Presented by Mark Minasi. Session code: WSV333

Why should you care?
A normal lookup: you ask your ISP's DNS server "What's the IP for …?" and it says "I don't know; better ask bigfirm.com's DNS server!" So, across the Internet, your ISP's DNS server asks bigfirm.com's DNS server: "What's the IP address for …? Send it to my port 3351 and specify transaction ID (TXID) 279 when you do." Back comes "Answer: …", sent to port 3351 with TXID 279.

But nothing in standard DNS stops this from happening:

Your ISP's DNS server sends the same question to bigfirm.com's DNS server ("send it to my port 3351, TXID 279"), but a forged "Answer: …", also sent to port 3351 with TXID 279, gets there first. Sorry, pal, you lose (heh heh heh)! Bigfirm.com's real answer (sent to port 3351, TXID 279) arrives too late.

Your ISP's DNS server: "Got it… the IP address is …" Bwahahahhah!!
By carefully randomizing both the port and the ID number, attackers have not a 1/65,536 chance but more like a 1/(65,536)² chance… but they've still got a chance, and PKI can eliminate that.

Crypto and signing to the rescue
First an A record, then its corresponding RRSIG. The "A" in the RRSIG says it refers to an A record, and the RRSIG also identifies the public key you'd use to verify the signature.

Note the key tag value. We'll see what "…" means later.
Our DNS server gathers and verifies information from bigfirm.com, retrieved across the Internet from the bigfirm.com zone… (maybe!):

- The "A" (address) record: "… is …"
- The RRSIG record, which contains an encrypted hash of the A record
- The DNSKEY record, which contains the decryption key for the RRSIG

Verification: run the decryption algorithm on the RRSIG with the DNSKEY to get the retrieved hash of the "A" record; run the hashing algorithm over the "A" record itself to get the computed hash of the "A" record. They'd better be equal!
Our DNS gets info and verifies the DNSKEY, one level at a time:

- bigfirm.com zone DNSKEY: hash algorithm =? bigfirm.com's DS, which lives in the .com zone (next to minasi.com's DS, google.com's DS, …)
- .com zone DNSKEY: hash algorithm =? .com's DS, which lives in the . (root) zone (next to .net's DS, .si's DS, …)
- . (root) zone DNSKEY: =? the preinstalled root key
Start with the zone's address records:

- "A" record for BT1.bigfirm.com
- "A" record for CC.bigfirm.com
- "A" record for …

Then we add NSEC records and it looks like this:

- "A" record for BT1.bigfirm.com, NSEC record for BT1
- "A" record for CC.bigfirm.com, NSEC record for CC
- "A" record for …, NSEC record for WWW

How's this help? Well, let's do a few queries:
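Added example (my code, not from the slides): a Python model of how a validating resolver uses the NSEC chain above to prove that a name does not exist. It assumes the constructed bigfirm.com zone below (the apex plus BT1, CC and WWW), and orders names the way RFC 4034 requires (labels compared right to left, case-folded), which is what lets each NSEC's "owner to next name" gap deny everything in between.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NSEC:
    owner: str        # name this NSEC record belongs to
    next_name: str    # next owner name in canonical zone order
    types: tuple      # RR types present at owner (the NSEC type bitmap)

def canonical_key(name: str) -> tuple:
    """DNS canonical order (RFC 4034 s.6.1): labels right to left, case-folded; apex sorts first."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def build_nsec_chain(records: dict) -> list:
    """records maps owner name -> RR types there. Each NSEC points at the next
    name in canonical order; the last wraps to the apex so every gap is covered."""
    names = sorted(records, key=canonical_key)
    chain = []
    for i, owner in enumerate(names):
        nxt = names[(i + 1) % len(names)]
        types = tuple(sorted(set(records[owner]) | {"RRSIG", "NSEC"}))
        chain.append(NSEC(owner, nxt, types))
    return chain

def covering_nsec(chain: list, qname: str):
    """NSEC proving qname does not exist: owner < qname < next_name in canonical
    order (the wrap-around record covers everything past the last name). None if qname exists."""
    k = canonical_key(qname)
    if any(canonical_key(rr.owner) == k for rr in chain):
        return None   # the name exists; an NSEC can only deny names strictly between two owners
    for rr in chain:
        lo, hi = canonical_key(rr.owner), canonical_key(rr.next_name)
        if lo < hi and lo < k < hi:
            return rr
        if lo >= hi and (k > lo or k < hi):   # wrap-around record (last name -> apex)
            return rr
    return None

# Constructed sample zone; only the BT1/CC/WWW names come from the slides.
BIGFIRM_ZONE = {
    "bigfirm.com": ("SOA", "NS", "DNSKEY"),
    "bt1.bigfirm.com": ("A",),
    "cc.bigfirm.com": ("A",),
    "www.bigfirm.com": ("A",),
}
BIGFIRM_CHAIN = build_nsec_chain(BIGFIRM_ZONE)

if __name__ == "__main__":
    for q in ("cat.bigfirm.com", "zzz.bigfirm.com", "CC.bigfirm.com"):
        rr = covering_nsec(BIGFIRM_CHAIN, q)
        print(q, "->", f"denied by NSEC {rr.owner} -> {rr.next_name}" if rr else "exists")
```

A real resolver also validates the RRSIG over the NSEC record before trusting the denial; and because every NSEC reveals the next name, the chain can be walked to list every name in the zone, which is the gap NSEC3 was designed to close.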
What you need to do to enjoy DNSSEC's protection
The tree: root, with org, se and com beneath it, and apple, acme and bigfirm beneath those. Trust anchors or "secure entry points" at .org, .se and bigfirm.com.
Creating a DNSSEC-aware infrastructure (and including some specifics on signing your own zone for reference's sake)
In "Local Computer" under "MS-DNSSEC"
Use the 256 or 257 flags value to see whether to check "Zone Signing Key" or "Secure Entry Point". You actually have no other options for Protocol and Algorithm.
Sign up for Tech·Ed 2011 and save $500 starting June 8 – June 31st. You can also register at the North America 2011 kiosk located at registration. Join us in Atlanta next year.