Peculiar DNS queries
Lars Kollstedt
lk at man-da.de
Tue Dec 31 01:56:11 UTC 2019
Hi,
some additions.
on Monday, 30. December 2019, 23:48:41 CET I wrote:
> resolver1 asks Autoritative of the com-Zone for ImenT.Com or wWw.ImenT.Com
There are two ways for a resolver to behave.
The slower way which is leaking less information to the highest levels of the
authoritatives is to ask for NS records on each dot in the name, and only to
ask the most specific authoritative for the real query.
The many dots in ip6.arpa are massively slowing this down, but also DNSSEC
will require lots of queries in this case. If this way to ask is used and a
FQHN contains a deep hierarchy which is done to be able to delegate but not
all dots are real delegations at the time of the query, it will be slowed down
by this strategy.
The other way is to always forward the orignal query.
So the query to e.g. to g.gtld-servers.net (one of the com authoritatives) can
be
ImenT.Com IN NS
or
wWw.ImenT.Com IN A
Both will be answered with a NS RR for ImenT.Com.
Which strategy is used strongly depends on the used resolver software and
configuration. They can be also mixed in different ways, e.g. asking for NS
RRs in the first levels.
[...]
> client1 gets Www.IMent.coM IN A 216.55.100.245 back from resolver1
If client2 asks for www.IMEnT.CoM within the TTL of the A RR it will get an
answer for www.IMEnT.CoM, but resolver1 will not ask the autoritatives for
that again.
Thats (without the camelcase) how DNS caching already works for decades, and
that's what can be attacked when there isn't enough entropy in the query. If
the Resolver is connected with 10Gb/s or more the randomization of the source
port is definitely not enough.
The clue of dnsext-dns0x20-00 is that it can be used against most of the most
common implementations of authoritative dns without needing them to be adopted
for that. And it only produces some log lines the people operating them are
wondering about there. ;-)
Only the Resolver that is kind of well connected needs to run a software
version that implements dnsext-dns0x20-00 to be more secure by that.
Until the end of the 90s DNS-Queries were done with source and destination
port 53. Then the source port randomization was implemented. That's now not
enough any more, and attacks were already seen in the wild.
This is adressed by DNS cookies and dnsext-dns0x20-00, they are both (like the
sourceport randomization) not protecting against real MitM attacks, but
against spoofed UDP answers in large amounts.
DNS cookies must be implemented on both ends, and there were authoritatives
that were needing exceptions, because they didn't answer queries with DNS
cookies.
Hope this makes clear what the dnsext-dns0x20-00 is for.
If you need a real MitM proof DNS, all stakeholders relevant for you will have
to do DNSSEC. But NSEC and NSEC3 (the proof of nonexistence) is probably a bit
like choosing between pest and cholera.
NSEC can't be spoofed in any way but allows to walk the zone. NSEC3 will be
possibly/probably weak for being replayed in a real MitM scenario, since the
answer can be only checked for plausibility, since the signatures are done
over non revertable hashes without disclosing the data the hashes are
generated from.
On Mondagy, 30. December 2019, 19:54:13 CET Tony Finch wrote:
> Yes. And one prominent resolver that implements this is unbound
Not only unbound does. ;-)
On Montag, 30. December 2019, 20:10:57 CET Tony Finch wrote:
> Well, it's a bit more complicated than that, I'm afraid! The case that you
> use in zone files and UPDATEs should be preserved on disk and (I think?)
> through zone transfers, but not necessarily in answers to queries.
I at first misread the context of this. :-( Fred is of course talking about
DNS Update, and a least BIND is cleanly implementing the case insensitivity
for for DNS answers for many years.
But in the AXFR Data of BIND (9.10.3) and probably also on disk the character
case of an upper case character in the zone file is really preserved. Might be
that also happens with DNS Update. I'm not really sure that is useful. ;-)
But the NSCD stuff he also mentioned sometimes also uses other non DNS
mechanisms like mDNS, NIS+ or /etc/hosts as far as I remember. NIS+ and at
least some versions and parts of /etc/hosts tooling are really case sensitive.
Kind regards,
Lars
--
Lars Kollstedt
Telefon: +49 6151 16-71027
E-Mail: lk at man-da.de
man-da.de GmbH
Dolivostraße 11
64293 Darmstadt
Sitz der Gesellschaft: Darmstadt
Amtsgericht Darmstadt, HRB 9484
Geschäftsführer: Andreas Ebert
More information about the bind-users
mailing list