Information Security


27th July 2012


Playing With DNSCrypt

What we should know:

• Tor encrypts DNS requests, but they are decrypted at the exit node

• DNSCrypt Proxy is not a DNS cache

• The OpenDNS resolver uses random ports.

• DNSCrypt Proxy is built with stack canary support, full RELRO, NX/PaX and PIE enabled

• DNSCrypt Proxy alone is not enough for the best DNS security

So, every sysadmin knows Unbound is more responsive, but I chose Dnsmasq for better security.

% sudo dnscrypt-proxy -a 127.0.0.2 -u nobody -r 208.67.222.222 -d

% cat /etc/dnsmasq.conf

listen-address=127.0.0.1
server=127.0.0.2
no-hosts
no-dhcp-interface=lo
bind-interfaces
bogus-priv
no-resolv
stop-dns-rebind
rebind-localhost-ok
domain-needed
cache-size=1337
proxy-dnssec

% sudo dnsmasq

Note: you must run dnscrypt-proxy (bound to 127.0.0.2) before running dnsmasq, or you will get "Address already in use".

If you are using DHCP:

% cat /etc/dhclient.conf
supersede domain-name-servers 127.0.0.1;

or forbid dhclient from changing resolv.conf:

% sudo chattr +i /etc/resolv.conf (not working on reiserfs)
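An added example, not code from the post: a small linter that checks a dnsmasq.conf against the forwarding-only profile above, so a stray server= line or a missing no-resolv does not send plaintext queries around dnscrypt-proxy. It assumes dnscrypt-proxy listens on 127.0.0.2 as in the command above; the weak config is constructed.

```python
# Added example: lint a dnsmasq.conf against the forwarding-only profile from this post.
DNSCRYPT_LISTENER = "127.0.0.2"   # assumption: from the page's `dnscrypt-proxy -a 127.0.0.2`

# Options the profile depends on, with what goes wrong without them.
REQUIRED = {
    "no-resolv": "dnsmasq also forwards to the upstreams in /etc/resolv.conf, bypassing dnscrypt-proxy",
    "bind-interfaces": "dnsmasq binds the wildcard address instead of only listen-address",
    "stop-dns-rebind": "upstream answers pointing at private ranges reach clients (DNS rebinding)",
    "domain-needed": "single-label names get forwarded upstream",
}

def parse_dnsmasq_conf(text):
    """Split a dnsmasq.conf into a set of bare flags and a key -> [values] map."""
    flags, keyed = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # dnsmasq comments start with '#'
            continue
        if "=" in line:
            key, val = line.split("=", 1)
            keyed.setdefault(key.strip(), []).append(val.strip())
        else:
            flags.add(line)
    return flags, keyed

def check_conf(text, listener=DNSCRYPT_LISTENER):
    """Return a list of findings; an empty list means the config matches the profile."""
    flags, keyed = parse_dnsmasq_conf(text)
    findings = ["missing %s: %s" % (o, why) for o, why in REQUIRED.items() if o not in flags]
    servers = keyed.get("server", [])
    if not servers:
        findings.append("no server= line: nothing points dnsmasq at dnscrypt-proxy")
    for s in servers:
        if s.split("#", 1)[0] != listener:        # server=ip#port is valid dnsmasq syntax
            findings.append("upstream %s is not %s: plaintext DNS leak" % (s, listener))
    for addr in keyed.get("listen-address", ["<none>"]):
        if not addr.startswith("127."):
            findings.append("listen-address %s is not loopback: resolver exposed to the network" % addr)
    return findings

# Constructed inputs: the configuration from this post, and a weakened variant.
GOOD_CONF = "\n".join(["listen-address=127.0.0.1", "server=127.0.0.2", "no-hosts",
    "no-dhcp-interface=lo", "bind-interfaces", "bogus-priv", "no-resolv", "stop-dns-rebind",
    "rebind-localhost-ok", "domain-needed", "cache-size=1337", "proxy-dnssec"])
WEAK_CONF = "listen-address=0.0.0.0\nserver=192.0.2.53\ncache-size=1337\n"

if __name__ == "__main__":
    for name, conf in (("post", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, check_conf(conf) or ["ok"])
```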

messages

dnscrypt-proxy[2804]: Generating a new key pair
dnscrypt-proxy[2804]: Done
dnscrypt-proxy[2804]: Server certificate #1323392947 received
dnscrypt-proxy[2804]: This certificate looks valid
dnscrypt-proxy[2804]: Server key fingerprint is E07C:5F90:03C2:D764:A9FC:9A1E:6633:632A:0FE0:B1C5:5EF9:894A:FC7A:BA18:4A62:462E
dnscrypt-proxy[2804]: Proxying from 127.0.0.2:53 to 208.67.220.220:443
dnsmasq[2819]: started, version 2.57 cachesize 1337
dnsmasq[2819]: compile time options: IPv6 GNU-getopt no-DBus I18N DHCP TFTP IDN
dnsmasq[2819]: using nameserver 127.0.0.2#53
dnsmasq[2819]: cleared cache

Now, how to check it works:

% python dnspredict.py
Starting DNS queries.
Finishing DNS queries (26.1 seconds)
Resolver analysis: Unknown Resolver (ext: 67.215.80.17)
Queries: 255
Port Statistics: StdDev: 26948 GOOD (random)
Qid Statistics: StdDev: 27241 GOOD (random)

% host 67.215.80.17
17.80.215.67.in-addr.arpa domain name pointer m7.sin.opendns.com.

Or simply go to http://www.honeyd.org/ and we can see "Your DNS Resolver uses random ports."
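An added example, not code from the post or from dnspredict.py, showing the core of the check dnspredict performs: extract the transaction id from each captured query and judge source-port and id spread by standard deviation. The 10000 threshold and the two constructed resolvers (randomised and sequential) are my own assumptions; the query bytes are the s3.amazonaws.com query from the capture further down this post.

```python
import random
import statistics
import struct

def parse_query(raw):
    """Return (transaction id, qname) from a DNS query; question names are never compressed."""
    txid, = struct.unpack("!H", raw[:2])
    labels, off = [], 12                      # the 12-byte header precedes the question
    while raw[off] != 0:
        n = raw[off]
        labels.append(raw[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return txid, ".".join(labels)

def verdict(values, threshold=10000):
    """Stddev test in the spirit of dnspredict; the threshold is an assumption, not dnspredict's."""
    sd = statistics.pstdev(values)
    return sd, ("GOOD (random)" if sd > threshold else "POOR (predictable)")

def randomness_report(samples):
    """samples: list of (source port, raw DNS query bytes) seen leaving the resolver."""
    ports = [p for p, _ in samples]
    ids = [parse_query(q)[0] for _, q in samples]
    psd, pv = verdict(ports)
    qsd, qv = verdict(ids)
    return {"queries": len(samples), "port_stddev": round(psd), "port_verdict": pv,
            "qid_stddev": round(qsd), "qid_verdict": qv}

# Constructed from the netsniff-ng line in this post: query id 0x35e6 for s3.amazonaws.com.
QUERY = bytes.fromhex("35 e6 01 00 00 01 00 00 00 00 00 00 02 73 33 09 61 6d 61 7a 6f 6e 61 77 73 "
                      "03 63 6f 6d 00 00 01 00 01")

def make_query(txid):
    """Same question as QUERY with a different transaction id."""
    return struct.pack("!H", txid) + QUERY[2:]

def constructed_samples(randomised, n=255, seed=1337):
    """Emulate a resolver with random ports/ids (like OpenDNS above) or a sequential one."""
    rng = random.Random(seed)
    if randomised:
        return [(rng.randint(1024, 65535), make_query(rng.randint(0, 65535))) for _ in range(n)]
    return [(32768 + i, make_query(0x35e6 + i)) for i in range(n)]

if __name__ == "__main__":
    print("random resolver:    ", randomness_report(constructed_samples(True)))
    print("sequential resolver:", randomness_report(constructed_samples(False)))
```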

syslog

dnsmasq[2819]: possible DNS-rebind attack detected: 86.osd.honeyd.org

scapy (geek mode)

>>> sniff(filter="udp and port 53", count=1337, prn=lambda x: x.show())

—*snip*—

###[ Ethernet ]###
  dst= 00:00:00:00:00:00
  src= 00:00:00:00:00:00
  type= 0x800
###[ IP ]###
     version= 4L
     ihl= 5L
     tos= 0x0
     len= 153
     id= 54967
     flags=
     frag= 0L
     ttl= 64
     proto= udp
     chksum= 0xa599
     src= 127.0.0.2
     dst= 127.0.0.1
     \options\
###[ UDP ]###
        sport= domain
        dport= 31473
        len= 133
        chksum= 0xfe99
###[ DNS ]###
           id= 59144
           qr= 1L
           opcode= QUERY
           aa= 0L
           tc= 0L
           rd= 1L
           ra= 1L
           z= 0L
           rcode= name-error
           qdcount= 1
           ancount= 0
           nscount= 1
           arcount= 1
           \qd\
            |###[ DNS Question Record ]###
            |  qname= '4.44.6.66.in-addr.arpa.'
            |  qtype= PTR
            |  qclass= IN
           an= None
           \ns\
            |###[ DNS Resource Record ]###
            |  rrname= '44.6.66.in-addr.arpa.'
            |  type= SOA
            |  rclass= IN
            |  ttl= 60
            |  rdlen= 62
            |  rdata= '\x03ns1\x03p03\x06dynect\x03net\x00\tops-infra\x06tumblr\x03com\x00G\xf5U\x18\x00\x00\x0e\x10\x00\x00\x02X\x00\t:\x80\x00\x00\x00<'
           \ar\
            |###[ DNS Resource Record ]###
            |  rrname= ''
            |  type= 41
            |  rclass= 4096
            |  ttl= 0
            |  rdlen= 0
            |  rdata= ''
—*snip*—

Source 127.0.0.2, destination 127.0.0.1, destination port 31473, and the port is random.

Stream

—*snip*—

Ether / IP / UDP / DNS Ans "a118-214.191-60.deploy.akamaitechnologies.com."
0000   00 00 00 00 00 00 00 00  00 00 00 00 08 00 45 00   …………..E.
0010   00 84 00 00 40 00 40 11  3C 67 7F 00 00 01 7F 00   ….@.@.<g……
0020   00 01 00 35 A0 04 00 70  FE 83 86 D7 81 80 00 01   …5…p……..
0030   00 01 00 00 00 00 02 36  30 03 31 39 31 03 32 31   …….60.191.21
0040   34 03 31 31 38 07 69 6E  2D 61 64 64 72 04 61 72   4.118.in-addr.ar
0050   70 61 00 00 0C 00 01 02  36 30 03 31 39 31 03 32   pa……60.191.2
0060   31 34 03 31 31 38 07 69  6E 2D 61 64 64 72 04 61   14.118.in-addr.a
0070   72 70 61 00 00 0C 00 01  00 00 B3 A9 00 2E 61 31   rpa………..a1
0080   31 38 2D 32 31 34 2E 31  39 31 2D 36 30 2E 64 65   18-214.191-60.de
0090   70 6C 6F 79 2E 61 6B 61  6D 61 69 74 65 63 68 6E   ploy.akamaitechn
00a0   6F 6C 6F 67 69 65 73 2E  63 6F 6D 2E               ologies.com.
WARNING: DNS RR prematured end (ofs=8485, len=20)
—*snip*—

The warning means your DNS is encrypted.

% host a118-214.191-60.deploy.akamaitechnologies.com
a118-214.191-60.deploy.akamaitechnologies.com has address 67.215.65.132
Host a118-214.191-60.deploy.akamaitechnologies.com not found: 3(NXDOMAIN)
% host 67.215.65.132
132.65.215.67.in-addr.arpa domain name pointer hit-nxdomain.opendns.com.

Satisfied?

Nope. Here is udp.bpf:

{ 0x28, 0, 0, 0x0000000c },
{ 0x15, 0, 3, 0x00000800 },
{ 0x30, 0, 0, 0x00000017 },
{ 0x15, 0, 1, 0x00000011 },
{ 0x6, 0, 0, 0xffffffff },
{ 0x6, 0, 0, 0x00000000 },

BPF

 L0: ldh [12]
 L1: jeq #0x800, L2, L5
 L2: ldb [23]
 L3: jeq #0x11, L4, L5
 L4: ret #0xffffffff
 L5: ret #0x0
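To see how the udp.bpf array and the listing above correspond, an added example that is not from the post: a tiny interpreter for the four classic-BPF opcodes this filter uses, plus a disassembler that reproduces the listing, run over the first 32 bytes of the loopback frame dumped earlier and two constructed non-UDP variants of it.

```python
# udp.bpf from this post, as (code, jt, jf, k) tuples.
UDP_BPF = [
    (0x28, 0, 0, 0x0000000c),   # ldh [12]      accumulator = ethertype
    (0x15, 0, 3, 0x00000800),   # jeq #0x800    IPv4? fall through, else skip 3 -> L5
    (0x30, 0, 0, 0x00000017),   # ldb [23]      accumulator = IP protocol byte
    (0x15, 0, 1, 0x00000011),   # jeq #0x11     UDP? fall through, else skip 1 -> L5
    (0x6, 0, 0, 0xffffffff),    # ret #-1       accept the whole packet
    (0x6, 0, 0, 0x00000000),    # ret #0        drop
]

def run_bpf(prog, pkt):
    """Interpret the classic-BPF subset used above (ldh/ldb absolute, jeq #k, ret #k).
    An out-of-bounds load drops the packet, as the kernel does."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code == 0x28:                       # BPF_LD | BPF_H | BPF_ABS
            if k + 2 > len(pkt):
                return 0
            acc = int.from_bytes(pkt[k:k + 2], "big")
        elif code == 0x30:                     # BPF_LD | BPF_B | BPF_ABS
            if k + 1 > len(pkt):
                return 0
            acc = pkt[k]
        elif code == 0x15:                     # BPF_JMP | BPF_JEQ | BPF_K
            pc += jt if acc == k else jf       # offsets are relative to the next instruction
        elif code == 0x06:                     # BPF_RET | BPF_K
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)
        pc += 1
    raise ValueError("program fell off the end")

def disassemble(prog):
    """Render the array in the same form as the BPF listing above."""
    out = []
    for i, (code, jt, jf, k) in enumerate(prog):
        text = {0x28: "ldh [%d]" % k, 0x30: "ldb [%d]" % k, 0x06: "ret #0x%x" % k,
                0x15: "jeq #0x%x, L%d, L%d" % (k, i + 1 + jt, i + 1 + jf)}.get(code, "?? 0x%x" % code)
        out.append("L%d: %s" % (i, text))
    return out

# First 32 bytes of the loopback frame dumped above (Ethernet header + start of IPv4/UDP).
UDP_FRAME = bytes.fromhex("00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 "
                          "00 84 00 00 40 00 40 11 3C 67 7F 00 00 01 7F 00")
TCP_FRAME = UDP_FRAME[:23] + b"\x06" + UDP_FRAME[24:]      # constructed: protocol byte -> TCP
ARP_FRAME = UDP_FRAME[:12] + b"\x08\x06" + UDP_FRAME[14:]  # constructed: ethertype -> ARP

if __name__ == "__main__":
    print("\n".join(disassemble(UDP_BPF)))
    for name, frame in (("udp", UDP_FRAME), ("tcp", TCP_FRAME), ("arp", ARP_FRAME)):
        print(name, "accept" if run_bpf(UDP_BPF, frame) else "drop")
```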

in action

—*snip*—

> 1 76 1344537519.806103
 [ Eth MAC (00:00:00:00:00:00 => 00:00:00:00:00:00), Proto (0x0800, IPv4) ]
 [ Vendor (XEROX CORPORATION => XEROX CORPORATION) ]
 [ IPv4 Addr (127.0.0.1 => 127.0.0.1), Proto (17), TTL (64), TOS (0), Ver (4), IHL (5), Tlen (62), ID (34483), Res (0), NoFrag (1), MoreFrag (0), FragOff (0), CSum
   (0xb5f9) is ok ]
 [ UDP Port (40112 => 53 (domain)), Len (42 Bytes, 34 Bytes Data), CSum (0xfe3d) ]
 [ chr 5…………s3.amazonaws.com….. ]
 [ hex  35 e6 01 00 00 01 00 00 00 00 00 00 02 73 33 09 61 6d 61 7a 6f 6e 61 77 73 03 63 6f 6d 00 00 01 00 01 ]

—*snip*—

Make sure:

% sudo lsof -i udp

dnscrypt- 2804   nobody    8u  IPv4  14355      0t0  UDP 127.0.0.2:domain
dnscrypt- 2804   nobody    9u  IPv4  14356      0t0  UDP *:53041 
dnsmasq   2819 nobody    4u  IPv4  11971      0t0  UDP localhost:domain
dnsmasq   2819 nobody    9u  IPv4 113846      0t0  UDP *:19047 
dnsmasq   2819 nobody   10u  IPv4 112937      0t0  UDP *:15398 
dnsmasq   2819 nobody   11u  IPv4 113865      0t0  UDP *:42949 
dnsmasq   2819 nobody   12u  IPv4 108364      0t0  UDP *:44120 
dnsmasq   2819 nobody   13u  IPv4 112936      0t0  UDP *:59192 
dnsmasq   2819 nobody   14u  IPv4 108354      0t0  UDP *:63709

Tagged: Encryption, Geek, Honeypot, Network Security, Security Information and Event Management, System V


ABOUT THE AUTHOR
            
Teguh is an idealist pwner living encrypted in Indonesia.
He is passionate about security and currently defeating the CWE top 25.
He also can be found on Google+, Twitter, GitHub, Shelfari and your libc.