Presentation is loading. Please wait.

Presentation is loading. Please wait.

DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNSSEC 101 Kevin Miller.

Published byEmily Floyd Modified over 8 years ago

Similar presentations

Presentation on theme: "DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNSSEC 101 Kevin Miller."— Presentation transcript:

1 DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNSSEC 101 Kevin Miller

2 DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNS Underpins Everything Email Web Enterprise Systems VoIP IM CMS

3 DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNS Underpins Everything Email Web Enterprise Systems VoIP IM CMS Inbound Email Volume Received Email Spam, virus filtering using DNS Received Email Spam, virus filtering using DNS 10+ DNS Queries Per Message 10+ DNS Queries Per Message

4 DUKE UNIVERSITY WWW.OIT.DUKE.EDU Risks from DNS Attacks Impersonate your web site Redirect your phone calls Man-in-the-middle (password theft) Reroute or block your email Disrupt your network, application services Attack vectors for malware (data theft) Denial of service Diagram source: Internet Storm Center

5 DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNS Attack: Cache Poisoning Where is website.com? Answer: 67.11.23.9 Also, www.bank.com – 12.1.2.3 Answer: 67.11.23.9 Also, www.bank.com – 12.1.2.3

6 DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNS Attack: Forgery Where is educause.edu? Answer: 198.59.61.65 Answer: 12.1.2.3

7 DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNS Attack: Indirection Where is educause.edu? Answer: 12.1.2.3

8 DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNS Attack: Amplification 60 byte request 4000 byte response 4000 byte response

9 DUKE UNIVERSITY WWW.OIT.DUKE.EDU Software Defects Buffer overflow Other vectors Buffer overflow Other vectors

10 DUKE UNIVERSITY WWW.OIT.DUKE.EDU Risk Reduction To Date Improving weaknesses in DNS software – Patching software defects – Limiting cache poisoning opportunities Improve operational best practices – Restrict access to DNS recursers – Install anti-IP spoofing filters Improve host security – Anti-virus, anti-malware defenses Photo source: BCP38

11 DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNSSEC Cryptographically sign DNS records – Also the absence of records Maintains DNS architecture – Hierarchical, distributed signatures Significant risk reduction, if used widely – Protects you (www.school.edu) – Protects your users (www.bank.com)www.bank.com

12 DUKE UNIVERSITY WWW.OIT.DUKE.EDU What Can Be Done Now? Discover local implications – How do you manage DNS? What tools are used? – What impact would DNSSEC have? – Do your vendors support it? – Can you servers handle DNSSEC overhead? Begin building expertise, experience – Sign a test zone – Deploy a test DNSSEC recurser Deployment – Sign your zones – Utilize DNSSEC-enabled recurser with DLV

13 DUKE UNIVERSITY WWW.OIT.DUKE.EDU Additional Resources http://www.dnssec.net http://www.bind9.net http://www.dnsreport.com http://www.dnssec-deployment.org/ http://www.uoregon.edu/~joe/port53wars/port 53wars.pdf http://www.uoregon.edu/~joe/port53wars/port 53wars.pdf http://www.nanog.org/mtg-0606/damas.html

Download ppt "DUKE UNIVERSITY WWW.OIT.DUKE.EDU DNSSEC 101 Kevin Miller."

Similar presentations

Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.

Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Phishing (pronounced “fishing”) is the process of sending e-mail messages to lure Internet users into revealing personal information such as credit card.

Phishing (pronounced “fishing”) is the process of sending messages to lure Internet users into revealing personal information such as credit card.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Design Aspects. User Type the URL address on the cell phone or web browser Not required to login.

Design Aspects. User Type the URL address on the cell phone or web browser Not required to login.
Copyright 2011 Trend Micro Inc. Trend Micro Web Security- Overview.

Copyright 2011 Trend Micro Inc. Trend Micro Web Security- Overview.
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Attacks and Malicious Code Chapter 3. Learning Objectives Explain denial-of-service (DoS) attacks Explain and discuss ping-of-death attacks Identify major.

Attacks and Malicious Code Chapter 3. Learning Objectives Explain denial-of-service (DoS) attacks Explain and discuss ping-of-death attacks Identify major.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

Similar presentations

Ads by Google