Presentation is loading. Please wait.

Presentation is loading. Please wait.

A New Approach to DNS Security (DNSSEC)

Published byLudo Bachmeier Modified over 5 years ago

Similar presentations

Presentation on theme: "A New Approach to DNS Security (DNSSEC)"— Presentation transcript:

1 A New Approach to DNS Security (DNSSEC)
Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao

2 Outline Overview of DNS Motivation PK-DNSSEC SK-DNSSEC
Comparison with PK-DNSSEC Usage of DNSSEC

3 Outline Overview of DNS Motivation PK-DNSSEC SK-DNSSEC
Comparison with PK-DNSSEC Usage of DNSSEC

4 What is the DNS Domain Name System
Distributed ‘database’ to resolve domain names Labels translate to Resource Records Address (A) Mail hosts (MX) Text (TXT) and much more…. Resource records stored in zones Highly scalable

5 A DNS tree . root domain top level .net .com .money.net .kids.net
.os.net zone mac.os.net nt.os.net corp.money.net unix.os.net dop.kids.net marnick.kids.net

6 DNS data Example Zone file
dacht.net 7200 IN SOA ns.ripe.net. olaf.ripe.net.( ; Serial ; Refresh 12 hours ; Retry 4 hours ; Expire 4 days 7200 ; Negative cache 2 hours ) dacht.net IN NS ns.ripe.net. dacht.net IN NS ns.high5.net. pinkje.dacht.net IN A host25.dacht.net IN A Label ttl class type rdata

7 Common Resource Records
RECORD TYPE DESCRIPTION USAGE A An address record Maps FQDN into an IP address PTR A pointer record Maps an IP address into FQDN NS A name server record Denotes a name server for a zone SOA A Start of Authority record Specifies many attributes concerning the zone, such as the name of the domain (forward or inverse), administrative contact, the serial number of the zone, refresh interval, retry interval, etc. CNAME A canonical name record Defines an alias name and maps it to the absolute (canonical) name MX A Mail Exchanger record Used to redirect for a given domain or host to another host

8 DNS resolving Question: www.cnn.com . resolver stub resolver .com
A ? dns.cs.umass.edu lab.cs.umass.edu resolver ask .com server the ip address of .com server stub resolver A ? xxx.xxx.xxx.xxx A ? .com ask cnn.com server the ip address of cnn.com server add to cache A ? xxx.xxx.xxx.xxx cnn.com

9 DNS Data flow Zone file master resolver slaves Dynamic updates
Zone administrator Zone file master resolver slaves Dynamic updates stub resolver

10 Outline Overview of DNS Motivation PK-DNSSEC SK-DNSSEC
Comparison with PK-DNSSEC Usage of DNSSEC

11 DNS Vulnerabilities master resolver Zone file Dynamic updates slaves
Cache impersonation Corrupting data Impersonating master Zone administrator master resolver Zone file Dynamic updates slaves stub resolver Cache pollution by Data spoofing Unauthorized updates Data Protection Server Protection

12 Why DNSSEC DNSSEC protects against data spoofing and corruption
DNSSEC also provides mechanisms to authenticate servers and requests DNSSEC provides mechanisms to establish authenticity and integrity

13 Outline Overview of DNS Motivation PK-DNSSEC SK-DNSSEC
Comparison with PK-DNSSEC Usage of DNSSEC

14 PK-DNSSEC (Public Key)
The DNS servers sign (digitally encrypt)the hash of resource record set with its private keys Resouce record set: The set of resource records of the same type. Public KEYs can be used to verify the SIGs The authenticity of public KEYs is established by a SIGnature over the keys with the parent’s private key In the ideal case, only one public KEY needs to be distributed off-band (the root’s public KEY)

15 DNSSEC new RRs 2 Public key related RRs
SIG signature over RRset made using private key KEY public key, needed for verifying a SIG over a RRset, signed by the parent’s private key One RR for internal consistency (authenticated denial of data) NXT RR to indicate which RRset is the next one in the zone For non DNSSEC public keys: CERT RFC 2535 discusses these RRs in detail. CERT RR is outside the scope of this course.

16 SIG RRs Cover each resource record set with a public-key signature which is stored as a resource record called SIG RR SIG RRs are computed for every RRset in a zone file and stored Add the corresponding pre-calculated signature for each RRset in answers to queries Must include the entire RRset in an answer, otherwise the resolver could not verify the signature

17 SIG(0) Use public-key signature to sign the whole message each time the server responses the queries Provide integrity protection and authentication of the whole message Can be scaled to provide authentication of query requests Not be practical to use on a large scale environment

18 Compare SIG RRs with SIG(0)
More computation on DNS server caused by SIG(0) More network traffic caused by SIG RRs More storage need by SIG RRs

19 Verifying the tree Question: www.cnn.com . (root) stub resolver
A ? dns.cs.umass.edu lab.cs.umass.edu resolver ask .com server SIG(the ip address and PK of .com server) by its private key stub resolver A ? xxx.xxx.xxx.xxx A ? .com transaction signatures ask cnn.com server SIG(the ip address and PK of cnn.com server) by its private key add to cache slave servers A ? SIG(xxx.xxx.xxx.xxx) by its private key transaction signatures cnn.com

20 Verifying Verify a SIG over data using the public KEY
DNS data is signed with the private key Verify the SIG with the KEY mentioned in the SIG record The key can be found in the DNS or can be locally configured

21 Outline Overview of DNS Motivation PK-DNSSEC SK-DNSSEC
Comparison with PK-DNSSEC Usage of DNSSEC

22 SK-DNSSEC (Symmetric Certificates)
The usage of symmetric ciphers through AES or Blowfish in CBC mode. The usage of symmetric signatures via MAC functions. Combine encryption techniques with MAC functions as Ek(m, MACl(m)). Each message contains a nonce to avoid replay attack. A nonce is pair of a random number and a timestamp.

23 SK-DNSSEC (cont.) Given the DNS tree of domains, each node shares a key with its parent, called master key The root domain has an asymmetric key pair(public and private key) as well as its own master key that is not shared with any others The resolvers must have an authentic copy of root’s public key

24 Notation

25 DNS Root Certificate

26 DNS Request to Root Info(Pxy) has to minimally contain the identity strings Ix and Iy. Inception and expiration dates, details about the encryption and authentication algorithms employed, certificate and key unique identifiers, and the identity of the creator of the certificate

27 DNS Request to Intermediate Server

28 DNS Request to Authoritative Server

29 For mutual authentication
For any 0  i  n

30 The problem of PK and SK DNSSEC
In SK-DNSSEC, the root servers need to decrypt the message encrypted by the public key In PK-DNSSEC, the potential increase of network traffic due to larger DNS messages In PK-DNSSEC, the high cost of verifying the public-key digital signatures at the resolvers side

31 Hybrid Approach The root servers use PK-DNSSEC
The top-level domains use SK-DNSSEC

32 Outline Overview of DNS Motivation PK-DNSSEC SK-DNSSEC
Comparison with PK-DNSSEC Usage of DNSSEC

33 Efficiency PK-DNSSEC with SIG RR. For each RRset in the answer, a pre-calculated SIG RR is included PK-DNSSEC with SIG(0). DNS messages do not contain SIG RRs, but are rather signed as a whole by SIG(0)-type signature. SK-DNSSEC. DNS messages are secured by symmetric signatures and encryption.

34 Performance (800M HZ)

35 Performance (cont.)

36 Network Traffic

37 Storage

38 Outline Overview of DNS Motivation PK-DNSSEC SK-DNSSEC
Comparison with PK-DNSSEC Usage of DNSSEC

39 Public-key Distribution System
Global real time availability Easy access to DNS Scalability Hierarchical organization Globally unique names Globally unique host name Cryptographic binding of name and key KEY RR binds DNS names with keys

40 Q&A Thank You!

Download ppt "A New Approach to DNS Security (DNSSEC)"

Similar presentations

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.

A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
Domain Name System (DNS) Network Information Center (NIC) : HOSTS.TXT.

Domain Name System (DNS) Network Information Center (NIC) : HOSTS.TXT.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
Reverse DNS. Overview Principles Creating reverse zones Setting up nameservers Reverse delegation procedures.

Reverse DNS. Overview Principles Creating reverse zones Setting up nameservers Reverse delegation procedures.
Domain Name Services Oakton Community College CIS 238.

Domain Name Services Oakton Community College CIS 238.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Domain Names System The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the.

Domain Names System The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Domain Name System HISTORY File hosts (the size of Internet became more than 1000.

Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Domain Name System HISTORY File hosts (the size of Internet became more than 1000.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.

Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.
Chapter 16 – The Domain Name System (DNS) Presented by Shari Holstege Tuesday, June 18, 2002.

Chapter 16 – The Domain Name System (DNS) Presented by Shari Holstege Tuesday, June 18, 2002.

Similar presentations

Ads by Google