modeling dns security: misconfiguration, availability, and visualization

Modeling DNS Security: Misconfiguration, Availability,

and VisualizationCasey Deccio

Sandia National Laboratories

Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.

BYU Computer Science Dept. Colloquium

Sep 9, 2010

Criticality of the DNS

The DNS is the “phone book” for the Internet Domain name to IP

address translation Mail server lookup Service discovery

Most Internet applications rely on DNS name resolution

2

Query: www.foo.com/A ?Query: www.foo.com/A ?

Answer: 192.0.2.16Answer: 192.0.2.16

Availability and security

DNS must be both available and accurate

Security was added as a retrofit Security increases complexity Troubleshooting is difficult

Misconfigurations abound, rendering name resolution unavailable Examples:

medicare.gov, nasa.gov, arpa

3

4

Objectives

Establish model and metrics for assessing availability of DNSSEC deployments

Quantify complexity that may increase potential for DNSSEC misconfiguration

Introduce techniques to mitigate effects of misconfiguration


Answer: 192.0.2.16Answer: 192.0.2.16

Outline

DNS/DNSSEC background DNSSEC availability model DNS complexity analysis Misconfiguration mitigation DNSSEC visualization Summary and future work

5

DNS namespace

Namespace is organized hierarchically

DNS root is top of namespace

Zones are autonomously managed pieces of DNS namespace

Subdomain namespace is delegated to child zones

6

. .

com com net net

bar.combar.combaz.netbaz.net

foo.comfoo.com

DNS name resolution Resolvers query authoritative servers Queries begin at root zone, resolvers follow

downward referrals Resolver stops when it receives authoritative

answer

7

…

.

…

.

…

com

…

com

…

bar.com

…

bar.comstub resolverstub resolver recursive

resolverrecursiveresolver

authoritative serversauthoritative servers

Query: www.bar.com/A ?Query: www.bar.com/A ?

Answer: 192.0.2.16Answer: 192.0.2.16

DNS attacks Tainted DNS responses can direct users to malicious services To forge DNS responses:

Guess query ID and UDP source port Arrive before legitimate response

Attackers success rate increased by: Eliciting queries of the resolver Sending large number of responses

8

bar.combar.com

stub resolverstub resolver recursiveresolverrecursiveresolver authoritative serversauthoritative servers

attackerattackerQuery: www.bar.com/A ?Query: www.bar.com/A ?

Answer: ??Answer: ??

DNS Security Extensions (DNSSEC) DNS data signed with private keys for authentication Signatures (RRSIGs) and public keys (DNSKEYs) published in zone

data Resolver response

If authentic: Authenticated data (AD) bit is set If bogus: SERVFAIL message is returned

99

bar.com

bar.com

stub resolverstub resolverrecursive/validatingresolverrecursive/validatingresolver

authoritative serverauthoritative server


Answer: 192.0.2.16Answer: 192.0.2.16 RRSIGRRSIG

Query: bar.com/DNSKEY ?Query: bar.com/DNSKEY ?

Answer: DNSKEY…Answer: DNSKEY… RRSIGRRSIG


Answer: 192.0.2.16Answer: 192.0.2.16 ADAD

validatevalidate

Chain of trust

DNSKEY must be authenticated

Resolver must have some notion of trust

Trust extends through ancestry to a trust anchor at resolver

DS resource record – provides digest of DNSKEY in child zone

1010

bar.com

bar.comZone dataZone data

DNSKEYDNSKEY

com

comZone dataZone data

DNSKEYDNSKEY

.

.Zone dataZone data

DNSKEYDNSKEY

DSDS

DSDS

ResolverResolver trust anchortrust anchor

Insecure delegations

If child zone is unsigned, resolver must be able to prove it is insecure

NSEC resource records provide proof of absence of DS

1111

baz.net

baz.net

Zone dataZone data

net

netZone dataZone data

DNSKEYDNSKEY

.

.Zone dataZone data

DNSKEYDNSKEY

DSDS

NSEC/DSNSEC/DS

ResolverResolver trust anchortrust anchor

DNSSEC maintenance RRSIGs must be

periodically resigned to prevent expiration

DNSKEYs must be periodically rolled (replaced) to avoid prolonged exposure

Rollovers involving DS RRs must be coordinated with parent zones

Authoritative servers must serve consistent data

1212

Outline


13

Classes of DNSSEC misconfiguration

14

Zone misconfigurations Missing, expired, or bogus

RRSIG Missing DNSKEYs

Delegation misconfigurations No DNSKEY in child

matching any DS in parent Missing NSEC RRs for

insecure delegation Trust anchor

misconfiguration Stale trust anchor at resolver

Failure potential Probability of bogus validation Based on fraction of responsive authoritative

servers serving bogus or incomplete data Resolvers will retry if server non-responsive Not all servers will retry if server responds with bogus data

Assumption: resolver queries any authoritative server with equal probability

bar.combar.com

ValidValid BogusBogus Non-responsiveNon-responsive

recursive/validatingresolverrecursive/validatingresolver

authoritative serverauthoritative server

15

€

Pf (z) =| bogus_ servers |

| responsive _ servers |

Failure potential Formula extends to chain of trust in ancestor

zones Failure potential of each zone is combined

independently of one another

1616

…

.

…

.

…

com

…

com

…

bar.com

…

bar.comRecursive/validatingresolverRecursive/validatingresolver

authoritative serversauthoritative servers

€

Pfr(z) =1− (1− Pf (i))

i=z

anchor

∏

DNSSEC Deployment Survey

Polled ~1500 production signed zones over a six-week period

Recorded validation errors resulting from misconfiguration

Statistic Value

Production signed zones polled 1,456

Total misconfigurations resulting in certain failure 194

Zone-class misconfigurations 134 (69%)

Delegation-class errors resulting in certain failure 60 (31%)

Errors (any class) caused by misconfigured ancestor zones 61 (31%)17

Failure Potential of Zones

18

Outline


19

Complexity analysis

Complexity creates potential for misconfiguration

Hierarchical complexity: Size of ancestry (zone

depth)

Administrative complexity: Servers administered by

distinct organizations

202020

…

.

…

.

…

com

…

com

…

bar.com

…

bar.com

Hierarchical reduction potential

If ancestry might reasonably be consolidated, what is the reduction?

Ancestry reduced, but original namespace can be preserved

21

sub.bar.comsub.bar.com

bar.combar.com

comcom

..

bar.combar.com

comcom

..

€

HRP =| orig _ zones | − | consolidated _ zones |

| orig _ zones |

= 0.25

Administrative Complexity

How diverse is the set of organizations administering a zone?

Complexity measured by random sampling (with replacement) of authoritative servers to determine the probability that two organizations are selected

22

bar.combar.comns.bar.comns.bar.com me.baz.netme.baz.net

= 0.5

€

AC =1−| servers(o) |

| all _ servers |

⎛

⎝ ⎜

⎞

⎠ ⎟2

o∈orgs∑

Hierarchical Reduction Potential

23

Administrative complexity

24

Outline


25

Avoiding and mitigating effects of misconfiguration

Follow best practice operational standards (RFCs) Key rollover procedures Trust anchor rollover procedures

Validation diligence Resolver keeps trying alternative authoritative

servers to find valid response Optimality can be difficult – where is the break in

the chain? Implemented in BIND 9

26

Soft anchoring DNSKEYs typically don’t

change often Resolvers configured with

“hard” (traditional) trust anchors

“Soft” anchors are derived from DNSKEYs authenticated from existing hard anchors

27

bar.com


DNSKEYDNSKEY

com


DNSKEYDNSKEY

.

.Zone dataZone data

DNSKEYDNSKEY

DSDS

DSDS

ResolverResolver Hard anchorHard anchor

Soft anchorSoft anchor


Impact of soft anchoring

Resolution not inhibited by: zone-class

misconfigurations in ancestry

delegation-class misconfigurations

28

bar.com


DNSKEYDNSKEY

com


DNSKEYDNSKEY

.

.Zone dataZone data

DNSKEYDNSKEY

DSDS

DSDS

ResolverResolver Hard anchorHard anchor



Maintaining soft anchors

Resolvers follow procedure similar to that used for rolling hard trust anchors (RFC 5011)

Resolver periodically polls soft anchor zone

Soft anchor addition: Newly authenticated

DNSKEYs persist for “hold down” period

New DNSKEY seen with corresponding DS

Soft anchor removal: Delegation to soft anchor

made insecure DNSKEY is revoked DNSKEY and its DS RR

are removed

29

Soft anchoring limitations

Doesn’t help when misconfigurations are at or below the bottom “link” in the chain of trust

Resolver must have authenticated soft anchors through valid chain of trust before misconfiguration

Scalability Maintenance overhead of all trust anchors may be

intense Least-recently used policy may help

30

Outline


31

DNSSEC Visualization

Live analysis of DNS authentication chain at: http://dnsviz.net/

32

34

arpa: the “root” of reverse name resolution

RRSIG expired, invalidating NSEC necessary to prove insecure delegation

35

Some authoritative servers for kiae.ru not serving RRSIGs

36

Some authoritative servers for dshield.org have expired RRSIGs

37

medicare.gov:missing appropriate DNSKEY, resulting in broken delegation

38

Misconfiguration in a complex system of DNS dependencies

Outline


39

40

Summary

DNS responses must be both accurate and available

DNSSEC deployment requires careful deployment and maintenance

Soft anchoring can mitigate effects of misconfiguration

DNSSEC visualization helps understanding and troubleshooting


Answer: 192.0.2.16Answer: 192.0.2.16

Future work

Internet draft of soft anchoring to gain community support

Improved usability of DNS visualization tool Monitoring and alerting Better analysis of server inconsistencies

41

Acknowledgements

Jeff Sedayao, Krishna Kant at Intel Corporation

Prasant Mohapatra at UC Davis

42

Questions?

[email protected]

43

Visualization components

44

Domain name

DNSKEY/DS RR

SEP Revoke Published

Missing

DNSKEY attributes

NSEC proving non-existence ofDS RRs (insecure delegation)

Missing

Trust anchor

Visualization components

45

Alias dependency

Signature or digest

Valid Bogus Expired

Delegation

Secure Bogus Insecure Misconfigured

Proof of insecuredelegation

Sufficient Insufficient

Missing

The bottom line

Status of nodes in graph, based on chain of trust

46

Secure InsecureBogus

modeling dns security: misconfiguration, availability, and visualization

Documents

dns root

dns namespacenamespace

dnsthe dns

authoritative answer

modeling dns security

root zone

com bar

child zones