[go: up one dir, main page]
|
|
Log in / Subscribe / Register

Fedora mulls providing a local DNSSEC resolver

By Nathan Willis
May 21, 2014

The Domain Name System (DNS) has never been secure, yet a great many other Internet services would not function without it. That is why the DNS Security Extensions (DNSSEC) were created. But the security of DNSSEC hinges on validating that the information returned from a DNS server has not been tampered with. Any application can perform its own DNS lookups—as is true in non-DNSSEC DNS—but most rely on an external resolver to perform the function on their behalf. Consequently, applications place a considerable amount trust in the DNS resolver: DNSSEC can safeguard against cache poisoning and other attacks, but the system does not offer protection if the resolver itself is compromised. To provide the most trustworthy DNSSEC service it can, Fedora is considering making a local DNSSEC resolver the default for the forthcoming Fedora 22 release—although most of the changes should land in time for Fedora 21, giving users and developers an opportunity to battle test them.

The proposed change is meant to ensure that there is always a trusted DNSSEC resolver available, even though the average portable computer is used on a variety of untrusted networks (such as on a public WiFi access point). On many of these untrusted networks, DNS server information is provided to client machines by DHCP. At best, a remote DNSSEC resolver on such an untrusted wireless LAN should be regarded with caution, and in practice many public hotspots do not offer DNSSEC at all, which means that DNS queries fall back to unverified DNS. With a DNSSEC resolver running as a local process, however, less trust is placed in unverified systems.

In a nutshell, DNSSEC is designed to permit cryptographic verification of DNS record lookups by having DNS servers digitally sign all of their messages: IP address lookup, MX records, certificate records, and so on. Notably, DNSSEC servers sign—but do not encrypt—DNS messages, although Daniel J. Bernstein's DNSCurve protocol does perform encryption, including encrypting DNSSEC. DNSCurve, however, is not widely supported among the major DNS service providers.

DNSSEC is broadly available, but, for any given domain, it is up to the domain owner to create and deploy the public/private key pair used to sign authoritative DNS messages for the domain. The root and top-level name servers (i.e., .com, .org, .net, etc.) have already implemented DNSSEC, though, as have many domains, and many recursive name servers are already DNSSEC aware.

As is usual for Fedora proposals, program manager Jaroslav Reznik posted the local-DNSSEC-resolver proposal on the Fedora development list on April 29, on behalf of change owners Prasad J. Pandit, Pavel Šimerda, and Tomas Hozza. The list of benefits to implementing the proposal include providing increased security and privacy for users (in light of how many public networks are not trustworthy), providing a more reliable DNS-resolving solution than that often found on public networks, and the simple principle of pushing forward with items like DNSSEC and IPv6 adoption. DNSSEC and IPv6 are the future, after all; it would be better to get implementations in working order before they become mandatory.

The change proposes setting up a validating DNSSEC resolver running on the Fedora machine, bound to 127.0.0.1:53. The resolver software to be used has yet to be selected, although unbound was suggested as a likely candidate. Paul Wouters said that the Fedora project has been working with the unbound team on adding necessary features, and it has also been selected by FreeBSD.

With the DNSSEC resolver running on a local port, applications configured to use the system default would automatically send their queries to the local server. By default, Fedora uses NetworkManager to configure DNS and other basic network options; if the machine joins a network on which a DHCP server supplies DNS server recommendations, the local DNSSEC resolver would pick those up as transient resolvers. Naturally, implementing the change would have a ripple effect on a number of other components for some systems. Users who manually edit their /etc/resolv.conf or /etc/sysconfig/network-scripts/ifcfg-* files would need more effort to migrate.

There are a few issues yet to be resolved with the proposal. First, the mailing list discussion revealed that there is not a clear, bright line between "trusted" and "untrusted" networks. A network may provide DNS service for machines in the local domain. In that case, the Fedora system can either choose not to trust the LAN's DNS server (and thus be unable access to local machines), or to trust the LAN's DNS server and run the risk that it will respond to queries with malicious replies. Of course, the root of this problem is that it is not entirely clear how the local DNS resolver (DNSSEC or otherwise) could automatically distinguish between a trusted and untrusted network.

But that is not a problem limited just to DNS or DHCP; which networks are trusted and which are untrusted is a question generally only the user can answer. The user knows which locations (home and office, for example) are trustworthy and which are not (like the neighborhood coffee franchise). There is some risk of confusing the two in NetworkManager's saved network information, such as in the case of multiple networks that use the same SSID (e.g., "linksys," "dd-wrt," or other defaults). But that possibility of confusion is already present. In all likelihood, Fedora will delegate the decision to trust a network or not to the user, as it does for other security questions such as firewall policy.

Matthew Miller asked whether the team working on Fedora's cloud product had been consulted, noting that DNS resolvers are not lightweight processes, and cloud admins prefer to run as few services as possible. Also, the stated justification that Fedora machines are portable/mobile devices moving between networks assumes things that are not true for the cloud product.

There is another major challenge with less clarity about possible solutions, however: Docker. Fedora is moving forward with a plan to offer Docker containerization for applications, but as Alexander Larsson pointed out, Docker (as well as, potentially, some other applications) makes use of network namespaces. Inside the namespace, 127.0.0.1:53 would point to the container itself rather than to the host, so DNS resolution would fail.

Several possible solutions were proposed, each of which include some drawbacks. Colin Walters suggested offering a local API for the resolver (either using Unix sockets or over kdbus); that suggestion was rejected because it would require modifying every program that performed DNS queries. Simo Sorce proposed modifying Docker, providing it with an IP address that would be redirected to the host. The problem there is finding an IP address that would be guaranteed to be available for both the container and the host.

Larsson pointed out that the Docker container and the host both reserve the entire 127.0.0.* address block for loopback usage; finding another usable address would probably mean hijacking an address officially reserved for some other purpose (Sorce suggested something from 192.168.*.*, which is used for similar reasons by libvirt, or 169.254.*.*, which is owned by Microsoft but designated for auto-address-assignment by hosts experiencing local collision).

Chuck Anderson asked whether the DNS resolver could simply listen on another address, such as 127.0.0.53. That would also interfere with the 127.0.0.* loopback reservation already mentioned, but Pandit responded that it would be easier to modify the container to forward 127.0.0.1:53 to the host system. Since it seems like modifying Docker's behavior is required for any solution, how best to proceed is still up in the air. As Sorce had noted earlier, the problem of how an application inside a Docker container might communicate with the host system is akin to the problems tackled by other virtualization projects, so it is certainly not unsolvable.

Although the cloud and Docker cases have yet to be resolved, the change is proposed for deployment a full release cycle away, which should provide plenty of time to explore and test possible solutions. For the Fedora 21 release, users may choose to install and run unbound (or another DNSSEC-validating local resolver), gaining the benefits of DNSSEC validation—as well as always having a relatively trustworthy DNS resolver on hand, regardless of the state of the network itself.

Index entries for this article
SecurityDistribution security
SecurityDomain Name System (DNS)

to post comments

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 8:10 UTC (Thu) by Tjebbe (guest, #34055) [Link] (2 responses)

Microsoft might be the first (and only?) to use it, but they do not own 169.254/16; it's been officially reserved by IANA for link-local addressing.

See http://tools.ietf.org/html/rfc3927 http://tools.ietf.org/html/rfc6890 or the WHOIS entry for 169.254/16

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 10:25 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Microsoft are definitely not the only people implementing link local addressing on IPv4 (LLv4), but obviously the colossal number of Windows machines means it's quite likely that your first encounter with it would be on a Windows PC.

(Some?) Linux distributions tried treating LLv4 the way that LLv6 is handled (it's normal in IPv6 to have a link-local address as well as, rather than instead of, a global one). But some applications don't play well with that and it seems to have largely died out.

I don't really know how the Microsoft reference got into that article, I thought that maybe unknown to me 169.254/16 had been donated from a larger allocation by Microsoft, but records indicate it was allocated specifically by IANA from the outset for this purpose. Maybe the article's author can clue us in?

Fedora mulls providing a local DNSSEC resolver

Posted Jun 3, 2014 10:50 UTC (Tue) by gdt (subscriber, #6284) [Link]

The issue is easily fixed. Ask a regional routing registry for a returned portable /24 for this purpose. On each host statically route that to the DNSSEC server to use (presumably to the lo:1 interface in the laptop case and off the machine in the cluster case).

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 13:07 UTC (Thu) by justincormack (subscriber, #70439) [Link] (7 responses)

People using containers would have an easier life if they used ipv6.

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 17:23 UTC (Thu) by bronson (guest, #4806) [Link] (6 responses)

Seems like ipv6 has the same problem as ipv4: what address should be selected as the magic host address?

There are plenty of potential addresses to choose from, but none appear very well suited. ipv6 just has vastly more unsuitable addresses.

Or is there something more to it that I'm missing?

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 20:20 UTC (Thu) by Comet (guest, #11646) [Link] (5 responses)

With IPv6, anyone with a /48 allocation can feel free to say "hey, this /64 here? we're reserving it for this purpose, we guarantee to never allocate IPs for it on the wire, feel free to use it in this way".

The difference is entirely in approach and economics when a scarce resource becomes plentiful.

So if I'm handling IP allocation at RedHat and we've been allocated 2001:db8:42::/48 then I could say "2001:db8:42:d0ce::/64 is henceforth reserved for container/host links providing services from the host to containers; we won't use it, feel free to incorporate it into products".

Fedora mulls providing a local DNSSEC resolver

Posted May 23, 2014 11:12 UTC (Fri) by justincormack (subscriber, #70439) [Link] (4 responses)

That is not a good idea as people will expect to route stuff under 2000::/3. However there is a non externally routed ULA space for these kind of applciations http://tools.ietf.org/search/rfc4193 https://en.wikipedia.org/wiki/Unique_local_address - anyone can register a /48.

Fedora mulls providing a local DNSSEC resolver

Posted May 23, 2014 19:58 UTC (Fri) by Comet (guest, #11646) [Link] (3 responses)

ULA doesn't get registered, but there's a voluntary system set up by folks adding more bureaucracy in the hope that doing so will protect against people not following the randomness rules.

A key point is that all ULA is a local issue. Nobody _can_ tell you "hey, this ULA block over here should be used for purpose X" -- the uniqueness designs add some nice features, but nobody can dictate how one block should be used. By contrast, if address-space has been _assigned_ to you, then you can.

The routing is a non-issue: that's about a default handling, the whole point of reserving a block is that consenting systems can choose to handle it in a non-default way (but it doesn't impact anyone else). It even works with VMs, as the client VM routes outwards for 2000::/3 and the VM host environment routes one reserved block of that that to itself (or another VM for isolation), where there's a local DNSSEC resolver. So the traffic gets to the designated handler.

Worst case scenario, some config leaks to a system which is not set up with a local handler; sites can either treat the block as anycast and point it at something local, or let it out onto the Internet. It's then up to RH as to whether they provide a free DNSSEC resolver, provide nothing at all, or publish a blackhole route for that block via BGP.

Fedora mulls providing a local DNSSEC resolver

Posted May 24, 2014 7:32 UTC (Sat) by mbunkus (subscriber, #87248) [Link] (2 responses)

> ULA doesn't get registered, but there's a voluntary system set up by folks adding more bureaucracy in the hope that doing so will protect against people not following the randomness rules.

That's piqued my curiosity (the folks volunteering, not that they don't get registered in the first place). Could you please provide some more information or give a link to some? Thanks.

Fedora mulls providing a local DNSSEC resolver

Posted May 24, 2014 8:07 UTC (Sat) by Comet (guest, #11646) [Link] (1 responses)

https://www.sixxs.net/tools/grh/ula/
This page allows you to generate and then 'register' your IPv6 ULA (Unique Local Address) RFC4193 prefix. Note that this does not concern ULA-Central, though this system could easily handle that too. When you have registered your ULA prefix here, it allows others to check up if they accidentally generated the same prefix, before using it. This should absolutely minimize the number of collisions for ULA space. We hope that everybody using ULA prefixes register their prefixes here, to avoid these collisions.

Fedora mulls providing a local DNSSEC resolver

Posted May 25, 2014 10:50 UTC (Sun) by tialaramex (subscriber, #21167) [Link]

Right

In the same way that two corporations will try to merge and find that they had both chosen to stick loads of devices into 10.1/16 and none in 10.183/16 because humans are simultaneously stupid AND lazy, with ULA inevitably some idiots will pick values that were easy to remember or convenient for some other reason and then be "surprised" that others did the same.

If you actually use random numbers (hexadecimal dice are pretty cheap, buy a few for your network administrators) then there's no more problem with ULA collisions than with people accidentally flying a 747 into your data centres. You would need about a million randomly generated ULA organisational prefixes to be sharing a "private" network before the statistics are in favour of just one collision (because of the birthday paradox). Somewhere in the first few thousand such prefixes it's time to say "Hey, I don't think this is a private network after all" and get real IPv6 prefixes from your RIR.

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 13:40 UTC (Thu) by lambda (subscriber, #40735) [Link] (3 responses)

I like this idea from a security standpoint. But there are going to be a lot of practical problems implementing this for laptop users.

For one, many wifi hotspots rely on DNS hijacking to present you with the login page. This will mean that you never see that login page, and thus are never allowed to log in to stop your packets from being blackholed.

For another, content deliver networks like Akamai use your DNS request to figure out what network you're on, and thus direct you to a topologically close server. They keep a big map of the most common DNS resolvers on the Internet, with metrics for how close each of those networks are to each of their data centers. If you're running your own resolver, you won't be in their database and thus will most likely get a more generic result. There are other techniques used to mitigate this somewhat, but it's still likely that you'll get somewhat worse performance for content hosted on CDNs if you run your own personal resolver rather than using your ISP's.

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 20:22 UTC (Thu) by Comet (guest, #11646) [Link]

Hotspot handling is managed by the dnssec-trigger project, related to unbound, and RedHat people can be seen on the mailing-list for that project, providing patches.

dnssec-trigger is a rather nice cross-platform tool. http://www.nlnetlabs.nl/projects/dnssec-trigger/

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 23:03 UTC (Thu) by drag (guest, #31333) [Link] (1 responses)

> For one, many wifi hotspots rely on DNS hijacking to present you with the login page.

The ones I've ran into resolve DNS to ip addresses correctly. It's just when you try to connect to a website or whatever the gateway redirect your browser session to their web server.

Or at least that is how they seem to work.

I know this because it's possible to tunnel TCP/IP over DNS...

Fedora mulls providing a local DNSSEC resolver

Posted May 23, 2014 15:25 UTC (Fri) by raven667 (subscriber, #5198) [Link]

I've seen a captive portal that works via DNS hijacking, or at least the DHCP response to clients in the pre-auth network assigns the captive portal box as the DNS server, and the DNS server on the captive portal box responds to everything (except for a few resources allowed to unauthenticated users) with its own IP address. This architecture doesn't require the captive portal to be in-line or in the same layer2 network as the clients which helps with scalability.

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 17:45 UTC (Thu) by drag (guest, #31333) [Link]

Is it possible to have a really really lightweight 'dumb' DNS resolver that can be run inside of containers?

Just need something to check signatures on DNS results from other DNS servers and read /etc/hosts file or whatever. It doesn't seem like that would be a huge deal to whip up a small daemon. Even something like dnsmasq would be largely overkill for what is needed to validate dns signatures locally.

Fedora mulls providing a local DNSSEC resolver

Posted May 22, 2014 19:43 UTC (Thu) by bwelling (subscriber, #13189) [Link]

The basic description of DNSSEC here is slightly incorrect. DNSSEC is designed to permit DNS authorities to digitally sign all of the DNS content, and DNS servers can transmit the signed content. The messages containing the content are not themselves signed. DNSCurve, on the other hand, does sign and encrypt messages, making it independent of and orthogonal to DNSSEC.

Fedora mulls providing a local DNSSEC resolver

Posted May 29, 2014 6:22 UTC (Thu) by dlang (guest, #313) [Link] (2 responses)

The Fedora folks should stop by the cerowrt mailing list archives, they've been attempting to roll out DNSSEC by default and run into a number of headaches

among them, DNSSEC doesn't work without accurate time, but how do you lookup your NTP servers?

they've also found that a number of ISPs do things with DNS traffic that break DNSSEC.

Fedora mulls providing a local DNSSEC resolver

Posted May 30, 2014 8:25 UTC (Fri) by sourcejedi (guest, #45153) [Link] (1 responses)

I think it's a problem because cerowrt target machine(s) don't have a battery-backed clock that's set at the factory. Fedora's targets generally do (except maybe some ARM boards).

Fedora mulls providing a local DNSSEC resolver

Posted May 30, 2014 19:13 UTC (Fri) by dlang (guest, #313) [Link]

If you depend on the system clock being correct to operate properly, you are going to be in trouble sooner or later.


Copyright © 2014, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds