Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Session 5 Additional Topics

Published byKarin Lambert Modified over 6 years ago

Similar presentations

Presentation on theme: "DNS Session 5 Additional Topics"— Presentation transcript:

1 DNS Session 5 Additional Topics
Joe Abley AfNOG 2006, Nairobi, Kenya

2 Upgrading BIND

3 Why Upgrade? Almost all software has bugs
Although BIND 9 is much more conservative than previous versions, it is not immune to software defects Better performance New features

4 Where to Find BIND http://www.isc.org/sw/bind/
ftp://ftp.isc.org/isc/bind9/ Today, the recommended version to run is BIND 9.3.2 Maybe 0.01% of people have a reason to run BIND 8 instead of BIND 9 Nobody has a reason to run BIND 4

5 Warning! Many operating systems come with BIND built-in
If you compile your own, you may end up with two copies of BIND on the same server confusing annoying

6 Securing Nameservers

7 Host Security Your authority servers contain valuable data
If intruders can change the records in your zones, this could spell trouble phishing denial-of-service Long TTLs can make changes hard to back out (why?)

8 Restricting Recursion
Why control which clients can perform recursive lookups? cache poisoning server load network load reflection attacks

9 Separate Recursive and Authority Servers
Avoid serving stale zones authoritatively Avoiding exposing nameservers to cache poisoning attacks is even more important when the potential client population is large, and the answers are marked authoritative

10 Host Local Zones Locally
Avoid leaking queries for private zones Avoid unnecessary query loads on the root servers, or on the AS112 servers Avoid calling ISC complaining that prisoner.iana.org is attacking you on port 53

11 By the Way... Encourage people who run your network to read and understand BCP 38 Preventing source spoofing helps reduce the opportunity for many attacks, including Reflection Attacks

12 Restricting AXFR/IXFR
People can extract information about you and your customers by reading your zones hosts to try and attack (e.g. ssh brute force attacks) mail servers to exploit (e.g. relay attempts, dictionary attacks) cache poisioning opportunities

13 Transaction Signatures (TSIG)
Master and slave servers: share a common secret key agree on the key name have clocks which are approximately in sync (e.g. they both use NTP) (why?) The shared information is used to authenticate a client to a server

14 Zone Transfers TSIG is most-commonly used to authenticate slave servers to master servers during zone transfers alternative to using source IP address ACLs better than IP address ACLs (why?)

15 Secrets, Secrets If you don’t run the slave servers and the mater servers yourself, you need a way to distribute the secret key to the slave server operator how? You also probably want to change the key every now and then (why?)

16 DNS Security

17 DNS Insecurity? How can you trust answers you get from a cache?
How can a cache trust the answers it gets from authority servers? How do you know that the address you obtained is genuine?

18 DNSSEC DNSSEC is a 10+ year effort to introduce security into the DNS
Secures the data in the DNS, not the transport Provides a way for clients to be able to judge the security of data they extract from the DNS

19 General Concepts Public Key Cryptography
Clients obtain a trusted copy of a public key used to sign the root zone Each zone includes a signed copy of the public key of each signed daughter zone All resource records in a signed zones are signed by a zone-signing key

20 Detailed Description Ha ha, not here! Maybe if you have a spare week!

21 Questions?

Download ppt "DNS Session 5 Additional Topics"

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.

Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
DNS. Introduction What is DNS? –Hierarchy or Tree –Dot used as a separator.

DNS. Introduction What is DNS? –Hierarchy or Tree –Dot used as a separator.
Advanced Module 3 Stealth Configurations.

Advanced Module 3 Stealth Configurations.
1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.

1 DNSSEC at ESnet ESCC/Internet2 Joint Techs Workshop July 19, 2006 R. Kevin Oberman Network Engineer Lawrence Berkeley National Laboratory.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.

October 15, 2002Serguei A. Mokhov, 1 Intro to DNS SOEN321 - Information Systems Security.
DNS Security Pacific IT Pros Nov. 5, 2013. Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Tony Kombol ITIS 3110. DNS! overview history features architecture records name server resolver dnssec.

Tony Kombol ITIS DNS! overview history features architecture records name server resolver dnssec.

Similar presentations

Ads by Google