docDNS - ITEN Wired
download 
Report Transcription
DNS - ITEN Wired
DNS – The Unsung Hero In Network Security Jim Nitterauer Senior Systems Administrator A Bit About Me • Senior Systems Administrator at AppRiver, LLC since 2006 • Is Responsible for global network deployment & security in 10 datacenters • Manages SecureTide global infrastructure • Filtering for more than 850,000 mailboxes • 600 plus servers • Manages SecureSurf global DNS infrastructure • Anycast DNS Security • 100 Plus servers providing DNS service for 10,000 plus users globally • • • • Founded Creative Data Concepts Limited, Inc. in 1994 & GridSouth Networks, LLC in 2006 President of Gulf Breeze Area Chamber of Commerce 2003 & 2004 B.S Biology 1985 Ursinus College M.S. Microbiology 1989 University of Alabama (Roll Tide!) • Regular Black Hat and DEFCON attendee • Completed Sans 560 – Network Penetration Testing and Ethical Hacking Goals for Today • Quick Recap of DNS basics – Types (Caching vs. Authoritative) – Common Records – Common DNS Server Software • Explore some common DNS misconfigurations • Investigate how DNS is used to Exploit Networks – Direct attack – Botnet C&C • Review some simple tools for analyzing DNS traffic logs Goals for Today (continued) • Examine some examples of compromise – Inbound exploitation – Outbound compromise • Discuss strategies for securing DNS – Server configuration – Monitoring – Preprocessing Rules • Mention new directions in DNS – EDNS0 Client subnet – Anycast DNS • Q&A DNS Basics • What is DNS? – Domain Name Service – A service that simply converts recognizable names into IP Addresses • IPv4 • IPv6 – Records for a given domain name advertised by two or more authoritative name servers – Domain registrar tells the root servers which authoritative name servers should be queried for answers – Root servers for the Top Level Domain (TLD) tell recursive servers to look to the authoritative name servers for answers DNS Basics • Authoritative DNS Server – Provides authoritative answers for domains that have the server listed as a nameserver with the registrar – Is returned by the root domain servers as part of domain lookup chain – Should answer for anyone that asks for domains it hosts – Does not do recursion – bad idea! • Recursive or Caching DNS – Provides domain lookup services for a specific network – Caches answers to speed up local DNS response times – Usually locked down to specific network DNS Basics Typical DNS Request DNS Basics • Common DNS Record Types – A Record – Defines an IPv4 address for a host name – CNAME Record – Defines an alias for a host name record. • Should point to a valid A record host name • Not to another CNAME! – NS Record – Defines the host names of the authoritative DNS servers for the domain (zone) • Must match the listings at the registrar • Must have a valid A record for each – SOA Record – Defines the start of authority for the domain (zone) • Must contain at least 1 valid name server and • Manages the default TTLs and the serial number (version) for the zone and • An email contact for the domain (zone) DNS Basics • Common DNS Record Types – AAAA Record – Defines an IPv6 address for a host name – PTR Record – Used to resolve IP addresses to host names (reverse DNS lookups) • Must be expressed in correct format • May be required in DNS for some services to function – MX Records – Define the server(s) responsible for mail relay for the zone • Must be FQDN (Fully Qualified Domain Name) that points to a valid A record • IP addresses are NOT allowed by RFC (Request for Comment) – TXT Records – Optional records used to send human-readable info via DNS DNS Basics • Common DNS Record Types – DNSSEC Related: • • • • DNSKEY – Public Key record DS – Delegation Signer NSEC / NSEC3 – Next Secure Record RRSIG – Signature for DNSSEC-Secured record set • Basic DNS Lookup – Use dig • Free from ISC.ORG • Windows (BIND for Windows) or Linux (bind-utils) – More on this later DNS Basics • Common DNS Server Software – BIND (Berkley Internet Name Daemon) (https://www.isc.org/downloads/) • Version 9 or 10 • Bloated when used for caching server – Unbound (http://www.unbound.net/) • Version 5.4 • Caching or forwarding only • Has pre-emptive cache loading so very fast – Microsoft DNS • AD usage • Supports forwarding • DO NOT USE FOR Internet Facing Authoritative DNS – you have been warned! DNS Basics • Simple DNS Plus (http://www.simpledns.com/) – Windows – Very good for Windows Authoritative DNS – Very secure when configured properly • Dnsmasq – Included in most Linux distributions – Limited functionality – Built into many home Wi-Fi routers Common DNS Misconfigurations • Test Your DNS at DNS Stuff (http://www.dnsstuff.com/) – Ex: Common DNS Misconfigurations • Stealth Name Servers – The name servers (NS records) listed in DNS don’t fully match the nameservers listed with the registrar – Can cause issues with some DNS lookups • NS Records point to unreachable IPs (No Glue) – 192.168.0.10 – Private IP unreachable via Internet • NS Records have no A record in DNS – NS IN ns1.mydomain.com – No ns1.mydomain.com IN A 200.200.200.10 – So nobody can get to name server Common DNS Misconfigurations • No Valid SOA Record – Causes unpredictable record propagation – Makes it difficult for other DNS servers to determine Primary NS – Secondary servers sync improperly w/o serial number • Improper TTLs – TTL = Time To Live – Too short – too many DNS refreshes – Too Long – difficult to change records in a timely manner • Lame Nameserver Delegation – One or more listed nameservers have no information about domain – No aa flag in the response Common DNS Misconfigurations • Allows Zone Transfers to anyone – May expose more info than you wish to make public! – Lock down transfers to known hosts • CNAME pointing to NS Record – Results in lame delegation – Against RFC • Great Reference - https://www.howtoforge.com/troubleshootingcommon-dns-misconfiguration-errors DNS As An Attack Vector • DNS Hijacking – MITM attacks intercept DNS requests, redirect them to a malicious DNS server and direct users to bogus sites • DNS Cache Poisoning – Similar to MITM. Requires luck to return spoofed DNS data to DNS cache on port that is expecting response. Easier if no port range randomization • DNS Amplification – Small incoming query w/ spoofed source IP requesting large data (ANY, RRSIG) – Bad guy hits hundreds or thousands of open resolvers – Results in target (spoofed IP) receiving a large number of unrequested packets (DDoS) DNS As An Attack Vector • DNS Lockup – Resolvers set up to deliberately initiate TCP connections – Requesting resolver receives garbage from malicious resolver – Resources eventually exhausted on requesting resolver • DNS Tunneling – Malware uses DNS (UDP 53) to export data from a compromised network – May also be used as a full remote control channel to a compromised host • Nice Summary Reference – http://securitymiddleeast.com/2015/02/04/increasing-importance-dnsattack-vector/ DNS As An Attack Vector • Domain Bit Flipping – – – – – Ex: google.com flip 4th bit goofle.com Bit flipping happens with regularity in RAM Increases at higher temps Can occur BEFORE data is written to disk https://www.youtube.com/watch?v=ZPbyDSvGasw • Domain Generation Algorithms (DGAs) – Also known as Domain Fluxing – https://www.damballa.com/domain-generation-algorithms-dga-in-stealthymalware/ – Can transmit lifted data in DNS packets DNS Analysis Tools DNS Analysis Tools DNS Analysis Tools • Dig Installation – Windows • Download Bind for Windows - https://www.isc.org/downloads/file/bind-9-10-2p4/?version=win-64-bit • Create a folder on the target drive – Ex. C:\dig • Unzip the archive into the folder • Add the folder to your Windows PATH statement – Linux • sudo apt-get install bind-utils • sudo yum install bind-utils DNS Analysis Tools • Dig Examples – dig @x.x.x.x domain.com –t NS • Returns the Nameserver records for domain.com as reported by x.x.x.x – Many useful options • • • • • • dig –h or man dig for instruction +trace – shows all the DNS queries in the chain from the root +subnet to allow checking for EDNS 0 Client Subnet responses +dnssec +sigchase to validate DNSSEC entire path -f filename.txt allows parsing of a text file with one domain per line (load testing, etc) -t RecordType allows retrieval of specific record types – Much better than nslookup DNS Analysis Tools • Wireshark – – – – – – – www.wireshark.org Use simple filters to capture traffic on Ethernet interfaces Allows for analysis of pcap files collected on your Linux DNS servers Tcpdump is used on Linux servers to grab and filter pcap data Download pcap with WinSCP to Windows and use Wireshark Filter example: dns Allows for very granular packet capture and analysis DNS Analysis Tools DNS Analysis Tools • Elasticsearch – https://www.elastic.co/products/elasticsearch – Distributed, scalable data collection and indexing platform – Integrates with • • • • Graylog Kibana Logstash NXLog – Basis for many useful data presentation platforms – We will look at a few examples DNS Analysis Tools • Graylog (https://www.graylog.org/) – – – – Extremely powerful logging platform for just about any type log Works with Elasticsearch back end Supports many formats GELF – Graylog Extended Log Format • Allows for granular field definitions and easy searchability • Common format for many log shippers – NXLog, Logstash, etc – Dashboard Support – Open source – Data can be accessed with other tools, ex. Kibana DNS Analysis Tools • Nxlog (http://nxlog.org/products/nxlog-community-edition) – – – – Log shipper for Linux and Windows Multiple formats Includes GELF support Useful in shipping Windows logs to Graylog / Elasticsearch • Kibana (https://www.elastic.co/products/kibana) – Connects to Elasticsearch indexes – Allows for the creation of versatile dashboards – Supports alerting • Logstash (https://www.elastic.co/products/logstash) – Pipeline to help process logs & send to Elasticsearch DNS Analysis Tools DNS Analysis Tools DNS Analysis Demos • Demos – Graylog showing AD DNS Requests • Allow very simple isolation of requests from client IP • Correlate with our CTN (Critical Threat Notification) generated by SecureSurf • Isolate an infected workstation within minutes – Graylog show DNS Amplification Dashboard • We monitor numbers of A and ANY queries hitting our public resolvers • If we see a new domain used in an attack, we can immediately block that domain at all edge connections – Graylog show Example of Compromise • DNS Amplification Attacks (Inbound) • Domain Generation Algorithm (DGA) traffic (Outbound) Securing DNS • Secure The Server! – Disable recursion on Authoritative Servers • Lock down by allowed IP • Or disable completely – Lock Down Zone Transfers • Only to allowed IPs • Secure with TSIG – Do NOT mix Authoritative & Caching Servers • OK For AD (No choice) • No Public Zones on AD DNS Servers – Limit Number and Types of Requests Allowed • By Source IP • By Record Type Request Securing DNS – – – – Secure Cache Against Pollution Enable & Enforce DNSSEC if Possible Force ANY Queries to Resend on TCP Enable DNS Query Logging • Ship logs to log analysis tool like Graylog • Know what’s normal – Recursive servers forward to root or known good servers! • Define DNS Preprocessing Rules – Ex. F5 iRules • Applied to VIP in front of DNS servers • Allows for very granular control – Log UDP / DNS Traffic On the Edge Securing DNS • Deploy Firewall / IPS Rules on the Edge – – – – Only allow vetted traffic Drop all traffic from Bogons at Edge Drop malformed DNS Force large UDP requests to re-ask on TCP • Disperse Authoritative Servers – Use Anycast if possible – Or Multiple ISPs to limit SPOF Securing DNS • Incorporate Blacklists – Link to cache server to return IP for blocked content page – Many sources that update regularly – Easy to include in Unbound or BIND • Use a DNS Filtering Service – SecureSurf – Others • Outsource Primary DNS – AppRiver DNS Plus – Akamai New DNS Directions • EDNS 0 Client Subnet – AKA draft-ietf-dnsop-edns-client-subnet – https://tools.ietf.org/html/draft-ietf-dnsop-edns-client-subnet-00 – Allows for authoritative servers to return different IP data based upon client WAN subnet – Think CDN via DNS – Not widely adopted yet – Limited cache server options • Anycast DNS – Same IP announced via BGP from multiple locations – Failover – Works well with UDP traffic since stateless Wrap-up • Questions & Answers • Contact Info – – – – jnitterauer@appriver.com @jnitterauer https://www.linkedin.com/in/GridSouth 850-932-5338 ext. 6468
