###### tags: `finished`
:::success
# CIA Lab 4 - DNS Security Extensions (DNSSec) and DNS-over-HTTPS (DoH)
**Name: Fige Polina**
:::
## Task 1 - DNS Insecurity
:::info
In what context was the DNS cache poisoning attack discovered? (Who, when, why)
:::
The underlying flaw, a practical way to poison a recursive resolver's cache by winning the race against the legitimate answer, was found by Dan Kaminsky and fixed in a coordinated multi-vendor patch in July 2008. The first in-the-wild exploitation was reported at the end of July 2008 against AT&T caching servers: the attackers replaced the cache entry for www.google.com with a web page that loaded ads hidden inside an iframe, so the motive was most likely ad-fraud profit.
:::info
How does this attack work and how to prevent it?
:::
The attack targets caching name servers. A cache serves repeat queries without re-checking upstream, because that is much faster, and an entry stays in the cache until its TTL expires or it is flushed by hand. Whoever manages to insert a bogus record is therefore believed for the whole TTL, and in a forged reply the attacker picks the TTL themselves: 86,400 seconds (a day) or more, unless the resolver caps it with a maximum cache TTL. Classic DNS only checks that a reply's 16-bit transaction ID and destination UDP port match an outstanding query, so an attacker who can trigger a query and flood forged replies just has to guess those values before the real answer arrives. Kaminsky's 2008 variant made this practical: each query for a random sub-name (`abc123.example.com`) is a fresh chance to guess, and the forged reply carries the poison in the authority and additional sections (an NS record for the domain plus glue pointing at the attacker), so one success hijacks the whole domain.
Prevention: randomize the UDP source port as well as the transaction ID (roughly 2^32 guesses instead of 2^16), drop records in a reply that are outside the bailiwick of the zone being asked, cap cached TTLs, and deploy DNSSEC, which digitally signs the zone data so that a forged record fails validation regardless of whether the attacker wins the race; DNSSEC only partially solves the problem, since unsigned zones and non-validating resolvers remain exposed.
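To make the race concrete, the following toy model is an added example for this write-up (editor's code, not a real resolver and not from the lab materials). It implements only the reply-acceptance checks discussed above; `random_ports` and `bailiwick_check` switch the post-2008 fixes on and off, and every name, port and IP address is constructed.

```python
"""Toy caching resolver showing why blind cache poisoning worked in 2008 and
which checks stop it. Added illustration for the lab write-up, not code from
the page or from any real resolver; all names, ports and IPs are constructed."""
import random
from dataclasses import dataclass, field


@dataclass
class Reply:
    txid: int            # 16-bit transaction ID the forger has to guess
    dst_port: int        # must equal the UDP source port the resolver used
    qname: str           # question echoed back in the reply
    records: dict        # owner name -> (ip, ttl); attacker-chosen in a forgery


@dataclass
class Resolver:
    """random_ports / bailiwick_check model the two fixes rolled out after
    Kaminsky's disclosure; max_cache_ttl caps attacker-chosen TTLs."""
    random_ports: bool = True
    bailiwick_check: bool = True
    max_cache_ttl: int = 86400
    cache: dict = field(default_factory=dict)     # name -> (ip, expires_at)
    pending: dict = field(default_factory=dict)   # (txid, port) -> (qname, zone)
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def send_query(self, qname, zone):
        """Emit a query for qname to the servers of zone; return (txid, port)."""
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 65536) if self.random_ports else 53000
        self.pending[(txid, port)] = (qname, zone)
        return txid, port

    @staticmethod
    def in_bailiwick(name, zone):
        return name == zone or name.endswith("." + zone)

    def receive(self, reply, now=0.0):
        """Accept a reply only if it matches an outstanding query; True if cached."""
        key = (reply.txid, reply.dst_port)
        if key not in self.pending or self.pending[key][0] != reply.qname:
            return False                          # wrong TXID, port or question: drop
        zone = self.pending.pop(key)[1]
        for name, (ip, ttl) in reply.records.items():
            if self.bailiwick_check and not self.in_bailiwick(name, zone):
                continue                          # data for other zones is not cached
            self.cache[name] = (ip, now + min(ttl, self.max_cache_ttl))
        return True

    def lookup(self, name, now=0.0):
        ip, expires = self.cache.get(name, (None, 0))
        return ip if now < expires else None


def blind_attack(resolver, qname, zone, guesses):
    """Attacker triggers a query for a name under its own zone, then floods
    forged replies for every (txid, port) guess, smuggling a record for
    www.google.com with a week-long TTL alongside the expected answer.
    Returns True as soon as the resolver accepts one forgery."""
    resolver.send_query(qname, zone)
    for txid, port in guesses:
        forged = Reply(txid, port, qname,
                       {qname: ("203.0.113.66", 60),
                        "www.google.com": ("203.0.113.66", 604800)})
        if resolver.receive(forged):
            return True
    return False
```

With a fixed source port the attacker only has to walk the 65,536 transaction IDs; with the bailiwick check on, the forged answer for the attacker's own name is still cached, but the smuggled www.google.com record is discarded, and the TTL cap keeps even an accepted forgery from living a week.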
:::info
What is DNS spoofing and what tools can be used to integrate this attack?
:::
DNS spoofing is the same family of attacks as DNS cache poisoning: forged replies are injected so that the victim resolves a name to an attacker-controlled address, either by answering faster than the real server on the local network or by poisoning a cache. Tools: the PytheM framework (available among the Kali Linux tools) has a DNS spoofing module; `dnsspoof` from the dsniff suite and the DNS spoofing plugins of ettercap and bettercap do the same on a LAN.
:::info
What does a validating resolver do? What is the difference between island-of-trust versus full-chain-of-trust?
:::
A validating resolver sends its recursive queries with the EDNS DO bit set, so it receives the RRSIG, DNSKEY and DS records along with the data, and then checks the signatures itself: each RRset's RRSIG must verify under a DNSKEY of the zone, that DNSKEY RRset must be signed by the KSK whose hash the parent publishes as a DS record, and so on up to a configured trust anchor. Only answers that pass get the AD flag; answers that fail are returned as SERVFAIL.
With a full chain of trust the only configured anchor is the root KSK, and every signed zone is reached by following DS records down from the root (root → ru → sne21.ru → st7.sne21.ru). An island of trust is a zone whose parent does not (or did not yet) publish a DS record for it: the resolver can validate it only if the zone's own key is configured locally as a trust anchor (historically via DLV or manually distributed keys). That was the normal state before the root zone was signed in 2010, and it scales badly, because every island needs its own anchor that has to be updated by hand whenever that key is rolled.
:::info
Does DoH substitute DNSSec or complement it? What are the differences between them?
:::
DNS over HTTPS is ordinary DNS carried inside HTTPS, so the queries and answers between a client and its resolver are encrypted and authenticated on the wire instead of being sent in plain text.
DNSSEC is an extension of the data rather than the transport: zones sign their records, so whoever validates the answer (the resolver, or the client itself) can establish a chain of trust and be sure the response came from the zone owner and was not altered. Neither replaces the other: DoH stops an on-path attacker from reading or rewriting traffic to the resolver but says nothing about whether the resolver's data is genuine, while DNSSEC proves the data is genuine but is sent in the clear and does not stop a spoofer from winning a race against an unvalidated answer. Thus they complement each other, and a DoH resolver should itself be a validating one.
:::info
What do you think about DoH vs DoT vs DNSCrypt?
:::
DoH and DoT have the same goal, encrypting the client-to-resolver path with TLS, but differ in framing: DoT (RFC 7858) runs DNS directly over TLS on TCP port 853 (transport layer), while DoH (RFC 8484) wraps DNS messages in HTTP/2 on port 443 (application layer). In practice that means DoH traffic is indistinguishable from web traffic and hard to block, whereas DoT is easy to identify and filter on its dedicated port. DNSCrypt is an older, non-IETF protocol with its own key exchange and message format; it commonly also listens on port 443 (UDP and TCP), so it cannot share a plain DoH listener, which is why it is usually run on a separate server or behind a front end such as dnsdist that speaks all three.
I cannot say that one of these protocols is better than the other, because their choice depends on the current situation that requires a solution.
## Task 2 - Validating Resolver
<center>

Figure 1 - DNSSec activation and Confirmation
</center>
It is all about the flags in the response header. **AD (Authentic Data)**, set by a validating resolver, means the resolver verified the DNSSEC chain of trust for the answer; adding `+dnssec` also shows the RRSIGs. `+trace` walks the delegation path from the root (and in `dig` it turns on `+dnssec`, so the DS and RRSIG records at each step are visible) but it does not verify the signatures itself; `drill -S` (signature chase) or `drill -TD` does that explicitly. To tell a validation failure from an outage, repeat the query with `+cd`: if the answer comes back only with checking disabled, the data failed validation.
:::info
How does dig or drill show whether DNSSec full-chain-of-trust validation was successful or not?
:::
To do this, I used the `+trace` option:
<center>

Figure 2 - DNSSec verification
</center>
:::info
Where does BIND or Unbound store the DNSSec root key?
:::
<center>

Figure 3 - DNSSec root key

Figure 4 - Unbound ships a utility (`unbound-anchor`) that downloads and verifies the proper trust anchor
</center>
## Task 3 - Secure Zone
We need the `ldnsutils` package. Then we create two keys, a Zone Signing Key (ZSK) and a Key Signing Key (KSK); `-k` marks the key as a KSK (it sets the SEP bit, so the flags field is 257 instead of 256):
```
cd /etc/nsd
ldns-keygen -r /dev/urandom -a ECDSAP256SHA256 st7.sne21.ru
ldns-keygen -r /dev/urandom -a ECDSAP256SHA256 -k st7.sne21.ru
```
<center>

Figure 5 - ZSK & KSK
</center>
I signed my zone with `ldns-signzone`, passing both keys by their base names (the `K<zone>.+013+<keytag>` prefix printed by `ldns-keygen`); it writes `st7.signed`. Afterwards, validate all the signatures in the zone:
```
ldns-verify-zone st7.signed
```
<center>

Figure 6 - Validation

Figure 7 - DS-record

Figure 8 - Add st7.signed in NSD
</center>
:::info
What is the difference between Key-Signing Key (KSK) and Zone-Signing Key (ZSK)?
:::
Key-Signing Key (KSK): signs only the DNSKEY RRset. It is the long-lived key whose hash is published in the parent zone as the DS record (flags 257, SEP bit set).
Zone-Signing Key (ZSK): signs every other RRset in the zone. It is shorter-lived and can be rolled without touching the parent (flags 256).
The role of the KSK is to vouch for the ZSK and to anchor the zone in the chain of trust: a validator checks the parent's DS against the KSK, checks the KSK's signature over the DNSKEY RRset, and then trusts the ZSK that signed the rest of the zone, in much the same way the ZSK vouches for the RRsets. Splitting the roles lets the frequently rolled key stay small and local, while the rarely rolled key is the only one whose change involves the registrar.
<center>

Picture 9 - Does the parent zone provide secure delegation? Yes: the parent publishes a DS record for the KSK, and a validating resolver answers with the **ad** flag set
</center>
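The link between the KSK and the parent's DS record is a plain hash computation, so it is worth checking by hand rather than trusting the registrar's form. The following added example (editor's code for this write-up, not ldns's own) computes the key tag that `ldns-keygen` puts in the file name and the DS RDATA per RFC 4034, and checks a DS line against a DNSKEY; the "public keys" are constructed 64-byte stand-ins, not real keys, and only SHA-256 digests (type 2) are handled.

```python
"""Compute the DS record for a KSK and check a parent's DS against the child's
DNSKEY (RFC 4034 section 5.1.4 and Appendix B). Added example for this
write-up; it is not ldns code. The key material below is constructed bytes,
not a real key, and the zone name is the lab's st7.sne21.ru."""
import hashlib
import struct

ZSK_FLAGS, KSK_FLAGS = 256, 257              # KSK = zone-key bit + SEP bit
ALG_ECDSAP256SHA256 = 13                     # what ldns-keygen -a ECDSAP256SHA256 produces
DIGEST_SHA256 = 2


def wire_name(name: str) -> bytes:
    """Canonical (lowercase, length-prefixed) wire form of an owner name."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split("."))
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: the 16-bit tag ldns prints in K<zone>.+013+<tag>."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, dnskey: bytes, digest_type: int = DIGEST_SHA256) -> bytes:
    """DS = keytag(2) | algorithm(1) | digest type(1) | hash(owner name | DNSKEY RDATA)."""
    if digest_type != DIGEST_SHA256:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    digest = hashlib.sha256(wire_name(owner) + dnskey).digest()
    return struct.pack("!HBB", key_tag(dnskey), dnskey[3], digest_type) + digest


def ds_text(owner: str, dnskey: bytes) -> str:
    """Presentation form, as you would paste it at the registrar."""
    ds = ds_rdata(owner, dnskey)
    tag, alg, dtype = struct.unpack("!HBB", ds[:4])
    return f"{owner.rstrip('.')}. IN DS {tag} {alg} {dtype} {ds[4:].hex().upper()}"


def ds_from_text(line: str) -> bytes:
    """Parse 'name [ttl] [IN] DS tag alg dtype hex...' back into RDATA."""
    tok = line.split()
    i = tok.index("DS")
    tag, alg, dtype = int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
    return struct.pack("!HBB", tag, alg, dtype) + bytes.fromhex("".join(tok[i + 4:]))


def verify_ds(owner: str, dnskey: bytes, ds: bytes) -> bool:
    """True iff the parent's DS was derived from this DNSKEY at this owner name.
    A validator does exactly this before trusting the KSK's signature over the
    DNSKEY RRset; a ZSK never matches because the DS does not point at it."""
    try:
        return ds == ds_rdata(owner, dnskey, ds[3])
    except ValueError:
        return False


ZONE = "st7.sne21.ru"
# Constructed 64-byte stand-ins for P-256 public keys (x||y); not real keys.
KSK = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256,
                   hashlib.sha256(b"ksk-x").digest() + hashlib.sha256(b"ksk-y").digest())
ZSK = dnskey_rdata(ZSK_FLAGS, ALG_ECDSAP256SHA256,
                   hashlib.sha256(b"zsk-x").digest() + hashlib.sha256(b"zsk-y").digest())

if __name__ == "__main__":
    print(ds_text(ZONE, KSK))
    parent_ds = ds_from_text(ds_text(ZONE, KSK))
    print("parent DS matches KSK:", verify_ds(ZONE, KSK, parent_ds))
    print("parent DS matches ZSK:", verify_ds(ZONE, ZSK, parent_ds))
```

Because the owner name is part of the digest, the same KSK published under a different name yields a different DS, and a DS for a digest type the validator does not support is simply unusable rather than accepted.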
## Task 4 - Key Rollovers
:::info
What are the options for doing a ZSK rollover? Choose one procedure and motivate your choice.
:::
RFC 6781 describes two methods for a ZSK rollover, pre-publication and double signature. I chose to pre-publish the new key: the zone is signed by only one ZSK at any time, so the zone and the responses keep their size instead of roughly doubling during the rollover. [RFC 6781 4.1.1.3](https://datatracker.ietf.org/doc/html/rfc6781#section-4.1.1.3) compares the pros and cons of each scheme.
:::info
How would you integrate this procedure with the tools for signing your zone? Which timers are important?
:::
I will use **certbot** from the Let's Encrypt certificate authority; it does a great job with a small amount of data.
Whatever tool re-signs the zone has to respect these timers: the new ZSK may only start signing after the DNSKEY RRset containing it has reached every cache (the DNSKEY TTL plus the time the zone takes to propagate to the secondary servers, i.e. the NOTIFY delay or, in the worst case, the SOA refresh and retry interval); the old ZSK may only be removed after every RRSIG it made has expired from caches (the maximum TTL in the zone plus the same propagation delay); and re-signing has to happen before the old signatures expire by at least that same margin, otherwise caches will serve expired signatures.
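The timers above can be turned into a concrete schedule. The following is an added example for this write-up (editor's code, not a signer's or certbot's): it derives the earliest safe time for each pre-publish step of RFC 6781 section 4.1.1.1 from the zone's own TTLs and SOA values, and checks whether a periodic re-signing job fits inside the signature validity window. The timer values in the demo are constructed, not the lab zone's.

```python
"""Timeline for a pre-publish ZSK rollover (RFC 6781 section 4.1.1.1) derived
from the zone's own timers. Added example for this write-up, not a signer
tool's code; the demo values are constructed, not the lab zone's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneTimers:
    dnskey_ttl: int        # TTL of the DNSKEY RRset
    max_zone_ttl: int      # largest TTL of any signed RRset in the zone
    soa_refresh: int       # secondaries poll the SOA this often (worst case without NOTIFY)
    soa_retry: int         # ...and retry this much later if a poll fails
    sig_validity: int      # RRSIG inception-to-expiration window used when signing


def propagation_delay(t: ZoneTimers) -> int:
    """Upper bound on how long a new zone version takes to reach all
    secondaries when NOTIFY is lost: one refresh interval plus one retry."""
    return t.soa_refresh + t.soa_retry


def prepublish_schedule(t: ZoneTimers, start: int = 0) -> dict:
    """Earliest safe time (seconds from `start`) for each rollover step.

    1. new DNSKEY: publish the new ZSK in the DNSKEY RRset, still signing with the old one.
    2. new RRSIGs: only once every cache may hold the new DNSKEY RRset (old DNSKEY
       TTL plus propagation), switch signing to the new ZSK.
    3. DNSKEY removal: only once every RRSIG made by the old key has expired from
       caches (largest zone TTL plus propagation), drop the old ZSK.
    """
    prop = propagation_delay(t)
    new_dnskey = start
    new_rrsigs = new_dnskey + t.dnskey_ttl + prop
    remove_old = new_rrsigs + t.max_zone_ttl + prop
    return {"new_dnskey": new_dnskey, "new_rrsigs": new_rrsigs, "dnskey_removal": remove_old}


def resign_deadline(t: ZoneTimers, signed_at: int) -> int:
    """Latest time the zone must be re-signed so that no cache ever serves an
    RRSIG that has already expired: expiration minus (max TTL + propagation)."""
    return signed_at + t.sig_validity - (t.max_zone_ttl + propagation_delay(t))


def signing_interval_ok(t: ZoneTimers, resign_every: int) -> bool:
    """A periodic signer (cron calling ldns-signzone, etc.) is safe only if
    its period fits inside the re-sign window."""
    return resign_every <= resign_deadline(t, 0)


if __name__ == "__main__":
    # Constructed example: 1h DNSKEY TTL, 1d max TTL, refresh 2h / retry 30m, 30-day signatures.
    timers = ZoneTimers(dnskey_ttl=3600, max_zone_ttl=86400,
                        soa_refresh=7200, soa_retry=1800, sig_validity=30 * 86400)
    for step, when in prepublish_schedule(timers).items():
        print(f"{step:15} at +{when:>7} s ({when / 3600:.1f} h)")
    print("weekly re-sign OK:", signing_interval_ok(timers, 7 * 86400))
```

The schedule is deliberately conservative: it uses refresh plus retry as the propagation bound, so it stays correct even if NOTIFY messages are lost, at the cost of a slower rollover.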
:::info
Can you use the same procedure for a KSK rollover?
:::
No. A KSK rollover also requires the parent to replace the DS record, so it is normally done with the double-signature method (both KSKs sign the DNSKEY RRset until the new DS has propagated, RFC 6781 4.1.2), and it is hard to automate fully.
:::info
What does this depend on?
:::
It depends on who controls the parent zone. Rolling the ZSK is internal to the zone, whereas changing the KSK requires updating the DS record in the parent, which in practice means interacting with the domain registrar (or publishing CDS/CDNSKEY records, RFC 7344, if the parent scans for them).
## Task 5 - DNS-over-HTTPS
:::info
1.For this step you probably will need to recompile and reinstall your server (unbound requires --with-libnghttp2 flag and BIND requires Development Release).
:::
Possibly, but I went through nginx instead. This needs a couple of additional modules: an HTTPS service and a Stream service, with JavaScript code in the NGINX JavaScript module (njs) translating between the two protocols (the HTTP server terminates the DoH request and hands the DNS message to the stream server, which forwards it to the real resolver).
```
sudo apt install git
git clone https://github.com/TuxInvader/nginx-dns.git
sudo cp -r ./nginx-dns/njs.d/* /etc/nginx
sudo vim /etc/nginx/sites-available/dns-doh
```
I have one extra "dog" address left, so I use it to get certificates from certbot:
<center>

Picture 11 - dns-doh config

Picture 12 - nginx config

Picture 13 - nginx config
</center>
`unknown directive "js_include"` - the packaged nginx was built without the njs module, so we solve this by rebuilding nginx with njs:
```
sudo apt-get install mercurial
hg clone http://hg.nginx.org/njs
```
<center>

Picture 14 - Adding a module

Picture 15 - Adding a module
</center>
Everything is then built with the `make` command. Before the new binary replaces the packaged one, the old binary is kept as a backup:
```
mv /usr/sbin/nginx /usr/sbin/nginx_back2
mv /usr/share/nginx/sbin/nginx /usr/sbin/nginx
```
<center>

Picture 16 - Running nginx
</center>
:::info
2.Also, you will need a certificate for your domain, you can use certbot to obtain it.
:::
<center>

Picture 17 - The work of certbot
</center>
:::info
3.Show configuration options that have to be tuned.
:::
The main configuration can be seen in the screenshots above. At this point I would like to say that, while configuring the modules, I did not always understand correctly where the files had to be moved or unpacked.
<center>

Picture 18 - Final location of modules and necessary files
</center>
:::info
4.Verify that DNS-over-HTTPS is working (Chrome and Firefox has support for it) by inspecting server incoming queries in the log
:::
To check, I pointed my browser's secure DNS setting at my own server: `chrome://settings/security?search=dns`
Then I opened the log under `/var/log/`; below you can see a DNS query arriving over HTTP/2.0.
<center>

Picture - Log entries
</center>
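The browser test shows that queries arrive, but not what they contain or whether the answers were validated. The following added example (editor's code for this write-up, not the nginx/njs gateway's code and not from the lab) builds a wire-format query with the DO bit, sends it with the RFC 8484 POST form, reads the AD flag from the answer header (the same flag discussed for `dig` in Task 2), and decodes the `?dns=` parameter of a DoH GET as it appears in the nginx access log, so the log reveals the queried name instead of an opaque blob. The endpoint URL is an assumption based on the lab host, and the log line in the usage section is constructed.

```python
"""Build a DNSSEC-aware query, send it over DoH (RFC 8484), read the AD flag
from the answer, and decode the `?dns=` parameter seen in the nginx access log.
Added example for this write-up (editor's code, not the nginx/njs gateway's).
DOH_URL is an assumption based on the lab host; sample log lines are constructed."""
import base64
import re
import struct
import urllib.request

DOH_URL = "https://st7.sne21.ru/dns-query"     # assumption: the lab's nginx DoH endpoint
QTYPE = {"A": 1, "AAAA": 28, "DS": 43, "RRSIG": 46, "DNSKEY": 48}
FLAG_RD, FLAG_AD, FLAG_CD, EDNS_DO = 0x0100, 0x0020, 0x0010, 0x8000


def wire_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(qname: str, qtype: str = "A", dnssec_ok: bool = True,
                check_disabled: bool = False) -> bytes:
    """Wire-format query. TXID 0 as RFC 8484 recommends for cacheable GETs; the
    OPT record carries the DO bit so RRSIGs come back and the resolver validates."""
    flags = FLAG_RD | (FLAG_CD if check_disabled else 0)
    header = struct.pack("!HHHHHH", 0, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    question = wire_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    # OPT RR: root name, type 41, "class" = UDP payload size, "TTL" = ext-rcode|version|flags
    opt = (b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)) if dnssec_ok else b""
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Header fields a client looks at to decide whether the answer was validated."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "answers": an}


def validation_status(msg: bytes) -> str:
    h = parse_header(msg)
    if h["rcode"] == 2:
        return "SERVFAIL (validation failure or outage; retry with CD to tell them apart)"
    return "secure (AD set)" if h["ad"] else "insecure or not validated (no AD)"


def parse_question(msg: bytes):
    """Return (qname, qtype) from the question section (never compressed)."""
    i, labels = 12, []
    while msg[i]:
        labels.append(msg[i + 1:i + 1 + msg[i]].decode("ascii"))
        i += 1 + msg[i]
    return ".".join(labels), struct.unpack("!H", msg[i + 1:i + 3])[0]


def doh_get_url(base: str, msg: bytes) -> str:
    """RFC 8484 GET form: base64url without padding in the `dns` parameter."""
    return base + "?dns=" + base64.urlsafe_b64encode(msg).decode().rstrip("=")


def doh_post(msg: bytes, url: str = DOH_URL) -> bytes:
    """Send the query with the POST form (needs network; not exercised offline)."""
    req = urllib.request.Request(url, data=msg, method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


LOG_RE = re.compile(r'"GET /dns-query\?dns=([A-Za-z0-9_-]+) HTTP/2\.0"')


def question_from_log_line(line: str):
    """Recover (qname, qtype) from an nginx access-log entry for a DoH GET."""
    m = LOG_RE.search(line)
    if not m:
        return None
    param = m.group(1)
    msg = base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))
    return parse_question(msg)


if __name__ == "__main__":
    q = build_query("st7.sne21.ru", "DNSKEY")
    print(doh_get_url(DOH_URL, q))
    print(validation_status(doh_post(q)))       # needs the DoH server reachable
```

POST bodies do not show up in the access log, so only GET queries can be decoded this way; browsers use POST by default, which is why the page's log shows the request line but not the name. Re-sending the same query with `check_disabled=True` is the DoH equivalent of `dig +cd`: an answer that appears only then failed validation rather than being unreachable.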
## References:
1. [First instance of new DNS exploit reported (2008)](https://gcn.com/articles/2008/07/31/first-instance-of-new-dns-exploit-reported.aspx)
2. [What is DNS cache poisoning?](https://www.cloudflare.com/learning/dns/dns-cache-poisoning/)
3. [Cloudflare about DNSSEC](https://www.cloudflare.com/learning/dns/dns-security/)
4. [Distributing Keys for DNSSEC](https://datatracker.ietf.org/doc/html/draft-laurie-dnssec-key-distribution)
5. [DNS-over-HTTPS in Unbound](https://blog.nlnetlabs.nl/dns-over-https-in-unbound/)
6. [Introducing DNSCrypt](https://www.opendns.com/about/innovations/dnscrypt/)
7. [DoH through NGINX](https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/)
8. [github:nginx-dns](https://github.com/TuxInvader/nginx-dns)