features免费dns
免费dns 时间:2021-04-20 阅读:()
IntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBPassiveDNSHardeningRobertEdmondsInternetSystemsConsortium,Inc.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEStructureofthistalkIntroductionDNSPassiveDNSISCSIEDNSsecurityissuesKashpurepoisoningKaminskypoisoningPassiveDNSsecurityissuesRecordinjectionResponsespoongISCDNSDBArchitectureDemosRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIETheDomainNameSystem"TheDNSmapshostnamestoIPaddresses.
"Moregenerally,itmaps(key,type)tuplestoasetofunorderedvalues.
again,wecanthinkoftheDNSasbasicallyamulti-valuedistributedkey-valuestore.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClients,caches,contentClientsrequestfullresolutionservicefromcaches.
CachesmakezeroormoreinquiriestoDNScontentserversonbehalfofclients.
Resultsarecachedforalimitedtimetoservefutureclientrequests.
ContentnameserversserveDNSrecordsforzonesthathavebeendelegatedtothem.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClient-serverandinter-serverDNSprotocolsTheDNSisactuallytwodierentprotocolsthatshareacommonwireformat.
Theclient-to-serverprotocolspokenbetweenclientsandcaches.
Theinter-serverprotocolspokenbetweencachesandcontentservers.
PassiveDNSfocusesonthelatter.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSPassiveDNSreplicationisatechnologyinventedin2004byFlorianWeimer.
Manyuses!
Malware,e-crime,legitimateInternetservicesallusetheDNS.
Inter-serverDNSmessagesarecapturedbysensorsandforwardedtoacollectionpointforanalysis.
Afterbeingprocessed,individualDNSrecordsarestoredinadatabase.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSdeploymentsFlorianWeimer'soriginaldnslogger,rstatRUS-CERT,thenatBFK.
de(2004–).
BojanZdrnja'sdnsparse(2006–).
ISC'sSecurityInformationExchange(2007–).
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEISCSecurityInformationExchangeSIEisadistributionnetworkfordierenttypesofsecuritydata.
OneofthosetypesofdataispassiveDNS.
SensoroperatorsuploadbatchesofdatatoSIE.
DataisbroadcastontoprivateVLANs.
NMSGformatisusedtoencapsulatedata.
HasanumberoffeatureswhichmakeitveryusefulforstoringpassiveDNSdata,butwon'tbecoveredfurther.
SeeourGoogleTechTalkformoreinformation:http://www.
isc.
org/community/presentations/video.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningDNSSecurityIssuesPassiveDNScapturesbothsignedandunsigneddata,soDNSSECcannothelpus.
WhatsecurityissuesarethereintheDNSthatarerelevanttopassiveDNSKashpurepoisoningKaminskypoisoning(Actually,justresponsespoongingeneral.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningKashpurepoisoningisthenamegiventoaparticulartypeofDNScachepoisoning.
Theattackerrunsacontentnameserver.
Aclientisenticedtolookupadomainnameundertheattacker'scontrol.
Thecachecontactstheattacker'snameserver.
Theattacker'snameserverprovidesextrarecordstothecache.
Theextrarecordsareinsertedintothecacheinsteadofbeingdiscarded.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurehardening1997:EugeneKashpurehijackstheInterNICwebsite.
BIND4.
9.
6and8.
1.
1introducehardeningagainstKashpurepoisoning.
RFC2181ispublished.
See§5.
4.
1"Rankingdata"fordetails.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningLackofentropy2000:DJBobservesthatamaximumofonlyabout31-32bitsofentropycanprotectaUDPDNSquery.
OtherDNSimplementationsslowtoadoptSPR.
32bitsofentropyparticularlyweakforasessionIDduetothebirthdayattackproblem.
NewerprotocolsusecryptographicallysecuresessionIDswith64,128,ormorebits.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKaminskypoisoning2008:DanKaminskynoticesthattheTTLcanbebypassed.
Coordinated,multi-vendorpatchesarereleasedtoimplementsourceportrandomization.
SPRmakesKaminskyattacksharder,butnotimpossible.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageRelevancetopassiveDNSWeimer's2005papernotesseveralproblemswithverifyingpassiveDNSdata.
KashpureandKaminskypoisoningof"activeDNS"haveanaloguesinpassiveDNS.
PassiveDNSsensorscan'tseetheDNScache's"bailiwick",leadingtorecordinjection.
Spoofedresponsesaretreatedjustlikenormalresponses.
AsinglespoofedresponsecanpoisonthepassiveDNSdatabase!
Goal:makepassiveDNSatleastasreliableasactiveDNS.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingthecapturestageagainstresponsespoongCapturebothqueriesandresponses.
Correlateresponseswithpreviouslyseenqueries.
TheDNSmessage9-tuple:1.
InitiatorIPaddress2.
Initiatorport3.
TargetIPaddress4.
Targetport5.
Internetprotocol6.
DNSID7.
Queryname8.
Querytype9.
QueryclassRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagenmsg/dnsqrdnsqrisamessagemoduleforISC'slibnmsgspecicallydesignedforpassiveDNScapture.
UDPDNStransactionsareclassiedintothreecategories:1.
UDPQUERYRESPONSE2.
UDPUNANSWEREDQUERY3.
UDPUNSOLICITEDRESPONSEPerformsIPreassembly,too!
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingtheanalysisstageagainstrecordinjectionCachesinternallyassociatea"bailiwick"witheachoutgoingquery.
Thecacheknowswhatbailiwicktouse,becauseitknowswhyit'ssendingaparticularquery.
Wehavetocalculatethebailiwickourselves.
Protectionagainstrecordinjectionrequiresprotectionagainstspoofedresponses.
(Otherwise,anattackercouldjustspooftherecordandthesourceIPaddressofanin-bailiwicknameserver.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmMustoperatecompletelypassively.
Mustprovideabooleantrueorfalseforeachrecord.
"Foreachrecordname,istheresponseIPaddressanameserverforthezonethatcontainsorcancontainthisname"Example:rootnameserverscanassertknowledgeaboutanyname!
Example:Verisign'sgtldserverscanassertknowledgeaboutanydomainnameendingin.
comor.
net.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmInitializebailiwickcachewithacopyoftherootzone.
CachestartsowithknowledgeofwhichserversservetherootandTLDs.
Findallpotentialzonesthatanamecouldbelocatedin.
Checkwhetheranyofthenameserversforthosezonesarethenameserverthatsenttheresponse.
EachtimeanNS,A,orAAAArecordisveriedbythealgorithm,itisinsertedintothebailiwickcache.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:example.
com.
Server:192.
5.
6.
30Potentialzones:example.
com.
com.
.
Zonesinbailiwickcache:com.
.
Check:example.
com.
/NSNotfound.
Check:com.
/NSFound13nameservers.
Check:areanyofthem192.
5.
6.
30Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexamplecom.
INNSa.
gtldservers.
net.
a.
gtldservers.
net.
INA192.
5.
6.
30RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;ADDITIONALSECTION:a.
ianaservers.
net.
172800INA192.
0.
34.
43b.
ianaservers.
net.
172800INA193.
0.
0.
236;;SERVER:192.
5.
6.
30#53(192.
5.
6.
30)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;ANSWERSECTION:www.
example.
com.
172800INA192.
0.
32.
10;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;SERVER:192.
0.
34.
43#53(192.
0.
34.
43)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:www.
example.
com.
Server:192.
0.
34.
43Potentialzones:www.
example.
com.
example.
com.
com.
.
Zonesinbailiwickcache:example.
com.
com.
.
Check:www.
example.
com.
/NSNotfound.
Check:example.
com.
/NSFound2nameservers.
Check:areanyofthem192.
0.
34.
43Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDNSDBDNSDBisadatabaseforstoringDNSrecords.
DataisloadedfrompassiveDNSandzoneles.
IndividualDNSrecordsarestoredinanApacheCassandradatabase.
Oerskey-valuestoredistributedacrossmultiplemachines.
GoodtforDNSdata.
Sustainsextremelyhighwritethroughputbecauseallwritesaresequential.
OersaRESTfulHTTPAPIandwebsearchinterface.
Databasecurrentlyconsumesabout500GBoutof27TB.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesArchitectureComponentsDatasourcesnmsg-dns-cacheDNSTLDzones(FTPviaZFAprograms):com,net,org,etc.
DNSzones(standardAXFR/IXFRprotocol)DataloadersDeduplicatedpassiveDNSZoneledataRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:nmsg-dns-cacheReadsrawDNSresponsesfrompassiveDNS.
ParseseachDNSmessageintoindividualDNSRRsets.
Seriesofltersreducethetotalamountofdatabyabout50%.
RRsetsaretheninsertedintoanin-memorycache.
CacheisexpiredinFIFOorder.
WhenRRsetsexpirefromthecache,theyformthenalnmsg-dns-cacheoutput.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:zonelesgTLDZoneFileAccessprograms:com,net,org,info,biz,nameAXFR'dzones:isc.
org,afewother"test"zones.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesExample#1:*.
google.
comRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardening
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEStructureofthistalkIntroductionDNSPassiveDNSISCSIEDNSsecurityissuesKashpurepoisoningKaminskypoisoningPassiveDNSsecurityissuesRecordinjectionResponsespoongISCDNSDBArchitectureDemosRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIETheDomainNameSystem"TheDNSmapshostnamestoIPaddresses.
"Moregenerally,itmaps(key,type)tuplestoasetofunorderedvalues.
again,wecanthinkoftheDNSasbasicallyamulti-valuedistributedkey-valuestore.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClients,caches,contentClientsrequestfullresolutionservicefromcaches.
CachesmakezeroormoreinquiriestoDNScontentserversonbehalfofclients.
Resultsarecachedforalimitedtimetoservefutureclientrequests.
ContentnameserversserveDNSrecordsforzonesthathavebeendelegatedtothem.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClient-serverandinter-serverDNSprotocolsTheDNSisactuallytwodierentprotocolsthatshareacommonwireformat.
Theclient-to-serverprotocolspokenbetweenclientsandcaches.
Theinter-serverprotocolspokenbetweencachesandcontentservers.
PassiveDNSfocusesonthelatter.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSPassiveDNSreplicationisatechnologyinventedin2004byFlorianWeimer.
Manyuses!
Malware,e-crime,legitimateInternetservicesallusetheDNS.
Inter-serverDNSmessagesarecapturedbysensorsandforwardedtoacollectionpointforanalysis.
Afterbeingprocessed,individualDNSrecordsarestoredinadatabase.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSdeploymentsFlorianWeimer'soriginaldnslogger,rstatRUS-CERT,thenatBFK.
de(2004–).
BojanZdrnja'sdnsparse(2006–).
ISC'sSecurityInformationExchange(2007–).
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEISCSecurityInformationExchangeSIEisadistributionnetworkfordierenttypesofsecuritydata.
OneofthosetypesofdataispassiveDNS.
SensoroperatorsuploadbatchesofdatatoSIE.
DataisbroadcastontoprivateVLANs.
NMSGformatisusedtoencapsulatedata.
HasanumberoffeatureswhichmakeitveryusefulforstoringpassiveDNSdata,butwon'tbecoveredfurther.
SeeourGoogleTechTalkformoreinformation:http://www.
isc.
org/community/presentations/video.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningDNSSecurityIssuesPassiveDNScapturesbothsignedandunsigneddata,soDNSSECcannothelpus.
WhatsecurityissuesarethereintheDNSthatarerelevanttopassiveDNSKashpurepoisoningKaminskypoisoning(Actually,justresponsespoongingeneral.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningKashpurepoisoningisthenamegiventoaparticulartypeofDNScachepoisoning.
Theattackerrunsacontentnameserver.
Aclientisenticedtolookupadomainnameundertheattacker'scontrol.
Thecachecontactstheattacker'snameserver.
Theattacker'snameserverprovidesextrarecordstothecache.
Theextrarecordsareinsertedintothecacheinsteadofbeingdiscarded.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurehardening1997:EugeneKashpurehijackstheInterNICwebsite.
BIND4.
9.
6and8.
1.
1introducehardeningagainstKashpurepoisoning.
RFC2181ispublished.
See§5.
4.
1"Rankingdata"fordetails.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningLackofentropy2000:DJBobservesthatamaximumofonlyabout31-32bitsofentropycanprotectaUDPDNSquery.
OtherDNSimplementationsslowtoadoptSPR.
32bitsofentropyparticularlyweakforasessionIDduetothebirthdayattackproblem.
NewerprotocolsusecryptographicallysecuresessionIDswith64,128,ormorebits.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKaminskypoisoning2008:DanKaminskynoticesthattheTTLcanbebypassed.
Coordinated,multi-vendorpatchesarereleasedtoimplementsourceportrandomization.
SPRmakesKaminskyattacksharder,butnotimpossible.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageRelevancetopassiveDNSWeimer's2005papernotesseveralproblemswithverifyingpassiveDNSdata.
KashpureandKaminskypoisoningof"activeDNS"haveanaloguesinpassiveDNS.
PassiveDNSsensorscan'tseetheDNScache's"bailiwick",leadingtorecordinjection.
Spoofedresponsesaretreatedjustlikenormalresponses.
AsinglespoofedresponsecanpoisonthepassiveDNSdatabase!
Goal:makepassiveDNSatleastasreliableasactiveDNS.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingthecapturestageagainstresponsespoongCapturebothqueriesandresponses.
Correlateresponseswithpreviouslyseenqueries.
TheDNSmessage9-tuple:1.
InitiatorIPaddress2.
Initiatorport3.
TargetIPaddress4.
Targetport5.
Internetprotocol6.
DNSID7.
Queryname8.
Querytype9.
QueryclassRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagenmsg/dnsqrdnsqrisamessagemoduleforISC'slibnmsgspecicallydesignedforpassiveDNScapture.
UDPDNStransactionsareclassiedintothreecategories:1.
UDPQUERYRESPONSE2.
UDPUNANSWEREDQUERY3.
UDPUNSOLICITEDRESPONSEPerformsIPreassembly,too!
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingtheanalysisstageagainstrecordinjectionCachesinternallyassociatea"bailiwick"witheachoutgoingquery.
Thecacheknowswhatbailiwicktouse,becauseitknowswhyit'ssendingaparticularquery.
Wehavetocalculatethebailiwickourselves.
Protectionagainstrecordinjectionrequiresprotectionagainstspoofedresponses.
(Otherwise,anattackercouldjustspooftherecordandthesourceIPaddressofanin-bailiwicknameserver.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmMustoperatecompletelypassively.
Mustprovideabooleantrueorfalseforeachrecord.
"Foreachrecordname,istheresponseIPaddressanameserverforthezonethatcontainsorcancontainthisname"Example:rootnameserverscanassertknowledgeaboutanyname!
Example:Verisign'sgtldserverscanassertknowledgeaboutanydomainnameendingin.
comor.
net.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmInitializebailiwickcachewithacopyoftherootzone.
CachestartsowithknowledgeofwhichserversservetherootandTLDs.
Findallpotentialzonesthatanamecouldbelocatedin.
Checkwhetheranyofthenameserversforthosezonesarethenameserverthatsenttheresponse.
EachtimeanNS,A,orAAAArecordisveriedbythealgorithm,itisinsertedintothebailiwickcache.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:example.
com.
Server:192.
5.
6.
30Potentialzones:example.
com.
com.
.
Zonesinbailiwickcache:com.
.
Check:example.
com.
/NSNotfound.
Check:com.
/NSFound13nameservers.
Check:areanyofthem192.
5.
6.
30Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexamplecom.
INNSa.
gtldservers.
net.
a.
gtldservers.
net.
INA192.
5.
6.
30RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;ADDITIONALSECTION:a.
ianaservers.
net.
172800INA192.
0.
34.
43b.
ianaservers.
net.
172800INA193.
0.
0.
236;;SERVER:192.
5.
6.
30#53(192.
5.
6.
30)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;ANSWERSECTION:www.
example.
com.
172800INA192.
0.
32.
10;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;SERVER:192.
0.
34.
43#53(192.
0.
34.
43)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:www.
example.
com.
Server:192.
0.
34.
43Potentialzones:www.
example.
com.
example.
com.
com.
.
Zonesinbailiwickcache:example.
com.
com.
.
Check:www.
example.
com.
/NSNotfound.
Check:example.
com.
/NSFound2nameservers.
Check:areanyofthem192.
0.
34.
43Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDNSDBDNSDBisadatabaseforstoringDNSrecords.
DataisloadedfrompassiveDNSandzoneles.
IndividualDNSrecordsarestoredinanApacheCassandradatabase.
Oerskey-valuestoredistributedacrossmultiplemachines.
GoodtforDNSdata.
Sustainsextremelyhighwritethroughputbecauseallwritesaresequential.
OersaRESTfulHTTPAPIandwebsearchinterface.
Databasecurrentlyconsumesabout500GBoutof27TB.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesArchitectureComponentsDatasourcesnmsg-dns-cacheDNSTLDzones(FTPviaZFAprograms):com,net,org,etc.
DNSzones(standardAXFR/IXFRprotocol)DataloadersDeduplicatedpassiveDNSZoneledataRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:nmsg-dns-cacheReadsrawDNSresponsesfrompassiveDNS.
ParseseachDNSmessageintoindividualDNSRRsets.
Seriesofltersreducethetotalamountofdatabyabout50%.
RRsetsaretheninsertedintoanin-memorycache.
CacheisexpiredinFIFOorder.
WhenRRsetsexpirefromthecache,theyformthenalnmsg-dns-cacheoutput.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:zonelesgTLDZoneFileAccessprograms:com,net,org,info,biz,nameAXFR'dzones:isc.
org,afewother"test"zones.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesExample#1:*.
google.
comRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardening
- features免费dns相关文档
- IP免费dns
- disrupt免费dns
- 支持免费dns
- Users免费dns
- 域名免费dns
- drop免费dns
特网云,美国独立物理服务器 Atom d525 4G 100M 40G防御 280元/月 香港站群 E3-1200V2 8G 10M 1500元/月
特网云为您提供高速、稳定、安全、弹性的云计算服务计算、存储、监控、安全,完善的云产品满足您的一切所需,深耕云计算领域10余年;我们拥有前沿的核心技术,始终致力于为政府机构、企业组织和个人开发者提供稳定、安全、可靠、高性价比的云计算产品与服务。公司名:珠海市特网科技有限公司官方网站:https://www.56dr.com特网云为您提供高速、稳定、安全、弹性的云计算服务 计算、存储、监控、安全,完善...
提速啦(900元/月),杭州BGP E5-2665/89*2 32核 48G 100G防御
提速啦的来历提速啦是 网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑提速啦的市场定位提速啦主要代理市场稳定速度的云服务器产品,避免新手购买云服务器的时候众多商家不知道如何选择,妮妮云就帮你选择好了产品,无需承担购买风险,不用担心出现被跑路 被诈骗的情况。提速啦的售后保证提速啦退款 通过于合作商的友好协商,云服务器提供3天内全额退款,超过3天不退款 物理机部分支持当天全额退款提速啦提现 充...
pacificrack:VPS降价,SSD价格下降
之前几个月由于CHIA挖矿导致全球固态硬盘的价格疯涨,如今硬盘挖矿基本上已死,硬盘的价格基本上恢复到常规价位,所以,pacificrack决定对全系Cloud server进行价格调整,降幅较大,“如果您是老用户,请通过续费管理或升级套餐,获取同步到最新的定价”。官方网站:https://pacificrack.com支持PayPal、支付宝等方式付款VPS特征:基于KVM虚拟,纯SSD raid...
免费dns为你推荐
-
常回家snsoutlookexpress系统自带的outlook express有什么用?怎么用?360arp防火墙在哪谁知道360防火墙的arp防火墙文件在哪正大天地网二三线城市适合做生鲜b2b电商吗中国保健养猪网最具权威的养猪信息网站是哪个 啊灌水机什么是论坛灌水机?在哪里可以下载到呢?开源网店系统国内有哪些好的java开源电子商城系统社区动力我是一名新入职社区员工,怎样做好社区工作?建站之星突唯阿和建站之星等有什么区别?财务单据出纳要用什么单据?