Click Here To Visit SIP Broker  

Go Back   Voxalot / SIP Broker Support Forums > ENUM.164 > e164.org Support

e164.org Support Support forum for the e164.org ENUM directory

 
 
Reply
Thread Tools Display Modes
Unread 04-19-2008, 08:22 AM   #1
evilbunny
Senior Member
 
Join Date: Feb 2006
Posts: 176
Thanks: 0
Thanked 14 Times in 10 Posts
evilbunny is on a distinguished road
Default Encrypted DNS Request and Replies

Unlike most DNS services ENUM requests contain the sort of information that the NSA and telcos were caught up in the previous couple of years. Of late we have implemented our own name server software so we felt compelled to extend this to encrypt DNS requests and replies. We can only assume the only reason that the NSA is the only government spy agency that has made the news is because they were the only ones to get caught, not because they are the only ones doing it, or if others aren't doing it now they most likely will be within the next decade or so.

Besides the obvious government spy efforts, even if you have nothing to hide from any government, at least at this point in time, that doesn't mean you don't want to hide or conceal your personal information from your neighbours, employers, employees, your business competitiors or whoever the list can really go on and is unique to our own situations and what it is we're doing that we don't want others to know we're doing. No matter what you are doing there is bound to be someone you don't want sticking their nose into your business. After all, if we weren't worried about everyone knowing everything occurring in our lives we wouldn't put curtains up in our houses.

Currently there is no internet draft nor RFC covering this subject as far as I/we are aware, but that will be the next step for us from here.

The actual code doesn't decode the DNS response, I have compared the responses to a normal response and they matched but my intention wasn't to re-invent the wheel only prove that encrypted and unencrypted DNS lookups could utilise the same name servers without too much trouble.

DNS Encryption - e164.org Wiki

If you really did want to do a dig replacement using this code it wouldn't be that difficult since most of the code is written, all you have to do is parse the information returned, then again I'm pondering about finishing the code simply so it can be easily integrated into things like FreePBX.

I'll probably get yelled at by the DNS purists because I hacked it together and cheated a little in the process, but again my intent wasn't
to do anything more than a simple proof of concept to prove that it could be done.

I haven't designed the system to be ENUM specific and should be usable for any DNS although it's possibly not the best way to do things and I'd be open to further discussions on this topic.

.
evilbunny is offline   Reply With Quote
Unread 04-23-2008, 09:51 AM   #2
evilbunny
Senior Member
 
Join Date: Feb 2006
Posts: 176
Thanks: 0
Thanked 14 Times in 10 Posts
evilbunny is on a distinguished road
Default

Just a quick update on this, it seemed to me that DNS is a little bit complicated for most people and those most likely to make use of this, such as those using FreePBX etc, might need a little extra help implementation wise. In the current form it can only be used directly from the command line, but I'm willing to work with others to integrate this with their software.

That said I extended the proof of concept to be a full dig replacement, well more or less, it has a rather limited number of DNS types implemented, the same number that e164.org supports funnily enough

The coding is done in the simplest way possible so that everyone should be able to pick it up and use it, obviously PHP code isn't the most efficient, at least when the code has to be started up over and over. If on the other hand it is being run as a daemon or fast-cgi/agi or as a module in something else then that is a different matter.

So if anyone is the slightest bit curious for a fully working cryptographic DNS request/reply example, I have posted the full source to the wiki:
DNS Encryption - e164.org Wiki
evilbunny is offline   Reply With Quote
Unread 04-23-2008, 09:52 AM   #3
evilbunny
Senior Member
 
Join Date: Feb 2006
Posts: 176
Thanks: 0
Thanked 14 Times in 10 Posts
evilbunny is on a distinguished road
Default

I've also coded an AGI script for Asterisk, has IPv6 support, although this isn't 100% correct, and it would be better if it was a fastagi daemon instead of just a regular agi script that asterisk calls each time from the dial plan.

If it was a daemon ideally you would want to be able to track which DNS servers it was getting the quickest responses from and primarily favour making DNS requests to those servers first, not to mention disabling IPv6 requests if IPv6 lookups fail.

It's a work in progress I suppose, and the more I do the more ideas I come up with.

http://www.e164.org/enum2.phps

I've also coded and submitted a patch for FreePBX:

#2797 (Encrypted ENUM Lookups) - FreePBX - Trac
evilbunny is offline   Reply With Quote
Unread 04-23-2008, 09:53 AM   #4
evilbunny
Senior Member
 
Join Date: Feb 2006
Posts: 176
Thanks: 0
Thanked 14 Times in 10 Posts
evilbunny is on a distinguished road
Default

Just because I like to be a gluten for punishment I've also made a proper Encrypted ENUM Lookup FastAGI PHP script. I had a look at a couple of other FastAGI scripts made in PHP and I couldn't find one that didn't cheat! They all used inetd or similar instead of containing any sockets and forking code of their own.

This is a pretty basic first crack at it, but it is a self contained daemon, you can you -v to prevent the main process from forking, but connections will still be forked to prevent locking while DNS lookups occur.

The 128bit key is only generated once during start up, this is both good and bad, good because urandom won't get hammered, bad because the memory could get extracted by another user, maybe a config option to regenerate might be in order.

It didn't occur to me that other enum lookup scripts we've produced didn't come with extension.conf examples too, so I've tried to document this script better.

http://www.e164.org/enumlookup.fagi

Bunch of todo stuff at the end of the top comment block, no doubt I have overlooked some thing or other, and there is sections that could be implemented better. I wonder if some people aren't taking me seriously because these proof of concepts were developed using PHP.
evilbunny is offline   Reply With Quote
Unread 05-14-2008, 12:56 AM   #5
evilbunny
Senior Member
 
Join Date: Feb 2006
Posts: 176
Thanks: 0
Thanked 14 Times in 10 Posts
evilbunny is on a distinguished road
Default Debian OpenSSL bug

Unfortunately the RSA key I generated for e164.org for use with encrypted DNS requests/replies was on a machine affected by the OpenSSL bug, which means it needed to be regenerated and the public key published previously is no longer valid.

The new key is:

Code:
-----BEGIN PUBLIC KEY-----
MIICAjANBgkqhkiG9w0BAQEFAAOCAe8AMIIB6gKCAeEAorGbkc81xGWePkinYXbLM
f/rDwepU/etd2ycfwsToxwnt6iHf7hO9ycjOmYpYG4uMG0PmYISaBiwWd55qpUUgI
nhwVFMGX8KOe6c3nreQ9iKQWYu47A2QVk81qX3k5UvjY+Ab63Mg63GtA/DQ7ScI+S
MJuPCkVlXaUy82xeR7zs1eGYI20/mcNoB/nM5OcSpkSJ0dPXFSTmC9DKLd0emUZX9
PdTfz7iKzjWYSg5DOlJwnggeErzDeTHVPoHOa+jT5JkVHzX5wSR2oyN65/s5rswCf
gjqi8lyO+zCSZiu9ZdtvFeLHcmDAkKh610iTdH8WeHt4HSp61yppQ/wnVqrguDms1
ER5lNt70pB+qIZStyB4DXjlXK4PkEAWTwJRV8E0Ix7hbcJ9IuwVxUUbTqyCWRFVed
dSVoMN9yI6eHKoGzFXRojncBRK0Rtq9F1yEKnP7lz1QB3XUdZ28ipW1Flg2zsWsKL
PbKoyn5A0Q8TJRiXDpEkBhwwWaoaxDR1xy8UDOIWt/9Rf0sgjfjmN649gXqAnaysr
WcpPO130W4u5SOyRZnQhGk2Jw+4hEub9c1/Fcf3la1BaMlMIzIJqfUwoTMRlakBFE
faMmgFGT57Kfng+c7gb5ecipKVrMRXbjNdAgMBAAE=
-----END PUBLIC KEY-----
and I've updated the php code on the wiki:

DNS Encryption - e164.org Wiki
evilbunny is offline   Reply With Quote
Unread 06-26-2008, 05:32 PM   #6
evilbunny
Senior Member
 
Join Date: Feb 2006
Posts: 176
Thanks: 0
Thanked 14 Times in 10 Posts
evilbunny is on a distinguished road
Default

Just a quick update on this, I've made a start on an internet draft document which can be found Draft-groth-dns-encryption - Toronto Asterisk Users Group . As above I initially was only going to use RSA+AES encryption and skip public keys/certificates but the only way to get strong crypto then would be to get all name servers from . up to support it which is a little optimistic at best.

I briefly thought about X.509 and ended up settling on using GPG keys instead as this has the potential to offer more flexibility in this particular case.

I almost have a working proof of concept, few little bugs to squash yet, but should be worked out soon I hope, once done the internet draft and the code examples should match up.
evilbunny is offline   Reply With Quote
Unread 06-28-2008, 07:44 AM   #7
evilbunny
Senior Member
 
Join Date: Feb 2006
Posts: 176
Thanks: 0
Thanked 14 Times in 10 Posts
evilbunny is on a distinguished road
Default

Well I finally brought the code up to spec to match the internet draft being written: Draft-groth-dns-encryption - Toronto Asterisk Users Group

I produced a fastagi script that works in 1.4.x version of asterisk: http://www.e164.org/enumlookup-0.0.4.fagi

The script doesn't currently verify or check cached certs or periodically check for revoked GPG keys, although this is all client side stuff and should be done if for no other reason than to have a complete working example.

The internet draft needs some spit and polish and it also needs some paragraphs on how the PGP web of trust can be used as a defacto 'Certificate Authority' using the masses to verify the servers of the world etc.
evilbunny is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 06:40 AM.


Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.