Living on the Edge: (Re)focus DNS Efforts on the End-Points

Slides:

Advertisements

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Advertisements

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

DNS-centric PKI Sean Turner Russ Housley Tim Polk.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

What DNS is Not 0 Kylie Brown, Jordan Eberst, Danielle Franz Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros 0 Paul Vixie

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

Rev Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

TODAY & TOMORROW DAY 2 - GROUP 5 PRESENTED BY: JAMES SPEIRS CHARLES HIGBY BRADY REDFEARN Domain Name System (DNS)

Naming March 8, Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.

FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.

How to use DNS during the evolution of ICN? Zhiwei Yan.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.

EMU and DANE Jim Schaad August Cellars. EMU TLS Issues Trust Anchor Matching PKIX cert to EMU Server Name Certificate Revocation Checking – CRLs – OCSP.

DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.

DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c

Why Dane? Geoff Huston Chief Scientist, APNIC. Security on the Internet How do you know that you are going to where you thought you were going to?

High performance recursive DNS solution

Geoff Huston Chief Scientist, APNIC

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

Security Issues with Domain Name Systems

Attacking DNS Slides adapted from Olaf Kolkman, RIPE Lecture 18

SaudiNIC Riyadh, Saudi Arabia May 2017

DNS Security Advanced Network Security Peter Reiher August, 2014

DNS Team IETF 99 Hackathon.

DNS Operation And Security Protection

DNSSEC Deployment Challenges

DNS Security Issues SeongHo Cho DPNM Lab., POSTECH

DNS Privacy: Problem and solutions

Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania

The Importance of Being an Earnest stub

SUBMITTED BY: NAIMISHYA ATRI(7TH SEM) IT BRANCH

Unit 5: Providing Network Services

DNS Cache Poisoning Attack

CZ.NIC in a nutshell Domain, DNSSEC, Turris Project and others

The Last Link in the DNSSEC Chain of Trust

DNS Hijacking – KL Tech Meet-up - May 2015

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

DANE: The Future of Transport Layer Security (TLS)

DNSSEC Basics, Risks and Benefits

Providing Network Services

TRA, UAE May 2017 DNSSEC Introduction TRA, UAE May 2017

Who am I talking to?.

Measuring KSK Roll Readiness

NET 536 Network Security Lecture 8: DNS Security

NET 536 Network Security Lecture 6: DNS Security

DNS: Domain Name System

Internet2 DNSSEC Pilot Shumon Huque University of Pennsylvania

Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.

FTP, SMTP and DNS 2: Application Layer.

(DNS – Domain Name System)

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

Hackathon AIS’19 Measurement group DNS over HTTPS/TLS team

Presentation transcript:

Living on the Edge: (Re)focus DNS Efforts on the End-Points Benno Overeinder NLnet Labs RIPE 75, Dubai, UAE

Complexity at Core-Middle-Edge moderate Authoritative . complex simple recursive resolver application ripe75.ripe.net stub Authoritative net 193.0.19.34 OS Authoritative ripe e2e-ness complex e2e-ness moderate e2e-ness simple

From the ground-up security … and now for something completely different

Customer–Web Portal Interaction auth name servers com. acme. portal. full recursive resolver customer portal.acme.com host IP address browser web portal http server http/https IP address

DNS Spoofing DNS Spoofing by cache poisoning Man-in-the-middle attacks attacker flood a DNS resolver with phony information with bogus DNS results by the law of large numbers, these attacks get a match and plant a bogus result into the cache Man-in-the-middle attacks redirect to wrong Internet sites email to non-authorized email server What risks? Misdirection of queries for an entire domain Response to non-existent domains MX hijacking Make a large domain (SLD or TLD) domain “disappear” from an ISP's cache – DoS Identity theft using SSL stripping attacks (banks, eGovernance) More fun stuff… A great illustrated guide http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

The “Too Many CAs” Problem TLS clients have abundance of TAs modern web browsers have 1300+ TAs any of them can issue certificate for example.com Most notable incidents are with Comodo RA (2011) and DigiNotar (2011). TLS client accepts both! credits wes.hardaker@parsons.com

Customer–Web Portal Interaction auth name servers com. acme. portal. full recursive resolver DNS spoofing customer portal.acme.com host IP address browser web portal too many CAs http server http/https CA pinning/HSTS? IP address

DNSSEC-Based Secure Customer–Web Portal Interaction auth name servers DNSSEC com. acme. portal. full recursive resolver DNS spoofing customer portal.acme.com host IP address browser web portal DANE too many CAs http server http/https IP address

Resolver Hijack?! DNSSEC DANE web portal host ARP, DHCP or routing tricks auth name servers DNSSEC com. acme. portal. portal.acme.com full recursive resolver DNS spoofing 6.6.6.1 host browser web portal DANE too many CAs http server IP address http/https

Countering Resolver Hijack DNSSEC on the stub DNS-over-TLS

Countering Resolver Hijack (cont’d) DNS-over-TLS DNS-over-TLS TLS hijack of DNS-over-TLS Bootstrap the TLSA lookup with regular DNS? Chicken and egg problem.

DNSSEC Data Blob-over-TLS TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension TLS DNSSEC authentication to prevent “Too many CA’s” problem https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension

DNS Privacy and Standards DNS privacy requirements Capability Standard DNS-over-TLS RFC7858 Reuse/pipelining/OOOP RFC7766 TCP fast open RFC7413 ENDS0 keep alive RFC7828 ENDS0 padding RFC7830 PKIX support for authentication (various) DNSSEC support (for address lookup and authentication)

DNSSEC Roadblocks Consequences of living on the edge

DNSSEC Roadblocks Resolving DNSSEC (to cross the first mile) needs DNSSEC aware recursive resolver

DNSSEC Roadblock Avoidance DNSSEC roadblock avoidance + full recursion capability https://tools.ietf.org/html/rfc8027

DNSSEC Roadblock Avoidance DNSSEC roadblock avoidance + full recursion capability https://tools.ietf.org/html/rfc8027 DNSSEC authentication chain extension

DNSSEC with DNS64 & NAT64 Jen Linkova’s “Let’s talk about IPv6 DNS64 & DNSSEC” https://blog.apnic.net/2016/06/09/lets-talk-ipv6-dns64-dnssec/ With IPv6 prefix discovery, stub can do DNSSEC validation of A RR itself

DNSSEC with DNS64 & NAT64 IPv6 address synthesis prefix discovery + DNS64 capability https://tools.ietf.org/html/rfc7050 https://tools.ietf.org/html/rfc6147

KSK Root Rollover More roadblocks ahead

RFC5011 for DNSSEC Validating Stubs DNSSEC validating stub must do RFC5011 In-band RFC5011 tracking with DNSSEC auth chain TLS extension

KSK Root Rollover for Stub Library A stub library for DANE runs with user’s privileges no system config bootstrap DNSSEC capabilities https://tools.ietf.org/html/rfc7958 unbound-anchor functionality

DNSSEC Roadblocks and Standards DNSSEC stubs capability requirements Capability Standard DNSSEC validation (various) DNSSEC roadblock avoidance RFC8027 IPv6 prefix discovery RFC7050 IPv6 address synthesis RFC6147 Automated trust anchor updates RFC5011 Automated initial trust anchor retrieval RFC7958

Living on the Edge “Final Thoughts”

Wrapping Up Stub resolver/library experience complex e2e-ness at the edge of the network many kinds of roadblocks/brokenness DNS-based security from the ground up bootstraps with the stub Closing the gap in the last mile with ongoing work overview of RFCs and drafts most of discussed work is implemented in getdns and its stub resolver Stubby DNSSEC Authentication Chain Extension https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension