Hackathon AIS’19 Measurement group DNS over HTTPS/TLS team

Slides:

Advertisements

Similar presentations

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Advertisements

Local Wireless Network - An wireless Access Point (AP) which is the bridge the ethernet network and the wireless network -The AP protect its wireless network.

Module 5: Configuring Access to Internal Resources.

SSL Spoofing Man-In-The-Middle attack on SSL Duane Peifer.

Negotiating Unsolicited Connections to a Service Listening Behind a Firewall Ben Stroud CS525 Spring 10.

1 Integrating ISA Server and Exchange Server. 2 How works.

1 Enabling Secure Internet Access with ISA Server.

CHAPTER 2 PCs on the Internet Suraya Alias. The TCP/IP Suite of Protocols Internet applications – client/server applications The client requested data.

Internet-Based Client Access

Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Module 6: Integrating ISA Server 2004 and Microsoft Exchange Server.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

Practice 4 – traffic filtering, traffic analysis

Purpose Present Drivers and Context for Firewalls Define Firewall Technology Present examples of Firewall Technology Discuss Design Issues Discuss Service.

Web Server Apache PHP HTTP Request User types URL into browser Address resolved if nec. We use directly Most browsers request.

SharkFest ‘16 Computer History Museum June 13-16, 2016 SharkFest ‘16 Markers – Beacons in an Ocean of Packets Matthew York 15th June 2016 Performance &

Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos

Web Server Management: Securing Access to Web Servers Jon Warbrick University of Cambridge Computing Service.

High performance recursive DNS solution

ArcGIS for Server Security: Advanced

A Quick Tour of Ceedo Safe Browsing and Remote Access Protection.

Installing TMG & Choosing a Client Type

Module 3: Enabling Access to Internet Resources

NET 536 Network Security Firewalls and VPN

Security in the layers 8: Network Security.

Security: Exploits & Countermeasures

Testing DNS resolvers (as) in real world

Secure Software Confidentiality Integrity Data Security Authentication

Secure Sockets Layer (SSL)

Killtest Palo Alto Networks PCNSE7 Exam

DNS Privacy: Problem and solutions

Securing the Network Perimeter with ISA 2004

Living on the Edge: (Re)focus DNS Efforts on the End-Points

XWN740 X-Windows Configuring and Using Remote Access

Implementing TMG Server Publishing

Introduction:. Vendor : Cisco Certifications : Next-Generation Firewall Express Security Engineer Exam Name : Cisco ASA Express Security Exam Code :

Free Exam Questions | New Microsoft Exam Dumps and Exam News

Welcome To : Group 1 VC Presentation

Chapter 19 Domain Name System (DNS)

Cyber Security of SCADA Systems

Traditional Internet Applications

Man-in-the-Middle Attacks

Cisco Real Exam Dumps IT-Dumps

CS4622: Computer Networking

Transport Protocols Relates to Lab 5. An overview of the transport protocols of the TCP/IP protocol suite. Also, a short discussion of UDP.

The Internet and HTTP and DNS Examples

Server-to-Client Remote Access and DirectAccess

A Web-based Integrated Console for Controlling a Set of Networks

TCP/IP Networking An Example

The world changes again

When you connect with DHCP, you are assigned a

A Programmer’s Guide to Secure Connections

Encrypting DNS traffic

Agenda Create certificates for the GlobalProtect Portal, internal gateway, and external gateway. Attach certificates to a SSL-TLS Service Profile. Configure.

Security: Exploits & Countermeasures

Security: Exploits & Countermeasures

Applications Layer Functionality & Protocols

Building Security into Your System

(DNS – Domain Name System)

DoH! Peter Van Roste GAC/ccNSO meeting - ICANN 64

Information Retrieval and Web Design

Web Servers (IIS and Apache)

Q/ Compare between HTTP & HTTPS? HTTP HTTPS

INTERNET SECURITY.

Introduction to Networking Security

Transport Layer Security

Presentation transcript:

Hackathon AIS’19 Measurement group DNS over HTTPS/TLS team Team name: Just DoH it! Kampala, 19-20 June 2019

Problem statement Traditional DNS queries and responses are sent over UDP or TCP without encryption. Vulnerable to eavesdropping and spoofing. Responses from recursive resolvers to clients are the most vulnerable to undesired/malicious changes, while communications between recursive resolvers and authoritative NS often incorporate additional protection such as DNSSEC. How to protect/secure clients to resolvers communication???

Motivation Run your own DoH and/or DoT server Increase user privacy and security by preventing eavesdropping and manipulation of DNS data.

REQUIREMENTS HTTP Server: Nginx for example Certbot/Let’s Encrypt to generate SSL certificates and integrate to the HTTP server. A resolver: Unbound is simple and perfect! Firewall rules for security: iptables/firewalld a browser: Firefox is fine! Wireshark or tcpdump to analyse the traffic Be patient and open your eyes!

Test your DoH server locally

Tcpdump on SSL port

Use your DoH using your client browser

Test your DoT server using getdnsapi Answer should be "status": GETDNS_RESPSTATUS_GOOD

Future improvements Implement a Windows client like Stubby so that the entire client OS DNS requests will be secured, not only the browser requests. Test on Android clients. …

Documentation Tutorial 1 to setup DoH: https://www.bentasker.co.uk/documentation/linux/407 -building-and-running-your-own-dns-over-https-server Tutorial 2 to setup DoH: https://www.aaflalo.me/2018/10/tutorial-setup-dns- over-https-server/ Tutorial to setup DoT: https://www.aaflalo.me/2019/03/dns-over-tls/ Test DNS over TLS: https://getdnsapi.net/query/

Typos in documentation In Tutorial 1 to setup DoH, installing Nginx, /etc/nginx/conf.d/doh.conf: “listen 80;” instead of “listen 80” In DoT configuration, /etc/nginx/nginx.conf : Append “include /etc/nginx/streams/*;” instead of stream { include /etc/nginx/streams/*; }