《DNS导论与安全问题》由会员分享,可在线阅读,更多相关《DNS导论与安全问题(11页珍藏版)》请在金锄头文库上搜索。
1、1台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination CenterDNS導論與安全問題TWCERT/CC 魏銪志台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination Center什麼是DNSn DNS全名n Domain Name Systemn 領域名稱解析系統、網域名稱系統n 領域名稱(Domain Name)與IP位址的轉換n將較容易記憶的主機名稱,轉譯成IP 位址,可以不用強記IP位址。2台灣電腦網路危機處
2、理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination CenterDNS的架構n DNS系統基本是採樹狀階層式(hierarchy)的架構n 分散管理n 分散儲存n 分散查詢台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination CenterDNS的重要性n 沒有DNS,Internet沒有辦法將hostname轉換成IP位址n DNS系統所造成的影響是全面性的n 無法存取Web Server,並不會影響SMTP Server但如果DN
3、S有問題?n 部份的Firewall或Proxy系統使用hostname的ACL作為限制的依據,DNS有問題則防禦網可能崩潰3台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination CenterDNS運作原理n Recursive(遞迴式)n 客戶端只丟出一個詢問給其所屬的DNS伺服器n DNS伺服器就會不斷地查詢,直到有結果為止n 最後把結果傳回來給客戶端n Iterative(交談式)n 詢問其他DNS伺服器是否知道結果n 如果沒有這個記錄,則會傳回一個參考位址,也許這個位址可以查到需要的資料。n 一般
4、來說Resolver對local DNS server 都是Recursive Query; 而DNS server 之間的查詢則多是Iterativen 大部份的DNS server 都可以接受Recursive 和Iterative 兩種查詢方式;但考量負載問題,Root name server 只接受Iterative查詢台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination CenterDNS安全考量因素n 系統設定問題n Zone Transfern DNS實作問題n System Vulnera
5、bilityn DNS Spoofingn DNS ID hackingn DNS cache poisoningn DNS規劃與管理問題n Split Horizon DNSn Split-Service DNSn 將DNS安裝在專屬機器上n Information leakn DOS & DDOS4台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination Center.COM Zones Misconfiguredn 68.6% 的.COM 區域DNS設定有問題Domain Health Survey 2
6、002.11 http:/ Computer Emergency Response Team / Coordination CenterSingle Point of FailureSingle Point of Failure Percentage (N=5000) Change since Aug 02 Change since May 01 All name servers on the same subnet 28.1% +0.5 +2.6 Only one authoritative name server 6.6% -0.8 +0.6 Domain Health Survey 20
7、02.11http:/ Computer Emergency Response Team / Coordination CenterZone Transfer問題(1)Zone Transfer Results Percentage (N=5000) Change since Aug 02 Change since Nov 98 No server allowed zone transfer 38.6% -1.0 -24.96 Some server blocked zone transfer 6.0% +3.3 -0.36 All name servers allowed zone tran
8、sfer 55.3% -1.2 -24.0 Domain Health Survey 2002.11http:/ 使用者可透過此種方式,得知整個IP 位址或網域名稱的資料。台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination CenterZone Transfer問題(2)n Hacker取得這些資訊的用途n 確認目標n 獲得相關資訊n How many hosts you haven What makes and models you haven What their names are n 可經由na
9、med.conf檔案中,設定限制對象或不啟動allow-transfer 選項,以防範這類的問題。6台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination Center避免SPOF的方法(1)n 不要把雞蛋放在同一個籃子裏!n 網路方面n Dont place all the DNS Servers in the same subnet with the single choke point or router.n Dont put all of the DNS servers behind a singl
10、e leased linen Always distribute the DNS Servers in different network in different routing paths.台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination Center避免SPOF的方法(2)n 主機方面n At least two different server hostsn Runningthe DNS on different platforms of hardware/OSn 管理的複雜度的增加!n Di
11、fferent versions of DNS Server Software Or Different DNS Servers Softwaren Choose other alternativesn Arrange Off-site slave name server7台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination CenterSystem Vulnerability(1)n New vulnerabilities are found in DNS Server all the timen 可能
12、的原因n DsignPhasen Implementation Phasen Operation Phasen Human Naturen 可能的運用方式n Buffer Overflown Format Stringn Etc台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination CenterSystem Vulnerability(2)n 可能造成的結果n Program Errorn Gain Privilegen Denial of Servicen Information Leakn Backdo
13、or/trojan8台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination CenterSystem Vulnerability(3)n These vulnerabilities are usually patched quicklyn Stay current with the lastestrelease or patch updaten Join the mailing list that announces the lastestrelease or patch update to keep yo
14、u informed.n TWCERT/CC Advisoryn http:/www.cert.org.tw/document/advisory台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination CenterSplit Horizon DNSn 有時DNS提供太多的資訊,可以很明確的得知系統或網路結構n 有效隱蔽內部DNS結構n 將DNS Server區分為外部DNS與內部DNSn 內部必須以防火牆隔離,嚴防內部結構外洩9台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergenc
15、y Response Team / Coordination CenterSplit Service DNSn Consider creating two kinds of name server, eachoptimized for a particular function:n Advertising name servers:n Authoritative for zones to “advertise” to the Internetn Listed in parent zones NS recordsn Queried only by other name serversn Non-recursiven Resolving name servers:n Authoritative for “internal” zonesn Queried only by known resolvers(or forwarding nameservers)n Answer recursive queries from trusted sources台灣電腦網路危機處理中心暨協調中心Taiwan Computer Emergency Response Team / Coordination Center將D
