features免费dns
免费dns 时间:2021-04-20 阅读:(
)
IntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBPassiveDNSHardeningRobertEdmondsInternetSystemsConsortium,Inc.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEStructureofthistalkIntroductionDNSPassiveDNSISCSIEDNSsecurityissuesKashpurepoisoningKaminskypoisoningPassiveDNSsecurityissuesRecordinjectionResponsespoongISCDNSDBArchitectureDemosRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIETheDomainNameSystem"TheDNSmapshostnamestoIPaddresses.
"Moregenerally,itmaps(key,type)tuplestoasetofunorderedvalues.
again,wecanthinkoftheDNSasbasicallyamulti-valuedistributedkey-valuestore.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClients,caches,contentClientsrequestfullresolutionservicefromcaches.
CachesmakezeroormoreinquiriestoDNScontentserversonbehalfofclients.
Resultsarecachedforalimitedtimetoservefutureclientrequests.
ContentnameserversserveDNSrecordsforzonesthathavebeendelegatedtothem.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClient-serverandinter-serverDNSprotocolsTheDNSisactuallytwodierentprotocolsthatshareacommonwireformat.
Theclient-to-serverprotocolspokenbetweenclientsandcaches.
Theinter-serverprotocolspokenbetweencachesandcontentservers.
PassiveDNSfocusesonthelatter.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSPassiveDNSreplicationisatechnologyinventedin2004byFlorianWeimer.
Manyuses!
Malware,e-crime,legitimateInternetservicesallusetheDNS.
Inter-serverDNSmessagesarecapturedbysensorsandforwardedtoacollectionpointforanalysis.
Afterbeingprocessed,individualDNSrecordsarestoredinadatabase.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSdeploymentsFlorianWeimer'soriginaldnslogger,rstatRUS-CERT,thenatBFK.
de(2004–).
BojanZdrnja'sdnsparse(2006–).
ISC'sSecurityInformationExchange(2007–).
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEISCSecurityInformationExchangeSIEisadistributionnetworkfordierenttypesofsecuritydata.
OneofthosetypesofdataispassiveDNS.
SensoroperatorsuploadbatchesofdatatoSIE.
DataisbroadcastontoprivateVLANs.
NMSGformatisusedtoencapsulatedata.
HasanumberoffeatureswhichmakeitveryusefulforstoringpassiveDNSdata,butwon'tbecoveredfurther.
SeeourGoogleTechTalkformoreinformation:http://www.
isc.
org/community/presentations/video.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningDNSSecurityIssuesPassiveDNScapturesbothsignedandunsigneddata,soDNSSECcannothelpus.
WhatsecurityissuesarethereintheDNSthatarerelevanttopassiveDNSKashpurepoisoningKaminskypoisoning(Actually,justresponsespoongingeneral.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningKashpurepoisoningisthenamegiventoaparticulartypeofDNScachepoisoning.
Theattackerrunsacontentnameserver.
Aclientisenticedtolookupadomainnameundertheattacker'scontrol.
Thecachecontactstheattacker'snameserver.
Theattacker'snameserverprovidesextrarecordstothecache.
Theextrarecordsareinsertedintothecacheinsteadofbeingdiscarded.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurehardening1997:EugeneKashpurehijackstheInterNICwebsite.
BIND4.
9.
6and8.
1.
1introducehardeningagainstKashpurepoisoning.
RFC2181ispublished.
See§5.
4.
1"Rankingdata"fordetails.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningLackofentropy2000:DJBobservesthatamaximumofonlyabout31-32bitsofentropycanprotectaUDPDNSquery.
OtherDNSimplementationsslowtoadoptSPR.
32bitsofentropyparticularlyweakforasessionIDduetothebirthdayattackproblem.
NewerprotocolsusecryptographicallysecuresessionIDswith64,128,ormorebits.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKaminskypoisoning2008:DanKaminskynoticesthattheTTLcanbebypassed.
Coordinated,multi-vendorpatchesarereleasedtoimplementsourceportrandomization.
SPRmakesKaminskyattacksharder,butnotimpossible.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageRelevancetopassiveDNSWeimer's2005papernotesseveralproblemswithverifyingpassiveDNSdata.
KashpureandKaminskypoisoningof"activeDNS"haveanaloguesinpassiveDNS.
PassiveDNSsensorscan'tseetheDNScache's"bailiwick",leadingtorecordinjection.
Spoofedresponsesaretreatedjustlikenormalresponses.
AsinglespoofedresponsecanpoisonthepassiveDNSdatabase!
Goal:makepassiveDNSatleastasreliableasactiveDNS.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingthecapturestageagainstresponsespoongCapturebothqueriesandresponses.
Correlateresponseswithpreviouslyseenqueries.
TheDNSmessage9-tuple:1.
InitiatorIPaddress2.
Initiatorport3.
TargetIPaddress4.
Targetport5.
Internetprotocol6.
DNSID7.
Queryname8.
Querytype9.
QueryclassRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagenmsg/dnsqrdnsqrisamessagemoduleforISC'slibnmsgspecicallydesignedforpassiveDNScapture.
UDPDNStransactionsareclassiedintothreecategories:1.
UDPQUERYRESPONSE2.
UDPUNANSWEREDQUERY3.
UDPUNSOLICITEDRESPONSEPerformsIPreassembly,too!
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingtheanalysisstageagainstrecordinjectionCachesinternallyassociatea"bailiwick"witheachoutgoingquery.
Thecacheknowswhatbailiwicktouse,becauseitknowswhyit'ssendingaparticularquery.
Wehavetocalculatethebailiwickourselves.
Protectionagainstrecordinjectionrequiresprotectionagainstspoofedresponses.
(Otherwise,anattackercouldjustspooftherecordandthesourceIPaddressofanin-bailiwicknameserver.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmMustoperatecompletelypassively.
Mustprovideabooleantrueorfalseforeachrecord.
"Foreachrecordname,istheresponseIPaddressanameserverforthezonethatcontainsorcancontainthisname"Example:rootnameserverscanassertknowledgeaboutanyname!
Example:Verisign'sgtldserverscanassertknowledgeaboutanydomainnameendingin.
comor.
net.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmInitializebailiwickcachewithacopyoftherootzone.
CachestartsowithknowledgeofwhichserversservetherootandTLDs.
Findallpotentialzonesthatanamecouldbelocatedin.
Checkwhetheranyofthenameserversforthosezonesarethenameserverthatsenttheresponse.
EachtimeanNS,A,orAAAArecordisveriedbythealgorithm,itisinsertedintothebailiwickcache.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:example.
com.
Server:192.
5.
6.
30Potentialzones:example.
com.
com.
.
Zonesinbailiwickcache:com.
.
Check:example.
com.
/NSNotfound.
Check:com.
/NSFound13nameservers.
Check:areanyofthem192.
5.
6.
30Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexamplecom.
INNSa.
gtldservers.
net.
a.
gtldservers.
net.
INA192.
5.
6.
30RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;ADDITIONALSECTION:a.
ianaservers.
net.
172800INA192.
0.
34.
43b.
ianaservers.
net.
172800INA193.
0.
0.
236;;SERVER:192.
5.
6.
30#53(192.
5.
6.
30)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;ANSWERSECTION:www.
example.
com.
172800INA192.
0.
32.
10;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;SERVER:192.
0.
34.
43#53(192.
0.
34.
43)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:www.
example.
com.
Server:192.
0.
34.
43Potentialzones:www.
example.
com.
example.
com.
com.
.
Zonesinbailiwickcache:example.
com.
com.
.
Check:www.
example.
com.
/NSNotfound.
Check:example.
com.
/NSFound2nameservers.
Check:areanyofthem192.
0.
34.
43Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDNSDBDNSDBisadatabaseforstoringDNSrecords.
DataisloadedfrompassiveDNSandzoneles.
IndividualDNSrecordsarestoredinanApacheCassandradatabase.
Oerskey-valuestoredistributedacrossmultiplemachines.
GoodtforDNSdata.
Sustainsextremelyhighwritethroughputbecauseallwritesaresequential.
OersaRESTfulHTTPAPIandwebsearchinterface.
Databasecurrentlyconsumesabout500GBoutof27TB.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesArchitectureComponentsDatasourcesnmsg-dns-cacheDNSTLDzones(FTPviaZFAprograms):com,net,org,etc.
DNSzones(standardAXFR/IXFRprotocol)DataloadersDeduplicatedpassiveDNSZoneledataRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:nmsg-dns-cacheReadsrawDNSresponsesfrompassiveDNS.
ParseseachDNSmessageintoindividualDNSRRsets.
Seriesofltersreducethetotalamountofdatabyabout50%.
RRsetsaretheninsertedintoanin-memorycache.
CacheisexpiredinFIFOorder.
WhenRRsetsexpirefromthecache,theyformthenalnmsg-dns-cacheoutput.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:zonelesgTLDZoneFileAccessprograms:com,net,org,info,biz,nameAXFR'dzones:isc.
org,afewother"test"zones.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesExample#1:*.
google.
comRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardening
目前,我们都在用哪个FTP软件?喜欢用的是WinSCP,是一款免费的FTP/SFTP软件。今天在帮助一个网友远程解决问题的时候看到他用的是FlashFXP FTP工具,这个工具以前我也用过,不过正版是需要付费的,但是网上有很多的绿色版本和破解版本。考虑到安全的问题,个人不建议选择破解版。但是这款软件还是比较好用的。今天主要是遇到他的虚拟主机无法通过FTP连接主机,这里我就帮忙看看到底是什么问题。一...
最近AS9929线路比较火,联通A网,对标电信CN2,HostYun也推出了走联通AS9929线路的VPS主机,基于KVM架构,开设在洛杉矶机房,采用SSD硬盘,分为入门和高带宽型,最高提供500Mbps带宽,可使用9折优惠码,最低每月仅18元起。这是一家成立于2008年的VPS主机品牌,原主机分享组织(hostshare.cn),商家以提供低端廉价VPS产品而广为人知,是小成本投入学习练手首选。...
wordpress公司网站模板,wordpresss简洁风格的高级通用自适应网站效果,完美自适应支持多终端移动屏幕设备功能,高级可视化后台自定义管理模块+规范高效的搜索优化。wordpress公司网站模板采用标准的HTML5+CSS3语言开发,兼容当下的各种主流浏览器: IE 6+(以及类似360、遨游等基于IE内核的)、Firefox、Google Chrome、Safari、Opera等;同时...
免费dns为你推荐
co教我如何注册日本YAHOOhttp://www.yahoo.co.jp/支持ipad在线代理怎么样设置代理,让别人看我的IP是别的地方,不是我真实的IP?centos6.5linux centos 6.5 怎么安装软件苹果appstore宕机apple id登陆不了app store怎么办mysql下载Navicat for mysql怎么安装特朗普吐槽iPhone为什么iphone x卖的这么好课程cuteftp宜人贷官网宜信信用贷款上征信吗新团网美团网是谁创办的呀?
上海vps krypt qq云存储 buyvm hawkhost 镇江联通宽带 牛人与腾讯客服对话 域名评估 免费测手机号 超级服务器 空间登入 starry 114dns 七十九刀 开心online 第八届中美互联网论坛 windowsserverr2 e-mail 服务器操作系统 vim 更多