DNS Security Extension

Implication of Kaminsky Attack
Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning
– No longer needs to wait for the TTL to expire
– The attacker can control when and what queries are issued
– A complete domain may be hijacked; even TLDs are vulnerable
– Only needs 10 seconds to succeed

Short-term mitigation
Increase the brute-force search space
– The 16-bit TXID is too small and can easily be brute-forced
– Randomize the source port number
– Use other entropy in DNS messages, e.g. the letter case of the query name
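The three entropy sources above work together only if the resolver checks all of them on every answer. The following Python is an added illustration (not code from the lecture) of the resolver side: it mixes the letter case of the query name, records what was sent, and accepts a response only when transaction ID, port and the exact case pattern of the echoed name all match. The 16-bit port range is an assumption used for the arithmetic; real resolvers draw from a narrower range.

```python
import secrets
from dataclasses import dataclass

# Constructed sizes (assumptions): a 16-bit transaction ID and a resolver that
# picks its UDP source port from a full 16-bit range. Real port ranges are
# narrower, so the port figure is an upper bound.
TXID_BITS = 16
PORT_BITS = 16


def randomize_case(qname: str) -> str:
    """Flip each letter of the query name to a random case ("0x20" mixing).
    The upstream server echoes the name byte-for-byte, so the case pattern is
    extra entropy a forged answer has to reproduce."""
    return "".join(
        (ch.upper() if secrets.randbits(1) else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )


def case_bits(qname: str) -> int:
    """Entropy contributed by case mixing: one bit per letter."""
    return sum(1 for ch in qname if ch.isalpha())


def guess_bits(qname: str, random_port: bool = True, random_case: bool = True) -> int:
    """Bits a spoofed response must match before the resolver accepts it."""
    bits = TXID_BITS
    if random_port:
        bits += PORT_BITS
    if random_case:
        bits += case_bits(qname)
    return bits


@dataclass(frozen=True)
class PendingQuery:
    txid: int
    src_port: int
    qname: str          # stored with the exact case that was sent


def send_query(qname: str, random_case: bool = True) -> PendingQuery:
    """Record what the resolver sent so the answer can be checked against it."""
    sent = randomize_case(qname) if random_case else qname.lower()
    return PendingQuery(txid=secrets.randbits(TXID_BITS),
                        src_port=secrets.randbits(PORT_BITS),
                        qname=sent)


def response_matches(pending: PendingQuery, resp_txid: int,
                     resp_dst_port: int, resp_qname: str) -> bool:
    """Accept a response only if the TXID, the destination port and the echoed
    question name (compared case-sensitively, unlike ordinary DNS name
    comparison) all match the outstanding query."""
    return (resp_txid == pending.txid
            and resp_dst_port == pending.src_port
            and resp_qname == pending.qname)
```

For `www.usf.edu` the TXID alone gives 16 bits, the port adds 16 more, and the nine letters of the name add nine more, which is why the case-sensitive comparison in `response_matches` matters: a resolver that normalises case before comparing throws those bits away.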

Long-term Solution: DNSSEC
Use public-key signatures to authenticate DNS messages
– Domain names already form a hierarchy
– The parent signs its children's public keys
– A resolver only needs to know the root public key to authenticate DNS messages

The Domain Name System
(Borrowed from slides of Prof. Dan Massey at Colorado State University)
– Basic Internet database
  – Maps names to IP addresses
  – Also stores IPv6 addresses, mail servers, service locators, ENUM (phone numbers), etc.
– Data organized as a tree structure
  – Each zone is the authority for its local data
[Figure: tree of zones: Root; edu, com, uk; cisco, usf, co, ibm; cse]

DNSSEC
(Adapted from slides of Prof. Dan Massey at Colorado State University)
– Provides a "natural" PKI
  – Maps zones to their keys
  – Parent zones sign child zones' keys
– Keys organized as a tree structure
  – Each zone is the authority for its local data
  – A zone's key is only effective for its zone
[Figure: the same tree of zones: Root; edu, com, uk; cisco, usf, co, ibm; cse]

DNS RR Review
DNS Resource Record (RR)
– Can be viewed as tuples of the form (name, TTL, class, type, value)
– Types: A (IP address), MX (mail servers), NS (name servers), PTR (reverse lookup), RRSIG (signature), DNSKEY (public key), …

DNSSEC Records
Introduce a new data type: RRSIG

  name   TTL   class   type   value
  …      …     IN      A      …

  name   TTL   class   type    covered_type   not after   not before   key name   value
  …      …     IN      RRSIG   A              …           …            usf.edu.   Base64 encoding of signature

DNSSEC Records
Introduce a new data type: DNSKEY

  name       TTL   class   type     value
  usf.edu.   …     IN      DNSKEY   Base64 encoding of public key

  name       TTL   class   type    covered_type   not after   not before   key name   value
  usf.edu.   …     IN      RRSIG   DNSKEY         …           …            edu.       Base64 encoding of signature

Authenticated Non-existence
What if the usf.edu server is asked the IP address of a non-existent name (e.g. foo.usf.edu)?
– Can't sign non-existence on the fly because the server does not have the private key (why?)
NSEC record
– "The name after eng.usf.edu is global.usf.edu"
– Order all the names in a zone and sign all the NSEC records ahead of time
– Problem: enables zone enumeration
– NSEC3 addresses this concern by using hashes of the names instead of the names themselves
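The NSEC idea is concrete enough to run. The Python below is an added example, not part of the lecture: it sorts a small constructed `usf.edu.` zone (the two names from the slide plus the apex and `www`) into DNS canonical order, links each name to its successor as an NSEC chain would, and finds the one pre-signed record that denies a queried name. The NSEC3 variant builds the same chain over hashed names, so the denial record exposes two digests rather than two real names. The salt and iteration count are made-up parameters; the hash is returned as hex instead of the Base32hex used by RFC 5155 since only the ordering matters here.

```python
import hashlib


def canonical_key(name: str):
    """Key for DNS canonical ordering: labels compared right to left,
    case-insensitively (usf.edu. sorts before eng.usf.edu.)."""
    labels = [label.lower() for label in name.rstrip(".").split(".") if label]
    return tuple(reversed(labels))


def build_chain(items, key):
    """Sort the zone's names (or NSEC3 hashes) and link each to its successor;
    the last entry wraps around to the first, as the NSEC chain does."""
    ordered = sorted(items, key=key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def covers(owner, nxt, query, key):
    """True if `query` falls strictly between `owner` and `nxt` in the chain."""
    o, n, q = key(owner), key(nxt), key(query)
    if o < n:
        return o < q < n
    return q > o or q < n          # wrap-around record at the end of the chain


def prove_nonexistence(chain, query, key=lambda x: x):
    """Return the pre-signed record that denies `query`, or None if the name
    exists (or nothing covers it, which would mean a broken chain)."""
    for owner, nxt in chain:
        if key(owner) == key(query):
            return None
        if covers(owner, nxt, query, key):
            return (owner, nxt)
    return None


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """NSEC3-style owner-name hash: SHA-1 over the wire-format name plus salt,
    re-hashed `iterations` times. Hex output (RFC 5155 uses Base32hex) so the
    strings sort the same way the raw digests do."""
    wire = b"".join(bytes([len(l)]) + l.lower().encode()
                    for l in name.rstrip(".").split(".") if l) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest.hex()


# Constructed zone contents for usf.edu. (slide names plus the apex and www)
ZONE_NAMES = ["usf.edu.", "eng.usf.edu.", "global.usf.edu.", "www.usf.edu."]


def nsec_denial(qname: str):
    """NSEC proof: the returned pair reveals two real names from the zone."""
    return prove_nonexistence(build_chain(ZONE_NAMES, canonical_key), qname, canonical_key)


def nsec3_denial(qname: str, salt: bytes = b"\x12\x34", iterations: int = 10):
    """NSEC3 proof: the returned pair holds only hashes, so walking the chain
    does not hand out the zone's names directly."""
    hashed = [nsec3_hash(n, salt, iterations) for n in ZONE_NAMES]
    return prove_nonexistence(build_chain(hashed, key=lambda h: h),
                              nsec3_hash(qname, salt, iterations))
```

`nsec_denial("foo.usf.edu.")` returns the `eng.usf.edu.` to `global.usf.edu.` record from the slide; a query for a name that exists returns `None`, and a name sorting after `www` is covered by the wrap-around record that points back to the apex.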

PK usf2 Sig{PK usf } PK edu sign Key Management NS for.edu NS for usf.edu PK edu PK usf DS Record PK signing Do not need to notify parent if changed … PK usf2 Want to change PK usf to PK usf2 11

Potential Usage of DNSSEC
If successfully deployed, DNSSEC can serve as a universal Public Key Infrastructure (PKI)
– Sign public keys for web sites
– Sign public keys for addresses
Can this really be achieved?
– Existing systems like X.509 have so far failed to provide a universal PKI
– DNSSEC has a major difference from X.509: key compromise at a node only affects a subdomain

SSL/TLS
[Figure: simplified SSL/TLS exchange between Alice and Bob]
Alice → Bob: "I am Alice"
Bob → Alice: "I am Bob", including PK_B (PK_B is Bob's public key)
Alice → Bob: E(PK_B, s)
Both sides derive K_C, K_M = h(s)
Alice → Bob: {m}_K_C || MAC_K_M(m)

DNS-based Authentication of Named Entities (DANE)
Use DNSSEC to sign certain statements (DANE records)
– The currently proposed DANE records address trust of TLS certificates
TLSA DANE records
– Yet another type of DNS resource record (RR)
– Three types of statements:
  CA Constraints
  Service Certificate Constraints
  Trust Anchor Assertion
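What a TLS client does with the three kinds of TLSA statement is worth seeing in code. The Python below is an added example, not part of the lecture or of any TLS library: a TLSA record carries a usage, a selector (whole certificate or just its public key) and a matching type (exact or a hash), and the client compares that against the certificate chain the server presented. A CA constraint and a service certificate constraint additionally require ordinary X.509 path validation to succeed, which is passed in as a boolean here; a trust anchor assertion does not. The certificates are constructed byte strings standing in for real DER and SubjectPublicKeyInfo encodings, and the names are invented.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the two byte
    strings a TLSA selector can refer to are kept."""
    name: str
    der: bytes     # whole certificate (selector 0)
    spki: bytes    # SubjectPublicKeyInfo (selector 1)


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 CA constraint, 1 service certificate constraint, 2 trust anchor assertion
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """The bytes a record with this selector/matching type is compared against."""
    raw = {0: cert.der, 1: cert.spki}[selector]
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert: Cert, usage: int, selector: int, mtype: int) -> TLSA:
    """What the domain owner publishes (and signs with DNSSEC) for `cert`."""
    return TLSA(usage, selector, mtype, association_data(cert, selector, mtype))


def tlsa_accepts(record: TLSA, chain: list, pkix_valid: bool) -> bool:
    """Decide whether the presented chain (end-entity first) satisfies the
    record. `pkix_valid` is the outcome of normal X.509 path validation
    against the client's trust store, supplied rather than computed here."""
    matches = [association_data(c, record.selector, record.mtype) == record.data
               for c in chain]
    if record.usage == 0:   # CA constraint: path validates AND a CA in it matches
        return pkix_valid and any(matches[1:])
    if record.usage == 1:   # service certificate constraint: path validates AND leaf matches
        return pkix_valid and matches[0]
    if record.usage == 2:   # trust anchor assertion: the matching cert is the anchor
        return any(matches)
    return False


# Constructed certificates; real DER/SPKI bytes come from the TLS handshake.
LEAF = Cert("www.usf.edu", der=b"leaf-der-bytes", spki=b"leaf-spki-bytes")
INTERMEDIATE = Cert("Example Intermediate CA", der=b"int-der-bytes", spki=b"int-spki-bytes")
PRIVATE_ROOT = Cert("Example Private Root", der=b"root-der-bytes", spki=b"root-spki-bytes")
CHAIN = [LEAF, INTERMEDIATE, PRIVATE_ROOT]
```

The trust anchor assertion is the case the next slide's "real delegation of power" refers to: `tlsa_accepts(make_tlsa(PRIVATE_ROOT, 2, 0, 1), CHAIN, False)` succeeds even though the client's own trust store does not know that root, because the domain owner's DNSSEC-signed statement is what names the anchor.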

Advantages of DANE compared with X.509
Real delegation of power
– Better accountability
– More flexibility
– Better damage control
Clearer semantics
– An X.509 certificate encompasses everything
– A DANE record only means "this domain's owner says …"

Problems of DNSSEC
Key revocation
– If a zone's private key is compromised, the damage continues even after the key is replaced, until the parent's certificate on the key expires
– Certificate revocation? All the revocation problems with public keys will apply
– Issue short-term certificates instead? Then the upper-level zones will have to be more involved in maintaining the DNSSEC structure, against the initial design principle of DNS: the autonomy of individual zones

Deployment Status
Has been ongoing for a number of years
– Check status: maps/
Root domain signed July 2010
– DNSSEC now deployed at key zones including net, com, gov, and edu
"Almost" ready to use at the resolver level