dnstap webinar

© Men & Mice http://menandmice.com DNSTAP a deep(er) look into DNS server operations (featuring Unbound, Knot-DNS and BIND 9) 1

Upload: men-and-mice

Post on 16-Apr-2017


DNSTAP: a deep(er) look into DNS server operations
(featuring Unbound, Knot-DNS and BIND 9)

before we start (1)… please note: BIND 9 security issue

CVE: CVE-2015-8000

Document Version: 2.0
Posting date: 15 December 2015
Program Impacted: BIND
Versions affected: 9.0.x -> 9.9.8, 9.10.0 -> 9.10.3
Severity: Critical
Exploitable: Remotely

Description:

An error in the parsing of incoming responses allows some records with an incorrect class to be accepted by BIND instead of being rejected as malformed. This can trigger a REQUIRE assertion failure when those records are subsequently cached. Intentional exploitation of this condition is possible and could be used as a denial-of-service vector against servers performing recursive queries.


before we start (2)… please note: BIND 9 security issue

CVE: CVE-2015-8461
Document Version: 2.0
Posting date: 15 December 2015
Program Impacted: BIND
Versions affected: 9.9.8 -> 9.9.8-P1, 9.9.8-S1 -> 9.9.8-S2, 9.10.3 -> 9.10.3-P1
Severity: Medium
Exploitable: Remotely

Description:

Beginning with the September 2015 maintenance releases 9.9.8 and 9.10.3, an error was introduced into BIND 9 which can cause a server to exit after encountering an INSIST assertion failure in resolver.c.


before we start (3)… please note: Concerning a recent OpenSSL security issue and new BIND build-time checks

The OpenSSL project recently announced several security issues including OpenSSL Security Advisory CVE-2015-1794. The official advisory from the OpenSSL project can be found at http://openssl.org/news/secadv/20151203.txt

In brief: OpenSSL 1.0.2 through 1.0.2d carry a vulnerability that potentially weakens the cryptographic operations BIND relies on; OpenSSL 1.0.2e is the recommended, fixed version. Check which OpenSSL library your BIND binary is actually linked against before assuming you are unaffected.


DNS server operations monitoring

It is difficult to monitor the internal operation of a DNS server:

• classic monitoring has a huge performance impact on busy DNS servers
  • example: BIND 9 query logging, switched on with "rndc querylog"
  • performance losses of up to 200% have been seen
  • the speed of the disk storage is the limiting factor


Network packet capture

An alternative is to look from the outside with a network traffic capture tool:

• no performance impact on the DNS server
• can only observe from the outside: internal DNS server events, such as cache events, are not seen
• difficult to work with UDP fragments and with DNS data inside TCP streams (both have to be reassembled before the DNS message can be parsed)
• example: Men & Mice DNS Traffic Monitor
• example: DNS Statistics Collector (DSC) https://www.caida.org/tools/utilities/dsc/


dnstap

dnstap is an open protocol to capture and store DNS server events:

• events are recorded inside the server, not reconstructed from packets on the wire
• fast and lightweight protocol
• non-blocking: designed to have minimal impact on the DNS server's performance (an event that cannot be handed off in time is dropped rather than making the server wait)

dnstap: event flow (slides 8 to 16, animated diagram)

[Diagram: a DNS client sends a DNS query to a DNS resolver, which queries a DNS authoritative server and returns the DNS answer to the client. For each query and each answer it handles, the resolver places an event into the DNSTAP ring buffer and carries on serving DNS; a separate IO thread takes the events out of the ring buffer and writes them to a file. The last frame shows the failure mode: during a burst of DNS queries the ring buffer fills faster than the IO thread empties it, the buffer is full, and one event is lost.]
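The hand-off shown in the diagram, modelled in code. This is an added example and not code from Unbound, Knot-DNS, BIND or the dnstap library: a fixed-size ring buffer whose push never blocks, a producer (the DNS server's worker) that drops an event when the buffer is full, and a consumer (the IO thread) that drains a bounded number of events per tick because disk throughput is the limit. The ring size, burst pattern and drain rate are made up for the simulation.

```python
class RingBuffer:
    """Fixed-capacity FIFO. push() never blocks: it reports a full buffer instead."""

    def __init__(self, capacity):
        self.slots = [None] * capacity
        self.head = self.count = 0          # head: next slot to read

    def push(self, event):
        if self.count == len(self.slots):
            return False                    # full: the caller has to drop the event
        self.slots[(self.head + self.count) % len(self.slots)] = event
        self.count += 1
        return True

    def pop(self):
        if self.count == 0:
            return None
        event = self.slots[self.head]
        self.head = (self.head + 1) % len(self.slots)
        self.count -= 1
        return event


def simulate(capacity, bursts, drain_per_tick):
    """bursts[t] is the number of events the DNS server produces in tick t; the IO thread
    writes at most drain_per_tick events per tick. Returns (events_written, events_dropped)."""
    ring, written, dropped = RingBuffer(capacity), [], 0
    for tick, burst in enumerate(bursts):
        for i in range(burst):              # server side: hand over, never wait for the disk
            if not ring.push((tick, i)):
                dropped += 1
        for _ in range(drain_per_tick):     # IO thread: throughput bounded by disk speed
            event = ring.pop()
            if event is None:
                break
            written.append(event)
    while ring.count:                       # after the burst the IO thread catches up
        written.append(ring.pop())
    return written, dropped


if __name__ == "__main__":
    # constructed load: 1 query per tick, one burst of 6, a 4-slot ring, disk drains 2 per tick
    done, lost = simulate(4, [1, 1, 1, 6, 1], 2)
    print("written %d, dropped %d" % (len(done), lost))
```

With the constructed load the burst in tick 3 overflows the 4-slot ring and two events are lost, while the server never waited for the disk; an 8-slot ring absorbs the same burst without loss. That is the trade-off the slides describe: the monitoring channel is lossy so that it cannot become a denial-of-service vector against the server itself, and the price is that the event stream must be treated as a sample, not a complete audit log.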


dnstap implementations

dnstap was developed by Farsight Security (Paul Vixie and Robert Edmonds); the homepage is http://dnstap.info

Implementations (status at the time of this webinar, December 2015):

• Unbound
• Knot 2.x
• BIND 9.11 (upcoming)
• NSD (planned)
• PowerDNS (planned)


using dnstap in your DNS server

dnstap is a compile-time option:

• usually not enabled in distribution packages
• requires compilation from source, with the fstrm and Protocol Buffers libraries (next slides) installed
• can be made available in the Men & Mice build packages for Unbound and BIND 9 (please let us know): http://packages.menandmice.com/unbound


dnstap dependencies

fstrm (Frame Streams data transport protocol)

a lightweight protocol to transport frames of data; it can be used with any data serialisation format that produces byte sequences (dnstap uses it to carry Protocol Buffers messages, over a Unix socket or into a file)

https://github.com/farsightsec/fstrm


dnstap dependencies

Google Protocol Buffers

Protocol Buffers are Google's language-neutral, platform-neutral, extensible mechanism for serialising structured data; the dnstap message schema (dnstap.proto) is defined in this format.

https://developers.google.com/protocol-buffers/


dnstap tools

tools to read DNSTAP data files:

• golang-dnstap https://github.com/dnstap/golang-dnstap
• dnstap-ldns https://github.com/dnstap/dnstap-ldns
• dnstap-read (part of BIND 9.11) http://source.isc.org
• Wireshark with dnstap support https://github.com/dnstap/wireshark


Demo: dnstap with unbound

simple Unbound configuration:

    server:
        verbosity: 1
        chroot: ""
        username: ""
        logfile: "unbound.log"
        use-syslog: no

    remote-control:
        control-enable: yes

    dnstap:
        dnstap-enable: yes
        dnstap-socket-path: "/opt/dnstap.unbound"
        dnstap-send-identity: yes
        dnstap-send-version: yes
        dnstap-log-resolver-response-messages: yes
        dnstap-log-client-query-messages: yes

Note: the demo disables the chroot; if Unbound runs chrooted, the dnstap socket path must be reachable from inside the chroot.


Demo: dnstap with unbound

catching the DNSTAP stream from the socket and writing it to a file:

    # fstrm_capture -t protobuf:dnstap.Dnstap \
                    -u /opt/dnstap.unbound \
                    -w /opt/dnstap.out \
                    -ddddd

    -t  content type (Protobuf information)
    -u  Unix socket to read
    -w  file to write
    -ddddd  heavy debug output

fstrm_capture creates and listens on the Unix socket; the DNS server is the connecting side, so start fstrm_capture first.


Demo: dnstap with unbound

reading a DNSTAP data file (overview), /opt/dnstap.out being the file with the binary DNSTAP data:

    # /usr/local/bin/dnstap-ldns -r /opt/dnstap.out

    2015-12-15 17:04:48.672530 CQ ::1 UDP 43b "menandmice.com." IN A
    2015-12-15 17:04:52.704455 CQ ::1 UDP 43b "menandmice.com." IN A
    2015-12-15 17:05:25.255258 CQ ::1 UDP 41b "dnssec.works." IN A
    2015-12-15 17:05:34.783531 CQ ::1 UDP 41b "dnssec.works." IN A
    2015-12-15 17:05:58.998672 CQ ::1 UDP 48b "larger.dnssec.works." IN A
    2015-12-15 17:06:05.958735 CQ ::1 UDP 49b "largerr.dnssec.works." IN A
    2015-12-15 17:06:15.198618 CQ ::1 UDP 49b "largerr.dnssec.works." IN TXT
    2015-12-15 17:06:20.493485 CQ ::1 UDP 48b "larger.dnssec.works." IN TXT

CQ = Client Query
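What dnstap-ldns and fstrm_capture do under the hood, put together from the two dependency slides (Frame Streams framing, Protocol Buffers) and the output format above. This is an added example, not code from fstrm, dnstap-ldns or dnstap-read, and it uses no third-party modules: a reader for the Frame Streams container that fstrm_capture writes, a minimal protobuf wire-format decoder, decoding of the Dnstap and Message fields by their numbers in dnstap.proto, and a one-line summary in the style of the dnstap-ldns listing. The sample stream is constructed by the script itself (identity, version, port and timestamps are assumed values echoing the demo) so that it runs offline; timestamps are printed in UTC, where the demo printed local time.

```python
import socket
import struct
from datetime import datetime, timezone

CT_DNSTAP = b"protobuf:dnstap.Dnstap"             # Frame Streams content type used by dnstap
CTRL_START, CTRL_STOP, CTRL_FIELD_CT = 2, 3, 1     # fstrm control frame types and field id
MSG_TYPES = {1: "AQ", 2: "AR", 3: "RQ", 4: "RR", 5: "CQ", 6: "CR",
             7: "FQ", 8: "FR", 9: "SQ", 10: "SR", 11: "TQ", 12: "TR"}
MSG_FIELDS = {1: "type", 2: "socket_family", 3: "socket_protocol", 4: "query_address",  # dnstap.proto
              5: "response_address", 6: "query_port", 7: "response_port", 8: "query_time_sec",
              9: "query_time_nsec", 10: "query_message", 11: "query_zone", 12: "response_time_sec",
              13: "response_time_nsec", 14: "response_message"}
RRTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 48: "DNSKEY"}

# protobuf wire format: varints, length-delimited fields and fixed32 are all that dnstap needs
def varint_enc(n):
    out = b""
    while n > 0x7F:
        out, n = out + bytes([n & 0x7F | 0x80]), n >> 7
    return out + bytes([n])

def varint_dec(buf, pos):
    n = shift = 0
    while True:
        n, shift, pos = n | (buf[pos] & 0x7F) << shift, shift + 7, pos + 1
        if not buf[pos - 1] & 0x80:
            return n, pos

def pb_fields(buf):
    """Yield (field_number, value) for every field of a serialised protobuf message."""
    pos = 0
    while pos < len(buf):
        key, pos = varint_dec(buf, pos)
        fnum, wtype = key >> 3, key & 7
        if wtype == 0:                                 # varint: enums, uint32, uint64
            val, pos = varint_dec(buf, pos)
        elif wtype == 2:                               # length-delimited: bytes, sub-message
            ln, pos = varint_dec(buf, pos)
            val, pos = buf[pos:pos + ln], pos + ln
        elif wtype == 5:                               # fixed32: the *_time_nsec fields
            val, pos = struct.unpack_from("<I", buf, pos)[0], pos + 4
        else:
            raise ValueError("unsupported wire type %d" % wtype)
        yield fnum, val

def pb_uint(f, n): return varint_enc(f << 3) + varint_enc(n)
def pb_bytes(f, b): return varint_enc(f << 3 | 2) + varint_enc(len(b)) + b
def pb_fix32(f, n): return varint_enc(f << 3 | 5) + struct.pack("<I", n)

# Frame Streams: data frames are length-prefixed; a zero length escapes a control frame
def fstrm_write(frames):
    start = struct.pack(">III", CTRL_START, CTRL_FIELD_CT,
                        len(CT_DNSTAP)) + CT_DNSTAP
    body = b"".join(struct.pack(">I", len(f)) + f for f in frames)
    return struct.pack(">II", 0, len(start)) + start + body + struct.pack(">III", 0, 4, CTRL_STOP)

def fstrm_read(data):
    """Yield data-frame payloads; refuse a stream whose START frame is not typed as dnstap."""
    pos = 0
    while pos + 4 <= len(data):
        ln, pos = struct.unpack_from(">I", data, pos)[0], pos + 4
        if ln:                                         # data frame
            yield data[pos:pos + ln]
            pos += ln
            continue
        clen, ctype = struct.unpack_from(">II", data, pos)    # escaped control frame
        if ctype == CTRL_STOP:
            return
        if ctype == CTRL_START:
            ftype, flen = struct.unpack_from(">II", data, pos + 8)
            if (ftype, data[pos + 16:pos + 16 + flen]) != (CTRL_FIELD_CT, CT_DNSTAP):
                raise ValueError("not a dnstap stream")
        pos += 4 + clen

def decode_dnstap(payload):
    top, d = {1: "identity", 2: "version", 15: "type"}, {}
    for f, v in pb_fields(payload):
        if f == 14:                                    # Dnstap.message sub-message
            d["message"] = {MSG_FIELDS[k]: x for k, x in pb_fields(v) if k in MSG_FIELDS}
        elif f in top:
            d[top[f]] = v
    return d

def dns_question(msg):
    """(qname, qclass, qtype) of the first question in a wire-format DNS message."""
    if struct.unpack_from(">H", msg, 4)[0] < 1:        # QDCOUNT
        return None
    pos, labels = 12, []
    while msg[pos]:
        if msg[pos] & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    qtype, qclass = struct.unpack_from(">HH", msg, pos + 1)
    return ".".join(labels) + ".", qclass, qtype

def summarize(d):
    """time, type, remote address, transport, DNS message size, question (dnstap-ldns style)."""
    m = d["message"]
    kind = MSG_TYPES.get(m["type"], "??")
    side = "response" if m["type"] % 2 == 0 else "query"
    # query_address is the query's sender, response_address the responder: the remote end is
    # the client for CLIENT_*/AUTH_* events and the upstream server for all other types.
    remote = m.get("query_address" if kind[0] in "CA" else "response_address", b"")
    fam = socket.AF_INET if m.get("socket_family") == 1 else socket.AF_INET6
    ts = datetime.fromtimestamp(m.get(side + "_time_sec", 0), tz=timezone.utc)
    ts = ts.replace(microsecond=m.get(side + "_time_nsec", 0) // 1000)
    wire = m[side + "_message"]
    qname, qclass, qtype = dns_question(wire)
    return '%s %s %s %s %db "%s" %s %s' % (
        ts.strftime("%Y-%m-%d %H:%M:%S.%f"), kind, socket.inet_ntop(fam, remote),
        "UDP" if m.get("socket_protocol") == 1 else "TCP", len(wire), qname,
        "IN" if qclass == 1 else "CLASS%d" % qclass, RRTYPES.get(qtype, "TYPE%d" % qtype))

def read_summaries(data):
    return [summarize(decode_dnstap(frame)) for frame in fstrm_read(data)]

# constructed sample, not captured data: two CLIENT_QUERY events from ::1 over UDP
def build_query(qname, qtype):
    """Wire-format query: RD set, one question, one EDNS0 OPT record (DO bit, 4096 bytes)."""
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, 0x8000, 0)
    return struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1) + name + struct.pack(">HH", qtype, 1) + opt

def client_query_event(qname, qtype, sec, nsec):
    msg = (pb_uint(1, 5) + pb_uint(2, 2) + pb_uint(3, 1)         # CLIENT_QUERY, INET6, UDP
           + pb_bytes(4, socket.inet_pton(socket.AF_INET6, "::1")) + pb_uint(6, 48107)
           + pb_uint(8, sec) + pb_fix32(9, nsec) + pb_bytes(10, build_query(qname, qtype)))
    return (pb_bytes(1, b"csmobile4.home.strotmann.de") + pb_bytes(2, b"unbound 1.5.7")
            + pb_bytes(14, msg) + pb_uint(15, 1))                 # Dnstap.type = MESSAGE

SAMPLE = fstrm_write([client_query_event("menandmice.com.", 1, 1450199088, 672530000),
                      client_query_event("dnssec.works.", 16, 1450199125, 255258000)])

if __name__ == "__main__":
    print("\n".join(read_summaries(SAMPLE)))
```

Two points worth noticing when writing your own consumer: fstrm_read refuses a stream whose START frame does not declare the dnstap content type, and dns_question rejects a compression pointer inside the question name instead of following it. Both are cheap checks that keep a malformed or hostile capture from being mis-parsed, which matters once dnstap files are fed into a SIEM or an automated pipeline. A 43-byte client query in the output is exactly the header, the question and an 11-byte EDNS0 OPT record, matching the 43b entries of the demo listing.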


Demo: dnstap with unbound

reading a DNSTAP data file (with details; -y prints the details as YAML):

    # /usr/local/bin/dnstap-ldns -y -r /opt/dnstap.out

    type: MESSAGE
    identity: "csmobile4.home.strotmann.de"
    version: "unbound 1.5.7"
    message:
      type: CLIENT_QUERY
      query_time: !!timestamp 2015-12-15 17:06:20.493485
      socket_family: INET6
      socket_protocol: UDP
      query_address: ::1
      query_port: 48107
      query_message: |
        ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50271
        ;; flags: rd ad ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
        ;; QUESTION SECTION:
        ;larger.dnssec.works.    IN    TXT
        ;; ANSWER SECTION:
        ;; AUTHORITY SECTION:
        ;; ADDITIONAL SECTION:
        ;; EDNS: version 0; flags: do ; udp: 4096


Demo: dnstap with knot-dns

simple Knot 2.x configuration:

    server:
        listen: 0.0.0.0@53
        listen: ::@53

    log:
      - target: syslog
        any: info

    mod-dnstap:
      - id: capture_all
        sink: /opt/dnstap.knot

    template:
      - id: default
        storage: "/opt/knot-dnstap/var/lib/knot"
        global-module: mod-dnstap/capture_all

    zone:
      - domain: example.com
        file: "/opt/knot-dnstap/etc/knot/example.com.zone"

In Knot the sink is a file path; to hand the stream to fstrm_capture over a Unix socket instead, prefix the path with unix:.


Demo: dnstap with BIND 9.11 (devel)

simple BIND 9.11 resolver configuration:

    options {
        directory "/opt/bind9-dnstap";
        dnstap { all; };   // client, auth, resolver, forwarder | query, response
        dnstap-output file "/opt/bind9.tap";
        dnstap-identity hostname;
        dnstap-version "9.11.devel";

        dnssec-validation auto;
    };


Demo: dnstap with BIND 9.11 (devel)

reading a DNSTAP file with dnstap-read:

    # dnstap-read /opt/bind9.dtp

    15-Dec-2015 18:53:35.467 RQ 2001:503:ba3e::2:30 UDP 40b ./IN/DNSKEY
    15-Dec-2015 18:53:35.503 RR 2001:503:ba3e::2:30 UDP 509b ./IN/NS
    15-Dec-2015 18:53:35.514 RQ 2001:500:2d::d TCP 40b ./IN/DNSKEY
    15-Dec-2015 18:53:35.550 RR 2001:503:ba3e::2:30 TCP 736b ./IN/DNSKEY
    15-Dec-2015 18:53:35.468 RQ 2001:503:ba3e::2:30 UDP 40b ./IN/NS
    15-Dec-2015 18:53:35.503 RR 2001:503:ba3e::2:30 UDP 28b ./IN/DNSKEY
    15-Dec-2015 18:53:35.514 RR 2001:500:2d::d UDP 28b ./IN/DNSKEY
    15-Dec-2015 18:53:35.503 RQ 2001:500:2d::d UDP 40b ./IN/DNSKEY
    15-Dec-2015 18:53:35.534 RR 2001:500:2d::d TCP 736b ./IN/DNSKEY
    15-Dec-2015 18:53:35.503 RQ 2001:503:ba3e::2:30 TCP 40b ./IN/DNSKEY

(the lines are reproduced in the order of the slide, which is not chronological)

Columns: date and time; message type; IP address of the remote machine; transport protocol (UDP or TCP); size of the DNS message carried in the DNSTAP event (bytes); domain, class and record type.

Message types: RQ: RESOLVER_QUERY, RR: RESOLVER_RESPONSE, CQ: CLIENT_QUERY, CR: CLIENT_RESPONSE, FQ: FORWARDER_QUERY, FR: FORWARDER_RESPONSE […]

Reading the trace: the resolver is fetching the root NS and DNSKEY sets to prime DNSSEC validation. A 28-byte UDP DNSKEY response (header, question and OPT record only) followed by the same query over TCP and a 736-byte TCP response is consistent with a truncated UDP answer and the TCP retry; dnstap makes this retry visible without a packet capture.


Demo: dnstap with BIND 9.11 (devel)

reading a DNSTAP file with dnstap-read, including the packet data:

    # dnstap-read -p /opt/bind9.dtp

    15-Dec-2015 18:53:52.725 RQ 2001:7fe::53 UDP 67b demand.gamma.aridns.net.au/IN/AAAA
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23009
    ;; flags: cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 512
    ; COOKIE: f7208c0ca722db34
    ;; QUESTION SECTION:
    ;demand.gamma.aridns.net.au.    IN    AAAA

    15-Dec-2015 18:53:52.758 RR 2001:7fe::53 UDP 510b demand.delta.aridns.net.au/IN/AAAA
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37169
    ;; flags: qr cd; QUESTION: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;demand.delta.aridns.net.au.    IN    AAAA

    ;; AUTHORITY SECTION:
    au.    172800    IN    NS    a.au.
    […]
    au.    172800    IN    NS    u.au.
    au.    86400     IN    DS    37976 8 1 ACCF50B2687DB697C404163DC1B9A07EE022E794
    au.    86400     IN    DS    37976 8 2 EA7CDFAB57E4D9CB5F09BE95EC5EBD4F4A113DFA3F120AC9D6065282 D910B8A5
    au.    86400     IN    DS    41491 8 1 C104274A2F94B01DB84E76B298B69A53B3FB4919
    au.    86400     IN    DS    41491 8 2 FCAABD135FFD9D1015438FC4AF8ACE4E9D2BEA04748C4DB3975CFD7C ABC30B88
    au.    86400     IN    RRSIG DS 8 1 86400 20151225170000 20151215160000 62530 . ccUToKhPaKIGE2O1fJgW/HjPAg/La2aQUNH1EVMgmTGyynx54IkS3NGY V1+xgqHRyYfp3Zr4lv2MLPC1w4ix+yMuAorPbdOxMDgxS3/D0PM8bTO4 Fs2CHSZ++NGML2WtUP2r8EGVYak+pysUgOBK8DvV8RQK+neXb7eoRwF0 Mag=


dnstap summary

a new, open standard for DNS server operation monitoring

• designed for large, busy DNS servers
• minimal performance loss (events that cannot be written in time are dropped instead of slowing the server down)
• adopted by several open source DNS server implementations (Unbound and Knot today, BIND 9.11 upcoming, NSD and PowerDNS planned)


don't miss our next webinars

• January 2016 – the DNS server in Windows Server 2016 – a big leap forward (views, response rate limiting, ACLs and more)
• February 2016 – an update on DNSSEC and DANE: new implementations, adoption in the market, new Internet Standards

Signup @ https://www.menandmice.com/resources/educational-resources/webinars/


Q/A

2016 schedule, slides, links, recording and errata will be published @ https://www.menandmice.com/resources/educational-resources/webinars/