Saturday, July 27, 2013

The DNS Curve Ball

One of the biggest problems with DNS has always been its lack of security.

Any response from a DNS server could be forged or hijacked, and we have no real means to verify who sent the data.

DNSSEC (DNS Security Extensions) and DNSCurve are two distinct means of securing DNS traffic. The former DOES NOT encrypt the response from the server; it only applies "Authentication", whereas the latter also ensures "Privacy".

DNSCurve (DNS elliptic curve cryptography) provides both authentication and encryption, and for both the DNS request and its response.

Now some would ask: why on earth would you care about security within DNS services?

That's very easy; security within DNS would accomplish the following:

1: ensure the responses are from a legitimate DNS server

2: reduce or eliminate DNS reflection attacks

3: eliminate DNS poisoning

4: eliminate DNS replay attacks

Okay, so with the above pluses, why are we not seeing more use of DNS security?

1: Lack of enforcement within our exterior security policy

2: A lack of mass-supported DNS servers and clients

3: A major knowledge gap within the IT sector, and more specifically among us IT security folks

4: And with DNSSEC, the complexity of setup and of crafting DS, KEY & DNSKEY resource records

5: And finally, major issues with standardization & adoption between DNS providers

OpenDNS has supported DNSCurve for a while using their DNSCrypt, and support has dribbled towards the Mac/Linux/Windows OS clients over the last 3 years or so.

So what happens within DNSCurve?

For DNSCurve to be effective, we need to encrypt the DNS queries, and the server must understand the encrypted query. Take this unsecured DNS traffic for example:

The above is DNS traffic captured off the wire. Any hacker in the middle could intercept and/or mangle the request or response.

Now with ECC cryptography, we can quickly encode the request and response, and any hacker in the middle would only see:

(DNS traffic using DNSCurve against OpenDNS servers is on port 443/udp)

Since the ECC public keys are 255 bits in length, this provides us with protection that exceeds the typical 1024-bit RSA key sizes commonly used with DNSSEC.
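To make that 255-bit ECC key exchange concrete, here is an added example of my own (not OpenDNS or DNSCrypt code): a pure-Python Curve25519 key agreement (RFC 7748 X25519) of the kind DNSCurve is built on. It assumes nothing beyond the Python standard library and deliberately leaves out DNSCurve's packet format and the authenticated cipher that wraps the query; it only shows how the client and the resolver reach the same secret while an observer on the wire sees just the two public keys.

```python
# Added illustration of the Curve25519 key agreement (RFC 7748 X25519) that
# DNSCurve builds on; not DNSCrypt/OpenDNS code, and the swap is not constant-time.
import os

P = 2**255 - 19        # field prime; public keys are 255-bit field elements
A24 = 121665           # (486662 - 2) / 4, the curve constant the ladder uses
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(k):
    """Decode a 32-byte secret scalar exactly as RFC 7748 prescribes."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def _decode_u(u):
    # Decode a 32-byte public key; the top bit is ignored, leaving 255 bits.
    return int.from_bytes(u, "little") & ((1 << 255) - 1)

def x25519(scalar, point):
    """Montgomery ladder computing scalar * point on Curve25519."""
    k, x1 = _clamp(scalar), _decode_u(point)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # conditional swap of the two ladder points
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(secret=None):
    # A fresh (or supplied) 32-byte secret and the public key derived from it.
    secret = secret or os.urandom(32)
    return secret, x25519(secret, BASEPOINT)

def shared_secret(my_secret, their_public):
    # What each side computes; an observer on the wire has only the public keys.
    return x25519(my_secret, their_public)
```

Calling `shared_secret(client_sk, server_pk)` and `shared_secret(server_sk, client_pk)` yields the same 32 bytes, which is the secret that the real protocol feeds into its authenticated cipher.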


We also have the means to enable DNSCurve on our recursive DNS servers to forward requests between non-DNSCurve parties.


Now, to install DNSCrypt, I will show you the typical layout under Mac OS X Lion.

1: grab the dmg file

2: install DNSCrypt into the Applications folder

3: enable DNSCrypt & OpenDNS as your primary resolver

And now you're done. You can enable or disable it as required.

DNSCurve has some negatives, mainly due to the fact that our end-to-end encryption is going to break the firewall's ability to inspect your DNS traffic. You could force inspection via a proxy or a web proxy and nail all of your clients behind the proxies, but this would now require you to trust your proxies.

And second, any web content filtering that is based around DNS lookup requests would fail. So keep this in mind as you decide on deploying DNSCurve.

BTW: this is a non-issue with DNSSEC.

And lastly, OpenDNS uses udp/443 for its service, which may be filtered at a WiFi hotspot, but it will fall back to port 53.

More information about DNSCrypt can be found here.

Ken Felix
Freelance Network/Security Engineer
kfelix ---at--- socpuppets-----d-o-t---com

   ^     ^
=( *  * )=
    /     \
