Upload File

recursive dns cache auditing jose avila iii founder, onzra

  • Home
  • Documents
  • Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA
16
Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Upload: deborah-matthews

Post on 13-Dec-2015

220 views

Category:

Documents


0 download

Report

Tags:

TRANSCRIPT

Page 1: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Recursive DNS Cache Auditing

Jose Avila IIIFounder, ONZRA

Page 2: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Who Am I?

•One of the founders of ONZRA

•Security Researcher

•Previous Lead Developer at NeuStar for the Managed Internal DNS and SiteBacker2 products

Page 3: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Cache Poisoning Is Not New!

•We find out we were poisoned when services start failing!

•There is a need for a notification system

•Why aren’t there solutions to detect this?

Page 4: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Where Does ONZRA Fit In?

•Developing a Cache Verification Tool

•Verifies changes seen in cache

•Alert on potential Cache Poisoning Events

•Similar to DoX concept

Page 5: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

How Does It Work?

•Takes a dump of the in-memory cache

•Finds differences with an old dump

•Verifies the changes

•Checks authoritative servers

•Checks peer recursive servers

•Alerts if results could not be verified

Page 6: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Features

•Recordset comparison

•Content Delivery Network detection

•Record type based comparison

•Threshold based peer approval

•History tracking

•Alerting based on percentage of change

Page 7: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Content Delivery Network Detection

•Detected by comparing the record sets amongst the peers

•Can lower the alert level

Page 8: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Record Comparison

•Ordering of records does not matter

•We don’t have to verify everything

•What we do not verify:

•MX Record: Preference

•SOA Record: Serial, etc.

Page 9: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Threshold Based Peer Approval

• Based on the threshold of required peers we need to alter our probing interval.

• If too much time passes we will not be able to verify with peers

Page 10: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Probe Interval

•Verify Freq. = TTL-(THRESHxTTL/PEERS)

•Verifying against:

•20 Peers

•10% Threshold

•120s Min TTL

•Need to verify cache every 108 seconds

Page 11: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

History Tracking

•Stores a history of prior record sets

•If the record is not verified by peers its verified against historic values

Page 12: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Detecting Fast Flux

•Value changing quicker than the TTL

•Peers will have multiple values represented

•Screws up prior formula

•How can we verify these?

•Shared DB of historic data?

Page 13: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Tool Components

•TCP Daemon (Listens for Cache Dumps)

•Cache Dump Parsers

•Cache Compare

•Application Cache

•CDN / Fast Flux Detection

•Alerter (Currently only SYSLOG)

Page 14: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

What Resolvers Are Supported?

•Currently Supported

•Microsoft DNS

•Bind

•Supported eventually

•DJB DNS w/ custom Patch

•PowerDNS

Page 15: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Future Features

•Cache Verification Service?

•More Research Data

•Multiple Query Nodes

•Better CDN Detection

•Use peer cache dumps instead of querying

•Interaction with other DNS Projects

Page 16: Recursive DNS Cache Auditing Jose Avila III Founder, ONZRA

Questions?

[email protected]@ONZRA.com


DNSSEC Validation Failure - NASA.GOV - 20120118 - FINAL · 2014-11-25 · Analysis(of(DNSSEC(Validation(Failure(Comcast(–(DNS(Engineering(Page(4(of(12(Trust(Anchor(for(a(domain.(This(instructs(Comcast(DNS(recursive(resolvers(to

Recursive DNS Architectures and Vulnerability ImplicationsRecursive DNS Architectures and Vulnerability Implications David Dagon1, Manos Antonakakis1, Kevin Day2, Xiapu Luo1, Christopher

dnssec day 3-1 - bdNOGwiki.bdnog.org/lib/exe/fetch.php/bdnog7/dnssec_day_3-1.pdf29 June 2016 2.0. Overview •DNS Overview •BIND DNS Configuration •Recursive and Forward DNS

DNSSEC in Windows DNS Server...1 A DNS client sends a DNS query to a recursive DNS server. The DNS client can indicate that it is DNSSEC-aware (DO=1). 2 The recursive DNS server sends

Old but Gold: Prospecting TCP to Engineer DNS Anycast ...johnh/PAPERS/Moura20a.pdfon global DNS for reachability and load-balancing. We show that a recursive DNS resolver’s preference

DNS Concepts - APNICarchive.apnic.net/meetings/16/programme/tutorials/docs/... · • Recursive server – Do the actual lookups; ask questions to the DNS on behalf of the clients

Characterization of Collaborative Resolution in Recursive DNS … · 2019-11-25 · Berger et al. [11] associate IPv4 and IPv6 addresses in DNS queries to find dual-stack machines

High-Proof Data Recursive DNS Metrics TSDB Distillation of€¦ · TSDB Distillation of Recursive DNS Metrics 1 Alexis Fasquel [email protected]. DNSOARC • High-proof Data 2 Introduction

Dyn, DDoS, and DNS - Country Code Names Supporting ... In early August we started to see an uptick in DDoS attacks –Targeting our customers –Observed in our recursive DNS traffic

CSCI-1680 DNS - Brown Universitycs.brown.edu/courses/csci1680/f18/lectures/17-dns.pdf · Resolver operation •Apps make recursive queries to local DNS server (1) –Ask server to

The Dan Kaminsky DNS vulnerability DNS root servers DNSSEC ...security.hsr.ch › lectures › Internet_Security_1 › 12-DNSSEC.pdf · • DNS resolution via recursive nameserver

An analysis of the DNS cache poisoning attackA DNS cache poisoning attack tries to forge the response from an authoritative NS thus forcing a recursive NS to store forged information

1 Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces Speaker: Jun-Yi Zheng 2010/03/29

Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces

Know Your Enemy Introduction to DDoS Threat...•HTTPS flood •DNS query flood •DNS recursive flood Low-and-slow •Slowloris •R.U.D.Y •Large file download Each year more attack

DNS Privacy - potaroo.net · DNSSEC and Recursive Resolvers •If you are going to use a DNSSEC-validating recursive resolver –Such as 1.1.1.1, 8.8.8.8, 9.9.9.9 or any other validating

The Hitchhiker’s Guide to DNS Cache Poisoningshmat/shmat_securecomm10.pdfThe Hitchhiker’s Guide to DNS Cache Poisoning 3 2.2 Caching and recursive resolution When a DNS resolver

CSCI-1680 DNS - Brown Universitycs.brown.edu › courses › cs168 › f17 › lectures › 17-dns.pdfResolver operation •Apps make recursive queries to local DNS server (1) –Ask

Boost DNS Privacy, Reliability, and E ciency with opDNS ... · application recursive DNS cache web server local opDNS cache client 1 2 0100101 1110010 1100110 1101101 1100001

CSCI-1680 DNS - Brown University › courses › cs168 › f18 › lectures › 17-dns.pdf · Resolver operation •Apps make recursive queries to local DNS server (1) –Ask server

NXNSAttack: Recursive DNS Inefficiencies and Vulnerabilities · Recursive DNS Inefficiencies and Vulnerabilities Yehuda Afek Anat Bremler-Barr Lior Shafir Tel-Aviv University Interdisciplinary

150415 - Verisign Recursive DNS

Recursive DNS Architectures and Vulnerability …wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/... · • DNS resolution happens first, as a precursor to almost

FRNOG 25 - BIND9 Recursive Client Rate limiting - notesHEADLINE: This type of random name query traffic is now well-known to most operators of large Recursive DNS Servers In early

Recent DNS Reflector Attacks · 2006-11-15 · Filter out open Recursive DNS Servers: ACL would be way too big to put on a router, too big to even have a blackholeroute-server, and

DNS Global Server Load BalancingWhen GSLB is deployed at the edge of the network on recursive DNS servers close to the users, health checking ensures accurate evalua-tion of application

Living on the Edge: (Re)focus DNS Efforts on the End-Points · Another possibility: DNS over TLS Validation Recursive resolver Authoritative net Authoritative. Authoritative dns-oarc.net

11 DNS NAT.tmp...Every local DNS server knows the root servers! Use cache to skip steps if possible e.g. skip the root and go directly to .edu if the root file is cached Recursive

Welcome! [nsrc.org] · •Recursive Server ... •Lab 3 – Configuring Domains –TEA BREAK •DNS Registries •Troubleshooting (dig, traceroute, nslookup, ethereal) ... triggers

We believe that we are on the verge of the Internet of ... · Recursive DNS Server IoT Platform retrieves public key from secure DNS Server . Sensor Keys DNS Registry device1.example.com

Recursive Algorithms Recursive procedure

NXNSAttack:RecursiveDNSInefficienciesandVulnerabilitiescyber-security-group.cs.tau.ac.il/dns-ns-paper.pdf · Authoritative name-server 2.6x 2x NXNSAttack a Recursive resolver 163x

SLA Monitoring System (SLAM) - ICANN · EPP EPP service availability ≤ 864 min of down(me (≈98%) ... DNS test • One non-recursive DNS query sent every minute from all probe

DNSSEC-Tools · DNSSEC-Tools Wes Hardaker Authoritative Server Administrator Recursive Server Administrator End User DNS Yesterday (there are both much

DNS NO ECOSISTEMA DE CIBERSEGURANÇA A … · • Despite adversaries’ reliance on DNS, 68% organizations do not monitor recursive DNS ... Workday – HR SAP IPS/IDS Email/SPAM