
This is pretty much DNS spoofing on a local network, including DNSSEC, but I believe it should be somehow possible since I'm the legitimate owner of the domain.

I'm planning to provide a service during 1-2 day events. The service will be available to visitors on a local wifi network, which, however, can't be connected to the Internet. I'd like it to be available using a domain (let's use example.com.), but I'd also like to achieve that if you connect to that domain from outside (e.g. mobile data by accident), it shows a different, cloud-hosted web page.

This is my thought on how it should be possible, but I'm new to DNSSEC, so I'd like to verify that I'm not missing something.

  1. I create a single Key-signing key, which I use to create public DNS records hosted at (ns.example.com). Via my registrar, I upload the NS record, DS record and glue records with the IP of the public nameserver to the com. registry.

  2. I host my own DNS server on the local network.

  3. I configure the DHCP server on the local network to provide the IP address of that local DNS server as the default DNS resolver.

  4. Before the event, I populate the DNS server config with fresh "partial" zone files of root and com. (by making queries for the needed records and saving the outputs).

  5. Finally, I create and upload a set of DNS records for example.com. to be used in the local network, signed with the same KSK as the public records.

Questions:

  1. Am I making some big mistake in my thought process above? Would this setup work? Can I host authoritative-like zones on a different nameserver than the SOA/NS specify?

  2. Is it unsafe/bad to modify the NS records in "parent zones" (com. IN NS in the root zone, example.com. IN NS in the com. zone)? They aren't signed; they are only signed in "themselves".

  3. What about glue records (the A record for ns.example.com. in the com. zone to prevent a circular dependency)? Those don't seem to be signed either.

  4. Which records do I need to fetch in pt. 4? Obviously SOA, DS, and the respective RRSIGs for com./example.com., but anything else?

  5. (Bonus question): Are there DNS hosting services allowing uploading custom private keys/RRSIGs, or do I need to set up my own nameserver in pt. 1? (It seems that the public records don't need to be hosted on ns.example.com. - the NS record for example.com. in the com. zone isn't signed, so I can replace it and add a glue record. Then the self-NS record in example.com. can be changed, as I have the key for the zone.)

M. Volf
  • "The service will be available to visitors on a local wifi network" What is the added value you see in DNSSEC for that specific case? If you want your users to be tied to your DNS service they have to trust it anyway, putting a signature does not add anything security wise. – Patrick Mevzek Feb 09 '21 at 22:50
  • As for "but I'd also like to achieve that if you connect to that domain from outside (e.g. mobile data by accident)", any nameserver software should have the concept of "split view", where you can basically serve completely different zonefiles to different clients based on their IP address. I fail to understand, however, how on one side your network is not connected to the Internet and on the other it has to reply to outside queries. Maybe it is simpler just to have different nameservers, the external ones being advertised as normal, the internal ones being forced at the recursive service your users have. – Patrick Mevzek Feb 09 '21 at 22:51
  • "What about glue records"..."Those don't seem to be signed either". By design. DNSSEC does not sign data at the parent, since the child is authoritative. Glue records are just there to help resolution; they are at the parent, which is not authoritative for them. – Patrick Mevzek Feb 09 '21 at 22:52
  • @PatrickMevzek thanks for your remarks. As for your q1: my thought was that when I use DNSSEC on the public domain, I need to use it on the internal domain too (as clients could be suspecting "why did I get a DNSSEC response before, but not now?"). As for 2), it doesn't reply to outside queries. The idea was to host an info site publicly, with some notice like "connect to our wifi to access our systems". And 3) - yes, I know, I just wanted to make sure it's fully safe to replace them. – M. Volf Feb 09 '21 at 23:09
  • "why did I get a DNSSEC response before, but not now?" Besides the DNS caches and TTL, as it is completely valid for a domain to go from DNSSEC to no DNSSEC, such a transition doesn't trigger any alarm. It could/should in the grand scheme of the universe, but if that happens it means the attacker is at least capable of changing answers from the parent nameservers (for the `DS` queries), which is a completely different pattern of problems. In short, I still think you are creating a far too complicated setup for a 1 or 2 day event. Loosely related, look at RFCs 3258, 7706, and RFC 8767. – Patrick Mevzek Feb 09 '21 at 23:33
  • Look at `dnsmasq` for an easy case of recursive nameserver injecting authoritative data. Or `unbound` with `local-zone`/ `local-data` configuration items. – Patrick Mevzek Feb 09 '21 at 23:34
  • But if I wanted to not deal with DNSSEC, it would require not using DNSSEC on the public "side" of the domain either: in the local network 1. I don't provide any signatures for the domain 2. oh wait, but there is the DS record in the `com.` zone saying that the `example.com` zone is signed. OK, I'll just strip that 3. but the DNSSEC spec requires providing an NSEC3 record, which I can't make up, because I don't have the key for the `com.` zone (see `dig +dnssec @a.ns.nic.cz google.cz ns` vs `dig +dnssec @a.ns.nic.cz seznam.cz ns`). Yes, I admit this all is overcomplication, but it should be possible. – M. Volf Feb 11 '21 at 16:39
  • Just use 2 different names or a subdomain (the parent can be signed, but not the child), that would make your life far simpler, for something lasting 2 days it seems not useful to overengineer this. Or just have a single zonefile no matter the access and let the application (not the DNS), differ in its results based on the source. – Patrick Mevzek Feb 11 '21 at 16:47
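The chain-of-trust link that step 5 of the question and the comments about `DS` revolve around (the DS in com. pins the child's KSK, while NS and glue sit outside the parent's signature), as an added Python example that is not code from the thread: it computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS from constructed placeholder key bytes (not real ECDSA keys) and checks whether a DNSKEY RRset served by a local example.com. zone still matches the DS the parent publishes.

```python
"""Added example: what the DS record in the parent (com.) zone actually pins.
Key bytes below are constructed placeholders, not real DNSKEY material."""
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA = flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag, computed over the whole DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, hex SHA-256) as the parent zone publishes it.
    The digest covers owner name + DNSKEY RDATA, so the key is bound to this exact name."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], 2, digest

def ds_matches(parent_ds: tuple, owner: str, child_dnskeys: list) -> bool:
    """True if any DNSKEY the child serves hashes to the parent's DS.
    A validating resolver accepts the child's DNSKEY RRset only through this link;
    which nameserver answered (NS, glue) plays no part in it."""
    return any(ds_record(owner, k) == parent_ds for k in child_dnskeys)

# Constructed KSK (flags 257, algorithm 13) used for the public example.com. zone.
KSK_PUBLIC = dnskey_rdata(257, 3, 13, bytes(range(64)))
# Constructed ZSK-style key (flags 256) that differs from the KSK.
KEY_OTHER = dnskey_rdata(256, 3, 13, bytes(range(64, 128)))
# The DS the registrar would place in com. for that KSK.
PARENT_DS = ds_record("example.com.", KSK_PUBLIC)

if __name__ == "__main__":
    print("DS in com. for example.com.:", PARENT_DS)
    print("local zone signed with the same KSK matches DS:",
          ds_matches(PARENT_DS, "example.com.", [KSK_PUBLIC, KEY_OTHER]))
    print("local zone with a different key matches DS:",
          ds_matches(PARENT_DS, "example.com.", [KEY_OTHER]))
```

Only the first check passes: a local zone re-signed with a different KSK fails at the DS link no matter how the NS and glue records are rewritten, which is why the question's step 5 keeps the same KSK.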
