NET 536 Network Security Lecture 8: DNS Security

Slides:



Advertisements
Similar presentations
Chapter 14 – Authentication Applications
Advertisements

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
DNS Domain Name Systems Introduction 1. DNS DNS is not needed for the internet to work IP addresses are all that is needed The internet would be extremely.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,
Name Resolution Domain Name System.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
IIT Indore © Neminath Hubballi
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 17 Domain Name System (DNS)
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
Chapter 17 Domain Name System
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Internet and Intranet Protocols and Applications Lecture 5 Application Protocols: DNS February 20, 2002 Joseph Conron Computer Science Department New York.
1 Kyung Hee University Chapter 18 Domain Name System.
Configuring Name Resolution and Additional Services Lesson 12.
Domain Name System (DNS). DNS Server Service Overview of Domain Name System What Is a Domain Namespace? Standards for DNS Naming.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.
Linux Operations and Administration
BZUPAGES.COM. Presented to: Sir. Muizuddin sb Presented by: M.Sheraz Anjum Roll NO Atif Aneaq Roll NO Khurram Shehzad Roll NO Wasif.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Internet Naming Service: DNS* Chapter 5. The Name Space The name space is the structure of the DNS database –An inverted tree with the root node at the.
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
System Administration(SAD622S) Name of Presenter: Shadreck Chitauro Lecturer 18 July 2016 Faculty of Computing and Informatics.
Understand Names Resolution
Security Issues with Domain Name Systems
Networking Applications
DNS Security Advanced Network Security Peter Reiher August, 2014
DNS Security.
Module 5: Resolving Host Names by Using Domain Name System (DNS)
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
IMPLEMENTING NAME RESOLUTION USING DNS
Configuring and Troubleshooting DNS
DNS.
SUBMITTED BY: NAIMISHYA ATRI(7TH SEM) IT BRANCH
Understand Networking Services
DNS Cache Poisoning Attack
CPS 512 midterm exam #1, 10/5/17 Your name please: NetID:_______ Sign for your honor:____________________________.
Working at a Small-to-Medium Business or ISP – Chapter 7
DNSSEC Iván González Montemayor A
Net 323 D: Networks Protocols
Chapter 19 Domain Name System (DNS)
A New Approach to DNS Security (DNSSEC)
NET 536 Network Security Lecture 6: DNS Security
DNS: Domain Name System
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Domain Name System: DNS
COMPUTER NETWORKS PRESENTATION
(DNS – Domain Name System)
Windows Name Resolution
Computer Networks Presentation
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.
Domain Name Server Presented By: Mahesh Venkat Adusumelli
Presentation transcript:

NET 536 Network Security Lecture 8: DNS Security Networks and Communication Department Lecture 8: DNS Security

Outline Part I: DNS Overview of DNS DNS Components DNS Transactions Attack on DNS Part II: DNS Security DNSSEC DNSSEC Objective DNSSEC Scope DNSSEC Resource Records How DNSSEC works ? Reference: http://compsec101.antibozo.net/papers/dnssec/dnssec.html 31-Dec-18 Networks and Communication Department

Part I: DNS 31-Dec-18 Networks and Communication Department

Introduction The DNS provides a mechanism that resolves Internet host names into IP addresses and vise versa. The DNS also supports other Internet directory-like lookup capabilities to retrieve information relating to DNS Name Servers, Canonical Names* , Mail Exchangers, etc. Many security weaknesses surround IP and the protocols carried by IP & The DNS is not immune to these security weaknesses. Lack authenticity and integrity checking of the data held within the DNS make it not secure. * Canonical name (CNAME) is a record in the DNS database that indicates the true host name of a computer associated with its aliases. 31-Dec-18 Networks and Communication Department

Overview of DNS DNS provides Internet lookup that maps the names of computer systems to their respective numerical IP network addresses. The DNS not only supports host name to network address resolution, known as forward resolution, but it also supports network address to host name resolution, known as inverse resolution. Without it, the only way to reach other computers on the Internet is to use the numerical network address. forward inverse 31-Dec-18 Networks and Communication Department

The Domain Name Space 31-Dec-18 Networks and Communication Department

The Inverse Domain Name Space When the DNS is used to map an IP address back into a host name (inverse resolution), the DNS makes use of the same notion of labels from left to right (most specific to least specific) when writing the IP address. This is in contrast to the typical representation of an IP address whose dotted decimal notation from left to right is least specific to most specific. To handle this, IP addresses in the DNS are typically represented in reverse order. IP addresses fall under a special DNS top level domain (TLD), known as the in-addr.arpa domain. By doing this, using IP addresses to find DNS host names are handled just like DNS host name lookups to find IP addresses 31-Dec-18 Networks and Communication Department

DNS Component Major Components: Resource Records (RRs): Database: DNS tree and Resource Records. Name Servers: Authoritative for one or more zones – Answers queries. Clients: Software library, called resolver, sends queries to name servers. Resource Records (RRs): Address (A) [Maps Host name into an IP address] www.abc.com. A 10.1.0.52 Pointer (PTR) [Maps an IP address into hostname] 52.0.1.10.IN-ADDR.ARPA. PTR www.abc.com. 31-Dec-18 Networks and Communication Department

DNS Transaction Name Server (NS) [Denotes a name server for a zone] www2.abc.com. NS dns.www.abc.com. Canonical Name (CNAME) [Defines an alias name and maps it to the absolute (canonical) name] abc.com. CNAME www.abc.com Two most common transactions DNS zone transfers: the secondary server retrieves a new copy of the zone , if the primary server has a more recent version. DNS queries/responses: A DNS query is answered by a DNS response. 31-Dec-18 Networks and Communication Department

Attack on DNS DNS Cache Poisoning DNS ID Spoofing Client Flooding DNS Dynamic Update Vulnerabilities Information Leakage Compromise of DNS server’s authoritative data 31-Dec-18 Networks and Communication Department

DNS Cache Poisoning DNS Cache Poisoning DNS A receives a query that it does not have an answer to, so it asks DNS B. DNS B replies with wrong information DNS A accepts the response of DNS B without performing 31-Dec-18 Networks and Communication Department

DNS Cache Poisoning Attack An attacker use his rogue name server and intentionally formulating misleading information. This bogus information is sent as either the answer or as just a helpful hint and gets cached by the unsuspecting DNS server. One way to coerce a susceptible server into obtaining the false information is for the attacker to send a query to a remote DNS server requesting information pertaining to a DNS zone for which the attacker’s DNS server is authoritative. Having cached this information, the remote DNS server is likely to misdirect legitimate clients it serves . 31-Dec-18 Networks and Communication Department

DNS Cache Poisoning Attack Attack Objective : Denial of service. Negative response could be a message that the requested name could not be resolved ( while it can be) so that the client can't get the website he wants Negative response could be incorrect resolved name that direct the user to a website he doesn’t need. 31-Dec-18 Networks and Communication Department

Client Flooding Client sends a DNS query. Attacker send thousands of responses made to appear as if originating from the DNS server. Client accepts responses because it lacks the capability to verify the response origin. 31-Dec-18 Networks and Communication Department

DNS Dynamic Update Vulnerabilities An attacker using IP spoofing of a trusted server may launch a DoS attack by deleting RRs, or malicious redirection by changing an IP of a RR in an update. 31-Dec-18 Networks and Communication Department

Attacks Information Leakage Zone transfers can leak information concerning internal networks Or an attacker can query one by one every IP address in a domain space to learn unassigned IP addresses. 31-Dec-18 Networks and Communication Department

Compromise of DNS server’s authoritative data DNS server has some vulnerabilities not related to DNS. Attacker gets administrative privileges on DNS Server. Attacker modifies zone information for which the DSN server is authoritative. 31-Dec-18 Networks and Communication Department

Part II: DNS Security DNSSEC 31-Dec-18 Networks and Communication Department

Introduction DNSSEC is a security extensions to the DNS protocol in response to the security issues surrounding the DNS. a new set of RRs are defined to hold the security information that provides strong security to DNS zones wishing to implement DNSSEC. These new RR types are used in conjunction with existing types of RRs. This allows answers to queries for DNS security information belonging to a zone that is protected by DNSSEC to be supported through non-security aware DNS servers. 31-Dec-18 Networks and Communication Department

DNSSEC Objective To assure authentication and integrity to DNS services. However: DNSSEC doesn’t provide access control and confidentiality services Authentication and integrity of information held within DNS zones is provided by using digital signature. Although DNSSEC doesn't provide confidentiality to DNS transactions, it supports confidentiality as a worldwide public key distribution mechanism. 31-Dec-18 Networks and Communication Department

DNSSEC Scope DNSSEC provides three services: key distribution data origin authentication transaction and request authentication. 31-Dec-18 Networks and Communication Department

DNSSEC Scope : Key Distribution The retrieval of the public key of a DNS name to verify the authenticity of the DNS zone data. Provides a mechanism through which any key associated with a DNS name can be used for purposes other than DNS. The public key distribution service supports several different types of keys and several different types of key algorithms. 31-Dec-18 Networks and Communication Department

DNSSEC Scope : Data Origin Authentication Data origin authentication is the core of the design of DNSSEC. It mitigates such threats as cache poisoning and zone data compromise on a DNS server. The RRSets within a zone are signed to assert to resolvers and servers that the data just received can be trusted. The digital signature contains the encrypted hash of the RRSet. The hash is signed using a private key usually belonging to the corresponding zone. The recipient of the RRSet can then check the digital signature against the data in the RRSet just received. 31-Dec-18 Networks and Communication Department

DNSSEC Scope :DNS Transaction and Request Authentication Service 1: It provides the ability to authenticate DNS requests and DNS message headers. This guarantees that : the answer is in response to the original query the response came from the server for which the query was intended. To assure this Part of the information, returned in a response to a query from a security aware server, is a signature. This signature is produced from the concatenation of the query and the response. This allows a security aware resolver to perform any necessary verification concerning the transaction. 31-Dec-18 Networks and Communication Department

DNSSEC Scope :DNS Transaction and Request Authentication Service 2 : DNS Dynamic Updates. Without DNSSEC DNS Dynamic Update does not provide a mechanism that stop any system with access to a DNS authoritative server from updating zone information. With DNSSEC Secure DNS Dynamic provides strong authentication for systems allowed to dynamically manipulate DNS zone information on the primary server 31-Dec-18 Networks and Communication Department

DNSSEC Resource Records Introduces new RR types: KEY: used for storing a public key that is associated with a DNS name. SIG: Digital signature. The SIG RR provides authentication for a RRSet and the signature’s validity time. 31-Dec-18 Networks and Communication Department

DNSSEC Resource Records Introduces new RR types: NXT: NXT RRs are used to indicate a range of DNS names that are unavailable or a range of RR types that are unavailable for an existing DNS name. WHY ? The DNS provides the ability to cache negative responses. A negative response means that a corresponding RRSet does not exist for the query. DNSSEC provides signatures for these nonexistent RRSets so that their nonexistence in a zone can be authenticated. 31-Dec-18 Networks and Communication Department

How DNSSEC works Each RRSet has an associated SIG RR which is a digital signature of the RRSet using the private key of the zone. If a security aware resolver reliably learns a public key of the zone, it can authenticate signed data read from that zone. A security aware server will attempt to return, with RRs retrieved, the corresponding SIGs. 31-Dec-18 Networks and Communication Department

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.