Tag: bind

Operation KSK-ROLL by cyberstorm.mu – KSK Rollover Explained

The last cyberstorm.mu event was on OpenSource licensing with Dr. Till Jaeger at Flying Dodo, Bagatelle Mall Mauritius. We discussed several issues concerning cybersecurity laws, trademarks, OpenSource licensing issues etc.. Dr. Till Jaeger appreciated the meetup and encouraged us to evangelize more on OpenSource. The event was organized by Loganaden Velvindron member of cyberstorm.mu.

Dr. Till Jaeger and logan with a surprise gift.
Dr. Till Jaeger brought a surprise gift to Logan 🙂

I should say that we were already planning about our next event, hence, a hackathon on Operation KSK-ROLL by the cyberstorm.mu team which was pretty easy, important and successful. Dr. Till Jaeger congratulate us for creating the cyberstorm.mu team. Several pull requests sent to many repositories to encourage developers to adopt the new key.

What is Operation KSK-ROLL?

At cyberstorm.mu all Non-IETF hackathons are usually given a name. This time for the KSK rollover hackathon we have chosen 'Operation KSK-Roll'. Operation KSK-ROLL has been started to make sure that software is up-to-date with the new KSK key.

What is the KSK rollover?

The DNS KSK Rollover happened on 11 October at 11:00 UTC. Rolling the KSK means generating a new key cryptographic key pair (public and private key).

What are those keys?

The public key is distributed to those who operate valid DNS resolvers such as ISPs, network administrators, system integrators etc.. whilst, the private key is kept secret.

If its secret, why do we need to generate another secret key?

For security purpose, the secret key is generated anew and this ensures that DNS resolvers have a more robust security layer on top of the DNS AKA: DNSSEC

What are DNS resolvers?

All websites, example tunnelix.com which is a domain name is behind an IP Address. For your browser to be able to resolve the website, a DNS resolver which is located at several parts of the world will identify the IP with the domain name. Consequently, this will render the website on your browser.

What is DNSSEC?

As mentioned previously, DNSSEC (DNS Security) is a layer added by ICANN to ensure by means of cryptographic keys to ensure an online protection from the provider of the root domain name to your browser.

How will you know if a website is DNSSEC signed?

There is a tool by VeriSign lab which provides DNSSEC Analyzer. You can enter the name of the domain, say tunnelix.com which will analyze the domain show you the public key and the chain from the . (dot),  com and tunnelix.com.

credits to: verisignlabs.com
credits to: verisignlabs.com

Is there another way to verify it?

Yes, you can use the nslookup or dig tool to check it. In the case of the dig tool here is a screenshot.

What is the logic behind the DIG command?

Some years back (the Year 2015), I explained the anatomy of the dig command. You can view more details about the blog post called "Anatomy of a simple dig result".


What is the role of the KSK?

The KSK private key is used to generate a digital signature for the ZSK. In fact, the KSK public key is stored in the DNS to be used for authenticating the ZSK. So, the KSK is a key to sign another key for the ZSK. That is why it is called the "Key Signing Key".

So, what is the ZSK?

The ZSK (Zone Signing Key) is another private-public key pair which is used to generate a digital signature known as RRSIG ( Resource Record Signature). The RRSIG in itself is a digital signature for each RRSET (Resource Record Sets) in a zone. In fact, the ZSK is stored in the domain name system to authenticate the RRset.

What are RRsets?

RRsets (Resource Record sets) is a group of records DNS Record Set (RRsets) with the same record type, for example, all DNS A records are one RRset.

My contributions for KSK ROLL

Please follow me on my Github account. One of the repositories is Nagval which is a plugin to check the validity of one of more DNSSEC domains.

For more information about DNSSEC, ZSK, PSK etc, I would advise to check out Cloudflare which provided a good source of information.

Cyberstorm.mu continue to go beyond and further with innovations and more ideas to protect and secure the Internet. We believe that though we are a small team will be able to recruit more people who are strongly interested in developing their skills to strive for excellence.

I also wish to seize this opportunity to thanks Manuv Panchoo for designing the logo of  tunnelix.com


All rights reserved: tunnelix.com
All rights reserved: tunnelix.com

Counter DNS Attack: Enabling DNSSEC

To reach another person on the Internet you have to type an address into your computer – a name or a number. That address has to be unique so computers know where to find each other. ICANN coordinates these unique identifiers across the world. Without that coordination we wouldn’t have one global Internet. When typing a name, that name must be first translated into a number by a system before the connection can be established. That system is called the Domain Name System (DNS) and it translates names like www.icann.org into the numbers – called Internet Protocol (IP) addresses. ICANN coordinates the addressing system to ensure all the addresses are unique. – ICANN

Screenshot from 2016-07-23 20-56-11

Finally, i decided to enable DNSSEC on Tunnelix.com. It can be tested on the http://dnssec-debugger.verisignlabs.com link and its really cool. This is just another security addons to kept away from being attacked. For example, an attacker can take control of the session with the aim to make the user believe that the hijacker deceptive website is the right one. We also need to understand the basics of how  DNS traffic work. We are normally like three players in the normal DNS world that is your computer, the ISP’s recursive DNS servers, and the website’s authoritative DNS servers. Of course there are cached DNS servers that facilitate the DNS query. So to get into more detail how the attack goes on is where the attacker try to trick the resolver making it to believe that, lets say, tunnelix.com lives at the IP xx.xx.xx.xx and even to remember it for lets say 7 days. Its important to understand that since most of the traffic pass on UDP, it is kind difficult to prevent attackers from sending a flood of responses to the resolver.

DNSSEC is a technology which acts as a security layer on top of the DNS traffic by means of cryptographic tools to re-assure you that the website you are visiting is the real one. In 2008, Dan Kaminsky revealed a flaw that could allow attackers to easily perform cache poisoning attacks on most nameservers. Here is a link from the ISC (Internet System Consortium) which shed lots of interesting material about the DNSSEC technology. For bloggers behing Cloudfare, you can easily activate DNSSEC on for your domain, of course, if the root domain name is supporting DNSSEC, otherwise its impossible to achieve it. For example .mu domain does not support DNSSEC. On cloudflare, the steps are easy. You just need to activate the DNSSEC with a simple click and save all those informations like DS records, Digest, Digest type, Algorithm uses, Public key etc.. and feed it to the domain name registrar. The information will be verified by Cloudflare after which you are happily DNSSEC enabled domain owner.

Screenshot from 2016-07-23 21-48-53

To test out on your linux  terminal if a domain is signed use the following command:

[email protected]er:~# dig tunnelix.com +dnssec

; <<>> DiG 9.10.3-P4-Ubuntu <<>> tunnelix.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36645
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;tunnelix.com. IN A

;; ANSWER SECTION:
tunnelix.com. 177 IN A 104.18.41.96
tunnelix.com. 177 IN A 104.18.40.96
tunnelix.com. 177 IN RRSIG A 13 2 300 20160724190355 20160722170355 35273 tunnelix.com. L5t/xVbsuB99HntpdpHkYu4ig52YL9QA+Vvi509KFgdgKrtY3pvZfKfD LGjtT0Ev0UFEn73TObofJyOmzIEmUg==

;; Query time: 46 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Sat Jul 23 22:05:57 MUT 2016
;; MSG SIZE rcvd: 181

“To fix this, all major DNS servers implemented Source Port Randomization, as both djbdns and PowerDNS had before. This fix is widely seen as a stopgap measure, as it only makes the attack up to 65,536 times harder. An attacker willing to send billions of packets can still corrupt names. DNSSEC has been proposed as the way to bring cryptographic assurance to results provided by DNS, and Kaminsky has spoken in favor of it.” – blackhat.com

Domain owners might consider enabling DNSSEC on their domains to increase the security of letsencrypt in their infrastructure for ACME, as there is a return on investment in terms of security. Loganaden of cyberstorm.mu

Other article i wrote on BIND: Anatomy of a simple dig result 

 

CVE-2015-7547 – Update Glibc & restart BIND with Ansible

You might be seeing a huge crowd of system administrators and Devops rushing to update their servers immediately due to the security flaws detected on Glibc. This security leak is identified as skeleton key under CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow. What is most sour to taste is where the Glibc library is used in the BIND application!

 In brief, the CVE-2015-7547 vulnerability is simply where an attacker can performed mutilple stack-based overflows of the function send_dg and send_vc in the Glibc library to execute malicious code even causing denial of service attack.

Screenshot from 2016-02-21 12:14:09

Redhat have put it in this way “A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.” I have try a little Ansible cookbook to update your Glibc package. Check it out on my Git Account

- - - 
  - hosts: ansible2
     user: root
     tasks:
       - name: update Glib
          yum: name=glibc* state=latest
       - name: restart named
          service: name=named state=restarted

Screenshot from 2016-02-21 11:30:52

Other articles on Buffer Overflow of Memory:

Other article related to Ansible

Anatomy of a simple dig result

The ‘dig’ (Domain Information Gropper) command is one of the tools which is frequently used to troubleshoot DNS and BIND configurations. Its main purpose is to perform DNS lookups and query DNS servers. Though the subject is vast, I decided to blog some DNS stuff under the ‘Bind and DNS tools’ category which I just created. I will keep on updating this article as I keep on finding interesting dig commands.


Screenshot from 2015-11-08 15:45:52

Let’s analyze the result from a simple dig google.com. You would have a result similar to this one (In green). By default, dig perform query A record when launched without any arguments.

1. I made a dig google.com on my Linux terminal

[[email protected] ~]# dig google.com

2. The header section starts here. Several files in /etc/ld.so.* is being read and the dig command will also launch a uname with the argument sys and node. The uname is already inbuilt in the code of the dig command. It then reads the /etc/resolv.conf


; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> google.com

3. The ;; global options: +cmd is referred to the default arguments sets by dig to use only the +cmd variables.  The opcode value is always static. The status is to inform us if any error occurred during the query. Each query is also associated with an id number ( ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35133).

The flags qr (query response), rd (recursion desired) and ra (recursion available) are also information retrieved from the DNS header. As per the IETF RFC1035, when a dig with the default arguments is performed it will flag the qr, rd, ra and when the bit is 1 it’s a response and 0 for a query. Therefore ‘qr’ appears as 1

The ANSWER:2 is the numbers of answers received in the Answer section, same for QUERY, AUTHORITY and ADDITIONAL.


 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35133
 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

4. The “question section” is what you are querying for. In this case, a ‘dig’ has been done on the A record. An A record simply means Adress i.e; the address associated with the website. We have several DNS records types which I will elaborate in future articles.

;; QUESTION SECTION:
 ;google.com.            IN    A

5. The number 173 is the TTL (Time To Live), IN refers to Internet i.e the class in which it is. TTL  is a 32 bit signed integer which corresponds to the time interval a record can be cached before the information is again queried. A TTL zero is used for extremely volatile data.

To resume we read it as follows: Google.com has a 173 seconds Time To Live on the Internet with the IP Address 74.125.226.168


;; ANSWER SECTION:
 google.com.        173    IN    A    74.125.226.168
 google.com.        173    IN    A    74.125.226.162

6. This section acts like a stat section. Information is given about the time it takes to query. The server IP address i.e; 4.2.2.1 and the port number 53 which is associated with it. The date and finally the message size received is 204 bytes.

;; Query time: 22 msec
 ;; SERVER: 4.2.2.1#53(4.2.2.1)
 ;; WHEN: Sun Nov 08 01:19:23 EST 2015
 ;; MSG SIZE  rcvd: 204

More analysis can be performed by launching a strace in front of a dig command. The RFC 1035 is also of great help. You can also check out the Internet System Consortium (ISC) website for more details.

Tips:

  • dig -t MX google.com will show you in the list of MX records in the ‘Answer Section’
  • A  dig result is compose of only 5 parts i.e; Header, Question (question for the name server), Answer (resource records answering the question ), Authority (resource records pointing towards an authority) and Additional (resource records holding additional information).
  • To filter information from a default dig command you can use dig google.com +nocomments +noauthority +noadditional +nostats which will give you only the answer. With an additional +noanswer wont give you anything.
  • However, the reverse way to filter dig results with a specific answer can be dig google.com +noall +answer will give you only the answer section.