DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

Slides:

Advertisements

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Advertisements

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

Security and Information Assurance for the DNS Dan Massey USC/ISI.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

SSH Secure Login Connections over the Internet

DNS Workbench Update DNS-OARC Workshop Phoenix, Arizona, USA Sat Oct 5, Jelte Jansen, Antoin Verschuren.

Tony Kombol ITIS Who knows this? Who controls this? DNS!

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

IIT Indore © Neminath Hubballi

Introduction to DNSSEC AROC Bamako, Mali, What is DNSSEC?

Andreas Steffen, , 12-DNSSEC.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.

Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.

TODAY & TOMORROW DAY 2 - GROUP 5 PRESENTED BY: JAMES SPEIRS CHARLES HIGBY BRADY REDFEARN Domain Name System (DNS)

Phil Regnauld Hervey Allen 15 June 2009 Papeete, French Polynesia DNSSEC Tutorial: Bibliography.

Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.

Application Services COM211 Communications and Networks CDA College Theodoros Christophides

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,

DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

Zone State Revocation (ZSR) for DNSSEC Eric Osterweil (UCLA) Vasileios Pappas (IBM Research) Dan Massey (Colorado State Univ.) Lixia Zhang (UCLA)

DNS Security Extension 1. Implication of Kaminsky Attack Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning –No.

DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.

Presented by Mark Minasi 1 SESSION CODE: WSV333.

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Building Trust with Anchors Eric Osterweil Dan Massey Lixia Zhang 1.

Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average

Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.

DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c

Security Issues with Domain Name Systems

DNS Security Advanced Network Security Peter Reiher August, 2014

DNS Security Issues SeongHo Cho DPNM Lab., POSTECH

Principles of Computer Security

DNS Session 5 Additional Topics

DNS Cache Poisoning Attack

DNSSEC Iván González Montemayor A

NET 536 Network Security Lecture 8: DNS Security

NET 536 Network Security Lecture 6: DNS Security

(DNS – Domain Name System)

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

Presentation transcript:

DNS Security Overview AROC Guatemala July 2010

What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely insecure… Only we didn’t know this. A couple of DNS experts had foreseen potential problems, so their software already had defenses against this security flaw - djbdns and PowerDNS. The flaw is formally known as DNS Cache Poisoning, but is now referred to as “The Kaminsky Bug.”

Dan Kaminsky’s Bug Dan Kaminsky In March of 2008 was said to have mumbled the words, “Oh sh_t, I just broke the Internet.” The only problem was – he had

An Emergency Meeting was Held… …in building Nine on the Microsoft campus at 10 am on March 31. Paul Vixie, an original author of BIND and president of the Internet Systems Consortium (isc.org) arranged the meeting and the attendees. Kaminsky presented and gave those present until August 6 to find a solution to the Cache Poisoning problem he had found. Secrecy around the issue was maintained until July 21 when a “security expert” leaked the flaw. The temporary solution is known as “source port randomization”. The permanent solution is known as DNSSEC.

DNS Cache Poisoning Conceptually quite simple: 1.Create a fake authoritative name server for an entire zone. 2.From attack machine ask a local DNS cache server for the IP address of a site in that zone not already in the cache. 3.Caching serving goes to authoritative server to ask for the site’s IP address. 4.Meanwhile attack box floods the DNS cache with fake responses for the site. Fake responses include information indicating "I don't know the answer, but you can ask over there” – i.e. authoritative information for the zone is contained. 5.If the attacking box can “guess” the query ID that the caching server is listening for on port 53, then it will accept the response, believe the new authority record and stop listening to the actual authoritative server for that zone! 6.There are, by default, potential query IDs, but with proper flooding techniques you can generally “guess” a query ID within 10 seconds on an unpatched Caching server.

Cache Poisoning: The Attack

Cache Poisoning: Post Attack

Source Port Randomization Rather than possible query IDs increase this number dramatically – between several hundred million and 4 billion. You can still poison the cache, but a concerted, longer-term attack is required. You must monitor your DNS boxes for this. If you have not patched your DNS software, then your DNS server can be owned in 10 seconds or less… Source port randomization does not solve the cache poisoning attack, it only puts a bandage on the issue…

DNS Security We need DNS Security to solve DNS Cache Poisoning attacks as well as generally: Authenticating DNS data Authenticate the denial of existence of domains. To ensure data integrity or – in “plain English” To be able to verifiably know that the reply to our DNS query is valid and has not been spoofed.

DNS Security Does Not… Encrypt the data Stop DDoS attacks on DNS Servers Encrypt DNS zone transfer data

Where is the DNS Vulnerable?

Implementing DNS Security As the Beatles might say, “This has been a long and winding road.” A few days ago the “.” was signed! A big deal: We had a celebrity in our midst… Trusted Community Representative (One of “the 14”) Crypto Officer for the US West Coast Facility

How do we Secure DNS?

To secure the DNS against spoofing we start with 4 new Resource Records (RRs): DNSKEY: Public Key of RRSIG record. Used in zone signing operations. RRSIG: Resource Record set SIGnature NSEC/NSEC3: Next SECure record. Returned as verifiable evidence that the name and/or RR type does not exist. DS  See next slide… Complete list of DNS records:

The DS Record Delegation Signer: Contains the hash of the public key used to sign the DNSKEY which itself will be used to sign the zone data. Follow DS RR's until a ”trusted” zone is reached (ideally the root). An excellent discussion of DNSSec by Geoff Houston:

RRset

DNSKEY Resource Record

Key Signing Key / Zone Signing Key

DNSSEC: RRSIG

DNSSEC: NSEC/NSEC3

DNSSEC: DS

DNSSEC: New Fields

What Does this Protect in the end?

Conclusion Next we’ll do some exercises and discuss issues. In addition – we have references to a large bibliography and a recent status update of DNSSEC deployments available linked on this classes web pages: