What DNS is Not. Kylie Brown, Jordan Eberst, Danielle Franz, Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros. Paul Vixie. 2009.

Presentation transcript:

What DNS is Not. Kylie Brown, Jordan Eberst, Danielle Franz, Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros. Paul Vixie. What DNS Is Not. Queue volume 7, issue 10.

DNS: An Overview Companion Paper o DNS Complexity - Published in ACM's Queue, Volume 5 Issue 3, April DNS Complexity o

DNS: An Overview
GIANT Database
DNS translates a domain name into an IP address.
Why is this hard?
o Billions of IP addresses in use
o Billions of daily DNS requests
o Constantly changing
Human Convenience

How Does DNS Work?
Example: Request for IP address sent to your web browser
o Cached if you have visited recently
If not, a search begins.

How Does DNS Work?
The search process starts at the root name servers.
The root servers refer the resolver to the .COM name servers.
Request IP addresses for the Facebook name server
Request IP address of from the Facebook name servers.
Web browser caches IP address

What DNS is Not: Overview
Misuses of DNS
o DNS is not a routing protocol
o DNS is not a tool to monetize typos
o DNS is not a directory system
This paper talks about different properties that allow DNS to be misused, the common practices of misuse, and the consequences of misuse.

Stupid DNS Tricks

DNS is not a routing protocol
Content Distribution Networks (CDNs) often use DNS queries as an opportunity to route user requests.
o E.g., Akamai, Cisco DistributedDirector
Users are routed to an appropriate content server based on their geographic / network proximity and content server load.
Problems
o This scheme requires limiting caching (i.e., low TTL) and increases load on DNS infrastructure.
o Most end-users are using their ISP's recursive name servers. This hides the user's original location and decreases the accuracy of DNS-based routing.

NXDOMAIN Remapping

NXDOMAIN Remapping
Expected Causes of NXDOMAIN:
Typo (e.g.,
Broken Link
Hardware or Software Error
What should happen:
Browser catches bad domain name: “Error page”
- “bounced ”

What you should see Googler.com

What you usually see Bestbuyt.com

A Growing Problem
Many major ISPs' DNS servers (e.g., Comcast) and some public DNS servers (e.g., OpenDNS) redirect users to these spammy search pages.
VeriSign example (2006): Added a wildcard on top of the .com zone. Prevented NXDOMAIN returns. Any non-existent domain, regardless of DNS servers used, was redirected to SiteFinder's website.
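One way to check whether the resolver in use remaps NXDOMAIN as described above (an added example, not code from the presentation or the paper): look up random labels that nobody has registered and see whether any of them resolve. The function names, the probe suffix and the stub resolvers (constructed, with addresses from the documentation ranges) are assumptions of this sketch.

```python
import secrets
import socket


def resolve_system(name):
    """Addresses the system resolver returns for name; empty set on NXDOMAIN or failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def probe_names(count=5, suffix="com"):
    """Random 32-hex-digit labels; the honest answer for each of them is NXDOMAIN."""
    return [f"{secrets.token_hex(16)}.{suffix}" for _ in range(count)]


def detect_nxdomain_remapping(resolve=resolve_system, names=None):
    """Resolve names that should not exist and report whether any came back with addresses."""
    names = list(names) if names else probe_names()
    answers = {name: resolve(name) for name in names}
    resolved = {name: addrs for name, addrs in answers.items() if addrs}
    landing = sorted(set().union(*resolved.values())) if resolved else []
    return {
        "probes": len(names),
        "resolved": len(resolved),
        "remapped": bool(resolved),
        # One address shared by unrelated random names is the search-page host.
        "landing_addresses": landing,
    }


# Constructed stub resolvers so the check can be exercised offline.
REAL_ZONE = {"example.com": {"192.0.2.80"}}


def honest_resolver(name):
    return REAL_ZONE.get(name, set())              # unknown name: no answer


def remapping_resolver(name):
    return REAL_ZONE.get(name, {"203.0.113.10"})   # unknown name: search page


if __name__ == "__main__":
    print("honest:   ", detect_nxdomain_remapping(honest_resolver))
    print("remapping:", detect_nxdomain_remapping(remapping_resolver))
    # detect_nxdomain_remapping() with no arguments probes the live system resolver.
```

A wildcard placed in the zone itself, as in the VeriSign case, produces the same result from every resolver, so comparing results across resolvers separates the two situations.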

NXDOMAIN is important. Some things depend on accurate negative results.
1. Web security
o Many sites, like Google, use wildcard cookies so users can maintain sessions over subdomains (Google Docs, Google Sites, etc).
o If sdfgaj.google.com. is redirected to a search page, web browsers will send user cookies.

NXDOMAIN is important. Some things depend on accurate negative results.
1. Web security, continued
o In 2008, Dan Kaminsky found a cross-site scripting vulnerability in Earthlink's search page.
o Earthlink customers were vulnerable to HTML or JavaScript injection on arbitrary domain names because of NXDOMAIN hijacking.
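Why a remapped subdomain receives wildcard cookies, as an added example that is not from the presentation: the cookie domain-match rule from RFC 6265 section 5.1.3 applied to a constructed cookie jar. The cookie names and attributes are assumptions; path and expiry handling are left out, and the trailing root dot of DNS notation is simply stripped.

```python
import ipaddress


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: identical, or host ends with '.' + cookie domain and is not an IP."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    return host.endswith("." + cookie_domain) and not is_ip_literal(host)


def cookies_sent(jar, host, scheme):
    """Names of the cookies a browser would attach to a request for scheme://host/."""
    sent = []
    for cookie in jar:
        if cookie["host_only"]:
            # No Domain attribute was set: only the exact origin host gets it back.
            in_scope = host.lower().rstrip(".") == cookie["domain"]
        else:
            in_scope = domain_match(host, cookie["domain"])
        # Secure cookies are withheld from plain-HTTP requests.
        if in_scope and (scheme == "https" or not cookie["secure"]):
            sent.append(cookie["name"])
    return sent


# Constructed jar: one wildcard cookie, one wildcard cookie with Secure,
# and one host-only cookie set by docs.google.com.
JAR = [
    {"name": "session_wide", "domain": "google.com", "host_only": False, "secure": False},
    {"name": "session_secure", "domain": "google.com", "host_only": False, "secure": True},
    {"name": "session_host_only", "domain": "docs.google.com", "host_only": True, "secure": False},
]

if __name__ == "__main__":
    for host, scheme in [("docs.google.com", "https"),
                         ("sdfgaj.google.com", "http"),
                         ("notgoogle.com", "http")]:
        print(f"{scheme}://{host}/ ->", cookies_sent(JAR, host, scheme))
```

Only the cookie scoped to the parent domain without Secure reaches the remapped name over plain HTTP; host-only and Secure cookies stay out of that request.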

NXDOMAIN is important. Some things depend on accurate negative results.
2. (SMTP)
o If an MX (mail exchange) lookup returns no results, an SMTP server will fall back to a standard A record lookup. [1]
o These DNS requests are indistinguishable from, say, web browsers' requests. The request will be redirected to a search page.
o SMTP server will attempt to send to the wrong IP address.
[1] See RFC 5321, section 5.1.
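The MX fallback described above, as an added example that is not from the presentation: the target selection of RFC 5321 section 5.1 run against an honest resolver and against one that remaps NXDOMAIN. The zone data, the misspelled domain and the search-page address are constructed, and the lookup functions are hypothetical stand-ins for a resolver.

```python
SEARCH_PAGE = "203.0.113.10"   # constructed: address of the redirect search page

# Constructed zone data: (owner name, record type) -> answers
ZONE = {
    ("example.com", "MX"): [(20, "mx2.example.com"), (10, "mx1.example.com")],
    ("mx1.example.com", "A"): ["192.0.2.25"],
    ("mx2.example.com", "A"): ["192.0.2.26"],
}


def honest_lookup(name, rtype):
    """Empty list stands for 'no such record', including NXDOMAIN."""
    return ZONE.get((name, rtype), [])


def remapping_lookup(name, rtype):
    """Resolver that answers A queries for nonexistent names with the search page."""
    answer = ZONE.get((name, rtype), [])
    name_exists = any(owner == name for owner, _ in ZONE)
    if not answer and rtype == "A" and not name_exists:
        return [SEARCH_PAGE]
    return answer


def delivery_targets(domain, lookup):
    """Hosts and addresses a sending SMTP server would try for mail to user@domain."""
    mx = sorted(lookup(domain, "MX"))            # lowest preference value first
    implicit = not mx                            # no MX: the domain is its own implicit MX
    hosts = [domain] if implicit else [exchange for _, exchange in mx]
    targets = [(host, addr) for host in hosts for addr in lookup(host, "A")]
    status = "attempt" if targets else "bounce"  # nothing to connect to: fail immediately
    return {"status": status, "implicit_mx": implicit, "targets": targets}


if __name__ == "__main__":
    for label, lookup in [("honest", honest_lookup), ("remapping", remapping_lookup)]:
        print(label, "example.com ->", delivery_targets("example.com", lookup))
        print(label, "exampel.com ->", delivery_targets("exampel.com", lookup))
```

With the honest resolver the misspelled domain bounces at once; with the remapping resolver the sender instead queues a delivery attempt to the search-page address.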

Standard Bad Practices
In 2009, there was an effort by national cable companies to standardize DNS redirection services. [2]
The standard outlines an opt-out DNS redirect search engine / malware filter and a "Legally-Mandated DNS Redirect Domain List" for "illegal domains."
[2] "Recommended Configuration and Use of DNS Redirect by Service Providers"

Solution: DNSSEC

A Rescue Being Thought of
DNSSEC is a set of protocol enhancements for DNS. It allows zones to be signed by zone editors using private keys and verified using public-key cryptography. All query responses, including NXDOMAIN, are signed. This prevents man-in-the-middle attacks. But, right now, most resolvers are configured to accept unsigned responses. DNSSEC needs wider adoption.

A Rescue Being Thought of
DNSSEC won't prevent CDNs' DNS-based routing schemes, as it is possible to have a collection of signed, authoritative responses.

Directory Services

Some web browsers attempt to auto-complete DNS queries as a user types in the URL bar. If a user types "
> .cn is the ccTLD for China, so this is a valid domain
> .co is the ccTLD for Colombia.
This causes unnecessary traffic to and cnn.co name servers.
Domains are not in an ideal format for these directory lookups. E.g., .com.cnn.www