DNS Cookies: Weak Authentication for Queries and Responses

This document describes DNS Cookies, a method that provides weak authentication for DNS queries and responses. DNS Cookies are intended to greatly reduce attacks that rely on forged source IP addresses: traffic amplification DoS attacks, recursive server workload DoS attacks, and reply cache poisoning attacks.


Presentation Transcript


  1. DNS Cookies
     draft-eastlake-dnsext-cookies-01.txt
     Donald E. Eastlake 3rd
     Donald.Eastlake@motorola.com
     +1-508-786-7554
     IETF DNSEXT WG Cookies

  2. DNS Cookies
     • Provides weak authentication of queries and responses. Can be viewed as a weak version of TSIG.
     • No protection against “on-path” attackers, that is, no protection against anyone who can see the plain text queries and responses.
     • Requires no set-up or configuration.

  3. DNS Cookies (cont.)
     • Intended to greatly reduce
       • Forged source IP address traffic amplification DOS attacks.
       • Forged source IP address recursive server work load DOS attacks.
       • Forged source IP address reply cache poisoning attacks.

  4. The COOKIE OPT Option
     • A new Option to the OPT-RR

                             1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |        OPTION-CODE TBD        |      OPTION-LENGTH = 18       |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                   Resolver Cookie upper half                  |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                   Resolver Cookie lower half                  |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                    Server Cookie upper half                   |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |                    Server Cookie lower half                   |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |          Error Code           |
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
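As an added example (not code from the slides or the draft), the following Python encodes and decodes the COOKIE option exactly as laid out above, and goes one step further by walking a whole OPT-RR RDATA so that the option is found even when other options precede it and truncated data is rejected. The option code is a constructed placeholder because the slide leaves it TBD, and the numeric error-code values are assumptions; the slide only names the "Bad Cookie" error.

```python
import struct

# The slide's OPTION-CODE is "TBD"; this is a constructed placeholder for the
# example, not an assigned code point.
COOKIE_OPTION_CODE = 0xFFFE
COOKIE_OPTION_LENGTH = 18   # 8-byte Resolver Cookie + 8-byte Server Cookie + 2-byte Error Code
# Error Code values are assumed for the example; the slide only names "Bad Cookie".
ERR_NONE = 0
ERR_BAD_COOKIE = 1


class CookieOption:
    """One COOKIE option as laid out on the slide."""

    def __init__(self, resolver_cookie, server_cookie=b"\x00" * 8, error_code=ERR_NONE):
        if len(resolver_cookie) != 8 or len(server_cookie) != 8:
            raise ValueError("Resolver and Server Cookies are fixed 64-bit fields")
        if not 0 <= error_code <= 0xFFFF:
            raise ValueError("Error Code is a 16-bit field")
        self.resolver_cookie = bytes(resolver_cookie)
        self.server_cookie = bytes(server_cookie)
        self.error_code = error_code

    def pack(self):
        """Serialize as an OPT option: code, length, then the 18 payload bytes (network order)."""
        return struct.pack("!HH8s8sH", COOKIE_OPTION_CODE, COOKIE_OPTION_LENGTH,
                           self.resolver_cookie, self.server_cookie, self.error_code)

    @classmethod
    def from_payload(cls, payload):
        """Parse the 18 bytes that follow OPTION-CODE / OPTION-LENGTH."""
        if len(payload) != COOKIE_OPTION_LENGTH:
            raise ValueError("COOKIE option must carry exactly %d bytes" % COOKIE_OPTION_LENGTH)
        rc, sc, err = struct.unpack("!8s8sH", payload)
        return cls(rc, sc, err)

    def __eq__(self, other):
        return (isinstance(other, CookieOption)
                and (self.resolver_cookie, self.server_cookie, self.error_code)
                == (other.resolver_cookie, other.server_cookie, other.error_code))


def iter_opt_options(rdata):
    """Yield (code, payload) for each option in an OPT RR's RDATA, rejecting truncation."""
    pos = 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated option header at offset %d" % pos)
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("option %d claims %d bytes past end of RDATA" % (code, length))
        yield code, rdata[pos:pos + length]
        pos += length


def find_cookie_option(rdata):
    """Return the COOKIE option from an OPT RDATA, or None if absent; unknown options are skipped."""
    for code, payload in iter_opt_options(rdata):
        if code == COOKIE_OPTION_CODE:
            return CookieOption.from_payload(payload)
    return None


# Constructed sample: an unrelated option (code 0xFFFD, 3 bytes) followed by a COOKIE option.
SAMPLE_COOKIE = CookieOption(b"\x01\x02\x03\x04\x05\x06\x07\x08",
                             b"\xaa\xbb\xcc\xdd\xee\xff\x00\x11", ERR_BAD_COOKIE)
SAMPLE_OPT_RDATA = struct.pack("!HH3s", 0xFFFD, 3, b"xyz") + SAMPLE_COOKIE.pack()

if __name__ == "__main__":
    parsed = find_cookie_option(SAMPLE_OPT_RDATA)
    print(parsed.resolver_cookie.hex(), parsed.server_cookie.hex(), parsed.error_code)
```

The length check in from_payload matters in practice: a decoder that trusts OPTION-LENGTH and slices blindly will read beyond the option into whatever follows, so both the RDATA walker and the option parser refuse anything that is not exactly 18 bytes.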

  5. Resolver Warm Fuzzies
     • If DNS Cookies Enforced
       • Resolver puts a COOKIE in queries with
         • A Resolver Cookie that varies with server
           • Truncated HMAC(server-IP-address, resolver secret)
         • The Server Cookie the resolver has cached for that server, if it has one
       • Resolver ignores all replies that do not have the correct Resolver Cookie
       • Caches new Server Cookie and retries query if it gets a Bad Cookie error with a correct Resolver Cookie

  6. Simplified Server Warm Fuzzies
     • If DNS Cookies Enforced
       • Server puts a COOKIE in replies with
         • A Server Cookie that varies with resolver
           • Truncated HMAC(resolver-IP-address, server secret)
         • The Resolver Cookie if there was one in the corresponding query
       • If query received with bad or no Server Cookie, send back short error message

  7. Example
     The resolver's Resolver Cookie for this server is RC:123; the server's Server Cookie for this resolver is SC:789.

     Resolver                                          Server
       Query:        RC:123, SC:???, E:0     ---->
                 <----  ErrReply:  RC:123, SC:789, E:BadC
       (caches SC:789 and retries)
       Query:        RC:123, SC:789, E:0     ---->
                 <----  AnsReply:  RC:123, SC:789, E:0

     Forged traffic (Resolver Cookie RC:XYZ)
       ForgedQuery:  RC:XYZ, SC:???, E:0     ---->
                 <----  ErrReply:  RC:XYZ, SC:789, E:BadC   (short error message, no answer)
       ForgedReply:  RC:???, SC:???, E:0     ---->  Resolver ignores it (wrong Resolver Cookie)

  8. Complexities
     • Bad guy Resolver behind a NAT
       • Could get Server Cookie and attack other resolvers behind the NAT
       • Solution: Mix Resolver Cookie into Server Cookie hash so multiple resolvers that appear to be at the same IP address are distinguished
     • Anycast Servers
       • Need to use the same server secret or assure that queries from the same resolver usually go to the same server
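As an added example (not code from the slides or the draft), the following Python models slides 5 through 8 end to end: a resolver that derives its Resolver Cookie per server and ignores replies carrying the wrong one, a server that derives its Server Cookie per resolver and answers a bad or missing Server Cookie with a short error, the retry sequence of slide 7, and the slide 8 fix of mixing the Resolver Cookie into the Server Cookie hash so two resolvers behind one NAT address get different cookies. HMAC-SHA256 truncated to 64 bits is an assumption (the slides say only "truncated HMAC"); the secrets, addresses, error-code value and class and method names are all constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

ERR_NONE = 0
ERR_BAD_COOKIE = 1   # assumed numeric value for the slide's "Bad Cookie" error

# A query or reply as the slides draw it: (Resolver Cookie, Server Cookie or None, Error Code).
Message = Tuple[bytes, Optional[bytes], int]


def truncated_hmac(secret: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts, truncated to the 64-bit cookie field (assumed)."""
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()[:8]


class Server:
    """Slide 6 behaviour, with the slide 8 fix of mixing the Resolver Cookie into the hash."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.answers_sent = 0   # full answers, i.e. the work a forger would want amplified

    def server_cookie(self, resolver_ip: str, resolver_cookie: bytes) -> bytes:
        # Slide 6 alone uses HMAC(resolver-IP-address, server secret); including the
        # Resolver Cookie distinguishes hosts that share one NAT address (slide 8).
        return truncated_hmac(self.secret, resolver_ip.encode(), resolver_cookie)

    def handle_query(self, src_ip: str, rc: bytes, sc: Optional[bytes]) -> Message:
        expected = self.server_cookie(src_ip, rc)
        if sc is None or not hmac.compare_digest(sc, expected):
            # Bad or missing Server Cookie: short error reply carrying the right one.
            return (rc, expected, ERR_BAD_COOKIE)
        self.answers_sent += 1
        return (rc, expected, ERR_NONE)


class Resolver:
    """Slide 5 behaviour."""

    def __init__(self, secret: bytes, ip: str):
        self.secret = secret
        self.ip = ip
        self.cached_sc: Dict[str, bytes] = {}   # server IP -> last Server Cookie learned
        self.ignored_replies = 0

    def resolver_cookie(self, server_ip: str) -> bytes:
        return truncated_hmac(self.secret, server_ip.encode())

    def accept_reply(self, server_ip: str, reply: Message) -> Optional[int]:
        """Error code of an accepted reply; None when the Resolver Cookie is wrong (ignored)."""
        rc, sc, err = reply
        if not hmac.compare_digest(rc, self.resolver_cookie(server_ip)):
            self.ignored_replies += 1
            return None
        if err == ERR_BAD_COOKIE and sc is not None:
            self.cached_sc[server_ip] = sc   # cache the new Server Cookie before retrying
        return err

    def query(self, server_ip: str, server: Server, seen_as: Optional[str] = None) -> Optional[int]:
        """One query, retried once on Bad Cookie; seen_as models the address a NAT presents."""
        rc = self.resolver_cookie(server_ip)
        err = None
        for _ in range(2):
            reply = server.handle_query(seen_as or self.ip, rc, self.cached_sc.get(server_ip))
            err = self.accept_reply(server_ip, reply)
            if err != ERR_BAD_COOKIE:
                break
        return err


def run_exchange() -> Dict[str, object]:
    """Replay slide 7 plus the slide 8 NAT case; secrets and addresses are constructed."""
    server_ip = "192.0.2.53"
    server = Server(secret=b"constructed-server-secret")
    resolver = Resolver(secret=b"constructed-resolver-secret", ip="198.51.100.7")

    first = resolver.query(server_ip, server)    # BadC, cache SC, retry, answered
    second = resolver.query(server_ip, server)   # cached SC is right the first time

    # Forged query spoofing the resolver's address with a made-up Resolver Cookie:
    # the server's reply is the short error, not a full answer.
    forged_query = server.handle_query("198.51.100.7", b"XYZXYZXY", None)
    # Forged reply to the resolver carrying a guessed Resolver Cookie: ignored.
    forged_reply = resolver.accept_reply(server_ip, (b"\x00" * 8, b"\x00" * 8, ERR_NONE))

    # Two resolvers behind one NAT: the server sees the same address for both.
    nat_a = Resolver(b"secret-a", "10.0.0.2")
    nat_b = Resolver(b"secret-b", "10.0.0.3")
    nat_a.query(server_ip, server, seen_as="203.0.113.5")
    nat_b.query(server_ip, server, seen_as="203.0.113.5")

    return {
        "first_query": first,
        "second_query": second,
        "answers_sent": server.answers_sent,
        "forged_query_error": forged_query[2],
        "forged_reply_accepted": forged_reply is not None,
        "ignored_replies": resolver.ignored_replies,
        "nat_cookies_differ": nat_a.cached_sc[server_ip] != nat_b.cached_sc[server_ip],
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(name, value)
```

Neither side keeps per-peer state beyond the resolver's cached Server Cookie: both cookies are recomputed from a secret and the peer address, which is what lets the scheme run with no set-up. The comparisons use hmac.compare_digest so that cookie checking itself does not leak timing information. Because the Server Cookie here already includes the Resolver Cookie, the forged query in the replay gets a Server Cookie bound to the forger's own cookie rather than the slide 7 value shared by everyone at that address.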
