1. Scanning and Evaluating DNS Deployments in the Internet
   Johannes Naab
   Master Thesis Intermediate Talk
   Advisors: O. Gasser, R. Holz, J. Schlamp
   Supervisor: Prof. G. Carle
   Chair for Network Architectures and Services, Department of Informatics, Technische Universität München
   October 22, 2013
   Johannes Naab (TU München) DNS Scan 1

2. Agenda
   1 DNS Concepts
   2 Why is DNS interesting?
   3 Related work
   4 Preliminary results
   5 Schedule

3. Domain Name System
   Figure: DNS Overview, based on https://en.wikipedia.org/wiki/File:Domain_name_space.svg (chart image not preserved). The figure shows the root (.) zone with the de. and net. zones below it, a domain with its resource records, a zone with its authoritative name servers, delegations between zones, and a client sending a query to a resolver and receiving the response.

4. Why is DNS interesting?
   - DNS is ubiquitous: nearly everything on the Internet depends on DNS
   - DNSSEC: use public key cryptography to sign and validate DNS data
   - disruptions can cause major problems
   Causes for disruptions
   - configuration errors: wrong name server configuration, invalid and/or old data in zone files
   - malicious attacks

5. Related Work
   - Understanding implications of DNS zone provisioning (2008) [1]: analysis of zone transfer data in com. and net. with respect to authoritative name server resilience
   - DNS Survey: October 2010 [4]: sample of 1% of the com., net. and org. zones; statistics for name servers, SOA records, lame and sideways delegations
   - Quantifying the operational status of the DNSSEC deployment (2008) [2]: 12k DNSSEC zones; evaluation of availability, verification (How many trust anchors? The root (.) is signed only since 2010) and validity
   - Impact of configuration errors on DNS robustness (2004) [3]: active measurement of 50k zones for lame delegations, cyclic dependencies and authoritative name server resilience

6. Scope of Work
   Obtain data
   - active scanning of the global DNS
   - starting points: zone lists and reverse DNS
   - create snapshots of the DNS database
   - scan DNS efficiently and unobtrusively
   Analyze data
   - focus on zones, delegations and authoritative name servers
   - consistency of data: between the name servers in the zone itself, and between the zone and the parent
   - configuration errors: delegations and dependencies
   - DNSSEC deployments and errors

7. Preliminary results
   - (new) DNS scanner written in Python using ldns and twisted
   - existing tools such as dns-scraper don't provide the necessary features
   - scanner does full DNS resolution starting at the root zone
   challenges
   - proper tracking of (circular) dependencies
   - discovering all zone cuts
   - ambiguities in specifications, and not knowing how the name server in question implements it

8. Initial Scans
   - com. zone with 110M domains from the zone file
   - query NS and SOA RRs on all name servers, ANY RR on a working name server
   - 1000 raw queries/second/core
   - 100 domains/second/core, 3 days for the entire com. zone
   - 3kB of DNS data per domain (NS and SOA from all NS, one ANY), 300GB of raw query data for one scan
   - unfortunately GoDaddy (domaincontrol.com) drops us
   - due to previous bugs, only the final 27% (30M) domains have been analyzed

9. Delegations
   - delegations (NS records) are names (which need to be resolved)
   - authoritative NS records are given by the zone itself
   - for 15% the NS sets of parent and apex don't match

   $ dig @a.gtld-servers.net. level3.net.
   ...
   ;; AUTHORITY SECTION:
   level3.net.   172800  IN  NS  ns1.l3.net.
   level3.net.   172800  IN  NS  ns2.l3.net.
   ...
   $ dig @ns1.l3.net. level3.net. ns
   ...
   ;; ANSWER SECTION:
   level3.net.   3600  IN  NS  ns1.level3.net.
   level3.net.   3600  IN  NS  ns2.level3.net.
   ...
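As an added example (not code from the thesis or its scanner), the parent/apex comparison behind the 15% figure can be scripted in Python: parse the NS records from the two answers, canonicalise the names, and report the difference. The record text below is constructed after the level3.net. dig output on the slide; the function names are assumptions.

```python
"""Compare the NS RRset a parent delegates to with the NS RRset served at the zone apex.

Added example; the record text is constructed after the dig output for level3.net.
shown on the slide, and the function names are assumptions.
"""
import re
from typing import Dict, Set

# Constructed sample data: AUTHORITY section returned by a gTLD server (the delegation) ...
PARENT_ANSWER = """\
level3.net.  172800  IN  NS  ns1.l3.net.
level3.net.  172800  IN  NS  ns2.l3.net.
"""
# ... and ANSWER section of an NS query sent to one of the delegated servers (the apex).
APEX_ANSWER = """\
level3.net.  3600  IN  NS  ns1.level3.net.
level3.net.  3600  IN  NS  ns2.level3.net.
"""

# "owner TTL IN NS target" as dig prints it; comment lines (";;") and "..." do not match.
NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)$")


def canonical(name: str) -> str:
    """DNS names compare case-insensitively; normalise to lowercase and fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_ns_rrset(text: str, owner: str) -> Set[str]:
    """Collect the NS targets for `owner` from presentation-format lines."""
    targets: Set[str] = set()
    for line in text.splitlines():
        match = NS_LINE.match(line.strip())
        if match and canonical(match.group(1)) == canonical(owner):
            targets.add(canonical(match.group(3)))
    return targets


def compare_delegation(parent_text: str, apex_text: str, zone: str) -> Dict[str, object]:
    """Report whether the delegation and the apex NS RRset agree, and how they differ."""
    parent = parse_ns_rrset(parent_text, zone)
    apex = parse_ns_rrset(apex_text, zone)
    return {
        "zone": canonical(zone),
        # an empty parent set means no delegation was seen, which is never "consistent"
        "consistent": bool(parent) and parent == apex,
        "parent_only": sorted(parent - apex),
        "apex_only": sorted(apex - parent),
        "common": sorted(parent & apex),
    }


if __name__ == "__main__":
    print(compare_delegation(PARENT_ANSWER, APEX_ANSWER, "level3.net"))
```

The comparison is by name only, which is what the slide's 15% counts. A name mismatch is not by itself an outage: ns1.l3.net. and ns1.level3.net. may well be the same hosts, so a scanner that wants to flag operational problems rather than cosmetic ones also resolves both sets and compares the addresses.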

10. Lame Delegations
   Figure: Lame Delegations (chart image not preserved). The com. zone delegates example.com. to ns.example.net. (A 1.2.3.4); a query for example.com. sent to that server is unreachable or answered with REFUSED.

11. Zone Status
   29969223 Zones (bar chart; percentages recovered from the bar labels)
   all Zones      100.0%
   ANY Queries     65.4%
   w/o Reply       23.6%
   NXDomain         6.1%
   GoDaddy          2.1%
   Non Auth         1.4%
   NS Q. Error      0.9%
   Lame NS RR       0.6%

12. RR Type Popularity
   Popularity of RR Types in 19593012 ANY Queries (bar chart; percentages recovered from the bar labels)
   A            92.2%
   NS           91.9%
   SOA          90.8%
   MX           66.5%
   TXT          27.8%
   AAAA          2.7%
   PTR           1.3%
   CNAME         0.9%
   RRSIG         0.6%
   DNSKEY        0.6%
   NSEC3PARAM    0.4%
   SPF           0.3%

13. Schedule
   Gantt chart from July to January 2014 (chart image not preserved); work packages:
   - Evaluation of existing tools
   - Develop, extend and improve the new scanner
   - Preparation and Intermediate Talk
   - DNS Scanning
   - Data Analysis and Evaluation
   - Thesis Writing

14. Thank you for your attention
   Questions?

15. References
   [1] Andrew J. Kalafut, Craig A. Shue, and Minaxi Gupta. Understanding implications of DNS zone provisioning. In Proc. 8th IMC, 2008.
   [2] Eric Osterweil, Michael Ryan, Dan Massey, and Lixia Zhang. Quantifying the operational status of the DNSSEC deployment. In Proc. 8th IMC, 2008.
   [3] Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, and Lixia Zhang. Impact of configuration errors on DNS robustness. In Proc. SIGCOMM '04, 2004.
   [4] Geoffrey Sisson. DNS Survey: October 2010.

16. Circular Dependencies
   Figure: Circular Dependencies (chart image not preserved). Below the root (.) zone, the com. zone delegates example.com. with NS ns.example.net., and the net. zone delegates example.net. with NS ns.example.com.; the name server name of each zone can only be resolved through the other zone.

17. Questionable DNS Configurations
   eu. Zone (delegation of pro-serve.eu.):
      pro-serve.eu.  NS  ns1.proserve.nl.
      pro-serve.eu.  NS  ns2.pro-serve.be
      pro-serve.eu.  NS  ns3.proserve.nl.
   nl. Zone (delegation of proserve.nl.):
      proserve.nl.   NS  ns1.proserve.nl.
      proserve.nl.   NS  ns2.pro-serve.eu.
      proserve.nl.   NS  ns3.proserve.org.
      ns1.proserve.nl.  A  80.84.224.85  (Glue)
   pro-serve.eu.: apex NS RRset consistent with the delegation according to ns1.proserve.nl. (80.84.224.85)
   proserve.nl.: apex NS RRset consistent with the delegation according to ns1.proserve.nl. (80.84.224.85)
   Figure: Questionable out-of-tree delegation

18. Acceptance of Glue Records
   . Zone:
      de.  NS  {a,f,z}.nic.de.  with Glue
      de.  NS  {l,n,s}.de.net.  with Glue
   net. Zone:
      de.net.  NS  ns{1,2,3}.denic.de.
   de. Zone contains nic.de.; de.net. Zone contains denic.de.
   Figure: Influence of acceptance of Glue records
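The "proper tracking of (circular) dependencies" challenge from the preliminary results, the Circular Dependencies figure and the Acceptance of Glue Records figure all reduce to one question: can the scanner obtain an address for a delegated name server without first needing the very zone it is trying to resolve? The Python below is an added example, not the thesis scanner. It models the delegations of both figures (zone names from the slides; the glue addresses are constructed placeholders, and the data layout and function names are assumptions) and walks the dependency chain with a visited stack, so that a cycle is reported instead of recursing forever. The `accept_out_of_zone_glue` switch shows why glue acceptance matters: with it, all six de. servers are reachable from the root zone's glue; without it, {l,n,s}.de.net. have to be resolved through de.net., whose servers ns{1,2,3}.denic.de. live in de. again.

```python
"""Delegation dependency check: which delegated name servers can be reached, and which
depend on each other in a cycle?  Added example, not the thesis scanner; zone names follow
the Circular Dependencies and Acceptance of Glue Records figures, the addresses are
constructed placeholders, and the data layout and function names are assumptions.
"""
from typing import Dict, List

# Zones whose servers the scanner already knows how to reach: it starts at the root, and
# com. and net. are treated as known here to keep the model small.
KNOWN_ZONES = {".", "com.", "net."}

# Constructed delegation data: for each child zone, the NS RRset the parent publishes and
# the glue A records the parent carries for those names (addresses are placeholders).
DELEGATIONS: Dict[str, dict] = {
    "example.com.": {"ns": ["ns.example.net."], "glue": {}},
    "example.net.": {"ns": ["ns.example.com."], "glue": {}},
    "de.": {
        "ns": ["a.nic.de.", "f.nic.de.", "z.nic.de.", "l.de.net.", "n.de.net.", "s.de.net."],
        "glue": {"a.nic.de.": "192.0.2.1", "f.nic.de.": "192.0.2.2", "z.nic.de.": "192.0.2.3",
                 "l.de.net.": "192.0.2.4", "n.de.net.": "192.0.2.5", "s.de.net.": "192.0.2.6"},
    },
    "de.net.": {"ns": ["ns1.denic.de.", "ns2.denic.de.", "ns3.denic.de."], "glue": {}},
}


def enclosing_zone(name: str) -> str:
    """Closest zone above `name` for which we hold delegation data (or that is known)."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in DELEGATIONS or candidate in KNOWN_ZONES:
            return candidate
    return "."


def ns_reachable(ns: str, zone: str, accept_out_of_zone_glue: bool,
                 stack: List[str], cycles: List[List[str]]) -> bool:
    """Can an address for name server `ns` of `zone` be obtained without looping back?"""
    glue = DELEGATIONS[zone]["glue"].get(ns)
    in_bailiwick = ns.endswith("." + zone)      # glue for a name inside the child zone
    if glue is not None and (in_bailiwick or accept_out_of_zone_glue):
        return True
    # No usable glue: the name has to be resolved through the zone that contains it.
    return zone_resolvable(enclosing_zone(ns), accept_out_of_zone_glue, stack, cycles)


def zone_resolvable(zone: str, accept_out_of_zone_glue: bool,
                    stack: List[str], cycles: List[List[str]]) -> bool:
    """A zone is resolvable if at least one of its delegated name servers is reachable."""
    if zone in KNOWN_ZONES:
        return True
    if zone in stack:                           # we are already trying to resolve this zone
        cycle = stack[stack.index(zone):] + [zone]
        if cycle not in cycles:
            cycles.append(cycle)
        return False
    path = stack + [zone]
    return any(ns_reachable(ns, zone, accept_out_of_zone_glue, path, cycles)
               for ns in DELEGATIONS[zone]["ns"])


def analyze(zone: str, accept_out_of_zone_glue: bool = True) -> Dict[str, object]:
    """Per-name-server reachability for `zone`, plus every dependency cycle encountered."""
    cycles: List[List[str]] = []
    reachable: List[str] = []
    unreachable: List[str] = []
    for ns in DELEGATIONS[zone]["ns"]:
        ok = ns_reachable(ns, zone, accept_out_of_zone_glue, [zone], cycles)
        (reachable if ok else unreachable).append(ns)
    return {"zone": zone, "resolvable": bool(reachable), "reachable_ns": reachable,
            "unreachable_ns": unreachable, "cycles": cycles}


if __name__ == "__main__":
    for z in ("example.com.", "de.", "de.net."):
        for accept in (True, False):
            print(accept, analyze(z, accept))
```

For example.com. the walk finds the cycle example.com. -> example.net. -> example.com. and no reachable server at all; for de. it finds the cycle de. -> de.net. -> de. only when out-of-zone glue is rejected, and the zone stays resolvable through {a,f,z}.nic.de. either way. A real scanner has to carry the same visited set across its asynchronous resolution so that one circular pair of zones cannot keep it busy indefinitely.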
