DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008.

Slides:



Advertisements
Similar presentations
SAVI Requirements and Solutions for ISP IPv6 Access Network ISP-access-01.txt.
Advertisements

Review iClickers. Ch 1: The Importance of DNS Security.
Any Questions?.
CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
1 o Two issues in practice – Scale – Administrative autonomy o Autonomous system (AS) or region o Intra autonomous system routing protocol o Gateway routers.
Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Guide to Network Defense and Countermeasures Second Edition
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
© 2007 Cisco Systems, Inc. All rights reserved. 1 Network Addressing Networking for Home and Small Businesses – Chapter 5.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 14: Troubleshooting Remote Connections.
Chapter 5 The Network Layer.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
11- IP Network Layer4-1. Network Layer4-2 The Internet Network layer forwarding table Host, router network layer functions: Routing protocols path selection.
Subnetting.
ITIS 6167/8167: Network and Information Security Weichao Wang.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 7 Internet Protocol Version4.
Deployment of the VoIP Servers BY: Syed khaja Najmuddin Ahmed Anil Kumar Marikukala.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Networking Components Chad Benedict – LTEC
A question of protocol Geoff Huston APNIC 36. Originally there was RFC791: “All hosts must be prepared to accept datagrams of up to 576 octets (whether.
Day15 IP Space/Setup. IP Suite of protocols –TCP –UDP –ICMP –GRE… Gives us many benefits –Routing of packets over internet –Fragmentation/Reassembly of.
Firewalls. What are firewalls? a hardware device and/or software program which sits between the Internet and the intranet, internet, of an organization.
Network Components 101 Travis Hill.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
1 IP: putting it all together Part 2 G53ACC Chris Greenhalgh.
Firewalls. Evil Hackers FirewallYour network Firewalls mitigate risk Block many threats They have vulnerabilities.
DNS (Domain Name System) Protocol On the Internet, the DNS associates various sorts of information with domain names. A domain name is a meaningful and.
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
Tyre Kicking the DNS Testing Transport Considerations of Rolling Roots Geoff Huston APNIC.
Module 3: Designing IP Addressing. Module Overview Designing an IPv4 Addressing Scheme Designing DHCP Implementation Designing DHCP Configuration Options.
© 2007 Cisco Systems, Inc. All rights reserved. 1 Network Addressing Networking for Home and Small Businesses – Chapter 5 Darren Shaver – Modified Fall.
Understanding Networking Joe Cicero Northeast Wisconsin Technical College.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Day 14 Introduction to Networking. Unix Networking Unix is very frequently used as a server. –Server is a machine which “serves” some function Web Server.
Packet Filtering Chapter 4. Learning Objectives Understand packets and packet filtering Understand approaches to packet filtering Set specific filtering.
1 Firewalls G53ACC Chris Greenhalgh. 2 Contents l Attacks l Principles l Simple filters l Full firewall l Books: Comer ch
1 Network Layer Lecture 15 Imran Ahmed University of Management & Technology.
Home Gateways and DNS Ray Bellis, Advanced Projects, Nominet UK IETF 76, Hiroshima, 9 th November 2009.
Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Implementing IP Addressing Services Accessing the WAN – Chapter 7.
Transport Layer3-1 Chapter 4: Network Layer r 4. 1 Introduction r 4.2 Virtual circuit and datagram networks r 4.3 What’s inside a router r 4.4 IP: Internet.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
CNIT 124: Advanced Ethical Hacking Ch 7: Capturing Traffic.
1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Dynamic Host Configuration Protocol (DHCP)
Unleashing the Power of IP Communications™ Calling Across The Boundaries Mike Burkett, VP Products September 2002.
Making SIP NAT Friendly Jonathan Rosenberg dynamicsoft.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
(ITI310) By Eng. BASSEM ALSAID SESSIONS 9: Dynamic Host Configuration Protocol (DHCP)
ITP 457 Network Security Networking Technologies III IP, Subnets & NAT.
End-host IP: MAC: 11:11:11:11:11 gateway IP: MAC: 22:22:22:22:22 Google server IP: interne t interface DNS server IP:
1 COMP 431 Internet Services & Protocols The IP Internet Protocol Jasleen Kaur April 21, 2016.
NT1210 Introduction to Networking
Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.
By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.
DNS Security Advanced Network Security Peter Reiher August, 2014
Wireless Modes.
Introduction to Networking
CS 457 – Lecture 10 Internetworking and IP
Digital Pacman: Firewall Edition
NAT Configuration For ZyXEL ADSL Wireless Router
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Presentation transcript:

DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008

or: How not to write a DNS proxy

Study Details What is the impact of DNSSEC on consumer-class broadband routers? Joint study between Nominet UK and Core Competence Core Competence funded by Shinkuro, Inc., under contract from ISOC, ICANN, Affilias Conducted July and August 2008 Expansion of.SEs previous study

Devices Tested 4 SOHO Firewalls 12 Dual Ethernet Gateways 8 ADSL Routers Selected based on market share and popularity All tested with out of the box configuration as far as possible NAT-PT and DHCP

Test Environment Queries sent with dig and custom Perl scripts using Net::DNS Packets captured on both LAN and WAN side of unit under test with Wireshark/tcpdump Queries sent both directly to the unit under test (proxy mode) and through the unit to the upstream RDNS (routed mode) Upstream DNS on a private network, with a fake root RDNS and ADNS running Bind-9.5-P1

Test Environment

DHCP Behaviour 15 devices put their own (LAN) IP address in their DHCP servers Domain Name Server option –But 9 of those 15 have no way to change the DHCP settings A further six devices put the upstream address in, but only once the WAN link is up (chicken and egg problem) The remaining three dont proxy by default

Proxy Behaviour #1 Fragment reassembly was a big problem –Some fragments black-holed –Some sent from the wrong Source IP –Typically evident in packets near the WAN MTU Devices that were dumb about DNS tended to do better than smart devices, but only so long as they did the rest of UDP/IP correctly:

Proxy Behaviour #2 Responses truncated at 512 bytes (without setting TC) Responses having TC flag cleared in transit Packets dropped in either direction when CD=1 or AD=1 EDNS0 packets black-holed or rejected No support for failover to TCP QIDs not random [NB: this is for future study] Many implementors only appear to have read (some of) RFC1035, and no subsequent RFCs:

NAT-PT Behaviour Half of the devices tested had poor source port randomization in their NAT-PT logic Most (if not all) of those pick source ports sequentially –Risk of cache poisoning attacks not mitigated When combined with poor QID selection, severe risk of exposure to normal response spoofing attacks

Results Only six of 24 devices were mostly compatible with DNSSEC out of the box 18 of the 22 devices that actually do DNS proxying had limitations on packet size (512 bytes or ~MTU) 6 of those 22 had incompatibilities that effectively prevent use of proxy mode for DNSSEC However all devices handled DNSSEC correctly when using routed mode Only one device could proxy DNS over TCP

Unaffected Configurations Fully validating local recursors –NB: some still prone to cache poisoning –Potential high load on authority servers Clients with hard-coded settings –NB: some clients (e.g. Mac OS X) make it hard to ignore DHCP settings. They default to adding the hard-coded list to the DHCP settings, not replacing them. Anything using route mode: Good news! That covers most configurations that would be used by more technically sophisticated users

Affected Configurations the response is a large RRset (containing DNSSEC records or otherwise); or the server returns unexpected flags (c.f. Bind bug found in the.SE study); or the client is a security-aware stub –Is this a likely deployment model for desktop DNSSEC? –Could a client detect whether the proxy is good, and failover to fully recursive otherwise? Anything that uses DHCP to get DNS settings and where:

Study Follow-up IETF draft - BCP for how to write a proxy Vendor fixes? Research on the quality of PRNGs for –Source Port ID –Query ID Fuzzed queries and responses - can we actually crash the routers? fpdns Mk II - for identifying RDNS? How common is it to run a recursor behind NAT?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.