lost and found ( for me ? )

Continued: DNS-based Blocking and DNSSEC

About the problem where, with a BIND cache server and DNSSEC in use between the cache server and the authoritative servers, DNSSEC validation fails and the client gets SERVFAIL: I found a way to work around it...

If the fake-answer DNS that the cache forwards to is also made DNSSEC-capable, and the cache server is given the trusted-keys of the fake zone created on the fake-answer DNS, name resolution works.

・NG (SERVFAIL)

               fake-answer DNS ( bad.test.co.jp = 1.1.1.1 )
                    | ← fake answers: the cache server forwards to the fake-answer DNS. non-DNSSEC
resolver --- cache --- internal root
                             internal  jp
     test.co.jp
    ( good site www.test.co.jp = 192.0.2.2 , bad site bad.test.co.jp = 192.0.2.4 )


・OK (name resolution succeeded)

Make the fake-answer DNS DNSSEC-capable.
Register the fake key created on the fake-answer DNS (the key for bad.test.co.jp) on the cache, so that DNSSEC validation between the cache and the fake-answer DNS succeeds.

               fake-answer DNS ( bad.test.co.jp = 1.1.1.1 )
                    | ← fake answers: the cache server forwards to the fake-answer DNS. DNSSEC
resolver --- cache --- internal root
                             internal  jp
     test.co.jp
    ( good site www.test.co.jp = 192.0.2.2 , bad site bad.test.co.jp = 192.0.2.4 )


The cause: when the cache queried the fake-answer DNS (11.134), the fake-answer DNS (11.134) did not support DNSSEC, so it returned a non-DNSSEC response (lines 2 and 3 of the capture below).
Line 1 is resolver -> cache server.

The cache server does support DNSSEC, but because a non-DNSSEC answer came back from the fake-answer DNS, DNSSEC validation goes off to the real NS (apparently this is what happens when forward is in use) (line 4 onward).

So I figured that if the fake-answer DNS returned a DNSSEC response and validation succeeded, the queries from line 4 onward would not occur. When I actually tried it, the queries from line 4 onward stopped and name resolution worked.
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.000863 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.003087 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.004199 192.168.11.133 -> 192.168.11.130 DNS Standard query DS jp
 0.004558 192.168.11.133 -> 192.168.11.130 DNS Standard query NS
 0.005199 192.168.11.130 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.005264 192.168.11.130 -> 192.168.11.133 DNS Standard query response NS x.root-servers.net RRSIG
 0.006194 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY
 0.007366 192.168.11.130 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.008542 192.168.11.133 -> 192.168.11.130 DNS Standard query DS co.jp
 0.009785 192.168.11.130 -> 192.168.11.133 DNS Standard query response
 0.012937 192.168.11.133 -> 192.168.11.131 DNS Standard query DS co.jp
 0.013964 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.014867 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY jp
 0.016094 192.168.11.131 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.018170 192.168.11.133 -> 192.168.11.131 DNS Standard query DS test.co.jp
 0.019111 192.168.11.131 -> 192.168.11.133 DNS Standard query response DS DS RRSIG
 0.020028 192.168.11.133 -> 192.168.11.131 DNS Standard query DS bad.test.co.jp
 0.021019 192.168.11.131 -> 192.168.11.133 DNS Standard query response
 0.021402 192.168.11.133 -> 192.168.11.132 DNS Standard query DS bad.test.co.jp
 0.022447 192.168.11.132 -> 192.168.11.133 DNS Standard query response
 0.022876 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.023848 192.168.11.132 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.025958 192.168.11.133 -> 192.168.11.135 DNS Standard query response, Server failure
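As an added example (not from the original post), here is a small Python script that reads tshark summary lines like the ones above and reports which servers other than the forwarder the cache asked for DS/DNSKEY (the validator walking the real chain), together with the last response the cache sent its client. The capture excerpts embedded in it are constructed from the two captures in this post; the cache and forwarder addresses are passed in as parameters.

```python
import re

# Constructed excerpts modelled on the two tshark captures in this post: the
# SERVFAIL run (forwarder answers unsigned) and the run with the signed forwarder.
FAIL_CAPTURE = """\
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.000863 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.003087 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1
 0.004199 192.168.11.133 -> 192.168.11.130 DNS Standard query DS jp
 0.006194 192.168.11.133 -> 192.168.11.130 DNS Standard query DNSKEY
 0.014867 192.168.11.133 -> 192.168.11.131 DNS Standard query DNSKEY jp
 0.022876 192.168.11.133 -> 192.168.11.132 DNS Standard query DNSKEY test.co.jp
 0.025958 192.168.11.133 -> 192.168.11.135 DNS Standard query response, Server failure
"""
OK_CAPTURE = """\
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.005284 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.006707 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1 RRSIG
 0.007513 192.168.11.133 -> 192.168.11.134 DNS Standard query DNSKEY bad.test.co.jp
 0.008840 192.168.11.134 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.011457 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1
"""

# One tshark summary line: time, src -> dst, "Standard query" or "Standard query response", rest
LINE_RE = re.compile(r"^\s*[\d.]+ (?P<src>\S+) -> (?P<dst>\S+) DNS Standard query"
                     r"(?P<resp> response)?[, ]*(?P<rest>.*)$")

def parse(capture):
    """Yield one dict per parsable line; 'resp' is True for responses."""
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["resp"] = ev["resp"] is not None
            yield ev

def chain_fetches(capture, cache_ip, forwarder_ip):
    """Return (servers, final): the servers other than the forwarder that the
    cache asked for DS/DNSKEY (the validator walking the real delegation chain),
    and the text of the last response the cache sent back to its client."""
    servers, final = set(), None
    for ev in parse(capture):
        if ev["src"] != cache_ip:
            continue
        if ev["resp"]:
            final = ev["rest"]
        elif ev["rest"].split(" ")[0] in ("DS", "DNSKEY") and ev["dst"] != forwarder_ip:
            servers.add(ev["dst"])
    return sorted(servers), final
```

An empty server list with a normal final answer is the "line 4 onward does not occur" case described above; a populated list ending in "Server failure" is the NG case.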


I guess it goes something like this...

・Cache server: BIND 9.7.0-P1 with forward only; fake-answer DNS made DNSSEC-capable; the key for the fake bad.test.co.jp answer, created on the fake-answer DNS, registered on the cache server

Read the table row by row.

For example, with a non-DNSSEC resolver, a non-DNSSEC cache, and DNSSEC-capable authoritative servers,
www.test.co.jp gets its answer from the test.co.jp NS, and bad.test.co.jp gets its answer from the fake-answer DNS.

Resolver   | Cache (BIND) | Authoritative (BIND) | www.test.co.jp (answer from the real NS) | bad.test.co.jp (answer from the fake-answer DNS)
non-DNSSEC | non-DNSSEC   | DNSSEC               | resolves OK                              | resolves OK, fake answer
DNSSEC     | non-DNSSEC   | DNSSEC               | resolves OK                              | resolves OK, fake answer
non-DNSSEC | DNSSEC       | DNSSEC               | resolves OK, DNSSEC validation OK        | resolves OK, fake answer; the fake answer is non-DNSSEC
DNSSEC     | DNSSEC       | DNSSEC               | resolves OK, DNSSEC validation OK        | resolves OK, fake answer; the fake answer is DNSSEC-signed; validation fails if the resolver itself validates with its own key



・Fake-answer DNS

Changed the zone to the signed one:
zone "bad.test.co.jp" in {
       type master;
#       file "bad.test.co.jp.db";
       file "bad.test.co.jp.db.signed";
};


The fake-answer DNS answers like this:
root@ubuntu-5:~# dig @127.1 bad.test.co.jp +dnssec

; <<>> DiG 9.7.0-P1 <<>> @127.1 bad.test.co.jp +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26052
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         0       IN      A       1.1.1.1
bad.test.co.jp.         0       IN      RRSIG   A 5 4 0 20101124012701 20101025012701 51063 bad.test.co.jp. JfZ2Pqtd9nkisHRbZRjua67gjo4CpBnGhvoFkNvgvK3Ul4Brf5CoTVfU idWaI6oj9SHFxU10egWDDB9xHfT4CDZjVJSSrdsMk9Zfjn9XZtXL6VpO 6x+Q3Onb5f4wgHijk5nyIK436/rOB7z4+Vbi4IEwX2WSfpFW0vk5D16a YEQ=


・Cache server

Add to trusted-keys the fake key (the key generated on the fake-answer DNS) for bad.test.co.jp, the FQDN specified for forwarding.
This trusted-keys entry was generated on the fake-answer DNS.
trusted-keys {
"." 257 3 5 "AwEAAeEk9j1Bp2rVnZRosH+0xtXy9d6QbBMXEbmkzsCutyXkdDRSaGaP GePkuQOkA+kgYPNuI2OnwD5vEIglUaDRlBerOOXXuL3KrGkNENTAbFiY X6Vl0ph23uwESZkpNC7YtU5J4oOVNX/j5Bnj3Y5wqLDLoWsQVk80jvLR 071gISC3fMhznGC3YcAEsZPj73BfDJyEEeMS8cdqZUAPTFdR4H2EfIwt I+IMRjbItwRaB1WQWV+wIMaOjdOxWU5cmm/XwPd0whZaqfHyXhVG/EHj c3xGtz/9+zhYFueTalS2a4bxw/7Ibz6erEn02iI1ub5nHe1TN/fB9sA2 CRTNzfBeUC8=";
};

# fake trusted-key made on fake DNS server
trusted-keys {
"bad.test.co.jp." 257 3 5 "AwEAAb3XaX5IXcHh63Vhg/c5hnIWYGr//WHOamG8/aBmOszW6XhW7fWh akZRcGlbz4dLbV9KYZJywRgMIPQMxza/KmP9BStQ1IUPp4yzZG0JAHW0 cSvvg72qpepFLG+l2nnVEcVcPZABgFl2qw3XDrAicBufsVbrtqeEddPW KxhjtWmcqnPNEANCnON8sG79rdTEgkLd46tPBTAqvlBe81zzuByUdhiN harOl+3kA+uLjZXtv66j0CsyUj760ZqcG47VgsKOtmG2Oc5ureDmX+2d B2031o7GUwmAFELiTJ8I0aGvzEPPlNPoCrR35z0KL/rATbK4jGBx3o5k VQS1LXyVBJ8=";
};


・dig from the resolver

First, check that a normal answer can be obtained:
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34312
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.co.jp.                        IN      A

;; ANSWER SECTION:
www.test.co.jp.         600     IN      A       192.0.2.2

;; AUTHORITY SECTION:
test.co.jp.             600     IN      NS      ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp.          600     IN      A       192.168.11.132


A DNSSEC query is also OK:
root@ubuntu-6:~# dig @192.168.11.133 www.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 www.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40684
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.test.co.jp.                IN A

;; ANSWER SECTION:
www.test.co.jp.         600 IN A 192.0.2.2
www.test.co.jp.         600 IN RRSIG A 5 4 600 20101205002136 (
                               20101105002136 31620 test.co.jp.
                               REDHv9qdhfDvXMaDi1y8xVYdo3U26PI0b9gJ6m36HZF4
                               4sFk/nuBZHNcFmce6vLOedS7yxNqJyJyw8+cVjlqcKK0
                               2CsG9//Kn2VixhEAX23CXCjG+0bBPyHFcswy2bn7YB3i
                               pCs0NMqr5gVfkbNfoPMyz4PHNIcrNI7b/gV544U= )

;; AUTHORITY SECTION:
test.co.jp.             600 IN NS ns.test.co.jp.
test.co.jp.             600 IN RRSIG NS 5 3 600 20101205002136 (
                               20101105002136 31620 test.co.jp.
                               RbF94QYUa/z5fGuLU0GgDpOP6UK+ah7atC4Z9DXSGFcn
                               DOrdL5Bygxf3ghqKzbGVEJAqWxKIbTIxQY3zMyjxvefW
                               JqZK7ToBJZuSbmD+AHyBPENWARbMhZ5DoZQiXkbC4pPi
                               x0haUKJpJTylsBCBzFmG5UDazyojK23QoYfFBbM= )

;; ADDITIONAL SECTION:
ns.test.co.jp.          600 IN A 192.168.11.132
ns.test.co.jp.          600 IN RRSIG A 5 4 600 20101205002136 (
                               20101105002136 31620 test.co.jp.
                               hJWSDJmTEv1yu4Kfd0k3NE/1vOaN1b6JfVl3bjLKOIfG
                               LmRoRjdt56xxORhbFKGRDz78ajuQyRToTO23afLpC6iV
                               VTalpgzLl9+FDDPWNmRikFs0Yh7zJ8PdEjTqaIaSBMoi
                               HIDPMgUPeyOiAT/H8cQeu+kohSORWOAy49fd5xc= )


Marked as secure:
root@ubuntu-4:~# egrep -i secure /var/cache/bind/dnssec.log
05-Nov-2010 01:57:25.215 debug 3: validating @0xb9a5d868: . DNSKEY: signed by trusted key; marking as secure
05-Nov-2010 01:57:25.216 debug 3: validating @0xb9a50fe8: . NS: marking as secure, noqname proof not needed
05-Nov-2010 01:57:25.225 debug 3: validating @0xb9a5dd50: jp DS: marking as secure, noqname proof not needed
05-Nov-2010 01:57:25.226 debug 3: validating @0xb9a5d2d8: jp DNSKEY: marking as secure (DS)
05-Nov-2010 01:57:25.227 debug 3: validating @0xb9a5c860: test.co.jp DS: marking as secure, noqname proof not needed
05-Nov-2010 01:57:25.229 debug 3: validating @0xb9a57340: test.co.jp DNSKEY: marking as secure (DS)
05-Nov-2010 01:57:25.229 debug 3: validating @0xb9a50fe8: www.test.co.jp A: marking as secure, noqname proof not needed


Next, check whether the answer for bad.test.co.jp is rewritten to 1.1.1.1. The cache is not flushed.

Resolver - cache: non-DNSSEC
Cache - authoritative servers: DNSSEC
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2586
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;bad.test.co.jp.                        IN      A

;; ANSWER SECTION:
bad.test.co.jp.         0       IN      A       1.1.1.1

;; AUTHORITY SECTION:
test.co.jp.             473     IN      NS      ns.test.co.jp.

;; ADDITIONAL SECTION:
ns.test.co.jp.          473     IN      A       192.168.11.132


Because the fake-answer DNS supports DNSSEC and the cache server has loaded the trusted-keys generated on the fake-answer DNS (the trusted-keys for bad.test.co.jp), DNSSEC validation between the cache and the fake-answer DNS succeeds. Since validation succeeded, no validation runs against the real NS.
root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.005284 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.006707 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1 RRSIG
 0.007513 192.168.11.133 -> 192.168.11.134 DNS Standard query DNSKEY bad.test.co.jp
 0.008840 192.168.11.134 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.011457 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1

root@ubuntu-4:~# egrep -i secure /var/cache/bind/dnssec.log
05-Nov-2010 01:59:32.487 debug 3: validating @0xb9a5d868: bad.test.co.jp DNSKEY: signed by trusted key; marking as secure
05-Nov-2010 01:59:32.488 debug 3: validating @0xb9a50fe8: bad.test.co.jp A: marking as secure, noqname proof not needed
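An added example, not from the original post: a checker for BIND's dnssec.log that separates zones whose DNSKEY was accepted straight from a configured trusted key ("signed by trusted key", as bad.test.co.jp is here) from zones whose DNSKEY was chained from the parent's DS ("marking as secure (DS)"), so that trust anchors below the root are easy to spot. The sample log lines are constructed from the excerpts in this post; the allow-list of expected anchors is a parameter.

```python
import re

# Constructed lines modelled on the dnssec.log excerpts in this post
# (the www.test.co.jp lookup, then the bad.test.co.jp lookup).
SAMPLE_LOG = """\
05-Nov-2010 01:57:25.215 debug 3: validating @0xb9a5d868: . DNSKEY: signed by trusted key; marking as secure
05-Nov-2010 01:57:25.225 debug 3: validating @0xb9a5dd50: jp DS: marking as secure, noqname proof not needed
05-Nov-2010 01:57:25.226 debug 3: validating @0xb9a5d2d8: jp DNSKEY: marking as secure (DS)
05-Nov-2010 01:57:25.229 debug 3: validating @0xb9a57340: test.co.jp DNSKEY: marking as secure (DS)
05-Nov-2010 01:57:25.229 debug 3: validating @0xb9a50fe8: www.test.co.jp A: marking as secure, noqname proof not needed
05-Nov-2010 01:59:32.487 debug 3: validating @0xb9a5d868: bad.test.co.jp DNSKEY: signed by trusted key; marking as secure
05-Nov-2010 01:59:32.488 debug 3: validating @0xb9a50fe8: bad.test.co.jp A: marking as secure, noqname proof not needed
"""

# "validating @0x...: <name> <rtype>: <message>"
LINE_RE = re.compile(r"validating @0x[0-9a-f]+: (?P<name>\S+) (?P<rtype>\S+): (?P<msg>.*)$")

def dnskey_origins(log):
    """Map each zone whose DNSKEY was validated to how it was accepted:
    'anchor' (matched a configured trusted key) or 'ds' (chained from parent DS)."""
    origins = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m["rtype"] != "DNSKEY":
            continue
        if "signed by trusted key" in m["msg"]:
            origins[m["name"]] = "anchor"
        elif "(DS)" in m["msg"]:
            origins[m["name"]] = "ds"
    return origins

def unexpected_anchors(log, allowed=(".",)):
    """Zones accepted straight from a trusted key that are not on the allow-list.
    A hit means the cache sets AD for that zone on the strength of a local key,
    whatever the real delegation chain from the root says about it."""
    return sorted(name for name, how in dnskey_origins(log).items()
                  if how == "anchor" and name not in allowed)
```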


DNSSEC query

Resolver - cache - authoritative servers: DNSSEC
The rewritten answer below was obtained.
Validation between the cache and the fake-answer DNS succeeds, so the ad bit is set.
root@ubuntu-6:~# dig @192.168.11.133 bad.test.co.jp +dnssec +multiline

; <<>> DiG 9.7.0-P1 <<>> @192.168.11.133 bad.test.co.jp +dnssec +multiline
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1733
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bad.test.co.jp.                IN A

;; ANSWER SECTION:
bad.test.co.jp.         0 IN A  1.1.1.1
bad.test.co.jp.         0 IN RRSIG A 5 4 0 20101124012701 (
                               20101025012701 51063 bad.test.co.jp.
                               JfZ2Pqtd9nkisHRbZRjua67gjo4CpBnGhvoFkNvgvK3U
                               l4Brf5CoTVfUidWaI6oj9SHFxU10egWDDB9xHfT4CDZj
                               VJSSrdsMk9Zfjn9XZtXL6VpO6x+Q3Onb5f4wgHijk5ny
                               IK436/rOB7z4+Vbi4IEwX2WSfpFW0vk5D16aYEQ= )

;; AUTHORITY SECTION:
test.co.jp.             205 IN NS ns.test.co.jp.
test.co.jp.             205 IN RRSIG NS 5 3 600 20101205002136 (
                               20101105002136 31620 test.co.jp.
                               RbF94QYUa/z5fGuLU0GgDpOP6UK+ah7atC4Z9DXSGFcn
                               DOrdL5Bygxf3ghqKzbGVEJAqWxKIbTIxQY3zMyjxvefW
                               JqZK7ToBJZuSbmD+AHyBPENWARbMhZ5DoZQiXkbC4pPi
                               x0haUKJpJTylsBCBzFmG5UDazyojK23QoYfFBbM= )

;; ADDITIONAL SECTION:
ns.test.co.jp.          205 IN A 192.168.11.132
ns.test.co.jp.          205 IN RRSIG A 5 4 600 20101205002136 (
                               20101105002136 31620 test.co.jp.
                               hJWSDJmTEv1yu4Kfd0k3NE/1vOaN1b6JfVl3bjLKOIfG
                               LmRoRjdt56xxORhbFKGRDz78ajuQyRToTO23afLpC6iV
                               VTalpgzLl9+FDDPWNmRikFs0Yh7zJ8PdEjTqaIaSBMoi
                               HIDPMgUPeyOiAT/H8cQeu+kohSORWOAy49fd5xc= )

root@ubuntu-4:~# tshark -i eth0 port 53
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 0.000000 192.168.11.135 -> 192.168.11.133 DNS Standard query A bad.test.co.jp
 0.000618 192.168.11.133 -> 192.168.11.134 DNS Standard query A bad.test.co.jp
 0.002023 192.168.11.134 -> 192.168.11.133 DNS Standard query response A 1.1.1.1 RRSIG
 0.002789 192.168.11.133 -> 192.168.11.134 DNS Standard query DNSKEY bad.test.co.jp
 0.004037 192.168.11.134 -> 192.168.11.133 DNS Standard query response DNSKEY DNSKEY DNSKEY RRSIG RRSIG
 0.006700 192.168.11.133 -> 192.168.11.135 DNS Standard query response A 1.1.1.1 RRSIG


When the resolver validates using the publicly published key, it does not have the fake-answer DNS's key (the key for bad.test.co.jp), so validation fails:
root@ubuntu-6:~# unbound-host -v -r -F dnskey_root.txt -t a bad.test.co.jp
bad.test.co.jp has address 1.1.1.1 (BOGUS (security failure))
validation failure : misc failure
