Presentation is loading. Please wait.

Presentation is loading. Please wait.

Living on the Edge: (Re)focus DNS Efforts on the End-Points

Published byDavid Lucas Modified over 5 years ago

Similar presentations

Presentation on theme: "Living on the Edge: (Re)focus DNS Efforts on the End-Points"— Presentation transcript:

1 Living on the Edge: (Re)focus DNS Efforts on the End-Points
Benno Overeinder NLnet Labs RIPE 75, Dubai, UAE

2 Complexity at Core-Middle-Edge
moderate Authoritative . complex simple recursive resolver application ripe75.ripe.net stub Authoritative net OS Authoritative ripe e2e-ness complex e2e-ness moderate e2e-ness simple

3 From the ground-up security
… and now for something completely different

4 Customer–Web Portal Interaction
auth name servers com. acme. portal. full recursive resolver customer portal.acme.com host IP address browser web portal http server http/https IP address

5 DNS Spoofing DNS Spoofing by cache poisoning Man-in-the-middle attacks
attacker flood a DNS resolver with phony information with bogus DNS results by the law of large numbers, these attacks get a match and plant a bogus result into the cache Man-in-the-middle attacks redirect to wrong Internet sites to non-authorized server What risks? Misdirection of queries for an entire domain Response to non-existent domains MX hijacking Make a large domain (SLD or TLD) domain “disappear” from an ISP's cache – DoS Identity theft using SSL stripping attacks (banks, eGovernance) More fun stuff… A great illustrated guide

6 The “Too Many CAs” Problem
TLS clients have abundance of TAs modern web browsers have TAs any of them can issue certificate for example.com Most notable incidents are with Comodo RA (2011) and DigiNotar (2011). TLS client accepts both! credits

7 Customer–Web Portal Interaction
auth name servers com. acme. portal. full recursive resolver DNS spoofing customer portal.acme.com host IP address browser web portal too many CAs http server http/https CA pinning/HSTS? IP address

8 DNSSEC-Based Secure Customer–Web Portal Interaction
auth name servers DNSSEC com. acme. portal. full recursive resolver DNS spoofing customer portal.acme.com host IP address browser web portal DANE too many CAs http server http/https IP address

9 Resolver Hijack?! DNSSEC DANE web portal host
ARP, DHCP or routing tricks auth name servers DNSSEC com. acme. portal. portal.acme.com full recursive resolver DNS spoofing host browser web portal DANE too many CAs http server IP address http/https

10 Countering Resolver Hijack
DNSSEC on the stub DNS-over-TLS

11 Countering Resolver Hijack (cont’d)
DNS-over-TLS DNS-over-TLS TLS hijack of DNS-over-TLS Bootstrap the TLSA lookup with regular DNS? Chicken and egg problem.

12 DNSSEC Data Blob-over-TLS
TLSA record + the complete DNSSEC authentication chain embedded in a TLS extension TLS DNSSEC authentication to prevent “Too many CA’s” problem

13 DNS Privacy and Standards
DNS privacy requirements Capability Standard DNS-over-TLS RFC7858 Reuse/pipelining/OOOP RFC7766 TCP fast open RFC7413 ENDS0 keep alive RFC7828 ENDS0 padding RFC7830 PKIX support for authentication (various) DNSSEC support (for address lookup and authentication)

14 DNSSEC Roadblocks Consequences of living on the edge

15 DNSSEC Roadblocks Resolving DNSSEC (to cross the first mile) needs DNSSEC aware recursive resolver

16 DNSSEC Roadblock Avoidance
DNSSEC roadblock avoidance + full recursion capability

17 DNSSEC Roadblock Avoidance
DNSSEC roadblock avoidance + full recursion capability DNSSEC authentication chain extension

18 DNSSEC with DNS64 & NAT64 Jen Linkova’s “Let’s talk about IPv6 DNS64 & DNSSEC” With IPv6 prefix discovery, stub can do DNSSEC validation of A RR itself

19 DNSSEC with DNS64 & NAT64 IPv6 address synthesis prefix discovery + DNS64 capability

20 KSK Root Rollover More roadblocks ahead

21 RFC5011 for DNSSEC Validating Stubs
DNSSEC validating stub must do RFC5011 In-band RFC5011 tracking with DNSSEC auth chain TLS extension

22 KSK Root Rollover for Stub Library
A stub library for DANE runs with user’s privileges no system config bootstrap DNSSEC capabilities unbound-anchor functionality

23 DNSSEC Roadblocks and Standards
DNSSEC stubs capability requirements Capability Standard DNSSEC validation (various) DNSSEC roadblock avoidance RFC8027 IPv6 prefix discovery RFC7050 IPv6 address synthesis RFC6147 Automated trust anchor updates RFC5011 Automated initial trust anchor retrieval RFC7958

24 Living on the Edge “Final Thoughts”

25 Wrapping Up Stub resolver/library experience complex e2e-ness
at the edge of the network many kinds of roadblocks/brokenness DNS-based security from the ground up bootstraps with the stub Closing the gap in the last mile with ongoing work overview of RFCs and drafts most of discussed work is implemented in getdns and its stub resolver Stubby DNSSEC Authentication Chain Extension

Download ppt "Living on the Edge: (Re)focus DNS Efforts on the End-Points"

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.

DNS-centric PKI Sean Turner Russ Housley Tim Polk.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.

Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
What DNS is Not 0 Kylie Brown, Jordan Eberst, Danielle Franz Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros 0 Paul Vixie. 2009.

What DNS is Not 0 Kylie Brown, Jordan Eberst, Danielle Franz Drew Hanson, Dennis Kilgore, Charles Newton, Lindsay Romano, Lisa Soros 0 Paul Vixie
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Rev 1.012010-06-03. Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.

Rev Mats Dufberg TeliaSonera, Sweden Resolving DNSsec.
Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman
TODAY & TOMORROW DAY 2 - GROUP 5 PRESENTED BY: JAMES SPEIRS CHARLES HIGBY BRADY REDFEARN Domain Name System (DNS)

TODAY & TOMORROW DAY 2 - GROUP 5 PRESENTED BY: JAMES SPEIRS CHARLES HIGBY BRADY REDFEARN Domain Name System (DNS)
Naming March 8, 2001. 2 Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.

Naming March 8, Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.
FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.

FCC CSRIC III Working Group 5 DNSSEC Implementation Practices Steve Crocker CEO, Shinkuro, Inc. March 6, 2013 Working Group 5: DNSSEC.

Similar presentations

Ads by Google