Presented by Mark Minasi 1 SESSION CODE: WSV333

2

3

why should you care? 4

5

6

7

I don't know; better ask bigfirm.com's DNS server! What's the IP for Your ISP's DNS server Internet 8

Your ISP's DNS server What's the IP address for Send it to my port 3351 and specify transaction ID (TXID) 279 when you do. "Answer: " sent to port 3351, TXID 279 bigfirm.com'sDNS server 9

But nothing in standard DNS stops this from happening: 10

"Answer: " sent to port 3351, TXID 279 What's the IP address for Send it to my port 3351 and specify transaction ID (TXID) 279 when you do. Sorry, pal, you lose (heh heh heh)! 11 bigfirm.com's DNS server Your ISP's DNS server Answer: (sent to port 3351, TXID 279)

"Got it… the IP address is " 12 Your ISP's DNS server Bwahahahhah!!

13

14

15

16

17

18

19

20

By carefully randomizing both port and ID number, attackers have not a 1/65,536 chance but more like a 1/(65,536) 2 chance… … but they've still got a chance, and PKI can eliminate that 21

Crypto and signing to the rescue 22

23

24

25

26 First an A record, then its corresponding RRSIG; "A" says it refers to an A record, identifies the public key you'd use to verify the signature

27 Note the key tag value We'll see what " " means later.

28

Our DNS server gathers and verifies information from bigfirm.com: 29 "A" (address) record " is " RRSIG record contains encrypted hash of the A record DNSKEY record contains decryption key for RRSIG Bigfirm.com zone… (maybe!) retrieved hash of "A" record Decryption algorithm Hashing algorithm computed hash of "A" record They'd better be equal! InternetInternet

30

31

32 bigfirm.com zone DNSKEY Our DNS gets info and verifies DNSKEY: Internet.com zone DNSKEY bigfirm.com's DS minasi.com's DS google.com's DS. (root) zone DNSKEY.com's DS.net's DS.si's DS Hash algorithm =? Hash algorithm =? (preinstalled) =?

33

34

35 "A" record for BT1.bigfirm.com "A" record for CC.bigfirm.com "A" record for Then we add NSEC records and it looks like this:

36 "A" record for BT1.bigfirm.com NSEC record for BT1 "A" record for CC.bigfirm.com NSEC record for CC "A" record for NSEC record for WWW How's this help? Well, let's do a few queries:

37 "A" record for BT1.bigfirm.com NSEC record for BT1 "A" record for CC.bigfirm.com NSEC record for CC "A" record for NSEC record for WWW

38 "A" record for BT1.bigfirm.com NSEC record for BT1 "A" record for CC.bigfirm.com NSEC record for CC "A" record for NSEC record for WWW

39 "A" record for BT1.bigfirm.com NSEC record for BT1 "A" record for CC.bigfirm.com NSEC record for CC "A" record for NSEC record for WWW

40 "A" record for BT1.bigfirm.com NSEC record for BT1 "A" record for CC.bigfirm.com NSEC record for CC "A" record for NSEC record for WWW

41

42

43

44

45

What you need to do to enjoy DNSSEC's protection 46

47

48

49

50

51

52 root org se com apple acme bigfirm Trust anchors or "secure entry points" at.org,.se and bigfirm.com

53

54

55

56

57

Creating a DNSSEC-aware infrastructure (and including some specifics on signing your own zone for reference's sake) 58

59

60

61

62

63

64

66

67

68

69

70

71 In "Local Computer" under "MS-DNSSEC"

72

73

74

75

76

77

78

79

80

Use the 256 or 257 to see whether to check "Zone Signing Key" or "Secure Entry Point" You actually have no other options for Protocol and Algorithm 81

82

83

84

85

86

87

Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31 st You can also register at the North America 2011 kiosk located at registration Join us in Atlanta next year