This document describes DNS Cookies, a method to provide weak authentication for DNS queries and responses. DNS Cookies can help reduce forged source IP address traffic, protect against DoS attacks, and prevent reply cache poisoning attacks.
DNS Cookies
draft-eastlake-dnsext-cookies-01.txt

Donald E. Eastlake 3rd
Donald.Eastlake@motorola.com
+1-508-786-7554

IETF DNSEXT WG Cookies
DNS Cookies
• Provides weak authentication of queries and responses. Can be viewed as a weak version of TSIG.
• No protection against “on-path” attackers, that is, no protection against anyone who can see the plain text queries and responses.
• Requires no set-up or configuration.
DNS Cookies (cont.)
• Intended to greatly reduce
  • Forged source IP address traffic amplification DoS attacks.
  • Forged source IP address recursive server work load DoS attacks.
  • Forged source IP address reply cache poisoning attacks.
The COOKIE OPT Option
• A new Option to the OPT-RR

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |        OPTION-CODE TBD        |      OPTION-LENGTH = 18       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  Resolver Cookie upper half                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                  Resolver Cookie lower half                   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Server Cookie upper half                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   Server Cookie lower half                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Error Code           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Resolver Warm Fuzzies
• If DNS Cookies Enforced
  • Resolver puts a COOKIE in queries with
    • A Resolver Cookie that varies with the server: truncated HMAC(server-IP-address, resolver secret)
    • The Server Cookie the resolver has cached for that server, if it has one
  • Resolver ignores all replies that do not carry the correct Resolver Cookie
  • Caches the new Server Cookie and retries the query if it gets a Bad Cookie error carrying a correct Resolver Cookie
Simplified Server Warm Fuzzies
• If DNS Cookies Enforced
  • Server puts a COOKIE in replies with
    • A Server Cookie that varies with the resolver: truncated HMAC(resolver-IP-address, server secret)
    • The Resolver Cookie, if there was one in the corresponding query
  • If a query is received with a bad or missing Server Cookie, send back a short error message
Example

  Resolver (Resolver Cookie RC:123)                          Server
    Query:       RC:123, SC:???, E:0     -->
                                         <--  ErrReply:  RC:123, SC:789, E:BadC
    (resolver caches SC:789)
    Query:       RC:123, SC:789, E:0     -->
                                         <--  AnsReply:  RC:123, SC:789, E:0

  Attacker forging the resolver's source address (RC:XYZ)
    ForgedQuery: RC:XYZ, SC:???, E:0     -->
                                         <--  ErrReply:  RC:XYZ, SC:789, E:BadC  (short error only, no answer)
    ForgedReply: RC:???, SC:???, E:0     -->  resolver   (ignored: Resolver Cookie is not 123)
Complexities
• Bad guy Resolver behind a NAT
  • Could get a Server Cookie and attack other resolvers behind the same NAT
  • Solution: Mix the Resolver Cookie into the Server Cookie hash so multiple resolvers that appear to be at the same IP address are distinguished
• Anycast Servers
  • Need to use the same server secret or assure that queries from the same resolver usually go to the same server
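The following Python is an added worked example (not from the draft or these slides) modelling the cookie computation, the COOKIE option wire format, and the query/Bad Cookie/retry exchange from the preceding slides, including the NAT mitigation of mixing the Resolver Cookie into the Server Cookie hash. The option code, error-code values, secrets and addresses are constructed placeholders, and HMAC-SHA-256 is assumed since the slides do not name a hash function.

```python
import hashlib, hmac, ipaddress, struct

OPTION_CODE = 0                  # placeholder: the draft says "TBD"
OPTION_LENGTH = 18               # 8-byte Resolver Cookie + 8-byte Server Cookie + 2-byte error code
ERR_OK, ERR_BAD_COOKIE = 0, 1    # constructed error-code values, not assigned by the draft
UNKNOWN = b"\0" * 8              # "SC:???": resolver has not learned a Server Cookie yet

def cookie(secret: bytes, ip: str, extra: bytes = b"") -> bytes:
    """Truncated HMAC (SHA-256 assumed) over the peer's IP address plus optional extra material."""
    msg = ipaddress.ip_address(ip).packed + extra
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]

def resolver_cookie(resolver_secret: bytes, server_ip: str) -> bytes:
    return cookie(resolver_secret, server_ip)
def server_cookie(server_secret: bytes, resolver_ip: str, rc: bytes) -> bytes:
    # Mix the Resolver Cookie in, so resolvers sharing one NAT address get distinct Server Cookies.
    return cookie(server_secret, resolver_ip, rc)
def encode_option(rc: bytes, sc: bytes, err: int) -> bytes:
    return struct.pack("!HH8s8sH", OPTION_CODE, OPTION_LENGTH, rc, sc, err)
def decode_option(data: bytes):
    code, length, rc, sc, err = struct.unpack("!HH8s8sH", data[:22])
    if code != OPTION_CODE or length != OPTION_LENGTH: raise ValueError("not a COOKIE option")
    return rc, sc, err

def server_handle(server_secret: bytes, src_ip: str, opt: bytes):
    """Server side: echo the RC, check the SC; a bad SC gets only a short Bad Cookie error, no answer."""
    rc, sc, _ = decode_option(opt)
    expected = server_cookie(server_secret, src_ip, rc)
    if not hmac.compare_digest(sc, expected):
        return encode_option(rc, expected, ERR_BAD_COOKIE), False
    return encode_option(rc, expected, ERR_OK), True

def resolver_accepts(resolver_secret: bytes, server_ip: str, reply: bytes) -> bool:
    """Resolver side: drop any reply whose Resolver Cookie is not the one it sent to that server."""
    rc, _, _ = decode_option(reply)
    return hmac.compare_digest(rc, resolver_cookie(resolver_secret, server_ip))

def resolve(resolver_secret, server_secret, resolver_ip, server_ip, cache):
    """One query with a single retry on Bad Cookie; returns (answered, round_trips)."""
    rc = resolver_cookie(resolver_secret, server_ip)
    for attempt in (1, 2):
        query = encode_option(rc, cache.get(server_ip, UNKNOWN), ERR_OK)
        reply, answered = server_handle(server_secret, resolver_ip, query)
        if not resolver_accepts(resolver_secret, server_ip, reply):
            continue                           # forged reply: ignored
        _, new_sc, err = decode_option(reply)
        if err == ERR_BAD_COOKIE:
            cache[server_ip] = new_sc          # learn the Server Cookie and retry
            continue
        return answered, attempt
    return False, 2
```

The first resolve() to a server costs two round trips (Bad Cookie, then the answer); once the Server Cookie is cached, later queries are answered on the first try.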