1 of 33

DNS and IPv6 Implementation Considerations

1

DNS and IPv6 Implementation Considerations

Hosted by Robert Nagy, CEO of DeepDive Networking

Presented by: DeepDive Networking

DeepDive�Networking

2 of 33

Overview

2

Welcome and Housekeeping

Thank you for attending

Interaction is the name of the game ☺

Who am I?

Who are you?

Without further ado, lets get rolling

DeepDive�Networking

3 of 33

3

A Quick Review

Presented by: DeepDive Networking

DeepDive�Networking

4 of 33

DNS Overview

DNS = Domain Name System
Internet “ phone book”

4

DeepDive�Networking

5 of 33

What most people understand?

5

www.redsealnetworks.com

DeepDive�Networking

6 of 33

Basic DNS Resolution

6

www.redsealnetworks.com

DeepDive�Networking

7 of 33

Anatomy of DNS Message

7

From RFC1035 Section 4.1:

+---------------------+

| Header |

+---------------------+

| Question | the question for the name server

+---------------------+

| Answer | RRs answering the question

+---------------------+

| Authority | RRs pointing toward an authority

+---------------------+

| Additional | RRs holding additional information

+---------------------+

www.redsealnetworks.com

DeepDive�Networking

8 of 33

Anatomy of a Resource Record

8

1 1 1 1 1 1

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

| |

/ /

/ NAME /

| |

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

| TYPE |

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

| CLASS |

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

| TTL |

| |

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

| RDLENGTH |

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|

/ RDATA /

/ /

+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

DeepDive�Networking

9 of 33

Anatomy of a DNS Message

9

; <<>> DiG 9.8.3-P1 <<>> ns1.example.com. A

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345

;; flags: qr rd ra aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

-

;; QUESTION SECTION:

;ns2.example.com. IN A

-

;; ANSWER SECTION:

ns2.example.com. 300 IN A 10.11.12.13

www.redsealnetworks.com

DeepDive�Networking

10 of 33

DNS Header

10

ID: Transaction ID, a 16 bit identifier

QR: Query, 0 if it’s a question, 1 if it’s a response

RD: Recursion Desired

RA: Recursion Available

AA: Authoritative Answer

www.redsealnetworks.com

DeepDive�Networking

11 of 33

Message IDs

Name servers use 16-bit message IDs to match responses with queries

11

Message ID 38789

ns1

ns2

Message ID 38789

www.redsealnetworks.com

DeepDive�Networking

12 of 33

DNS Tool: dig

12

dig (ohhh my DIG!!)
domain information groper
does not use cache
gives you complete information
easy to understand output
status and flags included :)
DNS admins love dig

DeepDive�Networking

13 of 33

Resource Record (RR): A Record

13

Name to IPv4 address mapping
The most common record type in use today

Name

www.google.com

Class

IN

TTL

3600

Data

74.125.239.148

Type

A

DeepDive�Networking

14 of 33

Resource Record (RR): AAAA Record

14

AAAA record (pronounced “quad A”)
name to IPv6 address record

Name

www.google.com

Class

IN

TTL

3600

Data

74.125.239.148

Type

A

Name

www.google.com

Class

IN

TTL

3600

Data

2607:dead:beef:c07::68

Type

AAAA

Name

www.google.com

Class

IN

TTL

3600

Data

2607:dead:beef:c07::68

Type

AAAA

— So a dual stack server would typically have both

DeepDive�Networking

15 of 33

Resource Record (RR): PTR Record (IPv4)

15

Name

10.38.239.216.in-addr.arpa.

Class

IN

TTL

3600

Data

ns4.google.com

Type

PTR

PTR = Pointer Record
IP address to name mapping
Used extensively by applications such as traceroute, ping, netstat, syslog, tcpdump, emails, and other apps
Uses special domain name in-addr.arpa

DeepDive�Networking

Teacher’s Notes:

PTR (pointer) records are commonly known as “reverse DNS”

Point out the “special” zones that are used for reverse records, for IPv4 it’s in-addr.arpa, for IPv6 it’s ip6.arpa.

Hint about reverse-mapping zones, we will talk about them in the next module.

PTR records are used more than most people realized, mostly by applications. For example, the *NIX program “rlogin” it when you try to login to a hostname, if it cannot also resolve the PTR record, it will report that it cannot resolve the hostname and refuses to work at all.

Lots of system and network utility programs such as trace route, ping, and tcpdump, netstat, and syslog, have the ability to translate IP addresses back to names for better readability, and it does so via DNS reverse lookup.

Example of IPv6 shorthand:

E3D7:0000:0000:0000:51F4:9BC8:C0A8:6420 can be written as:

E3D7::51F4:9BC8:C0A8:6420

(omit consecutive 0’s)

Handy link to convert IPv6 addresses:

http://ipv6-literal.com/

Notes to read:

PTR can be used for DNS-SD (service discovery), which is related to Multicast DNS. Not sure if we even want to mention it.

16 of 33

Resource Record (RR): PTR Record (IPv6)

16

Name

10.38.239.216.in-addr.arpa.

Class

IN

TTL

3600

Data

ns4.google.com

Type

PTR

Name

f.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.f.2.0.0.0.0.5.0.1.0.0.2.ip6.arpa.

Class

IN

TTL

3600

Data

f.root-servers.net

Type

PTR

IPv6 reverse uses special domain ip6.arpa.
You cannot shorthand the IPv6 name field like with an IPv6 address, because it’s not an IP address, it’s a name!
It doesn’t even fit on our screen

DeepDive�Networking

Teacher’s Notes:

PTR (pointer) records are commonly known as “reverse DNS”

Point out the “special” zones that are used for reverse records, for IPv4 it’s in-addr.arpa, for IPv6 it’s ip6.arpa.

Hint about reverse-mapping zones, we will talk about them in the next module.

PTR records are used more than most people realized, mostly by applications. For example, the *NIX program “rlogin” it when you try to login to a hostname, if it cannot also resolve the PTR record, it will report that it cannot resolve the hostname and refuses to work at all.

Lots of system and network utility programs such as trace route, ping, and tcpdump, netstat, and syslog, have the ability to translate IP addresses back to names for better readability, and it does so via DNS reverse lookup.

Example of IPv6 shorthand:

E3D7:0000:0000:0000:51F4:9BC8:C0A8:6420 can be written as:

E3D7::51F4:9BC8:C0A8:6420

(omit consecutive 0’s)

Handy link to convert IPv6 addresses:

http://ipv6-literal.com/

Notes to read:

PTR can be used for DNS-SD (service discovery), which is related to Multicast DNS. Not sure if we even want to mention it.

17 of 33

Section End

17

Thank you for bearing with me.

Any Questions?

DeepDive�Networking

18 of 33

18

Implementation Considerations

DeepDive�Networking

19 of 33

Considerations with IPv6

Everything and nothing
New RR for IPv6 Forward and Reverse

We just saw these :-)

IPv6 reverse needed a new path in ARPA
Tons of new Standards!

But for the average operator these do not effect our day to day

The trick lies in compatibility!

19

DeepDive�Networking

20 of 33

Dealing with the mismatch

Some Use cases to think through…

What if we move to IPv6 and only publish an IPv6 Address for our Web Server?

What if we have an IPv6 only client and need to access a website that only has IPv4?

20

DeepDive�Networking

21 of 33

NAT versus NAT64 / DNS64

How these work together

Used for IPv6 only clients looking up IPv4 only services
When IPv6 only client looks up a record, DNS detects that there is only an A record
Alerts NAT64 it needs to translate an IPv6 address to the IPv4 resource
Returns that NAT64 IPv6 Address to the client

21

DeepDive�Networking

22 of 33

Dynamic DNS (DDNS)

Open Discussion

22

Ensuring it is working

When deciding if we use classful or classless IP assignment we should consider DDNS
If we use DHCP for IP Assignment we can use DHCP for DDNS on behalf of clients.

This has a strong advantage as when client lease time ends, records are cleaned up
Client are great at adding records, not so good at clean up

Returns that NAT64 IPv6 Address to the client

DeepDive�Networking

23 of 33

Section End

23

Thank you for bearing with me.

Any Questions?

DeepDive�Networking

24 of 33

24

DNS Security Considerations

DeepDive�Networking

25 of 33

Varietals of DNS Attacks

25

DeepDive�Networking

26 of 33

Cache Poisoning

IPv6 doesn’t help or hurt with Cache poisoning

26

DeepDive�Networking

27 of 33

Solution: DNSSEC

The DNS Security Extensions, or DNSSEC, use asymmetric cryptography to allow

Administrators to “sign” zone data
Recursive name servers to validate signed zone data

This provides

Authentication of DNS zone data
Integrity checking of DNS zone data

27

DeepDive�Networking

28 of 33

Authoritative Attacks

DDoS Attacks Often Use DNS Servers
Why?

Because name servers make surprisingly good amplifiers��

28

This one goes to eleven…

DeepDive�Networking

29 of 33

DDoS Illustrated

29

Open recursive name servers

Evil resolver

Target

Response

to spoofed

address

DeepDive�Networking

30 of 33

Amplification: They Go Past Eleven…

Query for isc.org/ANY

44 bytes sent, 4077 bytes received

~93x amplification!

30

$ dig @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec

-

; <<>> DiG 9.9.1-P1 <<>> @sfba.sns-pb.isc.org. any isc.org. +norec +dnssec

; (2 servers found)

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34036

;; flags: qr aa; QUERY: 1, ANSWER: 26, AUTHORITY: 0, ADDITIONAL: 15

-

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags: do; udp: 4096

;; QUESTION SECTION:

;isc.org. IN ANY

-

;; ANSWER SECTION:

isc.org. 7200 IN SOA ns-int.isc.org. hostmaster.isc.org. 2013090300 7200 3600 24796800 3600

isc.org. 7200 IN RRSIG SOA 5 2 7200 20131002233248 20130902233248 50012 isc.org. hUfqnG5gKbygAeVRHjP5As31lsheMKNPD7g9MJlWZTrmD2de6Z/eCwUX kQxRT5TV0lFWjtGFuA0a4svbCZ1qHS9d/rhWc7IMziu2u+L9tbho+c4j szvGAJ9kYvalNbgpmkHdm+wmOHWmiY3cYKcl5Ps8gs5N0Q1JdkaCARPF HQs=

isc.org. 7200 IN NS sfba.sns-pb.isc.org.

isc.org. 7200 IN NS ns.isc.afilias-nst.info.

isc.org. 7200 IN NS ams.sns-pb.isc.org.

isc.org. 7200 IN NS ord.sns-pb.isc.org.

isc.org. 7200 IN RRSIG NS 5 2 7200 20131002233248 20130902233248 50012 isc.org. Fdfb5ND2XUlnk/nPcPOaNBCK6307LdrhC/dqdS+TMtBjKMmXU2NJBl0h D8fOnOdKbzlwNk1JLPXq25znMNBw+ZdjMekctR2r2jTO2Xm9mT+su4ff 8r1pMcUGhpsq73V6NjIbgA3LT6zfv4gWyFdos60Ma/Bsq26SmpECQFNA RpI=

isc.org. 60 IN A 149.20.64.69

isc.org. 60 IN RRSIG A 5 2 60 20131002233248 20130902233248 50012 isc.org. CkSV2VzLktJGH2PXEJl1QssxeyyUYM5pALjb06NMW0BC5vcFyuQYng2l NE/Z0J1XIHflWwGo9Gv1YZ0u/K6rGPXwgWmkl/6t0T8uNtk9u3XDhaMx QBg2P2ZAp1NEg6r3ccznGu9y+Q71g/IxcK+5Ok7gI8L18hBTi+vpCAKY q6A=

isc.org. 7200 IN MX 10 mx.pao1.isc.org.

isc.org. 7200 IN RRSIG MX 5 2 7200 20131002233248 20130902233248 50012 isc.org. fiALi/ebGauXvqfL4vHt5YzgIY/X0kh2WNE37wICVU6BYKkqDuWF2h5T 4ry2TmdcKj4pqVOJVSDF/A7zzRPkcpcwibTM8h5yDEMJzELAsSimj2mX BFsqTgFGtDXIGV9IU7qryFkVMrDlj9gcLkTlg1EZpyxwQH2y2XCT5BhA bQA=

isc.org. 7200 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"

isc.org. 7200 IN TXT "$Id: isc.org,v 1.1845 2013-08-16 16:16:50 dmahoney Exp $"

isc.org. 7200 IN RRSIG TXT 5 2 7200 20131002233248 20130902233248 50012 isc.org. J0UV7iIvQn7Pzu/itUN1JH4hLg8bjQo/73kBef/T/yzx/P8t6VX+MYDC ysyXNigSi1JPoWfYt7qu6eXcALQEwJ/Z156Rebefjls4R18wr+BttzWF ICb+zJ7K7o4meckc7ZQr12gIAXjij09dr9omYoObWo6/IH76S6N3Er4i xdg=

isc.org. 60 IN AAAA 2001:4f8:0:2::69

isc.org. 60 IN RRSIG AAAA 5 2 60 20131002233248 20130902233248 50012 isc.org. OBWafw6hmgueTvaL06Q3zzpKODW3OIWKxHr3Z30mag1vJW5ECwlkK3xI lPr4A1Rg6SZiJp78yewBWkDB0436cY1uCJ0yzsk9YWlLW/5hScy1ueaH s2tfymZD7UdOh0FuLs05gunsxK2Of3DCG3Zh3cD4FMnu8ju1CuLD2+dU W1U=

isc.org. 7200 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org.

isc.org. 7200 IN RRSIG NAPTR 5 2 7200 20131002233248 20130902233248 50012 isc.org. s9cuc6O0e2kgBNffd6dyJyJH1Zm5Wd0pRO1q5aKMc7UsiKFUI7MI7Q8N VzTqwM/zWh2VzvtV/w1O3IHuSiXBN9k51Loy4WGHJSDcXs865PWjHJwJ jRqfz1bE+LsW/aZD2Ud/iGyhCoQPeZIOcqB6plB+keIf3mGR0bHkdjV+ Zw4=

isc.org. 3600 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF

isc.org. 3600 IN RRSIG NSEC 5 2 3600 20131002233248 20130902233248 50012 isc.org. K3/RL0nn54FkFvcPnaecG26JjQVCZL1g41zB02YssxZnE/3lX9X4O8uk DrONRdvKEeMq51YUy8NBljWAlPOIRYD0lWUMrXuSNHMyGIFwHFIZqNrN CuQUl+24oPQXi3/wWX0TGH5XW9XF2IB+Dc1zdP/5qRHiKCjAnYDNE384 PAQ=

isc.org. 7200 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhCeFvAZih7yJHf8ZGfW6hd38hXG/xylYCO6Krpbdojwx8YMXLA5/kA+ u50WIL8ZR1R6KTbsYVMf/Qx5RiNbPClw+vT+U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB yBNsO70aEFTd

isc.org. 7200 IN DNSKEY 256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pXWdeAaRU=

isc.org. 7200 IN RRSIG DNSKEY 5 2 7200 20131002230127 20130902230127 12892 isc.org. ioYDVytf4YoAHCVxdz6U/fuQCaH2f2XVUExEexo48e55vLVSre5GkBG1 Wyn/4FeWLOUVWm5HElbL/hK2QEResp0csAwTnllU7W8fM65aS7pIO9JZ QWMvkPxQjsTYzEP1P2GA8NVGRUhz17RMLLSFgAJS9aEI7xK0fMwsd9U4 Az+B9J8xVz5GGMb8FStEXMYauE9r8Z5G4ZzRZUv619lXYH+Uhha5QUfq IcVYvtOt+QLlwdWV4Kt3fp3m6KveBAnIiorPSjOd40PfWZD3CQ4GqVIc EyYai55bKN1hVgtFRhL8MqGexvbPvU49RKekeJihf7pzfM6nlo5+Xqvj WBe+EQ==

isc.org. 7200 IN RRSIG DNSKEY 5 2 7200 20131002230127 20130902230127 50012 isc.org. HFc6EpppK8DieQnYccCLEMuP3uhCFENhY9pwbqcwYh9fVOMMeEim/XSy QIk9FsVGZnXw2SgC946gSXnTkLdaogwibOZLq2oJ0UGbsF2+4SreLIx0 nv6EyJh1WSxfQrh7DCFtuMSBUMBleJjOfPC12zTzFetu2qgNM4hCov8p 3vA=

isc.org. 7200 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04F8::0/32 ip6:2001:500:60::65/128 ~all"

isc.org. 7200 IN RRSIG SPF 5 2 7200 20131002233248 20130902233248 50012 isc.org. enxTFXMYwtZW9rmS2eZ0svQwlaRJn3whFCblQ2mpqjtT3BxuqpGcvlbC jwjLxNhn89x2Y2//pkN1EPvgwr2yd7lIBoLV9X/VnGCH/sBlNaRtckk2 SE75cuH2L7jkR1D6JCHCwLnQHpiHbYeLWWzW18yifj33TOrRU7HwUrha aN0=

;; ADDITIONAL SECTION:

ams.sns-pb.isc.org. 7200 IN A 199.6.1.30

ams.sns-pb.isc.org. 7200 IN AAAA 2001:500:60::30

ord.sns-pb.isc.org. 7200 IN A 199.6.0.30

ord.sns-pb.isc.org. 7200 IN AAAA 2001:500:71::30

sfba.sns-pb.isc.org. 7200 IN A 149.20.64.3

sfba.sns-pb.isc.org. 7200 IN AAAA 2001:4f8:0:2::19

mx.pao1.isc.org. 3600 IN A 149.20.64.53

mx.pao1.isc.org. 3600 IN AAAA 2001:4f8:0:2::2b

asterisk.isc.org. 300 IN A 149.20.32.15

ams.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20131002233248 20130902233248 50012 isc.org. EyCDObCGhMVQeLsZEFsK6k72FT0Y0Ps3XhiZmusKDz/yl7K8eclF3+Zd y7u61A9nSEHbeLR7t3IbXuQgXOsBaYYEQBZ+YXwdpMQoSL02TbUsCa8t Qtap2EK9xJDajbfTR4kEYjCg6PtneOKGVCvQcC3Le2QEuM+aviEkWU6h Feo=

ams.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20131002233248 20130902233248 50012 isc.org. RFpmtA/CAZOExrl8Pc6tDW38Eoc/xXxtuoS634xllKoM77zhGLx6vLRR wiH3Ny1gW++hyj6b6LMDVbBEm7vAMVxrOQVYM5fWtYCF/cN4IHVlti33 /Hgiuk2SSdsZEgeAu57FgxgZIMaO0TsB6YkpI3cgb1H6usISSEE3Cgng 6gU=

ord.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20131002233248 20130902233248 50012 isc.org. N/zYhIB9XSungjF+TaCdjtOnN5K8FCuRwMb3cjlr9DRU4hVJjFJOi8LP aNlBJQlWQKCirYsFqPw1/K0U9djvkEyU3W7JsdkE89Ep/4QX9M4Jt++w 9ZTFQO+e9SNPimQdjjEC5FbRYYfls7KX0V79gL9vG9dxqGMDNtGNJaFU NOE=

ord.sns-pb.isc.org. 7200 IN RRSIG AAAA 5 4 7200 20131002233248 20130902233248 50012 isc.org. H5eByfYUHm4c8V12auNIl1QhQL4UA9MV9w1wQPJiU/Rtxbfvvrl3rlVj ulUP6v4R5NVO3lad7bsNPb9xMou1qOC5FL9fn0MVFqU+qCwQ7GIRxyA6 fQaFKBNrOL6iiVbC6LbE+2uZPR6Z0HTD8L7pgAaNJ9YmrVZCU/F5pHy9 cso=

sfba.sns-pb.isc.org. 7200 IN RRSIG A 5 4 7200 20131002233248 20130902233248 50012 isc.org. sr0nh5ZbxmbnGaduo4ri1tHpPR4+D0Mf4WpEjzu21+iEBkgc3M1XdYCT gCpd8JRCEcz+gIu8wXQI5+29mUrK3QwPCIWJNx/AKol7TbIPxrYoKCiv pZv7yTwO2bC1SGfcNXZAm5UuKU0jl7jeIe2oIkHMrlPVFd2E6XKG9iWL ngA=

;; Query time: 35 msec

;; SERVER: 2001:4f8:0:2::19#53(2001:4f8:0:2::19)

;; WHEN: Wed Sep 4 11:14:01 2013

;; MSG SIZE rcvd: 4077

DeepDive�Networking

31 of 33

A Little Math

Say each bot has a measly 1 Mbps connection to the Internet

It can send 1Mbps/44B =~ 2909 qps
That generates 2909 pps * 4077B =~ 93 Mbps

So 11 bots > 1 Gbps

31

DeepDive�Networking

32 of 33

DNS Reflection/DDoS Attacks/Amplification�

32

DeepDive�Networking

A Reflection attack is usually through a recursive server, also adopting amplification, to direct the attack by spoofing the source address of the target. In this way lots of small queries are sent by the attacker, that then get sent to the spoofed address.

DNS traffic is easy to spoof as it is UDP based. In this example, the attacker is using sending spoofed DNS Queries to third party authoritative recursive DNS servers on the internet. The DNS responses are sent to the target, not the attacker. The attacket uses amplification to generate large responses to small queries. Amplification is used to generate a significant amount of bandwidth consuming traffic, by sending a DNS query (which has a small packet size) for a resource record that has a large response. e.g. a large TXT record or DNSSEC signed record.

Attackers send queries to multiple open recursive servers—sometimes thousands of servers at a time. Each query is designed to elicit a large response, and send an overwhelming amount of data to the victim’s IP address. When a victim is hit by the DRoS attack, it can cause slow performance or site outages that can shut down important business processes.

33 of 33

Section End

33

Thank you for bearing with me.

Any Questions?

DeepDive�Networking