DOCSLIB.ORG

The Case of Ipv6 LLU Endpoint Address Support in DNS

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Case of Ipv6 LLU Endpoint Address Support in DNS The case of IPv6 LLU endpoint address support in DNS Erwin Hoffmann Frankfurt University of Applied Sciences Faculty of Computer Science and Engineering January 12, 2020 Abstract The fehQlibs and djbdnscurve6 provide a DNS library which support IPv6 LLU endpoint addresses. The inclusion of IPv6 LLU endpoint addresses for DNS services is discussed and shown to be beneficial for particular use cases. Applications linked with this library allow user-specific DNS settings. Apart from binding to IPv6 LLU addresses and dual-stack usage, additionally ’reverse IPv6 anycasting’ is an achieved goal welcomed for IoT devices. 1 IPv6 in DNS There is no question that IPv6 LLU ad- dresses never can be object of any DNS The support of IPv6 addresses within DNS lookup; but could they be the acting subject Resource Records (RR) has been settled with of DNS resolver and perhaps a DNS server? RFC 3596 [30] taking only the Quad-A format Could the DNS query and also the response AAAA into consideration. The inverse nibble facilitate IPv6 LLU endpoint addresses? format for IPv6 addresses is also well defined. This questions will be investigated here and However, there is a significant gap applying a solution will be outlined using the DNS IPv6 addresses within the DNS, though RFC implementation ’djbdnscurve6’[14] together 4472 [5] clearly expels IPv6 Link-Local Unicast with the separate DNS stub resolver library (LLU) addresses as AAAA RRs in a zone file: available with ’fehQlibs’[10]. Both solutions are based on D.J. Bernstein’s developments [2] 2.1. Limited-Scope Addresses and are particular tailored for IPv6 support, The IPv6 addressing architecture including all required functions to deal with [RFC4291] includes two kinds of local- parsing and representation of IPv6 addresses, use addresses: link-local (fe80::/10) and which are partially taken from Felix von Leit- site-local (fec0::/10). The site-local ad- ner’s patches [18]. dresses have been deprecated [RFC3879] but are discussed with unique local addresses in Appendix A. 1.1 IPv6 LLU support and the In- Link-local addresses should never be terface Index published in DNS (whether in forward or reverse tree), because they have only Unlike IPv4 addresses, IPv6 addresses are local (to the connected link) significance ’scoped’. [fig.1] gives an overview of this situ- [WIP-DC2005]. ation. 1 Global Globaler Unicast: 2000::/3 unique route-able Link Local Unicast: within the IPv6 Internet ULA solely useable in local fc00::/7 link segment; autonomous derived, not unique; LLU Unique Local Unicast: requires interface index fe80::/10 unique and route-able in local link-segments Unspecified address: Host used as sender address ::/128 for multicasts Figure 1: Overview of the IPv6 address hierarchy In the IPv4 world we consider ’public’ In IPv6 the interface index (aka the scope and ’private’ IP addresses (together with the index) is part of the socket definition. For loopback 127/8 network and the multicast route-able addresses it is simply ’0’, while for regime). Within IPv6, the situation is more LLU addresses it is derived from the interface. strictly structured using the high order bits of The kernel provides a translation between the the IPv6 address [8]. interface name (in Unix often eth0) and its IPv6 LLU addresses – like private IPv4 ad- numeric index, ie. 1. dresses – are not route-able and usable only on This matching is done either statically – the attached local link-segment. Unlike IPv4 upon the boot of the operating system – or dy- private addresses however, each link-segment namically, whenever a interface is added and has its own name space. In practice, this made available. An interface index may also means that the same IPv6 LLU address can be removed, upon disabling the interface. This be used on different links [31]. behaviour corresponds with the usage of mod- In order to facilitate a distinction, the kernel ern IT equipment – like smartphones – enter- needs to know to which link-segment an IPv6 ing and exiting a ’flight mode’. LLU address belongs to; thus the interface to However, we not only need to consider phys- which it is bound. In a typical case, one may ical interfaces here, but also taking care of consider a system having an Ethernet and a additional virtual interfaces: The Operating WiFi interface with the following addresses: System may create (or dismiss) a virtual or logical interface on demand: At first it be- § fe80::1%eth0 comes assigned an EUI-64 (MAC) address and § fe80::2%wifi0 as second step the corresponding IPv6 unique where the ’%’ is the usual delimiter to sepa- and multicast addresses are derived algorith- rate an IPv6 address from its interface identi- mically (SLAAC) [29][1]. fier. A well-known ’logical’ interface is the loop- The lower 64 bit part of the IPv6 address back interface, often named lo0. For IPv4, is typically build from the interface MAC ad- the loopback interface is assigned with the dress (or using the ’privacy extension’). Fixed 127/8 net (and not only the IPv4 address addresses independent from the hardware are 127.0.0.1). Rather, for IPv6 two differently common for Internet servers. Often, the none scoped loopback addresses exist: route-able part indicates a certain use, like 2001:1ab::fefe:53 for a DNS service. § Global scoped: ::1 2 § Local scoped: fe80::1%lo0 1.3 Use cases for DNS IPv6 LLU endpoint addresses The kernel sees those as different entities and allows binding to each of them. Applying djbdnscurve6 and applications based on fehQlibs with its stub resolver rou- 1.2 DNS in the IPv6 working model tines, we In IPv6 networks, the LLU addresses are used 1. can setup a DNS (content or cache) server to setup a network automatically employing listening on any interface with the provided the ICMPv6 protocol: IPv6 LLU address, § Stateless Address Autoconfiguration 2. can build network applications successfully (SLAAC) is used to determine the unique- querying DNS servers given their LLU ad- ness of the autonomous chosen and dresses while being attached to the same configured IPv6 address of the interface on local link-segment. a link-segment. § Neighbor Discovery Protocol (NDP) [22] is Advantage 1: the substitute for IPv4’s ARP (Address Res- On this link-segment DNS query/responses olution Protocol)[23]. can be operated (irrespectively of the con- § Neighbor Solicitation (NS) and Neighbor tent provided by the Resource Records RR) Advertisement (NA) [22] are used to provide by the usage of LLU addresses. The transmit- a cache for the neighbor’s link-addresses. ted IPv6 data packets are limited to the local link-segment only and are not visible outside § Router Advertisements (RA) and Router (except someone forwards these unsolicited to Solicitation (RS) together with Unsolicited an outside eavesdropper). Router Advertisements [22] are able to transmit IPv6 routing prefixes, the set of Advantage 2: default routers, the MTU size, and in partic- Within that link-segment we are under con- ular a list of IPv6 addresses of DNS servers trol of our DNS resources. DNS poisoning of to all nodes on the local link-segment [16]. the stub resolvers is impossible from sources outside this local net. Given the capabilities to provide DNS infor- Advantage 3: mation in an IPv6 network, DHCPv6 [21] can DNS allows to be setup in a ’split-horizon’ be used or – as explained – the RA protocol. manner. The DNS information (in particular In the last case, the messages are encapsulated hints to the authoritative name servers) can as ICMPv6 packages with the IPv6 LLU ad- be tailored to the local needs. dress of the sender and targeting either the link-local multicast address, or the LLU ad- Advantage 4: dress of a specific node on the link-segment. Location based services (LBS) [28][27] can be In short, within IPv6 networks packets with defined and be made authoritative in the local LLU addresses are used to transmit messages net only. containing network configuration information. Disadvantage: It would be a natural choice to setup a DNS A DNS Cache Resolver (like dnscache) solely service – either as server or as resolver – to use bound to the IPv6 LLU address can not share IPv6 LLU addresses as endpoints for both the its cached DNS information with potential query and the reply. DNS clients outside the link-segment. 3 We will discuss later, how this disadvan- As a side-effect, the DNS resolver routines tage can be compensated for and mitigated are capable of handling up to 32 name servers; by applying a socket binding technique called enough to cover the a-m.root-servers.net ’reverse IPv6 anycasting’. [15] supporting both their IPv4 and IPv6 ad- dresses. In summary, using the local link-segment Common to all servers – including for the communication and DNS message ex- tcpserver and sslserver – is the capability change between the DNS stub resolver and a to bind to any IPv6 address (and of course DNS server – in particular a caching Name IPv4 addresses too). server – is beneficial and provides anonymity for the stub resolvers while refraining them to use other public DNS caches like Google’s 2.1 Binding to IPv6 LLU addresses ’8.8.8.8’. Though IPv6 is now on the market since 25 years and Google has evaluated that its use 2 DNS server with IPv6 LLU is approaching now 30%1, applying IPv6 LLU addresses for DNS (unicast) services is not well support defined yet. Within djbdnscurve6 and the auxiliary Within djbdnscurve6 five DNS server dae- tools ucspi-tcp6 [13] and ucspi-ssl [12] two mons are provided: different ways to provide the required interface § tinydns is a UDP-only DNS content server.
Load more

Recommended publications
  • Linux Networking Cookbook.Pdf
    Linux Networking Cookbook ™ Carla Schroder Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo Linux Networking Cookbook™ by Carla Schroder Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or [email protected]. Editor: Mike Loukides Indexer: John Bickelhaupt Production Editor: Sumita Mukherji Cover Designer: Karen Montgomery Copyeditor: Derek Di Matteo Interior Designer: David Futato Proofreader: Sumita Mukherji Illustrator: Jessamyn Read Printing History: November 2007: First Edition. Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. The Cookbook series designations, Linux Networking Cookbook, the image of a female blacksmith, and related trade dress are trademarks of O’Reilly Media, Inc. Java™ is a trademark of Sun Microsystems, Inc. .NET is a registered trademark of Microsoft Corporation. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
    [Show full text]
  • Linux Server Security, 2Nd Edition Expertly Conveys to Administrators
    Linux Server Security, 2nd Edition By Michael D. Bauer Publisher: O'Reilly Pub Date: January 2005 ISBN: 0-596-00670-5 Pages: 542 Table of • Contents • Index • Reviews • Examples Linux Server Security, 2nd Edition expertly conveys to administrators and Reader developers the tricks of the trade that can help them avoid serious • Reviews security breaches. It covers both background theory and practical step-by- • Errata step instructions for protecting a server that runs Linux. Packed with • Academic examples, this must-have book lets the good guys stay one step ahead of potential adversaries. Linux Server Security, 2nd Edition By Michael D. Bauer Publisher: O'Reilly Pub Date: January 2005 ISBN: 0-596-00670-5 Pages: 542 Table of • Contents • Index • Reviews • Examples Reader • Reviews • Errata • Academic Copyright dedication Dedication Preface What This Book Is About The Paranoid Penguin Connection The Second Edition Audience What This Book Doesn't Cover Assumptions This Book Makes Organization of This Book Conventions Used in This Book Safari® Enabled How to Contact Us Using Code Examples Acknowledgments Chapter 1. Threat Modeling and Risk Management Section 1.1. Components of Risk Section 1.2. Simple Risk Analysis: ALEs Section 1.3. An Alternative: Attack Trees Section 1.4. Defenses Section 1.5. Conclusion Section 1.6. Resources Chapter 2. Designing Perimeter Networks Section 2.1. Some Terminology Section 2.2. Types of Firewall and DMZ Architectures Section 2.3. Deciding What Should Reside on the DMZ Section 2.4. Allocating Resources in the DMZ Section 2.5. The Firewall Chapter 3. Hardening Linux and Using iptables Section 3.1.
    [Show full text]
  • Pipenightdreams Osgcal-Doc Mumudvb Mpg123-Alsa Tbb
    pipenightdreams osgcal-doc mumudvb mpg123-alsa tbb-examples libgammu4-dbg gcc-4.1-doc snort-rules-default davical cutmp3 libevolution5.0-cil aspell-am python-gobject-doc openoffice.org-l10n-mn libc6-xen xserver-xorg trophy-data t38modem pioneers-console libnb-platform10-java libgtkglext1-ruby libboost-wave1.39-dev drgenius bfbtester libchromexvmcpro1 isdnutils-xtools ubuntuone-client openoffice.org2-math openoffice.org-l10n-lt lsb-cxx-ia32 kdeartwork-emoticons-kde4 wmpuzzle trafshow python-plplot lx-gdb link-monitor-applet libscm-dev liblog-agent-logger-perl libccrtp-doc libclass-throwable-perl kde-i18n-csb jack-jconv hamradio-menus coinor-libvol-doc msx-emulator bitbake nabi language-pack-gnome-zh libpaperg popularity-contest xracer-tools xfont-nexus opendrim-lmp-baseserver libvorbisfile-ruby liblinebreak-doc libgfcui-2.0-0c2a-dbg libblacs-mpi-dev dict-freedict-spa-eng blender-ogrexml aspell-da x11-apps openoffice.org-l10n-lv openoffice.org-l10n-nl pnmtopng libodbcinstq1 libhsqldb-java-doc libmono-addins-gui0.2-cil sg3-utils linux-backports-modules-alsa-2.6.31-19-generic yorick-yeti-gsl python-pymssql plasma-widget-cpuload mcpp gpsim-lcd cl-csv libhtml-clean-perl asterisk-dbg apt-dater-dbg libgnome-mag1-dev language-pack-gnome-yo python-crypto svn-autoreleasedeb sugar-terminal-activity mii-diag maria-doc libplexus-component-api-java-doc libhugs-hgl-bundled libchipcard-libgwenhywfar47-plugins libghc6-random-dev freefem3d ezmlm cakephp-scripts aspell-ar ara-byte not+sparc openoffice.org-l10n-nn linux-backports-modules-karmic-generic-pae
    [Show full text]
  • Curriculum Vitae
    Curriculum Vitae Personal Contact Information Name: Georgi Georgiev Address: Dobrich, Maxim Gorki 5 Dobrich, Bulgaria Mobile: +359889085362 E-mail: [email protected] PROFESSIONAL CERTIFICATION Cisco CCNA2 certificate Management Game Certificate (Arnhem Business School) University education: 2006 - 2008 Studied 2 years in International University College – Dobrich, Bulgaria specialty of "International Business and Management". Currently I am graduating HRQM (Human Resources & Quality Management) student at “Arnhem Business School” The Netherlands. I'm looking for a company to start with my Graduation assignment which has to be in the field of Strategic Human Resources. Secondary School Education: Natural-Mathematics High School "Ivan Vazov", Dobrich Study Profile: Mathematics and Informatics with intensive learning of English Language Form of Education: by day, term of education 3 years Driving License: Category B Mobile: +359889085362 Georgi Dimitrov Georgiev Mail: [email protected] Personal Information Birth Date: 08.10.1983 Place of Birth: Dobrich, Bulgaria Citizenship: Dobrich Merital Status: Single Work Experience 23.05.2001 - 01.09.2002 - Windows and Linux Tech support at Internet Coffee Club in the town of Dobrich, Bulgaria Worked in a small Internet Coffee my task was to support the local Internet Router and Support user desktop stations running Windows 98, Windows XP, Mandrake Linux, Redhat Linux. 20.02.2003 - 25.03.2004 - remote Linux System Administrator at Internet Coffee Club located in the town of Radnevo, Bulgaria My job assignments there were to administrate remotely two Linux servers running different client services, like mail server (exim), linux firewall, samba server, apache 1.x webserver and also to help the IT personnel in the Internet club with maintenance advices.
    [Show full text]
  • The Qmail Handbook by Dave Sill ISBN:1893115402 Apress 2002 (492 Pages)
    < Free Open Study > The qmail Handbook by Dave Sill ISBN:1893115402 Apress 2002 (492 pages) This guide begins with a discussion of qmail s history, architecture and features, and then goes into a thorough investigation of the installation and configuration process. Table of Contents The qmail Handbook Introduction Ch apt - Introducing qmail er 1 Ch apt - Installing qmail er 2 Ch apt - Configuring qmail: The Basics er 3 Ch apt - Using qmail er 4 Ch apt - Managing qmail er 5 Ch apt - Troubleshooting qmail er 6 Ch apt - Configuring qmail: Advanced Options er 7 Ch apt - Controlling Junk Mail er 8 Ch apt - Managing Mailing Lists er 9 Ch apt - Serving Mailboxes er 10 Ch apt - Hosting Virtual Domain and Users er 11 Ch apt - Understanding Advanced Topics er 12 Ap pe ndi - How qmail Works x A Ap pe ndi - Related Packages x B Ap pe ndi - How Internet Mail Works x C Ap pe ndi - qmail Features x D Ap pe - Error Messages ndi x E Ap pe - Gotchas ndi x F Index List of Figures List of Tables List of Listings < Free Open Study > < Free Open Study > Back Cover • Provides thorough instruction for installing, configuring, and optimizing qmail • Includes coverage of secure networking, troubleshooting issues, and mailing list administration • Covers what system administrators want to know by concentrating on qmail issues relevant to daily operation • Includes instructions on how to filter spam before it reaches the client The qmail Handbook will guide system and mail administrators of all skill levels through installing, configuring, and maintaining the qmail server.
    [Show full text]
  • Secure Design and Coding for DNS D
    Attacks on DNS 1996: qmail 0.70. 1997: qmail 1.00. Cryptography in DNS 1998: qmail 1.03. Secure design and coding for DNS D. J. Bernstein University of Illinois at Chicago http://cr.yp.to /talks.html#2009.03.02 /talks.html#2009.03.03 /talks.html#2009.03.04 Attacks on DNS 1996: qmail 0.70. 1997: qmail 1.00. Cryptography in DNS 1998: qmail 1.03. Secure design and coding for DNS 1999: djbdns (dnscache) 0.60. D. J. Bernstein 2000: djbdns (dnscache) 1.00. University of Illinois at Chicago 2001: djbdns 1.05. http://cr.yp.to /talks.html#2009.03.02 /talks.html#2009.03.03 /talks.html#2009.03.04 Attacks on DNS 1996: qmail 0.70. 1997: qmail 1.00. Cryptography in DNS 1998: qmail 1.03. Secure design and coding for DNS 1999: djbdns (dnscache) 0.60. D. J. Bernstein 2000: djbdns (dnscache) 1.00. University of Illinois at Chicago 2001: djbdns 1.05. 2007: “Some thoughts on security http://cr.yp.to after ten years of qmail 1.0.” /talks.html#2009.03.02 /talks.html#2009.03.03 /talks.html#2009.03.04 Attacks on DNS 1996: qmail 0.70. 1997: qmail 1.00. Cryptography in DNS 1998: qmail 1.03. Secure design and coding for DNS 1999: djbdns (dnscache) 0.60. D. J. Bernstein 2000: djbdns (dnscache) 1.00. University of Illinois at Chicago 2001: djbdns 1.05. 2007: “Some thoughts on security http://cr.yp.to after ten years of qmail 1.0.” /talks.html#2009.03.02 /talks.html#2009.03.03 > 1000000 of the Internet’s /talks.html#2009.03.04 SMTP servers are running qmail.
    [Show full text]
  • The IRONSIDES Project: Final Report
    197 The IRONSIDES Project: Final Report Barry S. Fagin and Martin C. Carlisle Dept of Computer Science, US Air Force Academy 80840 Tel: 1-719-333-3338; email: [email protected]. Abstract rigorous software design and provable security properties. The two most popular DNS servers, BIND and WINDNS, In a project intended to improve the security of have a large number of known security flaws, including internet software, the authors developed IRONSIDES: crashing in response to the injection of bad data and bugs A DNS server written in Ada/SPARK. Our long-term that permit remote execution [3], [4]. These are described goals were a) to show that a fully functional in more detail in the sections that follow. component of the internet software suite could be written with provably better security properties than 2 The IRONSIDES Project existing alternatives, b) to show that it could be done The authors believed many of the security problems with within the relatively modest re-sources available for a DNS servers, web servers, and other internet software research project at an undergraduate university, c) to could be avoided with the use of better programming tools, determine the suitability of Ada/SPARK for such a such as the use of different programming languages and project, and d) to compare the performance of the formal methods. They chose Ada and SPARK as an resulting software to existing alternatives and appropriate development environment to implement a determine to what extent, if any, the addition of provably secure DNS server from the ground up. provable security properties affects performance.
    [Show full text]
  • The LPIC-2 Exam Prep I
    The LPIC-2 Exam Prep i The LPIC-2 Exam Prep Copyright 2013 Snow B.V. The LPIC-2 Exam Prep ii Copyright © 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Snow B.V. Copyright 2013 Snow B.V. The LPIC-2 Exam Prep iii COLLABORATORS TITLE : The LPIC-2 Exam Prep ACTION NAME DATE SIGNATURE WRITTEN BY Heinrich W. 2010 Klöpping, Beno T.J. Mesman, Piet W. Plomp, Willem A. Schreuder, Ricky Latupeirissa, Patryck Winkelmolen, Many, many Snow B.V. colleagues for peer reviewing and authoring updates., Jos Jansen, and Joost Helberg REVISION HISTORY NUMBER DATE DESCRIPTION NAME Copyright 2013 Snow B.V. The LPIC-2 Exam Prep iv Contents 0 Capacity Planning (200) 1 0.1 Measure and Troubleshoot Resource Usage (200.1) . .1 0.1.1 iostat .....................................................2 0.1.2 vmstat ....................................................2 0.1.3 netstat ....................................................3 0.1.4 ps .......................................................4 0.1.5 pstree .....................................................5 0.1.6 w .......................................................5 0.1.7 lsof ......................................................5 0.1.8 free ......................................................6 0.1.9 top . .6 0.1.10 uptime ....................................................7 0.1.11 sar ......................................................7 0.1.12 Match / correlate system symptoms with likely problems . .8 0.1.13 Estimate throughput and identify bottlenecks in a system including networking . .8 0.2 Predict Future Resource Needs (200.2) . .8 0.2.1 ........................................................9 0.2.2 Predict future growth . .9 0.2.3 Resource Exhaustion . .9 0.3 Questions and answers . 10 1 Linux Kernel (201) 11 1.1 Kernel Components (201.1) . 11 1.1.1 Different types of kernel images .
    [Show full text]
  • Creating a Patch and Vulnerability Management Program
    Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated below). Archived Publication Series/Number: NIST Special Publication 800-40 Version 2.0 Title: Creating a Patch and Vulnerability Management Program Publication Date(s): November 2005 Withdrawal Date: July 2013 Withdrawal Note: SP 800-40 is superseded by the publication of SP 800-40 Revision 3 (July 2013). Superseding Publication(s) The attached publication has been superseded by the following publication(s): Series/Number: NIST Special Publication 800-40 Revision 3 Title: Guide to Enterprise Patch Management Technologies Author(s): Murugiah Souppaya, Karen Scarfone Publication Date(s): July 2013 URL/DOI: http://dx.doi.org/10.6028/NIST.SP.800-40r3 Additional Information (if applicable) Contact: Computer Security Division (Information Technology Lab) Latest revision of the SP 800-40 Revision 3 (as of June 19, 2015) attached publication: Related information: http://csrc.nist.gov/ Withdrawal SP 800-40 Version 2 provides basic guidance on establishing patch announcement (link): management programs, and guidance to organizations with legacy needs. Date updated: June Ϯϯ, 2015 Special Publication 800-40 Version 2.0 Creating a Patch and Vulnerability Management Program Recommendations of the National Institute of Standards and Technology (NIST) Peter Mell Tiffany Bergeron David Henning NIST Special Publication 800-40 Creating a Patch and Vulnerability Version 2.0 Management Program Recommendations of the National Institute of Standards and Technology Peter Mell Tiffany Bergeron David Henning C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 November 2005 U.S.
    [Show full text]
  • Seguridad En DNS
    Seguridad en DNS. Francisco José Bordes Romaguera Máster Interuniversitario en Seguridad de las Tecnologías de la Información y la Comunicación Seguridad empresarial Manuel Jesús Mendoza Flores Víctor García Font Domingo 22 de diciembre de 2019 i Esta obra está sujeta a una licencia de Reconocimiento-NoComercial- SinObraDerivada 3.0 España de Creative Commons ii FICHA DEL TRABAJO FINAL Título del trabajo: Seguridad en DNS Nombre del autor: Francisco José Bordes Romaguera Nombre del consultor/a: Manuel Jesús Mendoza Flores Nombre del PRA: Nombre y dos apellidos Fecha de entrega (mm/aaaa): 12/2019 Máster Interuniversitario en Seguridad de las Titulación: Tecnologías de la Información y la Comunicación Área del Trabajo Final: M1.849 - TFM-Seguridad empresarial aula 1 Idioma del trabajo: Español Palabras clave DNS, RPZ, malware, seguridad, ioc2rpz Resumen del Trabajo (máximo 250 palabras): Con la finalidad, contexto de aplicación, metodología, resultados i conclusiones del trabajo. Este trabajo expone una solución contra el acceso a dominios malintencionados que no requiere apenas cambios en cualquier infraestructura de red ya organizada. La solución de ioc2rpz permite gestionar de manera gráfica los dominios a los que queremos bloquear el acceso desde nuestra red a nivel de DNS y actualiza la configuración de nuestro servidor DNS. Los resultados del trabajo han sido que, sin propagar peticiones, nuestro servidor DNS devuelve respuestas NXDOMAIN a peticiones de dominios que hemos configurado en ioc2rpz que son maliciosos. Aplicar rpz nos permite proteger nuestra red de una manera proactiva y con pocos recursos dedicados a la gestión, aunque sí es necesario disponer de recursos destinados para el análisis e investigación.
    [Show full text]
  • How Qmail Works
    APPENDIX A How qmail Works You DON'T NEED TO UNDERSTAND how qmail works to install or use qmail. And you don't have to be an auto mechanic to operate a car or a watchmaker to tell time. Eut if you really want to master qmail, knowing exactly how it does what it does is crucial. Luckily, qmail's simple, modular design makes understanding how it works easy for a system as complex as a Mail Transfer Agent (MTA). This appendix takes a top-down approach: first looking at how the modules interact with each other, then looking at how each module does its job. High-Level Overview The grand division in qmail is between the modules that accept new messages and place them into the queue and the modules that deliver them from the queue. We'll call these functions receivingand sending. The separation between receiving and sending is complete: Either of these functions can be fully oper­ ational while the other is shut down. Figure A-l shows the high-level organization of qmail. Incoming Receiving Queue Sending Delivered Messages Messages Figure A -1. High-level qmail organization Receiving Messages enter the queue through two main routes: local injection using qmail-inject or sendmail and network injection using qmail-smtpd, qmail-qmtpd 417 AppendixA or qmail-qmqpd. Both ofthese routes use qmail-queue to actually inject their mes­ sages into the queue. Figure A-2 shows the organization ofthe receiving function. QMQP tcpserver QMTP tcpserver SMTP tcpserver Queue Local------------­ MUA Figure A-2. The receivingfunction Sending Messages are delivered from the queue through two main routes: local delivery using qma il-loca 1 and remote delivery using qma il-remote.
    [Show full text]
  • January/February 2021
    January/February 2021 Case Studies: n Tarsnap n Netflix n BALLY WULFF Also: FreeBSD for the Writing Scholar New Faces of FreeBSD Practical Ports ® LETTER J O U R N A L from the Foundation E d i t o r i a l B o a r d John Baldwin FreeBSD Developer and Chair of • FreeBSD Journal Editorial Board. Justin Gibbs Founder of the FreeBSD Foundation, • President of the FreeBSD Foundation, elcome 2021! and a Software Engineer at Facebook. Like many of you, the Foundation team Daichi Goto Director at BSD Consulting Inc. • (Tokyo). was pretty happy to see that clock strike Tom Jones FreeBSD Developer, Internet Engineer W Midnight on January 1, 2021. Last year will definitely • and Researcher at the University of Aberdeen. go down as one of the most memorable in the Dru Lavigne Author of BSD Hacks and • The Best of FreeBSD Basics. Foundation’s 20-year history. However, we’re happy Michael W Lucas Author of Absolute FreeBSD. to report it ended on a positive note. Thanks to your • Ed Maste Director of Project Development, generous support, the Foundation was able to raise • FreeBSD Foundation and Member of the FreeBSD Core Team. enough funds to not only continue our efforts to Kirk McKusick Treasurer of the FreeBSD Foundation support the FreeBSD Project, but also expand our • Board, and lead author of The Design and Implementation book series. software development and advocacy efforts in 2021. George V. Neville-Neil Director of the FreeBSD Foundation Board, • Member of the FreeBSD Core Team, and From new hires in the software development group co-author of The Design and Implementation to increased online content and greater focus on of the FreeBSD Operating System.
    [Show full text]