBEBB16009378A11D0CF20C4B2E8842273025DC305 siles.info. 85653 IN RRSIG DS 7 2 86400 20190415152146 20190325142146 24332 info. cSM+n8J6gy0A5q5RgU7hdifJEtU1ZPsfPx89lEH1GCZ3EG7Wkymx3drkdGJ5uBEzXJfwue8CG0fQveSvVL3MheC/jz8 5KCCwXwyHtCmdJHjXcPrwFKyHWHNsSznLcn0zugeAYWJwxN0DDOmHmM15+rBbvdNZ8Q3b535c7PtdDes= $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DNSKEY siles.info +dnssec +multiline siles.info. 2949 IN DNSKEY 256 3 13 ( oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA== ) ; ZSK, ECDSAP256SHA256 (256b), id = 34505 siles.info. 2949 IN DNSKEY 257 3 13 ( mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== ) ; KSK, ECDSAP256SHA256 (256b), id = 2371 siles.info. 2949 IN RRSIG DNSKEY 13 2 3600 20190409082227 ( 20190208082227 2371 siles.info. 3QjU1QlBeQrhsJssRUJ3cBojHPon1hXJ80GT79gHYR3fMXLAE6f8vjLgTKBHb7PIyXvCU2LqgwqPYYbJHlJvog==) B TLD C $ kdig @9.9.9.9 +tls-ca +tls-host=dns.quad9.net -t DS siles.info +dnssec siles.info. 43115 IN DS 53189 13 1 419700DF0777F6839E2E368A1BAEF9044E8B30B7 C
  • 32. 32 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Tracking The Trust Chain (https://dnsviz.net) dinosec.info siles.info
  • 33. 33 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Root Zone TLD Database • Very interesting information through the “curl” command – All NS in the root zone: – All DS in the root zone: curl -s http://www.internic.net/domain/root.zone | awk '$4 == "DS" { print $1 " " $6 }' | uniq -c http://www.internic.net/domain/root.zone curl -s http://www.internic.net/domain/root.zone | awk '$4 == "NS" { print $1 " " $4 $5 }' | uniq -c
  • 34. 34 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Algorithm Number of TLDs 5 (RSA/SHA-1) 163 7 (RSA/SHA1-NSEC3) 551 8 (RSA/SHA-256) 2206 10 (RSA/SHA-512) 37 13 (ECC P-256) 6 Signing Algorithms Comparison • DNSSEC key types – RSA: Larger key length needed - Longer signatures • (5) RSA/SHA1 - not recommended (weak) • (7) RSASHA1-NSEC3-SHA1 - if NSEC3 is required to avoid zone enumeration • (8) RSA/SHA-256 – ECC: not currently supported by all TLDs - Small signatures and robust • (13) ECDSA Curve P-256 / SHA-256 • (14) ECDSA Curve P-384 / SHA-384 TLDs using ECC ccTLD Brazil .br Switzerland .ch Czech Republic .cz Liechtenstein .li Moldova .ld Niue (*New Zeland) .nu 0 in May ´18 1 in July ´18 2 in Dec ´18 6 in Mar ´19
  • 35. 35 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DANE: DNSSEC Beyond DNS • Most TLS-based services rely on an external CA • Problem: if that CA gets compromised and a new certificate is generated for a domain, all the services will be in danger • DNSSEC key signing schema advantages: – The key is associated to a domain (not to an entity identified by a chain of characters) – The keys are signed by the zone owner and the zone parent (not a single point of failure) • The trust anchor is defined in the resolver’s side for a single domain (“.”), not for hundreds of distinct CAs
  • 36. 36 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DANE: RFC 7673 DNS-Based Authentication of Named Entities • TLS certificates stored and signed within a specific DNS domain server – Minimum privilege: if keys are compromised, only services under that DNS hierarchy will be in danger – Certificates are tied to domain names through DNSSEC trust relationships • New DNS records to link TLS certificates with the domain – TLSA (Transport Layer Security Authentication) • Upon connection establishment, a TLS certificate is requested at the same time a DNSSEC query is launched to check the received certificate matches the received TLSA record TLSA FORMAT: port._tcp_protocol.domain _443._tcp.www.zone1.com (HTTPS) _25._tcp.mail.zone1.com (SMTPS)
  • 37. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Validation
  • 38. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Bits (or Flags)
  • 39. 39 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Bits (or Flags): Acronyms DO CD AD DOCDAD DOC DAD 2019 DNSSEC DNS
  • 40. 40 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Bits (or Flags): Traffic • Wireshark
  • 41. 41 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Bits (or Flags): Meaning • DO: DNSSEC OK – ”I do support DNSSEC, so I want to receive the DNSSEC records…” (RRSIGs) – https://tools.ietf.org/html/rfc4035#section-3.2.1 • CD: Checking Disabled – ”Do not take care of validating the response through DNSSEC, as I will validate it… Simply, send me the DNSSEC records." – https://tools.ietf.org/html/rfc4035#section-3.2.2 • AD: Authentic Data (or “Validated Data”) – ”All DNS records in this response are authentic, as I have already validated them…" – https://tools.ietf.org/html/rfc4035#section-3.2.3
  • 42. 42 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com The DO bit in DNSSEC • DO: "DNSSEC OK" – The resolver requests the DNSSEC records to be included in the response – If the DO bit is not set in the request, the DNSSEC records must be removed from the response • Unless explicitly requested https://tools.ietf.org/html/rfc3225#section-3 https://tools.ietf.org/html/rfc4035#section-3.2.1
  • 43. 43 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com The CD bit in DNSSEC • CD: Checking Disabled – The resolver can disable the DNSSEC validation (RRSIGs) in its own upstream “DNS server” (another resolver) – The CD bit in the query is reflected back in the response – The CD bit in the query is reflected in the associated upstream queries (recursive DNS resolution) – As a result, the response includes the non-validated DNSSEC records (to be validated locally) – Flexibility to establish who will validate the records and the criteria to apply (different time references, security islands, etc.) https://tools.ietf.org/html/rfc4035#section-3.2.2
  • 44. 44 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com The AD bit in DNSSEC • AD: Authentic (or Authenticated) Data – All the DNS records (RRSets) included in the Answer and Authority sections of the response are authentic (from the DNSSEC perspective) – If so, set the AD bit in the response – They have been validated by an upstream DNS resolver – Originally the AD bit was not set in requests, but… https://tools.ietf.org/html/rfc4035#section-3.2.3
  • 45. 45 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Managing the DNSSEC bits: DO, CD & AD (1/2) • RFC 4035: Protocol Modifications for the DNS Security Extensions – DO bit set in requests, to indicate the availability of DNSSEC support – CD bit set in requests between DNS clients and recursive servers • Who will take care of validating the responses? – The DO and CD bits are reflected back in the DNS responses based on its value in the associated DNS requests – AD bit set in responses between DNS clients and recursive servers • Is the response data (DNS records) authentic? • AD bit removed from requests: https://tools.ietf.org/html/rfc4035#section-4.6 – But later, in RFC 3655 and RFC 6840… https://tools.ietf.org/html/rfc4035
  • 46. 46 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Managing the DNSSEC bits: DO, CD & AD (2/2) • RFC 6840: Clarifications and Implementation Notes for DNS Security (DNSSEC) – DO bit must be ignored by DNS recursive servers in responses – AD bit set in requests to indicate interest in receiving the AD bit set in the associated response (meaning, “I want you to validate the response”) • Additionally to the DO bit already indicating DNSSEC support – “The AD bit MUST only be set if DNSSEC records have been requested via the DO bit…” • RFC 3655: Redefinition of DNS Authenticated Data (AD) bit – https://tools.ietf.org/html/rfc3655 – E.g. Bind 9.11.x does not set the AD bit in the requests (still following the previous RFC 4035) https://tools.ietf.org/html/rfc6840
  • 47. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Responses
  • 48. 48 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Responses • Valid (or correct) response – RCODE 0 (No Error: NOERROR) • DNSSEC validation error (by the resolver) – RCODE 2 (Server Failure: SERVFAIL) • dig: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL • Domain does not exist – RCODE 3 (Non-eXistent Domain: NXDOMAIN) • The DNS server refuses to answer the request – RCODE 5 (Refused: REFUSED) DNS Flags section: Reply Code (RCODE) - 4 bits DNSSEC is backwards compatible with DNS: Both worlds running simultaneously…
  • 49. 49 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Imagine you are already convinced and we all have deployed DNSSEC…
  • 50. 50 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com
  • 51. 51 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com April 1st, 2018
  • 52. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com CPE (Customer Premises Equipment)
  • 53. 53 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Testing 1.1.1.1 (or one.one.one.one) with the Local DNS Resolver… What about DNSSEC? Connecting to 1.1.1.1 through HTTP(S) you get the CPE (router) admin web interface, but it can resolve all DNS queries properly…
  • 54. 54 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Local Web and DNS Server at 1.1.1.1 $ nmap -sS -sU -p 53 -n --reason -A 1.1.1.1 Starting Nmap 7.60 ( https://nmap.org )... Nmap scan report for 1.1.1.1 Host is up, received echo-reply ttl 63 (0.0019s latency). PORT STATE SERVICE REASON VERSION 53/tcp open domain syn-ack ttl 63 dnsmasq 2.78 53/udp open domain udp-response ttl 63 dnsmasq 2.78 | dns-nsid: |_ bind.version: dnsmasq-2.78 |_dns-recursion: Recursion appears to be enabled ... Aggressive OS guesses: Linux 2.6.32 - 3.0 (96%), ... Network Distance: 2 hops TRACEROUTE (using port 53/tcp) HOP RTT ADDRESS 1 1.28 ms 172.16.8.1 2 2.62 ms 1.1.1.1 $
  • 55. 55 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com 1.0.0.0/8 Conflicts • Trying to reach 1.1.1.1 – https://blog.cloudflare.com/fixing-reachability-to-1-1-1-1-globally/ – https://community.cloudflare.com/t/have-problems-with-1-1-1-1-read-me-first/15902 • The 1.0.0.0/8 range was assigned to APNIC in 2010 – Previously it was not assigned, but that didn’t mean it was available (or reserved) for private usage (RFC 1918) • https://seclists.org/nanog/2010/Jan/776 • Multiple CPEs are using that IP address internally… • Multiple ISPs are using that IP address in their internal network… • Testing DNS Resolution in Spanish ISPs… – Thanks to some collaborators, we could test the DNS resolution for a few Spanish ISPs…: Thanks RootedCON, Román, José, Pedro, Jorge…!!!!
  • 56. 56 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com $ dig @8.8.8.8 +dnssec www.isoc.org. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48091 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;www.isoc.org. IN A ;; ANSWER SECTION: www.isoc.org. 9985 IN A 212.110.167.157 www.isoc.org. 9985 IN RRSIG A 7 3 86400 20180723085001 20180709085001 36614 isoc.org. BkflOYwNc6SOfTIs+miL2gxfYADI9JAf... pytdHBTQEzYs= ;; Query time: 1833 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Tue Jul 10 10:08:40 CEST 2018 ;; MSG SIZE rcvd: 225 $ dig @8.8.8.8 +dnssec www.isoc.org. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48091 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;www.isoc.org. IN ;; ANSWER SECTION: www.isoc.org. 9985 IN A 212.110.167.157 www.isoc.org. 9985 IN RRSIG A 7 3 86400 20180723085001 20180709085001 36614 isoc.org. BkflOYwNc6SOfTIs+miL2gxfYADI9JAf... pytdHBTQEzYs= ;; Query time: 1833 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Tue Jul 10 10:08:40 CEST 2018 ;; MSG SIZE rcvd: 225 Using Other DNS Public Resolvers with DNSSEC Support • Can you find the differences? J $ dig @8.8.8.8 +dnssec www.isoc.org. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31624 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.isoc.org. IN A ;; ANSWER SECTION: www.isoc.org. 13790 IN A 212.110.167.157 ;; Query time: 92 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Fri Jul 06 20:14:33 CEST 2018 ;; MSG SIZE rcvd: 57
  • 57. 57 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com www.example.com (& .org)
  • 58. 58 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Basic Mode • No DNS settings
  • 59. 59 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Expert Mode (1/2) • Internet – DNS & DDNS: • DNS Seguro – OFF que quiero que me interceptes todo el tráfico
  • 60. 60 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Expert Mode (2/2) • You cannot change the DNS servers!! • You can only see them… if you’re lucky J
  • 61. 61 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Getting Admin Mode and Researching
  • 62. 62 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Admin Mode (1/2) • Internet – DNS & DDNS: • EDNS0 – OFF • Secure DNS – OFF No significant changes
  • 63. 63 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Admin Mode (2/2) • Settings – LAN – IPv4: • DNS Proxy – ON (Setting not available in Expert Mode) No significant changes
  • 64. 64 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com CPE Internals (SSH) • Who is Disabling DNSSEC: CPE or ISP or …? • References to 1.1.1.1 or 1.0.0.1? # ps 630 admin 1412 S /usr/sbin/dnsmasq -u admin # ifconfig –a br0 Link encap:Ethernet HWaddr 00:01:02:03:04:05 inet addr:192.168.1.1 Bcast:192.168.1.255... br0:0 Link encap:Ethernet HWaddr 00:01:02:03:04:05 inet addr:1.1.1.1 Bcast:1.255.255.255... # iptables -t nat –L ... (no DNS or special IP addresses references)
  • 65. 65 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Who is Disabling DNSSEC: CPE or ISP? (1/3) Request:
  • 66. 66 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Who is Disabling DNSSEC: CPE or ISP? (2/3) Response:
  • 67. 67 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Who is Disabling DNSSEC: CPE or ISP? (3/3) • They are compatible with EDNS0 • They are selectively removing all DNSSEC flags!!!! • Let’s call it “Client-side DNSSEC Flag Day”!!!! – Selectively removing DNNSEC support from the client side! – If AD or DO flags are set in the query, they are removed from the response L – If CD flag is set in the query, it is removed from the response too, breaking RFC 4035 J • When using the CPE DNS resolvers (or 1.1.1.1) • Same scenario if ISP transparently intercepts all DNS traffic
  • 68. 68 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Client-Side DNSSEC Flag Day [public] DNS authoritative servers: - Root DNS server - gTLD or ccTLD DNS server - Zone DNS server DNS forwarder [private] DNS (authoritative) server DNS resolver (DNS recursive server) DNS client (Stub resolver) Root TLD Zone
  • 69. 69 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Final Conclusions (1/2) • “Secure DNS” enables a single iptables rule for DNS traffic • How to bypass it client-side and be able to use DNSSEC, at least with the public DNS resolvers (e.g. Quads)? – Use TCP (look at the iptables rule) J… or DoH or DoT – The traffic goes via TCP to the public DNS resolver # iptables -t nat –L ... DNAT udp -- 192.168.1.0/24 !www.evil.isp udp dpt:domain to:192.168.1.1:53 $ dig -t A www.dinosec.info +dnssec @9.9.9.9 +tcp DNSSEC reponse J
  • 70. 70 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Final Conclusions (2/2) • This UDP vs TCP difference does not apply to the ISP DNS resolvers (e.g. when “Secure DNS” is turned off) – They remove the DNSSEC flags for both, UDP and TCP • The only solution, if the transparent DNS proxies are not in the middle, is to force all clients to use a custom DNS resolver (public, or private, different from the CPE) – If the transparent DNS proxies are in the middle… $ dig -t A www.dinosec.info +dnssec +tcp No DNSSEC reponse L
  • 71. 71 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Wright’s Principle "Security won't get better until tools for practical exploration of the attack surface are made available." – Joshua Wright, 2011
  • 72. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Tool
  • 73. 73 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com dnssecchef • DNS/DNSSEC proxy tool by DinoSec (Python) – Fake DNS/DNSSEC responses (file or command line options) – TCP and UDP support • Based on dnschef (v0.3): https://github.com/iphelix/dnschef/ – Peter Kacherginsky (iPhelix) • Requires dnslib v0.9.10+: https://bitbucket.org/paulc/dnslib/ – Paul Chakravarti – Added support for DNSSEC flag getters/setters in v0.9.9 • Use it as a direct DNS server or as a transparent DNS proxy
  • 74. 74 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com DNSSEC Manipulation [public] DNS authoritative servers: - Root DNS server - gTLD or ccTLD DNS server - Zone DNS server DNS forwarder [private] DNS (authoritative) server DNS resolver (DNS recursive server) DNS client (Stub resolver) Root TLD Zone
  • 75. 75 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com dnssecchef Options • Multiple DNSSEC related options… $ sudo ./dnssecchef --nodnssec _ _ __ | | version 0.5 | | / _| __| |_ __ ___ ___ ___ ___ ___| |__ ___| |_ / _` | '_ / __|/ __|/ _ / __|/ __| '_ / _ _| | (_| | | | __ __ __/ (__| (__| | | | __/ | __,_|_| |_|___/|___/___|___|___|_| |_|___|_| (c) 2019 DinoSec monica@dinosec.com & raul@dinosec.com [*] DNSSECChef started on interface: 127.0.0.1 [*] Using the following nameservers: 8.8.8.8 [>] Disabling DNSSEC support completely... [*] No parameters were specified. Running in full proxy mode [*] DNSSECChef is running in both UDP and TCP modes (default) [*] ... By default, no DNSSEC changes (standard). --dnssec: Enable DNSSEC flags manipulation. --nodnssec: Disable DNSSEC support. --file=dnssecchef.ini Fake DNS responses.https://github.com/dinosec/dnssecchef
  • 76. 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Conclusions
  • 77. 77 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Nobody Said It Was Going To Be Easy or Costless… DNSSEC environment does not differ from real life: There are few people in the “right side”… And many more in the “wrong side” DNS Operators ISPs Obsolete network devicesREGISTRARs Non-RFC compliant resolvers Security unaware DNS domain holders Security aware DNS zone holders & responsible resolver administrators Great admin complexity
  • 78. 78 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com The One that Appeares to Be Bad… Turn out to be good!! And the wise people are on our side…
  • 79. 79 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com So We Know in the End… • Good will triumph and terror will be vanquished!!!!
  • 80. 80 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Who Do You Trust in the DNS World? • Preferred DNS resolver for privacy reasons: – Your ISP – “The Quads” (large public servers) • 8.8.8.8 • DNS Cloud providers – Small public servers – Your own https://twitter.com/raulsiles/status/1090003636510429185
  • 81. 81 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Thanks! • Implementing DNSSEC • “Capacidades de next-generation threat intelligence para red teams y purple teams, centradas en defenderse frente a APTs y amenazas híbridas, mediante soluciones big-data de sensores IoT en la nube basadas en deep y machine learning empleando blockchain y computación cuántica.”
  • 82. 82 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Spanish Collection of Proverbs “Quien a DNSSEC se arrima, buena firma le cobija…” “Quién sin DNSSEC se acuesta, suplantado se levanta…”
  • 83. 83 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com References
  • 84. 84 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com References • “To SEC or Not to SEC: DNS Question” – CCN-CERT. Dec 2018 – https://www.dinosec.com/en/lab.html#JornadasCCN-CERT2018 – https://www.youtube.com/watch?v=HmiK51kA1QY • Estudio del estado de DNSSEC en España – Oct 2018 – https://www.incibe-cert.es/guias-y-estudios/estudios/estudio-del-estado-dnssec-espana • Guía de implantación y buenas prácticas de DNSSEC – Oct 2018 – https://www.incibe-cert.es/guias-y-estudios/guias/guia-implantacion-y-buenas-practicas-dnssec • DNS over TLS (DoT) – RFC7858 – https://tools.ietf.org/html/rfc7858 – https://developers.cloudflare.com/1.1.1.1/dns-over-tls/ • DNS (Queries) over HTTPS (DoH) – RFC8484 – https://tools.ietf.org/html/rfc8484 – https://developers.cloudflare.com/1.1.1.1/dns-over-https/ – https://blog.apnic.net/2018/10/12/doh-dns-over-https-explained/ • "Sunrise DNS over TLS, sunset DNSSEC?" & "DNSSEC and DNS over TLS" (Aug 2018) – https://blog.apnic.net/2018/08/17/sunrise-dns-over-tls-sunset-dnssec/ – https://blog.apnic.net/2018/08/20/dnssec-and-dns-over-tls/
  • 85. www.d in o s e c.c o m @d in o s ec Mó n ic a S a la s mo n ic a @ d in o s e c .c o m R aú l S iles ra u l@ d in o s e c .c o m
  • 86. 86 2019 © Dino Security S.L. All rights reserved. Todos los derechos reservados. www.dinosec.com Questions? www.d in o s ec.co m @ d in o s e c