© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction.

Slides:



Advertisements
Similar presentations
Security Issues In Mobile IP
Advertisements

INTERNET PROTOCOLS Class 9 CSCI 6433 David C. Roberts Entire contents copyright 2011, David C. Roberts, all rights reserved.
Review iClickers. Ch 1: The Importance of DNS Security.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.
DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Module 3 DNS Types.
Tony Kombol ITIS Who knows this? Who controls this? DNS!
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
IIT Indore © Neminath Hubballi
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Troubleshooting.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Chapter 16 – The Domain Name System (DNS) Presented by Shari Holstege Tuesday, June 18, 2002.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License The details.
ISOC.NL SIP © 15 March 2007 Stichting NLnet Labs DNSSEC and ENUM Olaf M. Kolkman
© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Practicalities.
Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.
1 Internet Network Services. 2 Module - Internet Network Services ♦ Overview This module focuses on configuring and customizing the servers on the network.
1 Madison, Wisconsin 9 September14. 2 Security Overlays on Core Internet Protocols – DNSSEC and RPKI Mark Kosters ARIN Engineering.
Joint Techs, Albuquerque Feb © 8 Feb 2006 Stichting NLnet Labs DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,
DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
Presented by Mark Minasi 1 SESSION CODE: WSV333.
By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.
1 CMPT 471 Networking II DNS © Janice Regan,
OPTION section It is the first section of the named.conf User can use only one option statement and many option-value pair under the section. Syntax is.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Short Intro to DNS (part of Tirgul 9) Nir Gazit. What is DNS? DNS = Domain Name System. For translation of host names to IPs. A Distributed Database System.
Internet infrastructure 1. Infrastructure Security r User expectations  Reliable service  Reliable endpoints – although we know of spoofing and phishing.
© 2013 Infoblox Inc. All Rights Reserved. Paul UKNOF 26 – 13 Sep 2013, London Paul Ebersman.
Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
Security Issues with Domain Name Systems
DNS Security.
Module 5: Resolving Host Names by Using Domain Name System (DNS)
DNS Security Issues SeongHo Cho DPNM Lab., POSTECH
IMPLEMENTING NAME RESOLUTION USING DNS
Configuring and Troubleshooting DNS
DNS Session 5 Additional Topics
DNS Cache Poisoning Attack
DNSSEC Basics, Risks and Benefits
A New Approach to DNS Security (DNSSEC)
NET 536 Network Security Lecture 8: DNS Security
NET 536 Network Security Lecture 6: DNS Security
Presentation transcript:

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Introduction to DNS and its vulnerabilities Olaf M. Kolkman Olaf M. Kolkman

2 DNS and DNSSEC in a Nutshell D N S a n d D N S S E C i n a N u t s h e l l source:

3 Device queries Recursive Nameserver D e v i c e q u e r i e s R e c u r s i v e N a m e s e r v e r Recursive Nameserver Recurses over Authoritative nameservers R e c u r s i v e N a m e s e r v e r R e c u r s e s o v e r A u t h o r i t a t i v e n a m e s e r v e r s Results are cached R e s u l t s a r e c a c h e d The DNS is highly distributive T h e D N S i s h i g h l y d i s t r i b u t i v e DNS is implemented through 100s of thousands of machines D N S i s i m p l e m e n t e d t h r o u g h s o f t h o u s a n d s o f m a c h i n e s

4 Stub ResolverRecursive Nameservers Authoritative Nameservers A root.hints: location of the root servers referral: nl NS A referral: nlnetlabs.nl NS Answer: A www.nlnetlabs.nl ROOT NL NLnetLabs.N L A A

5 Attack Surface On the Wire or through Compromise O n t h e W i r e o r t h r o u g h C o m p r o m i s e Whoa, that looks bad!!! Who Uses This System? W h o a, t h a t l o o k s b a d ! ! ! W h o U s e s T h i s S y s t e m ? Compromise of systems C o m p r o m i s e o f s y s t e m s Bugs and implementation mistakes B u g s a n d i m p l e m e n t a t i o n m i s t a k e s

©2011 Stichting NLnet Labs Mail server Internet Recursive DNS enterprise

©2011 Stichting NLnet Labs Mail server Internet Recursive DNS enterprise

8 Recursive Nameserver Query: STUB Resolver Authoritative Nameserver Atacker Query: Query: Response: Answer: Response: Cache hit Response:

9 Recursive Nameserver Query: STUB Resolver Authoritative Nameserver Atacker Query: Query: Response: Answer: Response: Cache hit Response: Response: Success depends on legacy and speed of network. And on various properties that the attacher needs to match Query ID Source Port 0X200X20

10 TTL saves you?!? I dont think so.... Dan Kaminskys image from zdnet.com Security Popstar

11 Recursive Nameserver Query: asdf23sadf.webcam.com STUB Resolver Authoritative Nameserver Atacker Query: Response: Answer: Response: webcam.com NS ns1.webcam.com webcam.com NS ns1.webcam.co ns1.webcam.com A Query: asdf23sadf.webcam.com Response: asdf23sadf.webcam.com Query to asdf23sadf.webcam.com Query to Try Delegation s Abuse a 25 year old protocol requirement

12 Do attacks happen in practice? Would you tell? Would you notice?

13 Why would one attack the DNS? Do attacks happen in practice? While one could be doing other things

14 How to Protect?

15 Follow the Organizing your life Paying your Tax Your weekly security update Short-selling your stock Mon y Why would one attack the DNS?

16 Mon y Dont all these transactions use SSL and Certificates?

17 The role of a CA 3rd party trust broker SubjectRequestsSubjectRequests RA performs checks RA tells CA to sign Browser trusts CA signed certificates EV Extended Validation EV

18 However all these little men are a wee bit expensive AUTOMATE THE LOT

19 DV Domain Validation DV Subject: Please sign certificate for Example.com Example.com RA sends a mail to well When mail returned CA will sign

20 DV Domain Validation DV All these checks are based on information fetched from the DNS Hold that thought for Jakobs presentation Hold that thought for Jakobs presentation

21 Secondary DNS primary DNS Registrars & Registrants Registry Secondary DNS Server vulnarability Man in the Middle spoofing & Man in the Middle DNS System Vulnerabilities Vulnerabilities Provisioning Vulnarabilities

22 What can one do to protect... (skipping DNSSEC) What can one do to protect... (skipping DNSSEC)

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Taking Unbound as example Other servers might make other choices, but any modern resolver takes similar approaches

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Security Choices in Unbound In general, a modern paranoid resolver DNSSEC support. RFC 2181 support completely Fine grained. Keeps track of where RRSets came from and won't upgrade them into answers. Does not allow RRSets to be overridden by lower level rrsets

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Filtering Scrubber: Only in-bailiwick data is accepted in the answer The answer section must contain only answer CNAME, DNAME checked that chain is correct CNAME cut off and only the first CNAME kept Lookup rest yourself do not trust other server DNAME synthesize CNAME by unbound do not trust other server. Also cut off like above. DNAME from cache only used if DNSSEC-secure.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Filtering II No address records in authority, additional section unless relevant – i.e. mentioned in a NS record in the authority section. Irrelevant data is removed When the message only had preliminary parsing and has not yet been copied to the working region of memory

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Entropy Randomness protects against spoof Arc4random() (OpenBSD): crypto strong. May not be perfectly random, but predicting it is a cryptographical breakin. Real entropy from OS as seed Query id – all 16 bits used. Port randomisation – uses all 16bits there, goes out of its way to make sure every query gets a fresh port number

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Entropy II Destination address, and ipv4/ipv6. RTT band of 400msec (=everything). Its not the timewindow but the randomness Query aggregation – same queries are not sent out – unless by different threads Qname strict match checked in reply 0x20 option Harden-referral-path (my draft) option Can use multiple source interfaces! 4 outgoing IP address add +2 bits

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Other measures Not for the wire itself Heap function pointer protection (whitelisted) Chroot() by default User privileges are dropped (lots of code!) ACL for recursion No detection of attacks – assume always under attack version.bind hostname.bind can be blocked or configured what to return (version hiding) Disprefer recursion lame servers – they have a cache that can be poisoned

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Arms Race... Introducing DNSSEC

31 MetaphorMetaphor Metaphor

32 primary DNS Secondary DNS Registrars & Registrants Registry Secondary DNS End to End Security

33 All done using Public Key crypto DNSKEY: public key from the keypair RRSIG: Signatures made with a private key from the keypair NSEC and NSEC3 For pre-calculated Denial of Existence NSEC and NSEC3 For pre-calculated Denial of Existence DS For delegating Security DS

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License But more on that later Let us have a look at another cryptographic DNS protection mechanism

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Securing Host- Host Communication

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Secondary DNS primary DNS Registrars & Registrants Registry Secondary DNS Data flow through the DNS What should you protect... HOST Security TSIG TSIG (rarely)

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Transaction Signature: TSIG TSIG (RFC 2845) – Authorising dynamic updates and zone transfers – Authentication of caching forwarders – Independent from other features of DNSSEC One-way hash function – DNS question or answer and timestamp Traffic signed with shared secret key Used in configuration, NOT in zone file

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License SOA … SOA SIG: Master TSIG Example Slave KEY: AXFR Sig: SOA … SOA SIG: verification Query: AXFR Response: Zone AXFR Sig: AXFR Sig:

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License TSIG for Zone Transfers 1. Generate secret 2. Communicate secret 3. Configure servers 4. Test

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Importance of the Time Stamp TSIG/SIG(0) signs a complete DNS request / response with time stamp – To prevent replay attacks – Currently hardcoded at five minutes Operational problems when comparing times – Make sure your local time zone is properly defined – date -u will give UTC time, easy to compare between the two systems – Use NTP synchronisation!

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Authenticating Servers Using SIG(0) Alternatively, it is possible to use SIG(0) – Not yet widely used – Works well in dynamic update environment Public key algorithm – Authentication against a public key published in the DNS SIG(0) specified in RFC 2931

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License Cool Application Use TSIG-ed dynamic updates to configure configure your laptops name My laptop is know by the name of aagje.secret-wg.org – howto.html – Mac OS users: there is a bonjour based tool.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.