Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin

Published bySteven Jackson Modified over 6 years ago

Similar presentations

Presentation on theme: "DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin"— Presentation transcript:

1 DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin
and © 8 Feb 2006 Stichting NLnet Labs

2 DNSSEC evangineers of the day
Allison: Independent consultant Member of the Internet2 Tech. Advisory Comm. IETF Transport Area Director Member of ICANN’s SSAC Olaf: NLnet Labs ( DNS and DNSSEC research Protocol and software development (such as NSD, a lean and mean authoritative nameserver) Co-Chair of the IETF DNSEXT working group (Shinkuro is acknowledged for sponsoring our trip)

3 Why DNSSEC Good security is multi-layered
Multiple defense rings in physical secured systems

4 Bourtange, source Wikipedia

5 Why DNSSEC Good security is multi-layered DNS infrastructure
Multiple defense rings in physical secured systems Multiple ‘layers’ in the networking world DNS infrastructure Providing DNSSEC to raise the barrier for DNS based attacks Provides a security ‘ring’ around many systems and applications

6 The Problem DNS data published by the registry is being replaced on its path between the “server” and the “client”. This can happen in multiple places in the DNS architecture Some places are more vulnerable to attacks then others Vulnerabilities in DNS software make attacks easier (and there will always be software vulnerabilities)

7 Solution a Metaphor Compare DNSSEC to a sealed transparent envelope.
The seal is applied by whoever closes the envelope Anybody can read the message The seal is applied to the envelope, not to the message

8 DNS Architecture edu as ‘friend’ edu institution as ISP
Registrars/ Registrants edu as ‘friend’ secondary edu institution as ISP Cache server edu as DNS provider Registry DB primary client secondary Provisioning DNS Protocol

9 DNS Architecture Provisioning DNS Protocol Registrars Registrants
Server compromise Inter-server communication Cache Poisoning Registry DB Provisioning DNS Protocol

10 DNSSEC protection Provisioning DNS Protocol ‘envelope sealed’
Registrars Registrants ‘envelope sealed’ ‘Seal checked’ Registry DB Provisioning DNS Protocol ‘Seal checked’

11 Example: Unauthorized mail scanning
Subject: tenure Astrophysics Mail Server Central Admin Mail Server Where? There! DNS

12 Example: Unauthorized mail scanning
Subject: tenure Astrophysics Mail Server Central Admin Mail Server Where? Elsewhere DNS Bad Guy

13 Where Does DNSSEC Come In?
DNSSEC secures the name to address mapping Tranport and Application security are just other layers.

14 DNSSEC secondary benefits
DNSSEC provides an “independent” trust path The person administering “https” is most probably a different from person from the one that does “DNSSEC” The chains of trust are most probably different See acmqueue.org article: “Is Hierarchical Public-Key Certification the Next Target for Hackers?”

15 More benefits? With reasonable confidence perform opportunistic key exchanges SSHFP and IPSECKEY Resource Records With DNSSEC one could use the DNS for a priori negotiation of security requirements. “You can only access this service over a secure channel”

16 DNSSEC properties DNSSEC provides message authentication and integrity verification through cryptographic signatures Authentic DNS source No modifications between signing and validation It does not provide authorization It does not provide confidentiality

17 DNSSEC deployment practicalities
RIPE NCC deployed DNSSEC on the reverse tree 202.in-addr.arpa etc are now signed and you can get secure delegations We followed the architecture to plan the changes to our system You may want to follow the same steps when planning for local DNSSEC deployment

18 DNSSEC Architecture modifications
Zone signer DNS and input checks Provisioning DB Zone Creation Primary DNS DNSSEC aware servers Secondary DNS DNSSEC aware provisioning Customer interfaces

19 Server Infrastructure
Part of keeping up to date Your most recent version of BIND and NSD run DNSSEC Memory might be an issue Predictable (see RIPE352) Coordination with secondaries

20 Provisioning Realize that interaction with child is not drastically different. DS and NS have the same security properties You may need to respond a bit different to ‘child’ emergency cases Thinking “security” will make you notice “security”

21 Key Mastering and Signing
Key management and signing needs to be reliable Failure will lead to loss of service Cost factors: Automation and Education

22 How about the ‘client’ side
Set up your caching nameserver to perform validation and the infrastructure behind it is protected DNSSEC has not yet been pushed to the host or application Costs are in maintaining trust anchors There is no standard to automate against.

23 What’s keeping folk New technology; chicken and egg
Zone walking possibility Is this really an issue in your environment? Solutions are being engineered Automated key rollover and distribution

24 Why would you be a(n) (early) player
Keeping the commons clean EDU and international research nets are important parts of the commons Significant ‘hot spots’ of delegation EDU networks have ‘interesting’ properties for the black hats.

25 Early players Demonstrate the ability to self-regulate Lead by example
Before the guys up the hill force it down your throat Before a bad thing happens and you are woken up at 2 am Lead by example Break the egg

26 What you can do Deploy in your own domain
contains a myriad of information resources. Ask your registry and your registrar? Educause, ARIN, Verisign, CC-TLD registries, .gov etc. Ask your OS and network equipment and application vendors Microsoft, Cisco, Firewalls vendors, etc

27 This Week Get involved in an Internet2 pilot Get to our workshop
Charles Yun, Internet2 Security Program Director, organizing now Talk to him this week Get to our workshop Talk to your colleagues for bilateral pilots Talk to us.

28 Next Week Buy now... get one free
Deploying locally provides immediate security benefits Sign your own zone and configure your keys Buy now... get one free

29

30

31

32

33 Mitigate by Deploying SSL?
Claim: SSL is not the magic bullet (Neither is DNSSEC) Problem: Users are offered a choice Far too often Users are annoyed Implementation and use make SSL vulnerable Not the technology

34 Confused?

Download ppt "DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin"

Similar presentations

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.

Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.

Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
Security for the Internet’s Domain Name System DNSSEC Current State of Deployment Prepared for Internet2 BoF Amy Friedlander, Shinkuro, Inc. Based on a.

Security for the Internet’s Domain Name System DNSSEC Current State of Deployment Prepared for Internet2 BoF Amy Friedlander, Shinkuro, Inc. Based on a.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman

ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman
1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker

1 DNSSEC Deployment: Big Steps Forward; Several Steps to Go NANOG 32 Deployment D N S S E C Rob Austein Steve Crocker
DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.

DNSSEC-Deployment.org Secure Naming Infrastructure Pilot (SNIP) A.gov Community Pilot for DNSSEC Deployment JointTechs Workshop July 18, 2007 Scott Rose.
1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Similar presentations

Ads by Google