Secure DNS / DNSsec. Dresden, May 8th, Garbacz, Jan Eisfeld, Martin Gebhardt, Ralf Lu, Yi Mochaourab, Rami Knechtel, Martin
|
|
- Alexandrina Baker
- 7 years ago
- Views:
Transcription
1 Department of Computer Science Institute for System Architecture, Chair of Computer Networks Secure DNS / DNSsec Garbacz, Jan Eisfeld, Martin Gebhardt, Ralf Lu, Yi Mochaourab, Rami Knechtel, Martin Dresden, May 8th, 2006
2 Outline 01 Motivation 02 DNSsec Mechanism 03 BIND TU Dresden, Secure DNS / DNSsec Folie 2 von XYZ
3 01 Motivation Outline Classic DNS Attacks on DNS DNS Cache Poisoning DNS spoofing Man-in-the-Middle-Attack Attacks on DNS-Server Attacks on Clients Is DNSsec already used? TU Dresden, Secure DNS / DNSsec Folie 3 von XYZ
4 01 Motivation Classic DNS DNS translates between domain names and IP addresses Quite old (more than 20 years) DNS does not have any built-in security TU Dresden, Secure DNS / DNSsec Folie 4 von XYZ
5 01 Motivation Classic DNS TU Dresden, Secure DNS / DNSsec Folie 5 von XYZ
6 01 Motivation Attacks on DNS DNS Cache Poisoning Aim: changing information in DNS server to link user to a compromised server Function: user clicks link to Z, DNS server does not know -> ask Z, Z answers and adds additional info. For example, that XY is an alias for Z. if user surfs to XY the DNS send him the IP of Z Problem: elementary errors in DNS TU Dresden, Secure DNS / DNSsec Folie 6 von XYZ
7 01 Motivation Attacks on DNS DNS Cache Poisoning TU Dresden, Secure DNS / DNSsec Folie 7 von XYZ
8 01 Motivation Attacks on DNS DNS spoofing Aim: changing information in DNS server to link user to a compromised server Function: Z asks A for himself, A knows his IP, sends it back, answer includes a QueryID! Z asks for XY, A does not know XY, asks B. in this time Z sends the wrong answer. if the QueryID is correct, A will accept and the cache of A is poisoned all requests to A for XY will be linked to Z Problem: no authentication, simple guessing of the QueryID TU Dresden, Secure DNS / DNSsec Folie 8 von XYZ
9 01 Motivation Attacks on DNS DNS spoofing TU Dresden, Secure DNS / DNSsec Folie 9 von XYZ
10 01 Motivation Attacks on DNS Man-in-the-Middle-Attack changing of DNS-pakets, which are going past for example with an attacked router Attacks on DNS-Server getting access to weak servers an manipulate the database Attacks on Clients attacker sends modified replies to spoofed requests and the server the correct reply. the client accept the first reply. TU Dresden, Secure DNS / DNSsec Folie 10 von XYZ
11 Attacks on Clients It s easy for the hacker to snoop UDP DNS query send to well known server on well known port PC2 www. pc1.tu-dresden.de? Hacker Local DNS Server Root Server tu-dresden.de Server The one, who sends it s response first, is the winner!!! pc1.tu-dresden.de Server IP for example TU Dresden, Secure DNS / DNSsec Folie 11 von XYZ
12 01 Motivation Is DNSsec already used? In October 2005 Sweden (.SE) enables DNSSEC in their zone. This make.se the first cctld to deploy DNSSEC. At the same time RIPE NCC (ripe.net) is in the process of deploying DNSSEC in the reverse zones. RIPE RIPE NCC cctld Réseaux IP Européens RIPE Network Coordination Center country code Top Level Domain TU Dresden, Secure DNS / DNSsec Folie 12 von XYZ
13 02 DNSsec Mechanism 1. New Resource Records 2. Setting up a Secure Zone (Zone Signing) 3. Authentication TU Dresden, Secure DNS / DNSsec Folie 13 von XYZ
14 02 DNSsec Mechanism New Resource Records DNSKEY: DNS Public Key Public key, needed for verifying a RRSIG RRSIG: Resource Record Signature Signature over RRset made using private key NSEC: Next Secure Indicates which name is the next one in the zone and which type codes are available for the current name DS: Delegation Signer Delegation Signer; Pointer for building chains of authentication TU Dresden, Secure DNS / DNSsec Folie 14 von XYZ
15 02 DNSsec Mechanism Setting up a Secure Zone (Zone Signing) 1. Generate keypair (public/private key) 2. Sign the zone Insert NSEC Records Insert RSIG Records Insert DS Records 3. Distribute the Public Key (DNSKEY) disi/dnssec_howto/ TU Dresden, Secure DNS / DNSsec Folie 15 von XYZ
16 02 DNSsec Mechanism Authentication The Public Key can verify the authenticity of signatures and check both integrity and authenticity of the data. disi/dnssec_howto/ TU Dresden, Secure DNS / DNSsec Folie 16 von XYZ
17 03 BIND Outline Introduction Securing DNS data Securing communication between Servers Configuring a recursive name server to verify answers /etc/named.conf Key Generation Signing Zones TU Dresden, Secure DNS / DNSsec Folie 17 von XYZ
18 03 BIND Introduction BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System, including: a Domain Name System server (named) a Domain Name System resolver library tools for verifying the proper operation of the DNS server The BIND DNS Server is used on the vast majority of name serving machines on the Internet, providing a robust and stable architecture on top of which an organization's naming architecture can be built. The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service. TU Dresden, Secure DNS / DNSsec Folie 18 von XYZ
19 03 BIND Securing DNS data 1. Configuring a recursive name server to verify answers 2. Securing a DNS zone 3. Delegating of signing authority; becoming globally secure 4. Rolling keys Securing communication between Servers 5. Securing zone transfers TU Dresden, Secure DNS / DNSsec Folie 19 von XYZ
20 03 BIND Configuring a recursive name server to verify answers TU Dresden, Secure DNS / DNSsec Folie 20 von XYZ
21 03 BIND /etc/named.conf example.net SOA +retry=1 +dnssec +multiline ; <<>> DiG 9.3.0beta3 example.net SOA +retry=1 +dnssec +multiline ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;example.net. IN SOA ;; ANSWER SECTION: example.net. 100 IN SOA ns.registry.tld. olaf.ripe.net. ( ; serial 100 ; refresh (1 minute 40 seconds) 200 ; retry (3 minutes 20 seconds) ; expire (1 week) 100 ; minimum (1 minute 40 seconds) ) example.net. 100 IN RRSIG SOA ( example.net. GMdIREMWV+LMuoDZvoVKyUobeEdeXTqzdV0MAUB9VSf7 gt+doba2tmysmg9onvujcbkbrzvlq56csgggqmeet8/q 8auCpFYiXiFri+9LitVKK+n3UvBIb6AL+/acyhUmUzbq 5mF1nuWUDiuIuv/fXFGIeS9V/6P7+ufXWqedhVY= ) ;; ADDITIONAL SECTION: example.net. 100 IN DNSKEY ( / / ) ;; Query time: 783 msec ;; SERVER: #53( ) ;; WHEN: Wed May 12 11:41: ;; MSG SIZE rcvd: 890 TU Dresden, Secure DNS / DNSsec Folie 21 von XYZ
22 03 BIND Key Generation Usage: dnssec-keygen -a alg -b bits -n type [options] name Version: Required options: -a algorithm: RSA RSAMD5 DH DSA RSASHA1 HMAC-MD5 -b key size, in bits: RSAMD5: [ ] RSASHA1: [ ] DH: [ ] DSA: [ ] and divisible by 64 HMAC-MD5: [1..512] -n nametype: ZONE HOST ENTITY USER OTHER name: owner of the key Other options: -c <class> (default: IN) -e use large exponent (RSAMD5/RSASHA1 only) -f keyflag: KSK -g <generator> use specified generator (DH only) -t <type>: AUTHCONF NOAUTHCONF NOAUTH NOCONF (default: AUTHCONF) -p <protocol>: default: 3 [dnssec] -s <strength> strength value this key signs DNS records with (default: 0) -r <randomdev>: a file containing random data -v <verbose level> -k : generate a TYPE=KEY key Output: K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private TU Dresden, Secure DNS / DNSsec Folie 22 von XYZ
23 03 BIND Signing Zones Usage: dnssec-signzone [options] zonefile [keys] Version: Options: (default value in parenthesis) -c class (IN) -d directory directory to find keyset files (.) -g: generate DS records from keyset files -s YYYYMMDDHHMMSS +offset: RRSIG start time - absolute offset (now - 1 hour) -e YYYYMMDDHHMMSS +offset "now"+offset]: RRSIG end time - absolute from start from now (now + 30 days) -i interval: cycle interval - resign if < interval from end ( (end-start)/4 ) -v debuglevel (0) -o origin: zone origin (name of zonefile) -f outfile: file the signed zone is written in (zonefile +.signed) -r randomdev: a file containing random data -a: verify generated signatures -p: use pseudorandom data (faster but less secure) -t: print statistics -n ncpus (number of cpus present) -k key_signing_key -l lookasidezone -z: ignore KSK flag in DNSKEYs Signing Keys: (default: all zone keys that have private keys) keyfile (Kname+alg+tag) TU Dresden, Secure DNS / DNSsec Folie 23 von XYZ
24 04 Bibliography RFCs RFC 4033 DNS Security Introduction and Requirements RFC 4034 Resource Records for the DNS Security Extensions RFC 4035 Protocol Modifications for the DNS Security Extensions TU Dresden, Secure DNS / DNSsec Folie 24 von XYZ
25 04 Bibliography URLs A short history of DNSSEC NIC-SE makes Internet safer using dnssec TU Dresden, Secure DNS / DNSsec Folie 25 von XYZ
DNS SECURITY TROUBLESHOOTING GUIDE
DNS SECURITY TROUBLESHOOTING GUIDE INTERNET DEPLOYMENT OF DNS SECURITY 27 November 2006 Table of Contents 1. INTRODUCTION...3 2. DNS SECURITY SPECIFIC FAILURE MODES...3 2.1 SIGNATURES...3 2.1.1 Signature
More informationDomain Name System Security
Abstract Domain Name System Security Ladislav Hagara hgr@vabo.cz Department of Automated Command Systems and Informatics Military Academy in Brno Brno, Czech Republic Domain Name System (DNS) is one of
More informationDNS at NLnet Labs. Matthijs Mekking
DNS at NLnet Labs Matthijs Mekking Topics NLnet Labs DNS DNSSEC Recent events NLnet Internet Provider until 1997 The first internet backbone in Holland Funding research and software projects that aid the
More informationInternet-Praktikum I Lab 3: DNS
Kommunikationsnetze Internet-Praktikum I Lab 3: DNS Mark Schmidt, Andreas Stockmayer Sommersemester 2015 kn.inf.uni-tuebingen.de Motivation for the DNS Problem IP addresses hard to remember for humans
More informationnetkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)
Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group netkit lab dns Version Author(s) E-mail Web Description 2.2 G. Di Battista, M. Patrignani, M.
More informationStep-by-Step DNSSEC-Tools Operator Guidance Document
Step-by-Step DNSSEC-Tools Operator Guidance Document Using the DNSSEC-Tools v1.0 distribution SPARTA, Inc. Table of Contents 1. Introduction... 1 Organization of this Document... 1 Key Concepts... 2 Zones
More informationLocal DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1
SEED Labs Local DNS Attack Lab 1 Local DNS Attack Lab Copyright c 2006 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation s Course,
More informationDNSSEC in your workflow
DNSSEC in your workflow Presentation roadmap Overview of problem space Architectural changes to allow for DNSSEC deployment Deployment tasks Key maintenance DNS server infrastructure Providing secure delegations
More informationPart 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology
SAST01 An Introduction to Information Security Part 5 DNS Security Martin Hell Department of Electrical and Information Technology How DNS works Amplification attacks Cache poisoning attacks DNSSEC 1 2
More informationBenchmarking Zonemaster Sandoche Balakrichenan (Afnic) & Einar Lonn (IIS)
Benchmarking Zonemaster Sandoche Balakrichenan (Afnic) & Einar Lonn (IIS) 1 1 Health check je n'ai pas eu de retour, peut être que c'était trop sybillin 2 DNS Health check Connectivity Name Server DNSSEC
More informationDomain Name System. DNS is an example of a large scale client-server application. Copyright 2014 Jim Martin
Domain Name System: DNS Objective: map names to IP addresses (i.e., high level names to low level names) Original namespace was flat, didn t scale.. Hierarchical naming permits decentralization by delegating
More informationKAREL UCAP DNS AND DHCP CONCEPTS MANUAL MADE BY: KAREL ELEKTRONIK SANAYI ve TICARET A.S. Organize Sanayi Gazneliler Caddesi 10
KAREL UCAP DNS AND DHCP CONCEPTS MANUAL MADE BY: KAREL ELEKTRONIK SANAYI ve TICARET A.S. Organize Sanayi Gazneliler Caddesi 10 Sincan 06935 Ankara, Turkey Version Table Manual Version/Date AAA/22.03.2011
More informationCreating a master/slave DNS server combination for your Grid Infrastructure
Creating a master/slave DNS server combination for your Grid Infrastructure When doing a Grid Infrastructure installation, a DNS server is needed to resolve addresses for the cluster- scan addresses. In
More informationHow-to: DNS Enumeration
25-04-2010 Author: Mohd Izhar Ali Email: johncrackernet@yahoo.com Website: http://johncrackernet.blogspot.com Table of Contents How-to: DNS Enumeration 1: Introduction... 3 2: DNS Enumeration... 4 3: How-to-DNS
More informationThales nshield HSM. Integration Guide for ISC BIND DNSSEC. www.thalesgroup.com/iss
Thales nshield HSM Integration Guide for ISC BIND DNSSEC www.thalesgroup.com/iss Version: 1.1 Date: 15 June 2011 Copyright 2011 Thales e-security Limited. All rights reserved. Copyright in this document
More informationWHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid
WHITE PAPER Best Practices DNSSEC Zone Management on the Infoblox Grid What Is DNSSEC, and What Problem Does It Solve? DNSSEC is a suite of Request for Comments (RFC) compliant specifications developed
More informationDNSSEC Deployment a case study
DNSSEC Deployment a case study Olaf M. Kolkman Olaf@NLnetLabs.nl RIPE NCCs Project Team: Katie Petrusha, Brett Carr, Cagri Coltekin, Adrian Bedford, Arno Meulenkamp, and Henk Uijterwaal Januari 17, 2006
More informationDNSSEC Applying cryptography to the Domain Name System
DNSSEC Applying cryptography to the Domain Name System Gijs van den Broek Graduate Intern at SURFnet Overview First half: Introduction to DNS Attacks on DNS Second half: DNSSEC Questions: please ask! DNSSEC
More informationDNSSEC. Introduction Principles Deployment
DNSSEC Introduction Principles Deployment Overview What we will cover The problems that DNSSEC addresses The protocol and implementations Things to take into account to deploy DNSSEC The practical problems
More informationGoal of this session
DNS refresher Overview Goal of this session What is DNS? How is DNS built and how does it work? How does a query work? Record types Caching and Authoritative Delegation: domains vs zones Finding the error:
More informationDOMAIN NAME SECURITY EXTENSIONS
DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions
More informationHow To Attack Isc.Org.Org With A Dnet On A Network With A Pnet On The Same Day As A Dbus On A Pc Or Ipnet On An Ipnet.Org On A 2.5Th Gen.Net
Surviving a DDoS Attack: What every host needs to know Maria Karaivanova, Business Development David Koston, Platform www.cloudflare.com DDoS Attacks are becoming massive, and easier to initiate!2 Major
More informationDomain Name System (DNS) Fundamentals
Domain Name System (DNS) Fundamentals Mike Jager Network Startup Resource Center mike.jager@synack.co.nz These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International
More informationThe Domain Name System from a security point of view
The Domain Name System from a security point of view Simon Boman Patrik Hellström Email: {simbo105, pathe321}@student.liu.se Supervisor: David Byers, {davby@ida.liu.se} Project Report for Information Security
More informationDNS Pharming Attack Lab
CNT 5410 - Fall 2014 1 DNS Pharming Attack Lab (This is a modified version of the exercise listed below. Modifications are to provide tighter configuration so as to minimize the risk of traffic leaving
More informationMotivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace
Motivation Domain Name System (DNS) IP addresses hard to remember Meaningful names easier to use Assign names to IP addresses Name resolution map names to IP addresses when needed Namespace set of all
More informationUnbound a caching, validating DNSSEC resolver. Do you trust your name server? Configuration. Unbound as a DNS cache (SEC-less)
Unbound a caching, validating DNSSEC resolver UKUUG Spring 2011 Conference Leeds, UK March 2011 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr Do you trust your name server? DNS clients typically
More informationRough Outline. Introduction Why DNSSEC DNSSEC Theory Famous last words. http://www.nlnetlabs.nl/ Universiteit van Amsterdam, Sep 2006.
page 2 Rough Outline An introduction to DNSSEC Olaf Kolkman 21 September 2006 Stichting (www.nlnetlabs.nl) Introduction Why DNSSEC DNSSEC Theory Famous last words page 3 DNSSEC evangineers of the day Olaf:
More informationDomain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley abulley@ghana.com
Domain Name System (DNS) Session-1: Fundamentals Ayitey Bulley abulley@ghana.com Computers use IP addresses. Why do we need names? Names are easier for people to remember Computers may be moved between
More informationDNS Security FAQ for Registrants
DNS Security FAQ for Registrants DNSSEC has been developed to provide authentication and integrity to the Domain Name System (DNS). The introduction of DNSSEC to.nz will improve the security posture of
More informationCSE 127: Computer Security. Network Security. Kirill Levchenko
CSE 127: Computer Security Network Security Kirill Levchenko December 4, 2014 Network Security Original TCP/IP design: Trusted network and hosts Hosts and networks administered by mutually trusted parties
More informationNetworking Domain Name System
IBM i Networking Domain Name System Version 7.2 IBM i Networking Domain Name System Version 7.2 Note Before using this information and the product it supports, read the information in Notices on page
More informationDNS and LDAP persistent search
FreeIPA Training Series DNS and LDAP persistent search FreeIPA 3.0 and bind-dyndb-ldap 2.3 Petr Špaček 01-14-2013 FreeIPA DNS integration FreeIPA is able to store
More informationForouzan: Chapter 17. Domain Name System (DNS)
Forouzan: Chapter 17 Domain Name System (DNS) Domain Name System (DNS) Need System to map name to an IP address and vice versa We have used a host file in our Linux laboratory. Not feasible for the entire
More informationBuilding a Linux IPv6 DNS Server
Building a Linux IPv6 DS Server By David Gordon and Ibrahim Haddad Open Systems Lab Ericsson Research Corporate Unit This article presents a tutorial on building an IPv6 DS Linux server that provides IPv6
More informationTHE DOMAIN NAME SYSTEM DNS
Announcements THE DOMAIN NAME SYSTEM DNS Internet Protocols CSC / ECE 573 Fall, 2005 N. C. State University copyright 2005 Douglas S. Reeves 2 Today s Lecture I. Names vs. Addresses II. III. IV. The Namespace
More informationDNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)
DNSSEC: A Vision Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Outline DNS Today DNS Attacks DNSSEC: An Approach Countering DNS Attacks Conclusion 2 DNS Today DNS is
More informationdnsperf DNS Performance Tool Manual
dnsperf DNS Performance Tool Manual Version 2.0.0 Date February 14, 2012 Copyright 2002-2012, Inc. - All Rights Reserved This software and documentation is subject to and made available pursuant to the
More informationResilient Networking. Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning. Securing DNS Split-Split-DNS DNSSEC.
Resilient Networking 6: Attacks on DNS Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC SoSe 2014 Fachbereich Informatik Telecooperation Group
More informationGeorgia College & State University
Georgia College & State University Milledgeville, GA Domain Name Service Procedures Domain Name Service Table of Contents TABLE OF REVISIONS... 3 SECTION 1: INTRODUCTION... 4 1.1 Scope and Objective...
More informationDomain Name System Security Extensions... 3
Contents Domain Name System Security Extensions... 3 Introduction to DNSSEC... 3 What is DNSSEC?... 3 Why is DNSSEC important?... 3 DNS threats and security... 4 Spoofing... 4 Understanding DNSSEC in Windows...
More informationDNSSEC - SECURE DNS FOR GOVERNMENT. Whitepaper
DNSSEC - SECURE DNS FOR GOVERNMENT Whitepaper ii BlueCat Networks Use of this document Copyright This document and all information (in text, Graphical User Interface ( GUI ), video and audio forms), images,
More informationDNS Security: New Threats, Immediate Responses, Long Term Outlook. 2007 2008 Infoblox Inc. All Rights Reserved.
DNS Security: New Threats, Immediate Responses, Long Term Outlook 2007 2008 Infoblox Inc. All Rights Reserved. A Brief History of the Recent DNS Vulnerability Kaminsky briefs key stakeholders (CERT, ISC,
More informationRemote DNS Cache Poisoning Attack Lab
SEED Labs Remote DNS Cache Poisoning Attack Lab 1 Remote DNS Cache Poisoning Attack Lab Copyright c 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by the following
More informationDNSSEC - Why Network Operators Should Care And How To Accelerate Deployment
DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment Dan York, CISSP Senior Content Strategist, Internet Society Eurasia Network Operators' Group (ENOG) 4 Moscow, Russia October
More informationDefeating DNS Amplification Attacks. Ralf Weber Senior Infrastructure Architect
Defeating DNS Amplification Attacks Ralf Weber Senior Infrastructure Architect History DNS amplification attacks aren't new Periodically reemerge as attackers read history books J NANOG 56 Reports of unusual
More informationTable of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.
Table of Contents DNS Some advanced topics Karst Koymans Informatics Institute University of Amsterdam (version 154, 2015/09/14 10:44:10) Friday, September 11, 2015 DNS on the wire Encoding of domain names
More informationDNS zone transfers from FreeIPA to non-freeipa slave servers
FreeIPA Training Series DNS zone transfers from FreeIPA to non-freeipa slave servers FreeIPA 3.0 and bind-dyndb-ldap 2.3 Petr Špaček 01-03-2013 Text file based
More informationDeploying DNSSEC: From End-Customer To Content
Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical
More informationDNSSEC. Zone Management. with ZKT
DNSSEC Zone Management with ZKT DENIC DNSSEC Testbed Wor kshop Fr ankfur t/main Ger many 26. Jan 2010 Holger.Zuleger@hznet.de 26. Jan 2010 Holger Zuleger 1/21 > c Agenda ZKT Over view Intro Key features
More informationFAQ (Frequently Asked Questions)
FAQ (Frequently Asked Questions) Specific Questions about Afilias Managed DNS What is the Afilias DNS network? How long has Afilias been working within the DNS market? What are the names of the Afilias
More informationLecture 2 CS 3311. An example of a middleware service: DNS Domain Name System
Lecture 2 CS 3311 An example of a middleware service: DNS Domain Name System The problem Networked computers have names and IP addresses. Applications use names; IP uses for routing purposes IP addresses.
More informationTanenbaum, Computer Networks (extraits) Adaptation par J.Bétréma. DNS The Domain Name System
Tanenbaum, Computer Networks (extraits) Adaptation par J.Bétréma DNS The Domain Name System RFC 1034 Network Working Group P. Mockapetris Request for Comments: 1034 ISI Obsoletes: RFCs 882, 883, 973 November
More informationApplication Protocols in the TCP/IP Reference Model
Application Protocols in the TCP/IP Reference Model File Transfer E-Mail Network Management WWW Virtual Terminal Name Service File Transfer HTTP FTP Telnet SMTP DNS SNMP TFTP Internet protocols TCP UDP
More informationDNSSEC Practice Statement (DPS)
DNSSEC Practice Statement (DPS) 1. Introduction This document, "DNSSEC Practice Statement ( the DPS ) for the zones under management of Zodiac Registry Limited, states ideas of policies and practices with
More informationInternet Security [1] VU 184.216. Engin Kirda engin@infosys.tuwien.ac.at
Internet Security [1] VU 184.216 Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel chris@auto.tuwien.ac.at Administration Challenge 2 deadline is tomorrow 177 correct solutions Challenge 4 will
More informationDomain Name System (DNS)
Chapter 18 CSC465 Computer Networks Spring 2004 Dr. J. Harrison These slides are based on the text TCP/IP Protocol Suite (2 nd Edition) Domain Name System (DNS) CONTENTS NAME SPACE DOMAIN NAME SPACE DISTRIBUTION
More informationApplication Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Concept. DNS - Domain Name System
Application Protocols in the TCP/IP Reference Model Application Protocols in the TCP/IP Reference Model File Transfer E-Mail Network Management Protocols of the application layer are common communication
More informationDomain Name System (DNS) RFC 1034 RFC 1035 http://www.ietf.org
Domain Name System (DNS) RFC 1034 RFC 1035 http://www.ietf.org TCP/IP Protocol Suite Application Layer DHCP DNS SNMP HTTP SMTP POP Transport Layer UDP TCP ICMP IGMP Network Layer IP Link Layer ARP ARP
More informationDomain Name System 2015-04-28 17:49:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement
Domain Name System 2015-04-28 17:49:44 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Domain Name System... 4 Domain Name System... 5 How DNS Works
More informationConfiguring DNS on Cisco Routers
Configuring DNS on Cisco Routers Document ID: 24182 Contents Introduction Prerequisites Requirements Components Used Conventions Setting Up a Router to Use DNS Lookups Troubleshooting You Can Ping a Web
More informationThe Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. <matthaeus.wander@uni-due.de> Duisburg, June 19, 2015
The Impact of DNSSEC on the Internet Landscape Matthäus Wander Duisburg, June 19, 2015 Outline Domain Name System Security problems Attacks in practice DNS Security Extensions
More informationBIND 9 DNS Security. Enterprise Applications Division of the Systems and Network Analysis Center (SNAC) Information Assurance Directorate
BIND 9 DNS Security Report # I733-004R-2010 Date: 02/14/2011 Enterprise Applications Division of the Systems and Network Analysis Center (SNAC) Information Assurance Directorate Author(s) I733 National
More informationDNSSEC Policy Statement Version 1.1.0. 1. Introduction. 1.1. Overview. 1.2. Document Name and Identification. 1.3. Community and Applicability
DNSSEC Policy Statement Version 1.1.0 This DNSSEC Practice Statement (DPS) conforms to the template included in RFC 6841. 1. Introduction The approach described here is modelled closely on the corresponding
More informationDNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS
AFNIC s Issue Papers DNSSEC Domain Name System Security Extensions 1 - Organisation and operation of the DNS 2 - Cache poisoning attacks 3 - What DNSSEC can do 4 - What DNSSEC cannot do 5 - Using keys
More informationACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example Document ID: 113571 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information
More informationDNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers
DNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers version 1.9., valid since 1 January 2010 Introduction This material lays out operational rules that govern the work of the CZ.NIC association
More informationDNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)
DNS Some advanced topics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.6, 2013/09/19 10:55:30) Friday, September 13, 2013 Karst Koymans (with Niels Sijm) (UvA)
More informationGood practices guide for deploying DNSSEC
Deploying DNSSEC January 10 Good practices guide Good practices guide for deploying DNSSEC About ENISA: The European Network and Information Security Agency (ENISA) is an EU agency created to advance the
More informationDRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014
DRDoS Attacks: Latest Threats and Countermeasures Larry J. Blunk Spring 2014 MJTS 4/1/2014 Outline Evolution and history of DDoS attacks Overview of DRDoS attacks Ongoing DNS based attacks Recent NTP monlist
More informationXN--P1AI (РФ) DNSSEC Policy and Practice Statement
XN--P1AI (РФ) DNSSEC Policy and Practice Statement XN--P1AI (РФ) DNSSEC Policy and Practice Statement... 1 INTRODUCTION... 2 Overview... 2 Document name and identification... 2 Community and Applicability...
More informationDNSSEC Support in SOHO CPE. OARC Workshop Ottawa 24 th September 2008
DNSSEC Support in SOHO CPE OARC Workshop Ottawa 24 th September 2008 or: How not to write a DNS proxy Study Details What is the impact of DNSSEC on consumer-class broadband routers? Joint study between
More informationUse Domain Name System and IP Version 6
Use Domain Name System and IP Version 6 What You Will Learn The introduction of IP Version 6 (IPv6) into an enterprise environment requires some changes both in the provisioned Domain Name System (DNS)
More information- Domain Name System -
1 Name Resolution - Domain Name System - Name resolution systems provide the translation between alphanumeric names and numerical addresses, alleviating the need for users and administrators to memorize
More informationDNS : Domain Name System
1/30 DNS : Domain Name System Surasak Sanguanpong nguan@.ac.th http://www...ac.th/~nguan Last updated: May 24, 1999 Outline 2/30 DNS basic name space name resolution process protocol configurations Why
More informationDNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.
Lab Exercise DNS Objective DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses. Step 1: Analyse the supplied DNS Trace Here we examine the supplied trace of a
More informationHow to Enable Internet for Guest Virtual Machine using Wi-Fi wireless Internet Connection.
How to Enable Internet for Guest Virtual Machine using Wi-Fi wireless Internet Connection. Table of Contents 1) Host, Guest and VBox version.... 2 2) Check your current Host and Guest Details... 3 3) Now
More informationSecurity of IPv6 and DNSSEC for penetration testers
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions
More informationDNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org
DNS Best Practices Mike Jager Network Startup Resource Center mike@nsrc.org This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org). This document may be
More informationDNS. Computer Networks. Seminar 12
DNS Computer Networks Seminar 12 DNS Introduction (Domain Name System) Naming system used in Internet Translate domain names to IP addresses and back Communication works on UDP (port 53), large requests/responses
More informationDNS security: poisoning, attacks and mitigation
DNS security: poisoning, attacks and mitigation The Domain Name Service underpins our use of the Internet, but it has been proven to be flawed and open to attack. Richard Agar and Kenneth Paterson explain
More informationAmerican International Group, Inc. DNS Practice Statement for the AIG Zone. Version 0.2
American International Group, Inc. DNS Practice Statement for the AIG Zone Version 0.2 1 Table of contents 1 INTRODUCTION... 6 1.1 Overview...6 1.2 Document Name and Identification...6 1.3 Community and
More informationEnabling DNS for IPv6 CSD Fall 2011
Enabling DNS for IPv6 CSD Fall 2011 Team members: Bowei Dai daib@kth.se 15 credits Elis Kullberg elisk@kth.se 18 credits Hannes Junnila haju@kth.se 15 credits Nur Mohammad Rashed nmrashed@kth.se 15 credits
More informationDNSSEC. Key Maintenance Analysis. by Jelte Jansen
DNSSEC Key Maintenance Analysis by Jelte Jansen DNSSEC Key Maintenance Analysis Jelte Jansen, NLnet Labs http://www.nlnetlabs.nl NLnet Labs document 2008-002 version 1.0 September 11, 2008 jelte@nlnetlabs.nl
More informationDNS Amplification Attacks as a DDoS Tool and Mitigation Techniques
DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques Klaus Steding-Jessen jessen@cert.br! Computer Emergency Response Team Brazil - CERT.br Network Information Center Brazil - NIC.br Brazilian
More informationSecuring an Internet Name Server
Securing an Internet Name Server Cricket Liu cricket@verisign.com Securing an Internet Name Server Name servers exposed to the Internet are subject to a wide variety of attacks: Attacks against the name
More informationCS 557 - Lecture 22 DNS Security
CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall 2013 The Domain Name System Virtually every application uses the Domain Name System (DNS). DNS database
More informationDNS, DNSSEC and DDOS. Geoff Huston APNIC February 2014
DNS, DNSSEC and DDOS Geoff Huston APNIC February 2014 The Evolu3on of Evil It used to be that they sent evil packets to their chosen vic3m but this exposed the abacker, and limited the damage they could
More informationDNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .
Computer System Security and Management SMD139 Lecture 5: Domain Name System Peter A. Jonsson DNS Translation of Hostnames to IP addresses Hierarchical distributed database DNS Hierarchy The Root Name
More informationSome advanced topics. Karst Koymans. Friday, September 11, 2015
DNS Some advanced topics Karst Koymans Informatics Institute University of Amsterdam (version 154, 2015/09/14 10:44:10) Friday, September 11, 2015 Karst Koymans (UvA) DNS Friday, September 11, 2015 1 /
More informationThe Use of DNS Resource Records
International Journal of Advances in Electrical and Electronics Engineering 230 Available online at www.ijaeee.com & www.sestindia.org/volume-ijaeee/ ISSN: 2319-1112 Simar Preet Singh Systems Engineer,
More informationPrepared by: National Institute of Standards and Technology SPARTA, Inc. Shinkuro, Inc.
Signing the Domain Name System Root Zone: Technical Specification Prepared for: Science and Technology Directorate US Department of Homeland Security Prepared by: National Institute of Standards and Technology
More informationDNSSEC Policy and Practice Statement.amsterdam
DNSSEC Policy and Practice Statement.amsterdam Contact T +31 26 352 55 00 support@sidn.nl www.sidn.nl Offices Meander 501 6825 MD Arnhem Mailing address Postbus 5022 6802 EA Arnhem May 24, 2016 Public
More informationDomain Name System Security
Domain Name System Security Guevara Noubir Network Security Northeastern University 1 Domain Name System DNS is a fundamental applica=on layer protocol Not visible but invoked every =me a remote site is
More informationCopyright 2012 http://itfreetraining.com
In order to find resources on the network, computers need a system to look up the location of resources. This video looks at the DNS records that contain information about resources and services on the
More informationDNS + DHCP. Michael Tsai 2015/04/27
DNS + DHCP Michael Tsai 2015/04/27 lubuntu.ova http://goo.gl/bax8b8 DNS + DHCP DNS: domain name < > IP address DHCP: gives you a IP + configuration when you joins a new network DHCP = Dynamic Host Configuration
More informationDNS. Computer networks - Administration 1DV202. fredag 30 mars 12
DNS Computer networks - Administration 1DV202 DNS History Who needs DNS? The DNS namespace How DNS works The DNS database The BIND software Server and client configuration The history of DNS RFC 882 and
More informationDNS Service on Linux. Supawit Wannapila CCNA, RHCE supawit.w@cmu.ac.th
DNS Service on Linux Supawit Wannapila CCNA, RHCE supawit.w@cmu.ac.th Host Name Resolution Common Host Name Service Files (/etc/hosts and /etc/networks) DNS (/etc/resolv.conf) Multiple client-side resolvers:
More informationOverview of DNSSEC deployment worldwide
The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research conducted by EURid in cooperation with industry experts
More informationDNS based Load Balancing with Fault Tolerance
DNS based Load Balancing with Fault Tolerance by Kåre Presttun, Oslo, Norway Kare@Presttun.org Introduction There are several load-balancing systems on the market. They range from local switch based load
More information