PowerDNS Technical Deep Dive: Dynamic Filtering for Malware & Parental Control
Pieter Lexis, Peter van Dijk, Bert Hubert, Alexander ter Haar, Andrea Tosatto
2 | PowerDNS Platform
Agenda: Technical Deep Dive, October 2016
• PowerDNS (re)introduction
• Why (malware) filtering? How effective is it?
• How does it work, challenges
• Recursor 4.0 relevant features: Lua & RPZ
• Sources of security data
• Platform implementation: IP address tracking, user preferences, help desk panel, spotting infected users, query logging
• Demo time!
PowerDNS introduction
1999: Company introduces database driven DNS and geographical load balancing
2002-2006: PowerDNS Nameserver and PowerMail go open source; PowerDNS Express launched for EU, US markets
2007-2013: PowerDNS Authoritative, Recursor open source products launched; 24/7 migration, installation, integration, consolidation services & support
2015: PowerDNS merges with Open-Xchange: target audience and installed base are amongst the largest Telcos globally
PowerDNS: Be open or be history
2016: PowerDNS 4.0
• Malware protection
• Parental control
• Reporting
Market Share: Large ISPs and Telcos use PowerDNS
• Authoritative:
  • 30%+ of all hosted domains (40-50% in Europe)
  • 75% - 95% of all hosted DNSSEC domains
  • Hundreds of millions of phone numbers (call routing, number portability)
  • PowerDNS is the default choice for very large scale hosting deployments
• Recursor:
  • 150 million+ users served by PowerDNS Recursor
  • Shipped with all major Linux & BSD distributions
• PowerDNS products have over 150k deployed instances
• 1315 profiles on LinkedIn mention PowerDNS experience
Who are you?
PowerDNS Core Technologies: more than just name servers
• PowerDNS Authoritative Server: up to extremely large scale domain hosting, fully automated DNSSEC, database backed, error checking, API driven
• PowerDNS Recursor: resolves domain names; robust, focus on customer experience, security, (per-subscriber) statistics, dynamic domain redirection, very flexible
• dnsdist: highly DoS- and DNS-aware load balancer and firewall
• PowerDNS Tooling: powerful tools to visualize & study DNS problems and measure performance
• Platform: fully graphical, monitored, GUI controllable, High Availability environment for Authoritative and Recursor
• Recursor platform including support for (selectively) filtered DNS (malware detection and parental control), long term query logging & user statistics (malware)
PowerDNS Authoritative: The gold standard for large scale hosting
Standard & compliant serving of DNS information from all relevant databases:
• MySQL, PostgreSQL, LDAP, SQLite, MS SQL Server
• Text files, dynamic scripts
• Native support for legacy BIND zonefiles
Leading DNSSEC implementation worldwide
• Hosting over 75% of DNSSEC domains
• “1 click DNSSEC”
Scales to millions of domains per server
Powerful dynamic features:
• Geographical load balancing
• Content redirection, smart failover
PowerDNS Recursor: Fast & Flexible
Standards compliant resolution of domain names
• Strive for maximum resolution percentage
• At highest speed
• With least operator intervention
• or conversely: least customer complaints!
• DNSSEC, RPZ
• Powerful dynamic capabilities
• Query & answer modification for security & filtering
• Dynamic-aware cache
dnsdist: DNS and DoS aware load balancing
• DNS benefits from special load balancing policies not frequently found in existing load balancing solutions
• Example is “query concentration”, leading to a few very busy servers with extremely high cache hit rates
• Customers may also be abusing DNS for tunneling purposes, or otherwise irregular use
• Infected users generate harmful traffic, which dnsdist filters & reports (at very high query rates)
• dnsdist delivers complete flexibility in routing and measuring of DNS traffic, even on non-PowerDNS platforms
dnsdist: DNS and DoS aware load balancing
• Per subscriber rate-limiting
• “Abusive queries pool” for difficult customers
• DoS defence by detection of:
  • Timeout generation
  • Servfail generation
  • NXDOMAIN overloading
  • Random subdomain attacks
  • Botnets
• Kernel based many gigabit/s filtering
• DNS tunneling detection/blocking
• Known bad domain detection & shunting
• UDP to TCP forcing to fend off spoofing attacks
• Extensive statistics on “right now” query traffic
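The following dnsdist configuration (dnsdist is configured in Lua) is an added example that turns the bullets above into rules; it is not the PowerDNS Platform's own configuration. Addresses are RFC 5737 documentation ranges and all thresholds are illustrative. It shows a per-subscriber rate limit, an abusive-queries pool, UDP-to-TCP forcing, known-bad-domain shunting, and dynamic blocks driven by ServFail, NXDOMAIN and query rates.

```lua
-- dnsdist.conf (dnsdist 1.x is configured in Lua). Added example, not the
-- PowerDNS Platform's own configuration; 192.0.2.0/24 is an RFC 5737
-- documentation range and the thresholds are illustrative.
setLocal("192.0.2.53:53")

-- Backends: the default pool ("") serves well-behaved traffic; the "abuse"
-- pool is one isolated recursor that difficult customers cannot use to
-- degrade service for everybody else.
newServer({address="192.0.2.11", pool=""})
newServer({address="192.0.2.12", pool=""})
newServer({address="192.0.2.99", pool="abuse"})

-- Action rules run in the order added; pool rules run after them.
-- 1. Per-subscriber rate limiting (per IPv4 /32, per IPv6 /64):
--    above 300 qps the client is dropped outright.
addAction(MaxQPSIPRule(300, 32, 64), DropAction())
-- 2. UDP-to-TCP forcing: a UDP client above 50 qps only gets TC=1 back.
--    A spoofed source never completes the TCP handshake, so reflection
--    traffic stops here; a real client retries over TCP and then falls
--    under the pool rule below.
addAction(AndRule({TCPRule(false), MaxQPSIPRule(50, 32, 64)}), TCAction())
-- 3. Above 30 qps (UDP or TCP) the client is shunted to the abuse pool.
addPoolRule(MaxQPSIPRule(30, 32, 64), "abuse")
-- 4. Known bad domains: drop outright, or shunt to the abuse pool to study.
addDomainBlock("dropper.example.")
addPoolRule({"c2.example.", "botnet-tracker.example."}, "abuse")
-- 5. Crude tunnelling heuristic: a leading label of 50+ [a-z0-9] chars.
--    Real tunnelling detection also weighs per-client volume and entropy.
addPoolRule(RegexRule("^[a-z0-9]{50,}\\."), "abuse")

-- Dynamic blocks: dnsdist calls maintenance() every second; each call
-- inspects the last 10 seconds of traffic and blocks offenders for 60 s.
function maintenance()
  -- timeout/servfail generators and random-subdomain attacks
  addDynBlocks(exceedServFails(20, 10), "servfail rate exceeded", 60)
  -- NXDOMAIN overloading
  addDynBlocks(exceedNXDOMAINs(50, 10), "nxdomain rate exceeded", 60)
  -- botnet-style floods that stayed under the per-query rules
  addDynBlocks(exceedQRate(500, 10), "query rate exceeded", 60)
end
```

On the dnsdist console, `showDynBlocks()`, `topClients()` and `topQueries()` give the "right now" view of who is being blocked and why. Note that each `MaxQPSIPRule` keeps its own counters, so the three thresholds are independent of one another.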
PowerDNS Platform: Full featured DNS solution
• Management of DNS infrastructure to deliver high performance resolution and always-on availability
• Even legacy servers
• Granular level graphing and analysis of performance and subscriber behaviour
• Protection from DoS aimed at the nameservers
• Protection of subscribers from malware, phishing and malicious websites
• Per user content control for subscribers to prevent access to undesirable websites
• Subscriber metadata storage & search
Product lineup
• OX PowerDNS for Internet Service Providers
  • Recursor Platform: Management interfaces, Report & Analytics, Automation, Load Balancing, DoS Protection + Basic Support Services
  • Built on PowerDNS Recursor and dnsdist
  • Optional modules: Parental Control, Malware Filtering, Long term query logging
• OX PowerDNS for Hosting providers
  • Authoritative Platform: Management interfaces, Report & Analytics, Automation, Load Balancing, DoS Protection + Basic Support Services
  • Built on PowerDNS Authoritative Server and dnsdist
  • Optional modules: ENUM, Long term query logging
Security Challenges
• Old software, old phones, old anti-virus
• You may be on an up to date OS, up to date browser
• Many of your users are not!
• Windows XP is still out there. Old Android phones
• Old = 1 year
• Goal: do something for security from the network
Parental Control
• In some countries, governments demand “safe internet” browsing
  • For kids
  • For .. husbands?
  • A bit like “18+ movies” which must be labelled
• Some parents also just want this, because the internet can be a scary place
• Can install an app on every tablet, computer, phone, TV in the house
• Or.. the network can filter
DNS based (malware) filtering
1. Check if the user wants / should get filtering, and what kind of filtering
2. Check DNS lookups against reputation, categorization, malware supplier databases
3. Compare with filtering requirements
  • Some people WANT malware!
4. Either answer the DNS query as normal, or fake in the IP address of the “sorry” page
  • And keep statistics for user feedback
DNS Filtering: does it work? Is it right? What do you think?
• Malware, Botnets, Phishing, Parental Control
• Evasion (8.8.8.8)
• Non-DNS malware
• Speed of list updates
• Ethics
  • Opt-in
  • “Double opt-in”
  • Opt-out
• Network neutrality
PowerDNS Filtering: Open platform
An open platform for detecting and preventing subscriber infection
• PowerDNS Filtering is an open platform
• Integrates with all major categorization / threat list providers
PowerDNS Open Source Features Relevant for filtering
• Available for 10 years: Lua based question/answer modification
  • Synchronous
  • Asynchronous lookups (!)
• New in 4.0:
  • RPZ support
  • Modifiable from Lua
  • Protobuf based logging of all queries
RPZ: Response Policy Zone
• Innovation by ISC, Paul Vixie, Vernon Schryver
• Describes how to treat content matched by:
  • A domain name
  • A response IP address
  • A nameserver (potentially) used in resolution
• Transferred via IXFR
• Updates every few seconds if needed
• Many RPZ feeds are available
• Support in: BIND and PowerDNS
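As an added example (not the platform's configuration), this is how a Recursor 4.0 `recursor.lua` loads one RPZ feed over AXFR/IXFR and one local override zone, with the feed's actions overridden so hits land on the sorry page. The comment block at the end spells out the RPZ record encoding for the three trigger kinds listed above. Addresses are RFC 5737 documentation ranges; zone names and the sorry-page hostname are placeholders.

```lua
-- recursor.lua, loaded through the Recursor's lua-config-file setting
-- (PowerDNS Recursor 4.0+). Added example, not the platform's own config.
-- 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges; zone names and
-- sorry.isp.example. are placeholders.

-- Zones are consulted in the order defined and the first match wins, so the
-- local override zone goes first: an operator whitelist must beat any feed.
rpzFile("/etc/powerdns/local.rpz", {})

-- The feed is fetched from the provider with AXFR and kept current with
-- IXFR. Its own actions are overridden (defpol) so every hit answers with a
-- CNAME to the sorry page instead of NXDOMAIN, and the TTL is pinned low so
-- a listing mistake is undone within seconds of the feed correcting it.
rpzMaster("192.0.2.10", "malware.rpz.example.", {
  defpol     = Policy.Custom,
  defcontent = "sorry.isp.example.",
  defttl     = 30,
})

-- What /etc/powerdns/local.rpz could contain. The owner name is the trigger,
-- the RDATA is the action. A real zone file starts with SOA and NS records,
-- omitted here.
--   $ORIGIN local.rpz.
--   bank.example                 CNAME rpz-passthru.  ; QNAME: never filter, whatever a feed says
--   *.tracker.example            CNAME *.             ; QNAME wildcard: answer NODATA
--   phish.example                A     192.0.2.80     ; QNAME: local data, point at the sorry page
--   32.4.2.0.192.rpz-ip          CNAME .              ; answer contains 192.0.2.4/32: NXDOMAIN
--   ns1.bulletproof.example.rpz-nsdname  CNAME .      ; a nameserver by this name was used: NXDOMAIN
--   24.0.113.0.203.rpz-nsip      CNAME rpz-drop.      ; a nameserver in 203.0.113.0/24 was used: drop
-- IP triggers are written prefix-length first, then the octets reversed:
-- 203.0.113.0/24 becomes 24.0.113.0.203.
```

One caveat when `defpol = Policy.Custom` redirects to a sorry page: a browser that reaches the blocked name over HTTPS will see a certificate error, because the sorry-page server cannot present a valid certificate for the blocked hostname. That is why the platform component list later in this deck carries a separate TLS front end for the sorry page.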
Challenges for per-user (malware) filtering
• Can’t do 100% mandatory filtering for everyone
  • Not legally, and there are always people that want access to malware
  • For parental control: not everyone is a parent or cares
• Per-user settings are nice, but the name server sees IP addresses, not users
  • And users may not be circuit-ids or MAC addresses or IMSIs!
  • 1M users, 5 hours lease time: 55 updates/second
  • Or: 1 update/minute -> 3000 people get wrong settings
• Needs to be 100% reliable and low-overhead
• Needs UI for users, customer support and (re)categorization
PowerDNS Infrastructure
• Lua support
  • Determine status of user (CDB, Redis)
  • Determine status of domain (custom modules per provider)
  • Or: configure RPZ flags
• PowerDNS:
  • Consult the right cache (filtering, non-filtering)
  • If miss, do the right lookup or provide the A-record of the sorry page
  • Store answer in the right cache
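The four filtering steps listed under "DNS based (malware) filtering" and the cache handling on this slide come together in the Recursor's Lua hooks. The script below is an added example, not one of the platform's Lua modules: the real modules read subscriber preferences from CDB/Redis and domain status from per-provider databases, whereas here both are constructed tables so the script loads stand-alone under a Recursor 4.x `lua-dns-script`. The sorry-page address and all names are placeholders in RFC 5737 documentation space.

```lua
-- lua-dns-script for PowerDNS Recursor 4.x. Added example; the constructed
-- tables stand in for the platform's CDB/Redis preference store and its
-- per-provider domain databases. 192.0.2.0/24 is a documentation range.

-- Filtering profiles. gettag() returns one of these for every query and the
-- packet cache is partitioned by tag, so a filtered subscriber never gets a
-- cached unfiltered answer (or vice versa). That is the "right cache" step.
local TAG_NONE, TAG_MALWARE, TAG_MALWARE_PARENTAL = 0, 1, 2

-- Constructed stand-in for the IP -> preference store (Redis/CDB in the platform).
local subscriberTag = {
  ["192.0.2.10"] = TAG_MALWARE,
  ["192.0.2.11"] = TAG_MALWARE_PARENTAL,
  -- any other source address stays at TAG_NONE (no filtering)
}

-- Constructed stand-ins for the domain status databases (suffix match sets).
local malwareDomains = newDS()
malwareDomains:add("c2.example.")
malwareDomains:add("dropper.example.")
local parentalDomains = newDS()
parentalDomains:add("casino.example.")

local SORRY_PAGE = "192.0.2.80"   -- assumed address of the nginx "sorry" vhost
local SORRY_TTL  = 30             -- short, so a preference change bites quickly

-- Step 1: runs before the packet cache lookup. Who is this, what do they want?
function gettag(remote, ednssubnet, localip, qname, qtype)
  return subscriberTag[remote:toString()] or TAG_NONE
end

-- Steps 2 and 3: does the name hit a database this subscriber's profile uses?
local function isBlocked(dq)
  if dq.tag == TAG_NONE then return false end
  if malwareDomains:check(dq.qname) then return true end
  if dq.tag == TAG_MALWARE_PARENTAL and parentalDomains:check(dq.qname) then
    return true
  end
  return false
end

-- Step 4: runs on a packet cache miss, before resolution starts.
function preresolve(dq)
  if not isBlocked(dq) then
    return false   -- resolve normally; the answer lands in this tag's cache
  end
  if dq.qtype == pdns.A then
    dq:addAnswer(pdns.A, SORRY_PAGE, SORRY_TTL)
  end
  -- Any other type (AAAA, MX, TXT, ...) gets an empty NOERROR answer, i.e.
  -- NODATA: a dual-stack browser then falls back to A and reaches the sorry
  -- page, and nothing about the blocked name is ever sent upstream.
  return true
end
```

The "keep statistics for user feedback" part of step 4 is not done in the hook: the Protobuf query logging listed under the 4.0 features exports every query, including the blocked ones, to the logging and reporting side of the platform.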
Malware Filtering: Safe Guard your Subscribers against malware
PowerDNS Malware Filtering offers the possibility to:
• Prevent infection
• Detect & warn infected users
• Retroactively detect infection
• Investigate suspicious traffic
For ISPs:
• Offer to all or some of your customers
• Detect problems to better help subscribers (e.g. ‘slow internet complaints’)
• Enabled / disabled ‘globally’ or ‘per user’ (as an upsell)
Parental Control: Safe Guard your Customers with Multi-Level Access Control
PowerDNS offers unique Multi-Level Control for Browsing:
• Safe Browsing
• Easy to use Web Control Panel
• Supports categories and time-windows
• Both white lists and black lists
• Per-device/per-user parental control
  • CPE assistance required
Architecture
PowerDNS Platform Components
• Stock PowerDNS Recursor, dnsdist
• Lua modules that take decisions for filtering
• Nginx server that hosts the “sorry” page, and proxies URL-level filters
• Sniproxy for TLS termination
• User-interface for subscribers/customers
• Database to store it
• Helpdesk interface to (re)set customer preferences
• Full DNS traffic logging (dstore)
• Malware analysis of logged traffic
• IP/User listener (Radius)
• Reporting module
• Redis distribution of IP/User/Preferences settings
• Deployment script
Dstore: Query logging & searching on commodity hardware
• Store all queries for days, weeks or months
  • Response codes
  • Response latency
  • Response records
• Used to:
  • Investigate customer/domain complaints (‘x doesn’t resolve for me’)
  • Determine source and target of DoS attacks
  • Comply with Lawful Intercept / Data retention regulations
  • Find/flag infected subscribers / devices
  • Find sources of spam without using DPI
• Potentially fully anonymized
[Architecture diagram: two dnsdist instances in front of four Recursors; raw packets are fed through Dgateway into four dstore nodes]
IP/User matching listener
• Receive IP address (IPv4, IPv4:port, IPv6) mappings
  • Radius
  • DHCP
  • “tail -f”
• Highly redundant
  • Multiple receivers
  • To protect against state loss
  • Distributed to every resolver
• Knows about multiple level mappings: circuit-id to user to IP
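The mapping store behind this listener is where the lease-churn problem from the "Challenges" slide bites: accounting messages arrive out of order, and a stale Stop must not wipe the entry of the subscriber who now holds the address. The plain-Lua script below is an added example (not platform code) of an in-memory store with the circuit-id -> user -> IP levels the slide mentions, fed by RADIUS-style Start/Stop events. It keys on plain addresses only; the IPv4:port mappings of a CGNAT deployment would need port ranges in the key. The events are constructed.

```lua
-- Added example, not platform code: an in-memory IP -> user mapping store
-- fed by RADIUS-style accounting events. In the platform this state lives
-- in Redis and is replicated to every resolver; the logic is the same.
local Mapping = {}
Mapping.__index = Mapping

function Mapping.new()
  return setmetatable({
    ipToSession   = {},   -- ip -> {user=, circuit=, since=}
    circuitToUser = {},   -- circuit-id -> user, from provisioning
    userToIp      = {},   -- reverse index for the helpdesk panel
  }, Mapping)
end

function Mapping:provision(circuit, user)
  self.circuitToUser[circuit] = user
end

-- Acct-Start: an address was handed to a circuit. A Start for an address
-- that is still mapped to someone else means we missed the Stop for the old
-- lease; the newer session wins.
function Mapping:start(circuit, ip, ts)
  local user = self.circuitToUser[circuit]
  if not user then return false, "unknown circuit " .. circuit end
  local old = self.ipToSession[ip]
  -- Only drop the old user's reverse entry if it still points here; the old
  -- user may already have been given another address.
  if old and self.userToIp[old.user] == ip then self.userToIp[old.user] = nil end
  self.ipToSession[ip] = { user = user, circuit = circuit, since = ts }
  self.userToIp[user] = ip
  return true
end

-- Acct-Stop: clear the mapping only if it still belongs to this circuit and
-- is not newer than the Stop. A stale Stop that arrives after the address
-- was reassigned must not wipe the new subscriber's entry.
function Mapping:stop(circuit, ip, ts)
  local s = self.ipToSession[ip]
  if not s or s.circuit ~= circuit or s.since > ts then
    return false, "ignored stale stop"
  end
  self.ipToSession[ip] = nil
  if self.userToIp[s.user] == ip then self.userToIp[s.user] = nil end
  return true
end

function Mapping:lookup(ip)
  local s = self.ipToSession[ip]
  return s and s.user or nil
end

-- Constructed scenario: 192.0.2.10 goes to circuit A, is reused by circuit
-- B before A's Stop arrives, then the delayed Stop for A shows up.
local m = Mapping.new()
m:provision("circ-A", "alice")
m:provision("circ-B", "bob")
assert(m:start("circ-A", "192.0.2.10", 100))
assert(m:lookup("192.0.2.10") == "alice")
assert(m:start("circ-B", "192.0.2.10", 200))        -- lease reused, Stop missed
assert(m:lookup("192.0.2.10") == "bob")
assert(not m:stop("circ-A", "192.0.2.10", 150))     -- stale Stop: ignored
assert(m:lookup("192.0.2.10") == "bob")
assert(m:stop("circ-B", "192.0.2.10", 300))
assert(m:lookup("192.0.2.10") == nil)
print("mapping checks passed")
```

Run it with any Lua 5.x interpreter. The timestamp check is what makes the store safe against the out-of-order delivery that multiple redundant receivers inevitably produce.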
Parental Control: Fine-grained control over Parental Control filter
Malware Filtering: Analysis
• Analysis of per-query, per-user results
• Shows detailed user data for advanced troubleshooting
What is an infected user? Security application
• Many users click on bad links from time to time
  • Does not make you infected
• Large wifi at a school will have many infected laptops, but the whole school cannot be flagged as infected
• Detection is in fact a dynamic process that needs to be tuned and monitored
  • Impact of wrongly flagging a user as infected is huge
• PowerDNS Platform Security Solution therefore offers:
  • Modular flagging
  • Potential for manual verification in interface
• Note: customer care processes can benefit greatly from knowing a user’s infected status!
Query logging & searching: Functionality
• Search via API, command line or attractive web interface
  • Output as JSON, XML or HTML
• Example scenario: 1 million qps, 1 week retention, 5 small storage servers, 200TB of data total
• Rapid queries keyed on: source IP, query name, response content
  • Few second response times worst case
• Scanning queries based on time window at 25 million queries/s
  • In other words, scan an hour of traffic (at 1 million qps) in about 2 minutes
• Delivers exact queries, error codes, responses, drops and response times
• No dependencies beyond regular server hardware, works on rotating media
• FULL ANONYMIZATION MODULE
Query logging & searching: Other notable features
• Easy rotation/archiving of old data
  • Split out per day/week
• “Hot data” can live on SSD/NVMe and be copied over to near-line storage for slower but still rapid retrieval
• Can be configured for various scenarios (long term, low cost, lower performance; short term, low cost, higher performance; etc.)
• Data sources:
  • PCAP (vendor neutral)
  • Port mirror (vendor neutral)
  • Native from PowerDNS
Query logging & searching: Security application
• Combines with malware filtering to store the status of each query
  • Blocked
  • Flagged
• Delivers lists of (recently) infected users
• Combines with subscriber communications for notifying infected users
• Detecting which users are infected, or simply clicked on the wrong link, is a customizable process
  • Rules will depend on business logic and risk appetite
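The "What is an infected user?" slide and the one above both say that flagging is a tunable rule set rather than a fixed test. The plain-Lua script below is an added example of such a rule set, not the platform's analysis module: it consumes per-query records carrying the "blocked" status the logging stores, and separates a one-off click from repeated beaconing to the same malicious name, while routing a source with an implausibly large spread of blocked names (the school wifi case) to manual review instead of flagging everyone behind it. The thresholds and the log records are constructed.

```lua
-- Added example, not platform code: turn per-query filter results into a
-- per-subscriber infection verdict. Input records carry the "blocked"
-- status the platform stores with every logged query. Thresholds are the
-- tunable knobs the slides refer to; the values and records are constructed.
local HOUR = 3600

-- Tunable rule set. Raise minRepeats/minSpanHours for a cautious operator,
-- lower them for an aggressive one.
local rules = {
  minRepeats       = 3,   -- lookups of one blocked name before it counts as beaconing
  minSpanHours     = 2,   -- spread over at least this many distinct hours, not one burst
  sharedNetDomains = 20,  -- more distinct blocked names than this looks like a shared network
}

-- Verdicts: "infected" (repeated contact with one malicious name over time),
-- "clicked" (isolated hits: a bad link, not an infection), "review" (so many
-- distinct blocked names that this is probably a school or cafe: a human
-- decides). Subscribers with no blocked queries get no entry: they are clean.
local function classify(records, r)
  r = r or rules
  local perUser = {}
  for _, rec in ipairs(records) do
    if rec.status == "blocked" then
      local u = perUser[rec.user] or { domains = {} }
      perUser[rec.user] = u
      local d = u.domains[rec.qname] or { hits = 0, hours = {} }
      u.domains[rec.qname] = d
      d.hits = d.hits + 1
      d.hours[math.floor(rec.ts / HOUR)] = true
    end
  end

  local verdicts = {}
  for user, u in pairs(perUser) do
    local distinct, beacon = 0, nil
    for qname, d in pairs(u.domains) do
      distinct = distinct + 1
      local span = 0
      for _ in pairs(d.hours) do span = span + 1 end
      if d.hits >= r.minRepeats and span >= r.minSpanHours then beacon = qname end
    end
    if distinct > r.sharedNetDomains then
      verdicts[user] = { verdict = "review",
                         reason = distinct .. " distinct blocked names, likely a shared network" }
    elseif beacon then
      verdicts[user] = { verdict = "infected", reason = "repeated lookups of " .. beacon }
    else
      verdicts[user] = { verdict = "clicked", reason = "isolated hit, no repetition" }
    end
  end
  return verdicts
end

-- Constructed log records: subscriber, epoch seconds, query name, filter status.
local records = {
  { user = "alice", ts = 10,       qname = "phish.example.", status = "blocked" },
  { user = "alice", ts = 20,       qname = "news.example.",  status = "ok" },
  { user = "bob",   ts = 0,        qname = "c2.example.",    status = "blocked" },
  { user = "bob",   ts = 1 * HOUR, qname = "c2.example.",    status = "blocked" },
  { user = "bob",   ts = 2 * HOUR, qname = "c2.example.",    status = "blocked" },
  { user = "carol", ts = 30,       qname = "shop.example.",  status = "ok" },
}
for i = 1, 25 do   -- a school wifi: 25 laptops, 25 different blocked names
  records[#records + 1] = { user = "school", ts = i * 60,
                            qname = "bad" .. i .. ".example.", status = "blocked" }
end

local v = classify(records)
assert(v.alice.verdict == "clicked")
assert(v.bob.verdict == "infected")
assert(v.school.verdict == "review")
assert(v.carol == nil)   -- never blocked: clean
for user, res in pairs(v) do print(user, res.verdict, res.reason) end
```

Because the verdict depends only on the rule table, the same records can be re-scored with different thresholds, which is what "retroactively detect infection" amounts to once the query log is kept for weeks.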
Reporting and insight
Dashboard for real-time information
Live display:
• Plot statistics
• Overview of query rate and pattern, historical and 'here and now'
• Keeps the NOC informed on current DNS performance
• Live display for technical personnel
Dashboard: live security panel
Live display for real-time continuous information
• Shows attacks currently in progress, and
• Which IP addresses and domain names are being shielded
Weekly Automated Reports
Automatically generated reports
• Overview of DNS performance
• Mailed to relevant staff
• Current metrics + comparison with past
• Gives management overview
Per server quality & volume metrics
• CPU utilization, peak memory use
• Allows resource management
Highly Scalable solution: Low latency, high resilience against DoS
Internet traffic and related DNS queries grow:
• Number of DNS queries grows 30% per year
• With LTE, mobile internet looks more like fixed internet
• 500kqps = 5 million subscribers!
PowerDNS benefits from special load balancing policies not frequently found in existing load balancing solutions:
• Example is “query concentration”, leading to a few very busy servers with extremely high cache hit rates
• dnsdist delivers complete flexibility and protection in routing and measuring of DNS traffic, even on non-PowerDNS platforms
Demo time!
The PowerDNS Demo AP: Full locally hosted setup
• The full PowerDNS Platform stack
  • Nameserver
  • DHCP/Radius tracker
  • Statistics
  • Logging, queries, reporting
  • Filtering: malware & parental
  • User control panel
  • Customer care control panel
• Hardware: one i7 Intel NUC with a number of virtual machines
• This setup would support millions of internet users
Join the PowerDNS Demo AP: And be filtered
• Join the “PowerDNS Demo” AP
  • Password: PowerDNS
• You will get a highly dynamic IP address
• To change your settings and find out your PowerDNS Name, go to: http://filter-user.demo.powerdns.com/
• Turn on some filtering!
Join the PowerDNS Demo AP: And be filtered
• BE CAREFUL
• Your DNS lookups will appear on the big screen!!!
  • With your PowerDNS Name
• If you have malware, we’ll also see that
• Suggested test domain: hollandcasino.nl, which is blocked as ‘gambling’ and ‘games’
• Please be careful testing adult sites!
Contact us
Germany: Open-Xchange AG, Rollnerstrasse 14, 90408 Nuremberg, Tel.: +49-2761-8385-0
Netherlands: PowerDNS, Herengracht 38B, 2511 EJ Den Haag, Tel.: +31-15-785-0372
USA, California: Open-Xchange, 530 Lytton Avenue, Palo Alto, CA 94301, Tel.: +1-408-500-0768
Spain: Open-Xchange, Camino del Cerro de los Gamos, 28224 Madrid, Tel.: +34 91-79-012-26
www.powerdns.com www.open-xchange.com
Questions/discussion