DNS Workshop

Friday Dec 23, 2011

BIND installer packages for MacOS X 10.4/10.5 PowerPC (ppc)

Apple does not provide update to older MacOS X versions (such as 10.4 "Tiger") anymore. However these machines are still good to run a caching or an authoritative DNS Server.

MacOS X comes with ISC BIND pre-installed, but without security updates, running an old version of BIND on MacOS X is a risk.

To find out the current version of BIND installed on a machine, open the Terminal.app and enter "named -v":

$ named -v
BIND 9.4.2-P2

Men & Mice is offering installation packages for MacOS X 10.4 containing the latest BIND versions. The installer packages can be downloaded for free from http://support.menandmice.com/download/bind/macosx/10.4-Tiger/.

If you are running a BIND DNS Server on MacOS X, please check the version you're running and upgrade if the version if outdated. The BIND security matrix lists all known security issues with BIND versions.

Sunday Jul 03, 2011

Compiler options for creating secure DNS Server binaries (on Linux)

DNS server, as these processes recieving data from untrusted sources in the network, are vulnerable for attacks that exploit security proplems in the DNS servers program code. Special crafted DNS packets can trigger a software bug in the DNS servers code and which will execute code contained in the received data, allowing the attacker to change the behavior of the DNS software or even break into the operating system running the server.

Modern Linux systems contain exploit mitigation techniques that make it harder for attackers to sucessfully launch such attack. However most of this functions are not enabled by default, but must be enabled during compile time. This is especially imnportant if the DNS server software is custom compiled and not taken from the Linux distribution vendor. But even the binaries supplied by a Linux distribution might not have all the exploit mitigation security functions enabled.

The folks at NESO Security Labs have published a script that can be used to test existing binaries for the enabled security functions (checksec.sh script).

The screenshot below shows a BIND nameserver binary (named) with only some of the security functions enabled, and an Unbound nameserver binary that has all of the functions enabled:

The functions in detail:


RELRO rearranges the data sections inside an ELF (Linux executable file format) executable. It also marks certain areas as 'read-only' so that these data structures cannot be overwritten while the process is running.

Details about RELRO can be found in the blog post RELRO - A (not so well known) Memory Corruption Mitigation Technique.

There are two flavors of RELRO, 'partial' and 'full'. Only 'full RELRO' offers all security measures and is recommended.

Stack canary

A STACK CANARY is a special datastructure with a distinct bit-pattern that is placed in front of important data on the stack, for example in front of the return address of an subroutine call. A popular attack is to overwrite (using a buffer overflow or similar problems) the return address of a subroutine call, so that the execution process is redirected to execute program code injected by the attacker.

When using a stack canary, the operating system will check if the bit pattern placed in front of the stack datastructure is still intact (and not overwritten). Only if this is true, the jump through the return address will be taken. The named 'stack canary' comes from canary birds used in early mining operations, where the birds where used as in indicator that the air under ground is becoming foul. See GCC Stack-Smashing Protector (ProPolice) on how the canary is implemented in the GCC compiler suite.

NX bit

NX enabled refers to the NX (non-execute) or XD (execute disable) flags found in modern x86 CPUs (Intel and AMD). The NX flag are used to mark memory areas that only contain data (and no program code) as 'off-limit' for the CPUs instruction fetch. The data stored in this areas marked cannot be executed as a program by the CPU. Because this flag is implemented directly in the CPU, it has no overhead compared to exploit mitigation functions implemented in software. Some Linux systems running on hardware that does not support a 'no-execute' flag emulate this function in software.
See Wikipedia on NX bit.

PIE - Position independent code

PIE stands for 'Position Independent Executable' and describes a function where the operating system can load certain parts of the application at random positions inside the computers address space. In some attacks the attacker needs to know beforehand on which memory location a datastructure will be loaded (e.g. to jump into code that has been written using a buffer overflow). By having the operating system load the program code into different locations every time, the attacker cannot predict the memory location, which makes it harder to write a sucessful exploit.

Fortify source

In addition to the technologies above, the GCC C-Compiler can analyse the source code to be compiled and detect certain insecure sections (that might create a security problem). The compiler will replace the insecure function calls with special hardened code that will perform extra runtime checks while the process is executed. This is called FORTIFY SOURCE.

Compiler- and Linker-Flags

To enable these exploit mitigation functions in compiled binaries, special flags must be specified for the compiler (gcc) and linker.

  • RELRO: LDLFAGS="-z relro -z now"
  • STACK CANARY: CFLAGS="-fstack-protector" LDFLAGS="-fstack-protector"
  • NX: is enabled on the OS and BIOS level, but can be disabled in the ELF file. It should be enabled by default if not manually disabled for a binary.


example linker flags (32bit/64bit):

LDFLAGS="$LDFLAGS -fPIC -pie -z relro -z now -fstack-protector"

example c-compiler flags (32bit):

CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector -fPIE -fPIC --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=i686 -fasynchronous-unwind-tables"

example c-compiler flags (64 bit):

CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector -fPIE -fPIC --param=ssp-buffer-size=4 -m64 -mtune=generic"

Of course the exploit mitigation techniques described here are also valid for all networked applicartions (such as SSH, webserver, NTP ...), not only for DNS server. But this is the DNS workshop ...


Wednesday Mar 16, 2011

RIPE E-Learning module 2 - DNS Vulnerabilities and the 'Kaminsky attack'

The RIPE Training team has released a new eLearning course on DNS Vulnerabilities and the 'Kaminsky attack'. The course can be found at http://www.ripe.net/lir-services/training/e-learning/dnssec/dns-vulnerabilities (requires flash).

This new module explains DNS 'man-in-the-middle' attacks as well as the 'Kaminsky style' cache poisoning attacks.

Screenshot of RIPE eLearning course

Saturday Feb 19, 2011

Configure DLV (DNSSEC Lookaside Validation) for Unbound

Not all ccTLD (Country Code Top Level Domains) ot gTLD (generic Top Level Domains) are DNSSEC signed (Status 2/2011). Domains below these unsigned TLDs are not in the 'Chain of Trust', even if they are DNSSEC signed, they cannot be validated.

Internet Software Consortium (ISC) runs a service called DLV (DNSSEC Lookaside Validation, RFC 5074). The DLV contains many trust anchors for DNS domains that are signed, but cannot be validated from the root zone down.

Instead of maintaining each trust-anchor in each validating DNS Servers configuration file, the DLV registry will contain the trust-anchors for the zones and the local validating DNS Server only needs to have one trust-anchor for the DLV zone.

A DLV registry functions like a database of trusted keys. In practice, it's a zone containing DLV records, which are functionally similar to DS records. Only one trust anchor is needed in the resolver config, to validate the DLV zone. The DLV records then validate other zones' public keys, just like DS records. Multiple DLV registries are possible, but there's one main one: dlv.isc.org. BIND 9.7+ and Unbound 1.4.1 ship with a trusted initial key for this DLV registry.

Because ISCs DLV zone is below "isc.org." and "org.", which are both signed, the trusted key can also be fetched by a validated DNS query (the resolving DNS Server must have DNSSEC and the trust-anchor for the root-zone configured:

dig dlv.isc.org. dnskey +dnssec +multi

; <<>> DiG 9.8.0rc1 <<>> dlv.isc.org. dnskey +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50425
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;dlv.isc.org.		IN DNSKEY

dlv.isc.org.		676 IN DNSKEY 256 3 5 (
				) ; key id = 64263
dlv.isc.org.		676 IN DNSKEY 257 3 5 (
				) ; key id = 19297
dlv.isc.org.		676 IN RRSIG DNSKEY 5 3 7200 20110321090006 (
				20110219090006 19297 dlv.isc.org.
				XX0ZBGqUEHUBfe6wOnx2jRqSvTt/RnOJTw== )
dlv.isc.org.		676 IN RRSIG DNSKEY 5 3 7200 20110321090006 (
				20110219090006 64263 dlv.isc.org.
				QYEFA2NTCYyPviEtirXpuPg9u2BoAYCdlizUaKk= )

;; Query time: 2 msec
;; WHEN: Sat Feb 19 13:33:01 2011
;; MSG SIZE  rcvd: 936

Check for the "AD" flag in the DNS query (AD = Authenticated Data).

For Unbound, we need the DNSKEY record (the public key) for the Key Signing Key (KSK) of the DLV Zone. A KSK DNSKEY Record has the secure entry point flag set in the flags field, so the first field has the value "257".

We copy the line containing the KSK DNSKEY record into a file called "dlv.isc.org.key", and add the line

dlv-anchor-file: "dlv.isc.org.key"

to the Unbound configuration file "unbound.conf".

A validating Resolver with DLV configured will first...

  • look if there are manual trust-anchors in the configuration
  • if that is not available, it will try to get the trust from the delegation tree (DS record in the parent zone)
  • if that is also not available, it will try to look up the trust-anchor in the DLV zone(s) ...
  • If there is more than one DLV zone configured that will match the target name (overlapping DLV domains)
    • The resolver will first try the DLV zone with the most matching labels (most specific domain), then trying the others with shorter matching labels (DLV for ?europe.company.example?, will 1st look in DLV for ?company.example?, then in DLV Zone for ?example? and then for ?.?)
  • The same behavior is used for finding DLV trust anchors in a DLV zone

Because DNSSEC validation using the parent has priority over DLV, once the parent of the zone is signed, validation is done using the DS records in the parent and not using DLV.

Information about the ISC DLV registry can be found at https://dlv.isc.org/

Friday Aug 21, 2009

Slax Live Linux modules with BIND, Unbound and DNS Tools for DNSSEC Training

Getting a classroom full of computer ready for a DNSSEC training can be a challenge. Installing a DNSSEC capable DNS server, resolver and troubleshooting tools on each student computer can take some time. DNSSEC tools are not common in today's operating-systems.

At Men & Mice we use add-on modules for the SLAX Live Linux System (http://slax.org). The SLAX System can be started on almost any PC-like computer machine with 256MB RAM or more from a USB-Stick, CD-ROM or by PXE Network boot. Especially the PXE-Networkboot is a convenient way to boot SLAX from the trainers PC to all the machines in a classroom. The trainer can prepare training packages that will automatically appear after reboot on the students machines.

The current version of the SLAX DNSSEC Training modules contains BIND 9.6.1-P1 (package 010-bind.lzm) and Unbound 1.33, libDNS 1.6.1, Drill, DNSTOP, DOC and dnstracer (package 011-dnstools.lzm) ready to use.
The single packages can be downloaded from the Men & Mice Support Download Server.

The full SLAX 6.1.2 system including the DNS-Tools and BIND packages can be found at http://support.menandmice.com/download/training/usb/slax-dns-training-stick.tgz (217 MB).

To install SLAX from a Linux Machine, uncompress the tar-ball to an FAT formatted USB Drive and call the "boot/bootinst.sh" script. Installation from a Windows System is similar, just used the "boot/bootinst.bat" batch file.

While being created for DNSSEC and DNS Trainings, the SLAX system with the DNS Modules makes a quick-to-use troubleshooting system for both plain old DNS and DNSSEC that can be carried around.

Tuesday May 19, 2009

RIPE eLearning Course - DNS Basics

The RIPE NCC eLearning Centre has released the first of a series of free DNS and DNSSEC Training courses. The courses are self-paced with nice animations.

The service is free of charge and can be found at https://e-learning.ripe.net/training/e-learning/

In the coming months more e-learning modules will be released covering the topics "DNS Vulnerabilities" and "DNSSEC".

Monday May 11, 2009

Notes from DNS Working Group at RIPE 58, Part 1

My notes from the RIPE 58 DNS Workinggroup (DNS-WG) sessions:
  • Shane Kerr (ISC) - BIND 10

    Shane gave some insights in the goals of the new BIND 10 project at ISC. BIND 9 is getting old and has some issue with performance and maintainability. The process model used for BIND 9 has been "en vouge" when BIND 9 was designed, but it has proven to be non-optimal for a server daemon that is handling a huge amount of small request packages. The goal with BIND 10 is to getting closer in performance with NSD and unbound. Another issue with BIND 9 is that the sourcecode is hard to understand and to change for new project members. This has been an issue hindering interested parties to do their own customizations to the BIND 9 sourcecode. Although BIND 9 is an open source project, only programmers for ISC have worked on the code and almost no outside contribution has been seen. BIND 10 source code is planned to be more modular and more easy to understand, to attract outside developers to contribute and customize BIND 10.

    BIND 10 is planned to have APIs and interfaces to integrate with existing provisioning systems and workflows. Integration into Microsoft Windows Operating Systems will worked on.

    The BIND 10 project timeframe is set for 5 years, with the 1st test version to be due in April 2010.

  • Anand Buddhev (RIPE NCC)- RIPE NCC Reverse Tree Lame Delegation Reports

    Anand gave a report on the reverse DNS tree lameless check done by RIPE NCC. The RIPE NCC is checking for lame delegations in the reverse DNS tree (the "in-addr.arpa." and "ip6.arpa." namespace). The presentation (linked above) contains the definition of a non-lame answer:

    • Every name server of each zone is resolved into A and AAAA records - several attempts are made in case of temporary failures
    • Every IP address found is queried for the SOA record of the associated zone - several attempts are made in case of temporary failures
    • The query is done over UDP and is non- recursive
    • if there was a response:
      • Response from the same address that the query was sent to
      • RCODE is "NOERROR"
      • Response has AA bit set
      • QNAME in the response and query is the same
      • Only one SOA record is returned

    The RIPE NCC has an DNS lameness FAQ online: http://www.ripe.net/info/stats/dns-lameness/faq.html

    Any answer that is not matching the criteria is seen as an lameless error, and an E-Mail is send to the contact person owning the IP Address space for this part of the reverse DNS delegation.

    Initially the lameness for the RIPE part of the reverse DNS tree was about 6%. After some runs in February and March 2009 the number of lame delegations has gone down to 5%.

    Although the DNS lameness checks where done on request from the RIPE DNS WG in 2006 (see RIPE-400), there was a controversial discussion in the group on the usefulness of the tests. Some participants were arguing that the lameness mostly effects the party receiving the delegation. Other said that the instruments to measure the effect of lameness must be improved first to be able to measure the effect of the checks and the lameness on the DNS System. Other participants found the service useful, as did most of the DNS delegation owners that received E-Mail from RIPE NCC. Further discussion on this topic will take place on the DNS WG Mailinglist.

Thursday Apr 23, 2009

BIND 10 development started

The Internet Systems Consortium announced today that development on the next generation of BIND DNS Server has started. The new development is sponsored by many TLD-Registries (Japan Registry Services Co., Ltd. (JPRS) and Canadian Internet Registration Authority (CIRA) as well as Afilias, AFNIC, DENIC, IIS.SE, Nominet, NIC.br, SIDN and .za Domain Name Authority) and will take some years to complete.[Read More]