modeling dns security: misconfiguration, availability, and visualization
DESCRIPTION
Modeling DNS Security: Misconfiguration, Availability, and Visualization. Casey Deccio Sandia National Laboratories. BYU Computer Science Dept. Colloquium Sep 9, 2010. - PowerPoint PPT PresentationTRANSCRIPT
Modeling DNS Security: Misconfiguration, Availability,
and VisualizationCasey Deccio
Sandia National Laboratories
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.
BYU Computer Science Dept. Colloquium
Sep 9, 2010
Criticality of the DNS
The DNS is the “phone book” for the Internet Domain name to IP
address translation Mail server lookup Service discovery
Most Internet applications rely on DNS name resolution
2
Query: www.foo.com/A ?Query: www.foo.com/A ?
Answer: 192.0.2.16Answer: 192.0.2.16
Availability and security
DNS must be both available and accurate
Security was added as a retrofit Security increases complexity Troubleshooting is difficult
Misconfigurations abound, rendering name resolution unavailable Examples:
medicare.gov, nasa.gov, arpa
3
4
Objectives
Establish model and metrics for assessing availability of DNSSEC deployments
Quantify complexity that may increase potential for DNSSEC misconfiguration
Introduce techniques to mitigate effects of misconfiguration
Query: www.foo.com/A ?Query: www.foo.com/A ?
Answer: 192.0.2.16Answer: 192.0.2.16
Outline
DNS/DNSSEC background DNSSEC availability model DNS complexity analysis Misconfiguration mitigation DNSSEC visualization Summary and future work
5
DNS namespace
Namespace is organized hierarchically
DNS root is top of namespace
Zones are autonomously managed pieces of DNS namespace
Subdomain namespace is delegated to child zones
6
. .
com com net net
bar.combar.combaz.netbaz.net
foo.comfoo.com
DNS name resolution Resolvers query authoritative servers Queries begin at root zone, resolvers follow
downward referrals Resolver stops when it receives authoritative
answer
7
…
.
…
.
…
com
…
com
…
bar.com
…
bar.comstub resolverstub resolver recursive
resolverrecursiveresolver
authoritative serversauthoritative servers
Query: www.bar.com/A ?Query: www.bar.com/A ?
Answer: 192.0.2.16Answer: 192.0.2.16
DNS attacks Tainted DNS responses can direct users to malicious services To forge DNS responses:
Guess query ID and UDP source port Arrive before legitimate response
Attackers success rate increased by: Eliciting queries of the resolver Sending large number of responses
8
bar.combar.com
stub resolverstub resolver recursiveresolverrecursiveresolver authoritative serversauthoritative servers
attackerattackerQuery: www.bar.com/A ?Query: www.bar.com/A ?
Answer: ??Answer: ??
DNS Security Extensions (DNSSEC) DNS data signed with private keys for authentication Signatures (RRSIGs) and public keys (DNSKEYs) published in zone
data Resolver response
If authentic: Authenticated data (AD) bit is set If bogus: SERVFAIL message is returned
99
bar.com
bar.com
stub resolverstub resolverrecursive/validatingresolverrecursive/validatingresolver
authoritative serverauthoritative server
Query: www.bar.com/A ?Query: www.bar.com/A ?
Answer: 192.0.2.16Answer: 192.0.2.16 RRSIGRRSIG
Query: bar.com/DNSKEY ?Query: bar.com/DNSKEY ?
Answer: DNSKEY…Answer: DNSKEY… RRSIGRRSIG
Query: www.bar.com/A ?Query: www.bar.com/A ?
Answer: 192.0.2.16Answer: 192.0.2.16 ADAD
validatevalidate
Chain of trust
DNSKEY must be authenticated
Resolver must have some notion of trust
Trust extends through ancestry to a trust anchor at resolver
DS resource record – provides digest of DNSKEY in child zone
1010
bar.com
bar.comZone dataZone data
DNSKEYDNSKEY
com
comZone dataZone data
DNSKEYDNSKEY
.
.Zone dataZone data
DNSKEYDNSKEY
DSDS
DSDS
ResolverResolver trust anchortrust anchor
Insecure delegations
If child zone is unsigned, resolver must be able to prove it is insecure
NSEC resource records provide proof of absence of DS
1111
baz.net
baz.net
Zone dataZone data
net
netZone dataZone data
DNSKEYDNSKEY
.
.Zone dataZone data
DNSKEYDNSKEY
DSDS
NSEC/DSNSEC/DS
ResolverResolver trust anchortrust anchor
DNSSEC maintenance RRSIGs must be
periodically resigned to prevent expiration
DNSKEYs must be periodically rolled (replaced) to avoid prolonged exposure
Rollovers involving DS RRs must be coordinated with parent zones
Authoritative servers must serve consistent data
1212
Outline
DNS/DNSSEC background DNSSEC availability model DNS complexity analysis Misconfiguration mitigation DNSSEC visualization Summary and future work
13
Classes of DNSSEC misconfiguration
14
Zone misconfigurations Missing, expired, or bogus
RRSIG Missing DNSKEYs
Delegation misconfigurations No DNSKEY in child
matching any DS in parent Missing NSEC RRs for
insecure delegation Trust anchor
misconfiguration Stale trust anchor at resolver
Failure potential Probability of bogus validation Based on fraction of responsive authoritative
servers serving bogus or incomplete data Resolvers will retry if server non-responsive Not all servers will retry if server responds with bogus data
Assumption: resolver queries any authoritative server with equal probability
bar.combar.com
ValidValid BogusBogus Non-responsiveNon-responsive
recursive/validatingresolverrecursive/validatingresolver
authoritative serverauthoritative server
15
€
Pf (z) =| bogus_ servers |
| responsive _ servers |
Failure potential Formula extends to chain of trust in ancestor
zones Failure potential of each zone is combined
independently of one another
1616
…
.
…
.
…
com
…
com
…
bar.com
…
bar.comRecursive/validatingresolverRecursive/validatingresolver
authoritative serversauthoritative servers
€
Pfr(z) =1− (1− Pf (i))
i=z
anchor
∏
DNSSEC Deployment Survey
Polled ~1500 production signed zones over a six-week period
Recorded validation errors resulting from misconfiguration
Statistic Value
Production signed zones polled 1,456
Total misconfigurations resulting in certain failure 194
Zone-class misconfigurations 134 (69%)
Delegation-class errors resulting in certain failure 60 (31%)
Errors (any class) caused by misconfigured ancestor zones 61 (31%)17
Failure Potential of Zones
18
Outline
DNS/DNSSEC background DNSSEC availability model DNS complexity analysis Misconfiguration mitigation DNSSEC visualization Summary and future work
19
Complexity analysis
Complexity creates potential for misconfiguration
Hierarchical complexity: Size of ancestry (zone
depth)
Administrative complexity: Servers administered by
distinct organizations
202020
…
.
…
.
…
com
…
com
…
bar.com
…
bar.com
Hierarchical reduction potential
If ancestry might reasonably be consolidated, what is the reduction?
Ancestry reduced, but original namespace can be preserved
21
sub.bar.comsub.bar.com
bar.combar.com
comcom
..
bar.combar.com
comcom
..
€
HRP =| orig _ zones | − | consolidated _ zones |
| orig _ zones |
= 0.25
Administrative Complexity
How diverse is the set of organizations administering a zone?
Complexity measured by random sampling (with replacement) of authoritative servers to determine the probability that two organizations are selected
22
bar.combar.comns.bar.comns.bar.com me.baz.netme.baz.net
= 0.5
€
AC =1−| servers(o) |
| all _ servers |
⎛
⎝ ⎜
⎞
⎠ ⎟2
o∈orgs∑
Hierarchical Reduction Potential
23
Administrative complexity
24
Outline
DNS/DNSSEC background DNSSEC availability model DNS complexity analysis Misconfiguration mitigation DNSSEC visualization Summary and future work
25
Avoiding and mitigating effects of misconfiguration
Follow best practice operational standards (RFCs) Key rollover procedures Trust anchor rollover procedures
Validation diligence Resolver keeps trying alternative authoritative
servers to find valid response Optimality can be difficult – where is the break in
the chain? Implemented in BIND 9
26
Soft anchoring DNSKEYs typically don’t
change often Resolvers configured with
“hard” (traditional) trust anchors
“Soft” anchors are derived from DNSKEYs authenticated from existing hard anchors
27
bar.com
bar.comZone dataZone data
DNSKEYDNSKEY
com
comZone dataZone data
DNSKEYDNSKEY
.
.Zone dataZone data
DNSKEYDNSKEY
DSDS
DSDS
ResolverResolver Hard anchorHard anchor
Soft anchorSoft anchor
Soft anchorSoft anchor
Impact of soft anchoring
Resolution not inhibited by: zone-class
misconfigurations in ancestry
delegation-class misconfigurations
28
bar.com
bar.comZone dataZone data
DNSKEYDNSKEY
com
comZone dataZone data
DNSKEYDNSKEY
.
.Zone dataZone data
DNSKEYDNSKEY
DSDS
DSDS
ResolverResolver Hard anchorHard anchor
Soft anchorSoft anchor
Soft anchorSoft anchor
Maintaining soft anchors
Resolvers follow procedure similar to that used for rolling hard trust anchors (RFC 5011)
Resolver periodically polls soft anchor zone
Soft anchor addition: Newly authenticated
DNSKEYs persist for “hold down” period
New DNSKEY seen with corresponding DS
Soft anchor removal: Delegation to soft anchor
made insecure DNSKEY is revoked DNSKEY and its DS RR
are removed
29
Soft anchoring limitations
Doesn’t help when misconfigurations are at or below the bottom “link” in the chain of trust
Resolver must have authenticated soft anchors through valid chain of trust before misconfiguration
Scalability Maintenance overhead of all trust anchors may be
intense Least-recently used policy may help
30
Outline
DNS/DNSSEC background DNSSEC availability model DNS complexity analysis Misconfiguration mitigation DNSSEC visualization Summary and future work
31
DNSSEC Visualization
Live analysis of DNS authentication chain at: http://dnsviz.net/
32
33
34
arpa: the “root” of reverse name resolution
RRSIG expired, invalidating NSEC necessary to prove insecure delegation
35
Some authoritative servers for kiae.ru not serving RRSIGs
36
Some authoritative servers for dshield.org have expired RRSIGs
37
medicare.gov:missing appropriate DNSKEY, resulting in broken delegation
38
Misconfiguration in a complex system of DNS dependencies
Outline
DNS/DNSSEC background DNSSEC availability model DNS complexity analysis Misconfiguration mitigation DNSSEC visualization Summary and future work
39
40
Summary
DNS responses must be both accurate and available
DNSSEC deployment requires careful deployment and maintenance
Soft anchoring can mitigate effects of misconfiguration
DNSSEC visualization helps understanding and troubleshooting
Query: www.foo.com/A ?Query: www.foo.com/A ?
Answer: 192.0.2.16Answer: 192.0.2.16
Future work
Internet draft of soft anchoring to gain community support
Improved usability of DNS visualization tool Monitoring and alerting Better analysis of server inconsistencies
41
Acknowledgements
Jeff Sedayao, Krishna Kant at Intel Corporation
Prasant Mohapatra at UC Davis
42
Visualization components
44
Domain name
DNSKEY/DS RR
SEP Revoke Published
Missing
DNSKEY attributes
NSEC proving non-existence ofDS RRs (insecure delegation)
Missing
Trust anchor
Visualization components
45
Alias dependency
Signature or digest
Valid Bogus Expired
Delegation
Secure Bogus Insecure Misconfigured
Proof of insecuredelegation
Sufficient Insufficient
Missing
The bottom line
Status of nodes in graph, based on chain of trust
46
Secure InsecureBogus