DNS
Domain renewal scams
Oct 28th
Some of my domains are coming up for renewal, right on cue the scam letters start arriving in the post. The scammers trawl whois information and send out demands for “renewal” to unsuspecting domain users. Send enough of them and somebody, somewhere will pay up.
They’re getting pretty sophisticated compared to the ones from previous years, an accounts department could be easily tricked into paying them.
SpamAssassin DNS lookups over IPv6
Sep 15th
With the recent surge in AIB phishing mails, I thought it might be worth looking at our SpamAssassin setup to see if there was anything that could be done to filter them out.
AIB helpfully publish SPF records for the aib.ie domain, so the first port of call was SAs SPF lookups. Which I noticed weren’t happening, despite being enabled some time ago. Reloading SA resulting in the following log message in spamd.log:
Tue Aug 11 11:26:52 2009 [2221] warn: Error creating a DNS resolver
socket: at /usr/share/perl5/Mail/SpamAssassin/DnsResolver.pm line 233.
Aw snap, SA can’t do any DNS lookups, at all. Which means all of the DNS-based tests will be silently skipped. Going back through the spamd.log, I noticed these messages first started occurring when we enabled IPv6 DNS resolvers a number of months ago. Hmm, perl is obviously missing something fundamental.
So, it turns out a perl library required to create IPv6 sockets wasn’t installed, IO::Socket::INET6. This is conveniently packaged in Ubuntu:
aptitude install libio-socket-inet6-perl
A quick reload of spamassassin and we can say goodbye to all those “URGENT NOTIFICATION”s about our AIB online banking accounts. Although, the spammers have now copped on and aren’t even bothering to send from aib.ie addresses anymore..
Updates to bind and the open resolver project
Jul 29th
If you haven’t done so already, now would be a good time to update bind9. A remote exploit is doing the rounds.
In related news, Team Cymru is running a scan for open DNS resolvers. It’s surprising the amount of DNS servers out there that are un-intentionally left wide open and, even worse, don’t implement split-horizon DNS. Looks like they’ve been busy probing ns.spoofedpacket.net:
22-Jun-2009 23:33:54.393 security: client 38.229.0.10#55251: query (cache) 'recursion-test.cymru.com/A/IN' denied
23-Jul-2009 23:34:08.350 security: client 38.229.0.10#45412: query (cache) 'recursion-test.cymru.com/A/IN' denied
First steps towards DNSSEC
Apr 3rd
I recently began deploying DNSSEC within HEAnet. Things are at an early stage, but I’m hoping to have some signed zones up and running in the next few months.
For testing, I wanted to find a practical application of DNSSEC, rather than simply stating “now our zones are secure against attack A, B and C”.
RFC4255 provides exactly this, with automatic verification and trusting of SSH host keys through a combination of the SSHFP record type and DNSSEC validation. This removes the need to maintain a known_hosts file on each client, key fingerprints can simply be distributed through DNS.
I started by generating our zone signing key (ZSK) and key signing key (KSK) for the secure zone, login.heanet.ie. These are 1024bit RSASHA1 keypairs.
mkdir /etc/bind/keys cd !$ dnssec-keygen -r /dev/random -a RSASHA1 \ -b 1024 -n ZONE login.heanet.ie dnssec-keygen -r /dev/random -f KSK \ -a RSASHA1 -b 1024 -n ZONE login.heanet.ie
Then, I imported the trust anchor (KSK public part) for the zone into the DNS resolver. We are using Unbound but BIND etc. configuration is somewhat similar.
cp Klogin.heanet.ie.+005+61342.key /etc/unbound/anchors/login.heanet.ie.anchor ... vi /etc/unbound/unbound.conf ... # # login.heanet.ie test signed zone - robertg@heanet.ie 20090309 # trust-anchor-file: "/etc/unbound/anchors/login.heanet.ie.anchor" ...
To prepare the zone for signing, I published the ZSK and KSK public keys at the apex of the zone, ie: after NS records but before any other records are defined.
@ IN NS ns.heanet.ie. ; DNSSEC public keys $INCLUDE /etc/bind/keys/Klogin.heanet.ie.+005+01530.key ;ZSK $INCLUDE /etc/bind/keys/Klogin.heanet.ie.+005+61342.key ;KSK ; hosts charlene IN A 193.1.219.75 charlene IN AAAA 2001:770:18:2::193.1.219.75 charlene IN SSHFP 1 1 d343493a92fdd26281dddc26e90440e5504c3b1a charlene IN SSHFP 2 1 4fad90afa04a6b62371091662f88685822b07ebb
Now, to actually sign the zone! I signed the RRsets in the zone with dnssec-signzone and the ZSK and KSK keypairs we generated earlier. This produces a signed version of the zonefile, of the form zonefile.signed. The KSK (61342) is used to sign the keys we entered at the apex of the zone earlier, and the ZSK (01530) is used to sign all the other records in the zone.
dnssec-signzone -r /dev/random -o login.heanet.ie \ -k /etc/bind/keys/Klogin.heanet.ie.+005+61342.key \ login.heanet.ie /etc/bind/keys/Klogin.heanet.ie.+005+01530.key
Then, I loaded the .signed file into the authoritative nameserver.
zone "login.heanet.ie" {
type master;
file "pz/forward/login.heanet.ie.signed";
};
After doing this, it’s a good idea to check for any errors in name server log.
As a first test, I made a DNSSEC query to the resolvers. It should follow the chain of trust and securely resolve the query. The “ad” – authenticated data – flag in the flags: section of the dig output confirms that the zone data is signed and has been verified as authentic. The +dnssec option sets the DO (DNSSEC OK) bit on the query and the +multiline option is simply used for readability purposes.
dig @resolver0.heanet.ie charlene.login.heanet.ie +dnssec +multiline ; <<>> DiG 9.5.0-P2 <<>> @resolver0.heanet.ie charlene.login.heanet.ie +dnssec +multiline ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42200 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;charlene.login.heanet.ie. IN A ;; ANSWER SECTION: charlene.login.heanet.ie. 3600 IN A 193.1.219.75 charlene.login.heanet.ie. 3600 IN RRSIG A 5 4 3600 20090429144034 ( 20090330144034 1530 login.heanet.ie. dw8qCGcHEBA8kSfv3CTr7sTM7FEJvoGyY8tz9bEgIsNK adSgG3eUfHIQ5nMFVYvg7/MEXLfhUyXmByNjPuuMhfi0 mvX4GV0z+MqIRfVBb6bH8kPBlAjdXisny4e8rhrheRwu P8FyONy88cyy5OqTattjzz8bBtMevZo4wN/KfQs= ) ;; AUTHORITY SECTION: login.heanet.ie. 3600 IN NS ns.heanet.ie. login.heanet.ie. 3600 IN RRSIG NS 5 3 3600 20090429144034 ( 20090330144034 1530 login.heanet.ie. C7C54YAIMVqp9UJfrrM56dRd2U8OB+zkxHV2G2YN0QsR 7XFZHVcBEjw/9l8r1E6yiRIyAx2P3XGWT/tAvYvssAG8 p143UAn29Gqnibf5mGzhRQFGN/huCdmFSIL7yK2jinhA rw/ZgOrVkBnWiGYNRe4BWtIhkHbcVYZ6roWXlo8= ) ;; Query time: 2 msec ;; SERVER: 2001:770:f8::c101:ba02#53(2001:770:f8::c101:ba02) ;; WHEN: Wed Apr 1 17:07:12 2009 ;; MSG SIZE rcvd: 436
Now to test the signed SSHFP records. On the client, I added the following to resolv.conf.
options edns0
Also, I edited ~/.ssh/config and added this line in the Host section
VerifyHostKeyDNS yes
When ssh'ing to a the machine with signed SSHFP records, the user should not be prompted to accept the host key, even if it is "unknown".
ssh -v heanet@charlene.login.heanet.ie OpenSSH_5.1, OpenSSL 0.9.7j 04 May 2006 ... debug1: found 2 secure fingerprints in DNS debug1: matching host key fingerprint found in DNS debug1: ssh_rsa_verify: signature correct ...
Presto! No known_hosts file. Profit! etc.. No need to maintain host keys across multiple clients, simply distribute your SSH fingerprints through DNS.
$ ls -al /home/rob/.ssh/ total 16 drwx------ 2 rob users 512 Mar 31 14:35 . drwxr-xr-x 3 rob users 512 Mar 31 14:15 .. -rw------- 1 rob users 613 Mar 31 17:23 authorized_keys -rw-r--r-- 1 rob users 120 Mar 31 14:35 config
Of course there are a number of issues. I haven't gone through the required key rollover and resigning processes, however these are reasonably straightforward and can be automated with freely available tools.
TLD monitoring
Nov 26th
Now this is a good idea, TLD monitoring with nagios.
It highlights some interesting information, such as the large amount of open resolvers.