features免费dns
免费dns 时间:2021-04-20 阅读:()
IntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBPassiveDNSHardeningRobertEdmondsInternetSystemsConsortium,Inc.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEStructureofthistalkIntroductionDNSPassiveDNSISCSIEDNSsecurityissuesKashpurepoisoningKaminskypoisoningPassiveDNSsecurityissuesRecordinjectionResponsespoongISCDNSDBArchitectureDemosRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIETheDomainNameSystem"TheDNSmapshostnamestoIPaddresses.
"Moregenerally,itmaps(key,type)tuplestoasetofunorderedvalues.
again,wecanthinkoftheDNSasbasicallyamulti-valuedistributedkey-valuestore.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClients,caches,contentClientsrequestfullresolutionservicefromcaches.
CachesmakezeroormoreinquiriestoDNScontentserversonbehalfofclients.
Resultsarecachedforalimitedtimetoservefutureclientrequests.
ContentnameserversserveDNSrecordsforzonesthathavebeendelegatedtothem.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClient-serverandinter-serverDNSprotocolsTheDNSisactuallytwodierentprotocolsthatshareacommonwireformat.
Theclient-to-serverprotocolspokenbetweenclientsandcaches.
Theinter-serverprotocolspokenbetweencachesandcontentservers.
PassiveDNSfocusesonthelatter.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSPassiveDNSreplicationisatechnologyinventedin2004byFlorianWeimer.
Manyuses!
Malware,e-crime,legitimateInternetservicesallusetheDNS.
Inter-serverDNSmessagesarecapturedbysensorsandforwardedtoacollectionpointforanalysis.
Afterbeingprocessed,individualDNSrecordsarestoredinadatabase.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSdeploymentsFlorianWeimer'soriginaldnslogger,rstatRUS-CERT,thenatBFK.
de(2004–).
BojanZdrnja'sdnsparse(2006–).
ISC'sSecurityInformationExchange(2007–).
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEISCSecurityInformationExchangeSIEisadistributionnetworkfordierenttypesofsecuritydata.
OneofthosetypesofdataispassiveDNS.
SensoroperatorsuploadbatchesofdatatoSIE.
DataisbroadcastontoprivateVLANs.
NMSGformatisusedtoencapsulatedata.
HasanumberoffeatureswhichmakeitveryusefulforstoringpassiveDNSdata,butwon'tbecoveredfurther.
SeeourGoogleTechTalkformoreinformation:http://www.
isc.
org/community/presentations/video.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningDNSSecurityIssuesPassiveDNScapturesbothsignedandunsigneddata,soDNSSECcannothelpus.
WhatsecurityissuesarethereintheDNSthatarerelevanttopassiveDNSKashpurepoisoningKaminskypoisoning(Actually,justresponsespoongingeneral.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningKashpurepoisoningisthenamegiventoaparticulartypeofDNScachepoisoning.
Theattackerrunsacontentnameserver.
Aclientisenticedtolookupadomainnameundertheattacker'scontrol.
Thecachecontactstheattacker'snameserver.
Theattacker'snameserverprovidesextrarecordstothecache.
Theextrarecordsareinsertedintothecacheinsteadofbeingdiscarded.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurehardening1997:EugeneKashpurehijackstheInterNICwebsite.
BIND4.
9.
6and8.
1.
1introducehardeningagainstKashpurepoisoning.
RFC2181ispublished.
See§5.
4.
1"Rankingdata"fordetails.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningLackofentropy2000:DJBobservesthatamaximumofonlyabout31-32bitsofentropycanprotectaUDPDNSquery.
OtherDNSimplementationsslowtoadoptSPR.
32bitsofentropyparticularlyweakforasessionIDduetothebirthdayattackproblem.
NewerprotocolsusecryptographicallysecuresessionIDswith64,128,ormorebits.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKaminskypoisoning2008:DanKaminskynoticesthattheTTLcanbebypassed.
Coordinated,multi-vendorpatchesarereleasedtoimplementsourceportrandomization.
SPRmakesKaminskyattacksharder,butnotimpossible.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageRelevancetopassiveDNSWeimer's2005papernotesseveralproblemswithverifyingpassiveDNSdata.
KashpureandKaminskypoisoningof"activeDNS"haveanaloguesinpassiveDNS.
PassiveDNSsensorscan'tseetheDNScache's"bailiwick",leadingtorecordinjection.
Spoofedresponsesaretreatedjustlikenormalresponses.
AsinglespoofedresponsecanpoisonthepassiveDNSdatabase!
Goal:makepassiveDNSatleastasreliableasactiveDNS.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingthecapturestageagainstresponsespoongCapturebothqueriesandresponses.
Correlateresponseswithpreviouslyseenqueries.
TheDNSmessage9-tuple:1.
InitiatorIPaddress2.
Initiatorport3.
TargetIPaddress4.
Targetport5.
Internetprotocol6.
DNSID7.
Queryname8.
Querytype9.
QueryclassRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagenmsg/dnsqrdnsqrisamessagemoduleforISC'slibnmsgspecicallydesignedforpassiveDNScapture.
UDPDNStransactionsareclassiedintothreecategories:1.
UDPQUERYRESPONSE2.
UDPUNANSWEREDQUERY3.
UDPUNSOLICITEDRESPONSEPerformsIPreassembly,too!
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingtheanalysisstageagainstrecordinjectionCachesinternallyassociatea"bailiwick"witheachoutgoingquery.
Thecacheknowswhatbailiwicktouse,becauseitknowswhyit'ssendingaparticularquery.
Wehavetocalculatethebailiwickourselves.
Protectionagainstrecordinjectionrequiresprotectionagainstspoofedresponses.
(Otherwise,anattackercouldjustspooftherecordandthesourceIPaddressofanin-bailiwicknameserver.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmMustoperatecompletelypassively.
Mustprovideabooleantrueorfalseforeachrecord.
"Foreachrecordname,istheresponseIPaddressanameserverforthezonethatcontainsorcancontainthisname"Example:rootnameserverscanassertknowledgeaboutanyname!
Example:Verisign'sgtldserverscanassertknowledgeaboutanydomainnameendingin.
comor.
net.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmInitializebailiwickcachewithacopyoftherootzone.
CachestartsowithknowledgeofwhichserversservetherootandTLDs.
Findallpotentialzonesthatanamecouldbelocatedin.
Checkwhetheranyofthenameserversforthosezonesarethenameserverthatsenttheresponse.
EachtimeanNS,A,orAAAArecordisveriedbythealgorithm,itisinsertedintothebailiwickcache.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:example.
com.
Server:192.
5.
6.
30Potentialzones:example.
com.
com.
.
Zonesinbailiwickcache:com.
.
Check:example.
com.
/NSNotfound.
Check:com.
/NSFound13nameservers.
Check:areanyofthem192.
5.
6.
30Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexamplecom.
INNSa.
gtldservers.
net.
a.
gtldservers.
net.
INA192.
5.
6.
30RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;ADDITIONALSECTION:a.
ianaservers.
net.
172800INA192.
0.
34.
43b.
ianaservers.
net.
172800INA193.
0.
0.
236;;SERVER:192.
5.
6.
30#53(192.
5.
6.
30)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;ANSWERSECTION:www.
example.
com.
172800INA192.
0.
32.
10;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;SERVER:192.
0.
34.
43#53(192.
0.
34.
43)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:www.
example.
com.
Server:192.
0.
34.
43Potentialzones:www.
example.
com.
example.
com.
com.
.
Zonesinbailiwickcache:example.
com.
com.
.
Check:www.
example.
com.
/NSNotfound.
Check:example.
com.
/NSFound2nameservers.
Check:areanyofthem192.
0.
34.
43Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDNSDBDNSDBisadatabaseforstoringDNSrecords.
DataisloadedfrompassiveDNSandzoneles.
IndividualDNSrecordsarestoredinanApacheCassandradatabase.
Oerskey-valuestoredistributedacrossmultiplemachines.
GoodtforDNSdata.
Sustainsextremelyhighwritethroughputbecauseallwritesaresequential.
OersaRESTfulHTTPAPIandwebsearchinterface.
Databasecurrentlyconsumesabout500GBoutof27TB.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesArchitectureComponentsDatasourcesnmsg-dns-cacheDNSTLDzones(FTPviaZFAprograms):com,net,org,etc.
DNSzones(standardAXFR/IXFRprotocol)DataloadersDeduplicatedpassiveDNSZoneledataRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:nmsg-dns-cacheReadsrawDNSresponsesfrompassiveDNS.
ParseseachDNSmessageintoindividualDNSRRsets.
Seriesofltersreducethetotalamountofdatabyabout50%.
RRsetsaretheninsertedintoanin-memorycache.
CacheisexpiredinFIFOorder.
WhenRRsetsexpirefromthecache,theyformthenalnmsg-dns-cacheoutput.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:zonelesgTLDZoneFileAccessprograms:com,net,org,info,biz,nameAXFR'dzones:isc.
org,afewother"test"zones.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesExample#1:*.
google.
comRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardening
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEStructureofthistalkIntroductionDNSPassiveDNSISCSIEDNSsecurityissuesKashpurepoisoningKaminskypoisoningPassiveDNSsecurityissuesRecordinjectionResponsespoongISCDNSDBArchitectureDemosRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIETheDomainNameSystem"TheDNSmapshostnamestoIPaddresses.
"Moregenerally,itmaps(key,type)tuplestoasetofunorderedvalues.
again,wecanthinkoftheDNSasbasicallyamulti-valuedistributedkey-valuestore.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClients,caches,contentClientsrequestfullresolutionservicefromcaches.
CachesmakezeroormoreinquiriestoDNScontentserversonbehalfofclients.
Resultsarecachedforalimitedtimetoservefutureclientrequests.
ContentnameserversserveDNSrecordsforzonesthathavebeendelegatedtothem.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEClient-serverandinter-serverDNSprotocolsTheDNSisactuallytwodierentprotocolsthatshareacommonwireformat.
Theclient-to-serverprotocolspokenbetweenclientsandcaches.
Theinter-serverprotocolspokenbetweencachesandcontentservers.
PassiveDNSfocusesonthelatter.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSPassiveDNSreplicationisatechnologyinventedin2004byFlorianWeimer.
Manyuses!
Malware,e-crime,legitimateInternetservicesallusetheDNS.
Inter-serverDNSmessagesarecapturedbysensorsandforwardedtoacollectionpointforanalysis.
Afterbeingprocessed,individualDNSrecordsarestoredinadatabase.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIERobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEPassiveDNSdeploymentsFlorianWeimer'soriginaldnslogger,rstatRUS-CERT,thenatBFK.
de(2004–).
BojanZdrnja'sdnsparse(2006–).
ISC'sSecurityInformationExchange(2007–).
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBDNSPassiveDNSISCSIEISCSecurityInformationExchangeSIEisadistributionnetworkfordierenttypesofsecuritydata.
OneofthosetypesofdataispassiveDNS.
SensoroperatorsuploadbatchesofdatatoSIE.
DataisbroadcastontoprivateVLANs.
NMSGformatisusedtoencapsulatedata.
HasanumberoffeatureswhichmakeitveryusefulforstoringpassiveDNSdata,butwon'tbecoveredfurther.
SeeourGoogleTechTalkformoreinformation:http://www.
isc.
org/community/presentations/video.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningDNSSecurityIssuesPassiveDNScapturesbothsignedandunsigneddata,soDNSSECcannothelpus.
WhatsecurityissuesarethereintheDNSthatarerelevanttopassiveDNSKashpurepoisoningKaminskypoisoning(Actually,justresponsespoongingeneral.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningKashpurepoisoningisthenamegiventoaparticulartypeofDNScachepoisoning.
Theattackerrunsacontentnameserver.
Aclientisenticedtolookupadomainnameundertheattacker'scontrol.
Thecachecontactstheattacker'snameserver.
Theattacker'snameserverprovidesextrarecordstothecache.
Theextrarecordsareinsertedintothecacheinsteadofbeingdiscarded.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurepoisoningexampleQ:malicious.
example.
com.
INAR:malicious.
example.
com.
INNSwww.
example.
net.
R:www.
example.
net.
INA203.
0.
113.
67RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKashpurehardening1997:EugeneKashpurehijackstheInterNICwebsite.
BIND4.
9.
6and8.
1.
1introducehardeningagainstKashpurepoisoning.
RFC2181ispublished.
See§5.
4.
1"Rankingdata"fordetails.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningLackofentropy2000:DJBobservesthatamaximumofonlyabout31-32bitsofentropycanprotectaUDPDNSquery.
OtherDNSimplementationsslowtoadoptSPR.
32bitsofentropyparticularlyweakforasessionIDduetothebirthdayattackproblem.
NewerprotocolsusecryptographicallysecuresessionIDswith64,128,ormorebits.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBKashpurepoisoningKaminskypoisoningKaminskypoisoning2008:DanKaminskynoticesthattheTTLcanbebypassed.
Coordinated,multi-vendorpatchesarereleasedtoimplementsourceportrandomization.
SPRmakesKaminskyattacksharder,butnotimpossible.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageRelevancetopassiveDNSWeimer's2005papernotesseveralproblemswithverifyingpassiveDNSdata.
KashpureandKaminskypoisoningof"activeDNS"haveanaloguesinpassiveDNS.
PassiveDNSsensorscan'tseetheDNScache's"bailiwick",leadingtorecordinjection.
Spoofedresponsesaretreatedjustlikenormalresponses.
AsinglespoofedresponsecanpoisonthepassiveDNSdatabase!
Goal:makepassiveDNSatleastasreliableasactiveDNS.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingthecapturestageagainstresponsespoongCapturebothqueriesandresponses.
Correlateresponseswithpreviouslyseenqueries.
TheDNSmessage9-tuple:1.
InitiatorIPaddress2.
Initiatorport3.
TargetIPaddress4.
Targetport5.
Internetprotocol6.
DNSID7.
Queryname8.
Querytype9.
QueryclassRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagenmsg/dnsqrdnsqrisamessagemoduleforISC'slibnmsgspecicallydesignedforpassiveDNScapture.
UDPDNStransactionsareclassiedintothreecategories:1.
UDPQUERYRESPONSE2.
UDPUNANSWEREDQUERY3.
UDPUNSOLICITEDRESPONSEPerformsIPreassembly,too!
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstageProtectingtheanalysisstageagainstrecordinjectionCachesinternallyassociatea"bailiwick"witheachoutgoingquery.
Thecacheknowswhatbailiwicktouse,becauseitknowswhyit'ssendingaparticularquery.
Wehavetocalculatethebailiwickourselves.
Protectionagainstrecordinjectionrequiresprotectionagainstspoofedresponses.
(Otherwise,anattackercouldjustspooftherecordandthesourceIPaddressofanin-bailiwicknameserver.
)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmMustoperatecompletelypassively.
Mustprovideabooleantrueorfalseforeachrecord.
"Foreachrecordname,istheresponseIPaddressanameserverforthezonethatcontainsorcancontainthisname"Example:rootnameserverscanassertknowledgeaboutanyname!
Example:Verisign'sgtldserverscanassertknowledgeaboutanydomainnameendingin.
comor.
net.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmInitializebailiwickcachewithacopyoftherootzone.
CachestartsowithknowledgeofwhichserversservetherootandTLDs.
Findallpotentialzonesthatanamecouldbelocatedin.
Checkwhetheranyofthenameserversforthosezonesarethenameserverthatsenttheresponse.
EachtimeanNS,A,orAAAArecordisveriedbythealgorithm,itisinsertedintothebailiwickcache.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:example.
com.
Server:192.
5.
6.
30Potentialzones:example.
com.
com.
.
Zonesinbailiwickcache:com.
.
Check:example.
com.
/NSNotfound.
Check:com.
/NSFound13nameservers.
Check:areanyofthem192.
5.
6.
30Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexamplecom.
INNSa.
gtldservers.
net.
a.
gtldservers.
net.
INA192.
5.
6.
30RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;ADDITIONALSECTION:a.
ianaservers.
net.
172800INA192.
0.
34.
43b.
ianaservers.
net.
172800INA193.
0.
0.
236;;SERVER:192.
5.
6.
30#53(192.
5.
6.
30)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexample;;QUESTIONSECTION:;www.
example.
com.
INA;;ANSWERSECTION:www.
example.
com.
172800INA192.
0.
32.
10;;AUTHORITYSECTION:example.
com.
172800INNSa.
ianaservers.
net.
example.
com.
172800INNSb.
ianaservers.
net.
;;SERVER:192.
0.
34.
43#53(192.
0.
34.
43)RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBRelevanceCapturestageAnalysisstagePassiveDNSbailiwickalgorithmexampleName:www.
example.
com.
Server:192.
0.
34.
43Potentialzones:www.
example.
com.
example.
com.
com.
.
Zonesinbailiwickcache:example.
com.
com.
.
Check:www.
example.
com.
/NSNotfound.
Check:example.
com.
/NSFound2nameservers.
Check:areanyofthem192.
0.
34.
43Yes.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDNSDBDNSDBisadatabaseforstoringDNSrecords.
DataisloadedfrompassiveDNSandzoneles.
IndividualDNSrecordsarestoredinanApacheCassandradatabase.
Oerskey-valuestoredistributedacrossmultiplemachines.
GoodtforDNSdata.
Sustainsextremelyhighwritethroughputbecauseallwritesaresequential.
OersaRESTfulHTTPAPIandwebsearchinterface.
Databasecurrentlyconsumesabout500GBoutof27TB.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesArchitectureComponentsDatasourcesnmsg-dns-cacheDNSTLDzones(FTPviaZFAprograms):com,net,org,etc.
DNSzones(standardAXFR/IXFRprotocol)DataloadersDeduplicatedpassiveDNSZoneledataRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:nmsg-dns-cacheReadsrawDNSresponsesfrompassiveDNS.
ParseseachDNSmessageintoindividualDNSRRsets.
Seriesofltersreducethetotalamountofdatabyabout50%.
RRsetsaretheninsertedintoanin-memorycache.
CacheisexpiredinFIFOorder.
WhenRRsetsexpirefromthecache,theyformthenalnmsg-dns-cacheoutput.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesDatasource:zonelesgTLDZoneFileAccessprograms:com,net,org,info,biz,nameAXFR'dzones:isc.
org,afewother"test"zones.
RobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesExample#1:*.
google.
comRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardeningIntroductionDNSSecurityIssuesPassiveDNShardeningDNSDBArchitectureExamplesRobertEdmondsPassiveDNSHardening
- features免费dns相关文档
- IP免费dns
- disrupt免费dns
- 支持免费dns
- Users免费dns
- 域名免费dns
- drop免费dns
Digital-VM:服务器,$80/月;挪威/丹麦英国/Digital-VM:日本/新加坡/digital-vm:日本VPS仅$2.4/月
digital-vm怎么样?digital-vm在今年1月份就新增了日本、新加坡独立服务器业务,但是不知为何,期间终止了销售日本服务器和新加坡服务器,今天无意中在webhostingtalk论坛看到Digital-VM在发日本和新加坡独立服务器销售信息。服务器硬件是 Supermicro、采用最新一代 Intel CPU、DDR4 RAM 和 Enterprise Samsung SSD内存,默认...
优林云(53元)哈尔滨电信2核2G
优林怎么样?优林好不好?优林 是一家国人VPS主机商,成立于2016年,主营国内外服务器产品。云服务器基于hyper-v和kvm虚拟架构,国内速度还不错。今天优林给我们带来促销的是国内东北地区哈尔滨云服务器!全部是独享带宽!首月5折 续费5折续费!地区CPU内存硬盘带宽价格购买哈尔滨电信2核2G50G1M53元直达链接哈尔滨电信4核4G50G1M83元直达链接哈尔滨电信8核8G50G1M131元直...
Budgetvm12核心 16G 500 GB SSD 或者 2 TB SATA 10GB 20 TB 99美金
Budgetvm(原EZ机房),2005年成立的美国老品牌机房,主打美国4个机房(洛杉矶、芝加哥、达拉斯、迈阿密)和日本东京机房的独立服务器和VPS业务,而且不限制流量,默认提供免费的1800G DDoS防御服务,支持IPv6和IPMI,多种免费中文操作系统可供选择,独立服务器主打大硬盘,多硬盘,大内存,用户可以在后台自行安装系统等管理操作!内存可定制升级到1536G,多块硬盘随时加,14TBSA...
免费dns为你推荐
-
linux防火墙设置怎么更改linux的防火墙设置?德国iphone禁售令苹果在中国禁售了?说说看cisco2960配置cisco 2960 配置VLAN上网filezillaserver谁用过FileZilla_Server啊,请教波音737起飞爆胎美国737MAX又紧急迫降,为什么它还在飞?网站ipad计算机cuteftp文档下载手机下载的文件在哪里能找到3g手机有哪些现在有哪些比较适用的3g手机?地址栏图标网站添加地址栏图标代码怎么写?