Intro To DNS Security with Cory Von Wallenstein & Chris Brenton

Intro To DNS SecurityOctober 23, 2013

Cory von WallensteinChief Technologist

@cvwdyn

Chris BrentonDirector of Security

@chris_brenton

http://www.linkedin.com/company/dyn

http://www.facebook.com/Dyn

http://twitter.com/dyninc

http://www.youtube.com/dyninc

Pg. 2 Intro To DNS Security @cvwdyn @chris_brenton

Your Presenters

Cory von Wallenstein

Chief Technologist

@cvwdyn

Chris BrentonDirector of

Security@Chris_Brenton






What We Will Cover

DNS security state of the union: 2013 Why DNS security is important Securing the architecture Securing the deployment Securing your zone info Securing your registration info































Is DNS Still Sexy?

It’s old tech, so we must have it secured by now…right?






Is DNS Still Sexy?

DNS is effectively our root of trust:

You “ass-u-me” typing in www.google.com will always bring you to a Google server

If sent to the wrong IP address, would you even notice?






Is DNS Still Sexy?

If DNS is compromised, everything else falls apart.






Architecture

Run split DNS:






Architecture

Two separate sets of name server records:

One for use by internal clients One for use by the rest of the world






Architecture

Helps protect internal systems from cache poisoning and other various nastiness






Internal Name Servers

Accessed by internal systems only Contains a full list of host records Usually identifies your hosts by private IP Will act recursively Will hand back upward referrals






External Name Servers

Accessed by the rest of the Internet Contains only records you want the world to

see Usually identifies your hosts by legal IP Will not act recursively Will not hand back upward referrals






Recursive Answers

DNS is a distributed system Not all servers know every answer “Recursion” identifies what to do when an

answer is not in cache






Recursive Answers

Recursive = Do the lookup work for the client

Non-Recursive = Don't be so friendly






Non-Recursive Possibilities

Hand back the list of root name servers Referred to as an “upward referral”

Hand back the error code “Refused” Let the client figure out what to do next






Why Recursion Can Be Bad

Can be leveraged for cache poisoning attacks:

Redirect your employees to an IP owned by the attacker






Why Recursion Can Be Bad

Can be leveraged for DDoS attacks:

Most DNS is UDP based Connectionless, so its easy to spoof the

source IP Small questions that result in big answers =

amplification A savvy attacker can get 30X amplification






Why Upward Referrals Are Bad

Non-recursive servers have historically handed back a list of root name server

Considered the polite thing to do






Why Upward Referrals Are Bad

Every name server should already maintain a current list of root name servers

That “polite” answer still provides a 10X amplification in a DDoS attack






Configuring Bind

Disabling Recursion and upward referrals

In /etc/named.conf:

recursion no;additional-from-cache no;






DNSSEC

Spec to secure DNS






DNSSEC

Spec to secure DNS Provides authentication but not data privacy






DNSSEC

Spec to secure DNS Provides authentication but not data privacy Trust anchor to create a chain of trust

Designed to create “trusted” responses






DNSSEC


Designed to create “trusted” responses Protect against cache poisoning






DNSSEC


Designed to create “trusted” responses Protect against cache poisoning Can protect additional info via TXT records






DNSSEC Pitfalls






DNSSEC Pitfalls

Large responses make DDoS issues even worse






DNSSEC Pitfalls

Large responses make DDoS issues even worse Can be problematic with split zone deployment






DNSSEC Pitfalls

Large responses make DDoS issues even worse Can be problematic with split zone deployment Can be a problem when handing back bogus

answers are “a feature”






DNSSEC Pitfalls


answers are “a feature” Still no data privacy






DNSSEC Pitfalls


answers are “a feature” Still no data privacy Crawling zones mitigated but not resolved






Should I Use DNSSEC?

Case-by-case judgment call







Case-by-case judgment call Useful when IP filtering is problematic

for protecting zone transfers








for protecting zone transfers May be mandated in some situations








for protecting zone transfers May be mandated in some situations Will probably be a requirement

Someday...maybe






Dyn Makes DNSSEC Easier To Enable






Protecting Your Registration

The easiest way to compromise all of your servers is to compromise your zone

Popular attack pattern Rapid7 owned by attackers with a…






Bit.ly/DynSec1






Domain Status Codes

Many registrars support codes to protect your domain

Permits you to limit zone management






Domain Status Codes

Predefine authentication process for changes:

Requires call back to a specified phone number

Only certain individuals can make changes






Status Code Examples

• Transfer prohibited• Delete prohibited• Update prohibited• Renew prohibited

Bit.ly/DynSec2






Protected Zone

foo$ whois dyn.com[whois.dyndns.com]Registrant: Hostmaster, Dyn-Inc [email protected]

…Domain status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited






• What are my authentication options?

Questions to Ask Your Registrar






• What are my authentication options?• How will authorized changes be verified?







• What are my authentication options?• How will authorized changes be verified?• Can I lock changes to a call back number?







• What are my authentication options?• How will authorized changes be verified?• Can I lock changes to a call back number?• Backup plan when primary auth goes FUBAR?







• What are my authentication options?• How will authorized changes be verified?• Can I lock changes to a call back number?• Backup plan when primary auth goes FUBAR?• Can auth be circumvented via API or portal?







Questions?


Chief Technologist

@cvwdyn








Next Webinar: Wed., Nov. 20th


Chief Technologist

@cvwdyn



DNS Security: PCI in The Public Cloud





Technology

Intro To DNS Security with Cory Von Wallenstein & Chris Brenton