Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: DNSSEC Tips SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
DNSSEC Tips

We have covered DNSSEC before. But over the last few month, DNSSEC deployments have increased and yesterday's DNS poisoning diary by Manuel shows that attacks against unsecured zones certainly happen.

I wanted to put together a couple of tips to avoid common errors:

  • Patch your DNS server. Make sure you are running a recent version that supports current encryption algorithms. In particular, look for NSEC3 support.
  • Review your overall DNS configuration. Clean it up first before implementing DNSSEC.
  • Does your registrar have a facility to upload DS records?
  • If you are using DNSSEC on a resolver, make sure the root zone's key is kept up to date. Recent versions of BIND support RFC 5011 and can manage key updates for you.
  • Remember to regularly re-sign the zones. Signatures are typically valid for a month.
  • make sure your DNS server supports EDNS0 (should not be a problem)
  • make sure your firewall isn't blocking UDP DNS replies that are larger then 512 Bytes
  • pick an algorithm that supports NSEC3 (RSASHA1-NSEC3-SHA1, which is #7, is my preferred one as it appears to be well supported compared to other NSEC3 algorithms)
  • Test
  • Test
  • Test
  • only deposit DS records with your parent zone after you completed the prior three steps

Anything I forgot? Please add a comment...

Couple URLs to use as a reference:

http://dnsviz.net/ - Really nice visualization tool.
http://dnssec-debugger.verisignlabs.com/ - thorough test of DNSSEC settings
http://www.dnssec.net - links to standards and tools
https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/ - Firefox extension to validate DNSSEC
http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xml - DNSSEC Algorithm Numbers
http://www.cymru.com/Documents/secure-bind-template.html - secure BIND template. Apply this first.
http://technet.microsoft.com/en-us/library/cc772661%28WS.10%29.aspx - Securing Microsoft DNS

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

I will be teaching next: Intrusion Detection In-Depth - SANS Las Vegas Spring 2020

 Johannes

3834 Posts
ISC Handler
Subscribe Jun 28th 2011
8 years ago
Relating to EDNS0, and DNS responses larger than one packet, I once set up Linux IPTables to allow incoming UDP traffic to port 53 thinking that was enough. But IPTables 'port' matches don't match UDP fragments after the first one, so you either need to use stateful matching (-m state --state related,established) or specifically accept trailing fragments (the iptables "-f" option for IPv4, or "-m frag ! --fragid 0" for IPv6).
 Anonymous
Quote Jun 29th 2011
8 years ago

Sign Up for Free or Log In to start participating in the conversation!