
Slide 1: DNS Security Extensions (DNSSEC). Ryan Dearing

Slide 2: Topics
- History
- What is DNS?
- DNS Stats
- Security
- DNSSEC
- DNSSEC Validation
- Deployment

Slide 3: Terminology
- Zone: contains resource records
- Resource Record: a record with a name and a value (e.g. www.google.com → IP address)
- Authoritative Server: a server that can definitively answer queries for a zone (non-caching)
- Master Server: an authoritative server that holds the primary copy of the zone and pushes it to the slave/secondary servers
- Slave Server: an authoritative server that gets its zone information from the master server (also called a secondary server)
- Recursive/Caching Server: a server that caches query responses

Slide 4: Domain Name System
- Created in 1983 by Paul Mockapetris
- Minimal changes to the core protocol since 1987
- Has scaled very well: ~190 million domains

Slide 5: DNS Hierarchy and Protocol
- DNS uses a hierarchical model: root servers, TLD servers, domain servers
- Small, efficient UDP packets; no state
- Caching locally and at recursive servers
- The zone's serial number is incremented when zone information changes

Slide 6: DNS Stats
- Verisign hosts the DNS servers for .com and .net
- Receives 52 billion queries per day, peaking at 61 billion queries per day
- 48% yearly growth
- 13 nameservers are listed for .com and .net, but most likely hundreds sit behind load balancing

Slide 7: Security
- DNS uses a trust model that was popular in the 80s, when the Internet was small and computing power was low
- If an attacker manages to impersonate an authoritative server, they can poison the cache of recursive caching servers
- Suddenly BankOfAmerica.com is going to Nigeria

Slide 8: DNSSEC
- DNSSEC adds signing to a zone's information
- Allows DNS responses to be validated all the way from the root
- Increases zone and packet size considerably
- Already implemented on the root servers
- Only useful when zones start using it

Slide 9: DNSSEC Validation (google.com)
- Request information from a root server for .com and verify the response with the root's public key (publicly distributed). The response returns the key for .com.
- Request information from a .com server for google.com and verify the response using the key returned from the root. The response returns the key for google.com.
- Request information from the google.com server and verify it with the key returned from the .com server.

Slide 10: DNSSEC Validation
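The three-step walk on slide 9, and the impersonation scenario on slide 7 that it defeats, as an added worked example that is not part of the presentation. The zone names follow the slides; the record contents, the trust-anchor handling and the "impostor" zone are constructed for illustration. A textbook RSA over Mersenne primes stands in for a real DNSSEC signing algorithm so the example runs offline; it is not a DNSSEC algorithm and must not be used as one. DNSKEY, DS and RRSIG are modelled as plain strings rather than wire-format records.

```python
"""Toy DNSSEC chain-of-trust walk: root -> com. -> google.com. (constructed example)."""
import hashlib

# Toy textbook RSA over Mersenne primes stands in for a DNSSEC signing
# algorithm so the example runs offline. It is NOT a real DNSSEC algorithm.
def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest_mod(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest_mod(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_mod(data, n)

def key_rdata(pub):
    return f"{pub[0]}:{pub[1]}"          # toy DNSKEY rdata: the public key as "n:e"

def parse_key(rdata):
    n, e = rdata.split(":")
    return int(n), int(e)

def ds_rdata(child_pub):
    # DS rdata: a hash of the child's DNSKEY, published and signed by the parent
    return hashlib.sha256(key_rdata(child_pub).encode()).hexdigest()

def rrset_bytes(owner, rtype, rdata):
    return f"{owner}|{rtype}|{rdata}".encode()   # canonical data the RRSIG covers

class Zone:
    """Authoritative zone that signs every RRset it publishes (its RRSIGs)."""
    def __init__(self, name, p, q):
        self.name = name
        self.pub, self._priv = keypair(p, q)
        self.rrsets = {}                          # (owner, type) -> (rdata, rrsig)
        self.publish(name, "DNSKEY", key_rdata(self.pub))

    def publish(self, owner, rtype, rdata):
        sig = sign(self._priv, rrset_bytes(owner, rtype, rdata))
        self.rrsets[(owner, rtype)] = (rdata, sig)

    def query(self, owner, rtype):
        return self.rrsets[(owner, rtype)]

def build_zones():
    root = Zone(".", 2**31 - 1, 2**61 - 1)
    com = Zone("com.", 2**89 - 1, 2**107 - 1)
    google = Zone("google.com.", 2**127 - 1, 2**521 - 1)
    root.publish("com.", "DS", ds_rdata(com.pub))           # root vouches for .com's key
    com.publish("google.com.", "DS", ds_rdata(google.pub))  # .com vouches for google.com's key
    google.publish("www.google.com.", "A", "203.0.113.10")  # constructed address
    return {z.name: z for z in (root, com, google)}

def validated_lookup(zones, trust_anchor, name, rtype):
    """Validating resolver. Only the root key (the trust anchor) is configured;
    every other key is accepted only because a signed DS in its parent names it."""
    path = [".", "com.", "google.com."]
    trusted = trust_anchor
    for i, zname in enumerate(path):
        zone = zones[zname]
        rdata, sig = zone.query(zname, "DNSKEY")
        if parse_key(rdata) != trusted or not verify(trusted, rrset_bytes(zname, "DNSKEY", rdata), sig):
            raise ValueError(f"DNSKEY of {zname} is not the key we trust")
        if i + 1 == len(path):
            break
        child = path[i + 1]
        ds, sig = zone.query(child, "DS")
        if not verify(trusted, rrset_bytes(child, "DS", ds), sig):
            raise ValueError(f"DS for {child} has a bad signature")
        child_key, _ = zones[child].query(child, "DNSKEY")
        if hashlib.sha256(child_key.encode()).hexdigest() != ds:
            raise ValueError(f"DNSKEY of {child} does not match the DS in {zname}")
        trusted = parse_key(child_key)        # the key "returned" for the next step on slide 9
    rdata, sig = zones[path[-1]].query(name, rtype)
    if not verify(trusted, rrset_bytes(name, rtype, rdata), sig):
        raise ValueError(f"RRSIG on {name} {rtype} failed")
    return rdata

def poisoned_answer_accepted(zones, trust_anchor):
    """Slide 7 scenario: an impersonator answers for google.com. with its own key
    and its own A record. Returns True only if the validating resolver accepts it."""
    impostor = Zone("google.com.", 2**61 - 1, 2**89 - 1)
    impostor.publish("www.google.com.", "A", "198.51.100.7")   # constructed address
    spoofed = {**zones, "google.com.": impostor}
    try:
        validated_lookup(spoofed, trust_anchor, "www.google.com.", "A")
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    zones = build_zones()
    anchor = zones["."].pub                       # the "publicly distributed" root key
    print(validated_lookup(zones, anchor, "www.google.com.", "A"))   # 203.0.113.10
    print(poisoned_answer_accepted(zones, anchor))                   # False
```

The impostor's answer is rejected at the .com step, not at the final record: its DNSKEY does not hash to the DS that .com signed, so the resolver never trusts the key that signed the forged A record. That is the whole point of slide 8's "validated all the way from the root": a resolver needs only one configured key, and every other key it uses has to be vouched for by a signed DS in the parent zone.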

Slide 11: DNSSEC Complexities
- Must tell the parent zone when a key is changed
- Changing a key must be done very carefully; both keys remain in use for a period of time because of caching
- Must be careful about zone enumeration
- Servers will require more memory to hold the additional information (keys, response signatures)
- More bandwidth utilization
- Larger packets (network equipment may block them)

Slide 12: DNSSEC Deployment Status
- All root servers use DNSSEC as of May 5
- .com and .net by Q1 of 2011; requires upgrades for scalability
- .org already deployed with DNSSEC
- .gov already deployed with DNSSEC
- Big zones will need to deploy it too (google.com, yahoo.com, etc.)
- Large DNS providers need to deploy it too (NeustarDNS, Markmonitor, etc.)

Slide 13: Questions?
