HAR: DNS Security in the broadest sense, some good, some bad, by Bert Hubert of PowerDNS.com / Fox-IT
Slides are here
Bert Hubert introduced us to the world of DNS. He opened by stating that “DNS is scary and complex” and “DNS is everywhere”.
Why is DNS scary and complex? DNS answers consist of a single UDP packet with binary variable-length fields. It is a common misperception that DNS answers end in a NULL character; e.g. \3www\9my\0domain\3com\0 is a valid answer for www.my\0domain.com, so the same bug that is present in many SSL implementations may also exist in DNS.
DNS compression also causes issues, because it allows you to use pointers to refer to other parts of the answer. That other part of the answer can contain a pointer as well, which means you can cause a loop. Some DNS implementations will follow these endless loops very fast.
In order to have a secure and stable DNS implementation you need to do each and every thing right.
DNS is everywhere, and there are more and more devices containing DNS, like 20 euro ADSL routers that interfere with your DNS queries, cameras and phones. DNS also has more and more alternative uses, like anti-virus, advertising and also censorship.
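The two wire-format pitfalls above (a NUL byte is a legal label byte, and compression pointers can chain) are easiest to see in a decoder. The following is an added example written for this summary; it is not code from the talk or from PowerDNS. It decodes RFC 1035 names from a constructed message fragment, keeps labels as raw bytes so an embedded NUL survives, shows what a consumer that treats the name as a C string would see instead, and rejects pointer chains that do not strictly go backwards, which rules out loops.

```python
"""Safe decoding of DNS wire-format names (added example; not from the talk).

Handles two of the pitfalls the talk names:
  * labels are length-prefixed and may contain any byte, including NUL, so a
    name must never be handled as a C string;
  * compression pointers (RFC 1035 section 4.1.4) may point at other pointers,
    so a decoder needs a termination rule or it will loop forever.
"""
from __future__ import annotations

MAX_LABEL_LEN = 63    # RFC 1035: a label length fits in 6 bits
MAX_NAME_LEN = 255    # RFC 1035: total wire length of a name


class MalformedName(ValueError):
    """Raised for any name a strict decoder must reject."""


def decode_name(msg: bytes, offset: int) -> tuple[list[bytes], int]:
    """Decode the name starting at msg[offset].

    Returns (labels, next_offset): labels as raw bytes objects, next_offset
    where the caller continues parsing (just after the first compression
    pointer, or after the terminating root label).

    Termination rule: every pointer must target an offset lower than the offset
    where the current walk began, so targets strictly decrease and no byte can
    be visited twice. The 255-byte cap bounds the label bytes copied.
    """
    labels: list[bytes] = []
    decoded_len = 0
    pos = offset
    walk_start = offset      # start of the current pointer-free walk
    next_offset = None       # set when the first pointer is met

    while True:
        if pos >= len(msg):
            raise MalformedName("name runs past the end of the message")
        length = msg[pos]

        if length & 0xC0 == 0xC0:                    # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise MalformedName("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if next_offset is None:
                next_offset = pos + 2
            if target >= walk_start:
                raise MalformedName(f"pointer at {pos} -> {target} does not go backwards")
            pos = walk_start = target
            continue

        if length & 0xC0:                            # 01xxxxxx / 10xxxxxx are reserved
            raise MalformedName(f"reserved label type 0x{length:02x} at {pos}")

        if length == 0:                              # root label ends the name
            if next_offset is None:
                next_offset = pos + 1
            return labels, next_offset

        if length > MAX_LABEL_LEN:
            raise MalformedName(f"label of {length} bytes at {pos}")
        decoded_len += 1 + length
        if decoded_len + 1 > MAX_NAME_LEN:           # +1 for the root label
            raise MalformedName("name longer than 255 bytes")
        label = msg[pos + 1 : pos + 1 + length]
        if len(label) != length:
            raise MalformedName("label runs past the end of the message")
        labels.append(label)                         # raw bytes: an embedded NUL is kept
        pos += 1 + length


def to_text(labels: list[bytes]) -> str:
    """Presentation form with RFC 4343 escaping: non-printable bytes become \\DDD."""
    out = []
    for label in labels:
        chars = []
        for b in label:
            if b in (0x2E, 0x5C):                    # '.' and '\' are backslash-escaped
                chars.append("\\" + chr(b))
            elif 0x21 <= b <= 0x7E:
                chars.append(chr(b))
            else:
                chars.append(f"\\{b:03d}")
        out.append("".join(chars))
    return ".".join(out) + "."


def as_c_string(labels: list[bytes]) -> str:
    """What a consumer that treats the joined name as a NUL-terminated C string sees."""
    return b".".join(labels).split(b"\x00", 1)[0].decode("ascii", "replace")


# Constructed message fragment (not a real capture): the first name encodes
# www.my\000domain.com, the second reuses its tail via a pointer to offset 4.
SAMPLE = (
    b"\x03www\x09my\x00domain\x03com\x00"   # offsets 0..18
    b"\x04mail\xc0\x04"                      # offsets 19..25: "mail" + pointer -> 4
)
LOOPING = b"\x05abcde\xc0\x00"               # a label, then a pointer back to offset 0

if __name__ == "__main__":
    labels, _ = decode_name(SAMPLE, 0)
    print("decoded :", to_text(labels))       # www.my\000domain.com.
    print("C string:", as_c_string(labels))   # www.my  <- the SSL-style NUL bug
    print("second  :", to_text(decode_name(SAMPLE, 19)[0]))
    try:
        decode_name(LOOPING, 0)
    except MalformedName as e:
        print("rejected:", e)
```

The C-string view is the point of the talk's SSL comparison: a validator that compares names with strlen-based routines would accept the first name as www.my, while the resolver that decoded it correctly knows it is something else.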
What are the threats to DNS?
The main risks are around availability. If there is no DNS, “the Internet is down”. A single resolver may be servicing anything from 1 to more than 100,000 users. The largest authoritative DNS server hosts more than 8,000,000 zones.
Exploitation is also a risk. If you own a DNS server you own the internet for the users trusting that DNS; also, if you own the DNS server you usually own the box the DNS is running on.
A further interesting angle is integrity. If DNS sends you the wrong way, your traffic goes to the wrong server and your money will follow.
When you talk about availability, the situation is not very good: it is extremely easy to kill a DNS server. It only takes about 10,000 well-designed queries per second to kill a resolver. If you can generate about 50,000 queries per second you will be able to kill an authoritative server. This is why large companies like Akamai and large providers have stacks and stacks of DNS servers.
Exploitation is also a risk: typical resolver routines in common OSes and appliances have very old DNSSEC code from 1984 in them. The most frightening part is that nobody seems to care; the original Windows XP used ‘1’ or ‘2’ as its random DNS transaction ID.
Integrity, however, is the biggest issue. The whole internet is built on top of DNS. From a technical perspective DNS spoofing is easy: anybody can answer a DNS query if they have the right source IP, destination port and transaction ID and the right name in it, and the answer arrives before any other answer.
Luckily the chances of doing this successfully are 1:2,000,000,000; before people started to patch for the Kaminsky attack, the chance was 1:65535. By randomizing the source port, the time needed to get a 50% chance of spoofing DNS increased from 10 seconds to 10 hours.
Currently, in order to successfully spoof DNS you need to generate too much traffic. This traffic will kill the DNS servers, and “people notice that”.
But what if we are patient and start a slow attack? If we generate 100 queries per second, we have a 50% chance of succeeding after trying for 6 weeks. However, if you spoof . (the root zone), 6 weeks is not that long to wait, because once I can spoof the root zone, I own the DNS for that resolver.
The details of this technique are kept quiet because it works very well. The countermeasures against it don't work, or they break too much stuff.
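The odds quoted in the paragraphs above all follow from one formula: if each forged answer is an independent guess with probability p = 1/N of matching the outstanding query, the chance that at least one of n guesses lands is 1 - (1 - p)^n. The block below works that out as an added example; it is not part of the talk or of PowerDNS. The inputs are the talk's figures (1:65535 with only the 16-bit transaction ID, 1:2,000,000,000 with source-port randomization, 100 guesses per second for the slow attack); the outputs are what the formula gives, whereas the talk's figures are rounded. The last function turns the question around into the defender's form: how large the guess space must be so that a sustained low-rate attack stays below a chosen probability over a given window, which is the quantity that EDNS-PING style proposals try to raise.

```python
"""Odds of blind DNS spoofing versus guess space and attack rate
(added example; standard formulas, inputs taken from the talk's figures).

A forged answer is accepted only if it matches the outstanding query's
transaction ID, source port and name and arrives before the real one.
Model each forged packet as an independent guess with probability p = 1/N;
after n guesses P(at least one success) = 1 - (1 - p)^n.
"""
import math

TXID_ONLY = 65_535              # talk: 1:65535 before source-port randomization
TXID_AND_PORT = 2_000_000_000   # talk: 1:2,000,000,000 with source-port randomization


def success_probability(guess_space: float, attempts: float) -> float:
    """P(at least one success in `attempts` guesses) = 1 - (1 - 1/N)^n,
    computed via log1p/expm1 so tiny p does not lose precision."""
    return -math.expm1(attempts * math.log1p(-1.0 / guess_space))


def attempts_for(target: float, guess_space: float) -> int:
    """Smallest n such that success_probability(N, n) >= target."""
    return math.ceil(math.log1p(-target) / math.log1p(-1.0 / guess_space))


def seconds_for(target: float, guess_space: float, rate: float) -> float:
    """Wall-clock time to reach `target` when the attacker sends `rate` guesses/s."""
    return attempts_for(target, guess_space) / rate


def guess_space_needed(rate: float, seconds: float, max_prob: float) -> int:
    """Defender's question: how large must N be so that an attacker sending
    `rate` guesses/s for `seconds` succeeds with probability at most `max_prob`?
    Solves (1 - 1/N)^n >= 1 - max_prob for N, with n = rate * seconds."""
    n = rate * seconds
    return math.ceil(1.0 / -math.expm1(math.log1p(-max_prob) / n))


def bits(guess_space: float) -> float:
    """Guess space expressed as bits of entropy."""
    return math.log2(guess_space)


if __name__ == "__main__":
    for name, space in (("TXID only", TXID_ONLY), ("TXID + port", TXID_AND_PORT)):
        n = attempts_for(0.5, space)
        print(f"{name:12s} {bits(space):5.1f} bits   50% after {n:>14,} guesses")
    # The slow attack from the talk: 100 forged answers per second, patiently.
    days = seconds_for(0.5, TXID_AND_PORT, 100) / 86400
    print(f"100 guesses/s against 1:{TXID_AND_PORT:,}: 50% after about {days:.0f} days")
    # Defender's view: entropy needed to keep a 6-week attack at 100/s under 1%.
    six_weeks = 6 * 7 * 86400
    need = guess_space_needed(100, six_weeks, 0.01)
    print(f"6-week attack at 100/s held under 1% needs 1:{need:,} ({bits(need):.1f} bits)")
```

Note that the expected number of guesses is simply N, while a 50% chance needs about 0.69 N; doubling the attacker's rate halves the time, so the only lever the resolver side controls is N, and only up to the 32 bits that TXID plus port can offer.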
What are the medium term solutions?
Why not do DNS over TCP? Most people will tell you that it does not perform well enough, but this is mainly because the RFC states that there should be a 2 minute timeout.
Another solution might be to send every DNS query three times and pick the majority answer. However, round-robin servers or servers like Akamai's will actually give you a different answer for every query.
The speaker has proposed an alternative solution, EDNS-PING, an extra 16 bit number added to DNS.
What are the long term solutions?
DNSSEC does solve all spoofing risks; unfortunately it increases the packet size and thus increases the DoS risks. Also, DNSSEC only works if everybody uses DNSSEC.
The speaker believes that DNSSEC is way too complex. That is why he created PowerDNSSEC, because “if we use DNSSEC it should be easy”.
In summary:
• DNS security is hard to get right, which is bad because it is everywhere.
• Slow DNS attacks are worrying, and there are no real countermeasures.
• If DNSSEC is not done right it will only make it more complex.
Very good summary, thanks!