Strategies & Techniques for Simplifying and Securing Your DNS, DHCP, & IP Infrastructure

Securing Your DNS Infrastructure

Presented by Alex Drescher, Director, Software Product Planning, and Tim Rooney, Director, Software Product Management

INS Background

- Vendor-independent, global provider of IT infrastructure consulting services and software
  - 13 years of business-centric technology consulting
  - Scalable software solutions for complex IP networks
  - 30+ offices across North America, Europe & SE Asia
- Focus on Fortune 1000 enterprises and major service providers
  - Experience with >75% of Fortune 500
  - Conducting business with >50% of the Fortune 100
  - Conducting business with all major voice and data SPs

The knowledge behind the network.®

January 2005

You Mean My DNS Isn’t Secure?


Importance of DNS Security

- IP applications usability
- DNS ubiquity
- DNS attack impacts
  - Attacker access to host and IP address information on your network
  - Attacker can modify zone data, pointing web or email servers elsewhere
  - Denial of service attacks can prevent web server and email access


Man in the Middle or Spoofing Attacks

- Attacker name server “intercepts” DNS query
  - Packet interception
  - ID guessing – ID field 16 bits + 16-bit server UDP port – 2^32 possibilities
- Attacker name server responds with a misleading response
- Resolver caches this false information

[Figure: the resolver asks the intended name server “What is the address for www.ins.com?”; the attacker name server answers in its place with “The address is 168.77.23.15”.]

DNS Spoofing/Cache Poisoning

- Resolver queries a local DNS server
- The local DNS server issues a recursive query to obtain the information if not authoritative or cached
- Attacker spoofs intended name server response
- Local DNS server caches this information
- Resolver caches this information

[Figure: the resolver asks the local DNS server “What is the address for www.ins.com?”; the local server asks the intended name server “Do you know the address for www.ins.com?”; the attacker name server replies “Sure, it’s 168.77.23.15”, and the local server returns “The address is 168.77.23.15” to the resolver.]

Name Chaining

- Attacker’s response includes one or more RRs with DNS names in their RDATA
- Attacker introduces DNS names of the attacker’s choosing
- Attacker can provoke a query for such names
  - E.g., graphic link in email – victim’s email program resolves link

[Figure: the resolver asks the intended name server “What is the address for www.ins.com?”; the attacker name server answers “The address is 198.134.150.150, and here is some additional info”.]
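The three attacks above (spoofing, cache poisoning, name chaining) all rely on a resolver accepting a reply it should not. The following added example, which is not part of the webinar slides, simulates the acceptance checks a caching resolver applies: the message ID and port must match the outstanding query (the 16 + 16 bits the ID-guessing slide counts), the question must match, and, as a standard defense against name chaining that the slides do not spell out, RRs for names outside the queried zone are dropped. All names, addresses and records are constructed for the example.

```python
import random

# Added example (not from the slides): a constructed simulation of the
# checks a caching resolver applies before trusting a reply. Names,
# addresses and the query/response records are made up for this example.

def new_query(qname, qtype, rng=random):
    """Issue a query with a random 16-bit message ID and a random ephemeral
    source port: an off-path spoofer must guess both (2^32 combinations)."""
    return {"id": rng.randrange(1 << 16), "port": rng.randrange(1024, 1 << 16),
            "qname": qname.lower().rstrip("."), "qtype": qtype}

def in_bailiwick(name, zone):
    """True if name is the queried zone or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def validate_response(query, response, zone):
    """Return (accepted, notes, cacheable_rrs).

    ID, port and question must all match the outstanding query (the
    spoofing defenses the slides describe). The bailiwick filter is a
    standard resolver defense against name chaining: RRs for names outside
    the queried zone are never cached, even when the reply is accepted."""
    notes = []
    if response["id"] != query["id"]:
        notes.append("message ID mismatch")
    if response["port"] != query["port"]:
        notes.append("destination port mismatch")
    question = (response["qname"].lower().rstrip("."), response["qtype"])
    if question != (query["qname"], query["qtype"]):
        notes.append("question section does not match query")
    if notes:
        return False, notes, []          # discard: not a reply to our query
    cacheable = []
    for rr in response["answer"] + response["additional"]:
        if in_bailiwick(rr[0], zone):
            cacheable.append(rr)
        else:
            notes.append("dropped out-of-bailiwick RR for " + rr[0])
    return True, notes, cacheable

# Constructed sample: a correct-looking answer for www.ins.com that also
# carries an "additional" RR for a name of the attacker's choosing.
QUERY = new_query("www.ins.com", "A", random.Random(7))
RESPONSE = {"id": QUERY["id"], "port": QUERY["port"], "qname": "www.ins.com",
            "qtype": "A", "answer": [("www.ins.com", "A", "198.134.150.150")],
            "additional": [("www.bank.example", "A", "168.77.23.15")]}
```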

DNS Buffer Overflow

- “Smashing the Stack”
- Can result in attacker gaining root user access to the name server
- Attacker can obtain zone information from the master server to identify hosts and IP addresses for subsequent attack
- Attacker can also modify resource records to hijack certain applications or resources
- Attacker can also, as a root user, access and modify other applications on that server


Client Resolver Configuration Attack

- Attacker modifies the DNS server IP addresses configured on the client and/or hosts.txt file
  - Web plug-in
  - DHCP or PPP configuration
- Client issues DNS queries to the attacker’s DNS servers
- Attack can arise in the form of trojan horse web download

Control Channel Access

- Attacker utilizes ndc or rndc commands to stop or start the name server, reload a zone and other critical functions


Vulnerability Summary

- DNS Server Integrity
  - Buffer overflows
  - OS vulnerabilities
- DNS Service Availability
  - Name server deployment
  - Denial of Service
- DNS Information Integrity
  - Footprinting or viewing zone data
  - Man in the middle, spoofing, cache poisoning, name chaining
  - Client resolver attack
- DNS Communications Integrity
  - Communications interception, disruption, and unauthorized updates
  - Control channel access


Securing DNS Server Integrity

- Run DNS on dedicated hardware
  - If attacker gains access, limits exposure to other apps
  - Appliance or general purpose hardware
- Run latest version of DNS software
  - Reduce buffer overflow and other vulnerabilities
- Jailed environment – chroot (Unix/Linux)
  - If attacker gains access, limits root and file system access
  - named -u user -g group -t chroot_directory
  - chroot_subdirectory below file system root
- Hardened OS and/or OS platform diversity
  - Run only necessary OS services
  - Restrict open TCP/UDP ports
  - Limit users and permissions as much as possible


Securing DNS Service Availability

- Deploy multiple authoritative servers for high availability
- Deploy servers on multiple networks and/or ISPs
- Deploy external name space on external servers separate from internal servers
  - Minimize open ports on external servers in particular
  - Minimize open ports on internal gateway between internal and external name servers
  - Deploy appropriate ACLs and security options on all servers
  - If multiple servers are not possible, implement BIND 9 views
- Consider running internal roots
  - Internal servers’ hints file modification


Securing DNS Information Integrity

- Maintain currency of DNS server releases
- Configure logging on each server and monitor for exceptions
- Lock down controls on access to DNS information
  - Implement ACLs for query, transfer, update, notify
- “Hide” your master DNS servers
- Keep up to latest releases of OS/IP stack (resolver) to minimize resolver vulnerabilities


Securing DNS Communications Integrity

- Restrict zone transfers and updates via ACLs
  - allow-transfer, allow-update, allow-notify
- Digitally sign transfers and updates
  - TSIG, GSS-TSIG
- Disallow recursive queries on “delegation point” servers
  - Resolvers should not “point” to these servers
- Separate network for zone transfers and control channels
- Secure the management interface to the server
  - Control channel access control
    - controls statement
  - User definable port
  - Data encryption


DNS Communications Integrity: Example TSIG Configuration

1. Create pairwise key
2. Deploy the key to each server
3. Inform the servers of the key
4. Instruct the servers to apply the key
5. Apply on ACLs as well
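What steps 1 to 4 achieve on the wire, as an added example that is not part of the slides or of BIND: a minimal RFC 2845 TSIG signer and verifier. Step 1 is the random shared secret, and step 4 is each server computing an HMAC over the message plus the TSIG variables and the peer checking it inside the time window. The key name, secret, zone name and the sample AXFR request are constructed for this example.

```python
import base64, hmac, hashlib, os, struct

# Added example (not BIND's code): RFC 2845 TSIG MAC computation and
# verification on a constructed zone transfer request. Key name, secret
# and zone are made up for this example.

ALGORITHM = "hmac-md5.sig-alg.reg.int"   # the TSIG algorithm BIND 9 used in 2005

def wire_name(name):
    """Encode a domain name in DNS wire format (lowercased, uncompressed)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def create_pairwise_key(bits=128):
    """Step 1: a random shared secret, base64 as it appears in named.conf."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")

def build_axfr_query(zone, msg_id):
    """A constructed zone transfer request: header + one question (AXFR, IN)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0000, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)

def tsig_mac(message, key_name, secret, time_signed, fudge=300, error=0, other=b""):
    """HMAC over the unsigned message followed by the TSIG variables
    (RFC 2845 section 3.4): what each server computes in step 4."""
    data = message
    data += wire_name(key_name) + struct.pack("!HI", 255, 0)   # class ANY, TTL 0
    data += wire_name(ALGORITHM)
    data += time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, error)
    data += struct.pack("!H", len(other)) + other
    return hmac.new(base64.b64decode(secret), data, hashlib.md5).digest()

def verify_tsig(message, key_name, secret, mac, time_signed, now, fudge=300):
    """Receiver side: reject outside the time window (BADTIME), then
    recompute the MAC in constant time (BADSIG on mismatch)."""
    if abs(now - time_signed) > fudge:
        return False
    expected = tsig_mac(message, key_name, secret, time_signed, fudge)
    return hmac.compare_digest(expected, mac)

# Constructed sample key shared by the master and the secondary (step 2)
KEY_NAME = "master-slave.ins.com."
SECRET = "hc2vQHb9Zc6UGdtU2bG1Ow=="   # 128-bit constructed test secret
```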


Summary of Major DNS Options Impacting Security

- ACLs
  - acl "aclname" { addresses };
  - allow-transfer
  - allow-recursion
  - allow-notify
  - allow-query
  - allow-update
  - blackhole
- DNS views – multiple servers on one server
  - view "viewname" { options and zone blocks };
- IP address/port specifications
  - query-source address addr port port; (recursive query source)
  - notify-source IP-addr [port port];
  - listen-on { IP-addr port port; ... ; };
  - use-id-pool yes; (randomize query message IDs – standard for BIND 9)


Summary of Major DNS Options Impacting Security (continued)

- Logging
  - logging { channel channel-name channel-specs; };
  - category name { channel-name; ... ; };
- Control channel access
  - controls { inet * allow { ACL; } keys { "rndc-key"; }; };
  - rndc.conf
- Miscellaneous
  - recursion no;
  - version "faux version text";
  - pidfile "pathname to named.pid";
  - directory "pathname to zone data files";
  - fetch-glue no; (standard on BIND 9: no)


What About DNSSEC?

- Services provided
  - Provides integrity and origin authentication to resolvers via digital signatures
  - Authenticated public key process for accessing signed zones
  - Security of DNS data (not communications)
- New resource record types
  - RRSIG – stores the zone’s digital signature(s)
  - DNSKEY – stores the zone’s public key
  - DS – stores the public key(s) used in the process of determining a delegated zone’s key(s)
  - NSEC – canonically links existing names in a zone to enable a security-aware resolver to authenticate a negative reply for name or type non-existence


DNSSEC Pros and Cons

- Pros
  - End-to-end integrity checks
  - Better protects resolver
  - Provides protection of DNS information integrity
    - Origin authentication
    - Information integrity protection
- Cons
  - Not widely implemented or deployed as yet
    - Intervening non-security-aware devices such as NATs, DNS proxies or recursive name servers may invalidate security
  - Resolver performance
  - Key rollover


Microsoft Recommendations for DNS Security

- Deploy external name space on external servers separate from internal servers
- Deploy servers on multiple networks and/or ISPs
- Encrypt zone replication traffic
- Configure firewalls to enforce packet filtering for UDP and TCP port 53
- Restrict which DNS servers are allowed to initiate a zone transfer for each zone
- Prevent unauthorized access to your servers
  - Allow only secure dynamic update for your zones
  - Limit the list of DNS servers that are allowed to obtain a zone transfer
- Monitor the DNS logs
- Implement Active Directory™ for internal servers
  - Integrated zones with secure dynamic update


INS IPControl Software: Simplifying DNS Security Configuration

- Graphical web interface
- DNS option dictionaries
- Address match lists facilitate ACL creation
- Auto TSIG key generation
- Pairwise server TSIG assignment
- Simple internal root server designation and hints file customization
- Easy definition of logging channels and association with categories
- Auto rndc.conf creation
- Much more… Contact us at [email protected] or +1-800-390-6295


Resources

- White Papers: http://www.ins.com/knowledge/whitepapers.asp
  - Best Practices for Next Generation IP Address Management
  - INS IPControl™ Return on Investment Analysis
- NetKnowledge Webinars: http://www.ins.com/knowledge/webseminar_archives.asp
  - IP Management Best Practices – Facing the New Reality
- Websites
  - ISC BIND Site – www.isc.org/sw/bind
  - CERT® – www.cert.org (advisories) or www.us-cert.gov
  - DNSSEC – www.dnssec.net
  - Microsoft DNS Resources – www.microsoft.com/windowsserversystem/default.mspx
- IETF Working Groups
  - DNS Extensions – www.ietf.org/html.charters/dnsext-charter.html
  - DNS Operations – www.ietf.org/html.charters/dnsop-charter.html


Question and Answer

- Tell us what you think about this webinar: http://www.ins.com/knowledge/surveys/feedback.asp
- Upcoming webinars
  - Understanding End-to-End Performance to Optimize Business Solutions, Feb. 16th
  - Adaptable IP Inventory, Feb. 24th
- For more information
  - Call 1-888-767-2988 in the U.S., 44 (0) 1628 503000 in Europe, or 1-408-330-2700 worldwide


Glossary

- ACL – Access Control List
- BIND – Berkeley Internet Name Domain
- DMZ – Demilitarized Zone
- DNS – Domain Name System
- DNSSEC – DNS Security Extensions
- GSS-TSIG – Generic Security Specification – Transaction Signature
- NAT – Network Address Translation
- NDC – Name Daemon Controller
- PPP – Point-to-Point Protocol
- RNDC – Remote Name Daemon Controller
- RDATA – Record Data field within each resource record
- RR – Resource Record
- TCP – Transmission Control Protocol
- TSIG – Transaction Signature
- UDP – User Datagram Protocol
