dnstap webinar
TRANSCRIPT
© Men & Mice http://menandmice.com
DNSTAP: a deep(er) look into DNS server operations
(featuring Unbound, Knot-DNS and BIND 9)
before we start (1)… please note: BIND 9 security issue
CVE: CVE-2015-8000
Document Version: 2.0
Posting date: 15 December 2015
Program Impacted: BIND
Versions affected: 9.0.x -> 9.9.8, 9.10.0 -> 9.10.3
Severity: Critical
Exploitable: Remotely
Description:
An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries.
before we start (2)… please note: BIND 9 security issue
CVE: CVE-2015-8461
Document Version: 2.0
Posting date: 15 December 2015
Program Impacted: BIND
Versions affected: 9.9.8 -> 9.9.8-P1, 9.9.8-S1 -> 9.9.8-S2, 9.10.3 -> 9.10.3-P1
Severity: Medium
Exploitable: Remotely
Description:
Beginning with the September 2015 maintenance releases 9.9.8 and 9.10.3, an error was introduced into BIND 9 which can cause a server to exit after encountering an INSIST assertion failure in resolver.c
before we start (3)… please note: Concerning a recent OpenSSL security issue and new BIND build-time checks
The OpenSSL project recently announced several security issues including OpenSSL Security Advisory CVE-2015-1794. The official advisory from the OpenSSL project can be found at http://openssl.org/news/secadv/20151203.txt
but in brief: versions 1.0.2 through 1.0.2d have a vulnerability that potentially weakens encryption security in BIND. Version 1.0.2e is recommended as the secured version.
DNS server operations monitoring
it is difficult to monitor the internal operation of a DNS server
• classic monitoring has a huge performance impact (on busy DNS servers)
• Example: BIND 9 query-logging via "rndc querylog"
  • up to 200% performance loss seen
  • speed of the disk storage is the limiting factor
Network packet capture
an alternative solution is to look from the outside via a network traffic capture tool
• no performance impact on the DNS server
• can only observe from the outside (no internal DNS server events, like cache-events, seen)
• difficult to work with UDP fragments and DNS data in TCP streams
• Example: Men & Mice DNS Traffic Monitor
• Example: DNS statistics collector (DSC) https://www.caida.org/tools/utilities/dsc/
dnstap
dnstap is an open protocol to capture and store DNS server events
• events are recorded inside the server
• fast and lightweight protocol
• non-blocking, designed to have minimal impact on the DNS server's performance
dnstap (architecture diagram, built up over several animated slides)
[Diagram: DNS client -> DNS resolver -> DNS authoritative server. A DNS query arriving at the resolver produces an event that is placed in the DNSTAP Ring-Buffer; a separate IO Thread takes events out of the ring buffer and writes them to a file. The DNS answer travels back from the authoritative server through the resolver to the client and produces its own event, which is written to the file the same way. Final slide: a burst of DNS queries produces events faster than the IO Thread writes them to file, the ring buffer is full, and one event is lost.]
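The diagram above shows the trade-off that makes dnstap cheap for the DNS server: the query path only drops an event into a bounded ring buffer and never waits for disk, so when the IO thread falls behind, events are discarded rather than queries delayed. The following model, added here and not code from the slides or from any dnstap implementation, makes that behaviour concrete: a non-blocking bounded buffer, a consumer thread that drains it, and a counter of dropped events. Names, capacities and the event dicts are constructed for the example; real implementations work on serialised protobuf frames.

```python
import threading
import time
from collections import deque


class DnstapRingBuffer:
    """Bounded buffer between the DNS worker threads (producers) and the dnstap
    IO thread (consumer). offer() never blocks: when the buffer is full the
    event is discarded and counted, which is the 'one event lost' case."""

    def __init__(self, capacity):
        self._buf = deque()
        self.capacity = capacity
        self._lock = threading.Lock()
        self.accepted = 0
        self.dropped = 0

    def offer(self, event):
        """Called on the query path; returns False (and drops) when full."""
        with self._lock:
            if len(self._buf) >= self.capacity:
                self.dropped += 1
                return False
            self._buf.append(event)
            self.accepted += 1
            return True

    def drain(self, max_events):
        """Called by the IO thread; removes up to max_events events."""
        with self._lock:
            n = min(max_events, len(self._buf))
            return [self._buf.popleft() for _ in range(n)]


def simulate(capacity, bursts, drain_per_round):
    """Deterministic model of the slides: each round a worker offers `burst`
    events, then the IO thread gets one chance to drain up to
    `drain_per_round` of them. Returns (events_written, events_dropped)."""
    rb = DnstapRingBuffer(capacity)
    written = []
    seq = 0
    for burst in bursts:
        for _ in range(burst):
            rb.offer({"type": "CLIENT_QUERY", "seq": seq})   # constructed event
            seq += 1
        written.extend(rb.drain(drain_per_round))
    written.extend(rb.drain(capacity))   # final flush once the burst is over
    return len(written), rb.dropped


def io_thread(rb, sink, stop):
    """Real-shaped consumer: loop until told to stop, then flush what is left."""
    while not stop.is_set():
        for event in rb.drain(64):
            sink.append(event)
        time.sleep(0.001)             # stands in for the cost of writing to file
    sink.extend(rb.drain(rb.capacity))


if __name__ == "__main__":
    # A worker bursts 11 events into a 4-slot buffer; the IO thread drains 4 per round.
    print("written=%d dropped=%d" % simulate(4, [3, 6, 2], 4))

    rb, sink, stop = DnstapRingBuffer(256), [], threading.Event()
    t = threading.Thread(target=io_thread, args=(rb, sink, stop))
    t.start()
    for i in range(5000):             # a burst far faster than the sleep-paced writer
        rb.offer({"type": "CLIENT_QUERY", "seq": i})
    stop.set()
    t.join()
    print("threaded: written=%d dropped=%d" % (len(sink), rb.dropped))
```

The operational lesson is that a dnstap dump is not a complete record: whatever consumes the stream (fstrm_capture, a collector, a SIEM) should also watch the server's own dropped-event counters, or the absence of a query in the file will be misread as the query never having happened.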
dnstap implementations
dnstap has been developed by Farsight Security (Paul Vixie and Robert Edmonds)
homepage is http://dnstap.info
• Unbound
• Knot 2.x
• BIND 9.11 (upcoming)
• NSD (planned)
• PowerDNS (planned)
using dnstap in your DNS server
dnstap is a compile-time option
• usually not enabled in distribution package code
• requires compilation from source
• can be made available in the Men & Mice build packages for Unbound and BIND 9 (please let us know): http://packages.menandmice.com/unbound
dnstap dependencies
fstrm (Frame Streams data transport protocol)
lightweight protocol to transport frames of data, can be used with any data serialisation format that produces byte sequences
https://github.com/farsightsec/fstrm
dnstap dependencies
Google Protocol Buffers
Protocol buffers are a language-neutral, platform-neutral extensible mechanism for serialising structured data.
https://developers.google.com/protocol-buffers/
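To show what the two dependencies contribute to a dnstap file, here is an added example (not code from the slides, from fstrm or from the dnstap project) that writes and reads the Frame Streams container and hand-encodes the outer dnstap.Dnstap protobuf envelope. The fstrm control-frame constants and the dnstap field numbers (identity = 1, version = 2, type = 15) are taken from the fstrm and dnstap.proto sources as I know them and are assumptions for this example; the identity and version values are copied from the YAML output shown later in the slides, and the inner Message (field 14) is left out.

```python
import struct

# fstrm control-frame constants as defined in fstrm's control.h (assumed to
# match the fstrm version in use; they are not stated on the slides).
FSTRM_CONTROL_START = 2
FSTRM_CONTROL_STOP = 3
FSTRM_CONTROL_FIELD_CONTENT_TYPE = 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"   # the -t value given to fstrm_capture


def _control_frame(ctrl_type, content_type=None):
    """Control frame: 4-byte escape (0), 4-byte length, 4-byte type, optional fields."""
    payload = struct.pack(">I", ctrl_type)
    if content_type is not None:
        payload += struct.pack(">II", FSTRM_CONTROL_FIELD_CONTENT_TYPE, len(content_type))
        payload += content_type
    return struct.pack(">II", 0, len(payload)) + payload


def write_fstrm_file(frames, content_type=DNSTAP_CONTENT_TYPE):
    """Byte layout of a unidirectional fstrm file: START, data frames, STOP."""
    out = bytearray(_control_frame(FSTRM_CONTROL_START, content_type))
    for frame in frames:
        out += struct.pack(">I", len(frame)) + frame   # data frame: non-zero length prefix
    out += _control_frame(FSTRM_CONTROL_STOP)
    return bytes(out)


def read_fstrm_file(data):
    """Parse an fstrm byte stream into (content_type, [data frame payloads])."""
    pos, content_type, frames = 0, None, []
    while pos + 4 <= len(data):
        (length,) = struct.unpack_from(">I", data, pos)
        pos += 4
        if length != 0:                                  # data frame
            frames.append(bytes(data[pos:pos + length]))
            pos += length
            continue
        (clen,) = struct.unpack_from(">I", data, pos)    # control frame follows the escape
        pos += 4
        ctrl = data[pos:pos + clen]
        pos += clen
        (ctype,) = struct.unpack_from(">I", ctrl, 0)
        fpos = 4
        while fpos + 8 <= len(ctrl):                     # control fields
            ftype, flen = struct.unpack_from(">II", ctrl, fpos)
            fpos += 8
            if ftype == FSTRM_CONTROL_FIELD_CONTENT_TYPE:
                content_type = bytes(ctrl[fpos:fpos + flen])
            fpos += flen
        if ctype == FSTRM_CONTROL_STOP:
            break
    return content_type, frames


# --- minimal protobuf wire-format helpers for the outer dnstap.Dnstap message ---

def _varint(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _read_varint(buf, pos):
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def encode_dnstap_envelope(identity, version):
    """dnstap.Dnstap with identity (field 1, bytes), version (field 2, bytes) and
    type (field 15, enum MESSAGE = 1). The inner Message (field 14) is omitted."""
    return (b"\x0a" + _varint(len(identity)) + identity     # key (1 << 3) | 2
            + b"\x12" + _varint(len(version)) + version     # key (2 << 3) | 2
            + b"\x78" + _varint(1))                         # key (15 << 3) | 0


def decode_fields(buf):
    """Walk protobuf fields of wire type 0 (varint) and 2 (length-delimited)."""
    pos, fields = 0, []
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field_no, wire_type = key >> 3, key & 7
        if wire_type == 0:
            value, pos = _read_varint(buf, pos)
        elif wire_type == 2:
            length, pos = _read_varint(buf, pos)
            value, pos = bytes(buf[pos:pos + length]), pos + length
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.append((field_no, value))
    return fields


if __name__ == "__main__":
    # constructed envelope; identity/version values copied from the slides' YAML output
    frames = [encode_dnstap_envelope(b"csmobile4.home.strotmann.de", b"unbound 1.5.7")]
    blob = write_fstrm_file(frames)
    print(read_fstrm_file(blob))
    print(decode_fields(frames[0]))
```

The split of responsibilities is the point: fstrm only knows about length-prefixed frames and the content-type string negotiated in the START frame, while everything DNS-specific lives inside the protobuf payload. A reader that checks the content type before decoding payloads will not misinterpret a file produced for some other protobuf schema.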
dnstap tools
tools to read DNSTAP data files
• dnstap-golang https://github.com/dnstap/golang-dnstap
• dnstap-ldns https://github.com/dnstap/dnstap-ldns
• dnstap-read (part of BIND 9.11) http://source.isc.org
• Wireshark with dnstap support https://github.com/dnstap/wireshark
Demo: dnstap with unbound
simple Unbound configuration

server:
    verbosity: 1
    chroot: ""
    username: ""
    logfile: "unbound.log"
    use-syslog: no

remote-control:
    control-enable: yes

dnstap:
    dnstap-enable: yes
    dnstap-socket-path: "/opt/dnstap.unbound"
    dnstap-send-identity: yes
    dnstap-send-version: yes
    dnstap-log-resolver-response-messages: yes
    dnstap-log-client-query-messages: yes
Demo: dnstap with unbound
catching the DNSTAP stream from the socket and writing to a file

# fstrm_capture -t protobuf:dnstap.Dnstap \
    -u /opt/dnstap.unbound \
    -w /opt/dnstap.out \
    -ddddd

-t protobuf:dnstap.Dnstap: Protobuf information (content type)
-u /opt/dnstap.unbound: Unix socket to read
-w /opt/dnstap.out: file to write
-ddddd: heavy debug output
Demo: dnstap with unbound
reading a DNSTAP data file (overview)

# /usr/local/bin/dnstap-ldns -r /opt/dnstap.out
2015-12-15 17:04:48.672530 CQ ::1 UDP 43b "menandmice.com." IN A
2015-12-15 17:04:52.704455 CQ ::1 UDP 43b "menandmice.com." IN A
2015-12-15 17:05:25.255258 CQ ::1 UDP 41b "dnssec.works." IN A
2015-12-15 17:05:34.783531 CQ ::1 UDP 41b "dnssec.works." IN A
2015-12-15 17:05:58.998672 CQ ::1 UDP 48b "larger.dnssec.works." IN A
2015-12-15 17:06:05.958735 CQ ::1 UDP 49b "largerr.dnssec.works." IN A
2015-12-15 17:06:15.198618 CQ ::1 UDP 49b "largerr.dnssec.works." IN TXT
2015-12-15 17:06:20.493485 CQ ::1 UDP 48b "larger.dnssec.works." IN TXT

dnstap-ldns -r: command to read a DNSTAP file
/opt/dnstap.out: file with binary DNSTAP data
CQ = Client Query
Demo: dnstap with unbound
reading a DNSTAP data file (with details)

# /usr/local/bin/dnstap-ldns -y -r /opt/dnstap.out
type: MESSAGE
identity: "csmobile4.home.strotmann.de"
version: "unbound 1.5.7"
message:
  type: CLIENT_QUERY
  query_time: !!timestamp 2015-12-15 17:06:20.493485
  socket_family: INET6
  socket_protocol: UDP
  query_address: ::1
  query_port: 48107
  query_message: |
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50271
    ;; flags: rd ad ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;larger.dnssec.works. IN TXT
    ;; ANSWER SECTION:
    ;; AUTHORITY SECTION:
    ;; ADDITIONAL SECTION:
    ;; EDNS: version 0; flags: do ; udp: 4096

-y: details output as YAML
/opt/dnstap.out: file with binary DNSTAP data
Demo: dnstap with knot-dns
simple Knot 2.x configuration

server:
    listen: 0.0.0.0@53
    listen: ::@53

log:
  - target: syslog
    any: info

mod-dnstap:
  - id: capture_all
    sink: /opt/dnstap.knot

template:
  - id: default
    storage: "/opt/knot-dnstap/var/lib/knot"
    global-module: mod-dnstap/capture_all

zone:
  - domain: example.com
    file: "/opt/knot-dnstap/etc/knot/example.com.zone"
Demo: dnstap with BIND 9.11 (devel)
simple BIND 9.11 resolver configuration

options {
    directory "/opt/bind9-dnstap";
    dnstap { all; };    // client, auth, resolver, forwarder | query, response
    dnstap-output file "/opt/bind9.tap";
    dnstap-identity hostname;
    dnstap-version "9.11.devel";
    dnssec-validation auto;
};
Demo: dnstap with BIND 9.11 (devel)
reading a DNSTAP file with dnstap-read

# dnstap-read /opt/bind9.dtp
15-Dec-2015 18:53:35.467 RQ 2001:503:ba3e::2:30 UDP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RR 2001:503:ba3e::2:30 UDP 509b ./IN/NS
15-Dec-2015 18:53:35.514 RQ 2001:500:2d::d TCP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.550 RR 2001:503:ba3e::2:30 TCP 736b ./IN/DNSKEY
15-Dec-2015 18:53:35.468 RQ 2001:503:ba3e::2:30 UDP 40b ./IN/NS
15-Dec-2015 18:53:35.503 RR 2001:503:ba3e::2:30 UDP 28b ./IN/DNSKEY
15-Dec-2015 18:53:35.514 RR 2001:500:2d::d UDP 28b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RQ 2001:500:2d::d UDP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.534 RR 2001:500:2d::d TCP 736b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RQ 2001:503:ba3e::2:30 TCP 40b ./IN/DNSKEY

Columns: date and time | message type | IP address of remote machine | transport protocol (UDP or TCP) | size of (DNSTAP) data | domain, class and record type
Message types: RQ: RESOLVER_QUERY, RR: RESOLVER_RESPONSE, CQ: CLIENT_QUERY, CR: CLIENT_RESPONSE, FQ: FORWARDER_QUERY, FR: FORWARDER_RESPONSE […]
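The one-line-per-message output of dnstap-ldns (Unbound demo above) and dnstap-read (BIND 9.11 demo) is what most people end up feeding into scripts, so here is an added example, not code from the slides or from either tool, of a parser that accepts both formats and produces a small operational summary: messages per type, bytes per transport, how many queries the server itself sent over TCP, and the most frequent client questions. The sample lines are constructed from values copied off the slides; the column layout and timestamp formats are assumed to be exactly as the slides print them, and the two-letter codes are expanded using the legend shown on the dnstap-read slide.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input. The lines follow the two quiet output formats shown in
# the slides: dnstap-ldns -r (Unbound demo) and dnstap-read (BIND 9.11 demo);
# the values are copied from the slides' output.
SAMPLE = """\
2015-12-15 17:04:48.672530 CQ ::1 UDP 43b "menandmice.com." IN A
2015-12-15 17:05:25.255258 CQ ::1 UDP 41b "dnssec.works." IN A
2015-12-15 17:06:20.493485 CQ ::1 UDP 48b "larger.dnssec.works." IN TXT
15-Dec-2015 18:53:35.467 RQ 2001:503:ba3e::2:30 UDP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RR 2001:503:ba3e::2:30 UDP 28b ./IN/DNSKEY
15-Dec-2015 18:53:35.503 RQ 2001:503:ba3e::2:30 TCP 40b ./IN/DNSKEY
15-Dec-2015 18:53:35.550 RR 2001:503:ba3e::2:30 TCP 736b ./IN/DNSKEY
"""

# timestamp, two-letter message type, remote address, transport, size, question
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<kind>[A-Z]{2})\s+(?P<addr>\S+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<size>\d+)b\s+(?P<rest>.+)$")
LDNS_QUESTION = re.compile(r'^"(?P<name>[^"]*)"\s+(?P<cls>\S+)\s+(?P<rtype>\S+)$')
READ_QUESTION = re.compile(r"^(?P<name>.+?)/(?P<cls>[^/]+)/(?P<rtype>[^/]+)$")
TS_FORMATS = ("%Y-%m-%d %H:%M:%S.%f",     # dnstap-ldns
              "%d-%b-%Y %H:%M:%S.%f")     # dnstap-read

# legend from the dnstap-read slide
MESSAGE_TYPES = {"CQ": "CLIENT_QUERY", "CR": "CLIENT_RESPONSE",
                 "RQ": "RESOLVER_QUERY", "RR": "RESOLVER_RESPONSE",
                 "FQ": "FORWARDER_QUERY", "FR": "FORWARDER_RESPONSE"}


def parse_line(line):
    """Return a record dict for one quiet-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    q = LDNS_QUESTION.match(m["rest"]) or READ_QUESTION.match(m["rest"])
    if not q:
        return None
    ts = None
    for fmt in TS_FORMATS:
        try:
            ts = datetime.strptime(m["ts"], fmt)
            break
        except ValueError:
            continue
    if ts is None:
        return None
    return {"ts": ts, "kind": m["kind"],
            "message_type": MESSAGE_TYPES.get(m["kind"], m["kind"]),
            "addr": m["addr"], "proto": m["proto"], "size": int(m["size"]),
            "name": q["name"], "class": q["cls"], "type": q["rtype"]}


def summarize(text):
    """Aggregate a dump: counts per message type, bytes per transport, queries the
    server sent over TCP, and the most frequent client questions."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    bytes_by_proto = Counter()
    for r in records:
        bytes_by_proto[r["proto"]] += r["size"]
    return {
        "records": len(records),
        "by_kind": dict(Counter(r["kind"] for r in records)),
        "bytes_by_proto": dict(bytes_by_proto),
        "tcp_queries": sum(1 for r in records
                           if r["proto"] == "TCP" and r["kind"].endswith("Q")),
        "top_client_questions": Counter(
            (r["name"], r["type"]) for r in records if r["kind"] == "CQ").most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print("%-22s %s" % (key, value))
```

Because the size column is the size of the dnstap data rather than the wire packet, and because the ring buffer can drop events, counts derived this way are a view of what the server recorded, not a packet-accurate traffic measurement; for that the packet-capture tools from the earlier slide remain the reference.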
Demo: dnstap with BIND 9.11 (devel)
reading a DNSTAP file with dnstap-read including packet data

# dnstap-read -p /opt/bind9.dtp
15-Dec-2015 18:53:52.725 RQ 2001:7fe::53 UDP 67b demand.gamma.aridns.net.au/IN/AAAA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23009
;; flags: cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
; COOKIE: f7208c0ca722db34
;; QUESTION SECTION:
;demand.gamma.aridns.net.au. IN AAAA

15-Dec-2015 18:53:52.758 RR 2001:7fe::53 UDP 510b demand.delta.aridns.net.au/IN/AAAA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37169
;; flags: qr cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;demand.delta.aridns.net.au. IN AAAA

;; AUTHORITY SECTION:
au. 172800 IN NS a.au.
[…]
au. 172800 IN NS u.au.
au. 86400 IN DS 37976 8 1 ACCF50B2687DB697C404163DC1B9A07EE022E794
au. 86400 IN DS 37976 8 2 EA7CDFAB57E4D9CB5F09BE95EC5EBD4F4A113DFA3F120AC9D6065282 D910B8A5
au. 86400 IN DS 41491 8 1 C104274A2F94B01DB84E76B298B69A53B3FB4919
au. 86400 IN DS 41491 8 2 FCAABD135FFD9D1015438FC4AF8ACE4E9D2BEA04748C4DB3975CFD7C ABC30B88
au. 86400 IN RRSIG DS 8 1 86400 20151225170000 20151215160000 62530 . ccUToKhPaKIGE2O1fJgW/HjPAg/La2aQUNH1EVMgmTGyynx54IkS3NGY V1+xgqHRyYfp3Zr4lv2MLPC1w4ix+yMuAorPbdOxMDgxS3/D0PM8bTO4 Fs2CHSZ++NGML2WtUP2r8EGVYak+pysUgOBK8DvV8RQK+neXb7eoRwF0 Mag=
dnstap summary
a new, open standard for DNS server operation monitoring
• designed for large, busy DNS servers
• minimal performance loss
• wide adoption among open source DNS server implementations
don't miss our next webinars
• January 2016 – the DNS server in Windows 2016 Server – a big leap forward (views, response rate limiting, ACLs and more)
• February 2016 – an Update on DNSSEC and DANE: new implementations, adoption in the market, new Internet Standards
Signup @ https://www.menandmice.com/resources/educational-resources/webinars/