Encrypted DNS Request and Replies
Unlike most DNS services ENUM requests contain the sort of information that the NSA and telcos were caught up in the previous couple of years. Of late we have implemented our own name server software so we felt compelled to extend this to encrypt DNS requests and replies. We can only assume the only reason that the NSA is the only government spy agency that has made the news is because they were the only ones to get caught, not because they are the only ones doing it, or if others aren't doing it now they most likely will be within the next decade or so.
Besides the obvious government spy efforts, even if you have nothing to hide from any government, at least at this point in time, that doesn't mean you don't want to hide or conceal your personal information from your neighbours, employers, employees, your business competitors or whoever; the list can really go on and is unique to our own situations and what it is we're doing that we don't want others to know we're doing. No matter what you are doing there is bound to be someone you don't want sticking their nose into your business. After all, if we weren't worried about everyone knowing everything occurring in our lives we wouldn't put curtains up in our houses. Currently there is no internet draft nor RFC covering this subject as far as I/we are aware, but that will be the next step for us from here. The actual code doesn't decode the DNS response; I have compared the responses to a normal response and they matched, but my intention wasn't to re-invent the wheel, only to prove that encrypted and unencrypted DNS lookups could utilise the same name servers without too much trouble. DNS Encryption - e164.org Wiki If you really did want to do a dig replacement using this code it wouldn't be that difficult since most of the code is written; all you have to do is parse the information returned. Then again I'm pondering finishing the code simply so it can be easily integrated into things like FreePBX. I'll probably get yelled at by the DNS purists because I hacked it together and cheated a little in the process, but again my intent wasn't to do anything more than a simple proof of concept to prove that it could be done. I haven't designed the system to be ENUM specific and it should be usable for any DNS, although it's possibly not the best way to do things and I'd be open to further discussions on this topic. |
Just a quick update on this, it seemed to me that DNS is a little bit complicated for most people and those most likely to make use of this, such as those using FreePBX etc, might need a little extra help implementation wise. In the current form it can only be used directly from the command line, but I'm willing to work with others to integrate this with their software.
That said, I extended the proof of concept to be a full dig replacement, well more or less; it has a rather limited number of DNS types implemented, the same number that e164.org supports funnily enough :) The coding is done in the simplest way possible so that everyone should be able to pick it up and use it; obviously PHP code isn't the most efficient, at least when the code has to be started up over and over. If on the other hand it is being run as a daemon or fast-cgi/agi or as a module in something else then that is a different matter. So if anyone is the slightest bit curious about a fully working cryptographic DNS request/reply example, I have posted the full source to the wiki: DNS Encryption - e164.org Wiki |
I've also coded an AGI script for Asterisk; it has IPv6 support, although this isn't 100% correct, and it would be better if it was a FastAGI daemon instead of just a regular AGI script that Asterisk calls each time from the dial plan.
If it was a daemon, ideally you would want to be able to track which DNS servers it was getting the quickest responses from and primarily favour making DNS requests to those servers first, not to mention disabling IPv6 requests if IPv6 lookups fail. It's a work in progress I suppose, and the more I do the more ideas I come up with. http://www.e164.org/enum2.phps I've also coded and submitted a patch for FreePBX: #2797 (Encrypted ENUM Lookups) - FreePBX - Trac |
Just because I like to be a glutton for punishment I've also made a proper Encrypted ENUM Lookup FastAGI PHP script. I had a look at a couple of other FastAGI scripts made in PHP and I couldn't find one that didn't cheat! They all used inetd or similar instead of containing any sockets and forking code of their own.
This is a pretty basic first crack at it, but it is a self-contained daemon; you can use -v to prevent the main process from forking, but connections will still be forked to prevent locking while DNS lookups occur. The 128-bit key is only generated once during start up; this is both good and bad, good because urandom won't get hammered, bad because the memory could get extracted by another user, so maybe a config option to regenerate might be in order. It didn't occur to me that other ENUM lookup scripts we've produced didn't come with extension.conf examples too, so I've tried to document this script better. http://www.e164.org/enumlookup.fagi There's a bunch of todo stuff at the end of the top comment block; no doubt I have overlooked something or other, and there are sections that could be implemented better. I wonder if some people aren't taking me seriously because these proof of concepts were developed using PHP. |
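The RSA+AES design the posts above describe (a per-process 128-bit session key, a published server RSA key, a regenerate option), as an added illustration that is not the e164.org script; it is written in Ruby with the OpenSSL bindings rather than the thread's PHP, and the envelope layout, RSA-OAEP key wrapping and AES-128-GCM are assumptions here, since the posts do not spell out the wire format.

```ruby
require 'openssl'
require 'securerandom'

# Assumed envelope layout (the thread does not fix one): the session key
# wrapped with RSA-OAEP to the resolver's public key, plus the DNS packet
# sealed with AES-128-GCM under that key.
Envelope = Struct.new(:wrapped_key, :nonce, :sealed, :tag)

class Client
  attr_reader :key

  # The daemon in the post draws its 128-bit key once at start-up; rekey! is
  # the suggested "config option to regenerate" it, which limits what a key
  # lifted from process memory can decrypt to one rotation window.
  def initialize
    rekey!
  end

  def rekey!
    @key = SecureRandom.random_bytes(16) # 128-bit AES key from the system CSPRNG
  end

  # Client side: wrap the session key for the resolver and seal one DNS packet.
  def encrypt(pub, packet)
    wrapped = pub.public_encrypt(@key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
    cipher = OpenSSL::Cipher.new('aes-128-gcm').encrypt
    cipher.key = @key
    nonce = cipher.random_iv # fresh 12-byte nonce per packet, never reused under a key
    sealed = cipher.update(packet) + cipher.final
    Envelope.new(wrapped, nonce, sealed, cipher.auth_tag)
  end
end

# Resolver side: unwrap the session key, then open and authenticate the packet.
# Returns [key, packet] so the reply can be sealed under the same session key;
# a tampered envelope raises OpenSSL::Cipher::CipherError at final.
def resolver_open(priv, env)
  key = priv.private_decrypt(env.wrapped_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  cipher.key = key
  cipher.iv = env.nonce
  cipher.auth_tag = env.tag
  [key, cipher.update(env.sealed) + cipher.final]
end
```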
Debian OpenSSL bug
Unfortunately the RSA key I generated for e164.org for use with encrypted DNS requests/replies was on a machine affected by the OpenSSL bug, which means it needed to be regenerated and the public key published previously is no longer valid.
The new key is:
-----BEGIN PUBLIC KEY-----
DNS Encryption - e164.org Wiki |
Just a quick update on this: I've made a start on an internet draft document which can be found at Draft-groth-dns-encryption - Toronto Asterisk Users Group. As above, I initially was only going to use RSA+AES encryption and skip public keys/certificates, but the only way to get strong crypto then would be to get all name servers from . up to support it, which is a little optimistic at best.
I briefly thought about X.509 and ended up settling on using GPG keys instead as this has the potential to offer more flexibility in this particular case. I almost have a working proof of concept, with a few little bugs to squash yet, but they should be worked out soon I hope; once done, the internet draft and the code examples should match up. |
Well I finally brought the code up to spec to match the internet draft being written: Draft-groth-dns-encryption - Toronto Asterisk Users Group
I produced a FastAGI script that works in the 1.4.x version of Asterisk: http://www.e164.org/enumlookup-0.0.4.fagi The script doesn't currently verify or check cached certs or periodically check for revoked GPG keys, although this is all client side stuff and should be done, if for no other reason than to have a complete working example. The internet draft needs some spit and polish and it also needs some paragraphs on how the PGP web of trust can be used as a de facto 'Certificate Authority', using the masses to verify the servers of the world etc. |