Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to 131.179.192.144 DNS.

Published byJordan Peters Modified over 6 years ago

Similar presentations

Presentation on theme: "DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to 131.179.192.144 DNS."— Presentation transcript:

1 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS also provides other similar services It wasn’t designed with security in mind

2 DNS Threats Threats to name lookup secrecy
Definition of DNS system says this data isn’t secret Threats to DNS information integrity Very important, since everything trusts that this translation is correct Threats to DNS availability Potential to disrupt Internet service

3 What Could Really Go Wrong?
DNS lookups could be faked Meaning packets go to the wrong place The DNS service could be subject to a DoS attack Or could be used to amplify one Attackers could “bug” a DNS server to learn what users are looking up

4 Where Does the Threat Occur?
Unlike routing, threat can occur in several places At DNS servers But also at DNS clients Which is almost everyone Core problem is that DNS responses aren’t authenticated

5 The DNS Lookup Process lookup thesiger.cs.ucla.edu answer ping thesiger.cs.ucla.edu If the answer is wrong, in standard DNS the client is screwed Should result in a ping packet being sent to

6 How Did the DNS Server Perform the Lookup?
Leaving aside details, it has a table of translations between names and addresses It looked up thesiger.cs.ucla.edu in the table And replied with whatever the address was

7 Where Did That Table Come From?
Ultimately, the table entries are created by those owning the domains On a good day . . . And stored at servers that are authoritative for that domain In this case, the UCLA Computer Science Department DNS server ultimately stored it Other servers use a hierarchical lookup method to find the translation when needed

8 Doing Hierarchical Translation
DNS root server Where’s edu? lookup thesiger.cs.ucla.edu edu root server Where’s ucla.edu? Where’s cs.ucla.edu? Where’s thesiger.cs.ucla.edu? ucla.edu root server cs.ucla.edu root server

9 Where Can This Go Wrong? Someone can spoof the answer from a DNS server Relatively easy, since UDP is used One of the DNS servers can lie Someone can corrupt the database of one of the DNS servers

10 lookup thesiger.cs.ucla.edu
The Spoofing Problem lookup thesiger.cs.ucla.edu answer Unfortunately, most DNS stub resolvers will take the first answer answer

11 lookup thesiger.cs.ucla.edu
DNS Servers Lying answer lookup thesiger.cs.ucla.edu . . . thesiger.cs.ucla.edu That wasn’t very nice of him!

12 DNS Database Corruption
answer lookup thesiger.cs.ucla.edu . . . thesiger.cs.ucla.edu

13 The DNSSEC Solution Sign the translations Who does the signing?
The server doing the response? Or the server that “owns” the namespace in question? DNSSEC uses the latter solution

14 Implications of the DNSSEC Solution
DNS databases must store signatures of resource records There must be a way of checking the signatures The protocol must allow signatures to be returned

15 Checking the Signature
Basically, use certificates to validate public keys for namespaces Who signs the certificates? The entity controlling the higher level namespace This implies a hierarchical solution

16 The DNSSEC Signing Hierarchy
In principle, ICANN signs for itself and for top level domains (TLDs) Like .com, .edu, country codes, etc. Each TLD signs for domains under it Those domains sign for domains below them And so on down

17 An Example Who signs the translation for thesiger.cs.ucla.edu to ? The UCLA CS DNS server How does someone know that’s the right server to sign? Because the UCLA server says so Securely, with signatures The edu server verifies the UCLA server’s signature Ultimately, hierarchical signatures leading up to ICANN’s attestation of who controls the edu namespace Where do you keep that information? In DNS databases

18 Using DNSSEC To be really secure, you must check signatures yourself
Next best is to have a really trusted authority check the signatures And to have secure, authenticated communications between trusted authority and you

19 A Major Issue When you look up something like cs.ucla.edu, you get back a signed record What if you look up a name that doesn’t exist? How can you get a signed record for every possible non-existent name?

20 The DNSSEC Solution Names are alphabetically orderable
Between any two names that exist, there are a bunch of names that don’t Sign the whole range of non-existent names If someone looks one up, give them the range signature

21 For Example, > host last.cs.ucla.edu
lasr.cs.ucla.edu You get authoritative information that the name isn’t assigned lbsr.cs.ucla.edu – pd.cs.ucla.edu NOT ASSIGNED pelican.cs.ucla.edu toucan.cs.ucla.edu pelican.cs.ucla.edu toucan.cs.ucla.edu Foils spoofing attacks > host last.cs.ucla.edu

22 Status of DNSSEC Working implementations available
In use in some places Heavily promoted First by DARPA Now by DHS But not really successful That may be changing

23 Problems With DNSSEC Deployment
The DNS root hasn’t deployed DNSSEC ICANN runs this root Overall PKI based on root signing for everyone directly below ICANN reluctant to add responsibilities Particularly those giving it more control Around 4597 “islands” of DNSSEC signatures Signing for themselves and those below them In most cases, just for themselves

Download ppt "DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to 131.179.192.144 DNS."

Similar presentations

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
20101 The Application Layer Domain Name System Chapter 7.

20101 The Application Layer Domain Name System Chapter 7.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Network security BGP and DNS Worms.

Network security BGP and DNS Worms.
Issues in Internet Security. Securing the Internet How does the internet hold up security-wise? How does the internet hold up security-wise? Not well:

Issues in Internet Security. Securing the Internet How does the internet hold up security-wise? How does the internet hold up security-wise? Not well:
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.

Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.

Security Through Publicity Eric Osterweil Dan Massey Batsukh Tsendjav Beichuan Zhang Lixia Zhang.
Lecture 27 Page 1 Advanced Network Security Routing Security Advanced Network Security Peter Reiher August, 2014.

Lecture 27 Page 1 Advanced Network Security Routing Security Advanced Network Security Peter Reiher August, 2014.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Lecture 11 Page 1 CS 136, Fall 2012 Network Security, Continued CS 136 Computer Security Peter Reiher November 6, 2012.

Lecture 11 Page 1 CS 136, Fall 2012 Network Security, Continued CS 136 Computer Security Peter Reiher November 6, 2012.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Similar presentations

Ads by Google