DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

1 (title slide, as above)

2 What is DNS?
- A replicated, hierarchical, distributed system that provides:
  - name to IP address translation
  - mail handling information
- DNS can use either UDP or TCP as transport
- DNS major components:
  - the domain name space, described by resource records (RRs) (e.g., SOA, NS, A, MX, ...)
  - name servers
  - resolvers

3 Name resolution process
[Diagram] On the local machine, a user program issues a system call to the name resolver; the resolver sends a recursive query to its primary name server and gets back the resolver's response. The primary name server consults its cache (which it refreshes) and, when needed, sends iterative queries to other name servers, each of which answers either with a response or with a referral to another name server.

4 DNS standard message format
Both a DNS query and a DNS response consist of the same five sections, in this order: Header, Question, Answer, Authority, Additional.
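The five-section layout above is easiest to see by building and parsing a message. The following is an added example, not code from the presentation; it uses only the standard library, and the query/response bytes are constructed inline (the 0xC00C compression pointer in the answer refers back to the question name at offset 12, as RFC 1035 allows):

```python
"""Added example (not from the slides): build and parse messages in the
five-section wire format (header, question, answer, authority, additional).
Standard library only; the messages are constructed inline."""
import struct

def encode_name(name: str) -> bytes:
    """'www.bank.com.' -> b'\\x03www\\x04bank\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # a pointer always ends the name
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Header + one question (class IN), RD set, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(txid: int, qname: str, addr: str, ttl: int = 300) -> bytes:
    """Authoritative answer with one A record whose owner is a pointer to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR=1, AA=1
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in addr.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer

def parse_message(msg: bytes) -> dict:
    """Split a message into its sections; A-record data is rendered as a dotted quad."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
           "rcode": flags & 0xF, "question": [], "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["question"].append((name, qtype, qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            out[section].append((name, rtype, ttl, rdata))
    return out
```

Note that nothing in the header beyond the 16-bit ID ties a response to a query; that is the weakness the next slide exploits.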

5 Why is DNS security important?
- Used extensively by Internet applications!
- DNS security problems:
  - name servers can be easily spoofed and are vulnerable to many types of attacks (DoS, buffer overrun, replay, and so on)
  - resolvers can be led into trusting false information
  - security measures (e.g., ACLs) and mechanisms (e.g., credibility) make spoofing more difficult, but not impossible!
- June 1997: Eugene Kashpureff (AlterNIC founder) redirected the internic.net domain to alternic.net by getting bogus information cached on the InterNIC name server

6 DNS cache poisoning attack
[Diagram] Parties: the attacker's host, ns.evil.com (controlled by the attacker), ns.broker.com (the victim's caching name server, with its cache), any.broker.com (a client of that cache) and ns.bank.com.
1. Attacker host asks ns.broker.com: anyhost.evil.com?
2. ns.broker.com asks ns.evil.com: anyhost.evil.com?
3. ns.evil.com stores the query ID used by ns.broker.com
4. ns.evil.com answers ns.broker.com: anyhost.evil.com = A.B.C.E
5. ns.broker.com returns to the attacker: anyhost.evil.com = A.B.C.E
6. Attacker host asks ns.broker.com: www.bank.com?
7. ns.broker.com asks ns.bank.com: www.bank.com?
8. Attacker floods ns.broker.com with false responses www.bank.com = A.B.C.D, using the predicted query IDs
9. ns.broker.com caches www.bank.com = A.B.C.D
10. any.broker.com asks ns.broker.com: www.bank.com?
11. Wrong response from the cache
12. Wrong connection, to the attacker's host (A.B.C.D)
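The sequence above can be modelled without a network to see exactly which resolver property makes it work. The following is an added example, not from the presentation: a toy resolver with either sequential or random transaction IDs and an optional bailiwick check, the ID-guessing flood from the slide, and the Kashpureff-style variant in which a bogus bank.com record rides inside a legitimate evil.com answer. Names and addresses are the slide's placeholders; TTLs, retries and source-port randomisation are left out (the last one only appears in the probability helper).

```python
"""Added example (not from the slides): a toy model of the poisoning sequence above.
No network, no TTLs; the resolver keeps one outstanding query per transaction ID and
the attacker's server is simply whoever answers the evil.com query.  All names and
addresses are the slide's placeholders."""
import random

def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is at or below the zone the answering server is authoritative for."""
    return name == zone or name.endswith("." + zone)

class Resolver:
    def __init__(self, random_ids: bool = False, bailiwick_check: bool = False, seed: int = 1):
        self.cache, self.pending = {}, {}
        self.random_ids, self.bailiwick_check = random_ids, bailiwick_check
        self.next_id, self.rng = 0x1000, random.Random(seed)

    def send_query(self, qname: str) -> int:
        """Issue an outbound query and return its transaction ID (sequential or random)."""
        txid = self.rng.randrange(1 << 16) if self.random_ids else self.next_id
        self.next_id = (self.next_id + 1) & 0xFFFF
        self.pending[txid] = qname
        return txid

    def receive(self, txid: int, qname: str, records, server_zone: str) -> bool:
        """Accept a response only if it matches an outstanding query; cache what it carries."""
        if self.pending.get(txid) != qname:
            return False                              # unknown ID or question: dropped
        del self.pending[txid]                        # first matching answer wins the race
        for name, rdata in records:
            if self.bailiwick_check and not in_bailiwick(name, server_zone):
                continue                              # server has no authority for this name
            self.cache[name] = rdata
        return True

def id_guess_attack(resolver: Resolver, guesses: int = 64) -> bool:
    """Steps 1-9 of the slide: learn an ID through evil.com, then flood answers for www.bank.com."""
    leaked = resolver.send_query("anyhost.evil.com")   # ns.evil.com (the attacker) sees this ID
    resolver.receive(leaked, "anyhost.evil.com", [("anyhost.evil.com", "A.B.C.E")], "evil.com")
    real = resolver.send_query("www.bank.com")          # triggered by the attacker's second query
    for guess in range(leaked + 1, leaked + 1 + guesses):
        if resolver.receive(guess & 0xFFFF, "www.bank.com", [("www.bank.com", "A.B.C.D")], "bank.com"):
            break
    # the genuine answer from ns.bank.com arrives last; it is dropped if the flood already won
    resolver.receive(real, "www.bank.com", [("www.bank.com", "A.B.C.F")], "bank.com")
    return resolver.cache.get("www.bank.com") == "A.B.C.D"

def glue_attack(resolver: Resolver) -> bool:
    """Kashpureff-style: a legitimate evil.com answer smuggles in a bogus bank.com record."""
    txid = resolver.send_query("anyhost.evil.com")
    resolver.receive(txid, "anyhost.evil.com",
                     [("anyhost.evil.com", "A.B.C.E"), ("www.bank.com", "A.B.C.D")], "evil.com")
    return resolver.cache.get("www.bank.com") == "A.B.C.D"

def attack_success_rate(trials: int, **resolver_opts) -> float:
    """Fraction of independent resolvers (different seeds) poisoned by the ID-guessing flood."""
    return sum(id_guess_attack(Resolver(seed=i, **resolver_opts)) for i in range(trials)) / trials

def blind_guess_probability(guesses: int, id_bits: int = 16, source_ports: int = 1) -> float:
    """Chance that a flood of `guesses` forged answers hits the right ID (and source port)."""
    return min(1.0, guesses / ((1 << id_bits) * source_ports))
```

With sequential IDs the flood succeeds every time; with random IDs a 64-packet flood succeeds about 64/65536 of the time, and randomising the source port as well divides that by the number of usable ports. The bailiwick check stops the second variant outright, because ns.evil.com is never believed about bank.com names regardless of IDs.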

7 DNSSEC definition
- DNS security extensions (RFC 2535 - 2537) add three RR types:
  - SIG: stores digital signatures (asymmetric keys)
  - KEY: stores public keys
  - NXT: authenticates the non-existence of names, or of RR types at a name, in a domain
- DNSSEC deals with RR sets (same label, type and class, different data), not individual RRs!
- DNSSEC intends to provide:
  - data origin authentication and data integrity
  - key distribution
  - on a smaller scale, transaction and request authentication

8 DNSSEC characteristics (1)
- KEY RR specifies:
  - the type of key (zone, host, user)
  - the protocol (DNSSEC, IPSEC, TLS, etc.)
  - the algorithm (RSA/MD5, DSA, etc.)
- SIG RR specifies:
  - the RR type covered (SOA, A, NS, MX, etc.)
  - the algorithm (RSA/MD5, DSA, etc.)
  - the inception and expiration times
  - the signer's key footprint

9 DNSSEC characteristics (2)
- NXT RR specifies:
  - the next name in the zone (in canonical order)
  - all the RR types present at the current name
- The private key is kept off-line and is used to sign the RR sets of the zone file
- The public key is published in the KEY RR
- The public key of a zone is signed with the parent zone's private key
- The parent zone's signature on the zone's public key is added to the zone file

10 DNS and DNSSEC zone files
Plain DNS zone file:
  foo.com.    SOA ...
  foo.com.    NS ...
  a.foo.com.  A ...
  d.foo.com.  A ...
The same zone, signed (every RR set gets a SIG, every name an NXT):
  foo.com.    SOA ...
  foo.com.    SIG SOA ...
  foo.com.    SIG AXFR ...
  foo.com.    NS ...
  foo.com.    SIG NS ...
  foo.com.    KEY ...
  foo.com.    SIG KEY ...
  foo.com.    NXT a.foo.com. SOA AXFR NS KEY SIG
  foo.com.    SIG NXT ...
  a.foo.com.  A ...
  a.foo.com.  SIG A ...
  a.foo.com.  NXT d.foo.com. A SIG
  a.foo.com.  SIG NXT ...
  d.foo.com.  A ...
  d.foo.com.  SIG A ...
  d.foo.com.  NXT foo.com. A SIG
  d.foo.com.  SIG NXT ...
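The NXT chain in the signed zone above is what lets a verifier prove a negative answer. The following is an added example, not from the presentation: it builds the chain for the slide's foo.com. zone in canonical order (labels compared right to left) and answers "does this name or type exist?" from the chain alone. The zone data is constructed from the slide; SIG records and the SIG AXFR zone-wide signature are not modelled, and the example also sets the NXT bit in each type list (an NXT RR is itself present at every name in a signed zone), which the slide omits.

```python
"""Added example (not from the slides): build the NXT chain for the zone shown
above and use it to prove that a name or type does not exist.  Constructed zone
data; the SIG records and the SIG AXFR zone signature are left out, only the NXT
logic is shown."""

def canonical_key(name: str) -> tuple:
    """RFC 2535 canonical order: labels compared right to left, case-insensitively."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def build_nxt_chain(zone: dict) -> dict:
    """zone: {owner: set of types} -> {owner: (next owner, sorted type list)}.
    The last name points back to the apex so the chain wraps around."""
    names = sorted(zone, key=canonical_key)
    chain = {}
    for i, owner in enumerate(names):
        next_owner = names[(i + 1) % len(names)]
        # the NXT RR and its SIG exist at every name of a signed zone, so list them too
        chain[owner] = (next_owner, sorted(zone[owner] | {"NXT", "SIG"}))
    return chain

def covers(owner: str, next_owner: str, name: str) -> bool:
    """True if name sorts strictly between owner and next_owner (wrapping at the zone end)."""
    o, n, q = canonical_key(owner), canonical_key(next_owner), canonical_key(name)
    if o < n:
        return o < q < n
    return q > o or q < n        # last record: everything after the last name or before the apex

def prove(chain: dict, name: str, rtype: str) -> tuple:
    """Return ('exists'|'no such type'|'no such name'|'out of zone', NXT owner that proves it)."""
    name = name if name.endswith(".") else name + "."
    apex = min(chain, key=canonical_key)
    if canonical_key(name)[:len(canonical_key(apex))] != canonical_key(apex):
        return "out of zone", None            # this zone's NXT records say nothing about it
    if name in chain:
        return ("exists" if rtype in chain[name][1] else "no such type"), name
    for owner, (next_owner, _) in chain.items():
        if covers(owner, next_owner, name):
            return "no such name", owner      # the NXT at `owner` (plus its SIG) is the proof
    return "out of zone", None                # unreachable for a well-formed chain

# The zone from the slide (constructed): apex records plus two hosts.
ZONE = {"foo.com.": {"SOA", "NS", "KEY"}, "a.foo.com.": {"A"}, "d.foo.com.": {"A"}}
```

A verifier that receives the NXT at a.foo.com. (pointing to d.foo.com.) together with its SIG has a signed statement that nothing exists between those two names, so b.foo.com. is proven absent without the server having to sign anything on the fly with the off-line private key.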

11 DNSSEC chain of trust
[Diagram of the DNS tree: root, com., it., foo.com., polito.it.] The local name server asks the foo.com. name server for host.foo.com. and receives the A RR (131.195.21.25) together with its SIG and the foo.com. KEY. To check that key it asks for the KEY of com. and receives the KEY and SIG RRs of com., signed by the root. The public key of the root domain is pre-trusted by all the name servers!
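The walk on the slide is just repeated signature checks, each one using a key that the previous check vouched for. The following is an added example, not from the presentation, of that walk with a toy RSA standing in for RSA/MD5 or DSA: fixed Mersenne primes and unpadded textbook signing over a SHA-256 hash, which is insecure and for illustration only. The zone names, the record store, the text encoding of KEY data and the ZONES list are all constructed; real SIG records cover more fields (type covered, labels, TTL, validity times, key tag, signer's name).

```python
"""Added example (not from the slides): the chain-of-trust walk with a toy RSA.
Keys use fixed Mersenne primes and textbook (unpadded) signing over a SHA-256 hash:
insecure, for illustration only; RFC 2535 uses RSA/MD5 or DSA with proper SIG RDATA.
Zone names, key sizes and the record store are constructed."""
import hashlib

E = 65537

def toy_key(p: int, q: int):
    """Return ((n, e), (n, d)) for the primes p, q (toy sizes, never do this for real)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def rrset_digest(owner: str, rtype: str, rdata: list, n: int) -> int:
    """Hash the RRset as a whole (owner, type, sorted data), reduced into the key's modulus."""
    canon = "|".join([owner.lower(), rtype] + sorted(rdata)).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n

def sign(private, owner, rtype, rdata) -> int:
    n, d = private
    return pow(rrset_digest(owner, rtype, rdata, n), d, n)

def verify(public, owner, rtype, rdata, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == rrset_digest(owner, rtype, rdata, n)

def key_rdata(pub):          # KEY RR data: the public key as text (constructed encoding)
    return [f"{pub[0]}:{pub[1]}"]

def parse_key(rdata):
    n, e = rdata[0].split(":")
    return int(n), int(e)

def parent_zone(name: str) -> str:
    return name.split(".", 1)[1] or "."

ROOT_PUB, ROOT_PRIV = toy_key((1 << 61) - 1, (1 << 89) - 1)    # pre-trusted by every resolver
COM_PUB, COM_PRIV = toy_key((1 << 31) - 1, (1 << 107) - 1)
FOO_PUB, FOO_PRIV = toy_key((1 << 127) - 1, (1 << 19) - 1)
ZONES = [".", "com.", "foo.com."]      # zone cuts the walk knows about (constructed)

# What the name servers return: (RRset data, SIG) per (owner, type).
# Each zone's KEY is signed by the parent's private key; the A RRset by foo.com.'s key.
RECORDS = {
    ("com.", "KEY"): (key_rdata(COM_PUB), sign(ROOT_PRIV, "com.", "KEY", key_rdata(COM_PUB))),
    ("foo.com.", "KEY"): (key_rdata(FOO_PUB), sign(COM_PRIV, "foo.com.", "KEY", key_rdata(FOO_PUB))),
    ("host.foo.com.", "A"): (["131.195.21.25"], sign(FOO_PRIV, "host.foo.com.", "A", ["131.195.21.25"])),
}

def zone_of(name: str) -> str:
    """Zone whose apex is the longest suffix of name."""
    return max((z for z in ZONES if z == "." or name == z or name.endswith("." + z)), key=len)

def zone_key(records: dict, zone: str, trusted_root_pub):
    """Recursively verify KEY RRs from the pre-trusted root key down to `zone`."""
    if zone == ".":
        return trusted_root_pub
    rdata, sig = records[(zone, "KEY")]
    parent_pub = zone_key(records, parent_zone(zone), trusted_root_pub)
    if not verify(parent_pub, zone, "KEY", rdata, sig):
        raise ValueError(f"KEY of {zone} is not signed by {parent_zone(zone)}")
    return parse_key(rdata)

def resolve_secure(records: dict, name: str, rtype: str, trusted_root_pub) -> list:
    """Return the RRset data only if every signature from the root down checks out."""
    rdata, sig = records[(name, rtype)]
    zone = zone_of(name)
    signer = parent_zone(zone) if (rtype == "KEY" and name == zone) else zone
    if not verify(zone_key(records, signer, trusted_root_pub), name, rtype, rdata, sig):
        raise ValueError(f"bad SIG on {name} {rtype}")
    return rdata

def is_trusted(records: dict, name: str, rtype: str, trusted_root_pub=ROOT_PUB) -> bool:
    try:
        resolve_secure(records, name, rtype, trusted_root_pub)
        return True
    except ValueError:
        return False

def spoofed_records() -> dict:
    """An attacker's view: foo.com. re-keyed with a key the attacker holds (self-consistent below com.)."""
    evil_pub, evil_priv = toy_key((1 << 13) - 1, (1 << 17) - 1)
    forged = dict(RECORDS)
    forged[("foo.com.", "KEY")] = (key_rdata(evil_pub), sign(evil_priv, "foo.com.", "KEY", key_rdata(evil_pub)))
    forged[("host.foo.com.", "A")] = (["A.B.C.D"], sign(evil_priv, "host.foo.com.", "A", ["A.B.C.D"]))
    return forged
```

The spoofed store is internally consistent from foo.com. downward, which is exactly what a cache-poisoning attacker can produce; it fails only because com.'s key (itself vouched for by the root) never signed the attacker's foo.com. KEY. This is why the slide insists on the root key being pre-trusted: with the wrong anchor the whole walk verifies nothing.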

12 DNS transaction security
- Transaction Signature (TSIG) is another security extension, using shared secret keys; still an Internet draft!
- A lighter-weight solution for securing the communication between name servers and resolvers
- TSIG authenticates DNS queries and responses
- TKEY is a meta RR used to carry the secret key
- TSIG and TKEY are not stored in the zone files or in the cache
- PROBLEM: storage of the shared secret!
- HMAC-MD5 provides authentication and integrity checking for transactions
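What HMAC-MD5 actually covers in a TSIG exchange is worth seeing end to end. The following is an added example, not from the presentation, in the style of the TSIG specification (published as RFC 2845 in 2000): the DNS message is taken as opaque bytes, the TSIG variables (key name, class ANY, TTL 0, algorithm name, time signed, fudge, error, other data) are serialised in a fixed order instead of as a full TSIG RR, and a response MAC also covers the MAC of the request it answers. The shared secret, key name and both messages are constructed.

```python
"""Added example (not from the slides): HMAC-MD5 transaction signatures in the
style of TSIG.  Simplified: the DNS message is taken as opaque bytes and the
TSIG variables are serialised in a fixed order instead of as a full TSIG RR.
The key, key name and messages are constructed."""
import hashlib
import hmac
import struct

ALGORITHM = "hmac-md5.sig-alg.reg.int."
FUDGE = 300                                    # seconds of clock skew tolerated

def tsig_variables(keyname: str, time_signed: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG RDATA fields covered by the MAC: name, class ANY, TTL 0, algorithm, time, fudge, error, other."""
    return (keyname.lower().encode() + struct.pack("!HI", 255, 0)
            + ALGORITHM.encode() + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(secret: bytes, keyname: str, message: bytes, time_signed: int, request_mac: bytes = b"") -> bytes:
    """MAC over (MAC of the request, when signing a response) + message + TSIG variables."""
    data = request_mac + message + tsig_variables(keyname, time_signed, FUDGE)
    return hmac.new(secret, data, hashlib.md5).digest()

def tsig_verify(secret: bytes, keyname: str, message: bytes, time_signed: int,
                mac: bytes, now: int, request_mac: bytes = b"") -> tuple:
    """Return (ok, TSIG error name).  The MAC is checked first, then the time window."""
    expected = tsig_sign(secret, keyname, message, time_signed, request_mac)
    if not hmac.compare_digest(expected, mac):      # constant-time comparison
        return False, "BADSIG"
    if abs(now - time_signed) > FUDGE:
        return False, "BADTIME"
    return True, "NOERROR"

# Constructed exchange: a query for www.bank.com (ID 0x1234) and the authoritative answer.
# The secret is the weak point the slide names: it must live outside the zone file, readable
# only by the name server process, and be distinct per peer pair.
SECRET = b"constructed-shared-secret"
KEYNAME = "ns-broker-ns-bank."
QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www\x04bank\x03com\x00\x00\x01\x00\x01"
RESPONSE = (b"\x12\x34\x84\x00\x00\x01\x00\x01\x00\x00\x00\x00" + QUERY[12:]
            + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a")

def signed_exchange(now: int) -> tuple:
    """Client signs the query; server verifies it and signs the response bound to the query's MAC."""
    q_mac = tsig_sign(SECRET, KEYNAME, QUERY, now)
    ok, rcode = tsig_verify(SECRET, KEYNAME, QUERY, now, q_mac, now + 1)
    if not ok:
        return ok, rcode
    r_mac = tsig_sign(SECRET, KEYNAME, RESPONSE, now + 1, request_mac=q_mac)
    return tsig_verify(SECRET, KEYNAME, RESPONSE, now + 1, r_mac, now + 2, request_mac=q_mac)
```

Because the response MAC includes the request MAC, a forged or replayed answer cannot be paired with a different query even if its own bytes are untouched, and the fudge window bounds how long a captured signed message stays usable. None of this hides the message: TSIG, like DNSSEC, gives authentication and integrity, not confidentiality.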

13 DNS as a public key infrastructure
- DNS with these security extensions can become the first world-wide available implementation of a PKI
- The DNSSEC "chain of trust" is a certification model
- For storing certificates a new RR is added to DNS: the CERT RR, defined in RFC 2538
- CERT can store PGP, X.509 and SPKI certificates
- RFC 2538 recommends keeping certificates as small as possible; if possible, no extensions at all!

14 Remarks on DNSSEC
- In the DNS, cryptography is used for authentication and integrity, not for confidentiality
- Attention must be paid to key generation, key storage and key lifetime (RFC 2541)
- Special care is needed for the key pairs of the root and the TLDs!
- Secure resolvers must be configured with some pre-trusted public key (the root's), installed out of band
- The size of zone files grows dramatically
- More data is transferred, messages get larger (hence TCP instead of UDP), and more computation (CPU cycles) is needed
- The responsibility of the administrators increases!

15 State of the Art
- 1998: first prototype of a DNSSEC package, based on BIND v4.9.4, produced by TIS Labs (Trusted Information Systems)
- The new BIND v9 (ISC) will be a major rewrite of the underlying DNS architecture and will provide support for DNSSEC, TSIG and CERT
- RSA Co. provides the DNSsafe cryptographic library for BIND v9

16 Conclusions
- The security extensions provide:
  - protection of Internet-wide transfers:
    - the data is signed with public-key cryptography (SIG, KEY)
    - the absence of DNS data is attested (NXT)
  - protection of local DNS transfers:
    - the messages between name server and resolver are authenticated (TSIG)
    - zone transfers between primary and secondary name servers are authenticated
  - a public key infrastructure:
    - distribution of public keys for other security-aware protocols (KEY)
    - distribution of different types of certificates (CERT)
