DNS Workshop
Mirror - Mirror -- Resources on DNS reflection attacks
NCSC 2013 conference Presentation
Presentation link is a compressed (gzip) PDF. You might need to rename the downloaded file to "presentation.pdf.gz" to be able to uncompress it!
RFC and BCP
- BCP 38 - "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing"
- BCP 140 - "Preventing Use of Recursive Nameservers in Reflector Attacks"
DNS Monitoring
DNS reflection and amplification attacks
- John Kristoff - Open Resolvers and the Threat of Reflection Attacks (PDF)
- Joe Abley - DNS Reflection Attacks (PDF)
Open Resolvers
- OpenDNS Resolver Project
- DNS survey: open resolvers
- The Million Plus Open Resolver Challenge
- Animation showing an amplification attack (Team Cymru; Quicktime)
- CIO Magazine: Open DNS Resolvers Increasingly Abused to Amplify DDoS Attacks, Report Says
Minimal Responses
- 7 Jan 2013 What switching on "minimal responses" in BIND does to your average response size
- Decreasing your DNS footprint by 102 bytes
- BIND 9 Administration Manual
RateLimit
- Tony Finch - Rate limiting DNS
- BIND 9 patches by Paul Vixie and Vernon Schryver
- BIND 9 binaries for MacOS X, Debian, RedHat, Solaris with RRL patches applied (look for RRL in the filename)
- DNS Dampening by Lutz Donnerhacke
- DNS Response Rate Limit in NSD
- RRL in the Knot DNS Server (CZ.NIC Labs)
- BIND 10 RRL checkin information
DNS DDoS
Posted at 04:12PM Jan 23, 2013 by Carsten in Conferences | Comments[0]
DNSSEC with PowerShell and dnscmd (on Windows 2012)
Windows 2012 can sign zones with DNSSEC using the GUI management tools. That works fine for a handful of zones, but what about automation, for example signing hundreds of zones? Windows 2012 could be used as a "hidden master" DNSSEC signing engine that provides DNSSEC-signed zones to Unix-based front-end servers while automating the key rollovers and the continuous re-signing of the zones to refresh the record signatures. In that scenario, automation matters.
dnscmd
One automation option is the dnscmd tool. However, dnscmd is deprecated and might be removed from future versions of Windows. The more modern way is to use PowerShell (see below).
Usage: DnsCmd <ServerName> /ZoneAddSKD <ZoneName> /Alg <KeyAlg> [/Length <KeyLength>]
[/KSP <KeyStorageProviderName>] [/Flags <KeyFlags>] [/StoreKeysInAD]
[/DoNotStoreKeysInAD] [/InitialRolloverOffset <Seconds>]
[/DNSKEYSignatureValidityPeriod <Seconds>] [/DSSignatureValidityPeriod <Seconds>]
[/StandardSignatureValidityPeriod <Seconds>] [/RolloverPeriod <Seconds>]
<KeyStorageProviderName> -- "Microsoft Software Key Storage Provider" or
other KSP installed on this system
<KeyAlg> -- the key algorithm mnemonic string. Currently only
"RSASHA1", "NSEC3RSASHA1", "RSASHA256", "RSASHA512",
"ECDSAP256SHA256" and "ECDSAP384SHA384" are supported.
<KeyLength> -- length of the key in bits. For RSA algorithms the value
can range from 1024 bits in 64 bit increments up to 4096
bits. Key size is ignored for other algorithms.
<KeyFlags> -- bits to be set to 1 in DNSKEY flags field. If
is "KSK", the Secure Entry Point bit will be set to 1
to indicate that this key is a Key Signing Key. If no
/Flags is given, the key is considered to be a Zone
Signing Key.
/StoreKeysInAD -- if specified, keys will be stored on the zone object in
Active Directory and will replicate to other DNS servers
/DoNotStoreKeysInAD -- if specified, keys will be stored in a self-signed
certificate in the local machine certificate store and
will not replicate to other DNS servers
In future versions of Windows, Microsoft might remove dnscmd.exe
The dnscmd subcommand ZoneAddSKD creates a new DNSSEC key and assigns it to a zone. Without a key assigned, dnscmd will refuse to sign the zone. Be careful not to assign more keys to a zone than needed: every call to ZoneAddSKD adds another key. Usually we want one Key Signing Key (KSK) and one Zone Signing Key (ZSK):
creating the KSK
PS C:\Users\Administrator> dnscmd server1 /ZoneAddSkd dnscmd.example.com /Alg RSASHA256 /Length 2048 /Flags KSK
Command returned the following Signing Key Descriptor:
SKD GUID {EDADBF50-A733-4C67-A95E-8145C77BE0A1}
key storage provider = Microsoft Software Key Storage Provider
store keys in AD = 0
KSK flag = 1
signing algorithm = RSASHA256
key size = 2048
initial rollover offset = 0
DNSKEY signature validity period = 604800
DS signature validity period = 604800
standard signature validity period = 864000
rollover period = 65232000
next rollover action = Normal
Command completed successfully
creating the ZSK
PS C:\Users\Administrator> dnscmd server1 /ZoneAddSkd dnscmd.example.com /Alg RSASHA256 /Length 1024
Command returned the following Signing Key Descriptor:
SKD GUID {47D410EE-35A4-483C-9B3B-1FB763F5AAB5}
key storage provider = Microsoft Software Key Storage Provider
store keys in AD = 0
KSK flag = 0
signing algorithm = RSASHA256
key size = 1024
initial rollover offset = 0
DNSKEY signature validity period = 604800
DS signature validity period = 604800
standard signature validity period = 864000
rollover period = 7776000
next rollover action = Normal
Command completed successfully.
To be precise, the commands above do not directly create the keys, instead they create a "Signing Key Descriptor (SKD)", which is a kind of policy that describes how DNSSEC keys are generated for this zone. The Windows 2012 DNS server then creates new keys based on the descriptors whenever needed (for example during a key rollover).
Now we can use dnscmd subcommand "ZoneSign" to sign the zone. The parameters for "ZoneSign" are:
Usage: DnsCmd /ZoneSign <ZoneName>
Generates keys and adds DNSSEC records to the zone using the zone signing parameters and Signing Key Descriptors (SKDs) currently set on this zone.
In future versions of Windows, Microsoft might remove dnscmd.exe.
The only required parameter is the name of the zone to sign. This zone must already have DNSSEC keys attached:
PS C:\Users\Administrator> dnscmd server1 /ZoneSign dnscmd.example.com
Command completed successfully.
PowerShell
With PowerShell, we use the command Add-DnsServerSigningKey to create and add the DNSSEC Signing Key Descriptors to a DNS zone:
SYNTAX: Add-DnsServerSigningKey [-ZoneName] <string>
[[-Type] <string> {KeySigningKey | ZoneSigningKey}]
[[-CryptoAlgorithm] <string> {RsaSha1 | RsaSha256 | RsaSha512 | RsaSha1NSec3 | ECDsaP256Sha256 | ECDsaP384Sha384}]
[[-KeyLength] <uint32>]
[-ComputerName <string>]
[-InitialRolloverOffset <timespan>]
[-DnsKeySignatureValidityPeriod <timespan>]
[-DSSignatureValidityPeriod <timespan>]
[-ZoneSignatureValidityPeriod <timespan>]
[-RolloverPeriod <timespan>]
[-ActiveKey <string>]
[-StandbyKey <string>]
[-NextKey <string>]
[-KeyStorageProvider <string>]
[-StoreKeysInAD <bool>]
[-PassThru]
[-CimSession <CimSession[]>]
[-ThrottleLimit <int>]
[-AsJob]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Again, we create one for the KSK and one for the ZSK:
creating the KSK
PS C:\Users\Administrator> Add-DnsServerSigningKey powershell.example.com -Type KeySigningKey -CryptoAlgorithm RsaSha256 -KeyLength 2048
creating the ZSK
PS C:\Users\Administrator> Add-DnsServerSigningKey powershell.example.com -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024
The last step is to sign the zone, where we use Invoke-DnsServerZoneSign.
SYNTAX: Invoke-DnsServerZoneSign [-ZoneName] <string>
[-SignWithDefault]
[-DoResign]
[-ComputerName <string>]
[-Force]
[-PassThru]
[-CimSession <CimSession[]>]
[-ThrottleLimit <int>]
[-AsJob]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
PS C:\Users\Administrator> Invoke-DnsServerZoneSign powershell.example.com

Confirm
This will initiate online signing of the zone powershell.example.com on server SERVER1.
Do you want to continue?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): y
Happy automated zone signing!
Posted at 07:30PM Nov 04, 2012 by Carsten in Servers | Comments[0]
Who is asking for 0.0.0.0.in-addr.arpa.?
This morning I experienced a steep increase in NXDOMAIN responses in my home network, just about the time that I started to install Windows 2012 for some DNS experiments. There were around 15 queries per minute from one source for a non-existing domain.
A closer look revealed that the NXDOMAIN responses were caused by queries for "0.0.0.0.in-addr.arpa.". This looked like misbehaving software.
However, the originating IPv4 address that I could see sending the queries was none of my "well known" client or server systems.
It turned out to be the remote management card (iDRAC) inside the Dell r200 server I'm installing Windows 2012 on (IPv4 address 192.168.1.169 is the iDRAC card, 192.168.1.2 my BIND 9 resolving DNS). Luckily, because I'm running a recent version of BIND 9, these queries were stopped by the "automatic empty zones" feature in the recursive DNS server and not sent out to the Internet.
The automatic empty zones are defined in RFC 6303 - "Locally Served DNS Zones" and can be controlled using the "empty-zones-enable" statement in named.conf. If you have Dell servers with iDRAC cards that show the same behaviour as mine, and you use BIND 9.5.0+ with automatic empty zones, you are fine. Look at your BIND recursive server's startup messages. If you see a list similar to the one shown below, all is fine:
BIND "empty zones" startup messages
31-Oct-2012 12:39:26.753 automatic empty zone: 10.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 16.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 17.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 18.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 19.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 20.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 21.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 22.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 23.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 24.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 25.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 26.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 27.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 28.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 29.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 30.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 31.172.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 168.192.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 0.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 127.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 254.169.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 2.0.192.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 100.51.198.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 113.0.203.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
31-Oct-2012 12:39:26.753 automatic empty zone: D.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 8.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 9.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: A.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: B.E.F.IP6.ARPA
31-Oct-2012 12:39:26.754 automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
If you do not see these messages, your BIND version might be quite old; consider upgrading. If you are using a different DNS server product, it is good practice to define empty DNS zones for the address blocks listed in RFC 6303. These zones contain only one SOA and one NS record (see below); they are "empty", and their only purpose is to stop queries for internal addresses from leaking out of your internal networks to the Internet, by serving the NXDOMAIN response locally.
Example "empty" zone-file
@ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800
@ 10800 IN NS @
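As an added example (not part of the original post), here is a small Python script that works with the RFC 6303 zone list printed by BIND above: it tells you whether a given reverse query (such as the iDRAC's 0.0.0.0.in-addr.arpa.) would be answered locally by one of the empty zones or would travel to the Internet, and it generates the zone statements for a server that does not create the empty zones itself. The function names and the zone file path /var/named/empty.db are my assumptions; the zone statements are in BIND syntax and serve as a template for other products.

```python
"""Locally served reverse zones (RFC 6303): check which reverse queries a
resolver with the empty zones answers itself, and generate zone statements
for a server that does not create them automatically."""
import ipaddress

# The empty zones from the BIND 9 startup messages (RFC 6303 section 4),
# lower-cased. The two 32-nibble IPv6 names are derived from the addresses
# so they are not typed by hand.
EMPTY_ZONES = [
    "10.in-addr.arpa",
    *("%d.172.in-addr.arpa" % n for n in range(16, 32)),
    "168.192.in-addr.arpa", "0.in-addr.arpa", "127.in-addr.arpa",
    "254.169.in-addr.arpa", "2.0.192.in-addr.arpa", "100.51.198.in-addr.arpa",
    "113.0.203.in-addr.arpa", "255.255.255.255.in-addr.arpa",
    ipaddress.ip_address("::").reverse_pointer,   # unspecified address
    ipaddress.ip_address("::1").reverse_pointer,  # IPv6 loopback
    "d.f.ip6.arpa",                                # fc00::/7 unique local addresses
    "8.e.f.ip6.arpa", "9.e.f.ip6.arpa", "a.e.f.ip6.arpa", "b.e.f.ip6.arpa",  # fe80::/10 link-local
    "8.b.d.0.1.0.0.2.ip6.arpa",                    # 2001:db8::/32 documentation prefix
]

# Content of the one zone file all empty zones share (the "empty" zone file above).
EMPTY_ZONE_FILE = (
    "@ 10800 IN SOA @ nobody.invalid. 1 3600 1200 604800 10800\n"
    "@ 10800 IN NS @\n"
)


def reverse_name(address):
    """Reverse-mapping query name for an IPv4 or IPv6 address, with trailing dot."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def serving_empty_zone(qname):
    """Return the empty zone that covers qname, or None when nothing local is
    authoritative for it and the query would be sent towards the Internet."""
    name = qname.rstrip(".").lower()
    for zone in EMPTY_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def zone_statements(zone_file="/var/named/empty.db"):
    """named.conf 'zone' statements for every RFC 6303 zone, all pointing at
    one shared zone file (assumed path). BIND 9.5.0+ creates these zones by
    itself; older versions and other servers need them spelled out."""
    return "".join(
        'zone "%s" { type master; file "%s"; };\n' % (zone, zone_file)
        for zone in EMPTY_ZONES
    )


def classify_queries(qnames):
    """Split reverse query names into those answered locally (NXDOMAIN from
    an empty zone) and those that would leak out of the network."""
    local, leaking = [], []
    for qname in qnames:
        (local if serving_empty_zone(qname) else leaking).append(qname)
    return local, leaking


if __name__ == "__main__":
    # Constructed sample: the iDRAC query from the post plus three other lookups.
    sample = ["0.0.0.0.in-addr.arpa.", reverse_name("192.168.1.169"),
              reverse_name("fe80::1"), reverse_name("8.8.8.8")]
    local, leaking = classify_queries(sample)
    print("answered locally:", local)
    print("sent to the Internet:", leaking)
    print(zone_statements())
```

Feed it the query names from your resolver's query log to see which reverse lookups leave the network; anything in the "leaking" list that refers to a private range means the matching empty zone is missing on that resolver.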
Posted at 02:06PM Oct 31, 2012 by Carsten in Protocol | Comments[0]
DNSSEC signing a zone with Windows Server 2012
Windows 2012 Server was released on 4th of September 2012. Time to have a closer look at the DNSSEC signing capabilities (information about DNSSEC validation on Windows 2012 can be found in the article "DNSSEC validation in Microsoft DNS Server 2012").
For the DNSSEC zone signing walk-through a newly installed Windows 2012 "Standard" Server was used. Only the DNS role was installed in addition to the default components, no Active Directory. This article covers the creation of a static DNS zone for the Internet. I do not cover the creation of internal dynamic zones that are updated from clients or a DHCP server.
Posted at 07:31PM Sep 11, 2012 by Carsten in Servers | Comments[0]
Lesser known DNS tools and BIND tricks
A talk at the German Unix User Group (GUUG) meeting on 2nd August 2012 in Berlin. The name of the talk is "Lesser known DNS tools and BIND tricks".
The slides
Direct Link: Lesser known DNS tools and BIND tricks
PDF Version Lesser known DNS tools and BIND tricks
Tools mentioned in the talk
| command | package / project | webpage | description |
|---|---|---|---|
| dnsget | udns | http://www.corpit.ru/mjt/udns.html | simple dns lookup tool |
| dig | bind9 | http://isc.org | generic dns lookup tool |
| dnsmap | dnsmap | http://code.google.com/p/dnsmap/ | brute force dns zone mapper |
| adnshost | adns | http://www.chiark.greenend.org.uk/~ian/adns/ | fast, asynchronous dns lookup tool |
| adnsresfilter | adns | http://www.chiark.greenend.org.uk/~ian/adns/ | dns IP to name resolution as a filter |
| avahi-browse | avahi | http://avahi.org | browse multicast DNS services |
| mdns-scan | mdns-scan | http://0pointer.de/lennart/projects/mdns-scan/ | browse multicast DNS service |
| ldns-mx | ldns | http://www.nlnetlabs.nl/projects/ldns/ | lookup mail server for a domain |
| dnstree | dnsbrowse | http://www.isi.edu/~johnh/SOFTWARE/DNS/ | terse display of a zone |
| lookup | dnssec-tools | http://www.dnssec-tools.org/ | graphical DNS and DNSSEC lookup tool |
| ldns-chaos | ldns | http://www.nlnetlabs.nl/projects/ldns/ | find version of DNS server |
| fpdns | fpdns | https://github.com/kirei/fpdns | fingerprint DNS server version |
| echoping | echoping | http://echoping.sourceforge.net/ | measure DNS server latency |
| dnstop | dnstop | http://dns.measurement-factory.com/tools/dnstop/ | monitor local DNS traffic |
| dnscap | dnscap | https://www.dns-oarc.net/tools/dnscap/ | capture DNS traffic |
| dnspktflow | dnssec-tools | http://www.dnssec-tools.org/ | visualize DNS traffic in a network |
| dnstracer | dnstracer | http://www.mavetju.org/unix/dnstracer.php/ | displays the DNS delegation tree |
| dnswalk | dnswalk | http://sourceforge.net/projects/dnswalk/ | validate a DNS zone |
| zonecheck | zonecheck | http://zonecheck.fr | DNS zone debugger |
| mapper | dnssec-tools | http://www.dnssec-tools.org/ | graphically display the content of a zone file |
| DNSSEC-check | dnssec-tools | http://www.dnssec-tools.org/ | test DNSSEC caching resolver capabilities |
| sshfp | sshfp | http://www.xelerance.com/services/software/sshfp/ | generate SSHFP records from knownhosts |
| ldns-walk | ldns | http://www.nlnetlabs.nl/projects/ldns/ | "walks" a NSEC signed zone |
| walker | walker | http://josefsson.org/walker/ | "walks" a NSEC signed zone |
| drill | ldns | http://www.nlnetlabs.nl/projects/ldns/ | clone of 'dig' with extra functions |
| unbound-host | unbound | http://unbound.net | the ultimate DNS/DNSSEC troubleshooting tool |
| donuts | dnssec-tools | http://www.dnssec-tools.org/ | validates a DNSSEC signed zone |
| ldns-verify | ldns | http://www.nlnetlabs.nl/projects/ldns/ | validates a DNSSEC signed zone |
| named-checkconf | bind9 | http://isc.org | verifies a BIND 9 configuration file and zones |
| named-checkzone | bind9 | http://isc.org | verifies a DNS master zone file |
| named-compilezone | bind9 | http://isc.org | converts a zone file between text and binary format |
| named-journalprint | bind9 | http://isc.org | prints the content of a BIND 9 journal file |
| nsupdate | bind9 | http://isc.org | sends DNS dynamic updates to a DNS server |
Posted at 10:13PM Jul 19, 2012 by Carsten in Conferences | Comments[3]
DNS Name Resolution Design for proper DNSSEC validation
Many networks have a DNS name resolution design that uses a hybrid DNS server. A hybrid DNS server is a DNS server that combines both functions that a DNS server can operate in into one process: the authoritative function (hosting zones) and the resolving/caching function (looking up names in DNS on behalf of DNS clients).
Both BIND and Microsoft Windows DNS Server can operate in hybrid mode. Other (some would say "more modern") DNS servers such as Unbound (resolving only) and NSD (authoritative only) separate these functions.
While running a hybrid DNS server was fine in the world before DNSSEC, the deployment of DNSSEC requires a closer look at these "legacy" DNS designs.
Authoritative DNS servers, when queried for a name they are authoritative for, set the AA flag (Authoritative Answer) in the answer.
Resolving DNS servers that perform DNSSEC validation set the AD flag (Authenticated Data) if the DNS data received validates. The AA flag and the AD flag are mutually exclusive: only one of them can be set in a DNS answer. The reason is that it would be extra work, but no added security, if an authoritative DNS server validated its own data. After all, if the server has been compromised, it cannot trust its own data, and the false data cannot be detected from within the authoritative DNS server. Only a DNS server external to the authoritative server can validate DNSSEC-signed zone data.
For proper DNSSEC name resolution (AD flag set on all answers from DNSSEC-secured zones), all queries must go through a resolving DNS server that is separate from the DNS server hosting the zones.
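As an added example (not part of the original post), the following Python code decodes the AA and AD flags from the 12-byte DNS header and classifies where an answer came from; it also spots clients that get answers without the AD flag for names in signed zones, which is the symptom of the hybrid design described above. The sample responses are constructed with the included builder, not captured from a real server, and the function names are my own.

```python
"""Inspect the AA and AD flags in DNS response headers (RFC 1035 section
4.1.1 header layout; AD bit from RFC 4035 section 3.2.3)."""
import struct

# Bit positions inside the 16-bit flags word of the DNS header.
FLAG_BITS = {"QR": 15, "AA": 10, "TC": 9, "RD": 8, "RA": 7, "AD": 5, "CD": 4}


def parse_header(message):
    """Decode the 12-byte header of a DNS message into a dict."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", message[:12])
    fields = {name: bool((flags >> bit) & 1) for name, bit in FLAG_BITS.items()}
    fields.update(id=ident, opcode=(flags >> 11) & 0xF, rcode=flags & 0xF,
                  qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return fields


def build_response_header(ident, aa=False, ad=False, rd=True, ra=True, rcode=0):
    """Build a response header (QR=1) with the given flags; used here only
    to construct sample messages."""
    flags = ((1 << 15) | (int(aa) << 10) | (int(rd) << 8) | (int(ra) << 7)
             | (int(ad) << 5) | (rcode & 0xF))
    return struct.pack("!6H", ident, flags, 1, 1, 0, 0)


def classify_response(message):
    """Say what kind of server answered, judged from AA and AD alone."""
    header = parse_header(message)
    if not header["QR"]:
        return "not a response"
    if header["AA"] and header["AD"]:
        return "unexpected: AA and AD both set"
    if header["AA"]:
        return "authoritative answer, no DNSSEC validation performed"
    if header["AD"]:
        return "validated answer from a DNSSEC-validating resolver"
    return "recursive answer without DNSSEC validation"


def validation_gaps(responses, signed_names):
    """Given (qname, message) pairs and the set of names known to live in
    DNSSEC-signed zones, return the names that came back without AD: these
    reveal clients that reach an authoritative or hybrid server directly
    instead of going through a separate validating resolver."""
    gaps = []
    for qname, message in responses:
        if qname in signed_names and not parse_header(message)["AD"]:
            gaps.append((qname, classify_response(message)))
    return gaps


# Constructed sample: the same question answered by three different servers.
SAMPLE_RESPONSES = [
    ("www.example.com.", build_response_header(0x1001, aa=True)),  # authoritative server
    ("www.example.com.", build_response_header(0x1002, ad=True)),  # validating resolver
    ("www.example.com.", build_response_header(0x1003)),           # plain cache, no validation
]

if __name__ == "__main__":
    for qname, msg in SAMPLE_RESPONSES:
        print(qname, "->", classify_response(msg))
    print("answers lacking AD for signed names:",
          validation_gaps(SAMPLE_RESPONSES, {"www.example.com."}))
```

With real traffic, feed `parse_header` the first 12 bytes of each UDP payload on port 53 from a capture; a resolver that is supposed to validate but hands out AA answers for its own zones is exactly the hybrid case the post warns about.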
Posted at 03:51PM Jun 30, 2012 by Carsten in Protocol | Comments[4]
DNSSEC validation in Microsoft DNS Server 2012
The DNS Server in Windows 2012 now supports all bits and pieces necessary to validate DNSSEC signatures and keys in the Internet (including SHA256 and NSEC3). Here is a small tutorial on how to import the trust anchor for the Internet root zone into the Windows 2012 DNS Server to enable DNSSEC validation.
Posted at 08:54PM Jun 23, 2012 by Carsten in Servers | Comments[3]
Supervising BIND 9
BIND 9 is a mature piece of software. Compared with its predecessors BIND 4 and BIND 8, it is more stable and has fewer security problems. One reason for this is the "design by contract" programming style used by the BIND 9 team. BIND 9 is very paranoid about the data it consumes and about its internal data structures. Once BIND 9 finds an unexpected state in its internal data structures, it terminates the DNS server process instead of continuing to run with wrong data (and risking a security vulnerability).
While this behavior is good for security, it is very bad for service uptime. The DNS server process terminates, and with it the DNS service. Users (customers) do not care so much about security if they cannot reach Facebook. BIND 9 had several incidents in the past years where it terminated because of issues inside the code or data structures, like "BIND 9 Resolver crashes after logging an error in query.c".
BIND 10 is aiming to solve this, as project lead Shane Kerr writes in "Software Robustness and BIND 10". But until BIND 10 arrives, a work-around is needed for BIND 9.
The real issue for the DNS service is not BIND 9 terminating on bad data, but that BIND 9 is not restarted after the fact. There is no "supervisor" process in BIND 9.
Some operating systems have a built-in solution: MacOS X has launchd, and the BIND 9 version Apple delivers with the OS is automatically restarted should it terminate unexpectedly. Solaris has SMF (Service Management Facility), and BIND 9 can be integrated into SMF. Ubuntu Linux now has upstart, and Fedora systemd, which can also monitor processes and restart them if needed.
For Unix and Linux operating systems that do not ship with a process supervisor, supervisord is a nice and easy-to-set-up solution. Supervisord comes as a package with many Linux distributions, and it also works on the BSD Unixes. The configuration below is for OpenBSD, but should require only minor tweaks to run on other Unix systems as well.
Installation
Supervisord is written in Python (2.4 - 2.7) and can be installed from source (where we have to download and install all dependencies) or with the help of setuptools, which takes care of downloading and installing all dependencies. Below I use setuptools:
bash# sh setuptools-0.6c11-py2.7.egg
bash# easy_install supervisor
A basic configuration file for BIND 9 "named"
Below is my basic /etc/supervisord.conf configuration file for one service, the BIND 9 DNS Server:
[unix_http_server]
file = /tmp/supervisor.sock
chmod = 0777
chown= nobody:nogroup

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl=unix:///tmp/supervisor.sock

[supervisord]
logfile = /var/log/supervisord.log
logfile_maxbytes = 10MB
logfile_backups=10
loglevel = info
pidfile = /var/run/supervisord.pid
identifier = supervisor
directory = /tmp

[program:named]
command=/usr/sbin/named -f
process_name=%(program_name)s
numprocs=1
directory=/var/named
priority=100
autostart=true
autorestart=unexpected
startsecs=5
startretries=3
exitcodes=0,2
stopsignal=TERM
stopwaitsecs=10
redirect_stderr=false
stdout_logfile=/var/log/named_supervisord.log
stdout_logfile_maxbytes=1MB
stdout_logfile_backups=10
stdout_capture_maxbytes=1MB
starting "supervisord"
Once the configuration file is in place, we can start supervisord. Make sure that BIND 9 is not already running, or you will end up with two instances of the BIND 9 server, which is not a good idea. Also make sure that supervisord is started on reboot of the server, either through a start script or by other means. The supervisord packages coming with Linux distributions install a start script.
bash# supervisord
bash# tail /var/log/supervisord.log
2012-06-16 16:59:48,812 INFO Increased RLIMIT_NOFILE limit to 1024
2012-06-16 16:59:48,949 INFO RPC interface 'supervisor' initialized
2012-06-16 16:59:48,953 INFO RPC interface 'supervisor' initialized
2012-06-16 16:59:48,963 INFO daemonizing the supervisord process
2012-06-16 16:59:48,964 INFO set current directory: '/tmp'
2012-06-16 16:59:48,967 INFO supervisord started with pid 14724
2012-06-16 16:59:49,976 INFO spawned: 'named' with pid 16701
2012-06-16 16:59:55,020 INFO success: named entered RUNNING state, process has stayed up for > than 5 seconds (startsecs)
Great, supervisord has started, and it also started the BIND 9 process "named". DNS is working now.
simulating a BIND 9 crash
To simulate a BIND 9 crash, we "kill" the BIND 9 named process:
bash# ps aux | grep named
_syslogd 32633  0.0  0.1   512   648 ??  I     17Apr12    2:28.76 syslogd -a /var/named/dev/log -a /var/empty/dev/log
root     16701  0.0  0.8  5684  6500 ??  I      4:59PM    0:00.50 /usr/sbin/named -f
bash# kill -9 16701
bash# tail supervisord.log
2012-06-16 17:03:29,192 INFO exited: named (terminated by SIGKILL; not expected)
2012-06-16 17:03:30,201 INFO spawned: 'named' with pid 9832
bash#
Works as expected. Supervisord has detected that the BIND 9 process has terminated and has started a new one. DNS is still up and running.
Controlling supervisord
Supervisord can be controlled from the command line using the supervisorctl command. A list of all control commands can be found with "help", and a description of each command with "help <command>":
bash# supervisorctl help
default commands (type help <topic>):
=====================================
add    clear  fg        open  quit    remove  restart   start   stop  update
avail  exit   maintail  pid   reload  reread  shutdown  status  tail  version

bash# supervisorctl help status
status                  Get all process status info.
status <name>           Get status on a single process by name.
status <name> <name>    Get status on multiple named processes.

bash# supervisorctl status
named                            RUNNING    pid 25770, uptime 0:00:12
bash# supervisorctl stop named
named: stopped
bash# supervisorctl start named
named: started
Now, whenever there is an assertion error in the code triggered, BIND 9 will terminate, but supervisord will bring it back from the dead. Your DNS service stays up, and the users and customers happy.
Read the supervisord documentation on how to set up event notifications, so that you get an e-mail in the event that BIND 9 has been restarted. There might be a security vulnerability nonetheless, which you would like to report to bind9-bugs@isc.org.
Of course supervisord can be used to restart other processes as well, including other types of DNS Servers (NSD, Unbound, dnsmasq ...).
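As an added example of the event notification mentioned above (not part of the original post, and not supervisord's own code), here is a small supervisord event listener in Python 3 that implements the listener protocol (it prints READY, reads one event header plus payload, acknowledges with RESULT 2/OK) and raises an alert whenever `named` exits with a code that is not in its configured `exitcodes`, which is what supervisord reports as `expected:0` after an assertion failure. The listener name `named_watch`, the notify target (stderr) and the sample transcript are my assumptions.

```python
#!/usr/bin/env python3
"""supervisord event listener: alert when 'named' exits unexpectedly.

Hook it up with a section like (assumed path and name):
  [eventlistener:named_watch]
  command=/usr/local/sbin/named_watch.py
  events=PROCESS_STATE_EXITED
"""
import io
import sys


def parse_event(header_line, payload):
    """Split the 'key:value key:value' header and payload supervisord sends
    into two dicts."""
    headers = dict(token.split(":", 1) for token in header_line.split())
    body = dict(token.split(":", 1) for token in payload.split())
    return headers, body


def is_unexpected_exit(headers, body, program="named"):
    """True for PROCESS_STATE_EXITED of our program where the exit code was
    not one of the configured 'exitcodes' (supervisord sends expected:0)."""
    return (headers.get("eventname") == "PROCESS_STATE_EXITED"
            and body.get("processname") == program
            and body.get("expected") == "0")


def alert_text(body):
    return ("%s (pid %s) left state %s unexpectedly; supervisord restarts it, "
            "but check its log for an assertion failure worth reporting"
            % (body.get("processname"), body.get("pid"), body.get("from_state")))


def listen(stdin, stdout, notify):
    """Run the listener protocol until supervisord closes the pipe; returns
    the alerts raised so the loop can be tested offline."""
    alerts = []
    while True:
        stdout.write("READY\n")            # tell supervisord we accept an event
        stdout.flush()
        header_line = stdin.readline()
        if not header_line:                # pipe closed: supervisord is gone
            break
        headers = dict(token.split(":", 1) for token in header_line.split())
        payload = stdin.read(int(headers["len"]))
        headers, body = parse_event(header_line, payload)
        if is_unexpected_exit(headers, body):
            text = alert_text(body)
            alerts.append(text)
            notify(text)
        stdout.write("RESULT 2\nOK")       # acknowledge; next event follows
        stdout.flush()
    return alerts


def make_event(eventname, payload, serial=1):
    """Constructed event in supervisord's wire format (header line + payload)."""
    header = ("ver:3.0 server:supervisor serial:%d pool:named_watch poolserial:%d "
              "eventname:%s len:%d\n" % (serial, serial, eventname, len(payload)))
    return header + payload


def replay(transcript):
    """Feed a constructed transcript through listen() and return its alerts."""
    return listen(io.StringIO(transcript), io.StringIO(), lambda text: None)


# Constructed transcript: named killed with SIGKILL (expected:0), the restarted
# process reaching RUNNING, and later a clean stop (expected:1).
SAMPLE_TRANSCRIPT = (
    make_event("PROCESS_STATE_EXITED",
               "processname:named groupname:named from_state:RUNNING expected:0 pid:16701", 1)
    + make_event("PROCESS_STATE_RUNNING",
                 "processname:named groupname:named from_state:STARTING pid:9832", 2)
    + make_event("PROCESS_STATE_EXITED",
                 "processname:named groupname:named from_state:RUNNING expected:1 pid:9832", 3)
)

if __name__ == "__main__":
    # Under supervisord, stdin/stdout carry the protocol; stderr goes to the
    # listener's stderr_logfile. Swap the lambda for an smtplib call for e-mail.
    listen(sys.stdin, sys.stdout, lambda text: sys.stderr.write(text + "\n"))
```

The listener only talks to supervisord over its own stdin and stdout, so it needs no access to the control socket; that is worth keeping in mind, since the `chmod = 0777` on `/tmp/supervisor.sock` in the configuration above lets every local user stop and start named through supervisorctl.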
Posted at 07:53PM Jun 16, 2012 by Carsten in Servers | Comments[0]
Fixing BIND 9.9.0 compilation on OpenBSD
Compiling the new BIND version 9.9.0 can lead to a compilation error on systems that do not have the ENOTSUP constant defined (such as OpenBSD).
stdio.c: In function `isc_stdio_sync':
stdio.c:117: error: `ENOTSUP' undeclared (first use in this function)
stdio.c:117: error: (Each undeclared identifier is reported only once
stdio.c:117: error: for each function it appears in.)
*** Error code 1
Stop in /usr/src/bind-9.9.0/lib/isc/unix.
*** Error code 1
Stop in /usr/src/bind-9.9.0/lib/isc (line 174 of Makefile).
*** Error code 1
Stop in /usr/src/bind-9.9.0/lib (line 103 of Makefile).
*** Error code 1
Stop in /usr/src/bind-9.9.0 (line 107 of Makefile).
ISC has already applied a patch that will be out with the next version(s). For all that want to compile and run BIND 9.9.0 now, below is a patch that works for me:
*** /usr/src/bind-9.9.0/lib/isc/include/isc/stdio.h.orig Wed Feb 29 21:04:43 2012 --- /usr/src/bind-9.9.0/lib/isc/include/isc/stdio.h Wed Feb 29 21:05:34 2012 *************** *** 22,27 **** --- 22,32 ---- /*! \file isc/stdio.h */ + /* OpenBSD doesn't have ENOTSUP, but does have EOPNOTSUPP */ + #if defined (EOPNOTSUPP) && !defined (ENOTSUP) + #define ENOTSUP EOPNOTSUPP + #endif + /*% * These functions are wrappers around the corresponding stdio functions. *
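Review bot: the fallback `#if defined (EOPNOTSUPP) && !defined (ENOTSUP)` added to isc/stdio.h only works if <errno.h> has already been included by the time this header is processed; nothing in the hunk includes it, so if isc/stdio.h is pulled in before errno.h, EOPNOTSUPP is not yet defined, the `#define ENOTSUP EOPNOTSUPP` is silently skipped and stdio.c:117 fails exactly as before. Suggest adding `#include <errno.h>` directly above the conditional (or placing the define in lib/isc/unix/stdio.c next to the use) so the mapping does not depend on include order.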
Posted at 08:32AM Mar 01, 2012 by Carsten in Servers | Comments[0]
Unbound & DNSSEC-Trigger Workshop at Augsburger Linutage
Workshop: secure DNS using Unbound and DNSSEC-Trigger
I will give a free workshop at the Augsburger Linux Infotage on Saturday, 24th March 2012 (http://www.luga.de/Aktionen/LIT-2012/Programm), on installing and using Unbound together with the new DNSSEC-Trigger tool.
Goal of this workshop is to learn about the security issues with plain DNS, how DNSSEC can help and how to deploy Unbound as a local DNSSEC validating DNS resolver to secure the personal mobile computer (laptop, netbook ...).
Please bring your own machine (WiFi required) to workshop room "D", 11:00-13:00, pre-installed with either a flavor of Linux, MacOS X or Windows (Vista or newer; don't pretend to secure an XP machine). We will install Unbound and DNSSEC-Trigger during the workshop and learn some troubleshooting tricks on the way.
Posted at 02:59AM Feb 20, 2012 by Carsten in Conferences | Comments[2]
Give nsupdate a history
The useful nsupdate tool (used to send dynamic updates towards an authoritative DNS server; part of the BIND nameserver distribution, www.isc.org) has neither a command-line history nor automatic command completion.
Luckily, on Unix systems this missing feature can be added to nsupdate using a small tool called rlwrap. rlwrap stands for 'readline wrapper'. Readline is an open source library that implements command history and tab completion, and it is used inside many well-known command-line tools. However, it needs to be linked in at compile time to work in a program by default. If the developer does not link readline, the functions are not part of the program.
However, it is possible to start a command-line tool such as nsupdate under the control of the readline wrapper. In this case, the readline wrapper intercepts the command-line tool's reads from the keyboard and adds the readline functions to it. rlwrap is part of most Unix/Linux distributions and can often be installed using the system's package manager.
In case of nsupdate, we can start nsupdate with
$ rlwrap nsupdate
and voilà, our old dog nsupdate has just learned some new tricks: it now has a command history that can be used with the cursor up and down keys (see the readline man page for a complete list of possible key bindings).
If rlwrap finds a file (named with the name of the commandline tool) containing keywords (space separated) in its search path for completion files (on my system that is /usr/share/rlwrap/completions), it will auto-complete the keywords found in the file when the user presses the tabulator key. Please find attached to this blogpost my completion file for nsupdate.
I do not want to encourage the usage of nslookup (use dig or drill), but rlwrap also works on the old steam engine called nslookup.
Please have a look at the rlwrap manual page. There are some more tricks to rlwrap that are not mentioned in this blog post.
Attachments
- rlwrap completion file for nsupdate (rename to nsupdate-completions.zip after download)
Posted at 09:03AM Jan 11, 2012 by Carsten in Servers | Comments[3]
Take your DNSSEC with a grain of salt
DNSSEC has many useful properties. One is called 'authenticated denial of existence'. This basically means that a DNSSEC-validating DNS server can prove that domain names and resource records do not exist in the DNS.
But how do NSEC and NSEC3 work? And how do you choose good values for the NSEC3 salt and iterations?
Posted at 05:24PM Dec 30, 2011 by Carsten in Protocol | Comments[4]
BIND installer packages for MacOS X 10.4/10.5 PowerPC (ppc)
Apple does not provide updates for older MacOS X versions (such as 10.4 "Tiger") anymore. However, these machines are still good for running a caching or an authoritative DNS server.
MacOS X comes with ISC BIND pre-installed, but without security updates, running an old version of BIND on MacOS X is a risk.
To find out the current version of BIND installed on a machine, open the Terminal.app and enter "named -v":
$ named -v
BIND 9.4.2-P2
Men & Mice is offering installation packages for MacOS X 10.4 containing the latest BIND versions. The installer packages can be downloaded for free from http://support.menandmice.com/download/bind/macosx/10.4-Tiger/.
If you are running a BIND DNS server on MacOS X, please check the version you're running and upgrade if it is outdated. The BIND security matrix lists all known security issues with BIND versions.
Posted at 05:15PM Dec 23, 2011 by Carsten in Servers | Comments[0]
Compiler options for creating secure DNS Server binaries (on Linux)
DNS servers, as processes receiving data from untrusted sources on the network, are vulnerable to attacks that exploit security problems in the DNS server's program code. Specially crafted DNS packets can trigger a software bug in the DNS server's code that executes code contained in the received data, allowing the attacker to change the behavior of the DNS software or even break into the operating system running the server.
Modern Linux systems contain exploit mitigation techniques that make it harder for attackers to successfully launch such an attack. However, most of these functions are not enabled by default, but must be enabled at compile time. This is especially important if the DNS server software is custom compiled and not taken from the Linux distribution vendor. But even the binaries supplied by a Linux distribution might not have all of the exploit mitigation functions enabled.
The folks at NESO Security Labs have published a script that can be used to test existing binaries for the enabled security functions (checksec.sh script).
The screenshot below shows a BIND nameserver binary (named) with only some of the security functions enabled, and an Unbound nameserver binary that has all of the functions enabled:
The functions in detail:
RELRO
RELRO rearranges the data sections inside an ELF (Linux executable file format) executable. It also marks certain areas as 'read-only' so that these data structures cannot be overwritten while the process is running.
Details about RELRO can be found in the blog post RELRO - A (not so well known) Memory Corruption Mitigation Technique.
There are two flavors of RELRO, 'partial' and 'full'. Only 'full RELRO' offers all security measures and is recommended.
Stack canary
A STACK CANARY is a special data structure with a distinct bit pattern that is placed in front of important data on the stack, for example in front of the return address of a subroutine call. A popular attack is to overwrite (using a buffer overflow or a similar problem) the return address of a subroutine call, so that execution is redirected to program code injected by the attacker.
When using a stack canary, the operating system will check whether the bit pattern placed in front of the stack data structure is still intact (and has not been overwritten). Only if this is true will the jump through the return address be taken. The name 'stack canary' comes from the canary birds used in early mining operations, where the birds were used as an indicator that the air underground was becoming foul. See GCC Stack-Smashing Protector (ProPolice) on how the canary is implemented in the GCC compiler suite.
NX bit
NX enabled refers to the NX (non-execute) or XD (execute disable) flag found in modern x86 CPUs (Intel and AMD). The NX flag is used to mark memory areas that only contain data (and no program code) as 'off-limits' for the CPU's instruction fetch. The data stored in these marked areas cannot be executed as a program by the CPU. Because this flag is implemented directly in the CPU, it has no overhead compared to exploit mitigation functions implemented in software. Some Linux systems running on hardware that does not support a 'no-execute' flag emulate this function in software.
See Wikipedia on NX bit.
PIE - Position independent code
PIE stands for 'Position Independent Executable' and describes a function where the operating system can load certain parts of the application at random positions inside the computer's address space. In some attacks the attacker needs to know beforehand at which memory location a data structure will be loaded (e.g. to jump into code that has been written using a buffer overflow). By having the operating system load the program code into different locations every time, the attacker cannot predict the memory location, which makes it harder to write a successful exploit.
Fortify source
In addition to the technologies above, the GCC C-Compiler can analyse the source code to be compiled and detect certain insecure sections (that might create a security problem). The compiler will replace the insecure function calls with special hardened code that will perform extra runtime checks while the process is executed. This is called FORTIFY SOURCE.
Compiler- and Linker-Flags
To enable these exploit mitigation functions in compiled binaries, special flags must be specified for the compiler (gcc) and linker.
- RELRO: LDFLAGS="-z relro -z now"
- STACK CANARY: CFLAGS="-fstack-protector" LDFLAGS="-fstack-protector"
- PIE/PIC: CFLAGS="-fPIE -fPIC" LDFLAGS="-fPIC -pie"
- NX: is enabled on the OS and BIOS level, but can be disabled in the ELF file. It should be enabled by default if not manually disabled for a binary.
- FORTIFY-SOURCE: CFLAGS="-O2 -D_FORTIFY_SOURCE=2"
Examples
example linker flags (32bit/64bit):
LDFLAGS="$LDFLAGS -fPIC -pie -z relro -z now -fstack-protector"
example c-compiler flags (32bit):
CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector -fPIE -fPIC --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=i686 -fasynchronous-unwind-tables"
example c-compiler flags (64 bit):
CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector -fPIE -fPIC --param=ssp-buffer-size=4 -m64 -mtune=generic"
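To verify that a binary built with the flags above really carries the functions described earlier, here is an added example (not the NESO checksec.sh script and not code from this post): a small POSIX shell script that reads `readelf` output and reports RELRO, stack canary, NX, PIE and FORTIFY status using the same rules checksec applies. The two readelf excerpts embedded in it are constructed to look like a binary built without and with the flags from this post; `check_binary` runs the real check and assumes GNU binutils `readelf` is installed.

```sh
#!/bin/sh
# Minimal checksec-style hardening report for an ELF binary, built on GNU
# binutils `readelf`. Added example; not the NESO checksec.sh script, only a
# reimplementation of the same checks in a few lines of awk.

# Parse the combined output of `readelf -W -h -l -d -s FILE` from stdin and
# print one line per hardening feature:
#   RELRO   - a GNU_RELRO segment gives partial RELRO; BIND_NOW (from
#             "-z now") on top of it makes it full RELRO.
#   Canary  - -fstack-protector code calls __stack_chk_fail, so that symbol
#             is present in a protected binary.
#   NX      - GNU_STACK segment flags; "RWE" means an executable stack,
#             i.e. NX was disabled for this ELF file (e.g. -z execstack).
#   PIE     - ELF type DYN plus a (DEBUG) dynamic tag is a PIE executable;
#             DYN without (DEBUG) is a shared library; EXEC is not PIE.
#   Fortify - _FORTIFY_SOURCE replaces libc calls with __*_chk variants.
hardening_report() {
    awk '
        /^ *Type: *EXEC/   { exec_type = 1 }
        /^ *Type: *DYN/    { dyn_type  = 1 }
        /GNU_RELRO/        { relro     = 1 }
        /BIND_NOW/         { bindnow   = 1 }
        /GNU_STACK/        { stack     = $0 }
        /\(DEBUG\)/        { has_debug = 1 }
        /__stack_chk_fail/ { canary    = 1 }
        /__[a-z_]*_chk@/   { fortify   = 1 }
        END {
            if (!relro)        r = "none"
            else if (bindnow)  r = "full"
            else               r = "partial"

            if (stack == "")        nx = "unknown (no GNU_STACK segment)"
            else if (stack ~ /RWE/) nx = "disabled (executable stack)"
            else                    nx = "enabled"

            if (dyn_type && has_debug) pie = "yes"
            else if (dyn_type)         pie = "no (shared library)"
            else                       pie = "no"

            printf "RELRO:   %s\n", r
            printf "Canary:  %s\n", (canary  ? "yes" : "no")
            printf "NX:      %s\n", nx
            printf "PIE:     %s\n", pie
            printf "Fortify: %s\n", (fortify ? "yes" : "no")
        }'
}

# Report on a real file (assumes readelf from GNU binutils is installed).
check_binary() {
    readelf -W -h -l -d -s "$1" | hardening_report
}

# Constructed readelf excerpts (not from real BIND/Unbound builds), so the
# script can be exercised without a compiler or binutils at hand.
# A binary linked without the flags from the post: partial RELRO only.
SAMPLE_UNHARDENED=$(cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x1fd000 0x00000000003fd000 0x00000000003fd000 0x002f0 0x002f0 R   0x1
 0x0000000000000015 (DEBUG)              0x0
    45: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
EOF
)

# A binary built with the CFLAGS/LDFLAGS from the post: everything on.
SAMPLE_HARDENED=$(cat <<'EOF'
  Type:                              DYN (Shared object file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x1fd000 0x00000000003fd000 0x00000000003fd000 0x002f0 0x002f0 R   0x1
 0x0000000000000015 (DEBUG)              0x0
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
    31: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (2)
EOF
)

if [ -n "$1" ]; then
    check_binary "$1"        # e.g. ./hardening.sh /usr/sbin/named
else
    echo "== constructed unhardened sample =="
    printf '%s\n' "$SAMPLE_UNHARDENED" | hardening_report
    echo "== constructed hardened sample =="
    printf '%s\n' "$SAMPLE_HARDENED" | hardening_report
fi
```

Run it with a path to get a report for a real file, for example the named or unbound binary; without an argument it prints the reports for the two constructed samples. A GNU_STACK segment with "RWE" flags is the case mentioned in the flag list above where NX has been switched off for one ELF file, and that is what the NX line flags as disabled.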
Of course the exploit mitigation techniques described here are also valid for all networked applications (such as SSH, web servers, NTP ...), not only for DNS servers. But this is the DNS workshop ...
Resources:
- NX bit
- Security features in Ubuntu Linux
- Debian Hardening
- Basics of stack-smashing attacks and defenses against them
- Position Independent Code internals
- Buffer overflow and you
- Protections against buffer overflow
- Disabling the NX bit for specific apps
- Linux PAX security extension
Posted at 03:02PM Jul 03, 2011 by Carsten in Servers | Comments[1]
RIPE E-Learning module 2 - DNS Vulnerabilities and the 'Kaminsky attack'
The RIPE Training team has released a new eLearning course on DNS Vulnerabilities and the 'Kaminsky attack'. The course can be found at http://www.ripe.net/lir-services/training/e-learning/dnssec/dns-vulnerabilities (requires flash).
This new module explains DNS 'man-in-the-middle' attacks as well as the 'Kaminsky style' cache poisoning attacks.
Posted at 11:56AM Mar 16, 2011 by Carsten in General | Comments[0]
