DNS Security Advanced Network Security Peter Reiher August, 2014

Slides:



Advertisements
Similar presentations
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
Advertisements

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Network security BGP and DNS Worms.
Issues in Internet Security. Securing the Internet How does the internet hold up security-wise? How does the internet hold up security-wise? Not well:
IIT Indore © Neminath Hubballi
Lecture 8 Page 1 Advanced Network Security Review of Networking Basics: Internet Architecture, Routing, and Naming Advanced Network Security Peter Reiher.
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
Kerberos Named after a mythological three-headed dog that guards the underworld of Hades, Kerberos is a network authentication protocol that was designed.
Lecture 27 Page 1 Advanced Network Security Routing Security Advanced Network Security Peter Reiher August, 2014.
Lecture 13 Page 1 Advanced Network Security Authentication and Authorization in Local Networks Advanced Network Security Peter Reiher August, 2014.
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 11 Page 1 CS 136, Fall 2012 Network Security, Continued CS 136 Computer Security Peter Reiher November 6, 2012.
DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Lecture 18 Page 1 CS 236 Online Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
System Administration(SAD622S) Name of Presenter: Shadreck Chitauro Lecturer 18 July 2016 Faculty of Computing and Informatics.
Outline Routing security DNS security. Securing Key Internet Technologies Computer Security Peter Reiher March 14, 2017.
Understand Names Resolution
Key management issues in PGP
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Security Issues with Domain Name Systems
Comparing Communication Types
IT443 – Network Security Administration Instructor: Bo Sheng
DNS Security.
Chapter 9: Domain Name Servers
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
Domain Name System (DNS)
Principles of Computer Security
IMPLEMENTING NAME RESOLUTION USING DNS
Outline Basics of network security Definitions Sample attacks
Outline What does the OS protect? Authentication for operating systems
DNS Cache Poisoning Attack
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Outline What does the OS protect? Authentication for operating systems
DNS security.
The Issue We all depend on the Internet
Chapter 19 Domain Name System (DNS)
EE 122: Domain Name Server (DNS)
What DNSSEC Provides Cryptographic signatures in the DNS
Outline Basics of network security Definitions Sample attacks
NET 536 Network Security Lecture 8: DNS Security
NET 536 Network Security Lecture 6: DNS Security
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Outline Network characteristics that affect security
Advanced Computer Networks
Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Outline The spoofing problem Approaches to handle spoofing
Outline Basics of network security Definitions Sample attacks
Presentation transcript:

DNS Security Advanced Network Security Peter Reiher August, 2014

Outline Problems of DNS security DNSSec

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to 131.179.192.144 DNS also provides other similar services It wasn’t designed with security in mind

DNS Threats Threats to name lookup secrecy Definition of DNS system says this data isn’t secret Threats to DNS information integrity Very important, since everything trusts that this translation is correct Threats to DNS availability Potential to disrupt Internet service

What Could Really Go Wrong? DNS lookups could be faked Meaning packets go to the wrong place The DNS service could be subject to a DoS attack Or could be used to amplify one Attackers could “bug” a DNS server to learn what users are looking up

Where Does the Threat Occur? Unlike routing, threat can occur in several places At DNS servers But also at DNS clients Which is almost everyone Core problem is that DNS responses aren’t authenticated

The DNS Lookup Process lookup thesiger.cs.ucla.edu answer 131.179.191.144 ping thesiger.cs.ucla.edu If the answer is wrong, in standard DNS the client is screwed Should result in a ping packet being sent to 131.179.191.144

How Did the DNS Server Perform the Lookup? Leaving aside details, it has a table of translations between names and addresses It looked up thesiger.cs.ucla.edu in the table And replied with whatever the address was

Where Did That Table Come From? Ultimately, the table entries are created by those owning the domains On a good day . . . And stored at servers that are authoritative for that domain In this case, the UCLA Computer Science Department DNS server ultimately stored it Other servers use a hierarchical lookup method to find the translation when needed

Doing Hierarchical Translation DNS root server Where’s edu? lookup thesiger.cs.ucla.edu edu root server Where’s ucla.edu? Where’s cs.ucla.edu? Where’s thesiger.cs.ucla.edu? ucla.edu root server cs.ucla.edu root server

Where Can This Go Wrong? Someone can spoof the answer from a DNS server Relatively easy, since UDP is used One of the DNS servers can lie Someone can corrupt the database of one of the DNS servers

lookup thesiger.cs.ucla.edu The Spoofing Problem lookup thesiger.cs.ucla.edu answer 131.179.191.144 Unfortunately, most DNS stub resolvers will take the first answer answer 97.22.101.53

lookup thesiger.cs.ucla.edu DNS Servers Lying answer 97.22.101.53 lookup thesiger.cs.ucla.edu . . . thesiger.cs.ucla.edu 131.178.192.144 That wasn’t very nice of him!

DNS Database Corruption answer 97.22.101.53 lookup thesiger.cs.ucla.edu . . . 97.22.101.53 thesiger.cs.ucla.edu

The DNSSEC Solution Sign the translations Who does the signing? The server doing the response? Or the server that “owns” the namespace in question? DNSSEC uses the latter solution

Implications of the DNSSEC Solution DNS databases must store signatures of resource records There must be a way of checking the signatures The protocol must allow signatures to be returned

Checking the Signature Basically, use certificates to validate public keys for namespaces Who signs the certificates? The entity controlling the higher level namespace This implies a hierarchical solution

The DNSSEC Signing Hierarchy In principle, ICANN signs for itself and for top level domains (TLDs) Like .com, .edu, country codes, etc. Each TLD signs for domains under it Those domains sign for domains below them And so on down

An Example Who signs the translation for thesiger.cs.ucla.edu to 131.179.192.144? The UCLA CS DNS server How does someone know that’s the right server to sign? Because the UCLA server says so Securely, with signatures The edu server verifies the UCLA server’s signature Ultimately, hierarchical signatures leading up to ICANN’s attestation of who controls the edu namespace Where do you keep that information? In DNS databases

Using DNSSEC To be really secure, you must check signatures yourself Next best is to have a really trusted authority check the signatures And to have secure, authenticated communications between trusted authority and you

Status of DNSSEC Working implementations available In use in some places Heavily promoted First by DARPA Now by DHS Beginning to get out there

Status of DNSSEC Deployment ICANN has signed the root .com, .gov, .edu, .org, .net all signed at top level Not everyone below has signed, though Many “islands” of DNSSEC signatures Signing for themselves and those below them In most cases, just for themselves Utility depends on end machines checking signatures

Using DNSSEC Actually installing and using DNSSEC not quite as easy as it sounds Lots of complexities down in the weeds Particularly hard for domains with lots of churn in their namespace Every new name requires big changes to what gets signed

Other DNS Solutions Encrypt communications with DNS servers Prevents DNS cache poisoning But assumes that DNS server already has right record Ask multiple servers Majority rules or require consensus

Conclusions Name translation is vital to Internet security If compromised, users are silently taken off to the wrong site Securing DNS is primarily about integrity and authenticity Uses PK cryptography for signatures How the crypto is used is tricky and vital to get right

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.