DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

Slides:

Advertisements

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

Advertisements

Review iClickers. Ch 1: The Importance of DNS Security.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

1 Securing BGP using DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

Internet Infrastructure Protection May 23, 2006 Steve Crocker, ICANN Security and Stability Committee Shinkuro, Inc.

February 2003slideset 1 Introduction to the DNS system Olaf M. Kolkman

DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.

RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

Domain Name System Security Extensions (DNSSEC) Hackers 2.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

Peter Janssen, EURid.eu Ljubljana, RIPE 64, 2012 Peter Janssen, EURid.eu Ljubljana, RIPE 64, April

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Module 3 DNS Types.

Olaf M. Kolkman. Apricot 2003, February 2003, Amsterdam. /disi Steps towards a secured DNS Olaf M. Kolkman, Henk Uijterwaal, Daniel.

Advanced Module 3 Stealth Configurations.

DNSSEC Introduction to Concepts Bill Manning

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

IIT Indore © Neminath Hubballi

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 17 Domain Name System (DNS)

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

Olaf M. Kolkman. Domain Pulse, February 2005, Vienna. DNSSEC Basics, Risks and Benefits Olaf M. Kolkman

DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

Olaf M. Kolkman. Apricot 2005, February 2005, Kyoto. DNSSEC An Update Olaf M. Kolkman

Welcome! APNIC DNS Workshop January 2004, Bangalore, India In conjunction with the SANOG III and the South Asian IPv6 Summit.

1 ESnet DNSSEC Update ESCC/Internet2 Joint Techs Workshop February 14, 2007 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

Configuring Name Resolution and Additional Services Lesson 12.

1 DNSSEC Transforming a protocol bug into an admin tool Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.

How to use DNS during the evolution of ICN? Zhiwei Yan.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

1 Discussion of the new DNS generation system DNS Operations SIG APNIC 18 2nd September 2004, Fiji.

DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.

Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.

DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.

DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Internet Naming Service: DNS* Chapter 5. The Name Space The name space is the structure of the DNS database –An inverted tree with the root node at the.

WHAT IS DNS??????????.

AfNOG-2003 Domain Name System (DNS) Ayitey Bulley Setting up an Authoritative Name Server.

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

Welcome! APNIC DNS Workshop October 2004, Hong Kong Sponsored by HKedCity.

DNSSEC an introduction ccTLD workshop November 26-29th, 2007 Amman, Jordan Based on slides from RIPE NCC.

Security Issues with Domain Name Systems

Domain Name System: DNS

Module 5: Resolving Host Names by Using Domain Name System (DNS)

DNS Security Issues SeongHo Cho DPNM Lab., POSTECH

IMPLEMENTING NAME RESOLUTION USING DNS

Configuring and Troubleshooting DNS

DNS Session 5 Additional Topics

DNS Cache Poisoning Attack

Chapter 19 Domain Name System (DNS)

DNSSEC Basics, Risks and Benefits

A New Approach to DNS Security (DNSSEC)

Introduction to the DNS system

NET 536 Network Security Lecture 8: DNS Security

NET 536 Network Security Lecture 6: DNS Security

Introduction to the DNS system

Presentation transcript:

DNS Security Extension (DNSSEC)

Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing and corruption

Outline Introduction DNSSEC mechanisms –to authenticate servers (TSIG / SIG0) –to establish authenticity and integrity of data Quick overview New RRs Using public key cryptography to sign a single zone Delegating signing authority ; building chains of trust Key exchange and rollovers Conclusions

DNS: Known Concepts Known DNS concepts: –Delegation, Referral, Zone, RRs, label, RDATA, authoritative server, caching forwarder, stub and full resolver, SOA parameters, etc –Don’t know? Do ask!

Reminder: DNS Resolving Resolver Question: A A ? Caching forwarder (recursive) root-server A ? “go ask net X.gtld-servers.net” (+ glue) gtld-server A ? “go ask ripe ns.ripe.net” (+ glue) ripe-server A ? “ ” Add to cache TTL

DNS: Data Flow master Caching forwarder resolver Zone administrator Zone file Dynamic updates 12 slaves 345

DNS Vulnerabilities master Caching forwarder resolver Zone administrator Zone file Dynamic updates 12 slaves 3 Server protection 45 Corrupting data Impersonating master Unauthorized updates Cache impersonation Cache pollution by Data spoofing Data protection

DNS Protocol Vulnerability DNS data can be spoofed and corrupted on its way between server and resolver or forwarder The DNS protocol does not allow you to check the validity of DNS data Exploited by bugs in resolver implementation (predictable transaction ID) Corrupted DNS data might end up in caches and stay there for a long time (TTL) How does a slave (secondary) knows it is talking to the proper master (primary)?

Motivation for DNSSEC DNSSEC protects against data spoofing and corruption DNSSEC (TSIG) provides mechanisms to authenticate servers DNSSEC (KEY/SIG/NXT) provides mechanisms to establish authenticity and integrity of data A secure DNS will be used as a public key infrastructure (PKI) –However it is NOT a PKI

DNSSEC Mechanisms to Authenticate Servers TSIG SIG0

TSIG Protected Vulnerabilities Zone file slaves master Caching forwarder resolver Zone administrator Dynamic updates Unauthorized updates Impersonating master

SOA … SOA Sig... Master AXFR TSIG example Slave KEY: %sgs!f23fv AXFR Sig... SOA … SOA Sig... Slave KEY: %sgs!f23fv verification Query: AXFR Response: Zone

Authenticating Servers Using SIG0 Alternatively its possible to use SIG0 –Not widely used yet –Works well in dynamic update environment Public key algorithm –Authentication against a public key published in the DNS

Questions?