Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

Published byPriscila Bramlett Modified over 9 years ago

Similar presentations

Presentation on theme: "DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely."— Presentation transcript:

1 DNS Security Overview AROC Guatemala July 2010

2 What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely insecure… Only we didn’t know this. A couple of DNS experts had foreseen potential problems, so their software already had defenses against this security flaw - djbdns and PowerDNS. The flaw is formally known as DNS Cache Poisoning, but is now referred to as “The Kaminsky Bug.”

3 Dan Kaminsky’s Bug Dan Kaminsky In March of 2008 was said to have mumbled the words, “Oh sh_t, I just broke the Internet.” The only problem was – he had. http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html http://en.wikipedia.org/wiki/DNS_cache_poisoning http://www.wired.com/techbiz/people/magazine/16-12/ff_kaminsky?currentPage=1

4 An Emergency Meeting was Held… …in building Nine on the Microsoft campus at 10 am on March 31. Paul Vixie, an original author of BIND and president of the Internet Systems Consortium (isc.org) arranged the meeting and the attendees. Kaminsky presented and gave those present until August 6 to find a solution to the Cache Poisoning problem he had found. Secrecy around the issue was maintained until July 21 when a “security expert” leaked the flaw. The temporary solution is known as “source port randomization”. The permanent solution is known as DNSSEC.

5 DNS Cache Poisoning Conceptually quite simple: 1.Create a fake authoritative name server for an entire zone. 2.From attack machine ask a local DNS cache server for the IP address of a site in that zone not already in the cache. 3.Caching serving goes to authoritative server to ask for the site’s IP address. 4.Meanwhile attack box floods the DNS cache with fake responses for the site. Fake responses include information indicating "I don't know the answer, but you can ask over there” – i.e. authoritative information for the zone is contained. 5.If the attacking box can “guess” the query ID that the caching server is listening for on port 53, then it will accept the response, believe the new authority record and stop listening to the actual authoritative server for that zone! 6.There are, by default, 65535 potential query IDs, but with proper flooding techniques you can generally “guess” a query ID within 10 seconds on an unpatched Caching server.

6 Cache Poisoning: The Attack

7 Cache Poisoning: Post Attack

8 Source Port Randomization Rather than 65535 possible query IDs increase this number dramatically – between several hundred million and 4 billion. You can still poison the cache, but a concerted, longer-term attack is required. You must monitor your DNS boxes for this. If you have not patched your DNS software, then your DNS server can be owned in 10 seconds or less… Source port randomization does not solve the cache poisoning attack, it only puts a bandage on the issue…

9 DNS Security We need DNS Security to solve DNS Cache Poisoning attacks as well as generally: Authenticating DNS data Authenticate the denial of existence of domains. To ensure data integrity or – in “plain English” To be able to verifiably know that the reply to our DNS query is valid and has not been spoofed.

10 DNS Security Does Not… Encrypt the data Stop DDoS attacks on DNS Servers Encrypt DNS zone transfer data

11 Where is the DNS Vulnerable?

12 Implementing DNS Security As the Beatles might say, “This has been a long and winding road.” A few days ago the “.” was signed! A big deal: http://www.root-dnssec.org/ We had a celebrity in our midst… Trusted Community Representative (One of “the 14”) Crypto Officer for the US West Coast Facility http://www.root-dnssec.org/tcr/selection-2010/

13 How do we Secure DNS?

14

15

16 To secure the DNS against spoofing we start with 4 new Resource Records (RRs): DNSKEY: Public Key of RRSIG record. Used in zone signing operations. RRSIG: Resource Record set SIGnature NSEC/NSEC3: Next SECure record. Returned as verifiable evidence that the name and/or RR type does not exist. DS  See next slide… Complete list of DNS records: http://en.wikipedia.org/wiki/List_of_DNS_record_types

17 The DS Record Delegation Signer: Contains the hash of the public key used to sign the DNSKEY which itself will be used to sign the zone data. Follow DS RR's until a ”trusted” zone is reached (ideally the root). An excellent discussion of DNSSec by Geoff Houston: http://ispcolumn.isoc.org/2006-08/dnssec.html

18 RRset

19 DNSKEY Resource Record

20

21 Key Signing Key / Zone Signing Key

22 DNSSEC: RRSIG

23

24 DNSSEC: NSEC/NSEC3

25

26

27

28 DNSSEC: DS

29

30 DNSSEC: New Fields

31 What Does this Protect in the end?

32 Conclusion Next we’ll do some exercises and discuss issues. In addition – we have references to a large bibliography and a recent status update of DNSSEC deployments available linked on this classes web pages: http://localhost/trac/wiki/Agenda

Download ppt "DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely."

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
1 Aug. 3 rd, 2007Conference on Email and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.

1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Security and Information Assurance for the DNS Dan Massey USC/ISI.

Security and Information Assurance for the DNS Dan Massey USC/ISI.
1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.

1 Observations from the DNSSEC Deployment Dan Massey Colorado State University Joint work with Eric Osterweil and Lixia Zhang UCLA.
© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:

© Afilias Limitedwww.afilias.info SM Challenges of Deploying DNSSEC: Prepare your ccTLD with Secondary DNS services LACNIC Meeting May 2010 Presented by:
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.

Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #36 Dec 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

Similar presentations

Ads by Google