DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

Slides:

Advertisements

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Advertisements

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Domain Name System ( DNS )  DNS is the system that provides name to address mapping for the internet.

TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

Domain Name Services Oakton Community College CIS 238.

DNS Domain Name Systems Introduction 1. DNS DNS is not needed for the internet to work IP addresses are all that is needed The internet would be extremely.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

DUKE UNIVERSITY DNSSEC 101 Kevin Miller.

Basic DNS Course Lecturer: Ron Aitchison. Module 1 DNS Theory.

Tony Kombol ITIS Who knows this? Who controls this? DNS!

1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

CSUF Chapter 6 1. Computer Networks: Domain Name System 2.

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

IIT Indore © Neminath Hubballi

DNS: Domain Name System

25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

14 DNS : The Domain Name System. 14 Introduction - Problem Computers are used to work with numbers Humans are used to work with names ==> IP addresses.

Chapter 17 Domain Name System

Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.

TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.

Domain Name System CH 25 Aseel Alturki

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

Domain Name System. CONTENTS Definitions. DNS Naming Structure. DNS Components. How DNS Servers work. DNS Organizations. Summary.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Naming March 8, Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.

1 Kyung Hee University Chapter 18 Domain Name System.

Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

How to use DNS during the evolution of ICN? Zhiwei Yan.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

1. Internet hosts:  IP address (32 bit) - used for addressing datagrams  “name”, e.g., ww.yahoo.com - used by humans DNS: provides translation between.

TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Domain Name System INTRODUCTION to Eng. Yasser Al-eimad

WHAT IS DNS??????????.

Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.

Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

DNS Security Advanced Network Security Peter Reiher August, 2014

IMPLEMENTING NAME RESOLUTION USING DNS

DNS Session 5 Additional Topics

Unit 5: Providing Network Services

DNS Cache Poisoning Attack

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

Chapter 19 Domain Name System (DNS)

Chapter 25 Domain Name System

Chapter 25 Domain Name System

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

Presentation transcript:

DNS Security Extensions (DNSSEC) Ryan Dearing

Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment

Terminology Zone – contains resource records Resource Record – Record with a name and value, (e.g → IP) Authoritative Server – server that can definitively answer queries for a zone (non-caching) Master Server – Authoritative server that contains primary copy of the zone and pushes to slave/secondary server Slave Server – Authoritative server that gets zone information from master server (also called secondary server) Recursive/Caching Server – server that caches query responses

Domain Name System Created in 1983 by Paul Mockapetris Minimal Changes to the core protocol since 1987 Has scaled very well ~190 million domains

DNS Hierarchy and Protocol DNS uses a hierarchical model Root Servers, TLD Servers, Domain Servers Small Efficient UDP Packets  No State Caching locally and at recursive Servers Serial number is incremented when zone information changes

DNS Stats Verisign hosts DNS servers for.com and.net Receives 52 billion queries per day Peak at 61 billion queries per day 48% Yearly growth 13 Nameservers listed for.com and.net, but most likely hundreds with load balancing

Security DNS uses a trust model, popular in the 80s when the Internet was small and computing power was low If attacker manages to impersonate an authoritative server, they can poison the cache of recursive caching servers  Suddenly BankOfAmerica.com is going to Nigeria

DNSSEC DNSSEC adds signing to a zone's information Allows DNS responses to be validated all the way from the root Increases zone and packet size considerably Already implemented on the root servers Only useful when zones start using it

DNSSEC Validation google. com Request information from root server for.com, verify response based on public key (publicly distributed). Returns key for.com Request information from.com server for google.com, verify response using key returned from the root. Returns key for google.com Request information from google.com server, verify with key returned from the.com server.

DNSSEC Validation

DNSSEC Complexities Must tell parent zone when key is changed Changing key must be done very carefully, both keys are used for a period of time due to caching Must be careful about zone enumeration Servers will require more memory for holding additional information (keys, response signatures) More bandwidth utilization Larger packets (network equipment blocking)

DNSSEC Deployment Status All root servers now use DNSSEC as of May 5.com and.net by Q1 of 2011, requires upgrades for scalability.org already deployed with DNSSEC.gov already deployed with DNSSEC Big zones will need to deploy it too (google.com, yahoo.com, etc) Large DNS providers need to deploy too (NeustarDNS, Markmonitor, etc)

Questions?