DNSSEC. Matthäus Wander. Erlangen, April 20, and the Hassle of Negative Responses.

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "DNSSEC. Matthäus Wander. Erlangen, April 20, 2015. and the Hassle of Negative Responses. <matthaeus.wander@uni-due.de>"

Transcription

1 DNSSEC and the Hassle of Negative Responses Matthäus Wander Erlangen, April 20, 2015

2 Security Goal of DNSSEC Query: www? ftp mail ns1 www Matthäus Wander 2

3 Security Goal of DNSSEC Query: www? www A ftp mail ns1 www Matthäus Wander 3

4 Security Goal of DNSSEC Query: www? www A www A ftp mail ns1 www Matthäus Wander 4

5 Security Goal of DNSSEC Query: www? www A www A ftp mail ns1 www Data integrity and authenticity Signatures over resource records (data sets) Matthäus Wander 5

6 End-to-End Security DNS zone Stub Resolver Recursive Resolver Recursive Resolver Authoritative Name server Matthäus Wander 6

7 End-to-End Security DNS zone Stub Resolver Recursive Resolver Recursive Resolver Authoritative Name server End-to-end security principle Between validator and signer Offline signing Pre-generate all signatures Matthäus Wander 7

8 Public Key Distribution Public keys distributed in-band Authenticated by parent domain. Public key net: key fingerprint Public key net. example.net: key fingerprint Resolver has copy of root public key Public key example.net. Domain data Matthäus Wander 8

9 RESEARCH WORK NEGATIVE RESPONSES ATTACKING NSEC3 Matthäus Wander 9

10 Research Work Measurement analysis DNS injection DNSSEC adoption Server-side: signed domains Client-side: validators Attack methods on NSEC3 privacy goal Matthäus Wander 10

11 Research Work Measurement analysis DNS injection DNSSEC adoption Server-side: signed domains Client-side: validators Attack methods on NSEC3 privacy goal Matthäus Wander 11

12 Research Work Measurement analysis DNS injection DNSSEC adoption Server-side: signed domains Client-side: validators Attack methods on NSEC3 privacy goal Matthäus Wander 12

13 Client Validation Ratio per Country Matthäus Wander 13

14 Research Work Measurement analysis DNS injection DNSSEC adoption Server-side: signed domains Client-side: validators Attack methods on NSEC3 privacy goal Matthäus Wander 14

15 RESEARCH WORK NEGATIVE RESPONSES ATTACKING NSEC3 Matthäus Wander 15

16 Secure Denial of Existence: NSEC Query: test? ftp mail ns1 Not found www Query name: x Matthäus Wander 16

17 Secure Denial of Existence: NSEC Query: test? ftp mail ns1 Not found www Query name: x NSEC Matthäus Wander 17

18 Secure Denial of Existence: NSEC Query: test? ns1 NSEC www ftp mail ns1 Query name: Response: x Not found (r 1,r2 ) with r1 x r2 www NSEC Matthäus Wander 18

19 Zone Enumeration Copy DNSSEC zone by crawling NSEC records Nominet (.uk) position: Zone file enumeration is a show-stopper for us that will prevent us from fully implementing DNSSEC. DENIC (.de) position: In conflict with Germany s Federal Data Protection Act Matthäus Wander 19

20 Secure Denial of Existence: NSEC3 Query: test? ftp mail ns1 Not found www NSEC Matthäus Wander 20

21 Secure Denial of Existence: NSEC3 Query: test? ftp mail ns1 3a45 78a1 8e5d Not found Hash query name: h(x) www NSEC b105 NSEC3 Matthäus Wander 21

22 Secure Denial of Existence: NSEC3 Query: test? 78a1 NSEC3 8e5d Not found ftp mail ns1 www 3a45 78a1 8e5d b105 Hash query name: Response: h(x) NSEC NSEC3 (h(r1 ), h(r2 )) with h(r1 ) h(x) h(r2 ) Matthäus Wander 22

23 NSEC3 Definition domain name salt h(x, s, 0 ) SHA1( x s ) h(x, s, i) SHA1( h(x,s,i 1) s ), for i 0 additional iterations Repeated SHA1 computation Salt is identical for all names in a DNSSEC zone Matthäus Wander 23

24 NSEC vs. NSEC3 NSEC: Discloses domain name database Compatible with offline signing NSEC3: Privacy: Protects from zone enumeration Compatible with offline signing CPU: overhead on server for hashing query names Network: 40-50% larger response sizes How well does NSEC3 prevent zone enumeration? Matthäus Wander 24

25 RESEARCH WORK NEGATIVE RESPONSES ATTACKING NSEC3 Matthäus Wander 25

26 ATTACKING NSEC3 1. Collect hashes 2. Reverse hashes Matthäus Wander 26

27 GPU Computing Matthäus Wander 27

28 ATTACKING NSEC3 1. Collect hashes 2. Reverse hashes Matthäus Wander 28

29 Hash Crawling Retrieve NSEC3 hashes from name server Send queries for random non-existing names M8eZcl8.com? 78a1 NSEC3 8e5d Not found Check hash before sending query NSEC3 gap NSEC3 gap NSEC3 gap Matthäus Wander 29

30 May 2014 Crawling 345,000 Hashes from.com 1e+12 1e+10 1e+08 1e Hashing attempts Gaps in use 00:00 02:00 04:00 06:00 08:00 10:00 12:00 Time in hours Matthäus Wander 30

31 ATTACKING NSEC3 1. Collect hashes 2. Reverse hashes Matthäus Wander 31

32 Hash Breaking Methods Brute-force attack Exhaustive search (aaa, aab, aac, ) Dictionary attack Read candidate names from file Markov attack Derive candidate names from language model Matthäus Wander 32

33 Brute-Force Attack 1 to 8 characters 9 characters Matthäus Wander 33

34 Dictionary Attack Effectiveness depends on dictionary quality Good public lists (Alexa, Quantcast) 7.1 mio candidate names Generate more candidates by inserting strings Insert most common 200,000 n-grams (with 1 n 15) candidate names foo.com. e efoo.com. feoo.com. foeo.com. fooe.com. Matthäus Wander 34

35 Dictionary Attack Matthäus Wander 35

36 Effectiveness of Insertion Wordlist Matthäus Wander 36

37 Markov Attack Some strings are more probable than others th more common in English than tx Model language with 1 st order Markov chains Markov attack requires training Use hits from brute-force and dictionary attacks Markov model derived from names found Enumerate most probable names Omit others (with given time frame) Matthäus Wander 37

38 Markov Attack Matthäus Wander 38

39 Countermeasure: Adjust Iterations Iterations increase workload linearly For attacker and server operator Unlike e.g. ciper key length Attacker Server operator Matthäus Wander 39

40 Adjusting iterations Iterations increase workload linearly For attacker and server operator Unlike e.g. ciper key length Attacker Server operator Matthäus Wander 40

41 Adjusting iterations Iterations increase workload linearly For attacker and server operator Unlike e.g. ciper key length Attacker Server operator Matthäus Wander 41

42 Efficiency of CPU vs. GPU Matthäus Wander 42

43 Conclusions DNSSEC authenticates domain name data Negative responses with NSEC/NSEC3 NSEC discloses domain database NSEC3 incurs additional server costs Break NSEC3 hashes efficiently with GPUs Best method: dictionary with inserted n-grams Reversed 65%.com NSEC3 hashes in 5 days Increasing iterations is not economical Matthäus Wander 43

NSEC3 Hash Breaking. GPU-based. Matthäus Wander, Lorenz Schwittmann, Christopher Boelmann, Torben Weis IEEE NCA 2014. <matthaeus.wander@uni-due.

NSEC3 Hash Breaking. GPU-based. Matthäus Wander, Lorenz Schwittmann, Christopher Boelmann, Torben Weis IEEE NCA 2014. <matthaeus.wander@uni-due. GPU-based NSEC3 Hash Breaking Matthäus Wander, Lorenz Schwittmann, Christopher Boelmann, Torben Weis IEEE NCA 2014 Cambridge, August 22, 2014 NSEC3 FUNDAMENTALS Matthäus Wander

More information

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. <matthaeus.wander@uni-due.de> Duisburg, June 19, 2015

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. <matthaeus.wander@uni-due.de> Duisburg, June 19, 2015 The Impact of DNSSEC on the Internet Landscape Matthäus Wander Duisburg, June 19, 2015 Outline Domain Name System Security problems Attacks in practice DNS Security Extensions

More information

Part 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology

Part 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology SAST01 An Introduction to Information Security Part 5 DNS Security Martin Hell Department of Electrical and Information Technology How DNS works Amplification attacks Cache poisoning attacks DNSSEC 1 2

More information

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS AFNIC s Issue Papers DNSSEC Domain Name System Security Extensions 1 - Organisation and operation of the DNS 2 - Cache poisoning attacks 3 - What DNSSEC can do 4 - What DNSSEC cannot do 5 - Using keys

More information

DNS security: poisoning, attacks and mitigation

DNS security: poisoning, attacks and mitigation DNS security: poisoning, attacks and mitigation The Domain Name Service underpins our use of the Internet, but it has been proven to be flawed and open to attack. Richard Agar and Kenneth Paterson explain

More information

Verteilte Systeme - Overview

Verteilte Systeme - Overview - Overview Prof. Dr.-Ing. Torben Weis Building BC, 4 th Floor, Room 407 http://www.vs.uni-due.de Scientific Staff Christopher Boelmann Sebastian Schuster Matthäus Wander Working Areas Networked systems

More information

DNSSEC Applying cryptography to the Domain Name System

DNSSEC Applying cryptography to the Domain Name System DNSSEC Applying cryptography to the Domain Name System Gijs van den Broek Graduate Intern at SURFnet Overview First half: Introduction to DNS Attacks on DNS Second half: DNSSEC Questions: please ask! DNSSEC

More information

Security of IPv6 and DNSSEC for penetration testers

Security of IPv6 and DNSSEC for penetration testers Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions

More information

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

THE MASTER LIST OF DNS TERMINOLOGY. First Edition THE MASTER LIST OF DNS TERMINOLOGY First Edition DNS can be hard to understand and if you re unfamiliar with the terminology, learning more about DNS can seem as daunting as learning a new language. To

More information

DNSSEC and DNS Proxying

DNSSEC and DNS Proxying DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for

More information

Internet Measurement Research

Internet Measurement Research Internet Measurement Research Matthäus Wander Kassel, October 1, 2013 Overview How to get measurement data? Research projects Case studies of past projects Ideas and inspiration

More information

Lecture 2 CS 3311. An example of a middleware service: DNS Domain Name System

Lecture 2 CS 3311. An example of a middleware service: DNS Domain Name System Lecture 2 CS 3311 An example of a middleware service: DNS Domain Name System The problem Networked computers have names and IP addresses. Applications use names; IP uses for routing purposes IP addresses.

More information

Internet-Praktikum I Lab 3: DNS

Internet-Praktikum I Lab 3: DNS Kommunikationsnetze Internet-Praktikum I Lab 3: DNS Mark Schmidt, Andreas Stockmayer Sommersemester 2015 kn.inf.uni-tuebingen.de Motivation for the DNS Problem IP addresses hard to remember for humans

More information

DNS Response Modification

DNS Response Modification DNS Response Modification David Piscitello Senior Security Technologist ICANN 1 Intended web experience Type a URL: http://www.example.com/index.htm Browser asks DNS to find IP address of this host If

More information

DNSSEC for Everybody: A Beginner s Guide

DNSSEC for Everybody: A Beginner s Guide DNSSEC for Everybody: A Beginner s Guide San Francisco, California 14 March 2011 4:00 to 5:00 p.m. Colonial Room The Schedule 2 This is Ugwina. She lives in a cave on the edge of the Grand Canyon... This

More information

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0 THE MASTER LIST OF DNS TERMINOLOGY v 2.0 DNS can be hard to understand and if you re unfamiliar with the terminology, learning more about DNS can seem as daunting as learning a new language. To help people

More information

DNS at NLnet Labs. Matthijs Mekking

DNS at NLnet Labs. Matthijs Mekking DNS at NLnet Labs Matthijs Mekking Topics NLnet Labs DNS DNSSEC Recent events NLnet Internet Provider until 1997 The first internet backbone in Holland Funding research and software projects that aid the

More information

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In) DNSSEC: A Vision Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Outline DNS Today DNS Attacks DNSSEC: An Approach Countering DNS Attacks Conclusion 2 DNS Today DNS is

More information

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008 DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008 Kim Davies Internet Assigned Numbers Authority Internet Corporation for Assigned Names & Numbers Agenda How do you

More information

Ordinary DNS: www.google.com A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A 192.5.6.30. Client's Resolver

Ordinary DNS: www.google.com A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A 192.5.6.30. Client's Resolver Ordinary DNS: www.google.com A? com. NS a.gtld-servers.net a.gtld-servers.net A 192.5.6.30 k.root-servers.net Ordinary DNS: www.google.com A? com. NS a.gtld-servers.net a.gtld-servers.net A 192.5.6.30

More information

DNSSEC in your workflow

DNSSEC in your workflow DNSSEC in your workflow Presentation roadmap Overview of problem space Architectural changes to allow for DNSSEC deployment Deployment tasks Key maintenance DNS server infrastructure Providing secure delegations

More information

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010 Presented by Greg Lindsay Technical Writer Windows Server Information Experience Presented at: Seattle Windows Networking User Group April 7, 2010 Windows 7 DNS client DNS devolution Security-awareness:

More information

The Domain Name System from a security point of view

The Domain Name System from a security point of view The Domain Name System from a security point of view Simon Boman Patrik Hellström Email: {simbo105, pathe321}@student.liu.se Supervisor: David Byers, {davby@ida.liu.se} Project Report for Information Security

More information

The Domain Name System (DNS)

The Domain Name System (DNS) The Domain Name System (DNS) Each Internet host is assigned a host name and an IP address Host names are structured character strings, e.g., www.cs.iastate.edu IP addresses are 32 bit integers, e.g., 129.186.3.6

More information

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. . Computer System Security and Management SMD139 Lecture 5: Domain Name System Peter A. Jonsson DNS Translation of Hostnames to IP addresses Hierarchical distributed database DNS Hierarchy The Root Name

More information

Computer Networks: Domain Name System

Computer Networks: Domain Name System Computer Networks: Domain Name System Domain Name System The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses DNS www.example.com 208.77.188.166 http://www.example.com

More information

DNSSEC Practice Statement (DPS)

DNSSEC Practice Statement (DPS) DNSSEC Practice Statement (DPS) 1. Introduction This document, "DNSSEC Practice Statement ( the DPS ) for the zones under management of Zodiac Registry Limited, states ideas of policies and practices with

More information

Attack and Defense Techniques

Attack and Defense Techniques Network Security Attack and Defense Techniques Anna Sperotto (with material from Ramin Sadre) Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Attacks! Many different

More information

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015 Network Security DNS (In)security Radboud University, The Netherlands Autumn 2015 A short recap Routing means directing (Internet) traffic to its target Internet is divided into 52, 000 Autonomous Systems

More information

DNS/DNSSEC Tutorial. Rick Lamb & Champika Wijayatunga Kathmandu Nepal 27 January 2016 In conjunction with SANOG27

DNS/DNSSEC Tutorial. Rick Lamb & Champika Wijayatunga Kathmandu Nepal 27 January 2016 In conjunction with SANOG27 DNS/DNSSEC Tutorial Rick Lamb & Champika Wijayatunga Kathmandu Nepal 27 January 2016 In conjunction with SANOG27 2 Brief Overview of DNS The World s Network the Domain Name System + Internet Protocol numbers

More information

Use Domain Name System and IP Version 6

Use Domain Name System and IP Version 6 Use Domain Name System and IP Version 6 What You Will Learn The introduction of IP Version 6 (IPv6) into an enterprise environment requires some changes both in the provisioned Domain Name System (DNS)

More information

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce 18/02/15 Networks: DNS attacks 1 Domain Name System The domain name system (DNS) is an applica>on- layer protocol

More information

Domain Name System (DNS)

Domain Name System (DNS) Domain Name System (DNS) Instructor: Anirban Mahanti Office: ICT 745 Email: mahanti@cpsc.ucalgary.ca Class Location: ICT 121 Lectures: MWF 12:00 12:50 Notes derived from Computer Networking: A Top Down

More information

Networking Domain Name System

Networking Domain Name System IBM i Networking Domain Name System Version 7.2 IBM i Networking Domain Name System Version 7.2 Note Before using this information and the product it supports, read the information in Notices on page

More information

DNSSEC. Introduction Principles Deployment

DNSSEC. Introduction Principles Deployment DNSSEC Introduction Principles Deployment Overview What we will cover The problems that DNSSEC addresses The protocol and implementations Things to take into account to deploy DNSSEC The practical problems

More information

Large-scale DNS and DNSSEC data sets for network security research

Large-scale DNS and DNSSEC data sets for network security research Large-scale DNS and DNSSEC data sets for network security research Roland van Rijswijk-Deij 1,2, Anna Sperotto 1, and Aiko Pras 1 1 Design and Analysis of Communication Systems (DACS), University of Twente,

More information

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers How does the DNS work? A typical DNS query The

More information

Authenticated Denial of Existence in the DNS

Authenticated Denial of Existence in the DNS CC BY-SA 3.0 SIDN Labs 2011/0x01-v2 Authenticated Denial of Existence in the DNS Miek Gieben, miek.gieben@sidn.nl, SIDN Matthijs Mekking, matthijs@nlnetlabs.nl, NLnet Labs January 2012 Abstract Authenticated

More information

Reliable Strong Cache and Security for the Domain Name System

Reliable Strong Cache and Security for the Domain Name System Reliable Strong Cache and Security for the Domain Name System S. Pari Elavarasan #1, K. Sampath Kumar *2 # Department of Computer Science and Engineering, PGP College of Engineering and Technology, Namakkal,

More information

Deploying DNSSEC: From End-Customer To Content

Deploying DNSSEC: From End-Customer To Content Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical

More information

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace Motivation Domain Name System (DNS) IP addresses hard to remember Meaningful names easier to use Assign names to IP addresses Name resolution map names to IP addresses when needed Namespace set of all

More information

DOMAIN NAME SECURITY EXTENSIONS

DOMAIN NAME SECURITY EXTENSIONS DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions

More information

The Domain Name System

The Domain Name System Internet Engineering 241-461 Robert Elz kre@munnari.oz.au kre@coe.psu.ac.th http://fivedots.coe.psu.ac.th/~kre DNS The Domain Name System Kurose & Ross: Computer Networking Chapter 2 (2.5) James F. Kurose

More information

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution As market leaders in the application delivery market and DNS, DHCP, and IP Address Management (DDI) market

More information

Detecting and Refactoring Operational Smells within the Domain Name System

Detecting and Refactoring Operational Smells within the Domain Name System Detecting and Refactoring Operational Smells within the Domain Name System Graphs as Models (GaM) Workshop, European Joint Conferences on Theory and Practice of Software (ETAPS-15) 11,12 April 2015 Queen

More information

EDU DNSSEC Testbed. Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network

EDU DNSSEC Testbed. Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network EDU DNSSEC Testbed Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network Internet2 Joint Techs Conference Salt Lake City, Utah February 2nd 2010 1 DNSSEC DNS Security Extensions A system

More information

Understand Names Resolution

Understand Names Resolution Understand Names Resolution Lesson Overview In this lesson, you will learn about: Domain name resolution Name resolution process steps DNS WINS Anticipatory Set 1. List the host name of 4 of your favorite

More information

Domain Name System Richard T. B. Ma

Domain Name System Richard T. B. Ma Domain Name System Richard T. B. Ma School of Computing National University of Singapore CS 3103: Compute Networks and Protocols Names Vs. Addresses Names are easier for human to remember www.comp.nus.edu.sg

More information

Names & Addresses. Names & Addresses. Names vs. Addresses. Identity. Names vs. Addresses. CS 194: Distributed Systems: Naming

Names & Addresses. Names & Addresses. Names vs. Addresses. Identity. Names vs. Addresses. CS 194: Distributed Systems: Naming Names & Addresses CS 9: Distributed Systems: Naming Computer Science Division Department of Electrical Engineering and Computer Sciences University of California, Berkeley Berkeley, CA 970-77 What is a?

More information

CS 557 - Lecture 22 DNS Security

CS 557 - Lecture 22 DNS Security CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall 2013 The Domain Name System Virtually every application uses the Domain Name System (DNS). DNS database

More information

Public Key Validation for the DNS Security Extensions

Public Key Validation for the DNS Security Extensions Public Key Validation for the DNS Security Extensions Daniel Massey USC/ISI masseyd@isi.edu Ed Lewis Network Associates, Inc. lewis@tislabs.com Russ Mundy Network Associates, Inc. mundy@tislabs.com Allison

More information

Flexible Training Options to Make the Most of Your IPAM Deployment

Flexible Training Options to Make the Most of Your IPAM Deployment Training Services Flexible Training Options to Make the Most of Your IPAM Deployment BlueCat offers a full curriculum of technical training to provide your staff with the knowledge and skills they need

More information

Using the Domain Name System for System Break-ins

Using the Domain Name System for System Break-ins Using the Domain Name System for System Break-ins Steven M. Bellovin Presented by: Thomas Repantis trep@cs.ucr.edu CS255-Computer Security, Winter 2004 p.1/37 Overview Using DNS to spoof a host s name

More information

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS

Agenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS Agenda Network Services Domain Names & DNS Domain Names Domain Name System Internationalized Domain Names Johann Oberleitner SS 2006 Domain Names Naming of Resources Problems of Internet's IP focus IP

More information

Domain Name System. CS 571 Fall 2006. 2006, Kenneth L. Calvert University of Kentucky, USA All rights reserved

Domain Name System. CS 571 Fall 2006. 2006, Kenneth L. Calvert University of Kentucky, USA All rights reserved Domain Name System CS 571 Fall 2006 2006, Kenneth L. Calvert University of Kentucky, USA All rights reserved DNS Specifications Domain Names Concepts and Facilities RFC 1034, November 1987 Introduction

More information

DNS Security FAQ for Registrants

DNS Security FAQ for Registrants DNS Security FAQ for Registrants DNSSEC has been developed to provide authentication and integrity to the Domain Name System (DNS). The introduction of DNSSEC to.nz will improve the security posture of

More information

DNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org

DNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org DNS Best Practices Mike Jager Network Startup Resource Center mike@nsrc.org This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org). This document may be

More information

Resilient Networking. Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning. Securing DNS Split-Split-DNS DNSSEC.

Resilient Networking. Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning. Securing DNS Split-Split-DNS DNSSEC. Resilient Networking 6: Attacks on DNS Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC SoSe 2014 Fachbereich Informatik Telecooperation Group

More information

Hushmail Express Password Encryption in Hushmail. Brian Smith Hush Communications

Hushmail Express Password Encryption in Hushmail. Brian Smith Hush Communications Hushmail Express Password Encryption in Hushmail Brian Smith Hush Communications Introduction...2 Goals...2 Summary...2 Detailed Description...4 Message Composition...4 Message Delivery...4 Message Retrieval...5

More information

IPv6 support in the DNS

IPv6 support in the DNS IPv6 support in the DNS How important is the DNS? Getting the IP address of the remote endpoint is necessary for every communication between TCP/IP applications Humans are unable to memorize millions of

More information

A Best Practices Architecture for DNSSEC

A Best Practices Architecture for DNSSEC WHITEPAPER A Best Practices Architecture for DNSSEC Cricket Liu, Vice President of Architecture Background The Domain Name System is the Internet s standard naming service. DNS is responsible for mapping

More information

XN--P1AI (РФ) DNSSEC Policy and Practice Statement

XN--P1AI (РФ) DNSSEC Policy and Practice Statement XN--P1AI (РФ) DNSSEC Policy and Practice Statement XN--P1AI (РФ) DNSSEC Policy and Practice Statement... 1 INTRODUCTION... 2 Overview... 2 Document name and identification... 2 Community and Applicability...

More information

Enabling Secure On-line DNS Dynamic Update

Enabling Secure On-line DNS Dynamic Update Enabling Secure On-line DNS Dynamic Update Xunhua Wand, Yih Huang, David Rine Department of Computer Science George Meson University Yvo Desmdt Department of Computer Science Florida State University by

More information

One year of DANE Tales and Lessons Learned. sys4.de

One year of DANE Tales and Lessons Learned. sys4.de One year of DANE Tales and Lessons Learned sys4.de DANE secures Security Why secure Security? Encryption Models Opportunistic Encryption > Expect anything > Proceed if absent > Try if offered > Proceed

More information

DNS Abuse Handling. Champika Wijayatunga APRICOT2015 Fukuoka Japan Feb 2015

DNS Abuse Handling. Champika Wijayatunga APRICOT2015 Fukuoka Japan Feb 2015 DNS Abuse Handling Champika Wijayatunga APRICOT2015 Fukuoka Japan Feb 2015 Acknowledgements Dave Piscitello Vice President, Security and ICT Coordination ICANN 2 2 Agenda 1 2 3 Brief Overview of DNS Defining

More information

DNSSEC Deployment a case study

DNSSEC Deployment a case study DNSSEC Deployment a case study Olaf M. Kolkman Olaf@NLnetLabs.nl RIPE NCCs Project Team: Katie Petrusha, Brett Carr, Cagri Coltekin, Adrian Bedford, Arno Meulenkamp, and Henk Uijterwaal Januari 17, 2006

More information

THE DOMAIN NAME SYSTEM DNS

THE DOMAIN NAME SYSTEM DNS Announcements THE DOMAIN NAME SYSTEM DNS Internet Protocols CSC / ECE 573 Fall, 2005 N. C. State University copyright 2005 Douglas S. Reeves 2 Today s Lecture I. Names vs. Addresses II. III. IV. The Namespace

More information

Domain Name System DNS

Domain Name System DNS CE443 Computer Networks Domain Name System DNS Behnam Momeni Computer Engineering Department Sharif University of Technology Acknowledgments: Lecture slides are from Computer networks course thought by

More information

INSTALLATION OF BLOGGING PLATFORM

INSTALLATION OF BLOGGING PLATFORM INSTALLATION OF BLOGGING PLATFORM & Configuration of DNSSEC Enabled Name Server Katja Andreeva, Marco Johns SERVER (KAMMIO.KUTOMO.NET) SERVER (KAMMIO.KUTOMO.NET) Virtual Private Server (VPS) from Linode.com

More information

Snow Agent System Pilot Deployment version

Snow Agent System Pilot Deployment version Pilot Deployment version Security policy Revision: 1.0 Authors: Per Atle Bakkevoll, Johan Gustav Bellika, Lars, Taridzo Chomutare Page 1 of 8 Date of issue 03.07.2009 Revision history: Issue Details Who

More information

DNSSEC Overview. NANOG 51 Tutorial" Matt Larson! Vice President, DNS Research" Verisign Labs" Version: "

DNSSEC Overview. NANOG 51 Tutorial Matt Larson! Vice President, DNS Research Verisign Labs Version: DNSSEC Overview NANOG 51 Tutorial" Matt Larson! Vice President, DNS Research" Verisign Labs" Version: 2010-01-30" DNS Security! DNS has no security One UDP packet for query, one UDP packet for response

More information

DNSSEC update TF Mobility, Vienna

DNSSEC update TF Mobility, Vienna DNSSEC update TF Mobility, Vienna Roland van Rijswijk roland.vanrijswijk [at] surfnet.nl February 18th 2010 Overview - Introduction - DNSSEC validation on resolvers - Update on what we ve learned so far

More information

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs Decoding DNS data Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs The Domain Name System (DNS) is a core component of the Internet infrastructure,

More information

SIDN Server Measurements

SIDN Server Measurements SIDN Server Measurements Yuri Schaeffer 1, NLnet Labs NLnet Labs document 2010-003 July 19, 2010 1 Introduction For future capacity planning SIDN would like to have an insight on the required resources

More information

Chapter 23 The Domain Name System (DNS)

Chapter 23 The Domain Name System (DNS) CSC521 Communication Protocols 網 路 通 訊 協 定 Chapter 23 The Domain Name System (DNS) 吳 俊 興 國 立 高 雄 大 學 資 訊 工 程 學 系 Outline 1. Introduction 2. Names For Machines 3. Flat Namespace 4. Hierarchical Names 5.

More information

ICS 351: Today's plan. DNS WiFi

ICS 351: Today's plan. DNS WiFi ICS 351: Today's plan DNS WiFi Domain Name System Hierarchical system of names top-level domain names include.edu,.org,.com,.net, and many country top-level domains root is just "." so the fully qualified

More information

EE 7376: Introduction to Computer Networks. Homework #3: Network Security, Email, Web, DNS, and Network Management. Maximum Points: 60

EE 7376: Introduction to Computer Networks. Homework #3: Network Security, Email, Web, DNS, and Network Management. Maximum Points: 60 EE 7376: Introduction to Computer Networks Homework #3: Network Security, Email, Web, DNS, and Network Management Maximum Points: 60 1. Network security attacks that have to do with eavesdropping on, or

More information

Internet Security [1] VU 184.216. Engin Kirda engin@infosys.tuwien.ac.at

Internet Security [1] VU 184.216. Engin Kirda engin@infosys.tuwien.ac.at Internet Security [1] VU 184.216 Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel chris@auto.tuwien.ac.at Administration Challenge 2 deadline is tomorrow 177 correct solutions Challenge 4 will

More information

DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic

DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic Yizheng Chen, Manos Antonakakis, Roberto Perdisci, Yacin Nadji, David Dagon, and Wenke Lee Domain Name System Machine-level

More information

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014 DRDoS Attacks: Latest Threats and Countermeasures Larry J. Blunk Spring 2014 MJTS 4/1/2014 Outline Evolution and history of DDoS attacks Overview of DRDoS attacks Ongoing DNS based attacks Recent NTP monlist

More information

The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/

The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/ The story of dnsdist - or - Do we need a DNS Delivery Controller? http://dnsdist.org/ PowerDNS Very briefly so you know where we come from Open source nameserver, around since 2000, open source since 2002,

More information

Secure DNS / DNSsec. Dresden, May 8th, Garbacz, Jan Eisfeld, Martin Gebhardt, Ralf Lu, Yi Mochaourab, Rami Knechtel, Martin

Secure DNS / DNSsec. Dresden, May 8th, Garbacz, Jan Eisfeld, Martin Gebhardt, Ralf Lu, Yi Mochaourab, Rami Knechtel, Martin Department of Computer Science Institute for System Architecture, Chair of Computer Networks Secure DNS / DNSsec Garbacz, Jan Eisfeld, Martin Gebhardt, Ralf Lu, Yi Mochaourab, Rami Knechtel, Martin Dresden,

More information

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt 1 Lecture 10: Application Layer 2 Application Layer Where our applications are running Using services provided by

More information

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University

Implementation and Comparison of Various Digital Signature Algorithms. -Nazia Sarang Boise State University Implementation and Comparison of Various Digital Signature Algorithms -Nazia Sarang Boise State University What is a Digital Signature? A digital signature is used as a tool to authenticate the information

More information

The Use of DNS Resource Records

The Use of DNS Resource Records International Journal of Advances in Electrical and Electronics Engineering 230 Available online at www.ijaeee.com & www.sestindia.org/volume-ijaeee/ ISSN: 2319-1112 Simar Preet Singh Systems Engineer,

More information

CS3250 Distributed Systems

CS3250 Distributed Systems CS3250 Distributed Systems Lecture 4 More on Network Addresses Domain Name System DNS Human beings (apart from network administrators and hackers) rarely use IP addresses even in their human-readable dotted

More information

Resilient Networking. Thorsten Strufe. Module 5: Name Resolution / DNS

Resilient Networking. Thorsten Strufe. Module 5: Name Resolution / DNS Resilient Networking Thorsten Strufe Module 5: Name Resolution / DNS Disclaimer: This module prepared in cooperation with Mathias Fischer, Michael Roßberg, and Günter Schäfer Dresden, SS 15 Module Outline

More information

Security of the DNS Protocol

Security of the DNS Protocol Security of the DNS Protocol Implementation and Weaknesses Analyses of DNSSEC Kaouthar Chetioui, Ghizlane Orhanou, Said El Hajji, Abdelmajid Lakbabi Laboratoire Mathématiques, Informatique et Applications

More information

Attack Frameworks and Tools

Attack Frameworks and Tools Network Architectures and Services, Georg Carle Faculty of Informatics Technische Universität München, Germany Attack Frameworks and Tools Pranav Jagdish Betreuer: Nadine Herold Seminar Innovative Internet

More information

Domain Name System 2015-04-28 17:49:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Domain Name System 2015-04-28 17:49:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Domain Name System 2015-04-28 17:49:44 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Domain Name System... 4 Domain Name System... 5 How DNS Works

More information

ECE 4321 Computer Networks. Network Programming

ECE 4321 Computer Networks. Network Programming ECE 4321 Computer Networks Network Programming Name Space System.Net Domain Name System (DNS) To resolve computer naming Host database is split up and distributed among multiple systems on the Internet

More information

Chapter 9: Name Services. 9.1 Introduction 9.2 Name services and the DNS 9.3 Directory services 9.6 Summary

Chapter 9: Name Services. 9.1 Introduction 9.2 Name services and the DNS 9.3 Directory services 9.6 Summary Chapter 9: Name Services 9.1 Introduction 9.2 Name services and the DNS 9.3 Directory services 9.6 Summary Learning objectives To understand the need for naming systems in distributed systems To be familiar

More information

How to set up the Integrated DNS Server for Inbound Load Balancing

How to set up the Integrated DNS Server for Inbound Load Balancing How to set up the Integrated DNS Server for Introduction Getting Started Peplink Balance has a built-in DNS server for inbound link load balancing. You can delegate a domain s NS/SOA records, e.g. www.mycompany.com,

More information

Distributed Systems 19. Content Delivery Networks (CDN) Paul Krzyzanowski pxk@cs.rutgers.edu

Distributed Systems 19. Content Delivery Networks (CDN) Paul Krzyzanowski pxk@cs.rutgers.edu Distributed Systems 19. Content Delivery Networks (CDN) Paul Krzyzanowski pxk@cs.rutgers.edu 1 Motivation Serving web content from one location presents problems Scalability Reliability Performance Flash

More information

3. The Domain Name Service

3. The Domain Name Service 3. The Domain Name Service n Overview and high level design n Typical operation and the role of caching n Contents of DNS Resource Records n Basic message formats n Configuring/updating Resource Records

More information

Q3 State of DNS Report DNSSEC Deployment in.gov

Q3 State of DNS Report DNSSEC Deployment in.gov Q3 State of DNS Report DNSSEC Deployment in.gov September 22, 2010 Major findings 38% of federal.gov domains have been signed with DNSSEC as of mid- September 2010 36% of federal.gov domains are fully

More information

High-speed cryptography and DNSCurve. D. J. Bernstein University of Illinois at Chicago

High-speed cryptography and DNSCurve. D. J. Bernstein University of Illinois at Chicago High-speed cryptography and DNSCurve D. J. Bernstein University of Illinois at Chicago Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address,

More information

CS640: Computer Networks. Naming /ETC/HOSTS

CS640: Computer Networks. Naming /ETC/HOSTS CS640: Computer Networks Aditya Akella Lecture 17 Naming and the DNS Naming Need naming to identify resources Once identified, resource must be located How to name resource? Naming hierarchy How do we

More information

Alternatives and Enhancements to CAs for a Secure Web

Alternatives and Enhancements to CAs for a Secure Web Alternatives and Enhancements to CAs for a Secure Web Ben Wilson Digicert, Inc. - CA/Browser Forum Eran Messeri Google Session Classification: Intermediate Current Web PKI System OS / Browsers have Managed

More information

Domain Name System E-mail WWW. Application Layer. Mahalingam Ramkumar Mississippi State University, MS. September 15, 2014.

Domain Name System E-mail WWW. Application Layer. Mahalingam Ramkumar Mississippi State University, MS. September 15, 2014. Application Layer Mahalingam Mississippi State University, MS September 15, 2014 Outline 1 DNS Records DNS Components 2 Message Transfer Fetching Emails 3 Applications We will focus on 3 applications DNS

More information