SlideShare ist ein Scribd-Unternehmen logo

DNS Vulnerabilities

Als PPTX, PDF herunterladen
Mike Spaulding
Mike Spaulding

DNS Vulnerabilities

Technologie
1 von 38
DNS Vulnerabilities and Security Remedies Michael Spaulding Security Nomad NetJets
Restrict Zone Transfers  Restricting zone transfers prevents  Others from taxing your name server  Hackers from listing the contents of your zones  To identify targets  Mail servers  Name servers  To gain “host demographic” information  How many hosts you have  What makes and models you have  What their names are (valuable if you name them after people or projects)
Restricting Zone Transfers with BIND  With BIND 4.9, use the xfrnets directive: xfrnets <address>[&<netmask>] [<address>[&<netmask>] …] e.g., xfrnets 207.69.231.3&255.255.255.255  This controls which name servers can transfer any zones from this name server
Restricting Zone Transfers with BIND  With BIND 8, use the allow-transfer substatement: options { allow-transfer { address_match_list; }; }; or, specific to a zone: zone “some.zone” { type master; file “db.some.zone”; allow-transfer { address_match_list; }; };
Restricting Zone Transfers with the Microsoft DNS Server  Use the Notify tab of the Zone Properties window:  Check Only Allow Access From Secondaries Included on Notify List
Notes on Restricting Zone Transfers  Remember to restrict zone transfers from slave name servers, not just the primary master  It’s just as easy to transfer a zone from a slave as it is from the primary master  With the Microsoft DNS Server, you’ll have to define a Notify List to restrict zone transfers  You obviously don’t need a Notify List to turn zone transfers off, though  nslookup’s ls command is implemented as a zone transfer
Restrict Dynamic Updates  Dynamic updates are both useful and dangerous  An authorized updater can delete all the records from a zone and add in completely different records  If you use dynamic update at all, restrict it as much as possible  To individual addresses  Since you’re using addresses for authentication, make sure you have strong anti-spoofing mechanisms in place  On your border router or  On your bastion host
Restricting Dynamic Updates with BIND  Only BIND 8 understands dynamic updates  BIND 8 won’t accept dynamic updates to a zone by default  You must add an access list to enable dynamic updates  Use the allow-update substatement: zone “some.zone” { type master; file “db.some.zone”; allow-update { address_match_list; }; };
Restricting Dynamic Updates with BIND  If you’re only updating records attached to one domain name, you can create a new zone that contains just that name  For example, if you’re just updating the address of www.acmebw.com: (in db.acmebw.com, delegating the new zone) www IN NS speakeasy.mspring.net. IN NS hearsay.mspring.net. IN NS rumor.mspring.net.
Restricting Dynamic Updates with BIND  In named.conf on the primary master name server for www.acmebw.com: zone “www.acmebw.com” { type master; file “db.www.acmebw.com”; allow-update { 206.168.119.178; }; };  At worst, a malicious updater could change the address of www.acmebw.com or add subdomains of www.acmebw.com, but couldn’t update the acmebw.com zone
Protect Against Spoofing  Accepting recursive queries from the Internet makes your name servers vulnerable to spoofing attacks  Hackers can query your name server for information in zones under their control  This forces your name server to query their evil name servers, which may spit back bogus data  To deal with this, you can either  Turn off recursion, if possible  Restrict the addresses the name server will respond to queries from
A Sample DNS Spoofing Attack alternic.net name server alternic.net name server target name server cache Data saved to cache
A Sample DNS Spoofing Attack alternic.net name server target name server alternic.net name server resolver cache Data saved to cache
Turning Off Recursion  Disabling recursion puts your name servers into a passive mode, telling them never to send queries on behalf of other name servers or resolvers  A non-recursive name server is very difficult to spoof, since it doesn’t send queries, and hence doesn’t cache any data  You can’t disable recursion on a name server if any legitimate resolvers query it, or if other name servers use it as a forwarder  If you can’t disable recursion, restrict the queries the name server will accept, shown later
Turning Off Glue fetching  Normally a name server returning NS records for which it does not have A records will attempt to retrieve them  This is called glue fetching  A potential source of a spoofed response  Turning off glue fetching prevents this lookup  The name server will never generate any queries  And will not build up a cache
Turning Off Recursion and Glue Fetching With BIND  With BIND 4.9.x, use the options directive: options no-recursion options no-fetch-glue  With BIND 8, use the options statement: options { recursion no; fetch-glue no; };
Turning Off Recursion with the Microsoft DNS Server  Use regedit or regedt32  Add the value NoRecursion to the Registry key HKEY_LOCAL_MACHINESYSTEM CurrentControlSetServicesDNSParameters  The value type is REG_DWORD  Value is 1 (true, recursion disabled)
Restrict Queries  If you can’t turn off recursion, restrict the queries that your name servers accept to:  The addresses they should come from  The zones they should ask about  On most name servers  Queries for records in authoritative zones can come from anywhere, because the zones are delegated to the name server  Queries for records outside of authoritative zones should only come from internal addresses  On 8.2.1+ name servers, restrict the addresses your name server will accept recursive queries from directly with allow-recursion
Restricting Queries with BIND  Unfortunately, only BIND 8 (i.e., not BIND 4 or the Microsoft DNS Server) will let you establish such fine-grained access  Use a global allow-query substatement to restrict queries outside of authoritative zones to your internal addresses, and override it for authoritative zones: acl internal { address_match_list; }; options { directory “/var/named”; allow-query { internal; }; }; zone “some.zone” { type master; allow-query { any; }; };
Restricting Queries with BIND 8.2.1+  Or use a global allow-recursion substatement to restrict recursive queries to your internal addresses acl internal { address_match_list; }; options { directory “/var/named”; allow-recursion { internal; }; };
More Protection Against Spoofing  On any name server that queries name servers on the Internet, use use-id-pool to randomize message IDs and make spoofing harder options { directory “/var/named”; use-id-pool yes; };
Two Issues to Deal With  How do internal name servers communicate with Internet name servers to resolve Internet domain names?  “Inside looking out”  How much of your company’s name space is visible to Internet name servers?  “Outside looking in”  More to come
Forwarding  Forwarding works with either application gateways or packet filters  The only difference is where you run the forwarder  In an application gateway-based firewall, you run the forwarder on the bastion host  In a packet filter-based firewall, you run the forwarder (or forwarders) wherever you want  Inside the firewall, on name servers you designate as forwarders  Outside the firewall, on name servers on the DMZ or at your ISP
Forwarding Scenario •internal network Internet bastion host Internal name server •query •query •query •query low-speed link border router Internal name server Internal name server
The Problem with Forwarding  Forwarding aggregates queries from all over your network to one name server  If that name server goes down, your name servers can only resolve names in their local data  That name server will receive lots of burdensome recursive queries  Forwarding overrides normal resolution  For example, an acme.com name server that knows where the west.acme.com name servers are (through delegation information) will still send queries for west.acme.com to its forwarder
Split DNS  Running two versions of your name space is called a split DNS configuration  Some people say split brain  But that’s weird  Other people say split horizon  But that’s an IP routing term erroneously applied to DNS
Split-service Name Servers  Consider creating two kinds of name server, each optimized for a particular function:  Advertising name servers:  Authoritative for zones to “advertise”  Listed in zones’ NS records  Queried only by other name servers  Non-recursive  Resolving name servers:  (May be) authoritative for “internal” zones  Queried only by known resolvers (or forwarding name servers)  Answer recursive queries from trusted sources
Split-service Name Server Configs  An advertising name server: acl slaves { 207.69.231.3; 209.86.147.1; }; options { directory “/var/named”; recursion no; fetch-glue no; use-id-pool yes; allow-query { any; }; // the default }; zone “acmebw.com” { type master; file “db.acmebw.com”; allow-transfer { slaves; }; };
Split-service Name Server Configs  A resolving name server: acl internal { 192.168.0/24; }; options { directory “/var/named”; recursion yes; // the default use-id-pool yes; allow-query { internal; }; }; zone “.” { type hint; file “db.cache”; }; zone “acmebw.com” { type slave; masters { 207.69.231.2; }; file “bak.acmebw.com”; allow-transfer { internal; }; };
Shadow Name Space Contents  The shadow name space includes only the data that’s strictly needed by people on the Internet  For the acmebw.com zone, this information would be:  Information about the bastion host  MX records for acmebw.com  Information about publicly accessible servers  www.acmebw.com  ftp.acmebw.com  etc.
A Sample Shadow Zone: acmebw.com$TTL 2d @ IN SOA raven.acmebw.net. hostmaster.acmebw.com. ( 50 ; Serial 3h ; Refresh (3 hours) 1h ; Retry (1 hour) 1w ; Expire (1 week) 10m ) ; Default TTL (10 minutes) IN NS ns1.sanjose.acmebw.net. IN NS ns1.vienna.acmebw.net. IN NS ns1.denver.acmebw.net. IN A 207.69.209.143 IN MX 10 mail.acmebw.com. www IN CNAME @ ftp IN A 207.69.209.144 mail IN A 216.200.122.35
Shadow Name Space Name Servers  The shadow zone has, of course, a primary master and slaves  These name servers must be reachable by everyone on the Internet  They can be located:  On a DMZ (demilitarized zone)  An Internet-accessible network at your site, often on a separate interface off the bastion host  At an ISP  A combination of the two  Often the primary master on a DMZ for local control  Slaves at an ISP
Two Versions of acmebw.com Internet root NS’s com NS’s external acmebw.com NS’s external 209.69.207.in-addr.arpa NS’s internal acmebw.com NS’s west.acmebw.com name servers east.acmebw.com name servers internal 209.69.207.in-addr.arpa NS’s Firewall in-addr.arpa NS’s  Internal version has complete information  External version is pared-down shadow zone
Where are we today?  Three core areas of risk exposing our DNS:  Firewall Policy – Wide open to Port 53 DNS  External DNS Servers – Have they been patched and locked down?  Internal DNS Servers - Have they been patched, locked down, and are they pointing to the correct location for external name resolution?
Where are we today?  Three core areas of risk exposing our DNS:  Firewall Policy – Wide open to Port 53 DNS  We need to limit the external DNS servers to only point to AT&T’s Public Servers by filtering firewall rules/acl’s to limit the access.  We need to confirm that the DNS servers are within a DMZ and only reachable through a firewall.  We need to filter out internal calls to the external DNS servers residing within the DMZ  We need to only allow the internal (Microsoft DNS to make calls to the AT&T Public servers for address resolution
Where are we today?  Three core areas of risk exposing our DNS:  External DNS Servers – Have they been patched and locked down?  We need to confirm current OS and Bind versions and ensure that all patches have been added  We need to confirm that current security settings on the OS and Bind system are correct and expose only DNS information necessary.
Where are we today?  Three core areas of risk exposing our DNS:  Internal DNS Servers - Have they been patched, locked down, and are they pointing to the correct location for external name resolution?  We need to confirm current OS and DNS versions and ensure that all patches have been added  We need to confirm that current security settings on the OS and DNS system are correct and expose only DNS information necessary.  We need to point the DNS server to AT&T’s public DNS servers and not the external DNS servers in the DMZ.
Options?  We could:  Make these changes and maintain our DNS in the DMZ  Transfer responsibility of the external DNS servers to a different team within TS  We could transfer responsibility of the external DNS servers to an ISP or Provider  Thoughts?

Empfohlen

CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesSam Bowne
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondSam Bowne
 

Empfohlen

CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesSam Bowne
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondSam Bowne
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1DNS Entrepreneurship Center
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
4 technical-dns-workshop-day2
4 technical-dns-workshop-day24 technical-dns-workshop-day2
4 technical-dns-workshop-day2DNS Entrepreneurship Center
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3DNS Entrepreneurship Center
 
1 technical-dns-workshop-day1
1 technical-dns-workshop-day11 technical-dns-workshop-day1
1 technical-dns-workshop-day1DNS Entrepreneurship Center
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)Venkatesh Jambulingam
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache PoisoningChristiaan Ottow
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS SecurityNihal Pasham, CISSP
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentBangladesh Network Operators Group
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy ArendsCommonwealth Telecommunications Organisation
 
DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White PaperRyan Ellingson
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILUtah Networxs Consultoria e Treinamento
 
Dns
DnsDns
Dnsjulien pauli
 
Lets talk dns
Lets talk dnsLets talk dns
Lets talk dnsAbhinav Mehta
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...APNIC
 
OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedAPNIC
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
Dns
DnsDns
DnsPatruni Chidananda Sastry
 
Dns
DnsDns
DnsMd Shihab
 
6425 b 10
6425 b 106425 b 10
6425 b 10FMAB2010
 

Weitere ähnliche Inhalte

Was ist angesagt?

Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]APNIC
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...APNIC
 
OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedAPNIC
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 

Was ist angesagt? (20)

8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
4 technical-dns-workshop-day2
4 technical-dns-workshop-day24 technical-dns-workshop-day2
4 technical-dns-workshop-day2
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
 
1 technical-dns-workshop-day1
1 technical-dns-workshop-day11 technical-dns-workshop-day1
1 technical-dns-workshop-day1
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)
 
DNS Cache Poisoning
DNS Cache PoisoningDNS Cache Poisoning
DNS Cache Poisoning
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
Session 4.1 Roy Arends
Session 4.1 Roy ArendsSession 4.1 Roy Arends
Session 4.1 Roy Arends
 
DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White Paper
 
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAILDNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
 
Dns
DnsDns
Dns
 
Lets talk dns
Lets talk dnsLets talk dns
Lets talk dns
 
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
Understanding and Deploying DNSSEC, by Champika Wijayatunga [APRICOT 2015]
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
 
OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching Revisited
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
Dns
DnsDns
Dns
 

Ähnlich wie DNS Vulnerabilities

DNS – Domain Name Service
DNS – Domain Name ServiceDNS – Domain Name Service
DNS – Domain Name ServiceJohnny Fortune
 
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53Amazon Web Services
 
Dns Configuration
Dns ConfigurationDns Configuration
Dns ConfigurationLohit Ahuja
 
Pmw2 k3ni 1-3a
Pmw2 k3ni 1-3aPmw2 k3ni 1-3a
Pmw2 k3ni 1-3ahariclant1
 
Pmw2 k3ni 1-2b
Pmw2 k3ni 1-2bPmw2 k3ni 1-2b
Pmw2 k3ni 1-2bhariclant1
 
domain-routing-220627173025-41f4dc7e (1).pdf
domain-routing-220627173025-41f4dc7e (1).pdfdomain-routing-220627173025-41f4dc7e (1).pdf
domain-routing-220627173025-41f4dc7e (1).pdfssusere9bd3b
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commandsSayed Ahmed
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commandsSayed Ahmed
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxviditsir
 

Ähnlich wie DNS Vulnerabilities (20)

Dns
DnsDns
Dns
 
6425 b 10
6425 b 106425 b 10
6425 b 10
 
DNS – Domain Name Service
DNS – Domain Name ServiceDNS – Domain Name Service
DNS – Domain Name Service
 
SFScon 22 - Dashamir Hoxha - Manage your own DNS.pdf
SFScon 22 - Dashamir Hoxha - Manage your own DNS.pdfSFScon 22 - Dashamir Hoxha - Manage your own DNS.pdf
SFScon 22 - Dashamir Hoxha - Manage your own DNS.pdf
 
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
(NET308) Consolidating DNS Data in the Cloud with Amazon Route 53
 
DNS
DNSDNS
DNS
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019
 
Dns Configuration
Dns ConfigurationDns Configuration
Dns Configuration
 
Configuring Dns
Configuring DnsConfiguring Dns
Configuring Dns
 
Pmw2 k3ni 1-3a
Pmw2 k3ni 1-3aPmw2 k3ni 1-3a
Pmw2 k3ni 1-3a
 
Pmw2 k3ni 1-2b
Pmw2 k3ni 1-2bPmw2 k3ni 1-2b
Pmw2 k3ni 1-2b
 
domain-routing-220627173025-41f4dc7e (1).pdf
domain-routing-220627173025-41f4dc7e (1).pdfdomain-routing-220627173025-41f4dc7e (1).pdf
domain-routing-220627173025-41f4dc7e (1).pdf
 
domain-routing.pptx
domain-routing.pptxdomain-routing.pptx
domain-routing.pptx
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
 
Linux networking commands
Linux networking commandsLinux networking commands
Linux networking commands
 
7 understanding DNS
7 understanding DNS7 understanding DNS
7 understanding DNS
 
Active Directory
Active DirectoryActive Directory
Active Directory
 
Quad9 and DNS Privacy
Quad9 and DNS PrivacyQuad9 and DNS Privacy
Quad9 and DNS Privacy
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
Dot Com In A Day
Dot Com In A DayDot Com In A Day
Dot Com In A Day
 

Mehr von Mike Spaulding

BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...Mike Spaulding
 
Redefining Security in the Cloud
Redefining Security in the CloudRedefining Security in the Cloud
Redefining Security in the CloudMike Spaulding
 
Attacking Automation: Hacking for the Next Fifty Years
Attacking Automation: Hacking for the Next Fifty YearsAttacking Automation: Hacking for the Next Fifty Years
Attacking Automation: Hacking for the Next Fifty YearsMike Spaulding
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended CutMike Spaulding
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsMike Spaulding
 
Data Leakage Presentation
Data Leakage PresentationData Leakage Presentation
Data Leakage PresentationMike Spaulding
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec TrainingMike Spaulding
 
Web Application Hacking 2004
Web Application Hacking 2004Web Application Hacking 2004
Web Application Hacking 2004Mike Spaulding
 
CMH Security Summit 2014 - InfoSec Warrior
CMH Security Summit 2014 - InfoSec WarriorCMH Security Summit 2014 - InfoSec Warrior
CMH Security Summit 2014 - InfoSec WarriorMike Spaulding
 
PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015Mike Spaulding
 

Mehr von Mike Spaulding (11)

BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
BlackHat Presentation - Lies and Damn Lies: Getting past the Hype of Endpoint...
 
Redefining Security in the Cloud
Redefining Security in the CloudRedefining Security in the Cloud
Redefining Security in the Cloud
 
Attacking Automation: Hacking for the Next Fifty Years
Attacking Automation: Hacking for the Next Fifty YearsAttacking Automation: Hacking for the Next Fifty Years
Attacking Automation: Hacking for the Next Fifty Years
 
Building an AppSec Team Extended Cut
Building an AppSec Team Extended CutBuilding an AppSec Team Extended Cut
Building an AppSec Team Extended Cut
 
Windows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti ForensicsWindows 8 Forensics & Anti Forensics
Windows 8 Forensics & Anti Forensics
 
Policy Map
Policy MapPolicy Map
Policy Map
 
Data Leakage Presentation
Data Leakage PresentationData Leakage Presentation
Data Leakage Presentation
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
Web Application Hacking 2004
Web Application Hacking 2004Web Application Hacking 2004
Web Application Hacking 2004
 
CMH Security Summit 2014 - InfoSec Warrior
CMH Security Summit 2014 - InfoSec WarriorCMH Security Summit 2014 - InfoSec Warrior
CMH Security Summit 2014 - InfoSec Warrior
 
PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015PaloAlto Ignite Conference 2015
PaloAlto Ignite Conference 2015
 

Kürzlich hochgeladen

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusZilliz
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Kürzlich hochgeladen (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

DNS Vulnerabilities

  • 1. DNS Vulnerabilities and Security Remedies Michael Spaulding Security Nomad NetJets
  • 2. Restrict Zone Transfers  Restricting zone transfers prevents  Others from taxing your name server  Hackers from listing the contents of your zones  To identify targets  Mail servers  Name servers  To gain “host demographic” information  How many hosts you have  What makes and models you have  What their names are (valuable if you name them after people or projects)
  • 3. Restricting Zone Transfers with BIND  With BIND 4.9, use the xfrnets directive: xfrnets <address>[&<netmask>] [<address>[&<netmask>] …] e.g., xfrnets 207.69.231.3&255.255.255.255  This controls which name servers can transfer any zones from this name server
  • 4. Restricting Zone Transfers with BIND  With BIND 8, use the allow-transfer substatement: options { allow-transfer { address_match_list; }; }; or, specific to a zone: zone “some.zone” { type master; file “db.some.zone”; allow-transfer { address_match_list; }; };
  • 5. Restricting Zone Transfers with the Microsoft DNS Server  Use the Notify tab of the Zone Properties window:  Check Only Allow Access From Secondaries Included on Notify List
  • 6. Notes on Restricting Zone Transfers  Remember to restrict zone transfers from slave name servers, not just the primary master  It’s just as easy to transfer a zone from a slave as it is from the primary master  With the Microsoft DNS Server, you’ll have to define a Notify List to restrict zone transfers  You obviously don’t need a Notify List to turn zone transfers off, though  nslookup’s ls command is implemented as a zone transfer
  • 7. Restrict Dynamic Updates  Dynamic updates are both useful and dangerous  An authorized updater can delete all the records from a zone and add in completely different records  If you use dynamic update at all, restrict it as much as possible  To individual addresses  Since you’re using addresses for authentication, make sure you have strong anti-spoofing mechanisms in place  On your border router or  On your bastion host
  • 8. Restricting Dynamic Updates with BIND  Only BIND 8 understands dynamic updates  BIND 8 won’t accept dynamic updates to a zone by default  You must add an access list to enable dynamic updates  Use the allow-update substatement: zone “some.zone” { type master; file “db.some.zone”; allow-update { address_match_list; }; };
  • 9. Restricting Dynamic Updates with BIND  If you’re only updating records attached to one domain name, you can create a new zone that contains just that name  For example, if you’re just updating the address of www.acmebw.com: (in db.acmebw.com, delegating the new zone) www IN NS speakeasy.mspring.net. IN NS hearsay.mspring.net. IN NS rumor.mspring.net.
  • 10. Restricting Dynamic Updates with BIND  In named.conf on the primary master name server for www.acmebw.com: zone “www.acmebw.com” { type master; file “db.www.acmebw.com”; allow-update { 206.168.119.178; }; };  At worst, a malicious updater could change the address of www.acmebw.com or add subdomains of www.acmebw.com, but couldn’t update the acmebw.com zone
  • 11. Protect Against Spoofing  Accepting recursive queries from the Internet makes your name servers vulnerable to spoofing attacks  Hackers can query your name server for information in zones under their control  This forces your name server to query their evil name servers, which may spit back bogus data  To deal with this, you can either  Turn off recursion, if possible  Restrict the addresses the name server will respond to queries from
  • 12. A Sample DNS Spoofing Attack alternic.net name server alternic.net name server target name server cache Data saved to cache
  • 13. A Sample DNS Spoofing Attack alternic.net name server target name server alternic.net name server resolver cache Data saved to cache
  • 14. Turning Off Recursion  Disabling recursion puts your name servers into a passive mode, telling them never to send queries on behalf of other name servers or resolvers  A non-recursive name server is very difficult to spoof, since it doesn’t send queries, and hence doesn’t cache any data  You can’t disable recursion on a name server if any legitimate resolvers query it, or if other name servers use it as a forwarder  If you can’t disable recursion, restrict the queries the name server will accept, shown later
  • 15. Turning Off Glue fetching  Normally a name server returning NS records for which it does not have A records will attempt to retrieve them  This is called glue fetching  A potential source of a spoofed response  Turning off glue fetching prevents this lookup  The name server will never generate any queries  And will not build up a cache
  • 16. Turning Off Recursion and Glue Fetching With BIND  With BIND 4.9.x, use the options directive: options no-recursion options no-fetch-glue  With BIND 8, use the options statement: options { recursion no; fetch-glue no; };
  • 17. Turning Off Recursion with the Microsoft DNS Server  Use regedit or regedt32  Add the value NoRecursion to the Registry key HKEY_LOCAL_MACHINESYSTEM CurrentControlSetServicesDNSParameters  The value type is REG_DWORD  Value is 1 (true, recursion disabled)
  • 18. Restrict Queries  If you can’t turn off recursion, restrict the queries that your name servers accept to:  The addresses they should come from  The zones they should ask about  On most name servers  Queries for records in authoritative zones can come from anywhere, because the zones are delegated to the name server  Queries for records outside of authoritative zones should only come from internal addresses  On 8.2.1+ name servers, restrict the addresses your name server will accept recursive queries from directly with allow-recursion
  • 19. Restricting Queries with BIND  Unfortunately, only BIND 8 (i.e., not BIND 4 or the Microsoft DNS Server) will let you establish such fine-grained access  Use a global allow-query substatement to restrict queries outside of authoritative zones to your internal addresses, and override it for authoritative zones: acl internal { address_match_list; }; options { directory “/var/named”; allow-query { internal; }; }; zone “some.zone” { type master; allow-query { any; }; };
  • 20. Restricting Queries with BIND 8.2.1+  Or use a global allow-recursion substatement to restrict recursive queries to your internal addresses acl internal { address_match_list; }; options { directory “/var/named”; allow-recursion { internal; }; };
  • 21. More Protection Against Spoofing  On any name server that queries name servers on the Internet, use use-id-pool to randomize message IDs and make spoofing harder options { directory “/var/named”; use-id-pool yes; };
  • 22. Two Issues to Deal With  How do internal name servers communicate with Internet name servers to resolve Internet domain names?  “Inside looking out”  How much of your company’s name space is visible to Internet name servers?  “Outside looking in”  More to come
  • 23. Forwarding  Forwarding works with either application gateways or packet filters  The only difference is where you run the forwarder  In an application gateway-based firewall, you run the forwarder on the bastion host  In a packet filter-based firewall, you run the forwarder (or forwarders) wherever you want  Inside the firewall, on name servers you designate as forwarders  Outside the firewall, on name servers on the DMZ or at your ISP
  • 24. Forwarding Scenario •internal network Internet bastion host Internal name server •query •query •query •query low-speed link border router Internal name server Internal name server
  • 25. The Problem with Forwarding  Forwarding aggregates queries from all over your network to one name server  If that name server goes down, your name servers can only resolve names in their local data  That name server will receive lots of burdensome recursive queries  Forwarding overrides normal resolution  For example, an acme.com name server that knows where the west.acme.com name servers are (through delegation information) will still send queries for west.acme.com to its forwarder
  • 26. Split DNS  Running two versions of your name space is called a split DNS configuration  Some people say split brain  But that’s weird  Other people say split horizon  But that’s an IP routing term erroneously applied to DNS
  • 27. Split-service Name Servers  Consider creating two kinds of name server, each optimized for a particular function:  Advertising name servers:  Authoritative for zones to “advertise”  Listed in zones’ NS records  Queried only by other name servers  Non-recursive  Resolving name servers:  (May be) authoritative for “internal” zones  Queried only by known resolvers (or forwarding name servers)  Answer recursive queries from trusted sources
  • 28. Split-service Name Server Configs  An advertising name server: acl slaves { 207.69.231.3; 209.86.147.1; }; options { directory “/var/named”; recursion no; fetch-glue no; use-id-pool yes; allow-query { any; }; // the default }; zone “acmebw.com” { type master; file “db.acmebw.com”; allow-transfer { slaves; }; };
  • 29. Split-service Name Server Configs  A resolving name server: acl internal { 192.168.0/24; }; options { directory “/var/named”; recursion yes; // the default use-id-pool yes; allow-query { internal; }; }; zone “.” { type hint; file “db.cache”; }; zone “acmebw.com” { type slave; masters { 207.69.231.2; }; file “bak.acmebw.com”; allow-transfer { internal; }; };
  • 30. Shadow Name Space Contents  The shadow name space includes only the data that’s strictly needed by people on the Internet  For the acmebw.com zone, this information would be:  Information about the bastion host  MX records for acmebw.com  Information about publicly accessible servers  www.acmebw.com  ftp.acmebw.com  etc.
  • 31. A Sample Shadow Zone: acmebw.com$TTL 2d @ IN SOA raven.acmebw.net. hostmaster.acmebw.com. ( 50 ; Serial 3h ; Refresh (3 hours) 1h ; Retry (1 hour) 1w ; Expire (1 week) 10m ) ; Default TTL (10 minutes) IN NS ns1.sanjose.acmebw.net. IN NS ns1.vienna.acmebw.net. IN NS ns1.denver.acmebw.net. IN A 207.69.209.143 IN MX 10 mail.acmebw.com. www IN CNAME @ ftp IN A 207.69.209.144 mail IN A 216.200.122.35
  • 32. Shadow Name Space Name Servers  The shadow zone has, of course, a primary master and slaves  These name servers must be reachable by everyone on the Internet  They can be located:  On a DMZ (demilitarized zone)  An Internet-accessible network at your site, often on a separate interface off the bastion host  At an ISP  A combination of the two  Often the primary master on a DMZ for local control  Slaves at an ISP
  • 33. Two Versions of acmebw.com Internet root NS’s com NS’s external acmebw.com NS’s external 209.69.207.in-addr.arpa NS’s internal acmebw.com NS’s west.acmebw.com name servers east.acmebw.com name servers internal 209.69.207.in-addr.arpa NS’s Firewall in-addr.arpa NS’s  Internal version has complete information  External version is pared-down shadow zone
  • 34. Where are we today?  Three core areas of risk exposing our DNS:  Firewall Policy – Wide open to Port 53 DNS  External DNS Servers – Have they been patched and locked down?  Internal DNS Servers - Have they been patched, locked down, and are they pointing to the correct location for external name resolution?
  • 35. Where are we today?  Three core areas of risk exposing our DNS:  Firewall Policy – Wide open to Port 53 DNS  We need to limit the external DNS servers to only point to AT&T’s Public Servers by filtering firewall rules/acl’s to limit the access.  We need to confirm that the DNS servers are within a DMZ and only reachable through a firewall.  We need to filter out internal calls to the external DNS servers residing within the DMZ  We need to only allow the internal (Microsoft DNS to make calls to the AT&T Public servers for address resolution
  • 36. Where are we today?  Three core areas of risk exposing our DNS:  External DNS Servers – Have they been patched and locked down?  We need to confirm current OS and Bind versions and ensure that all patches have been added  We need to confirm that current security settings on the OS and Bind system are correct and expose only DNS information necessary.
  • 37. Where are we today?  Three core areas of risk exposing our DNS:  Internal DNS Servers - Have they been patched, locked down, and are they pointing to the correct location for external name resolution?  We need to confirm current OS and DNS versions and ensure that all patches have been added  We need to confirm that current security settings on the OS and DNS system are correct and expose only DNS information necessary.  We need to point the DNS server to AT&T’s public DNS servers and not the external DNS servers in the DMZ.
  • 38. Options?  We could:  Make these changes and maintain our DNS in the DMZ  Transfer responsibility of the external DNS servers to a different team within TS  We could transfer responsibility of the external DNS servers to an ISP or Provider  Thoughts?