DNS设定上常见的错误及注意事项

DNS設定上常見的錯誤及注意事項陳昌盛交通大學計算機與網路中心2002.04.10Outline•Introduction•CommonDNSProblems•CommonDNSConfigurationErrors•Examples&CasesStudy•Discussions&Concludingremarks•References•Appendix1.Introduction•DNSandtheInternet–SoftwareInfrastructurefortheInternet•Poorly-performedDNSservereverywhere–ThehierarchicalanddistributednatureofDNSmakesithardforordinaryadministratorstogainexpertise–Configuredonceandpossiblyusedforalongtime•ASampleStatisticsfromMOECC•BackgroundknowledgeDNSTrafficProfiling,sourcedatafromTW-MOECCNewsletter,•DNSBasics–AsimpleDNSworkingmodel–HierarchicalStructure•DNS-relatedIssuesforStudy–Correctness,Availability,Performance,Security•DNSrelatedprograms–client,proxy,server•DNSserverprogram(e.g.BIND/named,…)•DNSdebuggingtools(e.g.nslookup,dig,…)•DNSConfigurationtoolsDNSBasics•DNS(DomainNameSystem)–DomainNameSpace•DistributedandhierarchicalNamingStructure–tree-structurevs.DAG-structure–Geographicalvs.organizationalnamingprinciples–DomainNameServer(serverside)•BIND/named,...–DomainNameResolver(clientside)•Typeofservers–Master,slave,caching,forwarding,…•Typeofzones–Forward,reverse,…Fig.2ATypicalWorkingExampleQ::localDNSserverDr:remoteDNSserver•140.113.1.1Dr1(Q)4(R)2(Q)3(R)D1•140.111.1.20•140.113.7.123ASimpleWorkingModel(cont.)com,org,netcn,hk,..cn,hk,..twgov,milArpain-addrINTIP6rootservers140orgorggov,milgov,miledunctucomcomnetnethchchchshchs=140.113.6.2....mailmail192...NSAP..Fig.3HierarchicalArchitectureoftheDNSSystem2.CommonDNSProblems•Commonconfigurationerrorsorattacks?–SimpleClassificationofCommonDNSProblems•HowcanIfigureoutwhat'swrong?–Toolsforidentifyingtheproblems•Dig,nslookup,etc•Tcpdump•Aguri,mrtgTable1.SimpleClassificationofCommonDNSProblemsCategoryDescriptions1.ConfigurationerrorsoftheSystemadministratorsDomainZoneDelegation,etc.2.ImplementationerrorsofsomeDNSsoftwarepackagesDNS-spoofing,improperdefaults(dynamicupdate,WINS/DNSforwarding,etc),etc.3.AttackstotheDNSsystemsDDoS,forwardingstorm,etc4.InappropriateDesignandPlanningPoorDNSperformanceCommonTypeofDoSAttackstoDNSServers•NetworkLayerDoSattacks–Ping-of-death(Smurf,…)–UDP,ICMP•ApplicationLayerDoSAttacks–UDP•LamerServer,DNSforwardingstorm,unknownSPAMMail,directattacks(mal-functionclient/server)–TCPDst-port=53IgnoreNNRejectYMRTG-n(n=2,3,4)EndStart•FindeffectiveDNSqueriesandratioYSrc-port=137Fig.4FindeffectiveDNSqueriesandratioFig.5Anomalytrafficrecordedduringthe18:00to20:00intervalinpreviousday.Daily'Graph(5MinuteAverage)`Weekly'Graph(30MinuteAverage)3.ConfigurationerrororAttacks?•Majorproblems–LameServer–BogusDNSqueries–CName•NSRR’spointedtoCnameRR’s•MXRR’spointedtoCnameRR’s–DNSforwardingStorm–Indirectintrusion(PTR)ConfigurationerrororAttacks?(cont.)•Minorproblems–NATProxy+SplitDNSScheme–SPAMattacks(forwardzones)–DynamicUpdate(DHCP,Windows2000,..)–Mismatchdataintherelatedforward&reversedomainzones–…•ExamplesWhatis“LameServer”?•MaliciousAssignedLameServer–Mal-function(ornon-working)masterDNSserver–Improperly(orevenmaliciously)assignedslaveNSserver•OtherTriggeringmechanisms–HugevolumeofSPAMmailsinjectedtothepublicInternet•forwardDNSqueries(NS,A,MX,CNAME)•reverseDNSqueries(PTR)NoSlaveServer(onlymaster)inconsistencybetweenupper-andlower-levelSysAdmin.improperlyassignedslaveserver(s)bythelower-levelSysAdmin.(e.g.ISP/Customer)LameServerDomainZoneDelegationAllmasters(noslave)LameserverRegisteredauthoritiveserverStealthSlave(e.g.noaccesscontrolonthemaster)UnregisteredauthoritativeserverDataSyncronizationDynamicupdateauthoritativeFig.6CommonProblemsabouttheAuthorityofDomainZones•19:26:07.368496203.67.XXX.YYY.4943140.113.1.1.53:60236+A?dns.ERR.com.tw.(37)•19:26:07.368940140.113.1.1.53203.67.XXX.YYY.4943:60236-0/3/0(95)•19:26:07.381742203.67.XXX.YYY.4945140.113.1.1.53:60237+A?dns.ERR.com.tw.(37)•19:26:07.382164140.113.1.1.53203.67.XXX.YYY.4945:60237-0/3/0(95)•19:26:07.432408203.67.XXX.YYY.4946140.113.1.1.53:60238+A?dns.ERR.com.tw.(37)•19:26:07.432831140.113.1.1.53203.67.XXX.YYY.4946:60238-0/3/0(95)•19:26:07.445972203.67.XXX.YYY.4948140.113.1.1.53:60239+A?dns.ERR.com.tw.(37)•19:26:07.446420140.113.1.1.53203.67.XXX.YYY.4948:60239-0/3/0(95)•[deleted]Ex.1LameServerattacks–EndlessqueriesforthesamenamenotrelatedtolocalDNSserverrfc1918queriesfromhostsinRFC1918privateaddressspace•src=private-IP,routingissuesrfc1918?queriesforthehostnameofanRFC1918address•q=private-IP,DNSA+IPquerieswithIPaddresstargetinsteadofahostname•MSbugorVirus-infectedTLDqueriesforarecordinaninvalidtopleveldomainwindowsqueriesaboutmicrosoftdocumentsystemnames(.msdcs.)top10src/querypairsintrace,repeatedquerybugs1/minqueriesrepeatedmorethanonceaminuteTable2.