Published by Anissa Dalton; modified over 9 years ago
Slide 1: Domain Name System (DNS)
Today & Tomorrow, Day 2, Group 5
Presented by: James Speirs, Charles Higby, Brady Redfearn
Slide 2: Overview
- Day 1 Review
- DNS Exploit Types
- DNSSEC
- Public Key Infrastructure (PKI)
- DNSSEC Implementation
- Early DNS Fixes
- DNSSEC Proposals
- Which Is Best?
Slide 3: Day 1 Review
- DNS
- Bailiwick
- Dan Kaminsky
- DNS Poisoning
- SSL & HTTPS
Slide 4: DNS Exploit Types
- Cache poisoning
  o Dan Kaminsky
  o HD Moore: Metasploit, 10 seconds
- Client flooding
  o No other DNS responses are received
  o Denial-of-Service (DoS)
- Dynamic update
  o Everything freely available, no query required
- Hosts file
  o Malware attacks
Slide 5: DNSSEC
- Pros:
  o Can distribute public keys (e.g. for email)
  o IPs are distributed securely
  o Reliable
  o Robust
- Cons:
  o Rework of DNS infrastructure (UDP): 10x larger packets, 100x more resources
  o Easier to run a DoS attack
  o Requires an unbroken chain of zone signing all the way to the root
Slide 6: Public Key Infrastructure (PKI)
1. I ask the Certificate Authority (CA) to issue a certificate in my name
2. The CA validates my identity, then issues me a certificate
3. I present a certificate containing my identity to the user
4. The user doesn't know me, so they ask the CA to verify my identity
5. The CA checks that my certificate is valid: unaltered, unexpired, legitimate
6. The CA tells the user my certificate is valid
7. The user now trusts me
Slide 7: PKI Example
Slide 8: DNSSEC Implementation
Source: "Report on the ccNSO's DNSSEC Survey 2009," http://ccnso.icann.org/surveys/dnssec-survey-report-2009.pdf
Slide 9: Early DNS Fixes
- Transaction ID randomization
- Source port randomization
Slide 10: Evgeniy Polyakov
- Cracked a fully patched BIND 9
  o In 10 hrs
  o With gigabit Ethernet
  o A Trojan horse inside the network could do the same
Slide 11: De-Bouncing
- Double queries
- Pros:
  o Verified DNS queries
  o Easy to implement
- Cons:
  o Not enough bandwidth
  o Servers too busy
  o Easy to run DoS
Slide 12: Abandon UDP
- Make all DNS traffic TCP
  o 3-way handshake to start
  o 2 packets for question/answer
  o 2 packets to shut down
- Pros:
  o No information limit
  o Can use PKI
- Cons:
  o 7x more bandwidth
  o Need more hardware
  o Must bridge UDP clients to TCP packets
Slide 13: 0x20 Case Sensitivity
- Case is preserved in the DNS query and echoed in the reply
- Pros:
  o Random case can be sent
  o Reply can be verified
  o Authoritative Name Servers need no update
  o No bandwidth increase
  o Easy to implement
- Cons:
  o Querying servers need an update
  o Client update
  o Query servers need hardware
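The 0x20 check described on this slide, as an added example that is not part of the original presentation: the resolver randomizes the case of each letter in the query name, then accepts a reply only if the question section echoes that exact case. Deriving the case pattern from an HMAC over a resolver key and a per-query nonce is an assumed design detail here (so the resolver can recompute the pattern instead of storing it); the key and nonce values are constructed.

```python
import hashlib
import hmac

# Constructed sample secret; a real resolver would hold a per-process random key.
RESOLVER_KEY = b"constructed-demo-key-not-secret"


def encode_0x20(qname: str, key: bytes, nonce: bytes) -> str:
    """Set the case of each letter in qname from an HMAC-derived keystream.

    Recomputing the pattern from (key, nonce) means the resolver need not
    remember the randomized name for every outstanding query.
    """
    letters = sum(1 for c in qname if c.isalpha())
    stream = b""
    block = 0
    while len(stream) < letters:
        msg = nonce + block.to_bytes(4, "big")
        stream += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    out, i = [], 0
    for c in qname:
        if c.isalpha():
            out.append(c.upper() if stream[i] & 1 else c.lower())
            i += 1
        else:
            out.append(c)  # dots, digits and hyphens carry no case bit
    return "".join(out)


def added_entropy_bits(qname: str) -> int:
    """Each letter adds one bit (the 0x20 bit) a forger must guess."""
    return sum(1 for c in qname if c.isalpha())


def response_accepted(sent_qname: str, answer_qname: str) -> bool:
    """Accept a reply only if it echoes the exact case that was sent.

    Normal DNS name matching is case-insensitive, so a spoofed reply with
    the right name in the wrong case would pass the old rule; this strict
    compare is what lets the resolver discard it.
    """
    return sent_qname == answer_qname


if __name__ == "__main__":
    nonce = b"\x00\x01"  # constructed: in practice the query's txid or a counter
    sent = encode_0x20("www.example.com", RESOLVER_KEY, nonce)
    print("sent:", sent, "extra bits:", added_entropy_bits(sent))
    print("genuine reply accepted:", response_accepted(sent, sent))
    print("all-lowercase forgery accepted:", response_accepted(sent, "www.example.com"))
```

Together with the 16-bit transaction ID and randomized source port from Slide 9, the 13 letters of www.example.com add 13 more bits a blind poisoner has to guess, with no change to the packet size or the authoritative server.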
Slide 14: Domain Vouching
- Look-aside technology
- Pros:
  o Distributed load
  o One party maintains all DNS info
- Cons:
  o Bottleneck at the voucher
  o Reliant on third-party service availability
  o DoS on the third-party machine
  o URL redirection (example.com -> example.voucher.com)
Slide 15: U.S. Controls All
- Department of Homeland Security (DHS) controls DNS activity
- Pros:
  o Can we trust DHS?
  o One authority?
  o U.S. dominance of the Internet
- Cons:
  o Politics: any non-US government is opposed
  o Censorship
  o One authority
  o Trust
Slide 16: PGP Signing Model
- Proven example for PKI
- Pros:
  o Multiple non-governmental signers approve all keys (peer approval, CA approval, anyone approves)
  o Create Root Key Set
  o Distribute Root Key Sets
  o Distributed load
  o No single point of failure
- Cons:
  o Someone has to approve your key
  o Some more hardware
  o Everyone has to do it
Slide 17: Which Is Best?
Class Discussion
Slide 18: Summary
- Everything depends on DNS
- DNSSEC is 9 yrs old
- Lots of proposals
- No perfect solution
- The PGP model seems best right now
- Lots of work to do
- Without DNSSEC, we're in trouble
Slide 19: Questions
Slide 20: Vocabulary
- KSK: Key Signing Key
- ZSK: Zone Signing Key
- RZM: Root Zone Maintainer
- RKO: Root Key Operator
- RZF: Root Zone File
- RKS: Root Key Set
- ZKS: Zone Key Set