The Current State of DNS Resolvers and RPKI Protection
By Erik Dekker and Marius Brouwer
Motivation: Why is this research important?
Motivation
• BGP is old: the first RFC was published in 1989 (RFC 1105)
• BGP was developed in times when security problems were less prevalent
• It is vulnerable to certain attacks; for example, BGP is prone to IP prefix hijacks
BGP IP Prefix Hijack
[Figure: network diagram of AS1, AS2, AS3, AS4, AS5 and AS666 with hosts A, B and C; prefix labels 1.0.0.0/24 and 8.0.0.0/24, the latter shown twice]
Resource Public Key Infrastructure
• RPKI comes to the rescue!
• Documented in RFC 6480
• But also in RFC 6481, 6482, 6483, 6484, 6485, 6486, 6487, 6488, 6489, 6490, 6491, 6492, and 6493
How does RPKI work?
• RIRs assign IP prefixes to network operators; for example, RIPE assigns prefixes to SURFnet
• RPKI allows network operators to sign their assigned IP prefixes, to prove that they have the right to originate this prefix
• The RIRs host the Trust Anchors
• This results in a Route Origin Authorization (ROA) record, which contains the AS number, prefix(es) and optionally prefix length
• Routers can validate ROA records (Route Origin Validation)
• ROV == RPKI filtering
BGP IP Prefix Hijack with RPKI ROV
[Figure: network diagram of AS1, AS2, AS3, AS4, AS5 and AS666 with hosts A, B and C; prefix labels 1.0.0.0/24 and 8.0.0.0/24 (twice); ROV labels "ROA valid" and "Invalid"]
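The origin check that ROV performs on each announcement, as an added example (not code from the presentation). It follows the three outcomes defined in RFC 6811 and reuses the prefixes and AS666 from the diagram; the legitimate origin AS1 for 8.0.0.0/24 and AS5 for 1.0.0.0/24 are assumptions, and all data is constructed.

```python
import ipaddress
from typing import NamedTuple, Optional

class VRP(NamedTuple):
    """Validated ROA payload: the (prefix, max length, origin AS) from a ROA."""
    prefix: ipaddress.IPv4Network
    max_length: int
    asn: int

def vrp(prefix: str, asn: int, max_length: Optional[int] = None) -> VRP:
    net = ipaddress.ip_network(prefix)
    # The maximum length is optional in a ROA; absent, it equals the prefix length.
    return VRP(net, net.prefixlen if max_length is None else max_length, asn)

def validate(prefix: str, origin_asn: int, vrps) -> str:
    """Classify one BGP announcement as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for v in vrps:
        if v.prefix.version != route.version or not v.prefix.supernet_of(route):
            continue  # this ROA says nothing about the announced prefix
        covered = True
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "valid"
    # Covered by a ROA but matching none of them is what ROV rejects.
    return "invalid" if covered else "not-found"

def rov_filter(announcements, vrps):
    """Drop-invalid policy: keep valid and not-found routes, discard invalid ones."""
    return [(p, asn) for p, asn in announcements if validate(p, asn, vrps) != "invalid"]

# Constructed data: origin AS1 for 8.0.0.0/24 and AS5 for 1.0.0.0/24 are assumptions.
VRPS = [vrp("8.0.0.0/24", 1)]
ANNOUNCEMENTS = [
    ("8.0.0.0/24", 1),    # legitimate origin -> valid
    ("8.0.0.0/24", 666),  # wrong origin AS -> invalid
    ("8.0.0.0/25", 1),    # longer than the ROA allows -> invalid
    ("1.0.0.0/24", 5),    # no covering ROA -> not-found
]

if __name__ == "__main__":
    for p, asn in ANNOUNCEMENTS:
        print(f"{p:<12} AS{asn:<4} {validate(p, asn, VRPS)}")
```

Routes with no covering ROA come back as not-found and are kept, so ROV only protects prefixes whose holders have published ROAs.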
DNS: What does this have to do with DNS resolvers?
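BGP IP Prefix Hijack
[Figure: network diagram of AS1, AS2, AS3, AS4, AS5 and AS666 with hosts A, B and C and Resolver D; two nodes labelled "DNS Server"; prefix labels 1.0.0.0/24, 8.0.0.0/24 (twice) and 9.0.0.0/24; address 9.0.0.1; ROV labels "ROA valid" and "Invalid"]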
Example: Amazon Route 53 BGP Hijack
• All traffic directed to MyEtherWallet was hijacked
Research question
• Main question: “What is the state of RPKI filtering on DNS resolvers?”
• Sub questions:
• How does the length of the AS path between resolver and authoritative DNS server influence the level of RPKI protection?
• How does anycast influence the protection of DNS resolvers?
Scope
• No DNSSEC
• No IPv6
Method – test setup
• RIPE Atlas probes: can send DNS queries to their resolvers, which query our authoritative DNS servers
• Beacon: tcpdump of all the queries; made a BGP dump
Method – experiment
[Figure: query flow diagram with a "Valid" and an "Invalid" side; numbered labels:]
1. A record: $id.invalid.valid4.rootcanary.net
2. A record: $id.invalid.valid4.rootcanary.net
3. Synthesized CNAME: $id.invalid4.rootcanary.net
4. A record: $id.invalid4.rootcanary.net
5. Answer: $id.invalid4.rootcanary.net
6. Answer: $id.invalid4.rootcanary.net
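One way the beacon captures from this experiment could be turned into the protected/unprotected labels used in the results, as an added example (not the authors' code). It assumes that $id identifies one probe/resolver pair, that a pair is protected when its query reached the valid-prefix beacon but the CNAME follow-up never reached the invalid-prefix beacon, and that a probe is "fully" protected when all of its resolvers are; the capture records, IDs and resolver addresses are constructed.

```python
from collections import defaultdict

VALID_ZONE = ".invalid.valid4.rootcanary.net"   # served from the RPKI-valid prefix
INVALID_ZONE = ".invalid4.rootcanary.net"       # served from the RPKI-invalid prefix

def classify_pairs(capture):
    """capture: (beacon, qname) tuples taken from the two beacons' packet dumps."""
    seen = defaultdict(set)
    for beacon, qname in capture:
        name = qname.lower().rstrip(".")        # resolvers may randomise case
        for zone, expected in ((VALID_ZONE, "valid"), (INVALID_ZONE, "invalid")):
            if name.endswith(zone) and beacon == expected:
                seen[name[: -len(zone)]].add(expected)
    # Only IDs that reached the valid beacon tell us anything about filtering.
    return {mid: ("unprotected" if "invalid" in hits else "protected")
            for mid, hits in seen.items() if "valid" in hits}

def classify_probes(pair_status, id_to_pair):
    """Roll probe/resolver pairs up into fully / partially / unprotected probes."""
    per_probe = defaultdict(list)
    for mid, status in pair_status.items():
        probe, _resolver = id_to_pair[mid]
        per_probe[probe].append(status)
    result = {}
    for probe, statuses in per_probe.items():
        if all(s == "protected" for s in statuses):
            result[probe] = "fully"
        elif any(s == "protected" for s in statuses):
            result[probe] = "partially"
        else:
            result[probe] = "unprotected"
    return result

# Constructed sample: measurement ID -> (probe ID, resolver address).
ID_TO_PAIR = {"a1": (1001, "192.0.2.1"), "a2": (1001, "192.0.2.2"),
              "b1": (1002, "192.0.2.3"),
              "c1": (1003, "192.0.2.4"), "c2": (1003, "192.0.2.5")}
CAPTURE = [
    ("valid", "a1.invalid.valid4.rootcanary.net."),
    ("valid", "a2.invalid.valid4.rootcanary.net."),
    ("valid", "b1.invalid.valid4.rootcanary.net."),
    ("invalid", "b1.invalid4.rootcanary.net."),
    ("valid", "c1.invalid.valid4.rootcanary.net."),
    ("valid", "c2.invalid.valid4.rootcanary.net."),
    ("invalid", "c2.invalid4.rootcanary.net."),
    ("invalid", "C2.INVALID4.rootcanary.net."),   # retry with mixed case
    ("invalid", "d1.invalid4.rootcanary.net."),   # no first step seen: ignored
]
```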
Results
Results – Number of Probes
[Figure: RPKI coverage of probes over time; x-axis: Date, 2020-01-23 to 2020-02-03; legend "Probe Protection Status": Fully, Partially, Unprotected, Total Probes]
Results – Probe/Resolver Pairs
[Figure: RPKI coverage of probe/resolver pairs over time; x-axis: Date, 2020-01-23 to 2020-02-03; legend "RPKI Status": Protected, Unprotected, Total]
Results – Top 10 AS
[Figure: bar chart; x-axis: AS (15169, 13335, 36692, 12322, 8881, 7922, 6830, 3320, 3215, 42); y-axis: Queries; legend "RPKI Status": Protected, Unprotected]
Results – Top 19 AS highest filtering ASes
[Figure: bar chart; x-axis: AS (13335, 12322, 13030, 12392, 15943, 3265, 7018, 7132, 8473, 2119, 2860, 4739, 3301, 6939, 1741, 1241, 1759, 4802, 553); y-axis: Queries; legend "RPKI Status": Protected, Unprotected]
Results – Influence of Cloudflare anycast
[Figure: y-axis: Cloudflare Prefixes; x-axis: Date, 2020-01-23 to 2020-02-03; legend "RPKI Status": Protected, Unprotected, Total]
Results – Influence of AS path length
[Figure: x-axis: AS Path Length (2 to 11); y-axis: Query Ratio (0.00 to 1.00); legend "RPKI Status": Unprotected, Protected]
Results – Influence of AS path length
[Figure: x-axis: AS Path Length (2 to 11); y-axis: Queries]
Results – Influence of AS path length
[Figure: two panels side by side, both with x-axis AS Path Length (2 to 11); one with y-axis Query Ratio (0.00 to 1.00) and legend "RPKI Status": Unprotected, Protected; the other with y-axis Queries]
Conclusions
• Main Research Question: “What is the state of RPKI filtering on DNS resolvers?”
• How does the length of the AS path between resolver and authoritative DNS server influence the level of RPKI protection?
• How does anycast influence the protection of DNS resolvers?
Discussion
• RPKI query coverage ≠ RPKI protected clients
• Atlas probe AS could still be hijacked.
• A small number of ASes are fully protected
• Expectation: longer AS path, more RPKI protection
• Based on reverse path
• Influence of anycast DNS relatively high and growing
• Population of experiment is Western-oriented and geek-biased
Future Work
• Take DNS forwarders into account in future research
• Make use of another query generator other than RIPE Atlas for a different population
• Place more beacons in different regions/AS
• Focus on specific open DNS resolvers, e.g. Cloudflare and Verisign Public DNS
• Longitudinal study of ongoing data capture
• Analyze which DNS resolvers are aided by filtering along the path.
Acknowledgements
Questions?