Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Published byPhoebe Fletcher Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu."— Presentation transcript:

1 Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu translates to 131.179.192.144 –DNS also provides other similar services It wasn’t designed with security in mind

2 Lecture 18 Page 2 CS 236, Spring 2008 DNS Threats Threats to name lookup secrecy –Definition of DNS system says this data isn’t secret Threats to DNS information integrity –Very important, since everything trusts that this translation is correct Threats to DNS availability –Potential to disrupt Internet service

3 Lecture 18 Page 3 CS 236, Spring 2008 What Could Really Go Wrong? DNS lookups could be faked –Meaning packets go to the wrong place The DNS service could be subject to a DoS attack –Or could be used to amplify one Attackers could “bug” a DNS server to learn what users are looking up

4 Lecture 18 Page 4 CS 236, Spring 2008 Where Does the Threat Occur? Unlike routing, threat can occur in several places –At DNS servers –But also at DNS clients Which is almost everyone Core problem is that DNS responses aren’t authenticated

5 Lecture 18 Page 5 CS 236, Spring 2008 The DNS Lookup Process ping thesiger.cs.ucla.edu Should result in a ping packet being sent to 131.179.191.144 lookup thesiger.cs.ucla.edu answer 131.179.191.144 If the answer is wrong, in standard DNS the client is screwed

6 Lecture 18 Page 6 CS 236, Spring 2008 How Did the DNS Server Perform the Lookup? Leaving aside details, it has a table of translations between names and addresses It looked up thesiger.cs.ucla.edu in the table And replied with whatever the address was

7 Lecture 18 Page 7 CS 236, Spring 2008 Where Did That Table Come From? Ultimately, the table entries are created by those owning the domains –On a good day... And stored at servers that are authoritative for that domain In this case, the UCLA Computer Science Department DNS server ultimately stored it Other servers use a hierarchical lookup method to find the translation when needed

8 Lecture 18 Page 8 CS 236, Spring 2008 Doing Hierarchical Translation lookup thesiger.cs.ucla.edu DNS root server Where’s edu? edu root server Where’s ucla.edu? ucla.edu root servercs.ucla.edu root server Where’s thesiger.cs.ucla.edu? Where’s cs.ucla.edu?

9 Lecture 18 Page 9 CS 236, Spring 2008 Where Can This Go Wrong? Someone can spoof the answer from a DNS server –Relatively easy, since UDP is used One of the DNS servers can lie Someone can corrupt the database of one of the DNS servers

10 Lecture 18 Page 10 CS 236, Spring 2008 The Spoofing Problem lookup thesiger.cs.ucla.edu answer 97.22.101.53 answer 131.179.191.144 Unfortunately, most DNS stub resolvers will take the first answer

11 Lecture 18 Page 11 CS 236, Spring 2008 DNS Servers Lying lookup thesiger.cs.ucla.edu... answer 97.22.101.53 That wasn’t very nice of him! thesiger.cs.ucla.edu 131.178.192.144

12 Lecture 18 Page 12 CS 236, Spring 2008 DNS Database Corruption lookup thesiger.cs.ucla.edu 97.22.101.53. thesiger.cs.ucla.edu... answer 97.22.101.53

13 Lecture 18 Page 13 CS 236, Spring 2008 The DNSSEC Solution Sign the translations Who does the signing? –The server doing the response? –Or the server that “owns” the namespace in question? DNSSEC uses the latter solution

14 Lecture 18 Page 14 CS 236, Spring 2008 Implications of the DNSSEC Solution DNS databases must store signatures of resource records There must be a way of checking the signatures The protocol must allow signatures to be returned

15 Lecture 18 Page 15 CS 236, Spring 2008 Checking the Signature Basically, use certificates to validate public keys for namespaces Who signs the certificates? –The entity controlling the higher level namespace This implies a hierarchical solution

16 Lecture 18 Page 16 CS 236, Spring 2008 The DNSSEC Signing Hierarchy In principle, ICANN signs for itself and for top level domains (TLDs) –Like.com,.edu, country codes, etc. Each TLD signs for domains under it Those domains sign for domains below them And so on down

17 Lecture 18 Page 17 CS 236, Spring 2008 An Example Who signs the translation for thesiger.cs.ucla.edu to 131.179.192.144? The UCLA CS DNS server How does someone know that’s the right server to sign? Because the UCLA server says so –Securely, with signatures The edu server verifies the UCLA server’s signature Ultimately, hierarchical signatures leading up to ICANN’s attestation of who controls the edu namespace Where do you keep that information? –In DNS databases

18 Lecture 18 Page 18 CS 236, Spring 2008 Using DNSSEC To be really secure, you must check signatures yourself Next best is to have a really trusted authority check the signatures –And to have secure, authenticated communications between trusted authority and you

19 Lecture 18 Page 19 CS 236, Spring 2008 A Major Issue When you look up something like cs.ucla.edu, you get back a signed record What if you look up a name that doesn’t exist? How can you get a signed record for every possible non-existent name?

20 Lecture 18 Page 20 CS 236, Spring 2008 The DNSSEC Solution Names are alphabetically orderable Between any two names that exist, there are a bunch of names that don’t Sign the whole range of non-existent names If someone looks one up, give them the range signature

21 Lecture 18 Page 21 CS 236, Spring 2008 For Example, lasr.cs.ucla.edu131.179.192.136 pelican.cs.ucla.edu131.179.128.17 131.179.128.16toucan.cs.ucla.edu pelican.cs.ucla.edu131.179.128.17 131.179.128.16toucan.cs.ucla.edu lbsr.cs.ucla.edu – pd.cs.ucla.edu NOT ASSIGNED > host last.cs.ucla.edu You get authoritative information that the name isn’t assigned Foils spoofing attacks

22 Lecture 18 Page 22 CS 236, Spring 2008 Status of DNSSEC Working implementations available In use in some places Heavily promoted –First by DARPA –Now by DHS But not really successful

23 Lecture 18 Page 23 CS 236, Spring 2008 Problems With DNSSEC Deployment The DNS root hasn’t deployed DNSSEC –ICANN runs this root –Overall PKI based on root signing for everyone directly below –ICANN reluctant to add responsibilities Particularly those giving it more control Around 650 “islands” of DNSSEC signatures –Signing for themselves and those below them –In most cases, just for themselves

Download ppt "Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu."

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
20101 The Application Layer Domain Name System Chapter 7.

20101 The Application Layer Domain Name System Chapter 7.
Domain Name System: DNS

Domain Name System: DNS
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
DNS-centric PKI Sean Turner Russ Housley Tim Polk.

DNS-centric PKI Sean Turner Russ Housley Tim Polk.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #35 Dec 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.

PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.

DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.
CSE 461 Section (Week 0x02). Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.

CSE 461 Section (Week 0x02). Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Similar presentations

Ads by Google