Response Policy Zones



Similar documents
DNS Response Policy Zone (DNSRPZ)

Response Policy Zones for the Domain Name System (DNS RPZ) By Paul Vixie, ISC (et.al.) 2010 World Tour

DNS Firewalls with BIND: ISC RPZ and the IID Approach. Tuesday, 26 June 2012

How to set up the Integrated DNS Server for Inbound Load Balancing

DNS and BIND. David White

The Use of DNS Resource Records

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Copyright

Talk-101 User Guide. DNSGate

Networking Domain Name System

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

JPNIC Public Forum. Paul Vixie. Chairman, Internet Software Consortium. January 21, 2003

Networking Domain Name System

Lecture 2 CS An example of a middleware service: DNS Domain Name System

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS

How to Add Domains and DNS Records

Networking Domain Name System

OpenSRS Service DNS Configuration Guide

A Survey of cctld DNS Vulnerabilities. ITU cctld Workshop March 3, 2003

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

Coordinación. The background image of the cover is desgned by GUIDE TO DNS SECURITY 2

DNS as a Control Point for Cyber Risk. Dr. Paul Vixie, CEO Farsight Security

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Computer Networks: Domain Name System

Global Service Loadbalancing & DNSSEC. Ralf Brünig Field Systems Engineer r.bruenig@f5.com DNSSEC

Measures to Protect (University) Domain Registrations and DNS Against Attacks. Dave Piscitello, ICANN

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

Understanding DNS (the Domain Name System)

The Domain Name System

Application and service delivery with the Elfiq idns module

How To Manage Dns On An Elfiq Link Load Balancer (Link Balancer) On A Pcode (Networking) On Ipad Or Ipad (Netware) On Your Ipad On A Ipad At A Pc Or Ipa

DNS at NLnet Labs. Matthijs Mekking

DNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)

Copyright International Business Machines Corporation All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

DNS and BIND Primer. Pete Nesbitt linux1.ca. April 2012

DNS. Computer networks - Administration 1DV202. fredag 30 mars 12

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

CDN SERVICE ICSS ROUTE MANAGED DNS DEUTSCHE TELEKOM AG INTERNATIONAL CARRIER SALES AND SOLUTIONS (ICSS)

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

FAQ (Frequently Asked Questions)

Getting Started with AWS. Hosting a Static Website

DNS Session 4: Delegation and reverse DNS. Joe Abley AfNOG 2006 workshop

DNS. Spring 2016 CS 438 Staff 1

- Domain Name System -

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

Domain Name Abuse: How Cheap New Domain Names Fuel The ecrime Economy

Configuring a Domain to work with your Server

Domain Name System (DNS) Fundamentals

DNS based Load Balancing with Fault Tolerance

Using the DNS as a Hammer The Good, the Bad and the Ugly

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

Parallels Plesk Automation. Customer s Guide. Parallels Plesk Automation 11.5

Enterprise Architecture Office Resource Document Design Note - Domain Name System (DNS)

Security of IPv6 and DNSSEC for penetration testers

DANE for SMTP. Viktor Dukhovni & Wes Hardaker. IETF 87, Berlin July 2013

Domain Name System Security

DNSSEC Applying cryptography to the Domain Name System

Applied Network Services. Janet Services for Resilience. Andrew Davis Network Services Coordinator

Managing DNS Server Properties

DOMAIN AND GLOSSARY The phrases and terms you may encounter, when registering a domain name

Mail agents. Introduction to Internet Mail. Message format (2) Authenticating senders

Internet-Praktikum I Lab 3: DNS

The Domain Name System from a security point of view

Conexim DNS Administrator s Guide

Securing an Internet Name Server

DMARC and your.bank Domain. September 2015 v

Using the Domain Name System for System Break-ins

DNS RPZ in the Swiss NREN

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide

Internet Monitoring via DNS Traffic Analysis. Wenke Lee Georgia Institute of Technology

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

Table of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.

Configuring an External Domain

Use Domain Name System and IP Version 6

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

The Domain Name System

HTG XROADS NETWORKS. Network Appliance How To Guide: DNS Delegation. How To Guide

GL-275: Red Hat Linux Network Services. Course Outline. Course Length: 5 days

Switching Your DNS WiredTree

Getting Started with AWS. Hosting a Static Website

Domain Name System (DNS) RFC 1034 RFC

netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

KB Windows 2000 DNS Event Messages 1 Through 1614

DNS Conformance Test Specification For Client

Transferring Your Internet Services

Domain Name Servers. Domain Types WWW host names. Internet Names. COMP476 Networked Computer Systems. Domain Name Servers

Collateral Damage. Consequences of Spam and Virus Filtering for the System. Peter Eisentraut 22C3. credativ GmbH.

Transcription:

Response Policy Zones Taking Back the DNS, V2.0 Paul Vixie Chairman and Chief Scientist Internet Systems Consortium

Abstract DNS works as well for the bad guys (criminals, spammers, spies) as for respectable citizens, and the bad guys are taking better advantage of DNS's resiliency and distributed autonomy. Something has got to be done. ISC is doing it. RPZ 2.0 is part of BIND 9.8.0 (now at Beta 1)

Problem Statement DNS is a decentralized system offering complete distributed autonomy, and the relationships between operators and content owners are both tenuous and resilient. The split registry/registrar/registrant model insulates all parties from responsibility, so the global DNS lacks accountability complaints are ineffective, even with provable crime/losses. This resiliency and unaccountability is of greater benefit to bad actors than their victims.

Historical Context DNS is not unique in its unaccountability. Most Internet systems (mail, blogs, I-M) are similar. In e-mail it's extremely common to subscribe to an DNSBL (realtime blackhole list) in order to reject messages from known-bad sources. Features similar to DNSBL exist for DNS in proprietary products (Nominum) and services (OpenDNS). RPZ (ISC Response Policy Zone) is an open standard for DNSBL-like features in the DNS.

RPZ History RPZ 1.0 released as patches to BIND9 in 2010: Rule-based system, triggered on query name/type Rule-forced outcomes: Return a fake alias (CNAME), for walled gardens Return a fake NXDOMAIN, to blackout the name Return a fake answer of the type being queried Protect the name against subsequent policy triggers Subscription model: recursive name servers would become stealth servers for one or more RPZs. Rules/outcomes encoded as RPZ zone content.

Lessons Learned From RPZ 1.0 Sometimes the trigger has to be answer-based E.g., if the A or AAAA RR is within a CIDR block E.g., if the NS name or address is poisoned Sometimes the subscriber wants to import the triggers but locally specify the policy outcome E.g., import a list of bad names, but decide locally whether to blackout or alias those names We have implemented some of these features in RPZ Format 2, released in BIND 9.8.0 (B1).

RPZ Content Examples (1) If rpz.net is a response policy zone and example.com is a name to be blacked out: example.com.rpz.net CNAME. If all subdomains of example.com are to be aliased to a local walled garden: *.example.com.rpz.net CNAME wg.mydom.cn If www.example.com/a should be redirected: www.example.com A 198.168.6.66

RPZ Content Examples (2) If www.partner.com is to be protected from any policy action by any subsequent RPZ: www.partner.com.rpz.net CNAME www.partner.com If www.example.com is to appear to be empty: www.example.com.rpz.net CNAME *. If a A RRs in 192.168.1.0/24 are to be replaced with a local walled garden address: 24.0.1.168.192.rpz-ip.rpz.net A 192.168.6.66

RPZ Content Examples (3) If AAAA RR's in 2001:500:2f::/48 ought to cause fake NXDOMAIN responses, except 2001:500:2f::f which is to be returned as normal: 128.f.zz.2f.500.2001.rpz-ip.rpz.net CNAME *. 48.zz.2f.500.2001.rpz-ip.rpz.net CNAME. Note: zz in this context means ::.

Subscriber Configuration in BIND9 options { // other stuff response-policy { zone "dns-policy1.vix.com"; zone "dns-policy2.vix.com" policy given; zone "dns-policy3.vix.com" policy NO-OP; zone "dns-policy4.vix.com" policy NXDOMAIN; zone "dns-policy5.vix.com" policy NODATA; zone "dns-policy6.vix.com" policy CNAME walled-garden.isp.net; }; }; zone dns-policy1.vix.com { }; type slave; masters { 192.168.1.123; }; // note: TSIG would probably be used in a production environment // and similar for the other rpz zones

Producer/Consumer Model in RPZ Producers can use RFC 2136 UPDATE to maintain their zone, or just periodically regenerate it and use ixfr-from-differences to tell BIND to compute deltas. Producers will use IXFR for efficient zone delta transmission, and TSIG for protection of RPZ data and authenticity of producer/consumer endpoints. Result: low cost, low bandwidth, low latency, and strong data protection.

Possible Good Specialization of labour: security experts can produce robust and targetted patterns for use by customer DNS recursive name servers. Competition: many security experts, many name server implementors (not just BIND!), and a global market of potential customers. Effect on crime: a domain or IP address used only for evil will not remain usable even if its registrant, registrar, registry, or ISP never suspends or terminates it.

Possible Harm Governments could use RPZ to enforce laws about censorship, since it is an open standard. Some RPZ data sources will inevitably be politically, racially, or religiously motivated ( all Christian web sites or all Muslim web sites ). As with all reputation systems, the systemic effect on DNS will be to make it less reliable and harder to diagnose or characterize. We hope these effects will be more pronounced on bad actors than on the rest of us.

Resources Questions and comments always welcome: vixie@isc.org There is a mailing list for RPZ discussions: dnsrpz-interest-request@lists.isc.org The current draft RPZ specification: ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt The blog post that started it all: Google vixie taking back the dns

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information