
Modeling DNS Security: Misconfiguration, Availability, and Visualization

Casey Deccio

Sandia National Laboratories

BYU Computer Science Dept. Colloquium

Sep 9, 2010

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.


Criticality of the DNS

  • The DNS is the “phone book” for the Internet

    • Domain name to IP address translation

    • Mail server lookup

    • Service discovery

  • Most Internet applications rely on DNS name resolution

[Figure: a query "www.foo.com/A ?" answered with 192.0.2.16]


Availability and security

  • DNS must be both available and accurate

  • Security was added as a retrofit

    • Security increases complexity

    • Troubleshooting is difficult

  • Misconfigurations abound, rendering name resolution unavailable

    • Examples: medicare.gov, nasa.gov, arpa


Objectives

Establish model and metrics for assessing availability of DNSSEC deployments

Quantify complexity that may increase potential for DNSSEC misconfiguration

Introduce techniques to mitigate effects of misconfiguration



Outline

  • DNS/DNSSEC background

  • DNSSEC availability model

  • DNS complexity analysis

  • Misconfiguration mitigation

  • DNSSEC visualization

  • Summary and future work


DNS namespace

  • Namespace is organized hierarchically

  • DNS root is top of namespace

  • Zones are autonomously managed pieces of DNS namespace

  • Subdomain namespace is delegated to child zones

[Figure: namespace tree with the root (.) at the top, com and net beneath it, bar.com and foo.com under com, and baz.net under net]


DNS name resolution

  • Resolvers query authoritative servers

  • Queries begin at root zone, resolvers follow downward referrals

  • Resolver stops when it receives authoritative answer

[Figure: a stub resolver sends "www.bar.com/A ?" to a recursive resolver, which follows referrals from the root (.) to com to the bar.com authoritative servers and returns the answer 192.0.2.16]


DNS attacks

  • Tainted DNS responses can direct users to malicious services

  • To forge DNS responses:

    • Guess query ID and UDP source port

    • Arrive before legitimate response

  • Attacker's success rate is increased by:

    • Eliciting queries of the resolver

    • Sending large number of responses

[Figure: while the recursive resolver's query "www.bar.com/A ?" to the bar.com authoritative servers is outstanding, an attacker races a forged response ("Answer: ??") to the resolver; the stub resolver receives whatever the recursive resolver accepts]


Dns security extensions dnssec
DNS Security Extensions (DNSSEC) Visualization

  • DNS data signed with private keys for authentication

  • Signatures (RRSIGs) and public keys (DNSKEYs) published in zone data

  • Resolver response

    • If authentic: Authenticated data (AD) bit is set

    • If bogus: SERVFAIL message is returned

[Figure: the stub resolver queries "www.bar.com/A ?"; the recursive/validating resolver asks the bar.com authoritative server for www.bar.com/A (answer 192.0.2.16 plus RRSIG) and for bar.com/DNSKEY (answer DNSKEY plus RRSIG), validates, and returns 192.0.2.16 to the stub with the AD bit set]


Chain of trust

[Figure: the resolver holds a trust anchor for the root (.) DNSKEY]

  • DNSKEY must be authenticated

  • Resolver must have some notion of trust

  • Trust extends through ancestry to a trust anchor at resolver

  • DS resource record – provides digest of DNSKEY in child zone

[Figure, continued: each zone's DNSKEY signs its zone data and the DS it publishes for its child: . (DNSKEY, zone data, DS) → com (DNSKEY, zone data, DS) → bar.com (DNSKEY, zone data)]
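The DS-to-DNSKEY link above is the only place where the parent vouches for the child, so it is worth seeing exactly what a validator compares. The following Python is an added example, not code from the slides or from DNSViz: it builds a DNSKEY RDATA, computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4; digest type 2 is SHA-256 per RFC 4509), and performs the match a validator does when it walks from a DS in the parent to a DNSKEY in the child. The owner name bar.com, the flags, and the two-byte "public key" are constructed sample values.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the root label (a single zero byte)."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5).
    It is only a hint for choosing candidate keys, not a security property."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


# DS digest types the example understands: 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGORITHMS = {1: hashlib.sha1, 2: hashlib.sha256}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), as uppercase hex."""
    hasher = DIGEST_ALGORITHMS[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA fields as the parent publishes them: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds: tuple, owner: str, rdata: bytes) -> bool:
    """The link check in the chain of trust: a DS authenticates a child DNSKEY only if
    key tag, algorithm and digest all agree. When no DS/DNSKEY pair matches, the
    delegation is in the "no DNSKEY in child matching any DS in parent" state."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGEST_ALGORITHMS:
        return False  # unknown digest type: this DS cannot authenticate anything
    return (tag == key_tag(rdata)
            and algorithm == rdata[3]
            and digest.upper() == ds_digest(owner, rdata, digest_type))


# Constructed sample: a KSK (flags 257 = ZONE + SEP) for bar.com with a dummy 2-byte key.
SAMPLE_KEY = dnskey_rdata(flags=257, protocol=3, algorithm=8, public_key=b"\x01\x02")
SAMPLE_DS = make_ds("bar.com", SAMPLE_KEY)

if __name__ == "__main__":
    print("key tag:", key_tag(SAMPLE_KEY))
    print("DS:", SAMPLE_DS)
    print("matches:", ds_matches_dnskey(SAMPLE_DS, "bar.com", SAMPLE_KEY))
```

The owner name is part of the digest input, which is why a DS copied from one delegation never matches the same key under a different name, and why a key rollover in the child that is not mirrored by a DS change in the parent breaks the link.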


Insecure delegations

[Figure: the resolver holds a trust anchor for the root (.) DNSKEY]

  • If child zone is unsigned, resolver must be able to prove it is insecure

  • NSEC resource records provide proof of absence of DS

[Figure, continued: . (DNSKEY, zone data, DS) → net (DNSKEY, zone data, NSEC in place of a DS) → baz.net (unsigned zone data)]


DNSSEC maintenance

  • RRSIGs must be periodically resigned to prevent expiration

  • DNSKEYs must be periodically rolled (replaced) to avoid prolonged exposure

  • Rollovers involving DS RRs must be coordinated with parent zones

  • Authoritative servers must serve consistent data



Outline

  • DNS/DNSSEC background

  • DNSSEC availability model

  • DNS complexity analysis

  • Misconfiguration mitigation

  • DNSSEC visualization

  • Summary and future work


Classes of DNSSEC misconfiguration

  • Zone misconfigurations

    • Missing, expired, or bogus RRSIG

    • Missing DNSKEYs

  • Delegation misconfigurations

    • No DNSKEY in child matching any DS in parent

    • Missing NSEC RRs for insecure delegation

  • Trust anchor misconfiguration

    • Stale trust anchor at resolver


Failure potential

  • Probability of bogus validation

  • Based on fraction of responsive authoritative servers serving bogus or incomplete data

    • Resolvers will retry if server non-responsive

    • Not all resolvers will retry if a server responds with bogus data

  • Assumption: resolver queries any authoritative server with equal probability

[Figure: the recursive/validating resolver querying bar.com's authoritative servers, each of which is valid, bogus, or non-responsive]


Failure potential

  • Formula extends to chain of trust in ancestor zones

  • Failure potential of each zone is combined independently of one another

[Figure: the recursive/validating resolver querying the authoritative servers of ., com, and bar.com]
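The two failure-potential slides describe the model in words; the Python below is an added worked example (not the slides' own code or survey data) that carries the same model through. It follows the stated assumptions: the resolver picks any authoritative server with equal probability, non-responsive servers are retried and therefore excluded, and a zone's failure potential is the fraction of responsive servers that serve bogus or incomplete data. Zones in the chain of trust are combined independently, so the chain fails unless every zone validates. The `retries` parameter goes beyond the slides: it models the validation diligence discussed later in the deck (a resolver that tries another server after bogus data), under the assumption that each retry is an independent draw. The per-server statuses are constructed sample values.

```python
# Constructed per-server observations for each zone in the chain of trust
# (sample data, not the deployment survey's). Each entry is one authoritative server.
CHAIN = {
    ".":       ["valid"] * 13,
    "com":     ["valid"] * 12 + ["nonresponsive"],
    "bar.com": ["valid", "bogus", "nonresponsive", "valid"],
}


def zone_failure_potential(statuses):
    """Probability that one query to this zone returns data that fails validation:
    the fraction of *responsive* servers serving bogus or incomplete data.
    Non-responsive servers are left out because the resolver retries past them."""
    responsive = [s for s in statuses if s != "nonresponsive"]
    if not responsive:
        return 1.0  # nothing answers at all: resolution cannot succeed
    return sum(1 for s in responsive if s == "bogus") / len(responsive)


def chain_failure_potential(chain, retries=1):
    """Combine per-zone failure potentials independently across the chain of trust.
    Resolution succeeds only if every zone in the ancestry validates, so
    P(failure) = 1 - prod(1 - p_zone).
    retries=1 is the slides' base model (no retry after bogus data). With retries > 1
    (assumed extension: validation diligence, independent draws), a zone fails only if
    every attempt hits a bogus server, i.e. p_zone ** retries."""
    p_success = 1.0
    for statuses in chain.values():
        p_zone = zone_failure_potential(statuses) ** retries
        p_success *= 1.0 - p_zone
    return 1.0 - p_success


def failure_report(chain, retries=1):
    """Per-zone breakdown plus the combined figure, the shape a monitor would emit."""
    report = {zone: zone_failure_potential(s) for zone, s in chain.items()}
    report["chain"] = chain_failure_potential(chain, retries)
    return report


if __name__ == "__main__":
    for zone, potential in failure_report(CHAIN).items():
        print(f"{zone:>8}: {potential:.3f}")
    print(f"with one retry on bogus data: {chain_failure_potential(CHAIN, retries=2):.3f}")
```

With the sample data, bar.com alone contributes 1/3, and since the root and com are clean the chain figure is also 1/3; one bogus server out of two responsive ones in com pushes the chain to 2/3, which is how a single misconfigured ancestor dominates the availability of everything beneath it.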


DNSSEC Deployment Survey

  • Polled ~1500 production signed zones over a six-week period

  • Recorded validation errors resulting from misconfiguration



Outline

  • DNS/DNSSEC background

  • DNSSEC availability model

  • DNS complexity analysis

  • Misconfiguration mitigation

  • DNSSEC visualization

  • Summary and future work


Complexity analysis

  • Complexity creates potential for misconfiguration

  • Hierarchical complexity:

    • Size of ancestry (zone depth)

  • Administrative complexity:

    • Servers administered by distinct organizations

[Figure: the ancestry of bar.com: . → com → bar.com]


Hierarchical reduction potential

  • If ancestry might reasonably be consolidated, what is the reduction?

  • Ancestry reduced, but original namespace can be preserved

[Figure: the ancestry . → com → bar.com → sub.bar.com and its consolidated form . → com → bar.com, giving a reduction potential of 0.25]


Administrative Complexity

  • How diverse is the set of organizations administering a zone?

  • Complexity measured by random sampling (with replacement) of authoritative servers to determine the probability that two distinct organizations are selected

[Figure: bar.com served by ns.bar.com and me.baz.net, giving an administrative complexity of 0.5]
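The two complexity metrics on the preceding slides are given as figures (0.25 and 0.5) without the arithmetic. The Python below is an added example, not the slides' own code, that reproduces both from their definitions. Two points are my interpretation rather than something the slides spell out: the hierarchical reduction potential is taken as the fraction of the ancestry removed by consolidation (four zones down to three gives 1 - 3/4 = 0.25), and organizations are supplied as an explicit mapping per server, since a server's name alone does not reliably identify who administers it. The zone lists and the organization labels are constructed sample values.

```python
from collections import Counter


def hierarchical_complexity(ancestry):
    """Size of the ancestry: the number of zones from the root down to the zone itself.
    Zone cuts are given explicitly because they cannot be read off a name's labels."""
    return len(ancestry)


def hierarchical_reduction_potential(ancestry, consolidated):
    """Fraction of the ancestry removed when intermediate zones are consolidated while
    the original names are preserved (sub.bar.com's names served from bar.com).
    Assumed reading of the slide: 4 zones -> 3 zones gives 1 - 3/4 = 0.25."""
    if not consolidated or consolidated[0] != ancestry[0]:
        raise ValueError("consolidated ancestry must still start at the same root")
    if len(consolidated) > len(ancestry):
        raise ValueError("consolidation cannot add zones")
    return 1 - len(consolidated) / len(ancestry)


def administrative_complexity(servers):
    """servers maps each authoritative server name to its administering organization.
    Draw two servers with replacement, each equally likely; return the probability that
    the two draws come from different organizations, which is 1 - sum(f_org ** 2)."""
    counts = Counter(servers.values())
    total = sum(counts.values())
    return 1 - sum((c / total) ** 2 for c in counts.values())


# Constructed sample matching the figures on the slides.
SUB_BAR_COM_ANCESTRY = [".", "com", "bar.com", "sub.bar.com"]
CONSOLIDATED = [".", "com", "bar.com"]
BAR_COM_SERVERS = {"ns.bar.com": "bar.com operator", "me.baz.net": "baz.net operator"}

if __name__ == "__main__":
    print("zone depth of sub.bar.com:", hierarchical_complexity(SUB_BAR_COM_ANCESTRY))
    print("reduction potential:", hierarchical_reduction_potential(SUB_BAR_COM_ANCESTRY, CONSOLIDATED))
    print("administrative complexity of bar.com:", administrative_complexity(BAR_COM_SERVERS))
```

The administrative figure is the same quantity as the Gini-Simpson diversity index over organizations, so it rises toward 1 as servers are spread over more, equally sized operators, and is 0 when a single organization runs every server.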




Outline

  • DNS/DNSSEC background

  • DNSSEC availability model

  • DNS complexity analysis

  • Misconfiguration mitigation

  • DNSSEC visualization

  • Summary and future work


Avoiding and mitigating effects of misconfiguration

  • Follow best practice operational standards (RFCs)

    • Key rollover procedures

    • Trust anchor rollover procedures

  • Validation diligence

    • Resolver keeps trying alternative authoritative servers to find valid response

    • Optimality can be difficult – where is the break in the chain?

    • Implemented in BIND 9


Soft anchoring

[Figure: the root (.) DNSKEY, covered by the resolver's hard anchor]

  • DNSKEYs typically don’t change often

  • Resolvers configured with “hard” (traditional) trust anchors

  • “Soft” anchors are derived from DNSKEYs authenticated from existing hard anchors

[Figure, continued: . (zone data, DS) → com (DNSKEY, zone data, DS) → bar.com (DNSKEY, zone data); the resolver holds a hard anchor for the root and soft anchors derived for the com and bar.com DNSKEYs]


Impact of soft anchoring

[Figure: the root (.) DNSKEY, covered by the resolver's hard anchor]

  • Resolution not inhibited by:

    • zone-class misconfigurations in ancestry

    • delegation-class misconfigurations

[Figure, continued: the same chain, . → com → bar.com, with the resolver's hard anchor at the root and soft anchors at com and bar.com; a misconfiguration in the root or com, or in the delegation to bar.com, no longer lies on the validation path]
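To show why a soft anchor bypasses zone-class and delegation-class misconfigurations in the ancestry, and where it stops helping, here is an added Python model (not the slides' code or any resolver's implementation). It reduces each zone to a single boolean, `link_ok[zone]`: True when that zone's DNSKEY RRset, its RRSIGs, and the DS (or NSEC proof) it publishes for the next zone down all validate. The resolver starts from the deepest zone in the ancestry for which it holds an anchor, hard or soft, so any broken link above that anchor never enters the validation path. Soft anchors are derived only from zones that currently authenticate through a valid chain from a hard anchor, which is the slides' precondition that they be learned before the misconfiguration appears. Zone names and statuses are constructed.

```python
# Ancestry of names under bar.com, root first (constructed sample).
ANCESTRY = [".", "com", "bar.com"]


def validate(ancestry, link_ok, anchors):
    """Validate a name whose chain of trust is `ancestry`.
    link_ok[zone]: True when the zone's DNSKEY, RRSIGs and the DS/NSEC it publishes
    for its child all validate.
    anchors: zones whose DNSKEY the resolver trusts directly (hard or soft).
    Returns (status, anchor_zone_used); status is secure, bogus or insecure."""
    anchored = [i for i, zone in enumerate(ancestry) if zone in anchors]
    if not anchored:
        return ("insecure", None)  # no anchor covers this name, nothing to validate against
    start = anchored[-1]  # deepest anchor: everything above it is skipped
    for zone in ancestry[start:]:
        if not link_ok.get(zone, False):
            return ("bogus", ancestry[start])
    return ("secure", ancestry[start])


def derive_soft_anchors(ancestry, link_ok, hard_anchors):
    """Soft anchors are the DNSKEYs that authenticate *right now* through a valid chain
    from a hard anchor. Walk down from the deepest hard anchor; each zone whose data
    validates authenticates its child's DNSKEY, which then qualifies as a soft anchor."""
    anchored = [i for i, zone in enumerate(ancestry) if zone in hard_anchors]
    if not anchored:
        return set()
    soft = set()
    for i in range(anchored[-1], len(ancestry)):
        if not link_ok.get(ancestry[i], False):
            break  # chain broken here: nothing below can be authenticated today
        if i + 1 < len(ancestry):
            soft.add(ancestry[i + 1])
    return soft


def scenario():
    """Walk the situations the slides describe and return each outcome."""
    healthy = {".": True, "com": True, "bar.com": True}
    hard = {"."}
    soft = derive_soft_anchors(ANCESTRY, healthy, hard)  # learned while all is well

    com_broken = dict(healthy, com=False)          # expired RRSIG or bad DS in com
    bar_broken = dict(healthy, **{"bar.com": False})  # break at the bottom link
    return {
        "healthy, hard anchor only": validate(ANCESTRY, healthy, hard),
        "com broken, hard anchor only": validate(ANCESTRY, com_broken, hard),
        "com broken, with soft anchors": validate(ANCESTRY, com_broken, hard | soft),
        "com broken, soft anchors learned too late":
            validate(ANCESTRY, com_broken, hard | derive_soft_anchors(ANCESTRY, com_broken, hard)),
        "bar.com broken, with soft anchors": validate(ANCESTRY, bar_broken, hard | soft),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:45s} -> {result}")
```

The last two scenarios are the limitations slide in code: a soft anchor derived after com broke reaches only com itself and still fails, and a break at bar.com, the bottom link, fails regardless of how many anchors sit above it.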


Maintaining soft anchors

  • Resolvers follow procedure similar to that used for rolling hard trust anchors (RFC 5011)

  • Resolver periodically polls soft anchor zone

  • Soft anchor addition:

    • Newly authenticated DNSKEYs persist for “hold down” period

    • New DNSKEY seen with corresponding DS

  • Soft anchor removal:

    • Delegation to soft anchor made insecure

    • DNSKEY is revoked

    • DNSKEY and its DS RR are removed
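The addition and removal rules above read naturally as a small state machine driven by each poll of the soft-anchor zone. The Python below is an added example, not the slides' code or an RFC 5011 implementation: it keeps a hold-down timer per candidate key and applies the slide's three removal triggers (delegation made insecure, key revoked, key and its DS both gone). Key tags, the hold-down length, and the timeline in the usage block are constructed; RFC 5011's hold-down default of 30 days is used only as a plausible value.

```python
HOLD_DOWN = 30 * 24 * 3600  # constructed hold-down period in seconds (RFC 5011 defaults to 30 days)


class SoftAnchorSet:
    """Soft trust anchors for one zone, maintained from periodic polls of its DNSKEY RRset."""

    def __init__(self):
        self.anchors = set()  # key tags currently usable as soft anchors
        self.pending = {}     # key tag -> time first seen authenticated (hold-down start)

    def poll(self, now, authenticated, with_ds, revoked, delegation_secure=True):
        """Apply one poll and return the current anchor set.
        authenticated: key tags in the DNSKEY RRset that validated via existing anchors
        with_ds: key tags that have a corresponding DS in the parent
        revoked: key tags carrying the REVOKE flag
        delegation_secure: False when the parent now proves the delegation insecure"""
        if not delegation_secure:
            # Removal 1: delegation made insecure. Nothing below it can be anchored.
            self.anchors.clear()
            self.pending.clear()
            return self.anchors

        for tag in list(self.anchors):
            # Removal 2: key revoked. Removal 3: key and its DS both removed.
            if tag in revoked or (tag not in authenticated and tag not in with_ds):
                self.anchors.discard(tag)

        for tag in authenticated:
            if tag in revoked or tag in self.anchors:
                continue
            # Addition: a newly authenticated key must persist through the hold-down
            # period *and* have a matching DS before it is promoted to a soft anchor.
            first_seen = self.pending.setdefault(tag, now)
            if tag in with_ds and now - first_seen >= HOLD_DOWN:
                self.anchors.add(tag)
                del self.pending[tag]

        for tag in list(self.pending):
            # A candidate that vanished or was revoked before promotion starts over.
            if tag not in authenticated or tag in revoked:
                del self.pending[tag]
        return self.anchors


if __name__ == "__main__":
    # Constructed timeline: publish key 1000, wait out the hold-down, pre-publish 2000,
    # add its DS, then revoke 1000.
    state = SoftAnchorSet()
    t0 = 1_000_000
    for when, keys, ds, rev in [
        (t0, {1000}, {1000}, set()),
        (t0 + HOLD_DOWN, {1000}, {1000}, set()),
        (t0 + 2 * HOLD_DOWN, {1000, 2000}, {1000}, set()),
        (t0 + 3 * HOLD_DOWN, {1000, 2000}, {1000, 2000}, set()),
        (t0 + 3 * HOLD_DOWN + 1, {1000, 2000}, {1000, 2000}, {1000}),
    ]:
        print(f"t+{(when - t0) // 86400:3d}d anchors={sorted(state.poll(when, keys, ds, rev))}")
```

The hold-down is what keeps a single bogus-but-validating poll (for example, during a compromise of one authoritative server) from instantly minting a new anchor; the "and its DS" condition on removal keeps a transient DNSKEY outage from evicting an anchor the parent still vouches for.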


Soft anchoring limitations

  • Doesn’t help when misconfigurations are at or below the bottom “link” in the chain of trust

  • Resolver must have authenticated soft anchors through valid chain of trust before misconfiguration

  • Scalability

    • Maintenance overhead of all trust anchors may be intense

    • Least-recently used policy may help


Outline

  • DNS/DNSSEC background

  • DNSSEC availability model

  • DNS complexity analysis

  • Misconfiguration mitigation

  • DNSSEC visualization

  • Summary and future work


DNSSEC Visualization

  • Live analysis of DNS authentication chain at: http://dnsviz.net/


arpa: the "root" of reverse name resolution

[Figure: DNSViz graph for arpa, showing an RRSIG expired, invalidating the NSEC necessary to prove an insecure delegation]




[Figure: DNSViz graph for medicare.gov, showing RRSIGs missing the appropriate DNSKEY, resulting in a broken delegation]



Outline

  • DNS/DNSSEC background

  • DNSSEC availability model

  • DNS complexity analysis

  • Misconfiguration mitigation

  • DNSSEC visualization

  • Summary and future work


Summary

DNS responses must be both accurate and available

DNSSEC requires careful deployment and maintenance

Soft anchoring can mitigate effects of misconfiguration

DNSSEC visualization helps understanding and troubleshooting



Future work

  • Internet draft of soft anchoring to gain community support

  • Improved usability of DNS visualization tool

    • Monitoring and alerting

    • Better analysis of server inconsistencies


Acknowledgements

  • Jeff Sedayao, Krishna Kant at Intel Corporation

  • Prasant Mohapatra at UC Davis


Questions?

  • [email protected]


Visualization components

[Figure: legend of graph node types]

  • Domain name

  • DNSKEY/DS RR, with DNSKEY attributes: SEP, Revoke, Published (or Missing)

  • Trust anchor (or Missing)

  • NSEC proving non-existence of DS RRs (insecure delegation)


Visualization components

[Figure: legend of graph edge types]

  • Alias dependency

  • Signature or digest: Valid, Bogus, Expired, Missing

  • Delegation: Secure, Bogus, Insecure, Misconfigured

  • Proof of insecure delegation: Sufficient, Insufficient


The bottom line

  • Status of nodes in graph, based on chain of trust

    • Secure

    • Bogus

    • Insecure

