2008

Ray Bellis, Nominet UK
Lisa Phifer, Core Competence

Executive Summary

To assess the potential impact of DNSSEC on broadband consumers, we tested two dozen residential Internet router and SOHO firewall devices commonly used with broadband services. In summary, we found that:

- All 24 units could route DNSSEC queries addressed to upstream resolvers (referred to herein as route mode) without size limitations.
- 22 units could proxy DNS queries addressed directly to them (referred to herein as proxy mode), with varying degrees of success.
- 6 of 22 DNS proxies had difficulty with DNSSEC-related flags and/or validated responses that effectively prevented DNSSEC use in proxy mode.
- 16 of 22 DNS proxies could successfully pass DNSSEC queries and return validated responses of some size.
- 18 DNS proxies limited responses over UDP to either 512 bytes or a size constrained by the MTU. Only 4 could return responses over UDP up to 4096 bytes, while just 1 could proxy DNS over TCP (no size limit). Such limits can interfere with returning longer DNSSEC responses.
- When deployed with factory defaults, 15 units are likely to be used as DNS proxies, while 3 always route DNS queries. The rest (6) vary over time, preferring to route DNS after being connected to a WAN.

As a consequence, we conclude that just 6 units (25%) operate with full DNSSEC compatibility out of the box.
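The proxy-mode problems summarized above (stripped EDNS0, 512-byte UDP limits, mishandled DNSSEC flags) can be observed directly on the wire. The Python probe below is an added example, not code from the report or its authors: it builds the kind of query the tests rely on (an EDNS0 OPT record advertising a 4096-byte UDP buffer, the DO bit, and optionally the CD flag to request no server-side validation) and classifies a reply by whether the OPT record, DO bit and TC flag survived the proxy. The router LAN address 192.168.1.1, the DNSKEY query type and the name example.com are assumptions.

```python
import socket, struct, sys
OPT, DNSKEY = 41, 48   # EDNS0 pseudo-RR type; DNSKEY answers on signed zones commonly exceed 512 bytes

def build_query(name, qtype=DNSKEY, udp_size=4096, do=True, cd=False, txid=0x1234):
    """DNS query with an EDNS0 OPT RR (advertised UDP size, DO bit) and optionally the CD flag."""
    flags = 0x0100 | (0x0010 if cd else 0)          # RD, plus CD to request no server-side validation
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    # OPT RR: root name, TYPE=41, CLASS=requested UDP payload size, TTL carries the DO bit (0x8000), empty RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x8000 if do else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(data, off):                          # advance past a (possibly compressed) domain name
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_response(data):
    """Pull out the fields that decide proxy compatibility: TC, AD, rcode, and whether OPT/DO survived."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020), "rcode": flags & 0xF,
            "size": len(data), "edns": False, "do": False, "udp_size": None}
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4             # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == OPT:
            info.update(edns=True, do=bool(ttl & 0x8000), udp_size=rclass)
        off += 10 + rdlen
    return info

def classify(info):
    """Map a parsed reply onto the proxy failure modes the report describes."""
    if info["rcode"] != 0:
        return "error rcode %d" % info["rcode"]
    if not info["edns"]:
        return "EDNS0 stripped: proxy limits UDP replies to 512 bytes"
    if info["tc"]:
        return "truncated: reply exceeded what the proxy relays over UDP"
    if not info["do"]:
        return "DO bit not preserved: signature records will be omitted"
    return "EDNS0 and DO passed (%d bytes, AD=%s)" % (info["size"], info["ad"])

if __name__ == "__main__":                          # send one probe to the router's LAN address (assumed)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    sock.sendto(build_query("example.com"), (sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1", 53))
    print(classify(parse_response(sock.recv(4096))))
```

Running it once against the router's LAN address (proxy mode) and once against the upstream resolver (route mode) shows whether the proxy, rather than the resolver, is what alters the reply.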
9 units (37%) can be reconfigured to bypass DNS proxy incompatibilities. Unfortunately, the rest (38%) lack reconfigurable DHCP DNS parameters, making it harder for LAN clients to bypass their interference with DNSSEC use.

These findings, their potential impact on DNSSEC use by broadband consumers, and implications for router/firewall manufacturers, are presented and analyzed in this report.

Test Report: DNSSEC Impact on Broadband Routers and Firewalls, September 2008, Version 1.0, Page 2

Table of Contents

Executive Summary ........ 1
Table of Contents ........ 2
1. Introduction ........ 3
1.1 Objective ........ 3
1.2 Background ........ 3
1.3 Acknowledgements ........ 3
2. Test Methodology ........ 4
2.1 Test Cases ........ 4
2.2 Test Beds ........ 6
3. Test Results ........ 7
3.1 Result Summary ........ 7
3.2 Result Analysis ........ 8
Out of the Box DNS Usage ........ 8
Route DNS to Upstream Resolver ........ 10
Proxy DNS over TCP ........ 10
Proxy DNS over UDP - EDNS0 Compatibility ........ 10
Request Flag Compatibility ........ 12
DNSSEC OK Compatibility ........ 12
Source Port Randomization ........ 13
3.3 General Observations ........ 13
4. Conclusions ........ 15
4.1 Consumer Impacts and Mitigation Strategies ........ 15
4.2 Recommendations for Manufacturers ........ 16
Appendix A. Test Result Detail ........ 18
Appendix B. Test Commands ........ 22
1. Introduction

During July and August 2008, Core Competence and Nominet collaborated to develop and conduct a series of tests intended to assess the impact of DNSSEC on residential Internet router and SOHO firewall devices commonly used with broadband services. This report documents our findings.

1.1 Objective

To assess router/firewall support for (or interference with) DNS queries pertaining to DNSSEC-signed domains, as well as DNSSEC queries on unsigned domains, we conducted lab tests to determine whether each unit correctly routes and/or proxies:

- DNS queries requiring TCP or EDNS0 to convey lengthy DNSSEC responses
- Non-DNSSEC queries on signed and unsigned domains
- Non-DNSSEC queries that set other DNSSEC-related request flags
- DNSSEC queries that request server-side validation
- DNSSEC queries that request no server-side validation

1.2 Background

We started with tests originally developed by .SE and documented in DNSSEC Tests of Consumer Broadband Routers (February 2008, http://iis.se/docs/Routertester_en.pdf). Based on lessons learned from earlier efforts, we refined our tests to decouple testing of related features, examine DNSSEC handling more rigorously, increase test repeatability, and improve result reliability.

The tests described in this report were executed in closed, controlled test beds to enable repeated, deterministic execution. Nominet tested units with xDSL WAN ports, while Core Competence tested units with 10/100 Ethernet WAN ports. Between us, we set out to test the broadband router/firewalls most commonly used today in the US and UK. To maximize coverage, we used published market research, broadband provider websites, and retail best-seller lists to identify the most widely deployed:

- Residential Internet routers supplied by broadband providers
- Residential Internet routers purchased by consumers
- Entry-level firewall appliances purchased by Small/Home Offices (SOHOs)

To minimize duplication, we generally avoided Ethernet and xDSL variations of the same product, retesting products previously tested by .SE, or testing more than two products from the same family.

1.3 Acknowledgements

Core Competence'