Self-Service Open Resolver Scanning Duane Wessels DNS-OARC Workshop Dublin May 12, 2013



What Is An Open DNS Resolver?

[Diagram: four Probe → Target → Auth exchanges. In each, the probe sends a query to the target; the panels differ in whether the target forwards the query on to the authoritative server and whether a reply or (no reply) comes back. Verdicts, in order: ✖ No, ✔ Yes, ✔ Yes, ✖ No.]

Duane’s definition: An Open Resolver is a DNS server which accepts queries from outside of its administrative domain and attempts to resolve the query by forwarding it to other name servers.


Open Resolver Awareness

• Recent increased awareness of open resolvers thanks to record-breaking DDoS attacks and Jared’s Open DNS Resolver Project
• Other surveys/data by:
  • Team Cymru
  • The Measurement Factory


Open Resolver Surveys

• Updated on surveyor’s schedule
• Want to provide data to address space owners, but keep it away from the bad guys
  • TMF selects email addresses from whois data and handles other inquiries manually.
  • Cymru always validates manually?
  • openresolverproject limits searches to IPv4 /22 and others validated manually.
• Surveyor might receive some abuse complaint emails.
• IPv6 surveys unrealistic.


Self-Service Scanning?

• On the user’s schedule.
• Probes initiated by the user from addresses of their choosing.
  • Offers some motivation to not scan others’ address space.
• IPv6 a possibility.
  • The user knows which addresses are in use.
• But: no public pressure (shaming).


How Does It Work?


Overview

• Register for an account.
• Create a “token” for some chunk of address space.
  • Token valid for 7 days.
• Run the scanner tool.
  • Sends queries to coded names in orscan.verisignlabs.com
• Authoritative name server validates and logs received queries.
• Authoritative name server does not reply!
• Login to view scan results.


Why Tokens?

• Identify an instance of a scan
• Some crypto to prevent simple spoofing
• Time-limited (one week) to prevent replays
• Restrict the scope of scanning
  • IPv4 /8
  • IPv6 /64
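The token design on this slide and the coded-name flow on the Overview slide, as an added example that is not part of the talk or of the orscan service's own code: a Python sketch that mints a scoped, time-limited token, encodes the probed address and the token into a query name under orscan.verisignlabs.com, and validates names out of the authoritative server's query log. Only the zone name, the 7-day lifetime and the /8 and /64 scope limits come from the slides; the HMAC-SHA256 construction, the label layout, the log line format, the secret and every sample address are my assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed demo values; the real service's secret, label layout and log
# format are not on the slides, so everything below is an assumption.
SERVER_SECRET = b"constructed-demo-secret"   # known only to the authoritative server
ZONE = "orscan.verisignlabs.com"             # zone named on the slides
TOKEN_LIFETIME = 7 * 24 * 3600               # slides: token valid for 7 days
MAX_SCOPE = {4: 8, 6: 64}                    # slides: at most an IPv4 /8 or IPv6 /64
MAC_HEX = 16                                 # truncated HMAC-SHA256 tag, 64 bits as hex


def _mac(expires, net, secret):
    """Bind expiry and scope together under the server's key."""
    msg = f"{expires}|{net.network_address.packed.hex()}|{net.prefixlen}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:MAC_HEX]


def mint_token(scope, issued_at, secret=SERVER_SECRET):
    """Web front end: issue a token for one address block.

    Assumed layout: <expiry-hex>-<network-hex>-<prefixlen>-<mac>, which fits
    in a single DNS label (61 characters for an IPv6 /64).
    """
    net = ipaddress.ip_network(scope, strict=True)
    if net.prefixlen < MAX_SCOPE[net.version]:
        raise ValueError(f"scope {scope} wider than /{MAX_SCOPE[net.version]}")
    expires = issued_at + TOKEN_LIFETIME
    return (f"{expires:08x}-{net.network_address.packed.hex()}-{net.prefixlen}-"
            f"{_mac(expires, net, secret)}")


def coded_name(target, token):
    """Scanner tool: the name it asks `target` to resolve; the name itself
    records which address was probed."""
    return f"{ipaddress.ip_address(target).packed.hex()}.{token}.{ZONE}"


def validate_query(qname, received_at, secret=SERVER_SECRET):
    """Authoritative server: check one received query name.

    Returns (probed_address, None) for a valid probe, else (None, reason).
    The server logs the outcome and answers nothing either way, so a target
    that merely forwards the query is still detected.
    """
    labels = qname.rstrip(".").lower().split(".")
    zone_labels = ZONE.split(".")
    if len(labels) != len(zone_labels) + 2 or labels[2:] != zone_labels:
        return None, "not a probe name"
    try:
        exp_hex, net_hex, plen, mac = labels[1].split("-")
        expires = int(exp_hex, 16)
        net = ipaddress.ip_network((bytes.fromhex(net_hex), int(plen)), strict=True)
        target = ipaddress.ip_address(bytes.fromhex(labels[0]))
    except ValueError:
        return None, "malformed token"
    if not hmac.compare_digest(mac.encode(), _mac(expires, net, secret).encode()):
        return None, "bad mac"              # forged or tampered token
    if received_at > expires:
        return None, "expired"              # replay after the 7-day window
    if net.prefixlen < MAX_SCOPE[net.version]:
        return None, "scope too wide"
    if target.version != net.version or target not in net:
        return None, "target out of scope"  # token used outside its block
    return str(target), None


def scan_results(log_lines, secret=SERVER_SECRET):
    """Results page: fold the server's query log into {probed: {sources}}.

    Constructed log format: "<unix-time> <source-ip> <qname>". The source is
    whoever forwarded the probe to us (the target itself or its upstream);
    the probed address comes from the name, so the two need not match.
    """
    found = {}
    for line in log_lines:
        ts, src, qname = line.split()
        target, _reason = validate_query(qname, int(ts), secret)
        if target is not None:
            found.setdefault(target, set()).add(src)
    return found


# Constructed sample data: a fixed issue time and a small query log.
ISSUED_AT = 1368316800                       # 2013-05-12 00:00 UTC
TOKEN = mint_token("192.0.2.0/24", ISSUED_AT)
EXPIRED_TOKEN = mint_token("192.0.2.0/24", ISSUED_AT - 30 * 86400)
OTHER_TOKEN = mint_token("198.51.100.0/24", ISSUED_AT)
TAMPERED_TOKEN = TOKEN[:-1] + ("0" if TOKEN[-1] != "0" else "1")
SAMPLE_LOG = [
    f"{ISSUED_AT + 60} 192.0.2.10 {coded_name('192.0.2.10', TOKEN)}",          # open, forwards itself
    f"{ISSUED_AT + 61} 203.0.113.53 {coded_name('192.0.2.11', TOKEN)}",        # open, via an upstream
    f"{ISSUED_AT + 62} 192.0.2.10 {coded_name('192.0.2.10', TOKEN)}",          # retry, same finding
    f"{ISSUED_AT + 63} 192.0.2.12 {coded_name('192.0.2.12', EXPIRED_TOKEN)}",  # replayed old token
    f"{ISSUED_AT + 64} 192.0.2.13 {coded_name('192.0.2.13', OTHER_TOKEN)}",    # token for another block
    f"{ISSUED_AT + 65} 192.0.2.14 {coded_name('192.0.2.14', TAMPERED_TOKEN)}", # bad mac
    f"{ISSUED_AT + 66} 192.0.2.15 www.{ZONE}",                                 # unrelated query
]

if __name__ == "__main__":
    for probed, sources in sorted(scan_results(SAMPLE_LOG).items()):
        print(f"open resolver {probed}: seen from {', '.join(sorted(sources))}")
```

Run as a script, the constructed log yields two findings, 192.0.2.10 (which forwarded the probe itself) and 192.0.2.11 (seen only through an upstream forwarder at 203.0.113.53), while the replayed, out-of-scope, tampered and unrelated queries are dropped. The point the slides make is visible in `validate_query`: the authoritative side never answers, so a target counts as open the moment the coded name arrives, regardless of whether it forwarded directly or through another resolver.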


Step-by-Step Example


Login


Create a Token


Run the Scan


Check Results


Detailed Results


Feedback Welcomed!

https://www.verisignlabs.com/orscan/


Thank You

© 2013 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.