NetSec-26062013-Day2


Network Security

Workshop
Yogyakarta, Indonesia
25 – 27 June, 2013
Proudly Supported by:
Presenters
Champika Wijayatunga

Training Unit Manager, APNIC


Champika is responsible for managing APNIC's training activities in the
Asia Pacific region and brings several years of experience, having
worked in a number of countries in the IT industry, academia,
research and training environments.

Areas of interests:
Internet Resource Management, IPv6, DNS/DNSSEC, Network
Security

Contact: champika@apnic.net
Presenters
Wita Laksono

Internet Resource Analyst, APNIC


Wita is responsible for analyzing IP address and AS number
requests from APNIC members. He also supports the APNIC
helpdesk and is skilled in network engineering.

Areas of interests:
Internet Resource Management, IPv6

Contact: wita@apnic.net
DNS Security
Concept: Resolving process & Cache

(Diagram: resolver, caching forwarder, root server, gtld server, apnic server. The exchange it shows:)

1. Resolver asks the caching forwarder (recursive): www.apnic.net A ?
2. Forwarder asks a root server: www.apnic.net A ?
3. Root server refers: "ask the net server @ X.gtld-servers.net" (+ glue)
4. Forwarder asks the gtld server: www.apnic.net A ?
5. gtld server refers: "ask the apnic server @ ns.apnic.net" (+ glue)
6. Forwarder asks the apnic server: www.apnic.net A ?
7. apnic server answers: 192.168.5.10
8. Forwarder adds the answer to its cache
9. Forwarder answers the resolver: www.apnic.net A = 192.168.5.10
BIND
Retrieving BIND
• HTTP, FTP
– Internet Systems Consortium
• http://www.isc.org

• Other packages
– OpenSSL
• Will be needed for DNSSEC
BIND
• Version 9
– Current version (9.9.2)
• Release
• Release Candidate (Betas)
• Snapshots (Alphas)
– Never Use Snapshots on production servers

• Getting BIND
– http://www.isc.org/software/bind/992/download/bind-9.9.2.tar.gz
Unpacking BIND9
• tar xvfz bind-9.9.2.tar.gz
– Uncompresses and creates directory
– bind-9.9.2

• What's in there?
– A lot of stuff (dig, libraries etc)
– ./configure (script)
– ./doc/arm/Bv9ARM.html
• Administrator's Reference Manual
• Good source!!!
Building BIND9

• must be in the bind-9.9.2 directory

> ./configure --with-openssl
– Determine the appropriate includes and compiler settings
> make
– Build and compile
> make install
– sudo (if not root)
– Install BIND
What happens
• Executables
– /usr/local/sbin
• dnssec-keygen, dnssec-signzone, dnssec-dsfromkey (dnssec-makekeyset and
dnssec-signkey belong to older BIND 9 releases and are not shipped with 9.9)
• lwresd, named-checkconf, named-checkzone
• rndc, rndc-confgen
• named
– /usr/local/bin
• dig
• host, isc-config.sh, nslookup
• nsupdate

• And libraries included


Testing
• Make sure right version is now installed
> named -v
BIND 9.9.2
Bind DNSSEC Tools

• named
• dnssec-keygen
– Generate keys of various types
• dnssec-signzone
– Sign a zone
• dig
– Troubleshoot: Usage: dig +dnssec @…
• named-checkzone & named-checkconf
– syntax check for zonefiles and named.conf
Server/Named Configuration

• The configuration file is called “named.conf”


• Documentation in <src>/doc/arm/Bv9ARM.html
• Turn on logging for troubleshooting
– Several categories
– Categories are processed in one or more channels
– Channels specify where the output goes
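The categories-and-channels structure described above, written out as a logging statement for named.conf. This is an added example, not a fragment from the slides or from ISC's documentation; the log file paths, rotation sizes and the choice of categories are assumptions, the channel and category names used are all built into BIND 9.

```conf
logging {
    // Channels say where output goes. These are rotating files under a
    // directory the named user must be able to write to (path assumed).
    channel security_file {
        file "/var/log/named/security.log" versions 5 size 10m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel general_file {
        file "/var/log/named/named.log" versions 5 size 20m;
        severity dynamic;     // follows the debug level set with 'rndc trace'
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Categories say which messages go to which channel(s). One category
    // may feed several channels; default_syslog and null are built-in.
    category security     { security_file; default_syslog; };
    category xfer-in      { security_file; };
    category xfer-out     { security_file; };
    category update       { security_file; };
    category lame-servers { null; };
    category default      { general_file; default_syslog; };
};
```

Run named-checkconf on the file before restarting. Rejected zone transfers and failed TSIG checks are reported in the security category, which is why it gets a file of its own here.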

Questions ?
Recursive Server
Overview
• Recursive Service
• Root server list
• localhost
• 0.0.127.in-addr.arpa
• named.conf
Recursive Server
• Used by applications to look up data
• Needs to know how to reach the top of the DNS (the root)
• Should also answer some queries locally instead of recursing
– localhost, 127.0.0.1
• Files
– named.conf
– root.hints
– localhost zone
– 0.0.127.in-addr.arpa zone
Root server list
• List of the 13 root server records
• Where to get it
– ftp rs.internic.net
• anonymous login
• cd domain
• get one of these files (they are the same)
– db.cache
– named.root
– named.cache
What it looks like

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Feb 04, 2008
;       related version of root zone:   2008020400
;
; formerly NS.INTERNIC.NET
;
.                        3600000      IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; ... (B to L not shown on the slide)
;
; operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
; End of File

The copy shown dates from February 2008; fetch a current named.root before deploying, since root server addresses change over time.
localhost
• Loopback name in operating systems
• Means 127.0.0.1
• Queries for this shouldn't use recursion
• So we will configure a file to define the localhost. zone
– Note the "."
localhost file

$TTL 86400
@   IN  SOA localhost. root.localhost. (
        1       ; serial
        1800    ; refresh
        900     ; retry
        69120   ; expire
        1080    ; negative cache ttl
        )
    NS  localhost.
    A   127.0.0.1
Reverse for localhost
• Since we want "localhost -> 127.0.0.1" we want to have
"127.0.0.1 -> localhost"

• We need a zone called 0.0.127.in-addr.arpa.


0.0.127.in-addr.arpa file

$TTL 86400
@   IN  SOA localhost. root.localhost. (
        1       ; serial
        1800    ; refresh
        900     ; retry
        69120   ; expire
        1080    ; negative cache ttl
        )
    NS  localhost.
1   PTR localhost.
Assembling the files
• Here's my directory:
[/var/named/recursive] % ls
0.0.127.in-addr.arpa localhost named.root

• The directory name and file names will be in named.conf

• Now create a named.conf file in the same directory


named.conf
options {
directory "/var/named/recursive";
recursion yes; // by default recursion is on
};
zone "." {
type hint;
file "named.root";
};
zone "localhost." {
type master;
file "localhost";
};
zone "0.0.127.in-addr.arpa." {
type master;
file "0.0.127.in-addr.arpa";
};
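A caveat on the named.conf above, added here and not part of the slide: "recursion yes" with no allow-recursion makes this an open resolver for anyone who can reach it, which invites both cache-poisoning attempts and reflection abuse. The same server restricted to its own clients (localhost and localnets are BIND's built-in ACLs; 192.0.2.0/24 is a constructed placeholder for the networks you actually serve; the zone statements stay as on the slide):

```conf
acl "trusted" { localhost; localnets; 192.0.2.0/24; };

options {
    directory "/var/named/recursive";
    recursion yes;                   // as on the slide, but now only for...
    allow-recursion { trusted; };    // ...clients in the ACL
    allow-query-cache { trusted; };  // cache contents are not served to outsiders
    allow-query { trusted; };
};
```

Queries from outside the ACL get REFUSED, which is the behaviour you want to see when testing with dig from an address that is not in "trusted".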
Running the server
• From the directory
% named -g -c named.conf
Testing the server
• Just to show it is alive
% dig @127.0.0.1 www.arin.net
; <<>> DiG 9.2.2rc1 <<>> @127.0.0.1 www.arin.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16580
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 10, ADDITIONAL: 0
;; QUESTION SECTION:
;www.arin.net.                  IN      A
;; ANSWER SECTION:
www.arin.net.           10800   IN      A       192.149.252.17
www.arin.net.           10800   IN      A       192.149.252.16
;; AUTHORITY SECTION:
arin.net.               10800   IN      NS      arrowroot.arin.net.
(and so on)
;; Query time: 3066 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 19 11:07:05 2003
;; MSG SIZE  rcvd: 251
TSIG/DNSSEC
Background
• The original DNS protocol wasn't designed with security in mind
• It has very few built-in security mechanisms
• As the Internet grew wilder and woollier, the IETF realized this would be a problem
– For example, DNS spoofing was too easy
• DNSSEC and TSIG were developed to help address this problem
DNS Protocol Vulnerability
• DNS data can be spoofed and corrupted between master
server and resolver or forwarder
• The DNS protocol does not allow you to check the validity
of DNS data
– Exploited through bugs in resolver implementations (e.g. predictable
transaction IDs)
– Polluted caching forwarders can cause harm for quite some time
(TTL)
– Corrupted DNS data might end up in caches and stay there for a
long time
• How does a slave (secondary) know it is talking to the
proper master (primary)?
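The resolving process from the Concept slide and the two failure modes listed above, worked through as an added example in Python (not code from the workshop or from BIND): a caching forwarder that walks root -> gtld server -> apnic server, keeps an answer for its TTL, and accepts a reply only if its transaction ID matches the in-flight query. The attacker model is deliberately simple (a forged reply that races the real one), and all servers, names and addresses are constructed test data.

```python
"""Iterative resolution through a caching forwarder with a TTL-bound cache and
a 16-bit transaction ID check, then what a forged reply does once the ID is
guessable. Added example for these slides, not BIND code; the servers, zone
data and addresses are constructed (192.0.2.0/24 and 203.0.113.0/24 are
documentation prefixes)."""
import itertools
import random

# Constructed authoritative data: each server either answers a name or refers
# the forwarder onward, "go ask <server> @ <glue address>", as in the diagram.
SERVERS = {
    "root-server": {"refer": {"net.": ("gtld-server", "192.0.2.1")}},
    "gtld-server": {"refer": {"apnic.net.": ("apnic-server", "192.0.2.2")}},
    "apnic-server": {"answer": {"www.apnic.net.": ("192.168.5.10", 3600)}},
}


def upstream(server, qname, txid):
    """One query/response exchange; the reply echoes the query's ID."""
    data = SERVERS[server]
    if qname in data.get("answer", {}):
        addr, ttl = data["answer"][qname]
        return {"id": txid, "kind": "answer", "addr": addr, "ttl": ttl}
    for zone, (nxt, glue) in data.get("refer", {}).items():
        if qname == zone or qname.endswith("." + zone):
            return {"id": txid, "kind": "referral", "server": nxt, "glue": glue}
    return {"id": txid, "kind": "nxdomain"}


class CachingForwarder:
    def __init__(self, id_source, clock):
        self.cache = {}             # qname -> (address, expiry time)
        self.id_source = id_source  # callable giving the next transaction ID
        self.clock = clock          # callable giving "now" in seconds
        self.last_id = None         # what an off-path attacker tries to predict

    def resolve(self, qname, forged=None):
        """Serve from cache while the TTL lasts, else walk root -> TLD -> zone.
        forged = (guessed_id, addr, ttl) models a spoofed reply that arrives
        before the real one; it is accepted only if the ID matches."""
        now = self.clock()
        if qname in self.cache and self.cache[qname][1] > now:
            return self.cache[qname][0], "cache"
        server = "root-server"
        while True:
            txid = self.last_id = self.id_source()
            if forged is not None and forged[0] == txid:
                self.cache[qname] = (forged[1], now + forged[2])  # cache now polluted
                return forged[1], "spoofed"
            resp = upstream(server, qname, txid)
            if resp["id"] != txid:           # ID mismatch: not our reply, drop it
                continue
            if resp["kind"] == "referral":
                server = resp["server"]      # glue tells us where that server is
                continue
            if resp["kind"] == "answer":
                self.cache[qname] = (resp["addr"], now + resp["ttl"])
                return resp["addr"], "upstream"
            return None, "nxdomain"


def demo(id_source):
    """Run the forwarder with a given ID generator; return what each step got."""
    clock = [0]
    fwd = CachingForwarder(id_source, lambda: clock[0])
    out = {}
    out["first"] = fwd.resolve("www.apnic.net.")        # full iteration, then cached
    out["second"] = fwd.resolve("www.apnic.net.")       # answered from cache
    clock[0] += 3601                                    # genuine record has expired
    guess = fwd.last_id + 1                             # attacker assumes sequential IDs
    out["attack"] = fwd.resolve("www.apnic.net.", forged=(guess, "203.0.113.66", 86400))
    out["after"] = fwd.resolve("www.apnic.net.")        # whatever is cached wins for its TTL
    clock[0] += 86401                                   # only now would a poisoned entry expire
    out["recovered"] = fwd.resolve("www.apnic.net.")
    return out


def sequential_ids(start=1000):
    """The predictable generator the slide warns about."""
    counter = itertools.count(start)
    return lambda: next(counter)


def random_ids():
    """A 16-bit random ID: the simple 'last + 1' guess almost never lands."""
    return lambda: random.randrange(65536)
```

With sequential_ids() the forged reply is accepted and every client gets 203.0.113.66 from the cache for a full day; with random_ids() the same guess misses and the genuine record is cached. Real resolvers also randomize the source port and check that the question in the reply matches, which this model leaves out.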

Reminder: DNS Resolving

(Diagram, numbered as on the slide.)

1. Resolver asks the caching forwarder (recursive): www.apnic.net A ?
2. Forwarder asks a root server: www.apnic.net A ?
3. Root server: "go ask net server @ X.gtld-servers.net" (+ glue)
4. Forwarder asks the gtld server: www.apnic.net A ?
5. gtld server: "go ask apnic server @ ns.apnic.net" (+ glue)
6. Forwarder asks the apnic server: www.apnic.net A ?
7. apnic server answers: "192.168.5.10"
8. Forwarder adds the answer to its cache
9. Forwarder answers the resolver: 192.168.5.10
10. The cached answer is kept for its TTL
DNS: Data Flow

(Diagram; the numbered flows:)
1. Zone administrator edits the zone file
2. Zone file is loaded by the master
3. Dynamic updates are sent to the master
4. Master transfers the zone to the slaves
5. Master/slaves answer the caching forwarder, which answers the resolver

DNS Vulnerabilities

(Same diagram, with the threat at each step:)
1. Zone file: corrupting data
3. Dynamic updates: unauthorized updates
4. Zone transfer: impersonating master
5. Caching forwarder: cache impersonation; cache pollution by data spoofing

Server protection (impersonating master, unauthorized updates, cache impersonation) vs. Data protection (corrupting data, cache pollution by data spoofing)


What is TSIG - Transaction Signature?
• A mechanism for protecting a message from a primary to secondary and vice versa
• A keyed hash is applied (like a digital signature) so the recipient can verify the message
– DNS question or answer
– & the timestamp
• Based on a shared secret - both sender and receiver are configured with it
What is TSIG - Transaction Signature?
• TSIG (RFC 2845)
– authorizing dynamic updates & zone transfers
– authentication of caching forwarders

• Used in server configuration, not in zone file


TSIG example

(Diagram.) Slave and master are configured with the same key (%sgs!f23fv!).

Slave -> Master: Query: AXFR, Sig ... (master verifies the signature with the shared key)
Master -> Slave: Response: Zone (SOA ... SOA), Sig ... (slave verifies the signature)
TSIG steps

1. Generate secret

2. Communicate secret

3. Configure servers

4. Test

TSIG - Names and Secrets
• TSIG name
– A name is given to the key, the name is what is transmitted in the
message (so receiver knows what key the sender used)

• TSIG secret value


– A value determined during key generation
– Usually seen in Base64 encoding
TSIG – Generating a Secret
• dnssec-keygen
– Simple tool to generate keys
– Used here to generate TSIG keys

> dnssec-keygen -a <algorithm> -b <bits> -n HOST <name of the key>
TSIG – Generating a Secret
• Example
> dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns1-ns2.pcx.net

This will generate the key
> Kns1-ns2.pcx.net.+157+15921

> ls
Kns1-ns2.pcx.net.+157+15921.key
Kns1-ns2.pcx.net.+157+15921.private

(157 is the algorithm number for HMAC-MD5; the Base64 secret is in the .private file, which must be readable only by the user running named.)
TSIG – Generating a Secret
• TSIG keys should never be put in zone files!!!
– might be confusing because the generated .key file looks like an RR (loading it into a zone would publish the shared secret):

ns1-ns2.pcx.net. IN KEY 128 3 157 nEfRX9…bbPn7lyQtE=


TSIG – Configuring Servers
• Configuring the key
– in the named.conf file, same syntax as for rndc
– key <name> { algorithm ...; secret ...; };
• Making use of the key
– in the named.conf file
– server x { keys { <name>; }; };
– where 'x' is the IP address of the other server
Configuration Example – named.conf

Primary server 10.33.40.46:

key ns1-ns2.pcx.net {
    algorithm hmac-md5;
    secret "APlaceToBe";
};
server 10.33.50.35 {
    keys { ns1-ns2.pcx.net; };
};
zone "my.zone.test." {
    type master;
    file "db.myzone";
    allow-transfer { key ns1-ns2.pcx.net; };
};

Secondary server 10.33.50.35:

key ns1-ns2.pcx.net {
    algorithm hmac-md5;
    secret "APlaceToBe";
};
server 10.33.40.46 {
    keys { ns1-ns2.pcx.net; };
};
zone "my.zone.test." {
    type slave;
    file "myzone.backup";
    masters { 10.33.40.46; };
};

"APlaceToBe" stands in for the real secret, which is the Base64 string from the generated .private file; the same key name and secret must be configured on both servers.

You can save the key statement in a file (readable only by the named user) and refer to it in named.conf using the 'include' statement:
include "/var/named/master/tsig-key-ns1-ns2";
TSIG Testing : dig
• You can use dig to check TSIG configuration
– dig @<server> <zone> AXFR -k <TSIG keyfile>

$ dig @127.0.0.1 example.net AXFR -k Kns1-ns2.pcx.net.+157+15921.key

• A wrong key will give "Transfer failed" and on the server the security category will log this.
TSIG Testing - TIME!
• TSIG is time sensitive - to stop replays
– Message protection expires in 5 minutes (the signature carries the time it was made; the receiver rejects it with BADTIME outside the "fudge" window, 300 seconds by default)
– Make sure time is synchronized on both servers
– For testing, set the time by hand
– In operations, (secure) NTP is needed
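The keyed hash, the key name and the time window from the TSIG slides above, worked through on the wire as an added example (Python, standard library only; not code from BIND or from the workshop). It signs an AXFR request the way RFC 2845 describes, then checks it with the right key, a wrong secret, an unknown key name, a clock 301 seconds off and a modified message, returning the rcode a server would answer with in each case. The key name, secret and zone are constructed test values, and the verifier only handles uncompressed names in the TSIG RR itself.

```python
"""TSIG (RFC 2845) on a DNS wire message: sign, verify, and the ways the check
fails. Added example for these slides, not code from BIND or the workshop;
standard library only. Key name, secret and zone are constructed values."""
import hashlib
import hmac
import struct
import time

TSIG_TYPE, CLASS_ANY = 250, 255
HMAC_MD5 = "hmac-md5.sig-alg.reg.int."  # wire-format algorithm name for HMAC-MD5
FUDGE = 300                              # seconds of clock skew accepted ("5 minutes")


def name_to_wire(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def name_from_wire(msg, off):
    """Decode an uncompressed name at off; return (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        labels.append(msg[off + 1:off + 1 + msg[off]].decode())
        off += 1 + msg[off]
    return ".".join(labels) + ".", off + 1


def skip_name(msg, off):
    """Offset just past the name at off (a compression pointer is 2 bytes)."""
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1


def build_query(txid, qname, qtype=252):
    """Unsigned query; qtype 252 is AXFR, the operation TSIG usually protects."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + name_to_wire(qname) + struct.pack("!HH", qtype, 1)


def tsig_mac(secret, unsigned, keyname, time_signed, fudge, error=0, other=b""):
    """HMAC-MD5 over: unsigned message || TSIG variables (RFC 2845 section 3.4)."""
    variables = (name_to_wire(keyname) + struct.pack("!HI", CLASS_ANY, 0)
                 + name_to_wire(HMAC_MD5) + struct.pack("!Q", time_signed)[2:]
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(secret, unsigned + variables, hashlib.md5).digest()


def sign(unsigned, keyname, secret, now=None, fudge=FUDGE):
    """Append the TSIG RR to the additional section (ARCOUNT + 1)."""
    now = int(time.time()) if now is None else now
    mac = tsig_mac(secret, unsigned, keyname, now, fudge)
    txid = struct.unpack("!H", unsigned[:2])[0]
    arcount = struct.unpack("!H", unsigned[10:12])[0]
    rdata = (name_to_wire(HMAC_MD5) + struct.pack("!Q", now)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", txid, 0, 0))        # original ID, error, other len
    rr = name_to_wire(keyname) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0, len(rdata)) + rdata
    return unsigned[:10] + struct.pack("!H", arcount + 1) + unsigned[12:] + rr


def verify(signed, keys, now=None):
    """Check the trailing TSIG RR; keys maps key name -> secret. Returns (ok, rcode)."""
    now = int(time.time()) if now is None else now
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):                         # skip the question section
        off = skip_name(signed, off) + 4
    for _ in range(an + ns + ar - 1):           # skip every RR except the last one
        off = skip_name(signed, off)
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    keyname, off = name_from_wire(signed, off)
    rtype, rclass = struct.unpack("!HH", signed[off:off + 4])
    if rtype != TSIG_TYPE or rclass != CLASS_ANY:
        return False, "FORMERR"                 # no TSIG where one was expected
    _alg, off = name_from_wire(signed, off + 10)
    time_signed = int.from_bytes(signed[off:off + 6], "big")
    fudge, macsize = struct.unpack("!HH", signed[off + 6:off + 10])
    mac = signed[off + 10:off + 10 + macsize]
    if keyname not in keys:
        return False, "BADKEY"                  # unknown key name
    # The MAC covers the message as it looked before the TSIG RR was appended.
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    expected = tsig_mac(keys[keyname], unsigned, keyname, time_signed, fudge)
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"                  # wrong secret or altered message
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"                 # outside the window: replay or skew
    return True, "NOERROR"


def demo(now=1_700_000_000):
    """Sign an AXFR request and show a good check plus each failure mode."""
    key, secret = "ns1-ns2.example.", b"constructed-test-secret"
    signed = sign(build_query(0x1234, "example.", 252), key, secret, now)
    tampered = signed[:13] + b"E" + signed[14:]          # flip one byte of the qname
    return {
        "good": verify(signed, {key: secret}, now),
        "wrong_secret": verify(signed, {key: b"some-other-secret"}, now),
        "unknown_key": verify(signed, {"ns2-ns3.example.": secret}, now),
        "stale": verify(signed, {key: secret}, now + FUDGE + 1),
        "tampered": verify(tampered, {key: secret}, now),
    }
```

The "stale" case is the one the TIME slide is about: the MAC itself is correct, only the clocks disagree by more than the fudge, so the fix is NTP rather than a new key. "unknown_key" is what you get when the key statement is missing on one side or its name differs, and "wrong_secret" is the "Transfer failed" that dig shows.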
DNS Vulnerabilities

(Recap of the data-flow diagram shown earlier: server protection against impersonating master, unauthorized updates and cache impersonation; data protection against corrupting data and cache pollution by data spoofing.)


Questions?
