Of course there's going to be this delay of me watching the screen, seeing if it wakes up. Yeah, the swapping around works. Okay, so welcome everybody, we'll get started here in about a minute. I don't want to rush anybody.

How, we can see it again? Good, the stream seems to be live. So for those of you asking where the live Q&A schedule is, you should be able to see that on the DEF CON website. For those of you who are ready to ask questions of our amazing speakers, one of whom is standing on a roof and the other is in a yellow room, we will proceed right now, actually. So hello everyone, I'm Fallible. I'm going to be one of your goons. I get it's over here and we have Shaw and Hadrian, or Hadrian, he didn't correct me earlier when I think I said both.

And he's fine. Any is fine.

All right. Go ahead and give us a moment, actually, tell us the name of your presentation and we'll just get into asking some questions.

So the presentation is DNSSECTION, and I mean, that's already quite good.

Yeah, it's a really good name, I've got to say. I love it when there's a nice pun in a presentation name. So thank you both very much for joining us for the Q&A portion. For any of you looking for their presentation, you should be able to find that on the DEF CON YouTube page. Let's get started with a pre-arranged question that you sent me, because you were really, really nice to us. So, which equipment slash tools do I need to perform this attack?
Well, I guess I can answer this one. Basically you only need your computer and the few tools we have presented in the talk, so one to get hashes and one to break hashes. So just nsec3walker, then hashcat, is more than enough to perform this attack. Obviously if you have a big GPU it's much easier, but even on the CPU you can use John the Ripper to actually get quite a lot of DNS records, so you can really do this at home. And in fact, we've made a little challenge on the website, on the last slide, so dnssection.ovh, and if you want to try the tools specifically, on our website you can then send us the hashes that you've broken and we will put up some scores and see who's the best at it. So anyone can try it easily at home, but it's much better with a big GPU. Oh, it's on now.

See, that's excellent. We'll make sure that we put that in the track one chat here so people can access that without having to guess. So good. And I love that what you've come up with here is something that's very accessible for folks, and it looks to me like it's a good place for people to enter into doing this type of work. There's a lot of presentations that go way over folks' heads if they're beginners, or that need a bunch of extra tools set up, and it looks to me like you folks have done one that's going to be very accessible. So thank you for that. Um, so what did you do with all the data that you got, and how much did you get paid by insert-evil-company for the whole data set? But so, what would you do with all this data?

Perhaps I can answer this one. Surprisingly perhaps, we have not done anything with it. We have the data and we didn't even exploit it to its fullest potential. So we've been very nice and very kind.

That is very nice.
You could have done so much interesting stuff. Yes, extend that a little bit then and help me understand, if you wanted to, what would be the next step that somebody could take with it and not get ourselves in trouble with the lawyers?

Well, you have already a lot you can do just by looking at the data itself. That's part of what we've been doing, and we've provided statistics about it in the talk and in the slides, but really you can do much more than that. You can compare the data that you got from this with data you've got from somewhere else, either from, I don't know, some other tool, or from knowledge you've got from research or OSINT or whatever. So really it's just one tool in the whole toolbox you can get to extract information, and I wouldn't say that all the other tools are completely legal. I wouldn't say that you wouldn't get into trouble by using the information you get that way. So use that at your own risk and be very careful with it. But it's public information, it's publicly displayed. It's just that the information itself is meant to be private. It's meant to be hidden, and it's on public display. So I think that's one way to answer your question. You can really do a lot if you use that data and collate it with other sources of data, and actually input whatever you got, email addresses, into a database of broken passwords, and then you get access to that email address, for instance. And I think Hadrian may have other ideas as well, what to do with it.

Oh, actually, legally, over your ideas, I think you've pretty much said everything.

I like the restraint there, that makes a lot of sense. Okay, that's useful to know. So how much did it cost for you to run this GPU attack?
Well, in practice it did cost us absolutely nothing except basically some time to set up the things, because we got access to some free GPU time. But I did try to estimate how much it would have cost us if we had, for example, just rented an AWS GPU instance, and I do estimate the cost of the attack between $1,000 and $2,000. However, if I had only used maybe a tenth of the time we were able to use, I think we would maybe have found at least 80% of the number of hashes we were able to find with 10 times more power. So even with your laptop, even without a GPU and only a simple laptop CPU, I think you can easily get maybe two-thirds of the hashes we were able to crack with our big GPU.

It was hitting that classic 80/20 rule then.

Yes, basically, pretty much that.

We do have a couple of questions from the chat if you'd like to, so one is: what are some additional examples of confidential information that are being stored in DNS?

So the question is whether there was confidential information?

I think they're asking, other than the emails that you were able to pull out, were there other examples of information that people would expect to be confidential that you were able to pull out?

Perhaps we can say more about the kind of things we found. Well, specifically on OVH there was nothing else we were able to find, and we did not really look much for other kinds of data. We were quite happy with what we found there. But there are some other examples of such private info, for example if you take the DomainKey records. Some people might know about this.
It's one of the various DNS records you put up to avoid email spam and things like that. There's a very recent article or blog post, I forgot, about someone mining for all these DomainKey records and finding out which mailer different companies use, and which is an email partner. So he was able to dig quite a lot of valuable information also from the use of the DNS records, and I'm pretty sure there are many other uses of private info in DNS data, but it's not so easy to find it.

And if I may add to this: although the email addresses may seem like a small thing, it actually is the basis on top of which we could explore further, find the names of people, find new hosts to target, and even some private information about these people, because the email addresses showed that they were working at the same company, for instance. So it's an email address, but even then you can say a lot from this.

So there was a follow-up question of whether you meant DomainKey as in DKIM, is that what you're referring to?

I think DKIM and DomainKey is something different. I'm not sure, I forgot exactly. It's kind of the same thing, and if it's not the same, it's another protection for email. Clearly in the DNS it shows up as something dot underscore domainkey dot your domain, and bad people use an easily guessable something, and good people use a long hash for the something, and people who do use the long hash for the something make it very difficult to find the DomainKey. But I would need to check up on DomainKey versus the DKIM thing.

So I love this other question that came in as well, from Angel Rain: what is the impact to me, the general internet user? Which is always a nice thing to be able to encompass. How is this going to affect somebody who is just out there trying to do their job?
Well, if you are an OVH customer, then you might have quite some issues, and if you do have some private email redirection, then I would suggest you use one of the mitigations we talk about in the talk. If you're not an OVH customer, well, I guess I would just log on to my cloud provider and watch my DNS zone and see if there are some records I was not expecting, and if there are, well, do submit the talk for DEF CON next year.

Now that's good advice. Okay, well, let's move on with one of the other questions that you've posted for us here. So why does DNSSEC only use old crypto?

Perhaps I can take this one. Old crypto is not nice, but it is a lot of the things you would see some years ago on the internet, and now most of the internet, I mean the browsers and servers, have moved on to other algorithms that are faster, and some of them I can consider more secure. But DNS, you have to understand, DNSSEC works under a lot of constraints. It has to be very, very fast because it's used at scale. So you cannot use all the algorithms you'd like, you have to use the fastest ones, and that's actually been a reason why cryptography took a long time to get inside of DNSSEC to the extent that it is now, because even today we're deploying security extensions and we have to account for cryptographic operations taking time and latency. You also have to account for compliance, because some technologies are constrained by laws in the different countries that you would be in, and therefore if you want to use DNS, which of course you do worldwide, you have to account for the fact that some technologies are not considered legal or accepted in some places. So you have to deal with a very small subset of the possible algorithms, and you have to have all the DNS resolvers and all the DNS servers supporting these algorithms, and you have to be fast. So you are playing at a lot of different constraints, and that reduces the set of possible algorithms you can
use to essentially two of them, or three of them. One is not usable at all: RSA was not really usable at all at scale. And the other is ECDSA, which you can use to sign very fast, but it's on a fixed curve, which from a cryptographic standpoint is not ideal. It means you cannot build on all the innovations of the 21st century to try and get the best performance and the best security out of this. So really that's the reason: you need to do things fast at scale while keeping governments happy.

That's a rough combination of things to deal with if you're trying to future-proof your technology. It has to be fast, so some of the methods that we have aren't going to immediately work there, and you have to have compatibility with the old stuff. Interesting. All right, so another side question on this one: how did you find yourselves doing the testing on DNSSEC in the first place?

I think, I don't think I should answer this one. Well, actually, I think we explained that in the talk, but, sorry, it was nice. It happens that I am an OVH customer, for long actually, since many, many years, and one day I just did add a redirect on my domain just to test what it would do, and then I did realize that, well, some record had popped up in the DNS zone, and from there I just thought that maybe I'm not the only one to have such a behavior. So I did try other, fine, domains first, and same issue, and then you guess what happened.

And then we see what happened? Yeah. Hey, so I get you mentioned you might have another couple of questions, you're welcome to drop those in whenever you might like to. So, other things that you've... Can you give me any idea of where you would have gone with this research had you more time, or had you more, well, let's go with more permissions? If you had been told by somebody that you were allowed to, is there some space that you would have liked to have gone with this presentation?
Well, one thing, assuming I had all permissions, would have been to actually send an email to people we were able to find data about and ask them first if they didn't know that their redirections were almost public. And the other thing would be to ask them to tell us which redirects we did not find, so we get a better idea of what kind of plaintext we were not able to recover from our hashes. So two ideas which I consider are not evil. It would really be some research thing, but would have required more permission.

Let me any other idea? Well, for the more evil kind of things we could do, of course, as I mentioned earlier, we could collate this information with other information we have, for instance all the hosts that people use to receive their emails. Well, most of them were Gmail, so it's not necessarily the most interesting thing, but some of them are not, and we could look into these and we could try and see the proportion of email addresses that are self-hosted, or that are hosted in known-to-be-vulnerable domains. That would also be extremely interesting. As I also think we say in the talk, we could look at pwned email databases, databases of pwned addresses, to see how much of these redirects are actually directly usable by people in the know to get an account and to use. So these are two things that would be curious to know about, which are perhaps a bit less nice.

Good answers. All right, I like where you're heading on that one. There was a follow-up question in the chat over here from Overdrive: although there is an RFC to add EdDSA to DNSSEC, why isn't it used more widely, even though, it ain't Maya, I'm talking here, even if it answers all the caveats, performance and security, you talked about? So why isn't it used more widely?

I think I can answer this one. You see, this is being deployed. So at the time that we're talking, it's widely deployed, it's getting almost there.
It wasn't true a few years ago. So really the question is more about what took so long before we started implementing ECDSA at scale, and perhaps, I mean, I don't have the full answer to that, but perhaps part of the reason is that it wasn't clear which solution to zone walking should be implemented. As we mentioned in the talk, the issue of zone walking has been identified fairly early on, in NSEC, and so NSEC2 and NSEC3 have been proposed, NSEC4 has been proposed as well, NSEC5 has been proposed, and the problem is that most of them, NSEC2 and NSEC4, didn't see the light, NSEC4 has not been finalized, and NSEC5 has not been finalized. So people were waiting, perhaps, on a solution to emerge, to be stable, to support, because again when you're doing DNS, when you're doing backbone-of-the-internet kind of things, you want to support things very long term. So there was an expectation that some of the candidates would happen to be the right one, and that did not happen for a very long time. And in fact ECDSA is not the best candidate, it's just the best available candidate using existing technology.

It accomplishes enough of the pieces and there's no better idea right now, huh? Interesting. You gave me one final question over here, which seems like it's a little more fun. So there was a slide with a locksmith on the DNSSEC rollover session slides. What is the story behind the slide with the locksmith?

Okay, well, so it's during a DNSSEC rollover key session, so something that happens, if I remember correctly, maybe every three months, and it's like a very scripted ceremony with many steps, and everyone getting things out of the safe, the signing keys, putting them back, auditing everything. And it happens that, like maybe one day before the ceremony, during a rehearsal, they saw that one of the safes containing one of the HSMs was jammed. So what do you do? Well, you do have to crack the safe open, and so they had to hire a locksmith to open it.
I think it took 28 hours to open it. So a lot of work, and so they had to pay everyone two more hotel nights because they had to delay the ceremony. So even with cryptography you sometimes have to get back to your old locksmith and crack safes open.

Physical security is never out of style, is it?

No, but at least since it took like 28 hours to open it, I'm hoping that any bad people would have been detected before they were able to actually open the safe.

That is kind of the thing with safe cracking, right? You're always going to be able to get in, you just hope it takes long enough to be noticed. Fantastic. So, as we... I think I already asked a part of this, but we'll hit it again just to make sure we cover our bases. Where would you want somebody else who has a different set of skills, or a different amount of time, or a different background, to do their own research on this subject? Is there something that you would point someone towards if they were looking for a research subject, a research topic of their own?
I have a ton of that, and Hadrian may have others as well. Perhaps I can start by saying that, as I hinted, DNS is something that has to be understood at the global scale, and something that should be understood is that although it's all virtual and it's all the internet, it really is made of servers that have a physical implementation somewhere, that are under some jurisdiction somewhere. And something I would like people to look into is the geopolitics of how this whole set of agreements, and choice of algorithms, and choice of position where you put the servers, the latency as a function of geography, all the interconnections between the backbone of the internet and the way most people use it, make it transparent, but really it matters. And the geopolitics, so the influence of international agreements, discussions not only economical but also political, that would be one thing I'd like people to look into.

Ah, do you hear that, all of you folks who are into international politics and where the lines get drawn? You have somebody who would like to work with you from the technical side. Absolutely. Hadrian, I think, has many ideas as well.

On this very specific subject, not so much, actually. The best idea I had was actually about the DomainKey thing I just talked about before, but someone already did it like two months ago. So very good. It shows that we're not the only ones looking at the DNS records. And then on my more general thing, you could consider this leakage almost like some kind of side-channel attack. So it's some kind of very low-tech side-channel attack, and I'm pretty sure there are many other areas where you could find public data where you're not expecting it at all, just where it's a little hidden.
So there's a little bit of luck you need, because you need to first find the first record. But if one day you do find some public info that you are not supposed to find, well, try to dig behind it and find out if it is just one, or if there are thousands of such info in the same place.

I also have a suggestion for the more cryptography-oriented people. The way that zone walking is mitigated is by using white lies. So you would sign a lot of information, and so you can force the server to produce a lot of signatures. ECDSA is famously a brittle algorithm, and so if the implementation on the server is not absolutely perfect, it's quite likely that by collecting millions, billions of signatures you can actually obtain the private key with known techniques. So one thing that we didn't look into, but you may want to check, is: okay, can I find DNS servers that do not have the latest OpenSSL library, say, use known attacks against ECDSA, forcing the white lies mechanism to obtain the necessary signatures, and then, well, perform a DNS spoof? Something like this might be interesting.

That is a nice sequence of events there. I like where you're going. So it'll be neat to see if somebody...

To add on this, I have already tried: I got a few million records and tried nonce reuse on it, so the most basic ECDSA attack, and it was not successful, but maybe some more advanced attack would actually work.

We will make sure that we have your contact information in the track one channel over here at the end of this, so that people can ping you if they would like to talk about this further. In fact, now is probably a good time to make sure: is there a place that you would like for people to reach out to you if they have more questions or thoughts about the work that you've been doing?

dnssection.ovh, and you have all the contact info on this website.
So that's the website to put on the chat. Perfect. We'll get somebody to drop that in there for us. So, say again, I don't want to just bulldoze here. If you have another thought for us right now, then, if you have a question, drop us with that before I do our close-out. So we do have one more question from the audience. It was asking about geopolitics: where do you see CA providers fitting in, say, borders of countries that have to be taken over? Would you personally prefer a CA provider being further away from those borders, or do you think it matters at all?

That's an excellent question, for which I think there is no easy answer, but that's what makes a good question. I think the borders are a huge issue. It does matter. As you know, CAs are generated usually using machines, dedicated machines, and whoever seizes them has the possibility to do whatever they want with it. So yes, indeed, if you have CAs, if you want to have any kind of guarantee about the physical security of something, put it as far away as you can from moving borders, absolutely.

Great, all right. So my last question that I like to hit people with is: what would be your call to action? Not just something that you want people to research further, but what would be the core of what you're attempting to get people to understand, or to get interested in, about the work that you're doing, and give people that leg up on moving forward?

That's a complicated question. I think I've already put forward the notion that: look around yourself, look around the technology that we use every day. The more we use it, the less we ask about it, the less we wonder about how it works and why it works and why it doesn't work, and we tend to be focused on getting work done. What we do is exactly the opposite. We're trying to stop and think about, okay, it doesn't work.
It's interesting. It's like bugs, you know, people try to kill bugs whenever they see a bug, and we like more collecting them and saying, oh well, that's nice, this one has wings and this one is eating some stuff. So we really try to do that, and to call for people to focus on issues, not to try and solve them, but to try and look at issues for themselves as something that's interesting and that brings not only solutions but brings more intelligence, more ideas into the game. But that's my take on it, and Hadrian might have something more poetic to say.

No, actually, I do agree with you, and even in my overall life, I am a software engineer, and when I do find a bug, even something which just changed but never happens again in other circumstances, I always put it aside for a rainy Friday and try to look at exactly what happened, and often, more than just this bug, it often shows some hidden secrets that we are really happy to fix before it actually goes for real. So what are the facts? Just to look around you and try as much as possible to get to the bottom of strange things, to find out if it is only a one-off or if there is a long story behind it.

I appreciate those answers, and I appreciate the two of you very much for coming to join us for this. I also am very much entertained by the light mode / dark mode thing we have going on, with the, you know, outside and then, you know, in the dark. So this is cool. Thank you so much for your presentation and for spending your time with us. If anybody has any additional questions, they have posted, Bolivia posted, the dnssection.ovh in the track one live Q&A, so you can find that there. Otherwise, have a great rest of the convention, and we hope to see more from you folks soon.

Thank you very much to all DEF CON goons for having been able to make this session happen this year. So thanks a lot to you too. Cheers. Thank you. Bye everyone.