DNSSEC on pfSense
-
Hey guys,
Just saw a pretty interesting piece on the actual safety of DNSSEC as opposed to it's actual safety.
Since this thread resolves around the usage and implementation of DNSSEC, this might be relevant to your interests.From 10-devious-new-ways-that-computer-hackers-can-control-your-machines-or-fix-them
The greatest DOS attack of all time, and how to stop it forever
Among hackers, University of Chicago computer scientist and crypto expert Dan Bernstein (often known by his handle DJB) is a legend. He's written some of the most secure code known to humanity (just try to fuck with qmail - you can't), and has lobbied ceaselessly - and snarkily - for the eradication of broken security systems online. He gave a mad genius presentation where he revealed that the oft-touted network security system DNSSEC is actually so badly-designed that it would make the perfect denial-of-service attack tool. And then he proposed a mindblowing, futuristic system of sending data over the Web that would make it nearly impossible to launch a DOS attack - and would prevent bad guys from sending your secure data to mobsters instead of your bank. The cool part about DJB's new system, based on encryption tools he calls DNSCurve and CurveCP, is that it could be implemented now, on top of the Web as we know it. And the best part? It's lightning fast. Listening to DJB's talk gave me hope for the future of the Web - and his devastating takedown of DNSSEC was the best example of smartypants trolling you'll hear this year.Note - to watch the video, just skip past the first several minutes, where the organizers were setting up the talk and getting everybody seated.
And the video.
-
"allow_snoop is not a valid ACL Action. Please select one of the four actions defined in the list."
I picked it from the list ;) hehehe
tut tut - I must have missed that one. Thanks johnpoz, will sort that out.
-
Hey guys,
Just saw a pretty interesting piece on the actual safety of DNSSEC as opposed to it's actual safety.
Since this thread resolves around the usage and implementation of DNSSEC, this might be relevant to your interests.From 10-devious-new-ways-that-computer-hackers-can-control-your-machines-or-fix-them
The greatest DOS attack of all time, and how to stop it forever
Among hackers, University of Chicago computer scientist and crypto expert Dan Bernstein (often known by his handle DJB) is a legend. He's written some of the most secure code known to humanity (just try to fuck with qmail - you can't), and has lobbied ceaselessly - and snarkily - for the eradication of broken security systems online. He gave a mad genius presentation where he revealed that the oft-touted network security system DNSSEC is actually so badly-designed that it would make the perfect denial-of-service attack tool. And then he proposed a mindblowing, futuristic system of sending data over the Web that would make it nearly impossible to launch a DOS attack - and would prevent bad guys from sending your secure data to mobsters instead of your bank. The cool part about DJB's new system, based on encryption tools he calls DNSCurve and CurveCP, is that it could be implemented now, on top of the Web as we know it. And the best part? It's lightning fast. Listening to DJB's talk gave me hope for the future of the Web - and his devastating takedown of DNSSEC was the best example of smartypants trolling you'll hear this year.Note - to watch the video, just skip past the first several minutes, where the organizers were setting up the talk and getting everybody seated.
And the video.
There are so many different conflicting views scattered around the web. Have a look at http://www.isc.org/community/blog/201002/whither-dnscurve for Paul Vixie's take and then various other opinions here http://www.dnssec.net/why-deploy-dnssec
-
There are so many different conflicting views scattered around the web.
Thank you for those links, it is very interesting to see the debate on which next-generation dns protocol to use.
However, if it is true that dnssec functions as a 30x multiplier for udp packets and the replies can be reflected to a different address, then that would be Very Bad Indeed.
Or am I mistaken in assuming this? -
Thank you for those links, it is very interesting to see the debate on which next-generation dns protocol to use.
However, if it is true that dnssec functions as a 30x multiplier for udp packets and the replies can be reflected to a different address, then that would be Very Bad Indeed.
Or am I mistaken in assuming this?Not at all wrong - its debatable on how much network traffic increase it will have but it definitely will increase. The larger size of DNSSEC responses does mean that it wont always fit into the normal UDP DNS traffic. So some of the 'older' DNS servers who are limited to 512bytes might switch to TCP for resolving. This obviously has impact on servers and bandwidth usage. I remember seeing a figure of around an estimated 2% in increase of traffic.
I am by no means an expert on the subject and still learning :)
-
-
Also did that update now. Config stays the same, except the interface problem I also have. Just one of my normally three selected interfaces (LAN) was active for the usage of Unbound…
Please reinstall and test - it works for me now on the latest commit.
-
Yep, worked after my latest firmware update. Thanks!
-
-
OK so I updated my snap, and now its showing my domain overrides.
Domain overrides
stub-zone:
name: "test.ip"
stub-addr: 192.168.1.4
stub-prime: noBut I agree its not working like it should.. So there is a server at 192.168.1.4 running bind with a zone for test.ip
see – if I query it directly authoritative for the host3 record I created.
; <<>> DiG 9.7.2-P3 <<>> @192.168.1.4 host3.test.ip
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15037
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1;; QUESTION SECTION:
;host3.test.ip. IN A;; ANSWER SECTION:
host3.test.ip. 21600 IN A 192.168.1.101;; AUTHORITY SECTION:
test.ip. 21600 IN NS p4-28g.local.lan.;; ADDITIONAL SECTION:
p4-28g.local.lan. 21600 IN A 192.168.1.4;; Query time: 5 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Mon Jan 10 23:32:39 2011
;; MSG SIZE rcvd: 93
Now if I ask the pfsense box that has an override set to ask 192.168.1.4 for the domain test.ip it also gives me back servfail
; <<>> DiG 9.7.2-P3 <<>> @192.168.1.253 host3.test.ip
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0;; QUESTION SECTION:
;host3.test.ip. IN A;; Query time: 11 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Mon Jan 10 23:40:03 2011
;; MSG SIZE rcvd: 31
So seems domain override is not working??
Currently running
2.0-BETA5 (i386)
built on Mon Jan 10 13:14:45 EST 2011Ok I managed to get time to simulate this. I see the answer is returned however Unbound is still returning a SERVFAIL. Will investigate further as to why… :-\
-
OK so I updated my snap, and now its showing my domain overrides.
Domain overrides
stub-zone:
name: "test.ip"
stub-addr: 192.168.1.4
stub-prime: noBut I agree its not working like it should.. So there is a server at 192.168.1.4 running bind with a zone for test.ip
see – if I query it directly authoritative for the host3 record I created.
; <<>> DiG 9.7.2-P3 <<>> @192.168.1.4 host3.test.ip
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15037
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1;; QUESTION SECTION:
;host3.test.ip. IN A;; ANSWER SECTION:
host3.test.ip. 21600 IN A 192.168.1.101;; AUTHORITY SECTION:
test.ip. 21600 IN NS p4-28g.local.lan.;; ADDITIONAL SECTION:
p4-28g.local.lan. 21600 IN A 192.168.1.4;; Query time: 5 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Mon Jan 10 23:32:39 2011
;; MSG SIZE rcvd: 93
Now if I ask the pfsense box that has an override set to ask 192.168.1.4 for the domain test.ip it also gives me back servfail
; <<>> DiG 9.7.2-P3 <<>> @192.168.1.253 host3.test.ip
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49426
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0;; QUESTION SECTION:
;host3.test.ip. IN A;; Query time: 11 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Mon Jan 10 23:40:03 2011
;; MSG SIZE rcvd: 31
So seems domain override is not working??
Currently running
2.0-BETA5 (i386)
built on Mon Jan 10 13:14:45 EST 2011Ok I managed to get time to simulate this. I see the answer is returned however Unbound is still returning a SERVFAIL. Will investigate further as to why… :-\
Ok sorted - fix committed. Reinstall package and let me know how it goes.
thx