ITU ccTLD Workshop March 3, 2003 A Survey of ccTLD DNS Vulnerabilities.

Slides:

Advertisements

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Advertisements

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.

School of Electrical Engineering and Computer Science, 2004 Slide 1 Autonomic DNS Experiment Architecture, Symptom and Fault Identification.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

June 2007APTLD Meeting/Dubai ANYCAST Alireza Saleh.ir ccTLD

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

1.ORG DNSSEC Testbed Deployment Edmon Chung Creative Director Afilias Perth, AU 2 March, 2006.

An Engineering Approach to Computer Networking

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

The Domain Name System Overview Introduction DNS overview How DNS helps us? Summary.

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 2: Name Resolution and DNS.

TDC375 Autumn 03/04 John Kristoff - DePaul University 1 Network Protocols Domain Name System (DNS) largely based on slides from D. Comer.

Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.

Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

1 DNS,NFS & RPC Rizwan Rehman, CCS, DU. Netprog: DNS and name lookups 2 Hostnames IP Addresses are great for computers –IP address includes information.

DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Module 3 DNS Types.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

CSUF Chapter 6 1. Computer Networks: Domain Name System 2.

IIT Indore © Neminath Hubballi

Troubleshooting. Why Troubleshoot? What Can Go Wrong? –Misconfigured zone –Misconfigured server –Misconfigured host –Misconfigured network.

Domain names and IP addresses Resolver and name server DNS Name hierarchy Domain name system Domain names Top-level domains Hierarchy of name servers.

CcTLD Best Practices Michuki Mwangi AfriNIC5 - INET/AfTLD Meeting, Balaclava, Mauritius 30th Nov 2006.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

Module 5: Planning a DNS Strategy. Overview Planning DNS Servers Planning a Namespace Planning Zones Planning Zone Replication and Delegation Integrating.

Chapter 13 Microsoft DNS Server n DNS server: A Microsoft service that resolves computer names to IP addresses, such as resolving the computer name Brown.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 6: Name Resolution.

Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

Netprog: DNS and name lookups1 Address Conversion Functions and The Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.

Status report on Lame Delegations (work in progress) George Michaelson DB SIG APNIC17/APRICOT 2004 Feb KL, Malaysia.

Naming March 8, Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.

Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.

DNS Antidote Abhishek Madav( ) Suhas Tikoo( ) Urjit Khadilkar( )

Domain Name System (DNS). DNS Server Service Overview of Domain Name System What Is a Domain Namespace? Standards for DNS Naming.

Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

DNS Session 5 Additional Topics Joe Abley AfNOG 2006, Nairobi, Kenya.

Business Continuity Management Rikus Matthyser Executive: Telkom Business Integration Services.

Information-Centric Networks Section # 3.2: DNS Issues Instructor: George Xylomenos Department: Informatics.

DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.

MojaveFS Lookup Vlad Dascalu, 351C3 – U.P. Bucharest Jason Hickey, Cristian Ţăpuş, David Noblet California Institute of Technology.

1 CMPT 471 Networking II DNS © Janice Regan,

1. Internet hosts:  IP address (32 bit) - used for addressing datagrams  “name”, e.g., ww.yahoo.com - used by humans DNS: provides translation between.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver ( ) DNS Caching Server Client I want to access

Internet Naming Service: DNS* Chapter 5. The Name Space The name space is the structure of the DNS database –An inverted tree with the root node at the.

Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.

Short Intro to DNS (part of Tirgul 9) Nir Gazit. What is DNS? DNS = Domain Name System. For translation of host names to IPs. A Distributed Database System.

Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.

Domain Name System (DNS) The Technology Context – B101 Coursework 2 The Technology Context – B101.

Troubleshooting. Why Troubleshoot? What Can Go Wrong? –Misconfigured zone –Misconfigured server –Misconfigured host –Misconfigured network.

Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia

Using Digital Signature with DNS. DNS structure Virtually every application uses the Domain Name System (DNS). DNS database maps: –Name to IP address.

Security Issues with Domain Name Systems

DNS Security Issues SeongHo Cho DPNM Lab., POSTECH

IMPLEMENTING NAME RESOLUTION USING DNS

DNS Session 5 Additional Topics

NET 536 Network Security Lecture 8: DNS Security

Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.

Presentation transcript:

ITU ccTLD Workshop March 3, 2003 A Survey of ccTLD DNS Vulnerabilities

2 RATIONALE Health-check on DNS infrastructure > Now becoming a critical national resource Attacks on DNS servers becoming more common > October 2002 DDoS attack against the Internet root servers Objective is not to “name and shame” > Get a snapshot of where things stand today > Try to help fix the problems

3 THE GOLDEN RULE OF DNS NO SINGLE POINT OF FAILURE > Monocultures are bad… No one hardware and OS platform No one DNS implementation No single network No single ISP/carrier No one location or co-lo facility No single organisation > Avoid procedural and administrative failures

4 METHODOLOGY Used a Nominum system at LINX > Checked all ccTLDs Delegation mistakes Zone transfers Recursive name servers DNS software Name server location Found 787 name servers for 243 ccTLDs

5 DELEGATION ERRORS Unresolvable names > 18 names (~2.5%) of ccTLD name servers could not be resolved! > ccTLDs are telling the world’s name servers to look for servers that the ccTLD should know can’t be found > Not critical but disconcerting Illegal Names > Using IP addresses instead of host names One ccTLD does this for 3 out if its 4 name servers > 10 name servers listed as CNAMEs, not hostnames Illegal according to the DNS protocol

6 MORE DELEGATION ERRORS Disagreement between parent and child The parent zone (i.e. the root) and the child zone (the ccTLD) should agree on the set of name servers for the delegation (TLD) > Not true for 155 ccTLDs: 65% > Mismatches are serious but not critical There’s always an overlap ccTLD’s name servers sometimes a superset of the root > Shouldn’t happen for any important zone in the DNS

7 LAME DELEGATIONS Very serious problem Name server that should be authoritative isn’t > In DNS jargon, such servers are lame Causes failed lookups > Lame server gets queried and can’t answer Survey results startling: > 43 ccTLDs had at least one lame server > 2 had all their servers lame > Another 8 had half or more of their servers lame No excuses for this > Caused by administrator error, failure to use checking and reporting tools

8 RECURSIVE SERVERS Service queries from end clients and query other name servers > Can be made to query any name server for any name > Will believe what they are told, which may be lies > Will cache those answers and return them to clients An obvious evil for a ccTLD > Also has performance and resource penalties > No need at all for ccTLD servers to enable recursion % - of the ccTLD name servers have recursion enabled > They are vulnerable to cache poisoning attacks

9 ZONE TRANSFERS Tried to take a complete copy of the zone from each ccTLD name server Succeeded for 140 ccTLDs > Inconsistent policies Some ccTLD name servers reject zone transfer requests but not all of them Why this is bad: > Resource drain (bandwidth & server) > Privacy/data protection concerns > Helps cybersquatters

10 FINGERPRINTING Identified the name server software in use BIND Servers 47% BIND Servers 34% BIND 4 42 Servers 5% UltraDNS 10 Servers 1.3% 144 using old versions of BIND8 - security concerns? BIND 4 is effectively dead > Some not even running latest (last?) version of BIND4 BIND 8 is “in the departure lounge” > Not under active development

11 NAME SERVER CODE DIVERSITY Code diversity in ccTLDs could be better: 1 DNS Implementation - 42 ccTLDs 2 DNS Implementations - 97 ccTLDs 3 DNS Implementations - 88 ccTLDs 4 or more: 16 ccTLDs

12 LOCATION ANALYSIS Harder than first thought > Difficult to automate > No tools yet for linking AS numbers to IP netmasks Checked by hand for common address prefixes > => suggest single routing table entries 13 ccTLDs have all their name servers in one net 36 ccTLDs have at least 50% of their name servers in one net Loss of network route => no access to name servers => no access to ccTLD

13 FURTHER CONCERNS Agreements with slave server providers > SLAs, response times, monitoring, fault escalation Protection against DDoS attacks > Happens all the time to the root servers > Only a question of time for ccTLD infrastructure Improved monitoring of ccTLD servers > Already done for the root name servers

14 CONCLUSIONS High incidence of basic DNS administrative errors is surprising > Shouldn’t happen for important zones like ccTLDs > Easy to prevent: tools & procedures Recursive servers for ccTLDs are very bad > Needless exposure to cache poisoning More work needed on > Monitoring > Service Level Agreements > Defence against Distributed Denial of Service Attacks