05 Dns

This document discusses the Domain Name System (DNS) and outlines key concepts:
- DNS provides human-friendly domain names that map to IP addresses. It uses a distributed hierarchical namespace and authoritative name servers.
- Authoritative name servers are responsible for zones, which are subtrees of the global namespace. Zones contain resource records (RRs) like A records mapping names to IP addresses.
- The resolver is a name server that queries authoritative servers to resolve names. It uses the zone file format and common RR types like NS, A, MX, AAAA.


iLab

DNS and DNSSEC

Dominik Scholz
Slides by Benjamin Hof

Chair of Network Architectures and Services


Department of Informatics
Technical University of Munich

Lab 5 – 18ss

1 / 32
Outline

Domain Name System

Authoritative name server

Resolver

Security

2 / 32
The quest for memorable names

- IP addresses are hard for humans to remember
- symbolic names are mapped to addresses: address resolution
  1. host files
     - a file with the mappings
     - copied between all machines
     - /etc/hosts
  2. a protocol: the Domain Name System
     - by Paul Mockapetris in 1983
     - wide deployment in 1988

4 / 32
Domain Name System

- application layer protocol on UDP, TCP
- glibc call getaddrinfo(3)
- distributed name database
- deployed globally
- hierarchical structure
- extensible
  - e.g. DNSSEC: security extensions inside the protocol itself

5 / 32
Distributed hierarchical name space

. (root zone, empty label)
|-- net (top level domain)
|   `-- lwn (second level domain)
|-- edu
|   `-- tum
|       |-- cs
|       |   `-- mail
|       |-- ma
|       `-- ei
`-- org
    |-- gnu
    `-- debian

Fully qualified domain name (FQDN) by label concatenation: mail.cs.tum.edu.

6 / 32
Name server

Name servers can fulfill different functions:

1. authoritative name servers
   - operated by a site on the Internet
2. resolver
   - asked to resolve names
   - contacts authoritative name servers

Example
Knot and unbound

7 / 32
Zone

- subtree of the global name space
- delegated by the parent
- managed by one organization
- hosted on an authoritative name server

Example
tum.edu. delegated by edu., containing www.tum.edu. and mail.in.tum.edu.

9 / 32
Authoritative name server

- only knows about its own part of the name space
- responsible, "authoritative", for its zone
- may serve multiple zones
- usually primary and secondary servers exist for a zone
  - synchronized with zone transfer
  - avoids disappearance of the zone in case of an outage
  - load balancing

10 / 32
Zones: example

[Figure: the name tree of slide 6 (net, edu, org; lwn, tum, gnu, debian; cs, ma, ei; mail) with zone boundaries drawn around the delegated subtrees; the boundaries themselves are not recoverable from the extracted text.]

11 / 32
Resource record

- a zone contains resource records (RR)

example.net. 3600 IN A 198.51.100.5

owner        TTL  class type RDATA

- owner: domain name where the RR is found
- TTL: validity period in seconds when cached
- class: only Internet (IN) is relevant for us
- type: record type, e.g. A = IPv4 address
- RDATA: resource data, e.g. a 32 bit IPv4 address

12 / 32
Resource records

owner              TTL   class  type  RDATA
i.example.net.     3600  IN     AAAA  2001:db8::1
like.example.net.  3600  IN     AAAA  2001:db8:af23::eb2
dns.example.net.   3600  IN     A     192.0.2.25
i.example.net.     3600  IN     A     192.0.2.205

13 / 32
Resource records

owner              type  RDATA
i.example.net.     AAAA  2001:db8::1
like.example.net.  AAAA  2001:db8:af23::eb2
dns.example.net.   A     192.0.2.25
i.example.net.     A     192.0.2.205
i.example.net.     AAAA  2001:db8::2

- RRset for i.example.net. type AAAA with more than one record!
- note: TTL and class usually omitted

13 / 32
Zone file and record types

$ORIGIN example.net.  ; everything will be relative to this
$TTL 1h               ; default TTL, could be overwritten later

example.net.  IN SOA ns1 hostmaster [. . . ]

; RRset with two records: NS
example.net.  NS    ns1                     ; primary authoritative NS
example.net.  NS    ns2.registrar.example.  ; secondary
ns1           A     198.51.100.1
example.net.  MX    10 mail                 ; priority to order multiple MX RRs
mail          AAAA  2001:db8::1
              A     198.51.100.2            ; owner omitted: same as the previous record
webmail       CNAME mail                    ; alias for a canonical name

14 / 32
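The zone file above relies on several shorthands: names without a trailing dot are relative to $ORIGIN, the TTL and class may be omitted (the $TTL default and IN apply), and a line that starts with whitespace inherits the owner of the previous record. The parser below is an added example, not code from the slides or from Knot, and the sample zone it reads is constructed for this example (the SOA timer values are made up; the slide elides them). It returns the records with absolute names and groups them into RRsets, the unit a resolver caches and DNSSEC signs.

```python
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}
TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed sample zone; the SOA timer values are made up for this example.
SAMPLE_ZONE = """\
$ORIGIN example.net. ; everything will be relative to this
$TTL 1h              ; default TTL, can be overridden per record
example.net. IN SOA ns1 hostmaster 2018051801 3600 900 1209600 300
; RRset with two records: NS
example.net. NS ns1                       ; primary authoritative NS
example.net. NS ns2.registrar.example.    ; secondary
ns1          A  198.51.100.1
example.net. MX 10 mail                   ; priority orders multiple MX RRs
mail         AAAA 2001:db8::1
             A    198.51.100.2            ; owner omitted: same as previous line
webmail      CNAME mail                   ; alias for a canonical name
"""


def parse_ttl(text):
    """'3600' -> 3600, '1h' -> 3600, '2d' -> 172800."""
    unit = text[-1].lower()
    if unit in TTL_UNITS:
        return int(text[:-1]) * TTL_UNITS[unit]
    return int(text)


def qualify(name, origin):
    """Make a name absolute: '@' is the origin, a name without a trailing
    dot is relative to the origin, a name with one is already an FQDN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return a list of (owner, ttl, class, type, rdata) tuples."""
    origin, default_ttl, last_owner = ".", 0, None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        # A line that starts with whitespace has no owner field: reuse the last one.
        if line[0].isspace():
            owner = last_owner
        else:
            owner = qualify(tokens.pop(0), origin)
        last_owner = owner
        ttl, rclass = default_ttl, "IN"
        # TTL and class are both optional and may appear in either order.
        while tokens and (tokens[0] in CLASSES or tokens[0][0].isdigit()):
            tok = tokens.pop(0)
            if tok in CLASSES:
                rclass = tok
            else:
                ttl = parse_ttl(tok)
        rtype = tokens.pop(0)
        # Domain names inside RDATA are relative to $ORIGIN as well.
        if rtype in {"NS", "CNAME", "PTR"}:
            rdata = qualify(tokens[0], origin)
        elif rtype == "MX":
            rdata = f"{tokens[0]} {qualify(tokens[1], origin)}"
        elif rtype == "SOA":
            rdata = " ".join([qualify(tokens[0], origin), qualify(tokens[1], origin)] + tokens[2:])
        else:
            rdata = " ".join(tokens)
        records.append((owner, ttl, rclass, rtype, rdata))
    return records


def rrsets(records):
    """Group records into RRsets keyed by (owner, class, type); a resolver
    always handles (and DNSSEC always signs) whole RRsets."""
    groups = defaultdict(list)
    for owner, ttl, rclass, rtype, rdata in records:
        groups[(owner, rclass, rtype)].append((ttl, rdata))
    return dict(groups)
```

Running `rrsets(parse_zone(SAMPLE_ZONE))` shows the two NS records collapsing into one RRset for (example.net., IN, NS), and the A record without an owner landing under mail.example.net.; a real master-file parser additionally handles parentheses spanning lines and escaped characters, which the sample zone does not use.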
Delegation

sub.example.net.    NS  ns.sub.example.net.
ns.sub.example.net. A   198.51.100.3

- makes ns.sub.example.net. responsible for the sub.example.net. zone
- glue record to make the new name server findable
- possible misconfigurations
  1. missing glue records
  2. delegation loops

15 / 32
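Both misconfigurations named on the slide can be caught before a zone is published. The checker below is an added example (not code from the slides or from any name server); it works on (owner, type, rdata) tuples, and the sample records are constructed for this example. `missing_glue` reports name servers that live inside the subzone they serve but have no address record in the parent, and `unresolvable_delegations` computes, as a fixpoint, every delegated subzone that a resolver could never reach, which covers missing glue as well as delegation loops (two subzones whose name servers live in each other).

```python
# Records as (owner, type, rdata); constructed sample for this example.
SAMPLE = [
    ("example.net.", "NS", "ns1.example.net."),
    ("ns1.example.net.", "A", "198.51.100.1"),
    ("sub.example.net.", "NS", "ns.sub.example.net."),        # delegation with glue
    ("ns.sub.example.net.", "A", "198.51.100.3"),
    ("noglue.example.net.", "NS", "ns.noglue.example.net."),  # glue forgotten
    ("a.example.net.", "NS", "ns.b.example.net."),            # a and b refer to
    ("b.example.net.", "NS", "ns.a.example.net."),            # each other: loop
    ("ext.example.net.", "NS", "ns2.registrar.example."),     # external NS, no glue needed
]


def is_subdomain(name, zone):
    return name == zone or name.endswith("." + zone)


def missing_glue(zone, records):
    """NS targets that live inside the subzone they serve (so they can only be
    found via that very subzone) but have no A/AAAA glue in the parent zone."""
    addresses = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    problems = []
    for owner, rtype, target in records:
        if rtype != "NS" or owner == zone:
            continue                      # skip the apex NS set, only delegations
        if is_subdomain(target, owner) and target not in addresses:
            problems.append((owner, target))
    return problems


def unresolvable_delegations(zone, records):
    """Delegated subzones a resolver can never reach from this zone, found as a
    fixpoint: a subzone becomes reachable once one of its name servers is
    reachable (has glue, lives outside every delegated subzone, or lives in a
    subzone already known to be reachable). Missing glue and delegation loops
    both end up in the result."""
    glue = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    delegated = {}
    for owner, rtype, target in records:
        if rtype == "NS" and owner != zone:
            delegated.setdefault(owner, []).append(target)
    deepest_first = sorted(delegated, key=len, reverse=True)

    def home_zone(name):
        # the most specific delegated subzone that contains `name`, if any
        return next((z for z in deepest_first if is_subdomain(name, z)), None)

    reachable, changed = set(), True
    while changed:
        changed = False
        for sub, targets in delegated.items():
            if sub in reachable:
                continue
            for target in targets:
                home = home_zone(target)
                if target in glue or home is None or home in reachable:
                    reachable.add(sub)
                    changed = True
                    break
    return sorted(set(delegated) - reachable)
```

The fixpoint formulation matters for loops: neither a.example.net. nor b.example.net. has a name server that is reachable on its own, so neither is ever added to the reachable set, whereas ext.example.net. is fine because its name server is resolved through a different zone entirely.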
Resolving name server tasks

- query: owner, class, type
- resolve a query from the root downwards
- cache responses based on TTL
  - changes might only be visible after days

Allow access only from your network, never open for everybody.

17 / 32
DNS packet layout

IP | UDP | DNS header          | query | answer | authoritative | additional
           ID, flags,            records
           number of RRs

header (c = set by the client, s = set by the server)
- c,s QR: query or response
- s   AA: authoritative answer
- s   TC: truncation (TCP as fallback)
- c   RD: recursion desired
- s   RA: recursion available
- s   4 bit response code: no error, name error, server failure, refused
- number of resource records in each section

record sections
- query: only one record with owner, type, class
- answer: answer RRs
- authoritative section: name server delegation
- additional section: glue records, EDNS pseudo record

packet size limited to 512 octets

18 / 32
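To make the header layout concrete, here is an added example (not code from the slides) that packs and unpacks the 12-octet header and the question section with the standard-library `struct` module, using the RFC 1035 bit positions for QR, AA, TC, RD, RA and the 4-bit response code. The query it builds is constructed for this example; the name decoder also follows compression pointers, which responses use to avoid repeating names, and `needs_tcp` expresses the TC-bit fallback and the 512-octet limit mentioned on the slide.

```python
import struct

# Flag bits of the 16-bit flags word (RFC 1035 section 4.1.1).
QR, AA, TC, RD, RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7
RCODES = {0: "no error", 1: "format error", 2: "server failure",
          3: "name error", 4: "not implemented", 5: "refused"}
MAX_UDP_PAYLOAD = 512   # classic limit without EDNS


def encode_name(name):
    """Wire format: each label prefixed by its length, terminated by a
    zero-length label (the root)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset; follows compression pointers (0xC0 prefix).
    Returns (name, offset just after the name as it appears in the packet)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:            # pointer to an earlier name
            pointer = ((length & 0x3F) << 8) | data[offset]
            suffix, _ = decode_name(data, pointer)
            if suffix != ".":
                labels.extend(suffix.rstrip(".").split("."))
            return ".".join(labels) + ".", offset + 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def build_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    """12-octet header: ID, flags, and the record count of each section."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def response_flags(aa=False, tc=False, ra=True, rcode=0):
    """Flags a server puts on its answer: QR set, plus AA/TC/RA and the rcode."""
    return QR | (AA if aa else 0) | (TC if tc else 0) | (RA if ra else 0) | (rcode & 0xF)


def build_query(txid, qname, qtype=1, qclass=1, rd=True):
    """A query: QR=0, RD set when recursion is desired, exactly one question."""
    question = encode_name(qname) + struct.pack("!HH", qtype, qclass)
    return build_header(txid, RD if rd else 0) + question


def parse_header(pkt):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {
        "id": txid,
        "qr": "response" if flags & QR else "query",
        "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0xF, "other"),
        "counts": {"question": qd, "answer": an, "authority": ns, "additional": ar},
    }


def parse_question(pkt):
    """The single question record that follows the header."""
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return qname, qtype, qclass


def needs_tcp(pkt):
    """TC set, or a reply larger than the classic UDP limit: retry over TCP."""
    return parse_header(pkt)["tc"] or len(pkt) > MAX_UDP_PAYLOAD
```

`build_query(0x1234, "in.tum.de.")` yields a 27-octet packet: 12 octets of header, 11 octets of name (three length-prefixed labels plus the root), and 4 octets of type and class.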
Lookup

stub --(in.tum.de. IP?)--> forwarder --> recursor

1. recursor -> k.root-servers.net. (2001:7fd::1): in.tum.de. A?
   <- referral: de. NS a.nic.de., glue: a.nic.de. A 194.0.0.53
2. recursor -> a.nic.de.: in.tum.de. A?
   <- referral: tum.de. NS dns1.lrz.de., glue: dns1.lrz.de. A 129.187.19.183
3. recursor -> dns1.lrz.de.: in.tum.de. A?
   <- answer: in.tum.de. A 131.159.0.35
4. recursor -> forwarder -> stub: 131.159.0.35

- recursive queries (stub to forwarder to recursor)
- iterative queries (recursor to the authoritative servers)
- glue

19 / 32
Reverse lookup

IPv4
- PTR record type
- special domain in-addr.arpa.
- 198.51.100.5 → 5.100.51.198.in-addr.arpa.
- small subnets require lots of CNAMEs

IPv6
- ip6.arpa.
- can be delegated per nibble
- 2001:db8::1 is:

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

20 / 32
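An added example (not from the slides) that spells out the reverse names by hand, although `ipaddress.ip_address(...).reverse_pointer` in the standard library produces the same strings, because doing it explicitly shows the per-octet versus per-nibble structure. `reverse_zone` returns the reverse zone a prefix can be delegated as, or None when the prefix length does not fall on an octet (IPv4) or nibble (IPv6) boundary, and `classless_cnames` generates the CNAME records behind the slide's remark that small IPv4 subnets require lots of CNAMEs (the RFC 2317 technique; the naming convention used for the sub-zone is one common choice and is an assumption of this example).

```python
import ipaddress


def reverse_name(addr):
    """198.51.100.5 -> 5.100.51.198.in-addr.arpa.; IPv6 reverses all 32 nibbles."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")            # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix):
    """Reverse zone covering a prefix, or None if the prefix does not end on
    a delegation boundary (octet for IPv4, nibble for IPv6)."""
    net = ipaddress.ip_network(prefix, strict=True)
    unit = 8 if net.version == 4 else 4               # bits per label
    if net.prefixlen % unit:
        return None                                   # e.g. an IPv4 /26: classless
    labels = reverse_name(str(net.network_address)).split(".")
    total = (32 if net.version == 4 else 128) // unit # address labels in the name
    keep = net.prefixlen // unit
    return ".".join(labels[total - keep:])


def classless_cnames(prefix):
    """For an IPv4 prefix longer than /24, the CNAME records the owner of the
    /24 reverse zone publishes so that the holder of the smaller prefix can
    serve its own PTR records (RFC 2317). The 'first-prefixlen' sub-zone
    label is a convention assumed by this example."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        return []
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    base = reverse_zone(str(net.supernet(new_prefix=24)))   # e.g. 100.51.198.in-addr.arpa.
    sub = f"{first}-{net.prefixlen}.{base}"
    return [(f"{i}.{base}", f"{i}.{sub}") for i in range(first, last + 1)]
```

For 198.51.100.64/26 the /24 owner has to publish 64 CNAMEs, one per address, each pointing into a sub-zone that is then delegated to the customer; for 2001:db8::/32 a single delegation of 8.b.d.0.1.0.0.2.ip6.arpa. suffices, which is the nibble-boundary advantage the slide refers to.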
Common attacks using DNS

Cache poisoning
- send many packets with fake responses to a resolver
- spoofed source IP: address of an authoritative name server
- try to answer a query before the legitimate server does
Counter: randomize as much as possible: source port, query id

Distributed denial of service
- send queries with spoofed source address to open resolvers
- spoofed source address is the attack target
- queries with high amplification factor
Counter: no open resolvers, ingress filtering (BCP 38)

22 / 32
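The two counters from the slide, as an added example (not code from the slides or from unbound): on the resolver side, every outgoing query gets a random 16-bit transaction ID and a random source port, and a response is only accepted if the ID, the port, the server address and the echoed question all match an outstanding query, so a blind forger has roughly 32 bits to guess instead of 16. On the network side, a BCP 38 ingress filter drops packets whose source address does not belong to the network they arrive from, which is what stops spoofed queries from reaching open resolvers in the first place. The response dictionaries and prefixes are constructed for this example.

```python
import ipaddress
import secrets


class PendingQueries:
    """Outstanding queries of a resolver, keyed by (transaction ID, source port)."""

    def __init__(self):
        self.pending = {}          # (txid, port) -> (server, qname, qtype)

    def send(self, server, qname, qtype):
        """Pick a fresh random 16-bit ID and a random ephemeral port per query,
        so an off-path sender has to guess both (about 32 bits, not 16)."""
        while True:
            txid = secrets.randbelow(1 << 16)
            port = 1024 + secrets.randbelow(65536 - 1024)
            if (txid, port) not in self.pending:
                break
        self.pending[(txid, port)] = (server, qname, qtype)
        return txid, port

    def accept(self, response):
        """Accept a response only if ID, destination port, sending server and
        the echoed question all match one outstanding query, then consume it
        so a second copy (late or forged) is rejected."""
        key = (response["id"], response["dst_port"])
        expected = self.pending.get(key)
        if expected is None:
            return False            # unknown ID/port pair: late, duplicate or forged
        if (response["src"], response["qname"], response["qtype"]) != expected:
            return False            # right ID/port, wrong server or question
        del self.pending[key]
        return True


def ingress_allowed(src_addr, customer_prefixes):
    """BCP 38 at the network edge: forward a packet only if its source address
    belongs to the prefixes assigned to the network it arrives from; a packet
    carrying somebody else's address (the DDoS victim's) is dropped here."""
    src = ipaddress.ip_address(src_addr)
    return any(src in ipaddress.ip_network(p) for p in customer_prefixes)
```

The acceptance check is deliberately strict about the question as well: a forged response that carries the right ID and port but answers a different name must not be cached, and consuming the pending entry on the first match means the real answer arriving afterwards is simply discarded rather than overwriting anything.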
Security extensions in DNS: DNSSEC

- data origin authentication
- data integrity
- no confidentiality
- inside the protocol, no *S layer
- no flag day

Basic idea
- signatures with public key cryptography
- zone owner signs RRsets offline using the private key
- full resolvers verify signatures using the public key

How do we know that the signing key really belongs to the zone owner?

23 / 32
Changes

New RR types
- RRSIG: signature over an RRset
  - signature validity introduces absolute time into DNS
- DS (delegation signer): hash of the public key
- DNSKEY: public key
- NSEC, NSEC3: for nonexisting domains

24 / 32
Changes (cont'd)

header bits (c = set by the client, s = set by the server)
- c CD checking disabled: request delivery of DNSSEC records
- s AD answer authenticated: DNSSEC successfully verified

EDNS extension
- uses a pseudo record
- larger UDP payload size
- c DO bit: DNSSEC OK: include RRSIGs, DS

25 / 32
Zone signing

child zone: every RRset is signed with the zone's private key, producing one RRSIG per RRset
signed child zone: RRset + RRSIG for each RRset; DNSKEY (the public key) + RRSIG over the DNSKEY RRset
parent zone: DS (hash of the child's public key) + RRSIG over the DS, signed with the parent's key

Note: the root key comes with the resolver software

26 / 32
Record collection

Query: torproject.org. AAAA?

1. resolver -> g.root-servers.net.: torproject.org. AAAA
   <- org. NS a0.org.afilias-nst.info., org. DS, org. RRSIG DS, + glue
2. resolver -> a0.org.afilias-nst.info.: torproject.org. AAAA
   <- torproject.org. NS ns1.torproject.org., torproject.org. DS, torproject.org. RRSIG DS, + glue
3. resolver -> ns1.torproject.org.: torproject.org. AAAA
   <- torproject.org. AAAA, torproject.org. RRSIG AAAA
4. resolver -> g.root-servers.net.: . DNSKEY
   <- . DNSKEY, . RRSIG DNSKEY
5. resolver -> a0.org.afilias-nst.info.: org. DNSKEY
   <- org. DNSKEY, org. RRSIG DNSKEY
6. resolver -> ns1.torproject.org.: torproject.org. DNSKEY
   <- torproject.org. DNSKEY, torproject.org. RRSIG DNSKEY

27 / 32
Discussion

We have for each zone:
- DS
- RRSIG DS
- DNSKEY
- RRSIG DNSKEY
as well as the RRSIG AAAA.

Verify from the top:
1. org. DS, RRSIG using the root DNSKEY/stored key
2. org. DS against org. DNSKEY (the DS must be the hash of the key)
3. torproject.org. DS, RRSIG using org. DNSKEY
4. torproject.org. DS against torproject.org. DNSKEY
5. torproject.org. AAAA, RRSIG using torproject.org. DNSKEY

28 / 32
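The zone-signing picture (slide 26) and the five verification steps above, carried through in an added example that is not part of the slides. Signatures use textbook RSA with tiny primes generated from fixed seeds (insecure, for illustration only; real DNSSEC uses RSA or ECDSA keys of proper size and the RRSIG/DS wire formats), DS is a SHA-256 digest over the child's owner name and DNSKEY, RRsets are hashed in a canonical sorted form, and all zone data, including the AAAA address, is constructed. `validate` walks root -> org. -> torproject.org. exactly as the slide lists it and refuses the answer if any link fails, including a substituted zone key that the parent's DS does not vouch for.

```python
import hashlib
from math import gcd


def next_prime(n):
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def toy_keypair(seed):
    """Insecure textbook RSA with tiny primes, for illustration only:
    returns (public (n, e), private (n, d))."""
    p, q, e = next_prime(seed), next_prime(2 * seed + 1), 65537
    while gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def canonical(owner, rtype, rdatas):
    """Canonical form of an RRset: lower-case owner, records sorted; this is
    what gets hashed and signed, so record order on the wire does not matter."""
    return "\n".join(f"{owner.lower()} {rtype} {r}" for r in sorted(rdatas)).encode()


def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign_rrset(priv, owner, rtype, rdatas):
    """RRSIG over one RRset, made offline with the zone's private key."""
    n, d = priv
    return pow(digest(canonical(owner, rtype, rdatas), n), d, n)


def verify_rrsig(pub, owner, rtype, rdatas, sig):
    n, e = pub
    return pow(sig, e, n) == digest(canonical(owner, rtype, rdatas), n)


def dnskey_rdata(pub):
    return f"257 3 RSA-demo {pub[0]}:{pub[1]}"     # flags, protocol, algorithm, key


def parse_key(rdata):
    n, e = rdata.split()[-1].split(":")
    return int(n), int(e)


def ds_rdata(child, pub):
    """DS = hash of the child's public key (with its owner name), published
    and signed in the parent zone."""
    return hashlib.sha256(child.lower().encode() + dnskey_rdata(pub).encode()).hexdigest()


def sign_zone(name, priv, pub, records=()):
    """Signed zone: DNSKEY RRset + RRSIG, and every other RRset + its RRSIG."""
    keys = [dnskey_rdata(pub)]
    zone = {"DNSKEY": keys, "RRSIG DNSKEY": sign_rrset(priv, name, "DNSKEY", keys)}
    for rtype, rdatas in records:
        zone[rtype] = list(rdatas)
        zone["RRSIG " + rtype] = sign_rrset(priv, name, rtype, rdatas)
    return zone


def publish_ds(parent_zone, parent_priv, child, child_pub):
    """The parent publishes the child's DS and signs it with the parent key."""
    ds = [ds_rdata(child, child_pub)]
    parent_zone["DS " + child] = ds
    parent_zone["RRSIG DS " + child] = sign_rrset(parent_priv, child, "DS", ds)


def validate(trust_anchor, chain, zones, rtype):
    """Walk the chain top-down (the slide's five steps); every link must hold."""
    key = trust_anchor                       # root key shipped with the resolver
    root = zones[chain[0]]
    if not verify_rrsig(key, chain[0], "DNSKEY", root["DNSKEY"], root["RRSIG DNSKEY"]):
        return False
    for parent, child in zip(chain, chain[1:]):
        p, c = zones[parent], zones[child]
        ds = p["DS " + child]
        if not verify_rrsig(key, child, "DS", ds, p["RRSIG DS " + child]):
            return False                     # steps 1 and 3: DS signed by the parent key
        matching = [k for k in c["DNSKEY"] if ds_rdata(child, parse_key(k)) in ds]
        if not matching:
            return False                     # steps 2 and 4: DS must match a child DNSKEY
        key = parse_key(matching[0])
        if not verify_rrsig(key, child, "DNSKEY", c["DNSKEY"], c["RRSIG DNSKEY"]):
            return False
    leaf = zones[chain[-1]]
    return verify_rrsig(key, chain[-1], rtype, leaf[rtype], leaf["RRSIG " + rtype])  # step 5


def build_example():
    """Root, org. and torproject.org. signed with their own toy keys; the
    AAAA address is a documentation address, not the real one."""
    root_pub, root_priv = toy_keypair(10_000)
    org_pub, org_priv = toy_keypair(50_000)
    tor_pub, tor_priv = toy_keypair(90_000)
    zones = {
        ".": sign_zone(".", root_priv, root_pub),
        "org.": sign_zone("org.", org_priv, org_pub),
        "torproject.org.": sign_zone("torproject.org.", tor_priv, tor_pub,
                                     records=[("AAAA", ["2001:db8::1"])]),
    }
    publish_ds(zones["."], root_priv, "org.", org_pub)
    publish_ds(zones["org."], org_priv, "torproject.org.", tor_pub)
    return root_pub, zones
```

Note where each key comes from: only the root key is stored in the resolver; every other key is accepted solely because the parent's signed DS matches its hash, which is the answer to the question on slide 23 of how a resolver knows a signing key belongs to the zone owner.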
Alternative signing scheme

parent zone: DS (KSK) + RRSIG
child zone:
- DNSKEY: KSK (key signing key), referenced by the parent's DS, signs the DNSKEY RRset (RRSIG)
- DNSKEY: ZSK (zone signing key), signs the zone's RRsets (RRSIG)
- RRset + RRSIG

29 / 32
Deal with nonexisting domains

NSEC
sign the hole between two domains:
alice.example.net. NSEC charlie.example.net. A RRSIG NSEC
- + RRSIG
- no domains between alice and charlie
- alice only has A, RRSIG and NSEC records
- zone walking

NSEC3
- hash all domains
- order by hash value

0him. . . lfhr.example.net. NSEC3 0lver. . . oj3l A RRSIG

30 / 32
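An added example of authenticated denial of existence, not code from the slides: `nsec_covers` decides whether a queried name falls into the hole between an NSEC owner and its next name under the DNSSEC canonical ordering (labels compared right to left, case-insensitively, with the last record wrapping around to the zone apex), `deny` turns a chain of NSEC records into an NXDOMAIN or NODATA verdict, and `nsec3_hash` computes the salted, iterated SHA-1 owner names in base32hex that NSEC3 orders the zone by. The NSEC chain is constructed from the slide's alice/charlie records; a complete NXDOMAIN proof additionally needs a wildcard non-existence proof, which is left out here.

```python
import base64
import hashlib

B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def canonical_key(name):
    """DNSSEC canonical ordering: labels compared right to left, case-folded."""
    labels = [] if name == "." else name.rstrip(".").lower().split(".")
    return [l.encode() for l in reversed(labels)]


def canonical_lt(a, b):
    return canonical_key(a) < canonical_key(b)


def nsec_covers(owner, next_name, qname):
    """True if qname falls strictly inside the hole (owner, next_name).
    The last NSEC of a zone points back to the apex, so its span wraps."""
    if canonical_lt(owner, next_name):
        return canonical_lt(owner, qname) and canonical_lt(qname, next_name)
    return canonical_lt(owner, qname) or canonical_lt(qname, next_name)


def deny(nsec_chain, qname, qtype):
    """nsec_chain: list of (owner, next, type_bitmap). Returns 'NODATA' when
    the owner exists but has no record of that type, 'NXDOMAIN' when a span
    covers qname, and None when the NSEC records prove nothing about it."""
    for owner, nxt, types in nsec_chain:
        if owner.lower() == qname.lower():
            return None if qtype in types else "NODATA"
        if nsec_covers(owner, nxt, qname):
            return "NXDOMAIN"
    return None


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 hash: SHA-1 over the wire-format name plus salt, re-hashed
    `iterations` more times with the salt, encoded in base32hex (the
    hashed owner label that NSEC3 records are sorted by)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(B32HEX).lower()


# Constructed NSEC chain for example.net., built around the slide's record.
NSEC_CHAIN = [
    ("example.net.", "alice.example.net.", ["SOA", "NS", "DNSKEY", "RRSIG", "NSEC"]),
    ("alice.example.net.", "charlie.example.net.", ["A", "RRSIG", "NSEC"]),
    ("charlie.example.net.", "example.net.", ["A", "RRSIG", "NSEC"]),  # wraps to apex
]
```

Because NSEC3 owner names are hashes, `nsec_covers` works unchanged on them (single-label hashed names compare as plain strings), but reading the chain no longer yields the real names, which is the zone-walking problem the slide raises; the `iterations` and `salt` parameters only raise the cost of guessing names offline and are deliberately set low in current practice.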
Operational considerations

- offline signing
- small key sizes recommended for speed
- many parameter choices
- limited key lifetime, frequent rollover required
- best practice: key signing key, zone signing key
⇒ operational complexity

Example
Software like OpenDNSSEC or Knot automates a lot of this.

31 / 32
Security gaps

- TLD/root key operators cannot be removed or replaced!
- last mile
- confidentiality
- actual connection content
- DDoS

32 / 32