Hands-On DNSSEC with DNSViz - NANOG Archive...Feb 06, 2017 · $ dig +dnssec+multi...

Hands-OnDNSSECwithDNSVizCaseyDeccio

BrighamYoungUniversityNANOG69,Feb.8,2017

Washington,DC

Preparation

• Demoandexercisesavailableat:• http://dnsviz.net/demo/

• Includeslinkstothefollowing:• VirtualBox software• VirtualBox demoimage• Tutorialexercises

2

Objectives

• UnderstandthebasicsofDNSandDNSSEC• BecomefamiliarwithDNSserverandanalysistools

• DiG• BIND• DNSViz

• Learnhowtoolsmightbeusedtoroutinelyanalyze/monitoryourDNShealth

3

Caveats

• Theexercisesrangefromnovice-leveltoadvanced.• Manyoftheexercisesaremoretofacilitateunderstandingthanefficiency.

• TheexercisesarebemeantforlearningDNS/DNSSECandrelatedtools,butdonotcoveralldetailsforproperDNS/DNSSECmaintenance.

4

DNSOverview

5

DNSNamespace

• Namespaceisorganizedhierarchically

• DNSrootistopofnamespace

• ZonesareautonomouslymanagedpiecesofDNSnamespace

• Subdomainnamespaceisdelegatedtochildzones

6

.

com net

example.com

example.net

referrals

DNSNameResolution

• Resolversqueryauthoritativeservers• Queriesbeginatrootzone,resolversfollowdownwardreferrals

• Resolverstopswhenitreceivesauthoritativeanswer

7

…

.

…

com

…

example.comstubresolver recursiveresolver

authoritativeservers

Answer: 192.0.2.16

Query:example.com/A?

VirtualEnvironmentInitialization

• Unzipdnsviz-demo-v4.zip• Opendnsviz-demo-v4/dnsviz-demo-v4.vbox

• “Start”VM• Enlargescreen• Double-click“TutorialExercises”file

• (Exercises0.1– 0.2)• Open“TerminalEmulator”• Changeto“demo”directory

8

$ cd demo

QueryDNSServers(1.1– 1.5)

9

queryaspecificserver(ratherthanqueryingyour

configuredresolver)

$ dig @a.root-servers.net example.com

norecordtypespecified,sodefaulttype“A”(address)isused

$ dig @a.gtld-servers.net example.com

$ dig @a.iana-servers.net example.com

$ dig example.com

noserverisexplicitlydesignated,soquerygoes

tolocalresolver

$ dig @a.iana-servers.net foobar.example.com

QueryaRootServer

10

QueryaTLDServer

11

QueryanSLDServer

12

QueryLocalRecursiveResolver

13

QueryforaNon-existentName

14

DNSSECOverview

15

PublicKeyCryptography

• Keys• Public Key– advertisedtoeveryone• Private Key– kepthidden

• Signatures• Madebyprivatekey• Validatedwithpublickey

• Validation• Consumerusespublickey,message,andsignaturetovalidatemessage

16

Data

PrivateKeySig

Data

PublicKey

Sig ValidorBogus?

DNSSecurityExtensions(DNSSEC)

• DNSdatasignedwithprivatekeys• Signatures(RRSIGs)andpublickeys(DNSKEYs)publishedinzonedata

• Resolverresponse• Ifauthentic:Authenticateddata(AD)bitisset• Ifbogus:SERVFAILmessageisreturned

17

example.com

stubresolverrecursive/validatingresolver

authoritativeserver


Answer:192.0.2.16 RRSIG

Query:example.com/DNSKEY?

Answer: DNSKEY… RRSIG


Answer: 192.0.2.16 AD

validate

DNSSECChainofTrust

• DNSKEYmustbeauthenticated.

• Trustextendsthroughancestrytoatrustanchoratresolver.

• DSresourcerecord–providesdigestofDNSKEYinchildzone.

• Resolvermuststartwithtrustedkey,atroot.

18

example.comZone data

DNSKEY

comZone data

DNSKEY

.Zone data

DNSKEY

DS

DS

Resolver trust anchor

KeyRoles– KSK/ZSK

• DNSKEYRRset usuallyhasmultiplekeys,oftenwithsplitroles.

• KSK(Keysigningkey)• Signs(only)theDNSKEYRRset.

• CorrespondstoDSrecordsinparent,providing“secureentrypoint”intozone.

• ZSK(Zonesigningkey)• Signstherestofthezone.

19

example.com Zone data

DNSKEY (ZSK)

comZone data

DNSKEY

DS

DNSKEY (KSK)

…

example.com

AuthenticatedDenialofExistence

• Howdoyouprovesomethingdoesn’texist?• “Chain”ofnamesofzoneformedusingNSECrecords.• NSECrecordsformcomprehensivechainofnames(andtheirrecordtypes)inzoneincanonicalordering.

• ServerusesNSECrecordstoprovenon-existence.

20

example.com.

apple.example.com.

banana.example.com.

grape.example.com.

recursive/validatingresolver

authoritativeserver

Query:coconut.example.com/A?

NXDOMAIN:banana.example.com/NSEC RRSIG

Query:example.com/DNSKEY?

Answer: DNSKEY… RRSIGvalidate

QueryforDNSSECRecords(2.1–2.5)

23

includeDNSSECrecordsinresponse(e.g.,RRSIG)

$ dig +dnssec +multi @a.iana-servers.net example.com

presentresponseinmulti-lineformatwithcomments(for

readability)

$ dig +dnssec +multi @a.iana-servers.net example.com DNSKEY

queryforrecordsoftype“DNSKEY”(DNSSECpublickey)insteadofthe

default,“A”(address)

$ dig +dnssec +multi @a.gtld-servers.net example.com DS

querya“parent”serverbecausewe’reseekingaDSrecord

$ dig +dnssec +multi example.com

$ dig +dnssec +multi @a.iana-servers.netfoobar.example.com

QueryforDNSSECRecords(RRSIGs)

24

QueryforDNSSECRecords(DNSKEY)

25

QueryforDNSSECRecords(DS)

26

QueryforDNSSECRecords

27

QueryForDNSSECRecords(NSEC)

28

DNSViz

29

referrals

DNSAnalysisUsingDNSViz(dnsviz probe commandline)• Queriesissued– IPv4/IPv6UDP/TCP

• Referralqueries– tolearndelegationNSrecordsfromparent• NSqueries– tolearnauthoritativeNSrecords• DNSKEY/DSqueries– forbuildingaDNSSECchain• A/AAAA/TXT/MX/SOAqueries• Diagnosticqueries(specialhandlingoferrors,etc.)

30

.

com

example.com

output.json

OnlineanalysisSerializedonlineanalysis(JSON)$ dnsviz probe

example.com

DNSAnalysisUsingDNSViz(dnsviz grok/graph/printcommandline)• Responsesanalyzed(offline)

• Responsiveness• Querytimeouts• Networkerrors• EDNS/fragmentation

capabilities• Consistency

• Acrossservers• BetweenDNSKEY/RRSIG• BetweenDNSKEY/DS

• Correctness• RRSIG

• Expiration/inceptiondates• Cryptographicsignature

• DS- Cryptographichash• Negativeresponses

• NSECproofcorrectness• SOArecordcorrectness

31

$ dnsviz grok

output.json

Serializedonlineanalysis(JSON)

output-p.json Serializedofflineanalysis(JSON)

Analysisgraph(jpg,png,html)

$ dnsviz graph

Colorterminal/textoutput

abcdefghijklmnopqrstuvabcdefghijklmnopqrstuvabcdefghijklmnopqrstuvabcdefghijklmnopqrstuv

$ dnsviz print

AnalyzeUsingdnsviz probe(3.1– 3.2)

32

$ dnsviz probe -A -a . -p example.com > example.com.json

followreferralsfromroot(“.”)toanalyze

name

maketheoutput“pretty”(forreadability)

storeanalysisinfilecalled“example.com.json”

$ medit example.com.json &

Issuediagnosticqueriestoauthoritativeservers,rather

thanrecursiveservers

$ dnsviz grok < example.com.json > example.com-p.json

AnalyzeUsingdnsviz grok(3.3– 3.4)

33

storeanalysisinfilecalled“example.com-p.json”

readanalysisfrom“example.com.json”

$ medit example.com-p.json

$ dnsviz grok -l info < example.com.json \> example.com-p1.json

AnalyzeUsingdnsviz grok(3.5– 3.6)

34

showonlyinformationthatisofpriority“info”or

higher

$ medit example.com-p1.json

AnalyzeUsingdnsviz grok(3.7)

35

displayoutput(ifany)toscreen,insteadof

redirectingtofile

$ dnsviz grok -l error < example.com.json

showonlyinformationthatisofpriority“error”or

higher

$ dnsviz graph -Thtml -t /dev/null < example.com.json \> example.com.html

AnalyzeUsingdnsviz graph(3.8– 3.11)

36

outputinteractiveHTMLformat

$ firefox example.com.html &

$ dnsviz graph -Thtml < example.com.json \> example.com.html


Don’tuseanytrustanchor

$ dnsviz print -t /dev/null < example.com.json

AnalyzeUsingdnsviz print (3.12– 3.13)

37

$ dnsviz print < example.com.json

anchortrustwithrootKSK

Don’tuseanytrustanchor

Viewdnsviz probe Output

38


39


40

Viewdnsviz grok Output

41


42


43


44


45

Viewdnsviz graph Output

46


47


48

Viewdnsviz print Output

49

Viewdnsviz print Output

50

SigningaDNSZone

51

SetupVirtualDNSEnvironment(4.1– 4.2)

52

VirtualBox Guest

UMLGuest

UMLGuest

UMLGuest

Host$ ./start_all

(Waitforallthreeconsolestocomeup)

$ cd /etc/bind

Changedirectoryforallthreeconsoles:root,tld1,sld1

SetupVirtualDNSEnvironment(4.3)

53

VirtualBox Guest

UMLGuest“root1”

UMLGuest“sld1”

UMLGuest“tld1”

$ ./dns_change_root local

(pointDNSroothintsandtrustedkeystointernalrootserver)

virtualswitch

Host

virtualswitch

Analyzeexample.com inLocalEnvironment(4.4– 4.6)

54

$ dnsviz probe -A -a . -p example.com | dnsviz graph -Thtml -O

Piperesultsdirectlytodnsviz graph,

ratherthanredirectingtofile

Outputanalysistofilenamed

“example.com.html”

$ ./dnsviz_analyze example.com (scriptincludedforsimplification)



55

AddRecordstoexample.comZone(5.1– 5.4)• AddArecordsfornames“a”,“c”,and“e”(onsld1)(hint:seeexistingrecordfor“www”)

• Checkzone

• Reloadzone

• Checkthatrecordshowsup(queryfromVirtualBox guest)

56

# nano zones/db.example.com

# vi zones/db.example.com

or

# service bind9 reload

# named-checkzone example.com zones/db.example.com

$ dig @sld1 a.example.com

AddRecordstoexample.comZone

57

AddRecordstoexample.comZone

58

CreateDNSSECKeysforexample.com Zone(6.1– 6.3)

59

# KSK=`dnssec-keygen -n ZONE -f KSK -a RSASHA256 -b 2048 \-r /dev/urandom example.com`

# ZSK=`dnssec-keygen -n ZONE -a RSASHA256 -b 1024 \-r /dev/urandom example.com`

Setthe“SEP”bitforthisDNSKEY

Createa2048-bitkey

UsealgorithmRSASHA256forsigning

No“SEP”bithere

(onsld1)

Createa1024-bitkey

# ls $KSK* $ZSK*

AddDNSKEYRecordstoexample.com Zone(6.4– 6.9)• LookatDNSKEYrecords(onsld1):

• AddDNSKEYrecordstozone

• Reloadzone

• Re-analyze

60


# cat $KSK.key $ZSK.key >> zones/db.example.com

# cat $KSK.key $ZSK.key

$ ./dnsviz_analyze example.com


$ dig +noall +comment +ad example.com

CreateDNSSECkeysforexample.com Zone

61

CreateDNSSECkeysforexample.com Zone

62

Viewdnsviz graph Output:DNSKEYswithnoRRSIGs

63

Viewdig Output:noADbit

64

SignRecordsinexample.comZone(7.1– 7.4)• Signzone(sld1)

• Pointnamed.conf tosignedzonefile

• Reloadzone

65

# dnssec-signzone -r /dev/urandom \-k $KSK -o example.com zones/db.example.com $ZSK

Usepseudo-randomentropysource(notfor

productionuse)

Signentirezonewiththiskey

SignonlyDNSKEYrecordswiththiskey


# sed -i -e ‘s:/db.example.com:&.signed:’ named.conf.local




Viewdnsviz graph Output:Signedexample.com Zone

66

Viewdig Output:noADbit

67

GenerateDSRecordsforexample.com (8.1– 8.2)(onsld1)

68

# dnssec-dsfromkey $KSK

AddDSRecordsforexample.com(8.3a– 8.3c)(ontld1)

69

# nano zones/dsset-example.com.

SignRecordsin“example.com”Zone(8.4)• CheckDSconsistencybeforetheyaredeployed(preview)

• Re-analyze

70

$ ./dnsviz probe -A -a . \-N example.com:a.local-sld-servers.net \-D example.com:zones/dsset-example.com. \-p example.com | dnsviz graph -Thtml -O


SignRecordsin“example.com”Zone(8.5– 8.6)• Signzone(ontld1)

• Re-analyze

71

# ./resign_tld




Previewdnsviz graphOutput:FullChainofTrust

72

Viewdnsviz graph Output:FullChainofTrust

73

Viewdig Output:ADbit

74

FunwithDNSViz

75

UseKSKtoOnlySignDNSKEYRRset (9.1– 9.3)

76

# dnssec-signzone -x -r /dev/urandom \-k $KSK -o example.com zones/db.example.com $ZSK

Don’tsignzonedatawithKSK





Viewdnsviz graph Output:KSK-only

77


78

AddNewKSKtoexample.comZone(9.4– 9.8)• GeneratenewKSK:

• Re-signzone:

• Reloadzone

79


# NEWKSK=`dnssec-keygen -n ZONE -f KSK -a RSASHA256 -b 2048 \-r /dev/urandom example.com`

# dnssec-signzone -x -r /dev/urandom \-k $KSK -o example.com zones/db.example.com $ZSK



# cat $NEWKSK.key >> zones/db.example.com


Viewdnsviz graph Output:StandbyKSK

80


81

AddNewKSKtoexample.comZone(9.9– 9.11)• Re-signzonewithtwoKSKs:

• Reloadzone

82


# dnssec-signzone -x -r /dev/urandom \-k $KSK -k $NEWKSK -o example.com zones/db.example.com $ZSK




Viewdnsviz graph Output:MultipleKSKs

83


84

ChangeKSKforexample.comZone(9.12– 9.13)

• SignwithonlythesecondKSK:

85

# dnssec-signzone -x -r /dev/urandom \-k $NEWKSK -o example.com zones/db.example.com $ZSK


$ dnsviz probe -A -a . -x example.com:zones/db.example.com.signed -p \example.com | dnsviz graph -Thtml -O

ChangeKSKforexample.comZone(9.14– 9.15)

• Reloadzone

86





Viewdnsviz graph Output:DSMismatch

87

Viewdig Output:SERVFAIL

88

TamperwithRecordContent(9.16– 9.18)• ChangeSOArecord:

89

# sed -i -e ‘s/root.localhost/root1.localhost/’ \zones/db.example.com.signed




Viewdnsviz graph Output:InvalidSignatures

90

ChangeRRSIGExpiration(9.19–9.22)• SettheRRSIGexpirationexplicitlyto1secondfrom“now”

• Manipulate(again)SOArecord

• Reloadzone

91


# dnssec-signzone -x -e now+1 -r /dev/urandom \-k $NEWKSK -o example.com zones/db.example.com $ZSK



# sed -i -e ‘s/root.localhost/root1.localhost/’ \zones/db.example.com.signed

Viewdnsviz graph Output:ExpiredRRSIGs

92

RemoveRRSIGs(9.23– 9.26)• RemoveRRSIGcoveringAAAArecord(onsld1)

• Checkzone

• Reloadzone

93

# nano zones/db.example.com.signed

# vi zones/db.example.com.signed

or


# named-checkzone example.com zones/db.example.com.signed



RemoveRRSIGforAAAARecordfromZone

94

Viewdnsviz graph Output:MissingRRSIGs

95

ModifyTCPConnectivity(9.27–9.28)• RejectTCPconnectionrequests

96

# ip6tables -A INPUT -m state --state NEW -p tcp \--dport 53 -j REJECT



Viewdnsviz graph Output:NoTCP

97

ModifyPathMTU(9.29– 9.30)

• DropUDPresponseswithpayloadslargerthan512bytes

98

# iptables -A OUTPUT -p udp --sport 53 \-m length --length 540:65535 -j DROP



Viewdnsviz graph Output:LowPMTU

99

AddLameDelegation(9.31–9.33)• AddseconddelegationNSrecordforexample.com incomzone(ontld1)

• Signcomzone(ontld1)

100

# nano zones/db.com

# vi zones/db.com

or

# ./resign_tld



AddSecondNSRecordforexample.com

101

Viewdnsviz graph Output:LameDelegation

102

GraphOnlySelectRRsets (9.34)

103


$ dnsviz graph -R A,AAAA -Thtml -O < example.com-working.json

OnlygraphAandAAAARRsets

Viewdnsviz graph Output:SelectRRsets

104

Analyzewithdnsviz print (9.35)

105

$ dnsviz print -R A,AAAA < example.com-working.json

Viewdnsviz graph Output:SelectRRsets

106

DNSViz RecursiveServerAnalysis

107

Analyzeexample.com onRecursiveServer(10.1)

108

$ dnsviz probe example.com | dnsviz graph -Thtml -O

No“-A”optionmeansquery

recursiveservers


Viewdnsviz graph Output:Recursive

109

DNSViz ProgrammaticAnalysis

110

dnsviz probe Revisited(11.1)

111

$ medit example.com-working.json &

$ vi example.com-working.json

or

Viewdnsviz probe Output:DiagnosticQueryHistory

112

Viewdnsviz probe Output:DiagnosticQueryHistory

113

dnsviz grok Revisited(10.3–10.4)

114

$ dnsviz grok -l warning -p < example.com-broken.json \> example.com-working-p.json

$ medit example.com-working-p.json &

$ vi example.com-working-p.json

or

Viewdnsviz grok Output:Errors,Warnings,Statuses

115


116


117

MonitoringwithDNSViz• Samplescriptusescombinationofdnsviz getanddnsviz graph,e.g.,forusewithcron

118

#!/bin/shname=$1date=`date +%Y%m%d%H%M%S`probe_out=/tmp/$name-probe-$date.jsongrok_out=/tmp/$name-grok-$date.jsongraph_out=/tmp/$name-graph-$date.png

dnsviz probe -A -d 0 -p $name > $probe_outdnsviz grok -l warning -p $name < $probe_out > $grok_outif (( $( stat -c %s $grok_out ) > 0 )); then

dnsviz graph -Tpng -o $graph_out $name $name < $probe_outgzip $probe_outcat $grok_out | \mutt -s “Problems with $name” -a $graph_out $grok_out.gz -- \

[email protected]

rm $probe_out* $grok_out $graph_out

Summary

• UnderstandingandanalyzingDNSandDNSSECcanbecomplex.

• DiG,BIND,DNSViz,andothertoolscanaidinunderstanding,troubleshooting,andmonitoring.

• MaintainandmonitoryourDNSzones!

119

FurtherInformationonDNSViz

• Source:https://github.com/dnsviz/dnsviz (License:GPLv2)

• Onlineversion:http://dnsviz.net/• Mailinglist:https://groups.google.com/d/forum/dnsviz-users

120

Hands-On DNSSEC with DNSViz - NANOG Archive...Feb 06, 2017 · $ dig +dnssec+multi...

Documents

Transcript of Hands-On DNSSEC with DNSViz - NANOG Archive...Feb 06, 2017 · $ dig +dnssec+multi...