Presented by Mark Minasi. SESSION CODE: WSV333


1 Presented by Mark Minasi, help@minasi.com, www.minasi.com. SESSION CODE: WSV333


4 Why should you care?


8 (Diagram.) You ask your ISP's DNS server: "What's the IP for www.bigfirm.com?" Your ISP's DNS server: "I don't know; better ask bigfirm.com's DNS server!" (out across the Internet)

9 Your ISP's DNS server asks bigfirm.com's DNS server: "What's the IP address for www.bigfirm.com? Send it to my port 3351 and specify transaction ID (TXID) 279 when you do." bigfirm.com's DNS server replies: "Answer: 73.165.73.5", sent to port 3351, TXID 279.

10 But nothing in standard DNS stops this from happening:

11 Your ISP's DNS server asks bigfirm.com's DNS server: "What's the IP address for www.bigfirm.com? Send it to my port 3351 and specify transaction ID (TXID) 279 when you do." Before the genuine reply ("Answer: 73.165.73.5", sent to port 3351, TXID 279) arrives, an attacker delivers a forged one first: "Answer: 20.3.2.8" (sent to port 3351, TXID 279). Attacker, to the real bigfirm.com DNS server: "Sorry, pal, you lose (heh heh heh)!"

12 Your ISP's DNS server: "Got it… the IP address is 20.3.2.8." Attacker: "Bwahahahhah!!"


21 By carefully randomizing both the source port and the transaction ID, a resolver leaves attackers not a 1/65,536 chance per forged reply (a 16-bit TXID alone) but more like a 1/(65,536)² chance, roughly one in 4.3 billion… … but they've still got a chance, and PKI can eliminate that
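The race in slides 9 to 12 and the odds on this slide, as an added example that is not part of the presentation: a model of the only check a classic (pre-DNSSEC) resolver performs on a reply, namely that the destination port, TXID and question match the query it has outstanding, and a Monte Carlo estimate of how often an off-path attacker firing blind guesses wins. The port 3351, TXID 279, the names and the two IP addresses are the slide's; the attacker's packet budget and the number of trials are assumptions chosen for the demo.

```go
package main

import (
	"fmt"
	"math/rand"
)

// PendingQuery is what the resolver remembers while it waits for an answer:
// the UDP source port it sent from and the 16-bit transaction ID it chose.
type PendingQuery struct {
	SrcPort uint16
	TXID    uint16
	QName   string
}

// Response is the part of an incoming UDP reply that the resolver matches
// against its pending query; these are exactly the fields an off-path
// attacker has to guess.
type Response struct {
	DstPort uint16
	TXID    uint16
	QName   string
	Answer  string
}

// Matches is the whole "authentication" classic DNS performs on a reply:
// right port, right TXID, right question. Nothing proves who sent it.
func (q PendingQuery) Matches(r Response) bool {
	return r.DstPort == q.SrcPort && r.TXID == q.TXID && r.QName == q.QName
}

// FirstAccepted returns the first forged reply the resolver would cache;
// the genuine answer from bigfirm.com loses if a forgery lands before it.
func FirstAccepted(q PendingQuery, forged []Response) (Response, bool) {
	for _, r := range forged {
		if q.Matches(r) {
			return r, true
		}
	}
	return Response{}, false
}

// ForgeGuesses builds n forged replies carrying the attacker's address
// (slide 11's 20.3.2.8). If the resolver uses a fixed, known port only the
// TXID is guessed; otherwise the port is guessed too.
func ForgeGuesses(n int, qname string, port uint16, portKnown bool, rng *rand.Rand) []Response {
	out := make([]Response, n)
	for i := range out {
		p := port
		if !portKnown {
			p = uint16(rng.Intn(65536))
		}
		out[i] = Response{DstPort: p, TXID: uint16(rng.Intn(65536)), QName: qname, Answer: "20.3.2.8"}
	}
	return out
}

// SearchSpace is the number of (port, TXID) combinations a forged packet
// must hit: 65,536 for TXID alone, 65,536^2 once the port is random too.
func SearchSpace(portRandomized bool) uint64 {
	if portRandomized {
		return 65536 * 65536
	}
	return 65536
}

// NewRNG gives a seeded generator so runs are repeatable.
func NewRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// EstimateSuccess runs `trials` independent queries; in each the attacker
// sends `guesses` forged replies. Returns the fraction of queries poisoned.
// Assumed model: the attacker has learned a fixed-port resolver's port (3351).
func EstimateSuccess(trials, guesses int, portRandomized bool, rng *rand.Rand) float64 {
	hits := 0
	for t := 0; t < trials; t++ {
		q := PendingQuery{SrcPort: 3351, TXID: uint16(rng.Intn(65536)), QName: "www.bigfirm.com"}
		if portRandomized {
			q.SrcPort = uint16(rng.Intn(65536))
		}
		forged := ForgeGuesses(guesses, q.QName, 3351, !portRandomized, rng)
		if _, ok := FirstAccepted(q, forged); ok {
			hits++
		}
	}
	return float64(hits) / float64(trials)
}

func main() {
	rng := NewRNG(1)
	fmt.Printf("fixed port, 500 forgeries per query:      %.4f poisoned\n", EstimateSuccess(2000, 500, false, rng))
	fmt.Printf("randomized port, 500 forgeries per query: %.4f poisoned\n", EstimateSuccess(2000, 500, true, rng))
}
```

The second estimate is expected to be zero or nearly so, which is the slide's point: port randomization shrinks the odds by a factor of 65,536 but only DNSSEC's signatures make a matching-but-forged reply fail.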

22 Crypto and signing to the rescue 22


26 (Slide shows a record listing.) First an A record, then its corresponding RRSIG. In the RRSIG, the type-covered field "A" says the signature covers an A record, and the key tag 44358 identifies which public key (DNSKEY) you'd use to verify the signature.

27 (Slide shows the matching DNSKEY record.) Note the key tag value 44358 again: the validator computes it from the DNSKEY and uses it to pick the key an RRSIG refers to. The "256 3 5" in front of the key material is the record's flags, protocol and algorithm; we'll see what those values mean later.


29 Our DNS server gathers and verifies information from bigfirm.com, received across the Internet, so it is only "maybe!" from the bigfirm.com zone:
"A" (address) record: "www.bigfirm.com is 73.165.73.5"
RRSIG record: the signature over the A record. The zone signer hashed the record and signed the hash with the zone's private key; the slide pictures this as an "encrypted hash" of the A record.
DNSKEY record: the zone's public key, the "decryption key" that verifies the RRSIG.
Verification: run the RRSIG through the decryption (signature-verification) algorithm with the DNSKEY to get the retrieved hash of the "A" record; run the A record we actually received through the hashing algorithm to get the computed hash of the "A" record; compare. They'd better be equal!
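The hash-sign-compare flow on this slide, as an added example that is not the presentation's code: the zone signer hashes the A record and signs the hash with the private key; the validator re-hashes the record it received and checks the signature with the public key from the DNSKEY, so the poisoned 20.3.2.8 answer of slide 12 fails. It uses Go's standard crypto/rsa. RSA PKCS#1 v1.5 over SHA-256 is what DNSSEC algorithm 8 (RSA/SHA-256, RFC 5702) uses; the slide's "256 3 5" key is algorithm 5 (RSA/SHA-1), and the text-based canonical form below is an assumed stand-in for the RFC 4034 wire-format canonical RRset plus RRSIG fields that real validators hash.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// ARecord is the A RRset as the validator sees it (constructed sample
// matching the slide: www.bigfirm.com is 73.165.73.5).
type ARecord struct {
	Owner string
	TTL   uint32
	IP    string
}

// canonical gives a stable byte form of the record: lower-cased owner name,
// fixed field order. Assumed stand-in for the RFC 4034 canonical wire form.
func canonical(rr ARecord) []byte {
	return []byte(fmt.Sprintf("%s %d IN A %s", strings.ToLower(rr.Owner), rr.TTL, rr.IP))
}

// NewZoneKey generates the zone's key pair. The public half is what the
// DNSKEY record publishes; the private half stays with the signer.
func NewZoneKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Sign is the zone signer's job: hash the RRset, sign the hash. The result
// is the signature field of the RRSIG.
func Sign(priv *rsa.PrivateKey, rr ARecord) ([]byte, error) {
	digest := sha256.Sum256(canonical(rr))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify is the validating resolver's job: recompute the hash from the
// record it received and check the RRSIG against the DNSKEY's public key.
// Returns true only if the two hashes agree ("they'd better be equal!").
func Verify(pub *rsa.PublicKey, rr ARecord, sig []byte) bool {
	digest := sha256.Sum256(canonical(rr))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo signs the genuine record and then checks both the genuine record and
// the attacker's 20.3.2.8 substitute against the same RRSIG. The attacker
// can change the answer but cannot produce a new signature for it.
func Demo() (genuineOK, forgedOK bool, err error) {
	priv, err := NewZoneKey()
	if err != nil {
		return false, false, err
	}
	genuine := ARecord{Owner: "www.bigfirm.com", TTL: 3600, IP: "73.165.73.5"}
	sig, err := Sign(priv, genuine)
	if err != nil {
		return false, false, err
	}
	forged := genuine
	forged.IP = "20.3.2.8"
	return Verify(&priv.PublicKey, genuine, sig), Verify(&priv.PublicKey, forged, sig), nil
}

func main() {
	genuineOK, forgedOK, err := Demo()
	fmt.Println("genuine record verifies:", genuineOK, "| forged record verifies:", forgedOK, "| err:", err)
}
```

Note that verification also requires that the DNSKEY itself be trusted; that is what the DS chain on slide 32 provides.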


32 Our DNS server gets the DNSKEYs and verifies each one against its parent (the chain of trust), working up from bigfirm.com to the root:
bigfirm.com zone: DNSKEY. Run it through the hash algorithm; does the result equal bigfirm.com's DS record in the .com zone?
.com zone: DNSKEY, plus DS records for bigfirm.com, minasi.com, google.com and so on. Run .com's DNSKEY through the hash algorithm; does it equal .com's DS record in the root zone?
. (root) zone: DNSKEY, plus DS records for .com, .net, .si and so on. The root DNSKEY is preinstalled on our server, so it is compared against that stored copy rather than against a DS.
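The DNSKEY handling behind slides 27 and 32, as an added example that is not the presentation's code: parsing the "flags protocol algorithm key" text form, decoding the flags (the 256 versus 257 distinction that the trust-anchor dialog later asks about), computing the RFC 4034 key tag that an RRSIG quotes (the slide's 44358), and deriving the DS digest that the parent zone publishes so the child's DNSKEY can be checked against it. The DNSKEY below uses the slide's "256 3 5" header with a constructed four-byte key (AQIDBA==), so its key tag is 2059, not 44358; the DS digest is type 2, SHA-256, per RFC 4509.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// DNSKEY holds the fields of the record whose text form is
// "flags protocol algorithm base64-key" (slide 27: "256 3 5 ...").
type DNSKEY struct {
	Owner     string
	Flags     uint16
	Protocol  uint8
	Algorithm uint8
	PublicKey []byte
}

// ParseDNSKEY parses the presentation (text) form of the RDATA.
func ParseDNSKEY(owner, rdata string) (DNSKEY, error) {
	f := strings.Fields(rdata)
	if len(f) < 4 {
		return DNSKEY{}, fmt.Errorf("DNSKEY needs flags, protocol, algorithm and key: %q", rdata)
	}
	flags, err1 := strconv.ParseUint(f[0], 10, 16)
	proto, err2 := strconv.ParseUint(f[1], 10, 8)
	alg, err3 := strconv.ParseUint(f[2], 10, 8)
	key, err4 := base64.StdEncoding.DecodeString(strings.Join(f[3:], ""))
	for _, err := range []error{err1, err2, err3, err4} {
		if err != nil {
			return DNSKEY{}, err
		}
	}
	return DNSKEY{Owner: owner, Flags: uint16(flags), Protocol: uint8(proto), Algorithm: uint8(alg), PublicKey: key}, nil
}

// RDATA is the wire-format RDATA: 2-byte flags, protocol, algorithm, key.
func (k DNSKEY) RDATA() []byte {
	out := []byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}
	return append(out, k.PublicKey...)
}

// KeyTag implements RFC 4034 Appendix B: a 16-bit checksum of the RDATA that
// RRSIG and DS records use to name the key. Valid for every algorithm except
// the obsolete RSA/MD5 (algorithm 1), which has its own rule.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.RDATA() {
		if i&1 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// Role decodes the flags: bit 7 (value 256) marks a zone key and bit 15
// (value 1) a Secure Entry Point, so 256 is a ZSK and 257 a KSK.
func (k DNSKEY) Role() string {
	switch {
	case k.Flags&256 == 0:
		return "not a zone key"
	case k.Flags&1 == 1:
		return "KSK (zone key + secure entry point)"
	default:
		return "ZSK (zone key)"
	}
}

// wireName converts "bigfirm.com" to lower-case wire form, \x07bigfirm\x03com\x00.
func wireName(name string) []byte {
	name = strings.TrimSuffix(strings.ToLower(name), ".")
	if name == "" {
		return []byte{0} // the root
	}
	var out []byte
	for _, label := range strings.Split(name, ".") {
		out = append(out, byte(len(label)))
		out = append(out, label...)
	}
	return append(out, 0)
}

// DSDigest is what the parent (.com) publishes for this key:
// hex(SHA-256(owner name in wire form || DNSKEY RDATA)), digest type 2.
func (k DNSKEY) DSDigest() string {
	h := sha256.Sum256(append(wireName(k.Owner), k.RDATA()...))
	return hex.EncodeToString(h[:])
}

// MatchesDS is the slide-32 check: hash the child's DNSKEY and compare it,
// along with key tag and algorithm, to the DS handed down by the parent.
func MatchesDS(child DNSKEY, dsKeyTag uint16, dsAlgorithm uint8, dsDigest string) bool {
	return child.KeyTag() == dsKeyTag && child.Algorithm == dsAlgorithm &&
		strings.EqualFold(child.DSDigest(), dsDigest)
}

func main() {
	k, err := ParseDNSKEY("bigfirm.com", "256 3 5 AQIDBA==") // constructed sample key
	if err != nil {
		panic(err)
	}
	fmt.Printf("key tag %d, %s, algorithm %d\n", k.KeyTag(), k.Role(), k.Algorithm)
	fmt.Printf("DS for .com to publish: bigfirm.com. IN DS %d %d 2 %s\n", k.KeyTag(), k.Algorithm, k.DSDigest())
}
```

Only a key whose DS the already-validated parent publishes (or a preinstalled trust anchor) may be used to verify RRSIGs; a DNSKEY that merely arrives in a reply proves nothing by itself.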


35 (Zone listing.) "A" record for BT1.bigfirm.com; "A" record for CC.bigfirm.com; "A" record for WWW.bigfirm.com. Then we add NSEC records and it looks like this:

36 "A" record for BT1.bigfirm.com, NSEC record for BT1 (next name: CC); "A" record for CC.bigfirm.com, NSEC record for CC (next name: WWW); "A" record for WWW.bigfirm.com, NSEC record for WWW (next name: the zone apex, bigfirm.com, which closes the chain). Each NSEC names the next name in the zone's sorted order and is signed like any other record. How's this help? Well, let's do a few queries:

37–40 (Slides 37 to 40 repeat the listing from slide 36 for the queries mentioned above; the queries themselves are shown only graphically and are not in the transcript.)
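The queries walked on slides 36 to 40, as an added example that is not the presentation's code: building the NSEC chain for the three-name zone above (plus the apex, which is assumed to carry SOA and NS records) in RFC 4034 canonical order, then answering "does this name exist?" from the chain alone. An exact-match NSEC says the name exists and lists its types; an NSEC whose owner and next name bracket the query is the authenticated proof that nothing sits between them, including the wrap-around from the last name back to the apex.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// NSEC links an owner name to the next name in canonical order and lists
// the record types present at the owner.
type NSEC struct {
	Owner string
	Next  string
	Types []string
}

// labels returns a name's labels from the root outward: "www.bigfirm.com"
// becomes [com bigfirm www], which is the order canonical sorting compares.
func labels(name string) []string {
	parts := strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".")
	for i, j := 0, len(parts)-1; i < j; i, j = i+1, j-1 {
		parts[i], parts[j] = parts[j], parts[i]
	}
	return parts
}

// CanonicalLess implements RFC 4034 section 6.1: compare label by label
// from the right, case-insensitively; an ancestor sorts before its children.
func CanonicalLess(a, b string) bool {
	la, lb := labels(a), labels(b)
	for i := 0; i < len(la) && i < len(lb); i++ {
		if la[i] != lb[i] {
			return la[i] < lb[i]
		}
	}
	return len(la) < len(lb)
}

// BuildChain sorts the zone's names canonically and emits one NSEC per
// name; the last NSEC points back to the apex, closing the loop.
func BuildChain(apex string, names map[string][]string) []NSEC {
	sorted := make([]string, 0, len(names))
	for n := range names {
		sorted = append(sorted, n)
	}
	sort.Slice(sorted, func(i, j int) bool { return CanonicalLess(sorted[i], sorted[j]) })
	chain := make([]NSEC, len(sorted))
	for i, n := range sorted {
		next := apex
		if i+1 < len(sorted) {
			next = sorted[i+1]
		}
		chain[i] = NSEC{Owner: n, Next: next, Types: append([]string{"NSEC", "RRSIG"}, names[n]...)}
	}
	return chain
}

// covers reports whether qname falls strictly between Owner and Next,
// treating the last NSEC (Next is the apex) as the wrap-around interval.
func (n NSEC) covers(qname string) bool {
	if CanonicalLess(n.Owner, n.Next) {
		return CanonicalLess(n.Owner, qname) && CanonicalLess(qname, n.Next)
	}
	return CanonicalLess(n.Owner, qname) || CanonicalLess(qname, n.Next)
}

// ProveNonexistence answers a query from the (signed) chain: exists=true
// with the NSEC at the name, or exists=false with the NSEC that covers the
// gap the name would have to be in. A nil proof means the chain is broken.
func ProveNonexistence(chain []NSEC, qname string) (exists bool, proof *NSEC) {
	q := strings.ToLower(strings.TrimSuffix(qname, "."))
	for i := range chain {
		if strings.ToLower(chain[i].Owner) == q {
			return true, &chain[i]
		}
		if chain[i].covers(q) {
			return false, &chain[i]
		}
	}
	return false, nil
}

func main() {
	// Constructed zone: the slide's three names plus the apex.
	zone := map[string][]string{
		"bigfirm.com":     {"SOA", "NS"},
		"bt1.bigfirm.com": {"A"},
		"cc.bigfirm.com":  {"A"},
		"www.bigfirm.com": {"A"},
	}
	chain := BuildChain("bigfirm.com", zone)
	for _, n := range chain {
		fmt.Printf("%-16s NSEC %-16s %v\n", n.Owner, n.Next, n.Types)
	}
	for _, q := range []string{"cc.bigfirm.com", "dd.bigfirm.com", "zzz.bigfirm.com", "aaa.bigfirm.com"} {
		exists, p := ProveNonexistence(chain, q)
		fmt.Printf("%-16s exists=%-5v proof: %s -> %s\n", q, exists, p.Owner, p.Next)
	}
}
```

A real validator also checks the RRSIG over the NSEC before trusting it. The same next-name pointers that prove nonexistence let anyone enumerate every name in the zone by following the chain; that disclosure is the price of NSEC.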


46 What you need to do to enjoy DNSSEC's protection 46


52 (Tree diagram: root at the top; below it the TLDs org, se and com; below those the second-level zones apple, acme and bigfirm.) Trust anchors, or "secure entry points", at .org, .se and bigfirm.com.


58 Creating a DNSSEC-aware infrastructure (including some specifics on signing your own zone, for reference)


71 (Certificates console.) The keys are found in "Local Computer" under the "MS-DNSSEC" store.


81 (Trust anchor dialog.) Use the DNSKEY's flags value, 256 or 257, to see whether to check "Zone Signing Key" (256) or both "Zone Signing Key" and "Secure Entry Point" (257, which sets both bits). You actually have no other options for Protocol (always 3) and Algorithm.


88 Resources:
www.microsoft.com/teched
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn


90 Sign up for Tech·Ed 2011 and save $500, starting June 8 – June 31st: http://northamerica.msteched.com/registration. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.


