features免费dns
免费dns 时间:2021-04-20 阅读:(
)
IntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBPassiveDNSHardeningRobertEdmondsInternetSystemsConsortium,Inc.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEStructureofthistalkIntroductionDNSPassiveDNSISCSIEDNSsecurityissuesKashpurepoisoningKaminskypoisoningPassiveDNSsecurityissuesRecordinjectionResponsespoongISCDNSDBArchitectureDemosRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIETheDomainNameSystem"TheDNSmapshostnamestoIPaddresses.
"Moregenerally,itmaps(key,type)tuplestoasetofunorderedvalues.
again,wecanthinkoftheDNSasbasicallyamulti-valuedistributedkey-valuestore.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClients,caches,contentClientsrequestfullresolutionservicefromcaches.
CachesmakezeroormoreinquiriestoDNScontentserversonbehalfofclients.
Resultsarecachedforalimitedtimetoservefutureclientrequests.
ContentnameserversserveDNSrecordsforzonesthathavebeendelegatedtothem.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClient-serverandinter-serverDNSprotocolsTheDNSisactuallytwodierentprotocolsthatshareacommonwireformat.
Theclient-to-serverprotocolspokenbetweenclientsandcaches.
Theinter-serverprotocolspokenbetweencachesandcontentservers.
PassiveDNSfocusesonthelatter.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSPassiveDNSreplicationisatechnologyinventedin2004byFlorianWeimer.
Manyuses!
Malware,e-crime,legitimateInternetservicesallusetheDNS.
Inter-serverDNSmessagesarecapturedbysensorsandforwardedtoacollectionpointforanalysis.
Afterbeingprocessed,individualDNSrecordsarestoredinadatabase.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSdeploymentsFlorianWeimer'soriginaldnslogger,rstatRUS-CERT,thenatBFK.
de(2004–).
BojanZdrnja'sdnsparse(2006–).
ISC'sSecurityInformationExchange(2007–).
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEISCSecurityInformationExchangeSIEisadistributionnetworkfordierenttypesofsecuritydata.
OneofthosetypesofdataispassiveDNS.
SensoroperatorsuploadbatchesofdatatoSIE.
DataisbroadcastontoprivateVLANs.
NMSGformatisusedtoencapsulatedata.
HasanumberoffeatureswhichmakeitveryusefulforstoringpassiveDNSdata,butwon'tbecoveredfurther.
SeeourGoogleTechTalkformoreinformation:http://www.
isc.
org/community/presentations/video.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningDNSSecurityIssuesPassiveDNScapturesbothsignedandunsigneddata,soDNSSECcannothelpus.
WhatsecurityissuesarethereintheDNSthatarerelevanttopassiveDNSKashpurepoisoningKaminskypoisoning(Actually,justresponsespoongingeneral.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningKashpurepoisoningisthenamegiventoaparticulartypeofDNScachepoisoning.
Theattackerrunsacontentnameserver.
Aclientisenticedtolookupadomainnameundertheattacker'scontrol.
Thecachecontactstheattacker'snameserver.
Theattacker'snameserverprovidesextrarecordstothecache.
Theextrarecordsareinsertedintothecacheinsteadofbeingdiscarded.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurehardening1997:EugeneKashpurehijackstheInterNICwebsite.
BIND4.
9.
6and8.
1.
1introducehardeningagainstKashpurepoisoning.
RFC2181ispublished.
See§5.
4.
1"Rankingdata"fordetails.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningLackofentropy2000:DJBobservesthatamaximumofonlyabout31-32bitsofentropycanprotectaUDPDNSquery.
OtherDNSimplementationsslowtoadoptSPR.
32bitsofentropyparticularlyweakforasessionIDduetothebirthdayattackproblem.
NewerprotocolsusecryptographicallysecuresessionIDswith64,128,ormorebits.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKaminskypoisoning2008:DanKaminskynoticesthattheTTLcanbebypassed.
Coordinated,multi-vendorpatchesarereleasedtoimplementsourceportrandomization.
SPRmakesKaminskyattacksharder,butnotimpossible.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageRelevancetopassiveDNSWeimer's2005papernotesseveralproblemswithverifyingpassiveDNSdata.
KashpureandKaminskypoisoningof"activeDNS"haveanaloguesinpassiveDNS.
PassiveDNSsensorscan'tseetheDNScache's"bailiwick",leadingtorecordinjection.
Spoofedresponsesaretreatedjustlikenormalresponses.
AsinglespoofedresponsecanpoisonthepassiveDNSdatabase!
Goal:makepassiveDNSatleastasreliableasactiveDNS.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingthecapturestageagainstresponsespoongCapturebothqueriesandresponses.
Correlateresponseswithpreviouslyseenqueries.
TheDNSmessage9-tuple:1.
InitiatorIPaddress2.
Initiatorport3.
TargetIPaddress4.
Targetport5.
Internetprotocol6.
DNSID7.
Queryname8.
Querytype9.
QueryclassRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagenmsg/dnsqrdnsqrisamessagemoduleforISC'slibnmsgspecicallydesignedforpassiveDNScapture.
UDPDNStransactionsareclassiedintothreecategories:1.
UDPQUERYRESPONSE2.
UDPUNANSWEREDQUERY3.
UDPUNSOLICITEDRESPONSEPerformsIPreassembly,too!
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingtheanalysisstageagainstrecordinjectionCachesinternallyassociatea"bailiwick"witheachoutgoingquery.
Thecacheknowswhatbailiwicktouse,becauseitknowswhyit'ssendingaparticularquery.
Wehavetocalculatethebailiwickourselves.
Protectionagainstrecordinjectionrequiresprotectionagainstspoofedresponses.
(Otherwise,anattackercouldjustspooftherecordandthesourceIPaddressofanin-bailiwicknameserver.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmMustoperatecompletelypassively.
Mustprovideabooleantrueorfalseforeachrecord.
"Foreachrecordname,istheresponseIPaddressanameserverforthezonethatcontainsorcancontainthisname"Example:rootnameserverscanassertknowledgeaboutanyname!
Example:Verisign'sgtldserverscanassertknowledgeaboutanydomainnameendingin.
comor.
net.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmInitializebailiwickcachewithacopyoftherootzone.
CachestartsowithknowledgeofwhichserversservetherootandTLDs.
Findallpotentialzonesthatanamecouldbelocatedin.
Checkwhetheranyofthenameserversforthosezonesarethenameserverthatsenttheresponse.
EachtimeanNS,A,orAAAArecordisveriedbythealgorithm,itisinsertedintothebailiwickcache.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:example.
com.
Server:192.
5.
6.
30Potentialzones:example.
com.
com.
.
Zonesinbailiwickcache:com.
.
Check:example.
com.
/NSNotfound.
Check:com.
/NSFound13nameservers.
Check:areanyofthem192.
5.
6.
30Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexamplecom.
INNSa.
gtldservers.
net.
a.
gtldservers.
net.
INA192.
5.
6.
30RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;ADDITIONALSECTION:a.
ianaservers.
net.
172800INA192.
0.
34.
43b.
ianaservers.
net.
172800INA193.
0.
0.
236;;SERVER:192.
5.
6.
30#53(192.
5.
6.
30)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;ANSWERSECTION:www.
example.
com.
172800INA192.
0.
32.
10;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;SERVER:192.
0.
34.
43#53(192.
0.
34.
43)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:www.
example.
com.
Server:192.
0.
34.
43Potentialzones:www.
example.
com.
example.
com.
com.
.
Zonesinbailiwickcache:example.
com.
com.
.
Check:www.
example.
com.
/NSNotfound.
Check:example.
com.
/NSFound2nameservers.
Check:areanyofthem192.
0.
34.
43Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDNSDBDNSDBisadatabaseforstoringDNSrecords.
DataisloadedfrompassiveDNSandzoneles.
IndividualDNSrecordsarestoredinanApacheCassandradatabase.
Oerskey-valuestoredistributedacrossmultiplemachines.
GoodtforDNSdata.
Sustainsextremelyhighwritethroughputbecauseallwritesaresequential.
OersaRESTfulHTTPAPIandwebsearchinterface.
Databasecurrentlyconsumesabout500GBoutof27TB.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesArchitectureComponentsDatasourcesnmsg-dns-cacheDNSTLDzones(FTPviaZFAprograms):com,net,org,etc.
DNSzones(standardAXFR/IXFRprotocol)DataloadersDeduplicatedpassiveDNSZoneledataRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:nmsg-dns-cacheReadsrawDNSresponsesfrompassiveDNS.
ParseseachDNSmessageintoindividualDNSRRsets.
Seriesofltersreducethetotalamountofdatabyabout50%.
RRsetsaretheninsertedintoanin-memorycache.
CacheisexpiredinFIFOorder.
WhenRRsetsexpirefromthecache,theyformthenalnmsg-dns-cacheoutput.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:zonelesgTLDZoneFileAccessprograms:com,net,org,info,biz,nameAXFR'dzones:isc.
org,afewother"test"zones.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesExample#1:*.
google.
comRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardening
官方网站:点击访问青云互联活动官网优惠码:终身88折扣优惠码:WN789-2021香港测试IP:154.196.254美国测试IP:243.164.1活动方案:用户购买任意全区域云服务器月付以上享受免费更换IP服务;限美国区域云服务器凡是购买均可以提交工单定制天机防火墙高防御保护端口以及保护模式;香港区域购买季度、半年付、年付周期均可免费申请额外1IP;使用优惠码购买后续费周期终身同活动价,价格不...
美得云怎么样?美得云好不好?美得云是第一次来推广软文,老板人脾气特别好,能感觉出来会用心对待用户。美得云这次为大家提供了几款性价比十分高的产品,美国cera 2核4G 15元/月 香港1核 1G 3M独享 15元/月,并且还提供了免费空间给大家使用。嘻嘻 我也打算去白嫖一个空间了。新用户注册福利-8折优惠码:H2dmBKbF 截止2021.10.1结束。KVM架构,99.99%高可用性,依托BGP...
青果云香港CN2_GIA主机测评青果云香港多线BGP网络,接入电信CN2 GIA等优质链路,测试IP:45.251.136.1青果网络QG.NET是一家高效多云管理服务商,拥有工信部颁发的全网云计算/CDN/IDC/ISP/IP-VPN等多项资质,是CNNIC/APNIC联盟的成员之一。青果云香港CN2_GIA主机性能分享下面和大家分享下。官方网站:点击进入CPU内存系统盘数据盘宽带ip价格购买地...
免费dns为你推荐
操作http163yeahyeah邮箱和163邮箱的区别在哪里 那个好用特朗普吐槽iPhone华为余承东吐槽iPhone X,除了贵啥优点都没有flashfxp下载怎么用flashFXP下载空间内容tumblr上不去为什么,爱看软件打不开?页面一直在加载即时通EC营销即时通是什么?做什么的?什么是通配符什么是介母什么是seo学习SEO的好处是什么?kingcmsKingCMS 开始该则呢么设置呢?discuz7.0安装discuz出现Discuz! Database Error (0) notconnect 怎么办?
大连虚拟主机 greengeeks ftp空间 payoneer 免费个人博客 web服务器架设软件 html空间 嘉洲服务器 php空间申请 世界测速 福建铁通 国外免费asp空间 免费私人服务器 双线机房 外贸空间 网站防护 石家庄服务器 cdn加速 什么是dns cc加速器 更多