Be alert but not alarmed, DNSSEC rollout completes 6am tomorrow!

mike-s · 4th May 2010, 6:38 PM

original article here

For those who can't be arsed reading the article (tl-dr if you will), the way DNS works on the internet is a-changing and your old router or firewall may not be able to take the change in behaviour.

This change isn't likely to affect residential users as it's likely to be filtered/made transparent by your isp. But for those of us in corporate-world DNS is changing. DNSSEC rollout is nearing completion and as of tomorrow all root dns servers will give out digital signatures with every DNS request. For some old devices (or the networks behind them) the immediate effect is that DNS might magically stop as the reply size will increase from a maximum of 512 bytes to a total of 2k. The reason behind this is that originally it was assumed that the reply would never need to go above 512 bytes, so a lot of equipment automatically drops dns response packets that exceed that size.

Tomorrow may not affect you whatsoever, or it may be the day you realise you and your network are both up shit creek, you have been warned.

cs-cam · 4th May 2010, 7:23 PM

Quote:

Originally Posted by mike-s

The reason behind this is that originally it was assumed that the reply would never need to go above 512 bytes, so a lot of equipment automatically drops dns response packets that exceed that size.

The reason is DNS currently used UDP for transport however with responses larger than 512 bytes (as of tomorrow, all of them) it falls back to TCP. If your firewall is only configured to allow UDP requests on port 53 then you're going to have problems. Anything else and you're fine.

evilasdeath · 4th May 2010, 9:34 PM

Changes will happen between 17:00 > 19:00 UTC

17:00:00 Wednesday May 5, 2010 in UTC converts to
03:00:00 Thursday May 6, 2010 in GMT+10

19:00:00 Wednesday May 5, 2010 in UTC converts to
05:00:00 Thursday May 6, 2010 in GMT+10

Thursdays the day in Australia

I think it could be an awesome start to Thursday more so than Wednesday if shit hits the fan.

caironet16 · 4th May 2010, 10:44 PM

http://www.southparkstudios.com/clips/166182

But srsly, if this happens for real I will be super bored.

Doc-of-FC · 4th May 2010, 11:15 PM

Quote:

DNSSEC was developed in an attempt to thwart 'man in the middle' attacks,

muahahaha, i dare you to connect to my open wifi network called internet... no im not running dnsspoof, no im not running sslstrip and no im not logging my network to pcap files

mike-s · 5th May 2010, 8:03 AM

Quote:

Originally Posted by cs-cam

The reason is DNS currently used UDP for transport however with responses larger than 512 bytes (as of tomorrow, all of them) it falls back to TCP. If your firewall is only configured to allow UDP requests on port 53 then you're going to have problems. Anything else and you're fine.

I didn't realise there would be a whole fallback to tcp, you learn something new every day. Some people are going to be a whole new level of screwed,

Quote:

Originally Posted by evilasdeath

Thursdays the day in Australia

I think it could be an awesome start to Thursday more so than Wednesday if shit hits the fan.

I'll blame my boss, he initially mentioned this as a problem that is going to happen today and i took his word on that *facepalm*

Quote:

Originally Posted by Doc-of-FC;

muahahaha, i dare you to connect to my open wifi network called internet... no im not running dnsspoof, no im not running sslstrip and no im not logging my network to pcap files

Cruel yet malicious, i kinda like it!

Falkor · 5th May 2010, 9:34 AM

So how do we properly prepare for this then?

Is there any info anywhere?

I've been looking around, but am probably looking in the wrong places

caironet16 · 5th May 2010, 10:31 AM

Quote:

Originally Posted by Falkor

So how do we properly prepare for this then?

Is there any info anywhere?

I've been looking around, but am probably looking in the wrong places

All you can do is hope for the best. Hopefully everything just works but judging by the sheer vastness of the internet there is bound to be problems imo.

For instance if someone was waiting to launch a DDoS attack on the root DNS servers, they would probably wait until some of them go down for the upgrade and then target the remaining ones.

Apart from that the odd DNS server will probably fall over.

Maybe have a list of backup IP's ready just incase.

Falkor · 5th May 2010, 11:20 AM

Ok Well. For anyone interested. We run Cisco ASA's and have an MS network so we have MS DNS Servers.

By default on the ASA's its set to a max DNS Packet size of 512 bytes. (Well mine were)
I changed there here:

policy-map type inspect dns
parameters
message-length maximum 2048

And our MS DNS Servers weren't enabled for EDNS, which is required for >512 Bytes. So I followed the instructions here to do that:
http://technet.microsoft.com/en-us/l...30(WS.10).aspx

I found the test tool in the ITNews article helpful

Doc-of-FC · 5th May 2010, 11:24 AM

Quote:

Originally Posted by caironet16

For instance if someone was waiting to launch a DDoS attack on the root DNS servers, they would probably wait until some of them go down for the upgrade and then target the remaining ones.

I'd wait till all servers were updated forcing all servers to generate 4x the previous amount of traffic and force the servers to use TCP in turn also increasing the network and processing overhead by the 3 step handshake + query.

if each zombie was designed to tarpit attack the server by waiting as long as possible before issuing a request this would again eat valuable resources across the root servers.

both attack methods can also be mitigated.

evilasdeath · 5th May 2010, 11:36 AM

Well i finally found some reading

http://www.root-dnssec.org/2010/05/03/status-update/

the 5th of may is just when J root starts handing out DURZ, every other name server has already been doing this for ages with no ill affects.

mike-s · 5th May 2010, 4:49 PM

The main reason this whole stink was being kicked up is that the last server that you could "fall back" to if the others didn't provide a satisfactory response for your system is now being upgraded to DNSSEC. Which means if you have network gear that is not compatible with the new format and some upstream equipment isn't providing a reverse translation for you, you're in the shit.

Iceman · 5th May 2010, 5:09 PM

I'd really like a test to confirm my server 2003 dns and firewall can handle this.. none of the ones I've found are particularly conclusive.

Falkor · 6th May 2010, 9:24 AM

Well the world didn't end, so I think we are ok!

gords · 6th May 2010, 9:55 AM

It might take some time to see the results of the changes due to cached DNS results though.

4th May 2010, 6:38 PM	#1
mike-s Member Join Date: Dec 2003 Location: Sydney, Australia Posts: 1,696	Be alert but not alarmed, DNSSEC rollout completes 6am tomorrow! original article here For those who can't be arsed reading the article (tl-dr if you will), the way DNS works on the internet is a-changing and your old router or firewall may not be able to take the change in behaviour. This change isn't likely to affect residential users as it's likely to be filtered/made transparent by your isp. But for those of us in corporate-world DNS is changing. DNSSEC rollout is nearing completion and as of tomorrow all root dns servers will give out digital signatures with every DNS request. For some old devices (or the networks behind them) the immediate effect is that DNS might magically stop as the reply size will increase from a maximum of 512 bytes to a total of 2k. The reason behind this is that originally it was assumed that the reply would never need to go above 512 bytes, so a lot of equipment automatically drops dns response packets that exceed that size. Tomorrow may not affect you whatsoever, or it may be the day you realise you and your network are both up shit creek, you have been warned. __________________ Successfull trades: RakOon, drfbro, mR_CaESaR, Spyfox If I've got crap for sale on ebay you like, click here. Old hardware giveaway thread here. Sony Vaio Club Member #21

5th May 2010, 9:34 AM	#7
Falkor Member Join Date: Jun 2001 Location: New York City Posts: 2,966	So how do we properly prepare for this then? Is there any info anywhere? I've been looking around, but am probably looking in the wrong places __________________ Save the whales, Collect the whole set! .:\|:. Now faith is being sure of what we hope for and certain of what we do not see - Hebrews 11:1

5th May 2010, 11:20 AM	#9
Falkor Member Join Date: Jun 2001 Location: New York City Posts: 2,966	Ok Well. For anyone interested. We run Cisco ASA's and have an MS network so we have MS DNS Servers. By default on the ASA's its set to a max DNS Packet size of 512 bytes. (Well mine were) I changed there here: policy-map type inspect dns parameters message-length maximum 2048 And our MS DNS Servers weren't enabled for EDNS, which is required for >512 Bytes. So I followed the instructions here to do that: http://technet.microsoft.com/en-us/l...30(WS.10).aspx I found the test tool in the ITNews article helpful __________________ Save the whales, Collect the whole set! .:\|:. Now faith is being sure of what we hope for and certain of what we do not see - Hebrews 11:1

5th May 2010, 4:49 PM	#12
mike-s Member Join Date: Dec 2003 Location: Sydney, Australia Posts: 1,696	The main reason this whole stink was being kicked up is that the last server that you could "fall back" to if the others didn't provide a satisfactory response for your system is now being upgraded to DNSSEC. Which means if you have network gear that is not compatible with the new format and some upstream equipment isn't providing a reverse translation for you, you're in the shit. __________________ Successfull trades: RakOon, drfbro, mR_CaESaR, Spyfox If I've got crap for sale on ebay you like, click here. Old hardware giveaway thread here. Sony Vaio Club Member #21 Last edited by mike-s; 5th May 2010 at 5:51 PM. Reason: grammar

5th May 2010, 5:09 PM	#13
Iceman Member Join Date: Jun 2001 Location: Brisbane (nth), Australia Posts: 6,304	I'd really like a test to confirm my server 2003 dns and firewall can handle this.. none of the ones I've found are particularly conclusive. __________________ _,ø¤°`°¤ø,¸_¸,ø¤°`°¤ø,¸_¸,ø¤°`°¤ø,¸_ WTB: Cisco 1801-M PM me Please rehash my posts and pass them off as your own ideas! Triple points for doing it in the same page of the thread. Plagiarism is the sincerest form of copyright infringement.

4th May 2010, 9:34 PM	#3
evilasdeath Member Join Date: Jul 2004 Posts: 2,839	Changes will happen between 17:00 > 19:00 UTC 17:00:00 Wednesday May 5, 2010 in UTC converts to 03:00:00 Thursday May 6, 2010 in GMT+10 19:00:00 Wednesday May 5, 2010 in UTC converts to 05:00:00 Thursday May 6, 2010 in GMT+10 Thursdays the day in Australia I think it could be an awesome start to Thursday more so than Wednesday if shit hits the fan.

4th May 2010, 10:44 PM	#4
caironet16 Member Join Date: Mar 2002 Posts: 235	http://www.southparkstudios.com/clips/166182 But srsly, if this happens for real I will be super bored.

5th May 2010, 11:36 AM	#11
evilasdeath Member Join Date: Jul 2004 Posts: 2,839	Well i finally found some reading http://www.root-dnssec.org/2010/05/03/status-update/ the 5th of may is just when J root starts handing out DURZ, every other name server has already been doing this for ages with no ill affects.

6th May 2010, 9:24 AM	#14
Falkor Member Join Date: Jun 2001 Location: New York City Posts: 2,966	Well the world didn't end, so I think we are ok! __________________ Save the whales, Collect the whole set! .:\|:. Now faith is being sure of what we hope for and certain of what we do not see - Hebrews 11:1

6th May 2010, 9:55 AM	#15
gords Thread Killer Join Date: Aug 2001 Location: Sydney, Australia Posts: 6,141	It might take some time to see the results of the changes due to cached DNS results though. __________________ "Grace is God giving us what we do not deserve and mercy is God not giving us what we do deserve." "The beauty of grace is that it makes life not fair." - Relient K, Be My Escape "God shows his love for us in that while we were still sinners, Christ died for us." Romans 5:8