Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Security.

Published byFerdinand Walton Modified over 6 years ago

Similar presentations

Presentation on theme: "DNS Security."— Presentation transcript:

1 DNS Security

2 Fundamental Problems of Network Security
Internet was designed without security in mind Initial design focused more on how to make it work, than on how to prevent abuses Initial environment mostly consisted of research institutions---assumption on the benign behaviors of users Fundamental security problem of current network technology: Has no way of telling whether the resource is located “correctly,” or the information is transferred “correctly” Has no data authentication and confidentiality protection

3 Example Security Problems by Incorrect Resource Location
DNS poisoning BGP routing vulnerabilities ARP poisoning ARP (Address Resolution Protocol) is used to query for the MAC address associated with an IP address Any device attached physically to a subnet can claim to be the “owner” of the IP IP Spoofing Routers typically do not check source IP addresses A packet can claim to be coming from any IP address Routers have no good way to check IP addresses either

4 The Domain Name System Basic Internet Database
Maps names to IP addresses Also stores IPv6 addresses, mail servers, service locators, Enum (phone numbers), etc. Data organized as tree structure. Each zone is the authority for its local data. Root edu com uk usf cisco ibm co www Adapted from slides of Prof. Dan Massey at Colorado State University

5 Domain Name Service Provides binding between URL and IP address
Both forward and reverse mapping Divide URL space into zones; Each name server handles mapping in its zone DNS Resource Record (RR) Can be viewed as tuples of the form <name, TTL, class, type, data> types: A (IP address) MX (mail servers) NS (name servers) PTR (reverse look up)

6 DNS Protocol ISP What is the IP address of www.usf.edu? root Server
Go ask What is the IP address of ISP NS Server for edu ( ) What is the IP address of Go ask What is the IP address of ISP’s DNS Resolver NS Server for usf.edu ( )

7 Example Response from the .edu NS server Delegation of authority
;; QUESTION SECTION: ; IN A ;; AUTHORITY SECTION: usf.edu IN NS mother.usf.edu. usf.edu IN NS ziggy.usf.edu. usf.edu IN NS clemson-ns1.usf.edu. ;; ADDITIONAL SECTION: mother.usf.edu IN A ziggy.usf.edu IN A clemson-ns1.usf.edu IN A Glue records

8 DNS Security Problems A DNS resolver has no way to determine if the response of a query does come from the legitimate server It will accept a response if The port number matches the source port of the request Has the correct Transaction ID (TXID). It will accept all RR’s that are in the queried server’s bailiwick The bailiwick is the domain in which the server has authority according to the referral path

9 Classical DNS Poisoning
DoS flooding DNS queries ISP faked responses What is the IP address of What is the IP address of recursive query Recursive DNS resolver NS Server for usf.edu

10 Conditions for classical DNS poisoning attacks
Must guess right the correct source-port number Must guess right the correct TXID (16 bits) The fake response must arrive before the legitimate response If any of the above fails, the attack fails and there will be no chance to attack again until the TTL expires

11 Kaminsky Attack (2008) What is the IP address of foo.usf.edu? usf.edu NS A ISP What is the IP address of foo.usf.edu? No such url Recursive DNS resolver NS Server for usf.edu

12 Implication of Kaminsky Attack
Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning No longer needs to wait for TTL to expire The attacker can control when and what queries are issued A complete domain may be hijacked Even TLD’s are vulnerable Only needs 10 secs to succeed

13 Short-term mitigation
Increase the brute-force search space 16 bits TXID is too small and can be easily brute-forced Randomize source port number Use other entropy in DNS messages e.g. Letter cases in URL

14 Long-term Solution: DNSSEC
Use public-key signature to authenticate DNS messages Domain names already form a hierarchy Parent signs children’s public keys Resolver only needs to know the root public key to authenticate DNS messages

15 The Domain Name System Basic Internet Database
Maps names to IP addresses Also stores IPv6 addresses, mail servers, service locators, Enum (phone numbers), etc. Data organized as tree structure. Each zone is the authority for its local data. Root edu com uk usf cisco ibm co www Adapted from slides of Prof. Dan Massey at Colorado State University

16 DNSSEC Provides a “natural” PKI Keys organized as tree structure.
Maps zones to their keys Parent-zone sign child zones’ keys Keys organized as tree structure. Each zone is the authority for its local data. A zone’s key is only effective in its zone Root edu com uk usf cisco ibm co www Adapted from slides of Prof. Dan Massey at Colorado State University

17 DNS RR Review DNS Resource Record (RR)
Can be viewed as tuples of the form <name, TTL, class, type, data> types: A (IP address) MX (mail servers) NS (name servers) PTR (reverse look up) RRSIG (signature) DNSKEY(public key)

18 DNSSEC Records Introduce a new data type: RRSIG
name TTL class type value { IN A } name TTL class type covered_type { IN RRSIG A … … usf.edu. Base 64 encoding of signature} not after not before key name

19 DNSSEC Records Introduce a new data type: DNSKEY
name TTL class type value { usf.edu IN DNSKEY Base 64 encoding of public key} name TTL class type covered_type { usf.edu IN RRSIG DNSKEY … … edu. Base 64 encoding of signature} not after not before key name

20 Authenticated Non-existence
What if the usf.edu server is asked the IP address of a non-existent url (e.g. foo.usf.edu)? Can’t sign non-existence on the fly because the server does not have the private key (why?) NSEC record “The url after eng.usf.edu is health.usf.edu” Order all the url’s in a zone and sign all the NSEC records ahead of time Problem: enables zone enumeration NSEC3 addresses this concern by using hashes of zone names instead of zone names themselves

21 Key Management PKedu PKusf PKusf2 PKusf2 Sig{PKusf }PKedu PKsigning
DS Record NS for .edu Want to change PKusf to PKusf2 PKusf PKusf2 PKusf2 sign Sig{PKusf }PKedu PKsigning Do not need to notify parent if changed NS for usf.edu

22 Potential Usage of DNSSEC
If successfully deployed, DNSSEC can serve as a universal PKI Sign public keys for web sites Sign public keys for addresses

23 SSL/TLS I am Alice I am Bob, inc PKB is Bob’s public key PKB
E(PKB , s) {m}KC || MACKM(m) Alice Bob KC, KM = h(s)

24 DNS-based Authentication of Named Entities (DANE)
Use DNSSEC to sign certain statements (DANE records) The currently proposed DANE records address trust of TLS certificates TLSA DANE records Yet another type of DNS resource record (RR) Three types of statements CA Constraints Service Certificate Constraints Trust Anchor Assertion CA Constraints: The client should only accept certificates issued under a specific CA. Service Certificate Constraints: The client should only accept a specific certificate. Trust Anchor Assertion: The client should use a domain-provided trust anchor to validate certificates for that domain.

25 Advantages of DANE compared with X.509
Real delegation of power Better accountability More flexibility Better damage control Clearer semantics DANE records only means that “this domain’s owner says…”

26 Problems of DNSSEC Key revocation
If a zone’s private key is compromised, the damage continues even after the key is replaced, until the parent’s cert on the key expires Certificate revocation? All the revocation problems with digital signatures will apply Issue short-term certificates instead? Then the upper-level zones will have to be more involved in maintaining the DNSSEC structure Against the initial design principles of DNS: autonomy of individual zones

27 Deployment Status Has been on-going for a number of years
Check Root domain signed July, 2010 DNSSEC now deployed at key zones including net, com, gov, and edu. “Almost” ready to use at the resolver level

Download ppt "DNS Security."

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
CS426Fall 2010/Lecture 341 Computer Security CS 426 Lecture 34 DNS Security.

CS426Fall 2010/Lecture 341 Computer Security CS 426 Lecture 34 DNS Security.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.

CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.

October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
Chapter 17 Domain Name System

Chapter 17 Domain Name System

Similar presentations

Ads by Google