DEF CON DNSSEC
  • DEF CON DNSSEC

    I have been working to get DNSSEC enabled on the defcon.org zone, and it looks like Network Solutions just entered the DS records for me. We should be all DNSSEC signed and secure if your software supports it.

    Can people check it out and let me know what works and what doesn't?
    PGP Key: https://defcon.org/html/links/dtangent.html
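Since the post hinges on the registrar entering the DS records, here is an added example (not code from the thread or from defcon.org) showing how a DS record is derived from the zone's KSK DNSKEY, so the entry the registrar published can be checked against the key the zone actually serves. It implements the general RFC 4034 key-tag and RFC 4509 SHA-256 (digest type 2) computation; the key bytes used at the bottom are constructed toy data, not a real key.

```python
# Added example: derive the DS record a parent must publish for a child's KSK.
# Key tag: RFC 4034 Appendix B. Digest: SHA-256 over canonical owner name + DNSKEY RDATA (RFC 4509).
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = KSK), protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """16-bit key tag shown in DS and RRSIG records (RFC 4034 Appendix B, non-algorithm-1 case)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> tuple:
    """Return (key_tag, algorithm, digest_type, digest_hex) for the SHA-256 DS of this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               pubkey_b64: str, published: tuple) -> bool:
    """True if the DS the registrar published equals the DS derived from the served DNSKEY."""
    tag, alg, dtype, digest = published
    return ds_record(owner, flags, protocol, algorithm, pubkey_b64) == (tag, alg, dtype, digest.upper())


if __name__ == "__main__":
    # Constructed toy key material (NOT a real defcon.org key); a real RSA KSK is hundreds of bytes.
    toy_key_b64 = base64.b64encode(b"\x01\x02\x03\x04").decode()
    print("derived DS for defcon.org.:", ds_record("defcon.org.", 257, 3, 8, toy_key_b64))
```

In practice you would paste the DNSKEY fields from `dig defcon.org DNSKEY` and the DS fields from `dig org DS` or the registrar's panel into the two sides of `ds_matches`.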

  • #2
    Re: DEF CON DNSSEC

    Originally posted by Dark Tangent
    I have been working to get DNSSEC enabled on the defcon.org zone, and it looks like Network Solutions just entered the DS records for me. We should be all DNSSEC signed and secure if your software supports it.

    Can people check it out and let me know what works and what doesn't?
    forum, pics, media, www -- all appear to validate fine for me.

    When using a DNS Server for checks that does not do DNSSEC, of course it does not work.



    • #3
      Re: DEF CON DNSSEC

      Also, a useful tool for this work:

      URL1 = http://dnssec-debugger.verisignlabs.com/

      And to test your browser's support for DNSSEC:

      URL2 = http://test.dnssec-or-not.org/
      (No= Face-Palm picture of Jean-Luc Picard from STNG)
      (Yes= Borat with thumbs-up)
      (If some of the DNS Servers your OS/browser uses support DNSSEC but others do not, then you may get mixed results with text that says "Yes, you are using DNSSECYes, you are using DNSSEC" but shows the facepalm, or text that claims you are not using DNSSEC, but shows Borat with thumbs up.)

      Many ISPs do not provide DNS Servers with DNSSEC or validate with DNSSEC for you, and even if they do, some home NAT-routers act as DNS proxies, to relay and cache lookups, but do not understand DNSSEC requests, and will act like DNS servers without support for DNSSEC.

      For your browser to support DNSSEC, your browser/OS needs DNS Servers that support DNSSEC first, then the domain/host being queried in DNS needs root-sig installed and complementary DNS Server support, too.

      If you do not see defcon.org is validated with DNSSEC (unknown status) it is likely the DNS Servers (or intermediaries/proxies) you are using for lookups probably do not understand DNSSEC requests and lookups, or are not performing recursive lookups for you with support for DNSSEC, or are mis-configured.


      Next, there is a scoreboard (even if it only has one sig-fig) that shows DNSSEC is not widely implemented:
      URL3 = http://scoreboard.verisignlabs.com/
      [As of September 13, 2011]
      Domains Secured with DNSSEC
      Originally posted by URL3
      com 3,840
      net 1,650
      edu 67
      Graph Raw Number/Count of DS record domains over time:
      URL4 = http://scoreboard.verisignlabs.com/count-trace.png

      Graphs percent of domains with DS records over time:
      URL5 = http://scoreboard.verisignlabs.com/percent-trace.png

      Another tool is DNS Visualization:
      URL6 = http://dnsviz.net/
      Which shows you the relationship between each hop, validity, and details about the links from FQDN, to DN, to TLD to "." (root)
      Last edited by TheCotMan; September 13, 2011, 18:56.



      • #4
        Re: DEF CON DNSSEC

        I'm currently using this Firefox addon

        DNSSEC Validator
        http://www.dnssec-validator.cz/

        to check for DNSSEC, and I'm pretty sure I found it through something on the forums, but have been unable to locate it.

        While learning more about DNSSEC, I ran across this addon as well:

        Extended DNSSEC Validator
        https://os3sec.org/

        I've been playing around with both as well as reading info about them and trying to figure out the pros/cons of using one or the other. From what I can tell the Extended DNSSEC Validator seems to be more robust by checking TLSA records as well as TXT records when compared to the DNSSEC Validator by CZ.NIC Labs. Does anyone else have experience with these addons and what they think of them?



        • #5
          Re: DEF CON DNSSEC

          Originally posted by Griff1371
          I'm currently using this Firefox addon

          DNSSEC Validator
          http://www.dnssec-validator.cz/

          to check for DNSSEC, and I'm pretty sure I found it through something on the forums, but have been unable to locate it.

          While learning more about DNSSEC, I ran across this addon as well:

          Extended DNSSEC Validator
          https://os3sec.org/

          I've been playing around with both as well as reading info about them and trying to figure out the pros/cons of using one or the other. From what I can tell the Extended DNSSEC Validator seems to be more robust by checking TLSA records as well as TXT records when compared to the DNSSEC Validator by CZ.NIC Labs. Does anyone else have experience with these addons and what they think of them?
          I've used DNSSEC Validator by CZ.NIC and found it convenient with checks done while the web page is loading. Using it really showed the small number of sites with DNS Servers that support DNSSEC. Several times I've seen it show failure (orange, not green) for poorly configured domains/zones, bad records with a registrar, or replication problems. Gov sites I've visited have been more likely to support DNSSEC and have it properly configured.

          I saw the new DNSSEC plugin, but the early reviews were not favorable. I saw complaints about delays and how long the user had to wait for checks to be completed with this new plugin. I'll probably let other people be the beta testers and then try it out in a few months.

          When properly configured, these kinds of plugins may only be useful for debugging or for people that do not have and use only DNSSEC-enabled DNS Servers with their OS and applications.

          A buddy in Europe uses an ISP that supports DNSSEC. When he tried to web browse to, or "dig" a domain name that had DNS Servers that supported DNSSEC, BUT the configuration was broken, keys were out-of-date/expired, or other issues existed, my buddy's ISP resolved the lookup with a failure. This prevented him from even seeing any web pages load, or "dig" a FQDN to an IP address. Another guy in Washington (State, US) found similar results because his ISP used and enforced DNSSEC validation restrictions. (I know this, because a process I set up to automate key work failed, causing the keys I was using to be expired for one domain.)

          People with this plugin can get away with NOT using DNSSEC-enabled DNS Servers, but then have to rely on a limited list of DNSSEC validating resolvers, or have an IP address they can use instead for a server they use. This raises a question:
          "if they have an IP address for a DNSSEC-enabled DNS Server to enter into their plugin for checking, then why don't they configure their OS to use that same DNS for the system and resolution, and as a result improve the security of other applications by relying on a DNS Server that is enforcing restrictions based on what it observes as problems with following the chain of trust?"

          I can understand the value of it for testing, debugging, and as a way for researchers of attacks and malware to still visit "bad sites" by using DNS Servers that don't enforce restrictions with resolution based on failures to establish trust. I can also understand how someone might use it as they are looking to integrate DNSSEC, or are technical and interested in this. However, a majority of people *could* benefit by having their OS only use DNSSEC-enabled DNS Servers.

          Having people ONLY use DNSSEC-enabled DNS Servers is where a problem will happen with DNSSEC...

          If you have worked in IT, or even been support for friends and family, you have probably encountered people that unwisely try really hard to open malware, especially trojans.

          "But Aunt Jenny sent me this attachment and the text of her message makes it sound really awesome! My AV software is telling me it is bad, but I want to see it anyway! Aunt Jenny wouldn't send me something bad, so I disabled the AV software so I could see it. Now my computer seems to not be working like it once did."

          People will try really hard to bypass security, even when that security tells them there is a risk with the action they want to perform. The same may happen with DNSSEC enabled DNS Servers. Some Network Admin or Sysadmin fails to update their keys, or breaks the DNS config in some way to break DNSSEC, and suddenly, everyone that wanted to access hosts using this domain can't get to them because their DNSSEC-enabled DNS Servers are not resolving the IP address for them. Never fear! Their buddy on twitter, IM, SMS says they can change their DNS to a non-DNSSEC-enabled server [in China, Iran, Mafia-Town, EvilHacker-City] that won't stop them from viewing the latest LOL-cat video their Aunt Jenny emailed them about.

          I think Comcast (maybe another ISP) altered their DNSSEC-enabled DNS to resolve to a special IP bound to a server that answers requests for any domain name, but instead of showing you the content of http://fqdn/ they show you an error message telling you about DNSSEC and why you are on this page instead of the site you wanted to see.

          This will additionally create more work for support people.

          It is likely that slow adoption will continue to be an issue with DNSSEC until the cost of NOT having it is greater than the cost of installing it, supporting it, and the cost of customer satisfaction when there is down-time.

          Why this long tangent in discussion?

          The value of these plugins is proportional to the number of sites people visit where validating a domain name lookup matters. My viewing habits cause me to be lucky if I visit 5 sites in one day that support DNSSEC, and I visit many, many sites.

          The value of these plugins is eliminated if the DNS Servers being used by the OS and applications support DNSSEC and enforce restrictions when problems are found in validating lookups with DNS Servers that support DNSSEC and serve the domains being looked up and the registrar for that domain name has registered their keys.

          Fun? Yes. Draw attention to DNSSEC? Maybe. Debugging tool for admin? Sure. Aid for malware testers visiting "evil" sites on purpose? Yep. Value for most users lacking curiosity in such things? Not so much.

          I have been short-sighted in the past. Maybe I am being short-sighted right now. You or anyone else should feel free to argue the value of these plugins, and what their target audience would be. Maybe "you" (anyone choosing to reply) can provide other uses for these plugins that I have not considered.

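Post #3 lists what has to be true before a check shows "validated" (a resolver that understands DNSSEC, a signed zone, a DS at the parent), and post #5 describes the opposite failure, where a validating ISP resolver answers SERVFAIL for a zone with expired keys. The following is an added example, not code from the thread, that turns those observations into a small classifier over dig-style output. It assumes two constructed responses per name: one from a query with the DO bit (`dig +dnssec`) and one with checking disabled as well (`dig +dnssec +cd`), which asks the resolver to answer even when validation fails; the sample responses are built inline and are not real captures.

```python
# Added example: classify a lookup from what a validating check actually saw.
# Inputs are dig-style text for a normal (+dnssec) query and a +cd query of the same name.
import re


def parse_dig(output: str) -> dict:
    """Pull rcode, header flags and RRSIG presence out of dig-style text."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "flags": set(flags.group(1).split()) if flags else set(),
        "rrsig": "\tRRSIG\t" in output,
    }


def classify(normal: str, cd: str) -> str:
    """Map (normal answer, checking-disabled answer) to one of five states."""
    n, c = parse_dig(normal), parse_dig(cd)
    if n["status"] == "NOERROR" and "ad" in n["flags"]:
        return "secure"       # resolver walked the chain of trust and set AD
    if n["status"] == "SERVFAIL" and c["status"] == "NOERROR":
        return "bogus"        # data exists but fails validation (expired RRSIG, DS mismatch, ...)
    if n["status"] == "NOERROR" and n["rrsig"]:
        return "unvalidated"  # signatures returned but unchecked: non-validating resolver, or no DS at parent
    if n["status"] == "NOERROR":
        return "no-dnssec"    # DO bit ignored (proxy/NAT router) or zone not signed at all
    return "failure"          # SERVFAIL with and without CD: not a DNSSEC problem


def sample(status: str, flags: str, rrsig: bool) -> str:
    """Build a constructed dig-style response (sample data for this example, not a capture)."""
    rr = "defcon.org.\t300\tIN\tA\t192.0.2.10\n"
    if rrsig:
        rr += ("defcon.org.\t300\tIN\tRRSIG\tA 8 2 300 20111001000000 20110901000000 "
               "12345 defcon.org. c29tZS1zaWc=\n")
    return (f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
            f";; flags: {flags}; QUERY: 1, ANSWER: {2 if rrsig else 1}, AUTHORITY: 0, ADDITIONAL: 1\n"
            ";; ANSWER SECTION:\n" + (rr if status == "NOERROR" else ""))


if __name__ == "__main__":
    # The post-#5 case: validating resolver refuses, the +cd query reveals the signed-but-broken data.
    print(classify(sample("SERVFAIL", "qr rd ra", False), sample("NOERROR", "qr rd ra cd", True)))
```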


          • #6
            Re: DEF CON DNSSEC

            Comcast is my ISP and I have my OS set to use their DNSSEC server, but I haven't run into specific error messages that look like it was set up through Comcast if a site was unable to resolve the DNS through the DNSSEC server. I've run into one maybe two sites that failed to load but it looked more like the site's key was broken or misconfiguration from the error message and not a Comcast set up page.

            I've been using the plugin more as a visual notification for myself so I know if the site is DNSSEC secured or not. Similar to the padlock on Firefox for notifying the user the page is HTTPS. I agree that the Extended DNSSEC plugin doesn't seem to work as efficiently as the CZ.NIC one, which is why I've been using that more often than not. I think that once DNSSEC becomes more widespread in use (I've gone to the tracker links you posted and noticed a slow but steady increase in the use) and

            Originally posted by TheCotMan
            the cost of NOT having it is greater than the cost of installing it
            becomes true, the use of the plugins for things other than research will start to fade out. To me it seems like it may be one of those things that's subtly slipped into the under workings of the net where the common user is completely unaware. Such as with HTTPS, most people know these days that it's a more secure way of communication (online banks, online shopping, etc) even if they don't understand the inner workings of it. I feel that something similar may happen with DNSSEC, where major ISPs will automatically move to using DNSSEC servers instead of regular DNS servers with the general user being completely unaware. Unless they happen to go to a site that has been flagged as a spoofing site by either the ISP or browser as they become more known and the user is given a generic message that it's a potentially dangerous site.

            The thing with users trying as hard as possible to work around built in security measures is something I think that needs to be ingrained into society in general. For example, everyone knows that it's a good idea to lock their car after parking it downtown, or lock their house/apartment when they leave for the day. That's because of the decades of these practices being in use in society. As we get further into the digital age, and more things go electronic, this type of mentality will start to integrate itself into society that it's just a good idea to do or not do certain things when using the Internet and computers.



            • #7
              Re: DEF CON DNSSEC

              Originally posted by Griff1371
              Comcast is my ISP and I have my OS set to use their DNSSEC server, but I haven't run into specific error messages that look like it was set up through Comcast if a site was unable to resolve the DNS through the DNSSEC server. I've run into one maybe two sites that failed to load but it looked more like the sites key was broken or misconfiguration from the error message and not a Comcast set up page.
              Perhaps things have changed:

              URL1
              Originally posted by URL1
              What happens to Comcast Domain Helper, which offers DNS redirect services, when you fully implement DNSSEC?

              We believe that the web error redirection function of Comcast Domain Helper is technically incompatible with DNSSEC.
              Comcast has always known this and plans to turn off such redirection when DNSSEC is fully implemented.
              The production network DNSSEC servers do not have Comcast Domain Helper's DNS redirect functionality enabled.
              We recently updated our IETF Internet Draft on this subject, available at http://tools.ietf.org/html/draft-livingood-dns-redirect, to reflect this.
              It is possible they had a page for DNSSEC error during testing, but removed it.

              More recent documents agree with a claim that their redirection service/helper is incompatible with DNSSEC.

              More support in browsers would be needed to explain why a site did not load if the cause was DNSSEC related. Some might even choose something like: "We are not loading this site to protect you. If you know what you are doing, you can continue." If they did, they would need to use a different DNS that did not enforce DNSSEC checks to "allow them to continue anyway." If a majority of ISPs moved to offer DNSSEC on their DNS with enforcement of DNSSEC for validation and checking, then I would bet that a plugin to allow users to use a non-DNSSEC DNS to let them, "continue," would be more popular than these plugins that provide more details on DNSSEC enabled hostnames when visiting websites.



              • #8
                Re: DEF CON DNSSEC

                Originally posted by TheCotMan
                Perhaps things have changed:

                URL1

                It is possible they had a page for DNSSEC error during testing, but removed it.

                More recent documents agree with a claim that their redirection service/helper is incompatible with DNSSEC.
                That would explain why I didn't see a redirect page as the dates in that FAQ were a year ago and by now they have rolled out DNSSEC servers to everybody. Or at least those customers using the certain services they mentioned, which I do not seem to be a part of. When I manually point my DNS to 75.75.75.75 the DNS is secured, when I have it set to automatically choose a DNS server I get the DNSSEC warnings through both the plugin and the http://test.dnssec-or-not.org/ test page.

                I wonder how many other major ISPs are rolling out DNSSEC like Comcast. Either way, you make a good point about having a check to use non-DNSSEC servers if the user really wants to (for legit security research or ignorant users wanting to see the latest LOL-cat video that's really a malicious site). I'm thinking it probably will eventually be built into the browser (like the HTTPS warning pages) if DNSSEC becomes the standard.
