<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/css" href="/stylesheets/rss.css"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
  <channel>
    <title>bert hubert finally blogs: Holy cow! 1.3 million additional IP addresses served by PowerDNS</title>
    <link>http://blog.netherlabs.nl/articles/2006/04/14/holy-cow-1-3-million-additional-ip-addresses-served-by-powerdns</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description>code, musings and more</description>
    <item>
      <title>Holy cow! 1.3 million additional IP addresses served by PowerDNS</title>
      <description>&lt;p&gt;Went for dinner yesterday with a friend of mine at one of the &lt;a href="http://www.iens.nl/english/restaurantsIn/DenHaag/restaurant.htms?a=Delft&amp;amp;k=26&amp;amp;r=3190"&gt;Indian restaurants&lt;/a&gt; here in Delft. This place is marvelous. It has had a non-working phone number listed on its window for the past 8 years. The music is probably not agreeable even for people from India. The beer tends to taste a bit funny. The entrance is dark, and looks like it has been burgled repeatedly. The staff is clumsy. But the food! Oh my.&lt;/p&gt;

&lt;p&gt;Ate too much and went home a bit sleepy.&lt;/p&gt;

&lt;h2&gt;Surprise email&lt;/h2&gt;

&lt;p&gt;One of the interesting bits about authoring an open source program is that you know both a lot and nearly nothing about your customers. Sometimes PowerDNS users share everything with me and other developers. I&amp;#8217;ve been mailed more root passwords than I care to remember (I have a fully functioning PGP key btw, please use it if you trust me with passwords!).&lt;/p&gt;

&lt;p&gt;On the other hand, there are a lot of &amp;#8216;stealth users&amp;#8217; who don&amp;#8217;t come out of the closet. I tend to hear from them only if they hit a problem - which is rare. &lt;/p&gt;

&lt;p&gt;So imagine my surprise yesterday when one of the larger access providers in Europe, with a double digit market share in their large country, suddenly announced they&amp;#8217;d switched all their nameservers to PowerDNS. 1.3 million additional homes served by my humble code.&lt;/p&gt;

&lt;p&gt;I can tell you, that rattles me. Especially since DNS is absolutely 100% vital to using the internet. &lt;/p&gt;

&lt;p&gt;So, that inspired me to take the last step in attempting to make PowerDNS the best recursor on the planet.&lt;/p&gt;

&lt;h2&gt;Spoofing&lt;/h2&gt;

&lt;p&gt;If you can fool DNS, you can fool a user. DNS is the phone book of the internet, if you manage to give out false data, browsers will head to the wrong servers. Same goes for email. All very bad.&lt;/p&gt;

&lt;p&gt;The worse news is that DNS is a breeze to &amp;#8220;spoof&amp;#8221;, in other words, it is easy to slip in bad data. I set up a somewhat contrived network here today and I was able to spoof both BIND 9 and PowerDNS in less than two seconds. I must admit that the conditions I tested under were highly ideal, but nothing that can&amp;#8217;t be achieved in the real world with concerted effort. &lt;/p&gt;

&lt;p&gt;And given the huge number of people I now feel responsible for, this is unacceptable. &lt;/p&gt;

&lt;p&gt;One of the brightest people I know, &lt;a href="http://cr.yp.to"&gt;Dan J. Bernstein&lt;/a&gt;, also writes &lt;a href="http://cr.yp.to/djbdns.html"&gt;nameservers&lt;/a&gt;. He can be very stubborn and opinionated, but some of his ideas are first rate. You have him to thank (in part) for today&amp;#8217;s &lt;a href="http://cr.yp.to/export.html"&gt;more liberal&lt;/a&gt; cryptography research climate as well. So, I took a lot of inspiration from his work. Read more below. &lt;/p&gt;

&lt;p&gt;To spoof a nameserver, one needs to know three things:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Which questions the target nameserver (&amp;#8216;spoofee&amp;#8217;) is asking&lt;/li&gt;
&lt;li&gt;The exact network end-point it is expecting answers on&lt;/li&gt;
&lt;li&gt;The 16-bit ID of the question&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;You can generally figure out 1) pretty easily, especially if you can force a nameserver to make queries. 2) is easy if the network end-point doesn&amp;#8217;t change. 3) can be dealt with by scanning all 65536 ids.&lt;/p&gt;

&lt;p&gt;I reduced all three factors today:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;I made the &lt;a href="http://wiki.powerdns.com/projects/trac/changeset/697"&gt;PowerDNS recursor default to not accepting questions from the internet at large&lt;/a&gt;. This reduces the chances of a spoofer to force questions.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;I copied Dan J. Bernstein&amp;#8217;s system of using a new random network end-point for each question, which means you&amp;#8217;ll have to try to guess this end-point too, just like you have to guess the ID. This does put a heavy load on the OS as we now have to listen to perhaps thousands of ports! So I made this optional, but on by default.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;If the recursor sees more than 20 failed guesses for the ID, it considers the whole query timed out. I spent a heap of time thinking &lt;a href="http://wiki.powerdns.com/projects/trac/changeset/699"&gt;how to do this elegantly&lt;/a&gt;; I had to lie down at one point and close my eyes briefly. This may look like a sinful mid-day nap but don&amp;#8217;t let appearances fool you! The solution is to only do the accounting once a packet with a proper ID is in, and deal with it then, and not keep a list of failed guesses.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;This was literally the last major piece of PowerDNS that was not &amp;#8216;best of breed&amp;#8217;. Now all I need to do is clean up the code a tad and integrate full IPv6 support, and it should be Perfect.&lt;/p&gt;

&lt;p&gt;Wonder what I&amp;#8217;ll do then though :-)&lt;/p&gt;

&lt;h2&gt;Mirjam&lt;/h2&gt;

&lt;p&gt;I haven&amp;#8217;t mentioned my good friend and wife Mirjam enough, and she&amp;#8217;s complained a bit. So for the record, Mirjam has been doing a fine job, or at least making a valiant attempt, at making me leave the computer every once in a while. And I think she still believes me a bit when I say PowerDNS is &amp;#8216;nearly done&amp;#8217;. Now I have to believe it too.&lt;/p&gt;</description>
      <pubDate>Fri, 14 Apr 2006 22:48:00 +0200</pubDate>
      <guid isPermaLink="false">urn:uuid:6caba3ed-df18-411f-b8fc-520e95146d67</guid>
      <author>bert.hubert@netherlabs.nl (bert hubert)</author>
      <link>http://blog.netherlabs.nl/articles/2006/04/14/holy-cow-1-3-million-additional-ip-addresses-served-by-powerdns</link>
      <category>Linux</category>
      <category>PowerDNS</category>
      <category>Netherlabs</category>
      <category>Life</category>
      <trackback:ping>http://blog.netherlabs.nl/articles/trackback/30</trackback:ping>
    </item>
  </channel>
</rss>

