Security and Information Assurance for the DNS Dan Massey USC/ISI.


Slide 1: Security and Information Assurance for the DNS
Dan Massey, USC/ISI

Slide 2 (13 May): The Domain Name System
- Virtually every application uses the Domain Name System (DNS).
- The DNS database maps:
  - Name to IP address
  - And many other mappings (mail servers, IPv6, reverse...)
- Data organized as a tree structure.
  - Each zone is authoritative for its local data.
[Diagram: DNS tree rooted at "Root", with node labels edu, mil, com, darpa, isi, icc2003, usmc, nge, quantico]

Slide 3: Current State: Data Availability
- Original DNS design focused on data availability.
  - DNS zone data is replicated at multiple servers.
  - A DNS zone works as long as one server is available.
    - DDoS attacks against the root must take out 13 root servers.
- But the DNS design included no authentication.
  - Any DNS response is generally believed.
  - No attempt to distinguish valid data from invalid.
    - Just one false root server could disrupt the entire DNS.

Slide 4: Limitations of Availability
[Diagram: Dan's Laptop and Manu's Laptop query a Caching DNS Server, which in turn queries the Root DNS Server, the com DNS Server and a further DNS Server. Callouts: "Easy to observe: UDP DNS query sent to well known server on well known port." "First response wins!" "Second response is silently dropped."]

Slide 5: New Approach: Add Authentication
- Each DNS zone signs its data using a private key.
  - Recommend signing be done offline, in advance.
- A query for a particular record returns:
  - The requested resource record set.
  - A signature (SIG) of the requested resource record set.
- The resolver authenticates the response using the public key.
  - The public key is pre-configured or learned via a sequence of key records in the DNS hierarchy.

Slide 6: "Secure" DNS Query and Response
[Diagram: End-user queries a Caching DNS Server, which queries the Authoritative DNS Servers; the answer comes back with the name-to-address record plus an (RSA) signature by the zone. Callout: "Attacker can not forge this answer without the private key."]
DNS Security Extensions:
- add public key signatures to the protocol
- manage/learn DNS public keys

Slide 7: So Why Aren't We There Yet?
- Deployment in existing infrastructure is hard.
  - Strengthens some aspects, but adds stress to existing weak points (ex: NS record consistency in DNS).
- The original design (RFC 2535) was fatally flawed.
  - Key management was an afterthought.
  - Operations must be simple if we hope to deploy.
  - Ignored operations and business model issues.
- Cryptography alone is not the answer.
  - Adds new DoS due to crypto errors and attacks.
    - Must first ensure data availability.
  - View it as one fence that enables other services.

Slide 8: Questions
"Cryptography is like magic fairy dust, we just sprinkle it on our protocols and it makes everything secure" - See IEEE Security and Privacy Magazine, Jan 2003
