Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNSSEC Iván González Montemayor A

Published byEustace Ferguson Modified over 6 years ago

Similar presentations

Presentation on theme: "DNSSEC Iván González Montemayor A"— Presentation transcript:

1 DNSSEC Iván González Montemayor A00814653
Miguel Angel Banda Rodriguez A Héctor Ortiz Garza A MIGUEL

2 8 out 10 Americans use the Internet
Yet only 0.003% of Americans know that DNS is the reason the Internet continues to exist over 30 years later. Miguel

3 Background In the beginning, web surfers connected to other computers using IP addresses to describe themselves. This became troublesome very quickly because no one could remember all those numbers. The early “fathers and mothers” of the Internet developed a system to attribute a domain name to each of these IP addresses, the Domain Name System, or DNS for short. Miguel

4 What is DNS? DNS is basically the phone book of the Internet. It stores all the IP addresses (phone numbers) and domain names (people, places, and businesses). MIGUEL They maintain a directory of domain names and translate them to Internet Protocol.

5 The hostname would be: mail The domain name: itesm.mx
The domain in question has to be a Fully Qualified Domain Name (FQDN), which is the properly formatted name for a domain. That means that the domain has both a hostname and a domain name. Let’s say we’re trying to reach DNS ITESM mail servers, which are hypothetically located at mail.itesm.mx The hostname would be: mail The domain name: itesm.mx The query would be: mail.itesm.mx The response would be: MIGUEL To have a properly formatted name for a domain we need a hostname and domain name

6 DNS Server A DNS server is a computer server that contains a database of public IP addresses and their associated hostnames, and serves to resolve the names to IP addresses as requested. A DNS resolver is a local server that stores a central database of DNS nameservers and manages DNS requests for all the clients on the network. Hector

7 Hector When an end user types the people-friendly domain name WhatIs.com into a client’s browser, a program in the client’s operating system called a DNS resolver looks up WhatIs.com’s numerical IP address. First, the DNS resolver checks its own local cache to see if it already has the IP address for WhatIs.com. If it doesn’t have the address, the resolver then queries a DNS server to see if it knows the correct IP address for WhatIs.com. DNS servers are recursive, which simply means that they can query each other to either find another DNS server that knows the correct IP address or find the authoritative DNS server that stores the canonical mapping of the WhatIs.com domain name to its IP address. As soon as the resolver locates the IP address, it returns the IP address to the requesting program and caches the address for future use.

8 DNS Attacks

9 Although the DNS is quite robust, it was designed for usability, not security, and the types of DNS attacks in use today are numerous and quite complex, taking advantage of the communication back and forth between clients and servers. IVAN

10 DNS Poisoning and Spoofing
The attacker corrupts a DNS server by replacing a legitimate IP address in the server’s cache with that of another, rogue address in order to redirect traffic to a malicious website, collect information or initiate another attack. It’s also known as Cache poisoning Hector

11 Denial of Service An attack in which a malicious bot sends send more traffic to a targeted IP address than the programmers who planned its data buffers anticipated someone might send. The target becomes unable to resolve legitimate requests. Hector

12 DNS amplification DDoS attack in which the attacker exploits vulnerabilities in DNS servers that permit recursive lookups to turn initially small queries into much larger payloads, which are used to bring down the victim’s servers. Hector

13 The Kaminsky Bug In July 2008, researcher Dan Kaminsky discovered a easy to exploit weakness in DNS This weakness would enable hackers to imitate any Web page by poisoning the DNS cache og Internet providers Biggest DNS security issue in the history of the Internet Bypassed TTL defense by targeting “sibling” names like “83.example.com”, since it had no entry in the cache and this no TTL Hector

14 DNSSEC

15 What is DNSSEC? Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) extensions that add security to the DNS Protocol. It allows for a DNS zone to be cryptographically signed. It provides origin authentication of DNS data. IVAN It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

16 History In 1990 Steve Bellovin discovered serious security flaws in DNS. Research into securing it began and dramatically increased in Plans were made to deploy DNSSEC based on RFC 2535. Unfortunately, the RFC 2535 specification had problems scaling up to the Internet. The IETF modified DNSSEC, which is called DNSSEC-bis when necessary to distinguish it from the original DNSSEC approach. IVAN The DNSSEC specifications (called DNSSEC-bis) describe the current DNSSEC protocol in great detail.

17 Root zone DNS translates domain names in stages:
The first place it 'looks' is the top level of the directory service - or "root zone". After it gets a response it then asks the directory service identified by the root where to find information on the second level Then it asks that directory service what the address for the third level is The full address is provided to your computer. Hector

18 Different entities manage each one of these directory services: google
Different entities manage each one of these directory services: google.com by Google, ".com" by VeriSign Corporation, and the root zone by ICANN. Hector

19 Why do we need to "sign the root"?
DNSSEC protects against attacks by digitally 'signing' data so you can be assured it is valid. Signing the root is a necessary step in this overall process. It does not encrypt data. It just attests to the validity of the address of the site you visit. Hector

20 How it works? When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A DNS Resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been manipulated. IVAN

21

22 DNS Record types DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. To facilitate signature validation, DNSSEC adds a few new DNS record types: RRSIG - Contains a cryptographic signature. DNSKEY - Contains a public signing key. DS - Contains the hash of a DNSKEY record. NSEC and NSEC3 - For explicit denial-of-existence of a DNS record. CDNSKEY and CDS - For a child zone requesting updates to DS record(s) in the parent zone. MIGUEL An RRSIG-record holds a DNSSEC signature for a record set (one or more DNS records with the same name and type). Resolvers can verify the signature with a public key stored in a DNSKEY-record. A DNSKEY-record holds a public key that resolvers can use to verify DNSSEC signatures in RRSIG-records. DNSKEY-records have the following data elements: - Flags: - Protocol: Fixed value of 3 (for backwards compatibility) - Algorithm: The public key's cryptographic algorithm. - Public key: DS-records are used to secure delegations (DNSSEC). A DS-record with the name of the sub-delegated zone is placed in the parent zone along with the delegating NS-records. This DS-record references a DNSKEY-record in the sub-delegated zone. An NSEC-record links to the next record name in the zone (in DNSSEC sorting order) and lists the record types that exist for the record's name. These records can be used by resolvers to verify the non-existence of a record name and type as part of DNSSEC validation. - Next domain name: The next record name in the zone (DNSSEC sorting order) - Record types

23 Resource record set (RRset)
The first step towards securing a zone with DNSSEC is to group all the records with the same type into a resource record set (RRset). It’s actually this full RRset that gets digitally signed, opposed to individual DNS records. MIGUEL For example, if you have three AAAA records in your zone, they would all be bundled into a single AAAA RRset.

24 Zone-Signing Keys Each zone in DNSSEC has a zone-signing key pair (ZSK). To enable DNSSEC, a zone operator creates digital signatures for each RRset using the private ZSK and stores them in their name server as RRSIG records. MIGUEL “These are my DNS records, they come from my server, and they should look like this.” A ZSK is a Zone Signing Key. A ZSK is a public/private key pair. The ZSK private key is used to generate a digital signature, known as a Resource Record Signature (RRSIG), for each of the resource record sets (RRSET) in a zone. The ZSK public key is stored in the DNS to authenticate an RRSIG. When a DNSSEC resolver requests a particular record type (e.g., AAAA), the name server also returns the corresponding RRSIG. The resolver can then pull the DNSKEY record containing the public ZSK from the name server. Together, the RRset, RRSIG, and public ZSK can validate the response.

25 RRSIG records are useless unless DNS resolvers have a way of verifying the signatures.
If we trust the zone-signing key in the DNSKEY record, we can trust all the records in the zone. What if the the zone-signing key was compromised? We need a way to validate the public ZSK. MIGUEL An authentication key that corresponds to a private key used to sign a zone.

26 Key-Signing Keys In addition to ZSK , DNSSEC also have key-signing keys (KSK) pair. It validates the DNSKEY record in exactly the same way that ZSK: It signs the public ZSK which is stored in DNSKEY record creating an RRSIG for the DNSKEY. The KSK private key is used to generate a digital signature for the ZSK. The KSK public key is stored in the DNS to be used to authenticate the ZSK IVAN A KSK stands for Key Signing Key. A KSK is a public/private key pair. The KSK private key is used to generate a digital signature for the ZSK. The KSK public key is stored in the DNS to be used to authenticate the ZSK

27 Validation for Resolvers
Request the desired RRset, which also returns the corresponding RRSIG record. Request the DNSKEY records containing the public ZSK and public KSK, which also returns the RRSIG for the DNSKEY RRset. Verify the RRSIG of the requested RRset with the public ZSK. Verify the RRSIG of the DNSKEY RRset with the public KSK. IVAN

28 The Chain of Trust (cache poisoning) *TLD - top level domain IVAN
DNSSEC OverviewJohn Wagnon gives an overview on DNSSEC and how F5's DNS services can help secure your domains in this episode of Lightboard Lessons.youtube.com SIGNED THE ROOT *TLD - top level domain

29 Bibliografía Microsoft. DNS Security Extensions (DNSSEC). Retrieved November 04, 2017, from ICANN. DNSSEC – What Is It and Why Is It Important? Retrieved November 04, 2017, from Cloudflare. How DNSSEC Works. Retrieved November 04, 2017, from Rampling, B., & Dalan, D. (2003). DNS for dummies:. New York, NY: Wiley.

Download ppt "DNSSEC Iván González Montemayor A"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
11.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.

Distributed Systems. Outline  Services: DNSSEC  Architecture Models: Grid  Network Protocols: IPv6  Design Issues: Security  The Future: World Community.
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.

1 DNSSEC for the.edu Domain Becky Granger Director, Information Technology and Member Services EDUCAUSE April 29, 2010.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

Similar presentations

Ads by Google