DNS SEC confusion and frustration

Given my post about the difficulty of using encryption for queries between internal DNS servers and Internet-based DNS servers, I probably need to pursue moving to configuration 3, despite my fears.

Below are some things I have learned during the research phase.

DNS host names with known behaviors

• www.dnssec-failed.org is a canary which should always fail DNS SEC signature checking.
• Sites with DNS SEC signatures are not easy to find.
  pir.org is a DNS name that has DNS SEC configured correctly and should always validate.   I know nothing about the site, but I found the reference on a post that seemed to be from the site owner.
• Finding sites that do not use DNS SEC is pretty easy.   I used www.ford.com for some of my tests.

Forwarder selection

Because signature problems cause a ServFail error, traffic is not automatically blocked.   A client will try all available servers before giving up, so  you want to ensure that all forwarders are DNS-SEC aware.   As long as this is the case, even obsolete systems like XP will be protected from invalid results.  I discovered that my ISP has not enabled DNS SEC on any of its DNS servers, so I am removing their servers from my configuration, at both work and home.  Instead I will be using Neustar Public DNS and Quad9, as both of these provide bad-destination filtering as well as DNS SEC signature checking.

Utilities

Windows NSLOOKUP does not return any information about the AD bit because it is based on code from ISC.ORG, which has deprecated the utility.  The provide (free) downloads of BIND 9 for many platforms, including Windows.   You can install tools only, to obtain DIG as a replacement for NSLOOKUP.    You can also install BIND 9 as a full DNS server.

Windows implementation status

• XP / Server 2003 - Are DNS-Unaware (DO=0)
• Windows 7 and later desktops, and presumably Server 2008/2008R2 are DNS Aware as a stub resolver (DO=0 with CD=0)
• Server 2012 has full support for DNS SEC.   By default, signature checking is off.   You have to use PowerShell to do your own signature checking (CD=1)
• Server 2016 and later add support for signing internal domains, including signatures for DHCP-issued names and signature enforcement for internal domains, such as *.local, that do not have a parent structure to hold a trust anchor.

DNS Filtering options

There are multiple ways to implement filtering of high-risk DNS Names. 

• Quad9 returns NXDOMAIN (no such host name).   This causes the client to get an immediate failure, and no other DNS servers will be attempted.
  
  
• Neustar DNS returns an IP address for a web landing page on their servers.  Non-web traffic will receive a host-not-reachable error.  Web queries will receive a warning page.  In either case, the client will get an immediate result.  HTTPS sites will get a certificate error, so the landing page will only be displayed if the user clicks past the certificate error.  This approach is only viable if the blacklisted site is not DNS SEC signed, which is likely to be true but cannot be assured.   I have not determined how they behave if a domain is both signed and blacklisted.   However, I have used the canary hostname to confirm that if a site is incorrectly signed and not blacklisted, they return ServFail as expected.
  
  
• UTM IPS blocks the DNS reply for blacklisted host names.  This eventually causes a timeout, which eventually be detected as a ServFail by the client.   The client will then return any other available DNS servers.   If UTM is filtering all outbound traffic, UTM IPS can be expected to block all of the retries, causing the client to finally quit trying.   This is the slowest possible solution to DNS filtering, and provides no feedback to the user.  If UTM IPS does not filter all DNS traffic, the requester will eventually find the query path that is not blocked, and the request will succeed even though UTM attempted to block it.

Given my post about the difficulty of using encryption for queries between internal DNS servers and Internet-based DNS servers, I probably need to pursue moving to configuration 3, despite my fears.

Below are some things I have learned during the research phase.

DNS host names with known behaviors

• www.dnssec-failed.org is a canary which should always fail DNS SEC signature checking.
• Sites with DNS SEC signatures are not easy to find.
  pir.org is a DNS name that has DNS SEC configured correctly and should always validate.   I know nothing about the site, but I found the reference on a post that seemed to be from the site owner.
• Finding sites that do not use DNS SEC is pretty easy.   I used www.ford.com for some of my tests.

Forwarder selection

Because signature problems cause a ServFail error, traffic is not automatically blocked.   A client will try all available servers before giving up, so  you want to ensure that all forwarders are DNS-SEC aware.   As long as this is the case, even obsolete systems like XP will be protected from invalid results.  I discovered that my ISP has not enabled DNS SEC on any of its DNS servers, so I am removing their servers from my configuration, at both work and home.  Instead I will be using Neustar Public DNS and Quad9, as both of these provide bad-destination filtering as well as DNS SEC signature checking.

Utilities

Windows NSLOOKUP does not return any information about the AD bit because it is based on code from ISC.ORG, which has deprecated the utility.  The provide (free) downloads of BIND 9 for many platforms, including Windows.   You can install tools only, to obtain DIG as a replacement for NSLOOKUP.    You can also install BIND 9 as a full DNS server.

Windows implementation status

• XP / Server 2003 - Are DNS-Unaware (DO=0)
• Windows 7 and later desktops, and presumably Server 2008/2008R2 are DNS Aware as a stub resolver (DO=0 with CD=0)
• Server 2012 has full support for DNS SEC.   By default, signature checking is off.   You have to use PowerShell to do your own signature checking (CD=1)
• Server 2016 and later add support for signing internal domains, including signatures for DHCP-issued names and signature enforcement for internal domains, such as *.local, that do not have a parent structure to hold a trust anchor.

DNS Filtering options

There are multiple ways to implement filtering of high-risk DNS Names. 

• Quad9 returns NXDOMAIN (no such host name).   This causes the client to get an immediate failure, and no other DNS servers will be attempted.
  
  
• Neustar DNS returns an IP address for a web landing page on their servers.  Non-web traffic will receive a host-not-reachable error.  Web queries will receive a warning page.  In either case, the client will get an immediate result.  HTTPS sites will get a certificate error, so the landing page will only be displayed if the user clicks past the certificate error.  This approach is only viable if the blacklisted site is not DNS SEC signed, which is likely to be true but cannot be assured.   I have not determined how they behave if a domain is both signed and blacklisted.   However, I have used the canary hostname to confirm that if a site is incorrectly signed and not blacklisted, they return ServFail as expected.
  
  
• UTM IPS blocks the DNS reply for blacklisted host names.  This eventually causes a timeout, which eventually be detected as a ServFail by the client.   The client will then return any other available DNS servers.   If UTM is filtering all outbound traffic, UTM IPS can be expected to block all of the retries, causing the client to finally quit trying.   This is the slowest possible solution to DNS filtering, and provides no feedback to the user.  If UTM IPS does not filter all DNS traffic, the requester will eventually find the query path that is not blocked, and the request will succeed even though UTM attempted to block it.