DNSSEC Iván González Montemayor A00814653 Miguel Angel Banda Rodriguez A00816758 Héctor Ortiz Garza A01032773 MIGUEL
8 out of 10 Americans use the Internet, yet only 0.003% of Americans know that DNS is what keeps the Internet usable more than 30 years later. Miguel
Background In the beginning, computers on the Internet were reached by their numeric IP addresses. This became troublesome very quickly because nobody could remember all those numbers. The early "fathers and mothers" of the Internet developed a system that maps a human-readable domain name to each IP address: the Domain Name System, or DNS for short. Miguel
What is DNS? DNS is basically the phone book of the Internet: it stores domain names (the people, places and businesses) and the IP addresses (the phone numbers) they map to. Name servers maintain a directory of domain names and translate them to Internet Protocol (IP) addresses. MIGUEL
Hostnames and domain names The name we query has to be a Fully Qualified Domain Name (FQDN), the properly formatted name for a host: it consists of a hostname plus the domain name the host belongs to. Say we are trying to reach ITESM's mail server, which is hypothetically located at mail.itesm.mx:
The hostname would be: mail
The domain name: itesm.mx
The query would be: mail.itesm.mx
The response would be: 10.200.150.201 (a hypothetical address; note that it falls in the private RFC 1918 range, so a real public mail server would not be reachable at it from the Internet)
MIGUEL
DNS Server A DNS server (more precisely, an authoritative name server) holds the records of one or more zones, that is, the mapping from hostnames to their public IP addresses, and answers queries for those names. A DNS resolver (recursive resolver) is a server, typically run by an ISP, a company or a public service, that answers queries for all the clients on a network: it looks names up on their behalf, starting from the root name servers, and caches the answers. Hector
When an end user types the people-friendly domain name WhatIs.com into a browser, a small component of the client's operating system called the stub resolver asks a recursive resolver for WhatIs.com's numerical IP address. First, the recursive resolver checks its own local cache to see if it already has the IP address for WhatIs.com. If it doesn't, the resolver performs an iterative lookup: it asks a root server, which refers it to the .com servers, which refer it to the authoritative DNS server that stores the canonical mapping of the WhatIs.com domain name to its IP address. (The resolver is called recursive because it does this whole walk on the client's behalf; the authoritative servers themselves only answer or refer.) As soon as the resolver obtains the IP address, it returns it to the requesting program and caches it, for as long as the record's TTL allows, for future use. Hector
DNS Attacks
Although DNS is quite robust, it was designed for usability, not security: queries and answers travel unauthenticated, mostly over UDP. The DNS attacks in use today are numerous and quite complex, and most of them take advantage of that unauthenticated exchange between clients and servers. IVAN
DNS Poisoning and Spoofing The attacker corrupts a resolver's cache by getting a forged record accepted in place of the legitimate one, replacing a legitimate IP address with a rogue address, in order to redirect traffic to a malicious website, collect information or initiate another attack. It is also known as cache poisoning. A classic resolver checks only that a response carries the transaction ID, source port and question of a query it has outstanding, so an attacker who can guess those, or who sits on the path, can answer before the real server does. Hector
Denial of Service An attack in which a malicious bot (or botnet) sends more traffic to a targeted DNS server than it can handle, exhausting its bandwidth, sockets or CPU. The target becomes unable to resolve legitimate requests. DNSSEC does nothing against this: it protects authenticity and integrity, not availability. Hector
DNS amplification A DDoS attack in which the attacker sends small queries with a spoofed source address (the victim's) to open resolvers, i.e. DNS servers that permit recursive lookups from anyone. The resolvers send their much larger responses to the victim, so a small amount of attacker traffic is turned into a flood that brings down the victim's servers. DNSSEC makes this worse rather than better: signed responses carrying RRSIG and DNSKEY records are several times larger than unsigned ones. Hector
The Kaminsky Bug In July 2008, researcher Dan Kaminsky disclosed an easy-to-exploit weakness in DNS. It would let an attacker impersonate any website by poisoning the caches of Internet providers' resolvers, and it was the biggest DNS security issue in the history of the Internet up to that point. Earlier poisoning attempts had to wait out the TTL of the cached record and then win a 1-in-65,536 race on the 16-bit transaction ID. Kaminsky bypassed the TTL defence by asking the resolver for "sibling" names like 83.example.com, 84.example.com and so on: each has no cache entry and therefore no TTL, so the attacker gets a fresh race for every name. Each forged reply carried, in its authority and additional sections, an NS record for example.com and a rogue A record for the name server; a resolver of the day accepted these as in-bailiwick and overwrote its cache. The fix that shipped in 2008 was source-port randomisation (about 32 bits of entropy to guess instead of 16); DNSSEC is the long-term answer, since a forged record does not carry a valid signature. Hector
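The race described above, as an added example written for this page (not the slides' material, and not any real resolver's code): a toy resolver, an attacker and a victim zone simulated in one Python process with no network traffic. Everything in it is constructed: the names and addresses, the assumed fixed source port 32768 of a pre-2008 resolver, and the attacker's budget of 2048 forged replies per query. It shows why sibling names defeat the TTL, what a 16-bit ID costs the attacker on average, and what adding a random 16-bit source port does to that cost.

```python
"""Toy model of the Kaminsky attack: an added example, not from the slides.
Resolver, attacker and victim zone are objects in one process; there is no
network.  Names, addresses, the fixed port and the budgets are assumptions."""
import random

TXID_SPACE = 1 << 16            # DNS message IDs are 16 bits
PORT_LOW, PORT_HIGH = 1024, 65536
PORT_SPACE = PORT_HIGH - PORT_LOW
FIXED_PORT = 32768              # assumed fixed source port of a pre-2008 resolver
ZONE = "example.com"
VICTIM = "www." + ZONE
LEGIT_IP, ATTACKER_IP = "192.0.2.80", "203.0.113.66"   # constructed (TEST-NET ranges)


class Resolver:
    """Caching resolver that accepts a response if, and only if, its
    (txid, port) match the outstanding query for that name."""

    def __init__(self, rng, randomize_port):
        self.rng, self.randomize_port = rng, randomize_port
        self.cache = {VICTIM: LEGIT_IP}     # legitimate entry with a long TTL
        self.pending = {}

    def send_query(self, name):
        if name in self.cache:               # cache hit: no query, nothing to race
            return None
        txid = self.rng.randrange(TXID_SPACE)
        port = self.rng.randrange(PORT_LOW, PORT_HIGH) if self.randomize_port else FIXED_PORT
        self.pending[name] = (txid, port)
        return txid, port

    def receive(self, name, txid, port, rdata, glue):
        """First matching response wins; later ones (e.g. the real answer) are
        dropped.  In-bailiwick glue is cached and overwrites existing entries,
        as pre-2008 resolvers did."""
        if self.pending.get(name) != (txid, port):
            return False
        del self.pending[name]
        self.cache[name] = rdata
        for glue_name, glue_rdata in glue.items():
            if glue_name.endswith("." + ZONE):
                self.cache[glue_name] = glue_rdata
        return True


def forged_ids(rng, randomize_port, k):
    """k distinct (txid, port) guesses.  Without port randomization only the
    16-bit id is unknown; with it the attacker must guess a 32-bit pair."""
    if not randomize_port:
        return {(t, FIXED_PORT) for t in rng.sample(range(TXID_SPACE), k)}
    picks = rng.sample(range(TXID_SPACE * PORT_SPACE), k)
    return {(p % TXID_SPACE, PORT_LOW + p // TXID_SPACE) for p in picks}


def kaminsky(resolver, rng, guesses_per_query, max_queries):
    """Number of attacker-triggered queries needed to poison VICTIM, or None."""
    for n in range(1, max_queries + 1):
        # A never-seen sibling name has no cache entry, so no TTL protects it
        # and every iteration is a fresh race.
        sibling = f"{rng.getrandbits(40):010x}.{ZONE}"
        real = resolver.send_query(sibling)
        if real is None:
            continue
        forged = forged_ids(rng, resolver.randomize_port, guesses_per_query)
        # Only a forgery with matching ids passes receive(); the others are
        # discarded, so delivering just the matching one is equivalent.
        if real in forged:
            resolver.receive(sibling, *real, ATTACKER_IP, {VICTIM: ATTACKER_IP})
            return n
        resolver.receive(sibling, *real, "192.0.2.10", {})   # real answer, no harm done
    return None


def expected_forgeries(randomize_port):
    """Mean number of forged packets until one matches: the size of the id space
    (k guesses per query succeed with probability k/space, so space/k queries)."""
    return TXID_SPACE * (PORT_SPACE if randomize_port else 1)


def simulate(randomize_port, seed=2008, guesses_per_query=2048, max_queries=800):
    """Run one attack; returns (queries needed or None, cached answer for VICTIM)."""
    rng = random.Random(seed)
    resolver = Resolver(rng, randomize_port)
    return kaminsky(resolver, rng, guesses_per_query, max_queries), resolver.cache[VICTIM]


if __name__ == "__main__":
    for randomize in (False, True):
        queries, answer = simulate(randomize)
        print(f"port randomization={randomize}: ~{expected_forgeries(randomize):,} "
              f"forgeries expected; after {queries} queries {VICTIM} -> {answer}")
```

With the fixed port the attacker needs about 65,536 forgeries in total (a few dozen sibling queries at 2048 guesses each); with a random port the same budget is a few hundred-thousandths of the 4-billion-entry space and the run ends with the legitimate address still cached. The model keeps the pre-2008 glue-overwrite behaviour on purpose, since that is what let a poisoned sibling answer replace www.example.com.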
DNSSEC
What is DNSSEC? Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) extensions that add security to the DNS protocol. It allows a DNS zone to be cryptographically signed and provides DNS clients (resolvers) with origin authentication of DNS data, authenticated denial of existence and data integrity. It does not provide availability or confidentiality: a validating resolver still queries over unencrypted UDP, and a flooded server is still down. IVAN
History In 1990 Steve Bellovin discovered serious security flaws in DNS (his paper was only published in 1995). Research into securing it began and increased dramatically in 1995. Plans were made to deploy DNSSEC based on RFC 2535 (1999). Unfortunately, the RFC 2535 specification had problems scaling up to the Internet, so the IETF modified DNSSEC; the result is called DNSSEC-bis when necessary to distinguish it from the original approach. The DNSSEC-bis specifications (RFC 4033, 4034 and 4035, 2005) describe the current DNSSEC protocol in great detail. IVAN
Root zone DNS translates domain names in stages:
1. The first place the resolver 'looks' is the top level of the directory service, the "root zone".
2. After it gets a response it asks the directory service identified by the root where to find information on the second level (the top-level domain, e.g. ".com").
3. Then it asks that directory service what the address for the third level is (e.g. google.com).
4. The full address is provided to your computer.
Hector
Different entities manage each one of these directory services: google.com by Google, ".com" by VeriSign Corporation, and the root zone by ICANN (through its IANA function). Hector
Why do we need to "sign the root"? DNSSEC protects against attacks by digitally 'signing' data so you can be assured it is valid. Signing the root is a necessary step in this overall process, because the root's key is the single trust anchor from which every other zone's key is verified; without it, resolvers would need a separately configured key for every signed TLD. The root zone was signed in July 2010. DNSSEC does not encrypt data. It just attests to the validity of the address of the site you visit. Hector
How does it work? When a DNS server hosting a signed zone receives a query, it returns the digital signatures (RRSIG records) in addition to the records queried for. A DNS resolver or another server can obtain the public key (DNSKEY record) of the public/private key pair and validate that the responses are authentic and have not been manipulated. IVAN
DNS Record types DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. To facilitate signature validation, DNSSEC adds a few new DNS record types:
RRSIG - Contains a cryptographic signature over an RRset.
DNSKEY - Contains a public signing key.
DS - Contains the hash of a DNSKEY record, published in the parent zone.
NSEC and NSEC3 - For authenticated denial of existence of a DNS name or record type.
CDNSKEY and CDS (RFC 7344) - For a child zone requesting updates to its DS record(s) in the parent zone.
MIGUEL
An RRSIG record holds a DNSSEC signature for a record set (one or more DNS records with the same name, class and type). Besides the signature itself it carries the type covered, the algorithm, the signer's name, the key tag of the signing key and an inception/expiration window; resolvers verify the signature with the public key stored in a DNSKEY record and reject it outside that window.
A DNSKEY record holds a public key that resolvers use to verify the signatures in RRSIG records. Its data elements are:
- Flags: 256 for a zone-signing key (ZSK), 257 for a key-signing key (KSK; the extra bit is the Secure Entry Point flag).
- Protocol: fixed value of 3 (for backwards compatibility).
- Algorithm: the public key's cryptographic algorithm, e.g. 8 = RSA/SHA-256, 13 = ECDSA P-256/SHA-256.
- Public key: the key material, base64-encoded.
DS records are used to secure delegations. A DS record with the name of the sub-delegated zone is placed in the parent zone along with the delegating NS records. It references a DNSKEY record (normally the KSK) in the sub-delegated zone by key tag, algorithm and a digest of the key (digest type 2 is SHA-256).
An NSEC record links to the next record name in the zone (in DNSSEC canonical sorting order) and lists the record types that exist for the record's name. Resolvers use these records to verify the non-existence of a record name or type as part of DNSSEC validation. Its data elements are:
- Next domain name: the next record name in the zone (DNSSEC sorting order).
- Record types: the types present at this name (the type bitmap).
Because the chain of NSEC records can be followed from name to name, it also lets anyone enumerate the whole zone; NSEC3 chains hashed names instead, which makes that enumeration harder.
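Authenticated denial of existence, worked through as an added example (written for this page, not taken from the slides or from any name server). The zone below is constructed and its RRSIGs are left out, so the part a validator actually reasons about stands out: the canonical name order, which NSEC record "covers" a missing name, the wildcard proof an NXDOMAIN additionally needs, the empty-non-terminal case that turns an apparent NXDOMAIN into NODATA, and the NSEC3 hashing that replaces plain names with hashes. The salt and iteration count used for NSEC3 are arbitrary choices.

```python
"""Authenticated denial of existence with NSEC and NSEC3: an added example,
not part of the slides.  The zone is constructed and RRSIGs are omitted so
that the ordering, cover and hashing checks a validator performs stand out."""
import base64
import hashlib

APEX = "example."
ZONE = {  # constructed zone: owner name -> record types present
    "example.": {"SOA", "NS", "DNSKEY"}, "a.example.": {"A"},
    "ai.example.": {"A", "MX"}, "ns1.example.": {"A"},
    "x.w.example.": {"A"}, "www.example.": {"A", "AAAA"},
}

def labels(name):
    return [] if name == "." else name.rstrip(".").split(".")

def canonical_key(name):
    """RFC 4034 §6.1 order: labels right to left, case-insensitive, a missing
    label sorting first, so 'w.example.' < 'x.w.example.' < 'www.example.'."""
    return tuple(l.lower().encode() for l in reversed(labels(name)))

def build_nsec_chain(zone):
    """Each name points at the next in canonical order; the last wraps to the
    apex.  Empty non-terminals such as w.example. get no NSEC of their own."""
    ordered = sorted(zone, key=canonical_key)
    return [(n, ordered[(i + 1) % len(ordered)], zone[n] | {"NSEC", "RRSIG"})
            for i, n in enumerate(ordered)]

def covers(owner, nxt, qname):
    o, n, q = map(canonical_key, (owner, nxt, qname))
    return o < q < n if o < n else (q > o or q < n)    # last record wraps around

def closest_encloser(owner, nxt, qname):
    """Longest ancestor of qname shared with the covering NSEC's two names;
    it may be an empty non-terminal, which still counts as existing."""
    q, best = canonical_key(qname), ()
    for k in (canonical_key(owner), canonical_key(nxt)):
        i = 0
        while i < min(len(k), len(q)) and k[i] == q[i]:
            i += 1
        best = max(best, q[:i], key=len)
    return ".".join(l.decode() for l in reversed(best)) + "."

def deny(chain, qname, qtype):
    """The validator's verdict for (qname, qtype) from the NSEC chain alone."""
    q = canonical_key(qname)
    for owner, _, types in chain:
        if canonical_key(owner) == q:
            return "EXISTS" if qtype in types else "NODATA"
    for owner, nxt, _ in chain:
        if not covers(owner, nxt, qname):
            continue
        if canonical_key(nxt)[:len(q)] == q:
            return "NODATA"          # next name lies below qname: empty non-terminal
        wildcard = "*." + closest_encloser(owner, nxt, qname)
        if any(covers(o, n, wildcard) for o, n, _ in chain):
            return "NXDOMAIN"        # neither the name nor a wildcard for it exists
        return "BOGUS"               # wildcard not disproved: incomplete proof
    return "BOGUS"

def walk_nsec(chain):
    """Enumerate the whole zone by following next pointers: the leak that
    motivated NSEC3."""
    nxt_of = {canonical_key(o): n for o, n, _ in chain}
    names, cur = [], APEX
    while True:
        names.append(cur)
        cur = nxt_of[canonical_key(cur)]
        if canonical_key(cur) == canonical_key(APEX):
            return names

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 §5: SHA-1 over the wire-format name and salt, iterated, then
    base32hex (it preserves byte order, so hashed owner names sort as text)."""
    wire = b"".join(bytes([len(l)]) + l.lower().encode() for l in labels(name)) + b"\x00"
    h = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    b32 = base64.b32encode(h).decode()           # 20 bytes -> 32 chars, no padding
    return b32.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789ABCDEFGHIJKLMNOPQRSTUV")).lower()

def nsec3_covered(zone, qname, salt=b"\xaa\xbb", iterations=5):
    """True if qname's hash falls in a gap of the NSEC3 chain (name absent).
    Unlike NSEC, the chain lists empty non-terminals explicitly."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in list(zone) + ["w.example."])
    hq = nsec3_hash(qname, salt, iterations)
    if hq in hashed:
        return False
    for i, h in enumerate(hashed):
        n = hashed[(i + 1) % len(hashed)]
        if (h < hq < n) if h < n else (hq > h or hq < n):
            return True
    return False

if __name__ == "__main__":
    chain = build_nsec_chain(ZONE)
    for q, t in (("b.example.", "A"), ("w.example.", "A"), ("ai.example.", "AAAA"),
                 ("foo.w.example.", "A"), ("zzz.example.", "A")):
        print(f"{q} {t}: {deny(chain, q, t)}")
    print("NSEC walk:", walk_nsec(chain), "NSEC3 covers b.example.:", nsec3_covered(ZONE, "b.example."))
```

Two cases are worth tracing by hand. Asking for w.example. finds the NSEC ns1.example. -> x.w.example. covering it, but since the next name is below the query name the validator must answer NODATA, not NXDOMAIN: the name exists as an empty non-terminal. And foo.w.example. is NXDOMAIN only because *.w.example. is shown to be covered as well; a response that omitted that second NSEC would be incomplete and treated as bogus. walk_nsec() lists every name in the zone from the chain alone, which is exactly what NSEC3's hashed owner names are meant to prevent (or at least make expensive).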
Resource record set (RRset) The first step towards securing a zone with DNSSEC is to group all the records with the same owner name, class and type into a resource record set (RRset). It is this full RRset that gets digitally signed, as opposed to individual DNS records. For example, if you have three AAAA records for the same name in your zone, they would all be bundled into a single AAAA RRset and covered by one RRSIG. MIGUEL
Zone-Signing Keys Each zone in DNSSEC has a zone-signing key pair (ZSK), a public/private key pair. To enable DNSSEC, the zone operator creates a digital signature for each RRset with the private ZSK and stores it in the name server as an RRSIG record; the public ZSK is published in the zone as a DNSKEY record so that resolvers can authenticate the RRSIGs. The signature says, in effect: "These are my DNS records, they come from my server, and they should look like this." When a DNSSEC-aware resolver requests a particular record type (e.g. AAAA), the name server also returns the corresponding RRSIG. The resolver can then fetch the DNSKEY record containing the public ZSK from the name server. Together, the RRset, the RRSIG and the public ZSK are enough to validate the response. MIGUEL
RRSIG records are useless unless DNS resolvers have a way of verifying the signatures, and a signature is only as trustworthy as its key. If we can trust the zone-signing key in the DNSKEY record, we can trust all the records in the zone. But anyone who can forge an A record could just as easily forge a DNSKEY record and sign with a key of their own, and a compromised ZSK must be replaceable. So we need a way to validate the public ZSK itself. (In the terminology of the RFCs, the DNSKEY is an authentication key that corresponds to the private key used to sign a zone.) MIGUEL
Key-Signing Keys In addition to the ZSK, DNSSEC also has a key-signing key pair (KSK). It secures the DNSKEY record in exactly the same way the ZSK secures the other records: the private KSK signs the DNSKEY RRset (which contains the public ZSK and the public KSK itself), creating an RRSIG for the DNSKEY RRset, and the public KSK is stored in the DNS, in that same DNSKEY RRset, so that resolvers can authenticate the ZSK. Splitting the two roles means the ZSK, which is used constantly, can be small and rotated often without involving the parent zone, while the KSK, which only ever signs the DNSKEY RRset, can be larger, kept offline and rotated rarely. The KSK is of course only useful if resolvers can trust it, which is what the DS record in the parent zone is for. IVAN
Validation for Resolvers
1. Request the desired RRset, which also returns the corresponding RRSIG record.
2. Request the DNSKEY records containing the public ZSK and public KSK, which also returns the RRSIG for the DNSKEY RRset.
3. Verify the RRSIG of the requested RRset with the public ZSK.
4. Verify the RRSIG of the DNSKEY RRset with the public KSK.
IVAN
The Chain of Trust Step 4 only moves the problem up one key: why trust the KSK? The answer is the DS record. The parent zone (for example.com that is the .com TLD; *TLD - top level domain) publishes a DS record containing a hash of the child's public KSK. That DS RRset is itself signed with the parent's ZSK, whose DNSKEY RRset is signed with the parent's KSK, which is in turn hashed into a DS record one level further up, and so on until the root. The root zone's KSK is the trust anchor that every validating resolver is configured with, which is why the root had to be signed. A forged answer, such as one injected by cache poisoning, cannot be linked into this chain, so a validating resolver discards it. IVAN
Video: "DNSSEC Overview", John Wagnon, F5 Lightboard Lessons (youtube.com), gives an overview of DNSSEC and of how F5's DNS services can help secure your domains.
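The four validation steps and the chain of trust above, worked end to end as an added example written for this page (it is not the slides' material and not any real resolver's code). Everything in it is constructed: the zones ".", "com." and "example.com.", the addresses, and the keys, which are generated at run time from a fixed seed. To stay inside the Python standard library, signing is textbook RSA over a SHA-256 digest with a 512-bit modulus and no padding; that is deliberately not the RSASSA-PKCS1-v1_5 or ECDSA that DNSSEC specifies, and the key tag is a placeholder rather than the RFC 4034 checksum. The structure is the real one: RRsets signed by the ZSK, the DNSKEY RRset signed by the KSK, a DS in the parent, and a root trust anchor.

```python
"""DNSSEC chain of trust end to end: an added example, not from the slides.
Zones, names and keys are constructed.  Signing is textbook RSA over a SHA-256
digest (no padding, 512-bit modulus) so only the standard library is needed;
real DNSSEC uses RSASSA-PKCS1-v1_5 (algorithm 8) or ECDSA P-256 (13)."""
import hashlib
import math
import random

rng = random.Random(4034)  # fixed seed: deterministic demo keys

def is_probable_prime(n, rounds=20):
    """Miller-Rabin, enough for toy keys."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keypair(bits=256):
    """((n, e), (n, d)) from two random `bits`-bit primes."""
    def prime():
        while True:
            c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1:
            return (n, e), (n, pow(e, -1, phi))

def rrset_digest(owner, rtype, rdatas):
    """Canonical RRset: owner, type, sorted RDATA (RFC 4034 §6.3; a real RRSIG
    also covers the RRSIG header fields such as expiry and key tag)."""
    data = f"{owner.lower()} IN {rtype} ".encode() + "|".join(sorted(map(str, rdatas))).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign_rrset(owner, rtype, rdatas, priv):       # RRSIG signature value
    return pow(rrset_digest(owner, rtype, rdatas), priv[1], priv[0])

def verify_rrset(owner, rtype, rdatas, sig, pub):
    return pow(sig, pub[1], pub[0]) == rrset_digest(owner, rtype, rdatas)

def dnskey(flags, pub):
    """DNSKEY RDATA as (flags, protocol, algorithm, key): 256 = ZSK, 257 = KSK."""
    return (flags, 3, 8, pub)

def ds(owner, key):
    """DS = (key tag, algorithm, digest type 2, SHA-256(owner || DNSKEY RDATA)),
    RFC 4034 §5.1.4; the key tag here is a toy, not the Appendix B checksum."""
    return (key[3][0] & 0xFFFF, 8, 2, hashlib.sha256(f"{owner.lower()}{key}".encode()).hexdigest())

class Zone:
    def __init__(self, name):
        self.name = name
        self.ksk_pub, self.ksk_priv = rsa_keypair()
        self.zsk_pub, self.zsk_priv = rsa_keypair()
        keys = [dnskey(257, self.ksk_pub), dnskey(256, self.zsk_pub)]
        # The DNSKEY RRset (both public keys) is the one RRset the KSK signs.
        self.rrsets = {(name, "DNSKEY"): (keys, sign_rrset(name, "DNSKEY", keys, self.ksk_priv))}

    def add(self, owner, rtype, rdatas):          # everything else is signed by the ZSK
        self.rrsets[(owner, rtype)] = (rdatas, sign_rrset(owner, rtype, rdatas, self.zsk_priv))

    def delegate(self, child):                    # parent publishes DS for the child's KSK
        self.add(child.name, "DS", [ds(child.name, dnskey(257, child.ksk_pub))])

def find_zone(zones, owner, exclude=None):
    """Longest zone containing owner; pass exclude=that zone to get its parent."""
    ok = [z for z in zones if z != exclude and (z == "." or owner == z or owner.endswith("." + z))]
    return zones[max(ok, key=len)]

def validate(zones, owner, rtype, anchor, zone=None):
    """Resolver validation: the four steps from the slides, then the same checks
    one level up via DS until the root KSK equals the trust anchor."""
    zone = zone or find_zone(zones, owner)
    rdatas, sig = zone.rrsets[(owner, rtype)]
    keys, keysig = zone.rrsets[(zone.name, "DNSKEY")]
    zsk = next(k[3] for k in keys if k[0] == 256)
    ksk = next(k for k in keys if k[0] == 257)
    if not verify_rrset(owner, rtype, rdatas, sig, zsk):                # 1. RRSIG with public ZSK
        return False
    if not verify_rrset(zone.name, "DNSKEY", keys, keysig, ksk[3]):     # 2. DNSKEY RRSIG with KSK
        return False
    if zone.name == ".":
        return ds(".", ksk) == anchor                                    # 3. root KSK is the trust anchor
    parent = find_zone(zones, zone.name, exclude=zone.name)
    if ds(zone.name, ksk) not in parent.rrsets[(zone.name, "DS")][0]:  # 4. parent's DS names this KSK
        return False
    return validate(zones, zone.name, "DS", anchor, zone=parent)       # 5. recurse to the parent

def build_internet():
    root, com, example = Zone("."), Zone("com."), Zone("example.com.")
    example.add("www.example.com.", "A", ["192.0.2.80"])
    com.delegate(example)
    root.delegate(com)
    return {z.name: z for z in (root, com, example)}, ds(".", dnskey(257, root.ksk_pub))

def demo():
    """(genuine, tampered, forged_zone): only the untouched answer validates."""
    zones, anchor = build_internet()
    genuine = validate(zones, "www.example.com.", "A", anchor)
    sig = zones["example.com."].rrsets[("www.example.com.", "A")][1]
    zones["example.com."].rrsets[("www.example.com.", "A")] = (["203.0.113.66"], sig)  # poisoned, old RRSIG
    tampered = validate(zones, "www.example.com.", "A", anchor)
    fake = Zone("example.com.")                   # attacker signs a whole zone with their own keys...
    fake.add("www.example.com.", "A", ["203.0.113.66"])
    zones["example.com."] = fake
    return genuine, tampered, validate(zones, "www.example.com.", "A", anchor)  # ...but .com's DS disagrees

if __name__ == "__main__":
    print(demo())
```

demo() exercises the three outcomes a validator distinguishes: the genuine answer passes every link; an answer whose RDATA was altered but whose RRSIG was kept, which is what a poisoned cache would hold, fails at step 1; and a zone re-signed by an attacker with keys of their own passes steps 1 and 2 (it is self-consistent) but fails at step 4, because the DS that .com publishes does not hash to the attacker's KSK. That last case is the whole point of the chain: a key is only as good as the DS above it, all the way to the root anchor.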
Bibliography
Microsoft. DNS Security Extensions (DNSSEC). Retrieved November 04, 2017, from https://technet.microsoft.com/es-es/library/ee683904(v=ws.10).aspx
ICANN. DNSSEC – What Is It and Why Is It Important? Retrieved November 04, 2017, from https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en
Cloudflare. How DNSSEC Works. Retrieved November 04,2017, from https://www.cloudflare.com/dns/dnssec/how-dnssec-works/
Rampling, B., & Dalan, D. (2003). DNS for Dummies. New York, NY: Wiley.