DNS Security

Fundamental Problems of Network Security

The Internet was designed without security in mind
–The initial design focused on how to make it work, not on how to prevent abuse
–The initial environment consisted mostly of research institutions, so users were assumed to behave benignly

Fundamental security problem of current network technology:
–It has no way of telling whether a resource is located "correctly" or whether information is transferred "correctly"
–It provides no data authentication and no confidentiality protection

Example Security Problems Caused by Incorrect Resource Location

DNS poisoning
BGP routing vulnerabilities
ARP poisoning
–ARP (Address Resolution Protocol) is used to query for the MAC address associated with an IP address
–Any device physically attached to a subnet can claim to be the "owner" of the IP address
IP spoofing
–Routers typically do not check source IP addresses
–A packet can claim to come from any IP address
Spam

Fundamental Problems of TCP/IP

No authentication of received messages
No encryption of transmitted messages
Applying cryptographic techniques can help
–But they must be engineered very carefully

The Domain Name System

Borrowed from slides of Prof. Dan Massey at Colorado State University

Basic Internet database
–Maps names to IP addresses
–Also stores IPv6 addresses, mail servers, service locators, ENUM (phone numbers), etc.
Data organized as a tree structure
–Each zone is the authority for its local data

[Figure: the DNS name tree, with the root at the top, top-level domains edu, com and uk below it, and lower nodes such as cisco, usf, co, ibm and www beneath them]

Domain Name Service

Provides the binding between host names and IP addresses
–Both forward and reverse mapping
–The name space is divided into zones; each name server handles the mapping for its zone
DNS Resource Record (RR)
–Can be viewed as a tuple of the form (name, TTL, class, type, value)
–Types: A (IPv4 address), MX (mail servers), NS (name servers), PTR (reverse lookup)

DNS Protocol

[Figure: iterative resolution. The ISP's DNS resolver asks a root server "What is the IP address of ...?" and is told "Go ask" the NS server for edu; it repeats the question to the edu server and is told "Go ask" the NS server for usf.edu; it repeats the question to the usf.edu server, which answers. The queried name and the server addresses are omitted in the original figure.]

Example Response from the .edu NS server

    ;; QUESTION SECTION:
    ;[queried name omitted in the original slide]
    ;; AUTHORITY SECTION:
    usf.edu              IN  NS  mother.usf.edu.
    usf.edu              IN  NS  ziggy.usf.edu.
    usf.edu              IN  NS  clemson-ns1.usf.edu.
    ;; ADDITIONAL SECTION:
    mother.usf.edu       IN  A   [address omitted]
    ziggy.usf.edu        IN  A   [address omitted]
    clemson-ns1.usf.edu  IN  A   [address omitted]
    …

The NS records in the AUTHORITY section are the delegation of authority: the edu server does not answer for usf.edu itself, it names the servers that do. The A records in the ADDITIONAL section are glue records: they give the addresses of those name servers so the resolver can reach them without another lookup.

DNS Security Problems

A DNS resolver has no way to determine whether the response to a query really comes from the legitimate server. It will accept a response if
–the destination port matches the source port of the request
–it carries the correct Transaction ID (TXID)
It will then accept all RRs that are in the queried server's bailiwick
–The bailiwick is the domain over which the server has authority according to the referral path
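The acceptance rules above, and the referral shown in the previous slide, as a toy model. This is an added example, not code from the slides: a resolver accepts a response only if port and TXID match its outstanding query, and then caches only the records whose owner lies inside the answering server's bailiwick. The exchange is constructed (the query for www.usf.edu, the RFC 5737 addresses, and the injected www.example.com record are all made up) so that one out-of-bailiwick record is visibly dropped and one wrong-TXID forgery is visibly rejected.

```python
"""Toy model of the checks a classic (pre-DNSSEC) recursive resolver applies
before trusting a response: destination port and TXID must match the
outstanding query, and only records inside the answering server's bailiwick
are cached. Added example; the exchange below is constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple

# A resource record reduced to (owner name, type, rdata); class IN and TTL omitted.
RR = Tuple[str, str, str]


@dataclass
class Query:
    txid: int       # 16-bit transaction ID chosen by the resolver
    src_port: int   # UDP source port the query was sent from
    qname: str


@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)
    additional: List[RR] = field(default_factory=list)


def _canon(name: str) -> str:
    """Lower-case with exactly one trailing dot, so comparisons are exact."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name: str, bailiwick: str) -> bool:
    """True if `name` equals `bailiwick` or lies beneath it in the name tree."""
    name, bailiwick = _canon(name), _canon(bailiwick)
    if bailiwick == ".":          # a root server's bailiwick is everything
        return True
    return name == bailiwick or name.endswith("." + bailiwick)


def accept_response(q: Query, r: Response, bailiwick: str) -> Tuple[bool, List[RR]]:
    """Return (accepted, cacheable_rrs).

    Port or TXID mismatch: the whole response is discarded (this is the race a
    poisoner must win). Otherwise every RR whose owner is inside the bailiwick
    is cached; anything else is dropped as a poisoning attempt."""
    if r.dst_port != q.src_port or r.txid != q.txid:
        return False, []
    if _canon(r.qname) != _canon(q.qname):
        return False, []
    cacheable = [rr for rr in r.answer + r.authority + r.additional
                 if in_bailiwick(rr[0], bailiwick)]
    return True, cacheable


# Constructed sample exchange: the resolver asks the edu server about www.usf.edu
# from a fixed source port, as resolvers commonly did before port randomisation.
QUERY = Query(txid=0x1F2E, src_port=53, qname="www.usf.edu.")

REFERRAL = Response(
    txid=0x1F2E, dst_port=53, qname="www.usf.edu.",
    authority=[("usf.edu.", "NS", "mother.usf.edu."),
               ("usf.edu.", "NS", "ziggy.usf.edu."),
               ("usf.edu.", "NS", "clemson-ns1.usf.edu.")],
    additional=[("mother.usf.edu.", "A", "192.0.2.10"),       # glue (constructed)
                ("ziggy.usf.edu.", "A", "192.0.2.11"),
                ("clemson-ns1.usf.edu.", "A", "192.0.2.12"),
                # The edu server has no authority over .com: bailiwick check drops this.
                ("www.example.com.", "A", "203.0.113.5")],
)

# Same referral with a wrong TXID: a blind poisoner's typical miss.
FORGED = Response(txid=0x1F2F, dst_port=53, qname="www.usf.edu.",
                  authority=REFERRAL.authority, additional=REFERRAL.additional)


def demo():
    accepted, cached = accept_response(QUERY, REFERRAL, bailiwick="edu")
    forged_accepted, _ = accept_response(QUERY, FORGED, bailiwick="edu")
    return accepted, cached, forged_accepted


if __name__ == "__main__":
    accepted, cached, forged_accepted = demo()
    print("referral accepted:", accepted)
    for rr in cached:
        print("  cached:", *rr)
    print("forged response (wrong TXID) accepted:", forged_accepted)
```

Run it and the six in-bailiwick records (three NS, three glue A) are cached while the www.example.com record is silently dropped; the forgery with TXID 0x1F2F is rejected outright. Note that nothing here authenticates the sender: a forgery that matched port and TXID would be cached just like the real referral, which is the gap the following slides exploit.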

Classical DNS Poisoning

[Figure: the attacker sends DNS queries ("What is the IP address of ...?") to the ISP's recursive DNS resolver, which sends a recursive query to the NS server for usf.edu; the attacker floods faked responses at the resolver, racing the legitimate reply, and a DoS flood is shown alongside. The queried name is omitted in the original figure.]

Conditions for classical DNS poisoning attacks

Must guess the correct source-port number
Must guess the correct TXID (16 bits)
The fake response must arrive before the legitimate response
If any of the above fails, the attack fails and the legitimate response is cached: there is no chance to attack again until its TTL expires

Kaminsky Attack (2008)

[Figure: the attacker asks the ISP's recursive DNS resolver "What is the IP address of foo.usf.edu?", a name that does not exist. The resolver forwards the question to the NS server for usf.edu, whose legitimate answer is "no such name". Racing that answer, the attacker's faked response carries a usf.edu. NS record in the authority section together with an A record (glue) for that name server; both are inside the usf.edu bailiwick and are cached. The record values are omitted in the original figure.]

Implication of the Kaminsky Attack

Dramatically reduces the complexity and increases the effectiveness of DNS cache poisoning
–No longer needs to wait for the TTL to expire
–The attacker can control when and what queries are issued
–A complete domain may be hijacked
Even TLDs are vulnerable
–Only needs 10 seconds to succeed
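To make the contrast between the classical conditions and the Kaminsky variant concrete, here is an added toy simulation (not code from the slides). Both attackers face the same odds per race: the resolver picks a random 16-bit TXID and the attacker floods a batch of guesses before the real answer lands (the source port is assumed fixed, which was common before 2008). The difference is how often a race can be run: the classical attacker loses a race and must wait a full TTL, while the Kaminsky attacker asks for a fresh nonexistent name under usf.edu and gets a new race every round trip, with a forged in-bailiwick delegation plus glue overwriting the cached www.usf.edu record. The `expected_rounds` helper also shows what about 16 bits of source-port randomisation, the mitigation rolled out after Kaminsky's disclosure, does to the attacker's workload. Names, addresses, TTL and RTT are constructed; "usf.edu NS" is used as a cache key purely for illustration.

```python
"""Toy simulation of classical cache poisoning versus the Kaminsky variant.
Added example, not from the original slides. Same per-round odds for both;
the Kaminsky attacker simply gets a new round every RTT instead of every TTL.
Names and addresses are constructed."""
import random
from dataclasses import dataclass, field

ATTACKER_IP = "203.0.113.66"   # constructed
REAL_IP = "192.0.2.80"         # constructed


@dataclass
class ToyCache:
    """Minimal resolver cache: name -> (rdata, absolute expiry time)."""
    now: float = 0.0
    rrs: dict = field(default_factory=dict)

    def get(self, name):
        entry = self.rrs.get(name)
        return entry[0] if entry and entry[1] > self.now else None

    def put(self, name, rdata, ttl):
        self.rrs[name] = (rdata, self.now + ttl)


def forgery_hits(rng, txid_bits, forged_per_round):
    """One race: the resolver picks a fresh TXID; the attacker sends
    `forged_per_round` distinct guesses before the real answer arrives."""
    expected = rng.getrandbits(txid_bits)
    return expected in rng.sample(range(1 << txid_bits), forged_per_round)


def classical_attack(rng, txid_bits, forged_per_round, ttl, max_rounds):
    """Forge the answer for www.usf.edu itself. A lost race caches the real
    answer, so the next chance only comes after the TTL expires."""
    cache = ToyCache()
    for rounds in range(1, max_rounds + 1):
        if forgery_hits(rng, txid_bits, forged_per_round):
            cache.put("www.usf.edu", ATTACKER_IP, ttl)
            return rounds, cache
        cache.put("www.usf.edu", REAL_IP, ttl)   # legitimate response won the race
        cache.now += ttl                          # nothing to do until it expires
    return None, cache


def kaminsky_attack(rng, txid_bits, forged_per_round, ttl, rtt, max_rounds):
    """Ask for a random, nonexistent name under usf.edu each round: nothing is
    cached for it, so every query is a new race. The forged response's
    authority + glue records are in bailiwick and replace the cached A."""
    cache = ToyCache()
    cache.put("www.usf.edu", REAL_IP, ttl)        # victim name already cached
    for rounds in range(1, max_rounds + 1):
        qname = f"{rng.getrandbits(32):08x}.usf.edu"   # e.g. 9f3a1c07.usf.edu
        if forgery_hits(rng, txid_bits, forged_per_round):
            cache.put("usf.edu NS", "www.usf.edu", ttl)   # forged delegation
            cache.put("www.usf.edu", ATTACKER_IP, ttl)    # forged glue wins
            return rounds, cache
        cache.now += rtt       # real server says NXDOMAIN for qname; retry at once
    return None, cache


def expected_rounds(txid_bits, forged_per_round, port_bits=0):
    """Mean rounds to a hit when the attacker must match txid_bits (plus
    port_bits if the resolver randomises its source port) with
    forged_per_round guesses per round."""
    return (1 << (txid_bits + port_bits)) / forged_per_round


def compare(txid_bits=16, forged_per_round=100, ttl=3600.0, rtt=0.05, seed=7):
    """Run both attacks with the same RNG and return rounds, wall-clock cost
    and the resulting cache state for each."""
    rng = random.Random(seed)
    c_rounds, c_cache = classical_attack(rng, txid_bits, forged_per_round, ttl, 200_000)
    k_rounds, k_cache = kaminsky_attack(rng, txid_bits, forged_per_round, ttl, rtt, 200_000)
    return {
        "classical": {"rounds": c_rounds, "cache": c_cache,
                      "seconds": None if c_rounds is None else c_rounds * ttl},
        "kaminsky": {"rounds": k_rounds, "cache": k_cache,
                     "seconds": None if k_rounds is None else k_rounds * rtt},
        "expected_rounds_fixed_port": expected_rounds(txid_bits, forged_per_round),
        "expected_rounds_random_port": expected_rounds(txid_bits, forged_per_round, 16),
    }


if __name__ == "__main__":
    res = compare()
    for name in ("classical", "kaminsky"):
        r = res[name]
        print(f"{name:9s}: {r['rounds']} rounds, {r['seconds']:.1f} s, "
              f"www.usf.edu -> {r['cache'].get('www.usf.edu')}")
    print("expected rounds, fixed port :", res["expected_rounds_fixed_port"])
    print("expected rounds, random port:", res["expected_rounds_random_port"])
```

With 100 forgeries per race the expected number of races is about 655 either way; at one race per hour the classical attacker needs weeks, while the Kaminsky attacker finishes in tens of seconds, which is why the slide's "10 seconds" figure is plausible. Adding roughly 16 bits of source-port entropy multiplies the expected rounds by about 65,000, turning the same attack back into a long-haul effort, but it is a probabilistic defense: only data-origin authentication (DNSSEC) removes the race altogether.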