Thursday, January 5, 2017

enforcing DNSSEC client validation with FAUCET

DNSSEC is considered very important, because it provides a way for a DNS client to validate results.

However, not all DNS servers, will perform this validation on behalf of their clients (or the clients may be configured to use the wrong resolvers).

Using FAUCET with some NFV, though, you can force clients to use a validating DNS server.

First, you'll need to provide an NFV'd DNS server that performs validation. There is a guide for BIND - it boils down to a couple of extra configuration settings.

Then, you'll need to configure FAUCET to intercept DNS requests, and output them to the NFV port where the DNS server is. Here is a FAUCET config snippet that does that:

In this example, we force DNS requests, UDP and TCP, to go out port 1, VLAN 2001, which is where the NFV'd DNS server is running.

acls:
    2001:
    # Force DNS
        - rule:
            dl_type: 0x800
            nw_proto: 17
            tp_dst: 53
            actions:
                output:
                    vlan_vid: 2001
                    port: 1
        - rule:
            dl_type: 0x800
            nw_proto: 6
            tp_dst: 53
            actions:
                output:
                    vlan_vid: 2001
                    port: 1
        - rule:
            actions:

                allow: 1
...

        interfaces:
            1:
                tagged_vlans: [2001,2002,2003]
                name: "port1.0.1"
                description: "windscale"
            2:
                native_vlan: 2001
                name: "port1.0.2"
                description: "vek-x"
                acl_in: 2001


Next, we configure the NFV host to intercept those DNS requests. This can be done with iptables - for example (the NFV host's IP, is 192.168.1.1).

-A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -i br1 -p udp --dport 53 -j DNAT --to-destination 192.168.1.1

Any client on port 2 is now compelled to use that DNS server (and only that DNS server). For example, they can visit a test site which will verify that DNSSEC is being used.

You might imagine using the same technique to force proxy other protocols, such HTTP, etc.



No comments:

Post a Comment

Note: Only a member of this blog may post a comment.