DNS (BIND, djbdns) JPNIC・JPCERT/CC Security Seminar PDF Free Download

DNS <minmin@jprs.co.jp> 2005 10 6 JPNIC JPCERT/CC Security Seminar 2005

DNS Pharming BIND djbdns 2

DNS

DNS (Domain Name System)? IP www.example.jp IP 172.16.37.65 http://www.example.jp/ - http://172.16.37.65/ - 4

DNS(Domain Name System) 5

WEB http://www.example.jp/ www.example.jp IP WEB PC IP DHCP www.example.jp IP WEB 6

www.example.jp IP NS PC PC NS www.example.jp IP NS. ( ) IP.(13 ).. jp jp NS jp IP jp(5 ) jp example.jp example.jp NS example.jp IP example.jp www.example.jp IP NS PC IP 7

2 (1) www.example.jp IP 10.10.10.1 jp example.jp Authoritative Nameserver DNS 8

NS PC PC NS www.example.jp IP NS. ( ) IP.(13 ).. jp NS jp IP jp(5 ) jp example.jp NS example.jp example.jp IP example.jp www.example.jp IP NS PC IP 9

2 (2) www.example.jp IP? IP 10.20.30.40? DHCP PPP PC PC 10

NS PC PC NS www.example.jp IP NS. ( ) IP.(13 ).. jp NS jp IP jp(5 ) jp example.jp NS example.jp example.jp IP example.jp www.example.jp IP NS PC IP 11

NS RR RR RR - Resource Record (example.jp JP ) (example.jp) 12

(Glue) RR NS RR RR A RR AAAA RR RR 13

NS NS PC.(13 ). jp(5 ) example.jp ( NS ) PC NS www.example.jp IP NS. ( ) IP. jp NS jp IP jp example.jp NS example.jp IP example.jp www.example.jp IP NS PC IP 14

NS ( ) NS ( ). DNS RR 15

. NS RR ( ns.example.net) IP 16

DNS 17

NS RR DNS NS RR ) NS RR ns0 ns1 ns0 ns1 ns1 ns0 ns1 18

NS 1 19

example.jp example.net 100% example.net example.jp example.net MX RR, CNAME RR RR 20

Pharming ( )

Pharming Phishing ( ) fishing( ) Pharming ( ) farming( ) ( ) Phishing 22

Pharming DNS ( ) hosts DNS hosts ID 23

Cache Poisoning ( ) DNS Pharming www.example.jp A www.example.jp A 192.168.100.1 Root servers JP DNS servers www.example.jp A 192.168.100.1 example.jp 24

Cache Poisoning example.gr.jp example.jp dig @< > www.example.gr.jp 25

Cache Poisoning BIND 8 or 4 Windows 2000 SP2 http://support.microsoft.com/default.aspx?scid=kb;ja;jp241352 26

(forwarder) Cache2 Cache1 PC.(13 ). jp(5 ) example.jp Cache1 Cache2 Cache2 Cache2 BIND 8 or 4 Cache1 Windows DNS BIND 9 27

DNS IPA 2005 6 27 http://www.ipa.go.jp/security/vuln/20050627_dns.html Pharming 28

IPA (1) 1 (or ) ) example.jp example.net example.net dns1.example.net 29

IPA (2) DNS ns1.example.jp example.jp example.jp example.net example.net dns1.example.net 30

IPA (3) example.jp dns1.example.net example.jp www.example.jp Pharming ( 50%) 31

IPA (4) example.net example.net provider.dom 25% example.jp. 32

IPA (5) ( ) l k IP 10.10.10.10 10.10.19.10 10.10.19.10 33

DNS Squish DNS Checker http://www.squish.net/dnscheck/ DNS Report http://www.dnsreport.com/ Zone Check http://www.zonecheck.fr/ 34

BIND named 1 Windows DNS djbdns tinydns dnscache NSD 36

BIND ( ) 37

BIND 8 (4 ) BIND 9 38

TIPS BIND 39

(BIND 8) (DoS) 40

Cache Poisoning ( ) 41

LAN Man in the Middle Attack Pharming www.example.jp A www.example.jp A www.example.jp A 192.168.100.1 Root servers JP DNS servers example.jp 43

LAN LAN 44

DNS ARP Poisoning 3 (A,B,C) A B C ARP Spoofing 45

ARP Poisoning (1/4) 3 A( B( ) GW( ) 46

ARP Poisoning (2/4) B root B ARP A 10.10.10.1 MACaddr 0:3:3:3:3:3 GW 10.10.10.2 MACaddr 0:3:3:3:3:3 A GW ARP B 47

ARP Poisoning (3/4) B IP Layer2 B A B GW ARP Poisoning 48

ARP Poisoning (3/4) ARP Poisoning OS ARP syslog 49

ARP Poisoning ARP 50

DNS ( ) RR ID (Query ID) Query ID 16bit RR ID UDP DNS 53 51

ID (1) Cache Poisoning Pharming 52

ID (2) RR ID 16bit BIND named DNS 53 ID Cache Poisoning 1/2 16 53

ID (3) dnscache(djbdns ) 1/2 32 DNS 54

DNS SSH SSL/TLS RFC3833 Threat Analysis of the Domain Name System (DNS) DNSSEC 55

DNSSEC DNS Security Extension RFC4043,4044,4045 DNS DNS DNS 56

BIND

BIND?? BIND? 58

BIND named.conf recursion no; fetch-glue no; BIND9 no hint (zone. ) zone options { } ;... recursion no; fetch-glue no;... zone "example.jp" { } ; type master ; file "example.jp.zone" ; 59

BIND recursion yes; fetch-glue no; hint allow-query 127.0.0.1 (localhost) ::1 options {... recursion yes; fetch-glue no; allow-query { 10.0.0.0/8 ; 127.0.0.1 ; };... }; zone "." { type hint; file "named.root"; }; zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; }; 60

1 (1/3) named 2 /etc/named.conf options {... recursion no; fetch-glue no; listen-on { 10.10.10.1 ; } ;... } ; listen-on IP 61

1 (2/3) /etc/cache.conf named c /etc/cache.conf options {... pid-file "/var/run/cache-named.pid" ; listen-on { 127.0.0.1 ; } ;... }; /etc/resolv.conf nameserver 127.0.0.1 127.0.0.1 62

1 (3/3) listen-on controls dump-file statistics-file 2 named 63

BIND 8 DoS BIND 9 BIND 8 options {... allow-transfer { 10.10.10.10 ; };... } ; zone "example.jp" { type master ; file "example.jp.zone" ; allow-transfer {... } ; } ; 64

BIND 9 BIND 8 options {... max-cache-size 100M;... } ; 65

dig @10.10.10.1 example.jp ns ;; flags: qr aa rd ra; recursion yes ; dig @10.10.10.1 < > dig @127.0.0.1 < > 66

named (1) root named named u <user> /var/run/named.pid 67

named (2) named chroot named t <chroot > BIND9 http://www.unixwiz.net/techtips/bind9-chroot.html djbdns chroot 68

BIND 4 8 9 8 : : 4 8 9 69

djbdns

djbdns BIND (1) tinydns dnscache dnscache 71

djbdns BIND (2) chroot 72

dnscache root/ip "/" root/ip/10 10.0.0.0/8 root/ip/10.20 10.20.0.0/16 root/ip/10.20.30 10.20.30.0/24 10.20.30.32/29 8 root/ip/10.20.30.32 root/ip/10.20.30.39 73

djbdns BIND 74

Q & A 75

DNS (BIND, djbdns) JPNIC・JPCERT/CC Security Seminar 2005