You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
276 lines
9.6 KiB
276 lines
9.6 KiB
Private DNS
|
|
|
|
Summary
|
|
|
|
Private DNS is an extension to standard Wide Area Bonjour that allows
|
|
for secure, encrypted, and authorized communications. Private data sent
|
|
from a client to a DNS server is encrypted using Transport Layer
|
|
Security (TLS), ensuring that the data is hidden from prying eyes, and
|
|
contains Transaction Signatures (TSIG), so the server can authorize the
|
|
request. TSIGs are typically associated with Dynamic Updates; we are
|
|
using them for standard and long-lived queries as well. Private DNS also
|
|
protects Dynamic Updates from eavesdropping, by wrapping the update in a
|
|
TLS communication channel if the server has been configured appropriately.
|
|
|
|
Architectural Overview
|
|
|
|
mDNSResponder has been modified to automatically issue a private query
|
|
when necessary. After receiving an NXDOMAIN error, mDNSResponder checks
|
|
in the system keychain to see if the user has a DNS query key (TSIG key)
|
|
for the name in question, or for a parent of that name. If a suitable
|
|
key is found, mDNSResponder looks up the zone data associated with the
|
|
name of the question. After determining the correct name server,
|
|
mDNSResponder looks up an additional SRV record "_dns-private._tcp". If
|
|
it finds this record, mDNSResponder will re-issue the query privately.
|
|
If either there is no _dns-private._tcp record, or there is no secret
|
|
key, the call fails as it initially did, with an NXDOMAIN error.
|
|
|
|
Once the secret key is found and the SRV record is looked up, mDNSResponder
|
|
opens a TLS connection to the server on the port specified in the SRV
|
|
record just looked up. After the connection succeeds, mDNSResponder
|
|
can proceed to use that communication channel to make requests of
|
|
the server. Every private packet must also have a TSIG record;
|
|
the DNS server uses this TSIG record to allow access to its data.
|
|
|
|
When setting up a long-lived query over TCP (with or without TLS)
|
|
TCP's standard three-way handshake makes the full four-packet LLQ setup
|
|
exchange described in <http://files.dns-sd.org/draft-sekar-dns-llq.txt>
|
|
unnecessary. Instead, when connecting over TCP, the client simply sends
|
|
a setup message and expects to receive ACK + Answers. The setup message
|
|
sent is formatted as described in the LLQ document, however there is
|
|
an additional TSIG' resource record added to the end of it. The TSIG
|
|
resource records looks and acts exactly as it does in a secure update.
|
|
So when the server receives an LLQ (or a standard query), it looks to
|
|
see if the zone that is being referenced is public or private. If it's
|
|
private, then it makes sure that the client is authorized to query that
|
|
zone (by using the TSIG signature) and returns the appropriate data.
|
|
When a zone is configured as private, the server will do this type of
|
|
authorization checking for every query except those queries that are
|
|
looking for SOA and NS records.
|
|
|
|
Implementation Issues
|
|
|
|
dnsextd
|
|
|
|
dnsextd has been modified to behave much like a DNS firewall. The "real"
|
|
DNS server is configured to listen on non-standard ports on the loopback
|
|
interface. dnsextd then listens on the standard DNS ports (TCP/UDP port
|
|
53) and intercepts all DNS traffic. It is responsible for determining
|
|
what zone a DNS request is associated with, determining whether the
|
|
client is allowed access to that zone, and returning the appropriate
|
|
information back to the caller. If the packet is allowed access, dnsextd
|
|
forwards the request to the "real" nameserver, and returns the result to
|
|
the caller.
|
|
|
|
It was tempting to use BIND9's facility for configuring TSIG enabled
|
|
queries while doing this work. However after proceeding down that path,
|
|
enough subtle interaction problems were found that it was not practical
|
|
to pursue this direction, so instead dnsextd does all TSIG processing
|
|
for queries itself. It does continue to use BIND9 for processing TSIG
|
|
enabled dynamic updates, though one minor downside with this is that
|
|
there are two configuration files (named.conf or dnsextd.conf) that have
|
|
the same secret key information. That seems redundant and error-prone,
|
|
and moving all TSIG processing for both queries and updates into dnsextd
|
|
would fix this.
|
|
|
|
All private LLQ operations are TSIG-enabled and sent over a secure
|
|
encrypted TLS channel. To accommodate service providers who don't want
|
|
to have to keep open a large number of TLS connections to a large number
|
|
of client machines, the server has the option of dropping the TLS
|
|
connection after initial LLQ setup and sending subsequent events and
|
|
refreshes using unencrypted UDP packets. This results in less load on
|
|
the server, at the cost of slightly lower security (LLQs can only be set
|
|
up by an authorized client, but once set up, subsequent change event
|
|
packets sent over unencrypted UDP could be observed by an eavesdropper).
|
|
A potential solution to this deficiency might be in using DTLS, which is
|
|
a protocol based on TLS that is capable of securing datagram traffic.
|
|
More investigation needs to be done to see if DTLS is suitable for
|
|
private DNS.
|
|
|
|
It was necessary to relax one of the checks that dnsextd performs during
|
|
processing of an LLQ refresh. Prior to these changes, dnsextd would
|
|
verify that the refresh request came from the same entity that setup the
|
|
LLQ by comparing both the IP Address and port number of the request
|
|
packet with the IP Address and port number of the setup packet. Because
|
|
of the preceding issue, a refresh request might be sent over two
|
|
different sockets. While their IP addresses would be the same, their
|
|
port numbers could potentially differ. This check has been modified to
|
|
only check that the IP addresses match.
|
|
|
|
When setting up a semi-private LLQ (where the request and initial answer
|
|
set is sent over TLS/TCP, but subsequent change events are sent over
|
|
unencrypted UDP), dnsextd uses the port number of the client's TCP
|
|
socket to determine the UDP event port number. While this eliminates the
|
|
need to pass the UDP event port number in the LLQ setup request
|
|
(obviating a potential data mismatch error), I think it does more harm
|
|
than good, for three reasons:
|
|
|
|
1) We are relying that all the routers out there implement the Port
|
|
Mapping Protocol spec correctly.
|
|
|
|
2) Upon setup every LLQ must NAT map two ports. Upon tear down every LLQ
|
|
must tear down two NAT mappings.
|
|
|
|
3) Every LLQ opens up two sockets (TCP and UDP), rather than just the
|
|
one TCP socket.
|
|
|
|
All of this just to avoid sending two bytes in the LLQ setup packet
|
|
doesn't seem logical. The approach also necessitates creating an
|
|
additional UDP socket for every private LLQ, port mapping both the TCP
|
|
socket as well as the UDP socket, and moderately increasing the
|
|
complexity and efficiency of the code. Because of this we plan to allow
|
|
the LLQ setup packet to specify a different UDP port for change event
|
|
packets. This will allow mDNSResponder to receive all UDP change event
|
|
packets on a single UDP port, instead of a different one for each LLQ.
|
|
|
|
Currently, dnsextd is buggy on multi-homed hosts. If it receives a
|
|
packet on interface 2, it will reply on interface 1 causing an error in
|
|
the client program.
|
|
|
|
dnsextd doesn't fully process all of its option parameters.
|
|
Specifically, it doesn't process the keywords: "listen-on",
|
|
"nameserver", "private", and "llq". It defaults to expecting the "real"
|
|
nameserver to be listening on 127.0.0.1:5030.
|
|
|
|
|
|
mDNSResponder
|
|
|
|
Currently, mDNSResponder attempts to issue private queries for all
|
|
queries that initially result in an NXDOMAIN error. This behavior might
|
|
be modified in future versions, however it seems patently incorrect to
|
|
do this for reverse name lookups. The code that attempts to get the zone
|
|
data associated with the name will never find the zone for a reverse
|
|
name lookup, and so will issue a number of wasteful DNS queries.
|
|
|
|
mDNSResponder doesn't handle SERV_FULL or STATIC return codes after
|
|
setting up an LLQ over TCP. This isn't a terrible problem right now,
|
|
because dnsextd doesn't ever return them, but this should be fixed so
|
|
that mDNSResponder will work when talking to other servers that do
|
|
return these error codes.
|
|
|
|
|
|
Configuration:
|
|
|
|
Sample named.conf:
|
|
|
|
//
|
|
// Include keys file
|
|
//
|
|
include "/etc/rndc.key";
|
|
// Declares control channels to be used by the rndc utility.
|
|
//
|
|
// It is recommended that 127.0.0.1 be the only address used.
|
|
// This also allows non-privileged users on the local host to manage
|
|
// your name server.
|
|
|
|
//
|
|
// Default controls
|
|
//
|
|
controls
|
|
{
|
|
inet 127.0.0.1 port 54 allow { any; } keys { "rndc-key"; };
|
|
};
|
|
|
|
options
|
|
{
|
|
directory "/var/named";
|
|
/*
|
|
* If there is a firewall between you and nameservers you want
|
|
* to talk to, you might need to uncomment the query-source
|
|
* directive below. Previous versions of BIND always asked
|
|
* questions using port 53, but BIND 8.1 uses an unprivileged
|
|
* port by default.
|
|
*/
|
|
|
|
forwarders
|
|
{
|
|
65.23.128.2;
|
|
65.23.128.3;
|
|
};
|
|
|
|
listen-on port 5030 { 127.0.0.1; };
|
|
recursion true;
|
|
};
|
|
|
|
//
|
|
// a caching only nameserver config
|
|
//
|
|
zone "." IN
|
|
{
|
|
type hint;
|
|
file "named.ca";
|
|
};
|
|
|
|
zone "localhost" IN
|
|
{
|
|
type master;
|
|
file "localhost.zone";
|
|
allow-update { none; };
|
|
};
|
|
|
|
zone "0.0.127.in-addr.arpa" IN
|
|
{
|
|
type master;
|
|
file "named.local";
|
|
allow-update { none; };
|
|
};
|
|
|
|
zone "hungrywolf.org." in
|
|
{
|
|
type master;
|
|
file "db.hungrywolf.org";
|
|
allow-update { key hungrywolf.org.; };
|
|
};
|
|
|
|
zone "157.23.65.in-addr.arpa" IN
|
|
{
|
|
file "db.65.23.157";
|
|
type master;
|
|
};
|
|
|
|
zone "100.255.17.in-addr.arpa" IN
|
|
{
|
|
file "db.17.255.100";
|
|
type master;
|
|
};
|
|
|
|
zone "66.6.24.in-addr.arpa" IN
|
|
{
|
|
file "db.24.6.66";
|
|
type master;
|
|
};
|
|
|
|
key hungrywolf.org.
|
|
{
|
|
algorithm hmac-md5;
|
|
secret "c8LWr16K6ju6KMO5zT6Tyg==";
|
|
};
|
|
|
|
logging
|
|
{
|
|
category default { _default_log; };
|
|
|
|
channel _default_log
|
|
{
|
|
file "/Library/Logs/named.log";
|
|
severity info;
|
|
print-time yes;
|
|
};
|
|
};
|
|
|
|
|
|
Sample dnsextd.conf:
|
|
|
|
options { };
|
|
|
|
key "hungrywolf.org."
|
|
{
|
|
secret "c8LWr16K6ju6KMO5zT6Tyg==";
|
|
};
|
|
|
|
zone "hungrywolf.org."
|
|
{
|
|
type private;
|
|
allow-query { key hungrywolf.org.; };
|
|
};
|