2 DNS and DNSSEC in a Nutshell (image source: http://upload.wikimedia.org/wikipedia/commons/b/b7/KoreanPineSeeds.jpg)
3 Device queries Recursive Nameserver. Recursive Nameserver recurses over Authoritative nameservers. Results are cached. The DNS is highly distributed. DNS is implemented through 100s of thousands of machines.
4 Stub Resolver, Recursive Nameservers, Authoritative Nameservers. www.nlnetlabs.nl A; root.hints: location of the root servers; referral: nl NS; www.nlnetlabs.nl A; referral: nlnetlabs.nl NS; Answer: www.nlnetlabs.nl A 220.127.116.11; www.nlnetlabs.nl; ROOT, NL, NLnetLabs.NL; www.nlnetlabs.nl A 18.104.22.168; www.nlnetlabs.nl A 22.214.171.124
5 Attack Surface: On the Wire or through Compromise. Whoa, that looks bad!!! Who Uses This System? Compromise of systems. Bugs and implementation mistakes.
9 Recursive Nameserver, STUB Resolver, Authoritative Nameserver, Attacker. Query: Query: Query: Response: Answer: Response: Cache hit. Response: Response: Success depends on legacy and speed of network, and on various properties that the attacker needs to match: Query ID, Source Port, 0x20.
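Added example, not part of the original slides: the acceptance check a recursive nameserver can apply before caching a response, covering the properties slide 9 lists (Query ID, source port, 0x20 case), plus the number of bits an off-path spoofer has to guess. The class and function names, the port range, and the sample name and address are assumptions made for illustration.

```python
import math
import secrets
from dataclasses import dataclass

PORT_LOW, PORT_HIGH = 1024, 65536   # assumed ephemeral source-port range

@dataclass(frozen=True)
class Query:
    """What the recursive nameserver remembers about one in-flight query."""
    qid: int        # 16-bit Query ID
    src_port: int   # UDP source port the query was sent from
    server: str     # authoritative server that was asked
    qname: str      # name as sent, with 0x20 case randomisation applied

@dataclass(frozen=True)
class Response:
    qid: int
    dst_port: int   # port the response arrived on
    sender: str     # source address of the response
    qname: str      # question name echoed back by the sender

def new_query(name: str, server: str) -> Query:
    """Pick unpredictable values for every property a response must match."""
    mixed = "".join(c.upper() if secrets.randbits(1) else c.lower() for c in name)
    port = PORT_LOW + secrets.randbelow(PORT_HIGH - PORT_LOW)
    return Query(secrets.randbits(16), port, server, mixed)

def mismatches(q: Query, r: Response) -> list[str]:
    """Return the properties that fail to match; empty means cacheable."""
    bad = []
    if r.qid != q.qid:
        bad.append("query id")
    if r.dst_port != q.src_port:
        bad.append("source port")
    if r.sender != q.server:
        bad.append("server address")
    if r.qname.lower() != q.qname.lower():
        bad.append("query name")
    elif r.qname != q.qname:            # same name, different 0x20 bits
        bad.append("0x20 case")
    return bad

def guess_bits(q: Query) -> float:
    """Bits an off-path spoofer must guess for one forged response."""
    letters = sum(c.isalpha() for c in q.qname)
    return 16 + math.log2(PORT_HIGH - PORT_LOW) + letters

if __name__ == "__main__":
    # Constructed sample: a forged response with a wrong ID and flattened case.
    q = new_query("www.example.net", "192.0.2.53")
    forged = Response((q.qid + 1) % 65536, q.src_port, q.server, q.qname.lower())
    print(mismatches(q, forged), round(guess_bits(q), 1))
```

A resolver that uses a fixed source port and no 0x20 mixing leaves only the 16-bit Query ID to guess.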
10 TTL saves you?!? I don't think so.... Dan Kaminsky's image from zdnet.com. Security Popstar
11 Recursive Nameserver, STUB Resolver, Authoritative Nameserver, Attacker. Query: asdf23sadf.webcam.com; Query: www.webcam.com; Response: www.webcam.com; Answer: Response: webcam.com NS ns1.webcam.com, webcam.com NS ns1.webcam.co, ns1.webcam.com A 10.6.6.6; Query: asdf23sadf.webcam.com; Response: asdf23sadf.webcam.com; Query to 10.6.6.6 asdf23sadf.webcam.com; Query to 10.6.6.6 www.webcam.com. Try Delegations. Abuse a 25 year old protocol requirement
12 Do attacks happen in practice? Would you tell? Would you notice?
13 Why would one attack the DNS? Do attacks happen in practice? While one could be doing other things
15 Why would one attack the DNS? Follow the Money: Organizing your life, Paying your Tax, Your weekly security update, Short-selling your stock
16 Money: Don't all these transactions use SSL and Certificates?
17 The role of a CA: 3rd party trust broker. Subject Requests. RA performs checks. RA tells CA to sign. Browser trusts CA signed certificates. EV: Extended Validation
18 However all these little men are a wee bit expensive AUTOMATE THE LOT
19 DV: Domain Validation. Subject: Please sign certificate for Example.com. RA sends a mail to well known address @example.com. When mail returned CA will sign
20 DV: Domain Validation. All these checks are based on information fetched from the DNS. Hold that thought for Jakob's presentation
21 DNS System Vulnerabilities. Secondary DNS, primary DNS, Registrars & Registrants, Registry, Secondary DNS. Server vulnerability. Man in the Middle. Spoofing & Man in the Middle. Provisioning Vulnerabilities
22 What can one do to protect... (skipping DNSSEC)
32 End to End Security: primary DNS, Secondary DNS, Registrars & Registrants, Registry, Secondary DNS
33 All done using Public Key crypto. DNSKEY: public key from the keypair. RRSIG: Signatures made with a private key from the keypair. NSEC and NSEC3: For pre-calculated Denial of Existence. DS: For delegating Security