Presentation is loading. Please wait.

Presentation is loading. Please wait.

DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver (192.168.1.1) DNS Caching Server Client I want to access www.example.com.

Published byAbel Barker Modified over 8 years ago

Similar presentations

Presentation on theme: "DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver (192.168.1.1) DNS Caching Server Client I want to access www.example.com."— Presentation transcript:

1

2 DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver (192.168.1.1) DNS Caching Server Client I want to access www.example.com 1 QID=64571 2 QID=64569 QID=64570 QID=64571 www.example.com 192.168.1.1 match! www.example.com 192.168.1.99 3 3 Root/GTLD QID=64571

3 RISKS  Misdirection of queries for an entire domain(Cache Poisoning) – Response to non-existent domains – MX hijacking – Make a large domain (SLD or TLD) domain “disappear” from an ISP's cache – DoS – Identity theft using SSL stripping attacks (banks, eGovernance)  Many more

4 DNS DOS Attack  DNS amplification  A type of reflection attack combined with amplification Source of attack reflected off another machine  Traffic received is bigger (amplified) than the traffic sent by the attacker UDP packet’s source address is spoofed Eg: (Spamhaus Attack)  DNS query floods  “flood of legitimate-seeming queries sent to target DNS server for a domain”  Uses botnet that automatically sends a significant number of queries  Difficult to differentiate between a standard and malicious query

5

6 Open Resolvers  DNS servers that answer recursive queries from any host on the Internet  http://openresolverproject.org/  Check if you’re running open resolvers  http://dns.measurement-factory.com/cgi- bin/openresolvercheck.pl  More statistics at  http://dns.measurement- factory.com/surveys/openresolvers/ASN reports/latest.html

7 Good DNS Practices  Enter the correct e-mail address of the responsible person for each zone you add to or manage on a DNS server.  Do not combine authoritative and recursive nameserver functions -- have each function performed by separate server sets.  Run multiple, distributed authoritative servers, avoiding single points of failure in critical resource paths. A variety of strategies are available (including anycast and load-balancing) to ensure robust geographic and network diversity in your deployment.

8 Securing NameServers  Run the most recent version of the DNS software  Apply the latest patch  Hide version  Restrict queries  Allow-query { acl_match_list; };  Prevent unauthorized zone transfers  Allow-transfer { acl_match_list; };  Run BIND with the least privilege (use chroot)  Use TSIG and DNSSEC

9 DNS: Data Flow master Caching forwarder Zone administrator Zone file Dynamic updates 12 slaves 345 resolver

10 DNS Vulnerabilities master Caching forwarder Zone administrator Zone file Dynamic updates 12 slaves 345 resolver Server protection Data protection Corrupting data Impersonating master Unauthorized updates Cache impersonation Cache pollution by Data spoofing

11 TSIG Protected Vulnerabilities master Caching forwarder Zone administrator Zone file Dynamic updates slaves resolver Impersonating master Unauthorized updates

12 What is TSIG - Transaction Signature?  A mechanism for protecting a message from a primary to secondary and vice versa  A keyed-hash is applied (like a digital signature) so recipient can verify message  DNS question or answer  and the timestamp  Based on a shared secret - both sender and receiver are configured with it

13 Transaction Signatures (TSIG)  TSIG is most-commonly used to authenticate slave servers to master servers during zone transfers  Protects against impersonating master and unauthorized updates  Master and slave servers:  share a common secret key & agree on key name  Synchronized clocks (NTP)  The shared information (key) is used to authenticate a client to a server  Remember to change the key periodically

14 What is TSIG - Transaction Signature?  TSIG (RFC 2845)  authorizing dynamic updates & zone transfers  authentication of caching forwarders  Used in server configuration, not in zone file

15 TSIG steps  Generate secret dnssec-keygen -a -b -n host  Communicate secret scp @ :  Configure servers key { algorithm...; secret...;} server x { key...; } Test dig @ AXFR -k

16 DNS Security Extensions (DNSSEC) Protects the integrity of data in the DNS by establishing a chain of trust Uses public key cryptography – each link in the chain has a public/private key pair A form of digitally signing the data to attest its validity Standard is defined in RFC4033, RFC4034, and RFC4035 Guarantees – Authenticity – Integrity – Non-existence of a domain

17 DNSSEC Concepts  Changes DNS trust model from one of ”open” and ”trusting” to one of ”verifiable”  Use of public key cryptography to provide:  Authentication of origin  Data integrity  Authenticated denial of existence  No attempt to provide confidentiality (NO encryption)  DNSSEC does not normally place computational load on the authoritative servers ( != those signing the zone)  No modifications to the core protocol.

18 DNSSEC Concepts  Build a chain of trust using the existing delegation-based model of distribution that is the DNS.

19 DNSSEC Concepts  Don't sign the entire zone, sign a RRset  Note: the parent DOES NOT sign the child zone.  The parent signs a pointer (hash) to the key used to sign the data of child zone (DS record).  Always on the master server.  Check if slaves are receiving the signed zones.

20 DNSSEc: new RRs  RRSIG = Signature over RRset made using private key  DNSKEY = Public key, needed for verifying a RRSIG  DS = Delegation Signer; ‘Pointer’ for building chains of authentication  NSEC = Returned as verifiable evidence that the name and/or RR type does not exist  DS record provides a mechanism to delegate trust to public keys of third parties

21 Types of Keys  Zone Signing Key (ZSK)  Sign the RRsets within the zone  Public key of ZSK is defined by a DNSKEY RR  Key Signing Key (KSK)  Signed the keys which includes ZSK and KSK and may also be used outside the zone

22 Signing the zone (using the BIND tools) 1. Generate keypairs 2. Include public DNSKEYs in zone file 3. Sign the zone using the secret key ZSK 4. Publishing the zone 5. Push DS record up to your parent(how?) (Note:signing always done in Master and validation in resolver)

23 Key Generation # Generate ZSK dnssec-keygen [-a rsasha1 -b 1024] -n ZONE myzone # Generate KSK dnssec-keygen [-a rsasha1 -b 2048] -n ZONE -f KSK myzone  Signing Of Zone:dnssec-signzone myzone

24 KEY MANAGEMENT  Need to implement secure key storage, management procedures  Need to sign your zones  Registries need to accept DS records from users (how?)  Need to publish DS records to parents (how?)  Manual Signing: Key RollOvers  Key Never expires. Need to resign  Automated Signing: Opendnssec or inline signing.

25 Inline Signing  Dnssec Signing made easy.(automatic signing and key rollovers)  Requires Bind Version 9.9 and above.  Enabled by the "inline-signing yes;" statement in named.conf  Create zsk and ksk but sign using inline and resign using (auto-dnssec maintain).  Check if it’s signing.  Check logs.  $ dig @localhost mytld NS +dnssec(to check if dnssec is working, for manual also)  $ sudo named-checkzone -D -f raw -o - mytld mytld.signed | less  how do we update the zone and resign it ?  Problem:Doesn’t generate keys in some distro,use “”haveged”.

Download ppt "DNS Cache Poisoning (pretending to be the authoritative zone) ns.example.co m Webserver (192.168.1.1) DNS Caching Server Client I want to access www.example.com."

Similar presentations

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
DNS Security Overview AROC Guatemala July 2010. What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.

DNS Security Overview AROC Guatemala July What’s the Problem? Until July of 2008 the majority of authoritative DNS servers worldwide were completely.
DNSSEC & Email Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.

DNS Security A.Lioy, F.Maino, M. Marian, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Marius Marian.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.

A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.

DNS Security Extension (DNSSEC). Why DNSSEC? DNS is not secure –Applications depend on DNS ►Known vulnerabilities DNSSEC protects against data spoofing.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.

RNDC & TSIG. What is RNDC? Remote Name Daemon Controller Command-line control of named daemon Usually on same host, can be across hosts –Locally or remotely.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Similar presentations

Ads by Google