Zone walking DNSSEC

DNSSEC

  • DNSSEC provides a layer of security by adding cryptographic signatures to existing DNS records
  • These signatures are stored alongside common record types like A, AAAA, MX

DNSSEC - New records

Record          Purpose
RRSIG           Contains a cryptographic signature.
NSEC and NSEC3  For explicit denial-of-existence of a DNS record.
DNSKEY          Contains a public signing key.
DS              Contains the hash of a DNSKEY record.

$ dig +multi +dnssec A paypal.com

... snipped ...

;; ANSWER SECTION:
paypal.com.     54 IN A 64.4.250.33
paypal.com.     54 IN A 64.4.250.32
paypal.com.     54 IN RRSIG A 5 2 300 (
                20170804231420 20170705224524 11811 paypal.com.
                U5vZ/hpuquFk3M9bgSFlSngl3DBJTJiJZzprBSU50jgB
                KKj0e8D3UkRgAntYyS3Em85ddO3AGTviWbZu/amCk7Rj
                bdm2PnqkljtdZtzLmNXMZ6a5WqjyIbYwdeIVGcA/uX1V
                E6P/dL4W78tkPbRfl49klvd/kwrzId9OKSzd1Cg= )

... snipped ...

DNSSEC - Authenticated Denial of Existence (RFC 7129)

In DNS, when a client queries for a non-existent domain, the server must deny the existence of that domain. Doing this is harder in DNSSEC, because the denial itself has to be cryptographically signed.

Problems with Authenticated Denial of Existence (DNSSEC)

  1. NXDOMAIN responses are generic, so attackers can spoof them
  2. Signing the responses on the fly would be both a performance and a security problem
  3. Pre-signing every possible NXDOMAIN record is not possible, as there are infinitely many non-existent names

NSEC

  • Zone entries are sorted alphabetically (in canonical DNS order), and the NextSECure (NSEC) record of a name points to the name that comes after it
  • Basically, an NSEC record says, “there are no names between sub-domain X and sub-domain Y.”
$ dig +dnssec @ns1.insecuredns.com firewallll.insecuredns.com
... snipped ...
firewall.insecuredns.com. 604800 IN NSEC mail.insecuredns.com. A RRSIG NSEC
... snipped ...

Installing ldnsutils

  • ldns-walk (part of ldnsutils) can be used to zone walk a DNSSEC-signed zone that uses NSEC.
# On Debian/Ubuntu
$ sudo apt-get install ldnsutils
# On Redhat/CentOS
$ sudo yum install ldns
# You may need to do
$ sudo yum install -y epel-release

Zone walking NSEC - LDNS

$ ldns-walk @name_server domain_name


Zone walking NSEC - Dig

  • You can list all the sub-domains by following the linked list of NSEC records, starting from any existing name in the zone.
$ dig +short NSEC api.nasa.gov
apm.nasa.gov. CNAME RRSIG NSEC
$ dig +short NSEC apm.nasa.gov
apmcpr.nasa.gov. A RRSIG NSEC

Extracting the sub-domain from NSEC

  • You can extract just the next-name part of the NSEC record (the first field) with the awk utility.
$ dig +short NSEC api.nasa.gov |  awk '{print $1;}'
apm.nasa.gov.
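The two sections above show the walk being done by hand with dig and awk. The following added example (not code from the original page or from any tool it mentions) does the same thing programmatically against a constructed in-memory zone: it parses NSEC RDATA exactly as `dig +short NSEC` prints it, follows the next-name pointers from the apex, and stops when the chain wraps back to the apex or a loop is detected. The sample records and the `lookup` callable are assumptions; an operator auditing their own zone could substitute a real resolver query for the dictionary lookup to see exactly which names an NSEC chain exposes.

```python
from typing import Callable, List, Optional, Tuple

# Constructed sample: what `dig +short NSEC <name>` would print for each name
# in a small zone. These are NOT real records for example.com.
SAMPLE_ZONE = {
    "example.com.":      "api.example.com. A NS SOA MX RRSIG NSEC DNSKEY",
    "api.example.com.":  "mail.example.com. A RRSIG NSEC",
    "mail.example.com.": "www.example.com. A MX RRSIG NSEC",
    "www.example.com.":  "example.com. A AAAA RRSIG NSEC",   # last record wraps to the apex
}


def canonical(name: str) -> str:
    """Lower-case a name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def parse_nsec(rdata: str) -> Tuple[str, List[str]]:
    """Split NSEC RDATA into (next owner name, list of record types present).

    Matches the `dig +short` layout used on the page:
      apm.nasa.gov. CNAME RRSIG NSEC
    """
    fields = rdata.split()
    if not fields:
        raise ValueError("empty NSEC RDATA")
    return canonical(fields[0]), fields[1:]


def walk_nsec(apex: str,
              lookup: Callable[[str], Optional[str]],
              max_steps: int = 100_000) -> List[Tuple[str, List[str]]]:
    """Follow the NSEC chain from `apex` and return [(owner, types), ...].

    `lookup(name)` must return the NSEC RDATA string for `name`, or None if
    the name has no NSEC record. The walk ends when the next pointer returns
    to the apex; a pointer to a name already visited (a loop that never
    reaches the apex) or an over-long chain raises instead of spinning.
    """
    apex = canonical(apex)
    visited: List[Tuple[str, List[str]]] = []
    seen = set()
    current = apex
    for _ in range(max_steps):
        rdata = lookup(current)
        if rdata is None:
            raise LookupError(f"no NSEC record for {current}")
        next_name, types = parse_nsec(rdata)
        visited.append((current, types))
        seen.add(current)
        if next_name == apex:
            return visited
        if next_name in seen:
            raise RuntimeError(f"NSEC chain loops at {next_name} without reaching the apex")
        current = next_name
    raise RuntimeError(f"NSEC chain longer than {max_steps} records")


def zone_names(apex: str, lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Just the owner names, i.e. the equivalent of the page's awk '{print $1;}' loop."""
    return [owner for owner, _ in walk_nsec(apex, lookup)]


if __name__ == "__main__":
    for owner, types in walk_nsec("example.com", SAMPLE_ZONE.get):
        print(f"{owner:20} {' '.join(types)}")
```

The loop guard matters in practice: a zone that is being re-signed while you walk it can hand back a pointer to a name you have already seen, and without the `seen` set the walker would run forever.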

NSEC3

  • The NSEC3 record is like an NSEC record, but instead of names, NSEC3 provides a signed gap between hashes of domain names.
  • Returning hashes was intended to prevent zone enumeration (or at least make it expensive).
231SPNAMH63428R68U7BV359PFPJI2FC.example.com. NSEC3 1 0 3 ABCDEF
NKDO8UKT2STOL6EJRD1EKVD1BQ2688DM A NS SOA TXT AAAA RRSIG DNSKEY NSEC3PARAM
NKDO8UKT2STOL6EJRD1EKVD1BQ2688DM.example.com. NSEC3 1 0 3 ABCDEF
231SPNAMH63428R68U7BV359PFPJI2FC A TXT AAAA RRSIG

NSEC3 - Linked list of hashes

[Figure: NSEC3 records forming a linked list of hashed owner names]

Generating NSEC3 hash for a domain name

  • ldns-nsec3-hash (part of ldnsutils) generates the NSEC3 hash of a domain name for a given salt value and number of iterations
  • The number of iterations and the salt value are available as part of the NSEC3 record (here: 3 iterations, salt ABCDEF).
$ ldns-nsec3-hash -t 3 -s ABCDEF example.com
231spnamh63428r68u7bv359pfpji2fc.
$ ldns-nsec3-hash -t 3 -s ABCDEF www.example.com
nkdo8ukt2stol6ejrd1ekvd1bq2688dm.

Zone walking NSEC3

  • An attacker can collect all the sub-domain hashes and crack the hashes offline
  • Tools like nsec3walker and nsec3map help automate collecting NSEC3 hashes and cracking them
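To make the two previous sections concrete, here is an added Python example (not code from the page, ldnsutils, nsec3walker or nsec3map) of the RFC 5155 hash that ldns-nsec3-hash computes, of the check a validating resolver performs to decide whether an NSEC3 record covers a queried name, and of the wordlist matching that an "unhash" step boils down to. The sample hash values, candidate labels and the zone name are constructed for illustration; the two hashes from the page's NSEC3 record are used only as string inputs to the covering check. The same arguments the page passes to ldns-nsec3-hash can be passed to `nsec3_hash` for comparison.

```python
import hashlib
from typing import Dict, Iterable

# Base32hex (RFC 4648 section 7) is what NSEC3 uses: it sorts the same way
# as the raw hash bytes, which is what makes the "gap" comparison valid.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-case labels, each prefixed by its length, ending with the root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: H(name||salt), then `iterations` more rounds of
    H(previous||salt), SHA-1 only (hash algorithm 1), printed as lower-case
    base32hex like ldns-nsec3-hash does. Salt "-" means an empty salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    import base64
    # 20 bytes -> exactly 32 base32 characters, so there is never padding.
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if `target_hash` falls strictly inside the gap the NSEC3 record
    describes. This is the resolver-side half of denial of existence: a
    covering record proves no name hashes into that gap. The last record in
    the chain has next < owner and wraps around to the first hash."""
    o, n, t = (h.upper() for h in (owner_hash, next_hash, target_hash))
    if o < n:
        return o < t < n
    return t > o or t < n


def match_candidates(collected: Iterable[str], zone: str, salt_hex: str,
                     iterations: int, labels: Iterable[str]) -> Dict[str, str]:
    """What an offline "unhash" step does: hash each candidate <label>.<zone>
    with the zone's salt and iteration count and look it up in the set of
    hashes collected from NSEC3 records. Returns {hash: recovered name}."""
    wanted = {h.lower() for h in collected}
    found: Dict[str, str] = {}
    for label in labels:
        candidate = f"{label}.{zone.rstrip('.')}"
        h = nsec3_hash(candidate, salt_hex, iterations)
        if h in wanted:
            found[h] = candidate
    return found


if __name__ == "__main__":
    print(nsec3_hash("example.com", "ABCDEF", 3))
    print(nsec3_hash("www.example.com", "ABCDEF", 3))
```

Note that the cost of a candidate check is one SHA-1 per iteration; with the 3 iterations used in the page's example, a modest wordlist is checked in well under a second, which is why the NSEC3 parameters alone do not make a zone private. Operators who rely on NSEC3 should not assume the hashes are unrecoverable.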

Installing nsec3walker

  • Installation instructions are available at https://dnscurve.org/nsec3walker.html
  • I used the following commands to install nsec3walker on Ubuntu 16.04.
    • build-essential package is a prerequisite.
# Installing nsec3walker
$ wget https://dnscurve.org/nsec3walker-20101223.tar.gz
$ tar -xzf nsec3walker-20101223.tar.gz
$ cd nsec3walker-20101223
$ make

Zone walking NSEC3

Zone walking an NSEC3-protected zone using nsec3walker:

# Collect NSEC3 hashes of a domain
$ ./collect insecuredns.com > insecuredns.com.collect
# Undo the hashing, expose the sub-domain information.
$ ./unhash < insecuredns.com.collect > insecuredns.com.unhash

Zone walking NSEC3

# Checking the number of successfully cracked sub-domain hashes
$ cat icann.org.unhash | grep "icann" | wc -l
45
# Listing only the sub-domain part from the unhashed data
$ cat icann.org.unhash | grep "icann" | awk '{print $2;}'
del.icann.org.
access.icann.org.
charts.icann.org.
communications.icann.org.

... snipped ...

redis.icann.org.
svn.icann.org.
admin.icann.org.
orbis.icann.org.
jira.icann.org.
omblog.icann.org.
pptr.icann.org.
splunk.icann.org.
nomcom.icann.org.
rssac.icann.org.
sftp.icann.org.
netscan.icann.org.
