The Current State of DNS Resolvers and RPKI Protection · 2020-02-15
The Current State of DNS Resolvers and RPKI Protection
By Erik Dekker and Marius Brouwer
Motivation
• Why is this research important?
Motivation
• BGP is old
• First RFC was published in 1989 (RFC 1105)
• BGP was developed in times when security problems were less prevalent
• And is vulnerable to certain attacks
• For example, BGP is prone to IP prefix hijacks
BGP IP Prefix Hijack
[Diagram: AS1, AS2, AS3, AS4 and AS5 exchange routes for 1.0.0.0/24 (A) and 8.0.0.0/24 (B); AS666 also announces 8.0.0.0/24 (C).]
Resource Public Key Infrastructure
• RPKI comes to the rescue!
• Documented in RFC 6480
• But also in RFC 6481, 6482, 6483, 6484, 6485, 6486, 6487, 6488, 6489, 6490, 6491, 6492, and 6493
How does RPKI work?
• RIRs assign IP prefixes to network operators
• For example, RIPE assigns prefixes to SURFnet
• RPKI allows network operators to sign their assigned IP prefixes
• To prove that they have the right to originate this prefix
• The RIRs host the Trust Anchors
• This results in a Route Origin Authorization (ROA) record
• Which contains the AS number, prefix(es) and optionally a maximum prefix length
• Routers can validate ROA records (Route Origin Validation)
• ROV == RPKI filtering
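Route Origin Validation as the slide describes it, written out as an added example (not code from the deck): a ROA carries a prefix, an authorised origin AS and an optional maximum length, and a router classifies each announcement as valid, invalid or not-found, then filters the invalid ones. The ROAs and announcements below are constructed around the deck's hijack diagram; the origin ASes assigned to prefixes A and B are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: prefix, authorised origin AS, optional max length."""
    prefix: str
    origin_as: int
    max_length: Optional[int] = None  # None means "exactly the prefix length"

    @property
    def maxlen(self) -> int:
        if self.max_length is not None:
            return self.max_length
        return ipaddress.ip_network(self.prefix).prefixlen

def rov(roas, announced_prefix, origin_as):
    """Route Origin Validation: return 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced_prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"  # nobody signed a ROA for this address space
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.maxlen:
            return "valid"
    return "invalid"  # covered by a ROA, but wrong origin AS or too specific

def rpki_filter(roas, announcements):
    """ROV == RPKI filtering: keep everything except invalid announcements."""
    return [(p, asn) for p, asn in announcements if rov(roas, p, asn) != "invalid"]

# Constructed ROAs modelled on the deck's diagram; origin ASes are assumed.
ROAS = [
    ROA("8.0.0.0/24", origin_as=4),                 # prefix B, exact length only
    ROA("1.0.0.0/22", origin_as=1, max_length=24),  # prefix A, /22 up to /24 allowed
]

# Constructed announcements: the legitimate routes plus AS666's hijack of B.
ANNOUNCEMENTS = [
    ("8.0.0.0/24", 4),    # B from its holder
    ("8.0.0.0/24", 666),  # B hijacked by AS666
    ("1.0.0.0/24", 1),    # A, within the ROA's max length
    ("9.0.0.0/24", 4),    # D, no ROA exists
]
```

A not-found route is still accepted, which is why only prefixes that actually have a ROA gain any protection from ROV.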
BGP IP Prefix Hijack with RPKI
[Diagram: the same topology (AS1 to AS5, AS666) with a ROA for 8.0.0.0/24; ASes performing ROV mark the legitimate 8.0.0.0/24 (B) valid and AS666's 8.0.0.0/24 (C) invalid.]
DNS
• What does this have to do with DNS resolvers?
BGP IP Prefix Hijack
[Diagram: the hijack scenario extended with DNS. Next to prefixes A, B and C there is a DNS server at 9.0.0.1 in 9.0.0.0/24 (D) and a Resolver; ROV-validating ASes mark C invalid and B valid.]
Example
• Amazon Route 53 BGP hijack
• All traffic directed to MyEtherWallet was hijacked
Research question
• Main question:
  “What is the state of RPKI filtering on DNS resolvers?”
• Sub questions:
  • How does the length of the AS path between resolver and authoritative DNS server influence the level of RPKI protection?
  • How does anycast influence the protection of DNS resolvers?
Scope
• No DNSSEC
• No IPv6
Method – test setup
• RIPE Atlas probes
• Can send DNS queries to their resolvers
• Which query our authoritative DNS servers
• Beacon
• tcpdump of all the queries
• Made a BGP dump
Method – experiment
[Diagram of the query flow between probe, resolver and the two authoritative servers, labelled Valid and Invalid:]
1. $id.invalid.valid4.rootcanary.net – A record
2. $id.invalid.valid4.rootcanary.net – A record
3. $id.invalid4.rootcanary.net – Synthesized CNAME
4. $id.invalid4.rootcanary.net – A record
5. $id.invalid4.rootcanary.net – Answer
6. $id.invalid4.rootcanary.net – Answer
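How the captured queries turn into the protection statuses used on the results slides, as an added example that is not the authors' own analysis code: a resolver whose query for the $id.invalid4 name reaches the beacon on the RPKI-invalid prefix is counted as unprotected, a resolver that only reaches the valid beacon as protected, and a probe is Fully, Partially or Unprotected depending on its resolvers. The capture lines and their "<server> <resolver-ip> <qname>" format are constructed for the example; $id is assumed to identify the probe.

```python
import re
from collections import defaultdict

# Constructed sample of queries seen at the two beacon servers (format assumed:
# "<server> <resolver-ip> <qname>", server being "valid4" or "invalid4").
CAPTURE = """\
valid4   198.51.100.10 p1001.invalid.valid4.rootcanary.net
invalid4 198.51.100.10 p1001.invalid4.rootcanary.net
valid4   198.51.100.20 p1001.invalid.valid4.rootcanary.net
valid4   203.0.113.5   p1002.invalid.valid4.rootcanary.net
valid4   203.0.113.5   p1003.invalid.valid4.rootcanary.net
invalid4 203.0.113.5   p1003.invalid4.rootcanary.net
valid4   203.0.113.9   p1003.invalid.valid4.rootcanary.net
invalid4 203.0.113.9   p1003.invalid4.rootcanary.net
"""

QNAME = re.compile(r"^(?P<id>[^.]+)\.(?P<zone>invalid\.valid4|invalid4)\.rootcanary\.net$")

def parse_capture(text):
    """Return {(probe_id, resolver_ip): set of beacon zones that saw a query}."""
    seen = defaultdict(set)
    for line in text.splitlines():
        server, resolver, qname = line.split()
        m = QNAME.match(qname)
        if not m:
            continue  # not one of the test names; ignore
        seen[(m["id"], resolver)].add(m["zone"])
    return seen

def resolver_status(zones):
    """Reaching the A record on the RPKI-invalid prefix means the path did no filtering.
    Not reaching it is read as protection, as in the deck; the Discussion slide
    notes that query coverage is not the same as protected clients."""
    return "Unprotected" if "invalid4" in zones else "Protected"

def pair_counts(seen):
    """Probe/resolver pairs by RPKI status, as on the coverage chart."""
    counts = {"Protected": 0, "Unprotected": 0}
    for zones in seen.values():
        counts[resolver_status(zones)] += 1
    return counts

def probe_status(seen):
    """Fully / Partially / Unprotected, over all resolvers a probe used."""
    per_probe = defaultdict(list)
    for (pid, resolver), zones in seen.items():
        per_probe[pid].append(resolver_status(zones))
    out = {}
    for pid, statuses in per_probe.items():
        protected = statuses.count("Protected")
        if protected == len(statuses):
            out[pid] = "Fully"
        elif protected == 0:
            out[pid] = "Unprotected"
        else:
            out[pid] = "Partially"
    return out
```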
Results
Results – Probe RPKI Coverage
[Chart: Number of Probes (0 to 10000) per Date, 2020-01-23 to 2020-02-03, by Probe Protection Status: Total Probes, Unprotected, Partially, Fully]
Results – Probe/Resolver RPKI Coverage
[Chart: Probe/Resolver Pairs (0 to 15000) per Date, 2020-01-23 to 2020-02-03, by RPKI Status: Total, Unprotected, Protected]
Results – Top 10 AS
[Bar chart: Queries (0 to 5000) per AS for the top 10 ASes, by RPKI Status: Protected, Unprotected; the AS labels did not survive extraction]
Results – Top 19 highest filtering ASes
[Bar chart: Queries (0 to 4000) per AS for the 19 ASes with the highest filtering, by RPKI Status: Protected, Unprotected; the AS labels did not survive extraction]
Results – Influence of Cloudflare anycast
[Chart: Cloudflare Prefixes (40 to 160) per Date, 2020-01-23 to 2020-02-03, by RPKI Status: Total, Unprotected, Protected]
Results – Influence of AS path length
[Chart: Query Ratio (0.00 to 1.00) by AS Path Length (2 to 11), by RPKI Status: Unprotected, Protected]
Results – Influence of AS path length
[Chart: Queries (0 to 200,000) by AS Path Length (2 to 11)]
Results – Influence of AS path length
[Two charts side by side: Queries (0 to 200,000) by AS Path Length (2 to 11), and Query Ratio (0.00 to 1.00) by AS Path Length (2 to 11), by RPKI Status: Unprotected, Protected]
Conclusions
Main Research Question: “What is the state of RPKI filtering on DNS resolvers?”
• How does the length of the AS path between resolver and authoritative DNS server influence the level of RPKI protection?
• How does anycast influence the protection of DNS resolvers?
Discussion
• RPKI query coverage ≠ RPKI protected clients
• Atlas probe AS could still be hijacked
• Small number of ASes are fully protected
• Expectation: longer AS path, more RPKI protection
• Based on reverse path
• Influence of anycast DNS relatively high and growing
• Population of experiment is western oriented and geek biased
Future Work
• Take DNS forwarders into account in future research
• Use a query generator other than RIPE Atlas to reach a different population
• Place more beacons in different regions/ASes
• Focus on specific open DNS resolvers, e.g. Cloudflare and Verisign Public DNS
• Longitudinal study of ongoing data capture
• Analyze which DNS resolvers are aided by filtering along the path
Acknowledgements
Questions?