DNS - ITEN Wired

DNS – The Unsung Hero
In Network Security
Jim Nitterauer
Senior Systems Administrator
A Bit About Me
• Senior Systems Administrator at AppRiver, LLC since 2006
• Is Responsible for global network deployment & security in 10 datacenters
• Manages SecureTide global infrastructure
• Filtering for more than 850,000 mailboxes
• 600 plus servers
• Manages SecureSurf global DNS infrastructure
• Anycast DNS Security
• 100 Plus servers providing DNS service for 10,000 plus users globally
•
•
•
•
Founded Creative Data Concepts Limited, Inc. in 1994 & GridSouth Networks, LLC in 2006
President of Gulf Breeze Area Chamber of Commerce 2003 & 2004
B.S Biology 1985 Ursinus College
M.S. Microbiology 1989 University of Alabama (Roll Tide!)
• Regular Black Hat and DEFCON attendee
• Completed Sans 560 – Network Penetration Testing and Ethical Hacking
Goals for Today
• Quick Recap of DNS basics
– Types (Caching vs. Authoritative)
– Common Records
– Common DNS Server Software
• Explore some common DNS misconfigurations
• Investigate how DNS is used to Exploit Networks
– Direct attack
– Botnet C&C
• Review some simple tools for analyzing DNS traffic logs
Goals for Today (continued)
• Examine some examples of compromise
– Inbound exploitation
– Outbound compromise
• Discuss strategies for securing DNS
– Server configuration
– Monitoring
– Preprocessing Rules
• Mention new directions in DNS
– EDNS0 Client subnet
– Anycast DNS
• Q&A
DNS Basics
• What is DNS?
– Domain Name Service
– A service that simply converts recognizable names into IP Addresses
• IPv4
• IPv6
– Records for a given domain name advertised by two or more authoritative
name servers
– Domain registrar tells the root servers which authoritative name servers
should be queried for answers
– Root servers for the Top Level Domain (TLD) tell recursive servers to look
to the authoritative name servers for answers
DNS Basics
• Authoritative DNS Server
– Provides authoritative answers for domains that have the server listed as
a nameserver with the registrar
– Is returned by the root domain servers as part of domain lookup chain
– Should answer for anyone that asks for domains it hosts
– Does not do recursion – bad idea!
• Recursive or Caching DNS
– Provides domain lookup services for a specific network
– Caches answers to speed up local DNS response times
– Usually locked down to specific network
DNS Basics
Typical DNS Request
DNS Basics
• Common DNS Record Types
– A Record – Defines an IPv4 address for a host name
– CNAME Record – Defines an alias for a host name record.
• Should point to a valid A record host name
• Not to another CNAME!
– NS Record – Defines the host names of the authoritative DNS servers for
the domain (zone)
• Must match the listings at the registrar
• Must have a valid A record for each
– SOA Record – Defines the start of authority for the domain (zone)
• Must contain at least 1 valid name server and
• Manages the default TTLs and the serial number (version) for the zone and
• An email contact for the domain (zone)
DNS Basics
• Common DNS Record Types
– AAAA Record – Defines an IPv6 address for a host name
– PTR Record – Used to resolve IP addresses to host names (reverse DNS
lookups)
• Must be expressed in correct format
• May be required in DNS for some services to function
– MX Records – Define the server(s) responsible for mail relay for the zone
• Must be FQDN (Fully Qualified Domain Name) that points to a valid A record
• IP addresses are NOT allowed by RFC (Request for Comment)
– TXT Records – Optional records used to send human-readable info via
DNS
DNS Basics
• Common DNS Record Types
– DNSSEC Related:
•
•
•
•
DNSKEY – Public Key record
DS – Delegation Signer
NSEC / NSEC3 – Next Secure Record
RRSIG – Signature for DNSSEC-Secured record set
• Basic DNS Lookup
– Use dig
• Free from ISC.ORG
• Windows (BIND for Windows) or Linux (bind-utils)
– More on this later
DNS Basics
• Common DNS Server Software
– BIND (Berkley Internet Name Daemon) (https://www.isc.org/downloads/)
• Version 9 or 10
• Bloated when used for caching server
– Unbound (http://www.unbound.net/)
• Version 5.4
• Caching or forwarding only
• Has pre-emptive cache loading so very fast
– Microsoft DNS
• AD usage
• Supports forwarding
• DO NOT USE FOR Internet Facing Authoritative DNS – you have been warned!
DNS Basics
• Simple DNS Plus (http://www.simpledns.com/)
– Windows
– Very good for Windows Authoritative DNS
– Very secure when configured properly
• Dnsmasq
– Included in most Linux distributions
– Limited functionality
– Built into many home Wi-Fi routers
Common DNS Misconfigurations
• Test Your DNS at DNS Stuff (http://www.dnsstuff.com/)
– Ex:
Common DNS Misconfigurations
• Stealth Name Servers
– The name servers (NS records) listed in DNS don’t fully match the
nameservers listed with the registrar
– Can cause issues with some DNS lookups
• NS Records point to unreachable IPs (No Glue)
– 192.168.0.10 – Private IP unreachable via Internet
• NS Records have no A record in DNS
– NS IN ns1.mydomain.com
– No ns1.mydomain.com IN A 200.200.200.10
– So nobody can get to name server
Common DNS Misconfigurations
• No Valid SOA Record
– Causes unpredictable record propagation
– Makes it difficult for other DNS servers to determine Primary NS
– Secondary servers sync improperly w/o serial number
• Improper TTLs
– TTL = Time To Live
– Too short – too many DNS refreshes
– Too Long – difficult to change records in a timely manner
• Lame Nameserver Delegation
– One or more listed nameservers have no information about domain
– No aa flag in the response
Common DNS Misconfigurations
• Allows Zone Transfers to anyone
– May expose more info than you wish to make public!
– Lock down transfers to known hosts
• CNAME pointing to NS Record
– Results in lame delegation
– Against RFC
• Great Reference - https://www.howtoforge.com/troubleshootingcommon-dns-misconfiguration-errors
DNS As An Attack Vector
• DNS Hijacking
– MITM attacks intercept DNS requests, redirect them to a malicious DNS
server and direct users to bogus sites
• DNS Cache Poisoning
– Similar to MITM. Requires luck to return spoofed DNS data to DNS cache
on port that is expecting response. Easier if no port range randomization
• DNS Amplification
– Small incoming query w/ spoofed source IP requesting large data (ANY,
RRSIG)
– Bad guy hits hundreds or thousands of open resolvers
– Results in target (spoofed IP) receiving a large number of unrequested
packets (DDoS)
DNS As An Attack Vector
• DNS Lockup
– Resolvers set up to deliberately initiate TCP connections
– Requesting resolver receives garbage from malicious resolver
– Resources eventually exhausted on requesting resolver
• DNS Tunneling
– Malware uses DNS (UDP 53) to export data from a compromised network
– May also be used as a full remote control channel to a compromised host
• Nice Summary Reference
– http://securitymiddleeast.com/2015/02/04/increasing-importance-dnsattack-vector/
DNS As An Attack Vector
• Domain Bit Flipping
–
–
–
–
–
Ex: google.com flip 4th bit goofle.com
Bit flipping happens with regularity in RAM
Increases at higher temps
Can occur BEFORE data is written to disk
https://www.youtube.com/watch?v=ZPbyDSvGasw
• Domain Generation Algorithms (DGAs)
– Also known as Domain Fluxing
– https://www.damballa.com/domain-generation-algorithms-dga-in-stealthymalware/
– Can transmit lifted data in DNS packets
DNS Analysis Tools
DNS Analysis Tools
DNS Analysis Tools
• Dig Installation
– Windows
• Download Bind for Windows - https://www.isc.org/downloads/file/bind-9-10-2p4/?version=win-64-bit
• Create a folder on the target drive – Ex. C:\dig
• Unzip the archive into the folder
• Add the folder to your Windows PATH statement
– Linux
• sudo apt-get install bind-utils
• sudo yum install bind-utils
DNS Analysis Tools
• Dig Examples
– dig @x.x.x.x domain.com –t NS
• Returns the Nameserver records for domain.com as reported by x.x.x.x
– Many useful options
•
•
•
•
•
•
dig –h or man dig for instruction
+trace – shows all the DNS queries in the chain from the root
+subnet to allow checking for EDNS 0 Client Subnet responses
+dnssec +sigchase to validate DNSSEC entire path
-f filename.txt allows parsing of a text file with one domain per line (load testing, etc)
-t RecordType allows retrieval of specific record types
– Much better than nslookup
DNS Analysis Tools
• Wireshark
–
–
–
–
–
–
–
www.wireshark.org
Use simple filters to capture traffic on Ethernet interfaces
Allows for analysis of pcap files collected on your Linux DNS servers
Tcpdump is used on Linux servers to grab and filter pcap data
Download pcap with WinSCP to Windows and use Wireshark
Filter example: dns
Allows for very granular packet capture and analysis
DNS Analysis Tools
DNS Analysis Tools
• Elasticsearch
– https://www.elastic.co/products/elasticsearch
– Distributed, scalable data collection and indexing platform
– Integrates with
•
•
•
•
Graylog
Kibana
Logstash
NXLog
– Basis for many useful data presentation platforms
– We will look at a few examples
DNS Analysis Tools
• Graylog (https://www.graylog.org/)
–
–
–
–
Extremely powerful logging platform for just about any type log
Works with Elasticsearch back end
Supports many formats
GELF – Graylog Extended Log Format
• Allows for granular field definitions and easy searchability
• Common format for many log shippers
– NXLog, Logstash, etc
– Dashboard Support
– Open source
– Data can be accessed with other tools, ex. Kibana
DNS Analysis Tools
• Nxlog (http://nxlog.org/products/nxlog-community-edition)
–
–
–
–
Log shipper for Linux and Windows
Multiple formats
Includes GELF support
Useful in shipping Windows logs to Graylog / Elasticsearch
• Kibana (https://www.elastic.co/products/kibana)
– Connects to Elasticsearch indexes
– Allows for the creation of versatile dashboards
– Supports alerting
• Logstash (https://www.elastic.co/products/logstash)
– Pipeline to help process logs & send to Elasticsearch
DNS Analysis Tools
DNS Analysis Tools
DNS Analysis Demos
• Demos
– Graylog showing AD DNS Requests
• Allow very simple isolation of requests from client IP
• Correlate with our CTN (Critical Threat Notification) generated by SecureSurf
• Isolate an infected workstation within minutes
– Graylog show DNS Amplification Dashboard
• We monitor numbers of A and ANY queries hitting our public resolvers
• If we see a new domain used in an attack, we can immediately block that domain at
all edge connections
– Graylog show Example of Compromise
• DNS Amplification Attacks (Inbound)
• Domain Generation Algorithm (DGA) traffic (Outbound)
Securing DNS
• Secure The Server!
– Disable recursion on Authoritative Servers
• Lock down by allowed IP
• Or disable completely
– Lock Down Zone Transfers
• Only to allowed IPs
• Secure with TSIG
– Do NOT mix Authoritative & Caching Servers
• OK For AD (No choice)
• No Public Zones on AD DNS Servers
– Limit Number and Types of Requests Allowed
• By Source IP
• By Record Type Request
Securing DNS
–
–
–
–
Secure Cache Against Pollution
Enable & Enforce DNSSEC if Possible
Force ANY Queries to Resend on TCP
Enable DNS Query Logging
• Ship logs to log analysis tool like Graylog
• Know what’s normal
– Recursive servers forward to root or known good servers!
• Define DNS Preprocessing Rules
– Ex. F5 iRules
• Applied to VIP in front of DNS servers
• Allows for very granular control
– Log UDP / DNS Traffic On the Edge
Securing DNS
• Deploy Firewall / IPS Rules on the Edge
–
–
–
–
Only allow vetted traffic
Drop all traffic from Bogons at Edge
Drop malformed DNS
Force large UDP requests to re-ask on TCP
• Disperse Authoritative Servers
– Use Anycast if possible
– Or Multiple ISPs to limit SPOF
Securing DNS
• Incorporate Blacklists
– Link to cache server to return IP for blocked content page
– Many sources that update regularly
– Easy to include in Unbound or BIND
• Use a DNS Filtering Service
– SecureSurf
– Others
• Outsource Primary DNS
– AppRiver DNS Plus
– Akamai
New DNS Directions
• EDNS 0 Client Subnet
– AKA draft-ietf-dnsop-edns-client-subnet
– https://tools.ietf.org/html/draft-ietf-dnsop-edns-client-subnet-00
– Allows for authoritative servers to return different IP data based upon
client WAN subnet
– Think CDN via DNS
– Not widely adopted yet
– Limited cache server options
• Anycast DNS
– Same IP announced via BGP from multiple locations
– Failover
– Works well with UDP traffic since stateless
Wrap-up
• Questions & Answers
• Contact Info
–
–
–
–
[email protected]
@jnitterauer
https://www.linkedin.com/in/GridSouth
850-932-5338 ext. 6468