Source Code Audit on Unbound DNS Server for Nlnet Labs
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Privacy in the Domain Name System (DNS): DNS Privacy in Practice
Privacy in the Domain Name System (DNS): DNS Privacy in Practice Sara Dickinson [email protected] https://sinodun.com @SinodunCom TMA Jun 2019 DNS Privacy https://github.com/Sinodun/tma_phd_school Overview • First - lets look at your DNS queries! • Desktop DoT stub resolvers (client) (Stubby) • Set up your own DoT recursive (Unbound) - decrypt DoT • DoH - Clients & Browsers (Firefox) - decrypt DoH Firefox DoH Decryption is • Mobile Apps easier…. • DNS Libraries (getdns) • Routers TMA, Jun 2019 2 DNS Privacy dnsprivacy.org • DNS Privacy Clients • DNS Privacy Servers setup guides Reference material here • DNS Privacy Test and Public resolvers for most setups and recursive resolvers • DNS Privacy Monitoring • DNS Privacy Current work TMA, Jun 2019 3 DNS Privacy DNS Basics TMA, Jun 2019 4 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘dig’ is available on most *nix systems (or ‘drill’) TMA, Jun 2019 5 DNS Privacy DNS Basics - A UDP query ‘nslookup’ is available on Windows order is important! TMA, Jun 2019 6 DNS Privacy DNS Basics -
Ispconfig 3 Manual]
[ISPConfig 3 Manual] ISPConfig 3 Manual Version 1.0 for ISPConfig 3.0.3 Author: Falko Timme <[email protected]> Last edited 09/30/2010 1 The ISPConfig 3 manual is protected by copyright. No part of the manual may be reproduced, adapted, translated, or made available to a third party in any form by any process (electronic or otherwise) without the written specific consent of projektfarm GmbH. You may keep backup copies of the manual in digital or printed form for your personal use. All rights reserved. This copy was issued to: Thomas CARTER - [email protected] - Date: 2010-11-20 [ISPConfig 3 Manual] ISPConfig 3 is an open source hosting control panel for Linux and is capable of managing multiple servers from one control panel. ISPConfig 3 is licensed under BSD license. Managed Services and Features • Manage one or more servers from one control panel (multiserver management) • Different permission levels (administrators, resellers and clients) + email user level provided by a roundcube plugin for ISPConfig • Httpd (virtual hosts, domain- and IP-based) • FTP, SFTP, SCP • WebDAV • DNS (A, AAAA, ALIAS, CNAME, HINFO, MX, NS, PTR, RP, SRV, TXT records) • POP3, IMAP • Email autoresponder • Server-based mail filtering • Advanced email spamfilter and antivirus filter • MySQL client-databases • Webalizer and/or AWStats statistics • Harddisk quota • Mail quota • Traffic limits and statistics • IP addresses 2 The ISPConfig 3 manual is protected by copyright. No part of the manual may be reproduced, adapted, translated, or made available to a third party in any form by any process (electronic or otherwise) without the written specific consent of projektfarm GmbH. -
Oracle Berkeley DB Installation and Build Guide Release 18.1
Oracle Berkeley DB Installation and Build Guide Release 18.1 Library Version 18.1.32 Legal Notice Copyright © 2002 - 2019 Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. Berkeley DB, and Sleepycat are trademarks or registered trademarks of Oracle. All rights to these marks are reserved. No third- party use is permitted without the express prior written consent of Oracle. Other names may be trademarks of their respective owners. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. -
To the Members of the Senate Judiciary Committee: We, The
To the members of the Senate Judiciary Committee: We, the undersigned, have played various parts in building a network called the Internet. We wrote and debugged the software; we defined the standards and protocols that talk over that network. Many of us invented parts of it. We're just a little proud of the social and economic benefits that our project, the Internet, has brought with it. We are writing to oppose the Committee's proposed new Internet censorship and copyright bill. If enacted, this legislation will risk fragmenting the Internet's global domain name system (DNS ), create an environment of tremendous fear and uncertainty for technological innovation, and seriously harm the credibility of the United States in its role as a steward of key Internet infrastructure. In exchange for this, the bill will introduce censorship that will simultaneously be circumvented by deliberate infringers while hampering innocent parties' ability to communicate. All censorship schemes impact speech beyond the category they were intended to restrict, but this bill will be particularly egregious in that regard because it causes entire domains to vanish from the Web, not just infringing pages or files. Worse, an incredible range of useful, law-abiding sites can be blacklisted under this bill. These problems will be enough to ensure that alternative name-lookup infrastructures will come into widespread use, outside the control of US service providers but easily used by American citizens. Errors and divergences will appear between these new services and the current global DNS, and contradictory addresses will confuse browsers and frustrate the people using them. -
Unbound: a New Secure and High Performance Open Source DNS Server
New Open Source DNS Server Released Today Unbound – A Secure, High-Performance Alternative to BIND – Makes its Debut within Open Source Community Amsterdam, The Netherlands and Mountain View, CA – May 20, 2008 – Unbound – a new open source alternative to the BIND domain name system (DNS) server– makes its worldwide debut today with the worldwide public release of Unbound 1.0 at http://unbound.net. Released to open source developers by NLnet Labs, VeriSign, Inc. (NASDAQ: VRSN), Nominet, and Kirei, Unbound is a validating, recursive, and caching DNS server designed as a high- performance alternative for BIND (Berkeley Internet Name Domain). Unbound will be supported by NLnet Labs. An essential component of the Internet, the DNS ties domain names (such as www.verisign.com) to the IP addresses and other information that Web browsers need to access and interact with specific sites. Though it is unknown to the vast majority of Web users, DNS is at the heart of a range of Internet-based services beyond Web browsing, including email, messaging and Voice Over Internet Protocol (VOIP) telecommunications. Although BIND has been the de facto choice for DNS servers since the 1980s, a desire to seek an alternative server that excels in security, performance and ease of use prompted an effort to develop an open source DNS implementation. Unbound is the result of that effort. Mostly deployed by ISPs and enterprise users, Unbound will also be available for embedding in customer devices, such as dedicated DNS appliances and ADSL modems. By making Unbound code available to open source developers, its originators hope to enable rapid development of features that have not traditionally been associated with DNS. -
Mullvad DNS Over HTTPS Server Audit
Report Mullvad DNS over HTTPS server audit Wictor Olsson, Emilie Barse, Benjamin Svensson, Johanna Abrahamsson Project Version Date MUL001 v1.0 2021-02-23 REPORT Project Version MUL001 v1.0 Date 2021-02-23 Executive summary Assured was tasked to perform a whitebox system audit of Mullvads DNS over HTTPS servers. The audit focused on configuration in regards to privacy, attack sur- face reduction and security best practices. The server deployment and config- uration displayed a good level of security in general. At the time of the au- dit, the exposed services were running at a good patch level, with no known vul- nerabilities. The most notable findings during the audit was related to a mis- configuration of the DNS service (Unbound), NTP service and iptables egress/ingress configuration, these issues were promptly resolved by the Mullvad team and ver- ified during the audit period. i REPORT Project Version MUL001 v1.0 Date 2021-02-23 Contents 1 Introduction 1 1.1 Background . 1 1.2 Constraints and disclaimer . 1 1.3 Project period and staffing . 1 1.4 Risk rating . 2 2 Scope and methodology 3 2.1 Scope . 3 2.1.1 Audit of Mullvad DNS over HTTPS servers . 3 2.2 Methodology . 3 2.2.1 System audit . 3 2.3 Limitations . 4 3 Observations 5 3.1 Mullvad DNS over HTTPS servers . 5 3.1.1 Low MITIGATED Unbound listening socket misconfigu- ration ......................... 5 3.1.2 Low FIXED Iptables should be more restrictive .. 6 3.1.3 Note FIXED Ntpd listening on all interfaces .... 7 3.1.4 Note Apparmor for exposed services . -
Domain Name Server Comparison
DomainNameServerComparison: BIND8vs.BIND9vs.djbdnsvs.??? BradKnowles SeniorConsultantforSnow,BV [email protected] http://www.shub-internet.org/brad/papers/dnscomparison/ Entirecontentscopyright©2003byBradKnowles,allrightsreserved Overview • Meta Information • TLD Survey Results • Software – Installation – Features – Performance • Conclusions 2003-01-28 Copyright©2003byBradKnowles 2 MetaInformation • Hardware Used • Software Used • Methodology 2003-01-28 Copyright©2003byBradKnowles 3 HardwareUsed • TLD Survey – OS: BSD/OS 4.2 – CPU: Pentium III – RAM: 512MB real, 1.0GB virtual 2003-01-28 Copyright©2003byBradKnowles 4 HardwareUsed • Performance Testing – Compaq Armada 4131T Laptop • OS: FreeBSD 4.6.2-RELEASE • CPU: Pentium 133 • RAM: 48MB real, 384MB virtual • NICs: Asanté FriendlyNET AL1011 “Prism2” 802.11b WiFi PC Card & Linksys EtherFast 10/100 PC Card (PCM100) • HD: 10GB IBM Travelstar 20GN – 4200 RPM – 12ms avg. seek 2003-01-28 Copyright©2003byBradKnowles 5 HardwareUsed: PerformanceTesting Image copyright © 2001 Sunset Computer Services, Inc. All Rights Reserved. 2003-01-28 Copyright©2003byBradKnowles 6 SoftwareUsed • ISC – BIND 8.3.3-REL – BIND 9.2.2rc1 • djbdns 1.05 – daemontools 0.76 – ucpsi-tcp 0.88 – tinydns-bent 1.1 • nsd 1.02b1 • Nominum – ANS (Authoritative Name Server) 2.0.1-1eval – CNS (Caching Name Server) 1.1.0b1 • PowerDNS 2.9.4 2003-01-28 Copyright©2003byBradKnowles 7 SomeSoftwareConsidered • QuickDNS (authoritative) – See <http://www.menandmice.com/2000/2600_isp_dns_solution.html> • Aimed at small-to-medium size businesses, -
Stateless DNS
Technical Report KN{2014{DiSy{004 Distributed System Laboratory Stateless DNS Daniel Kaiser, Matthias Fratz, Marcel Waldvogel, Valentin Dietrich, Holger Strittmatter Distributed Systems Laboratory Department of Computer and Information Science University of Konstanz { Germany Konstanzer Online-Publikations-System (KOPS) URL: http://nbn-resolving.de/urn:nbn:de:bsz:352-0-267760 Abstract. Several network applications, like service discovery, file dis- covery in P2P networks, distributed hash tables, and distributed caches, use or would benefit from distributed key value stores. The Domain Name System (DNS) is a key value store which has a huge infrastructure and is accessible from almost everywhere. Nevertheless storing information in this database makes it necessary to be authoritative for a domain or to be \registered" with a domain, e.g. via DynDNS, to be allowed to store and update resource records using nsupdate . Applications like the ones listed above would greatly benefit from a configurationless approach, giving users a much more convenient experience. In this report we describe a technique we call Stateless DNS, which allows to store data in the cache of the local DNS server. It works without any infrastructure updates; it just needs our very simple, configurationless echo DNS server that can parse special queries containing information desired to be stored, process this information, and generate DNS answers in a way that the DNS cache that was asked the special query will store the desired information. Because all this happens in the authority zone of our echo DNS server, we do not cause cache poisoning. Our tests show that Stateless DNS works with a huge number of public DNS servers. -
Sirdom. Sistema Para La Gestión Del Servicio De Resolución De Nombres De Dominios
Revista de investigación Editada por Área de Innovación y Desarrollo, S.L. Envío: 27-01-2013 Aceptación: 30-01-2013 Publicación: 19-02-2013 SIRDOM. SISTEMA PARA LA GESTIÓN DEL SERVICIO DE RESOLUCIÓN DE NOMBRES DE DOMINIOS SIRDOM. MANAGEMENT SYSTEM FOR THE RESOLUTION NAMES DOMAINS SERVICE. Yoedusvany Hernández Mendoza1 Yordanis Arencibia López2 Yankier Crespo González3 1. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. 2. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. 3. Máster, Ingeniero Informático. Profesor del Departamento de Redes, UNICA. RESUMEN Este artículo presenta un estudio del comportamiento del servicio DNS, su funcionamiento, herramientas y por último se propone un sistema informático que permite configurar y gestionar dicho servicio a través de una serie de prestaciones y facilidades que las aplicaciones actuales no posibilitan. Este sistema permitirá gestionar el servicio de resolución de nombres de dominio sobre BIND en su versión 9. ABSTRACT This paper presents a study of the behavior of DNS, its operating principle, tools and finally proposes a computer system to configure and manage this service through a number of benefits and facilities that do not allow current applications. This system will manage the service of domain name resolution on BIND version 9. PALABRAS CLAVE Bind, DNS, dominio, resolución, sistema. KEYWORDS Bind, DNS, domain, resolution, system. SIRDOM. SISTEMA PARA LA GESTIÓN DEL SERVICIO DE RESOLUCIÓN DE NOMBRES DE DOMINIOS DE NOMBRES DE RESOLUCIÓN DE SERVICIO DEL GESTIÓN LA PARA SISTEMA SIRDOM. 2 INTRODUCCIÓN Las diferentes instituciones y organizaciones, siendo los centros educacionales unos de los principales, han tenido que cambiar sus esquemas tradicionales para adaptarse a la actual era de la información. -
The Impact of Time on DNS Security
The Impact of Time on DNS Security Aanchal Malhotray, Willem Tooropz, Benno Overeinderz, Ralph Dolmansz and Sharon Goldbergy Boston Universityy, NLnet Labs, Amsterdamz [email protected], fwillem, benno, [email protected], [email protected] July 5, 2019 Abstract Time is an important component of the Domain Name System (DNS) and the DNS Security Extensions (DNSSEC). DNS caches rely on an absolute notion of time (e.g., “August 8, 2018 at 11:59pm”) to determine how long DNS records can be cached (i.e., their Time To Live (TTL)) and to determine the validity interval of DNSSEC signatures. This is especially interesting for two reasons. First, absolute time is set from external sources, and is thus vulnerable to a variety of network attacks that maliciously alter time. Meanwhile, relative time (e.g., “2 hours from the time the DNS query was sent”) can be set using sources internal to the operating system, and is thus not vulnerable to network attacks. Second, the DNS on-the-wire protocol only uses relative time; relative time is then translated into absolute time as a part of DNS caching, which introduces vulnerabilities. We leverage these two observations to show how to pivot from network attacks on absolute time to attacks on DNS caching. Specifically, we present and discuss the implications of attacks that (1) expire the cache earlier than intended and (2) make the cached responses stick in the cache longer than intended. We use network measurements to identify a significant attack surface for these DNS cache attacks, focusing specifically on pivots from Network Time Protocol (NTP) attacks by both on-path and off-path attackers. -
Sysadmin Documentation Documentation Release 1.0
Sysadmin Documentation Documentation Release 1.0 Alexander Werner Nov 05, 2018 Contents: 1 FreeBSD 3 1.1 Resources.................................................3 1.2 Installation of software..........................................3 1.3 Update of software............................................3 1.4 System update..............................................4 1.5 Change system configuration......................................4 2 MariaDB Galera Cluster 5 2.1 Tasks...................................................5 3 PF - FreeBSD Packet Filter 7 3.1 Installation................................................7 3.2 Configuration...............................................7 4 Unbound DNS 9 4.1 Installation................................................9 4.2 Configuration...............................................9 5 ZFS 11 5.1 Installation................................................ 11 5.2 Operation................................................. 11 6 Setup of Debian 9 on a Lenovo Thinkpad 470 13 6.1 Preparation................................................ 13 6.2 Booting the Installer........................................... 13 6.3 Partitioning the disk........................................... 14 6.4 Software selection............................................ 14 6.5 Finishing the setup............................................ 14 6.6 Post-Setup................................................ 14 7 Resources 15 8 Indices and tables 17 i ii Sysadmin Documentation Documentation, Release 1.0 This manual serves as -
Powerdns Offerings Version Current As of November 2012 ● Remotely Pollable Statistics for Real Time Graphing ● High Performance ● SNMP Statistics Bridge (Read Only)
Products, Features & Services PowerDNS PowerDNS, founded in the late 1990s, is a premier supplier of DNS software, services and support. Deployed throughout the world with some of the most demanding users of DNS, we pride ourselves on quality software and the very best support available. PowerDNS customers include leading telecommunications service providers, large scale integrators, content distribution networks, cable networks / multi service operators and Fortune 500 software companies. In various important markets, like Scandinavia, Germany and The Netherlands, PowerDNS is the number one supplier of nameserver software. PowerDNS is based in The Netherlands, Europe and is privately held. Products Authoritative Server The PowerDNS Authoritative Server is the only solution that enables authoritative DNS service from all major databases, including but not limited to MySQL, PostgreSQL, SQLite3, Oracle, Sybase, Microsoft SQL Server, LDAP and plain text files. DNS answers can also be fully scripted using a variety of (scripting) languages like for example Lua, Java, Perl, Python, Ruby, C and C++. Such scripting can be used for dynamic redirection, (spam)filtering or real time intervention. In addition, the PowerDNS Authoritative Server is the leading DNSSEC implementation, hosting the majority of all DNSSEC domains worldwide. The Authoritative Server hosts at least 30% of all domain names in Europe, and around 90% of all DNSSEC domains in Europe. Recursor The PowerDNS Recursor is a highend, highperformance resolving name server which powers the DNS resolution of at least a hundred million subscribers. Utilizing multiple processors and supporting the same powerful scripting ability of the Authoritative Server, the Recursor delivers top performance while retaining the flexibility modern DNS deployments require.