The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. Duisburg, June 19, 2015
|
|
- Daniella Lambert
- 8 years ago
- Views:
Transcription
1 The Impact of DNSSEC on the Internet Landscape Matthäus Wander Duisburg, June 19, 2015
2 Outline Domain Name System Security problems Attacks in practice DNS Security Extensions (DNSSEC) Protection and new problems Adoption in practice Matthäus Wander 2
3 DOMAIN NAME SYSTEM Matthäus Wander 3
4 Domain Name System (DNS) Stub Resolver Recursive Resolver Recursive Resolver Distributed Database Hierarchical Namespace Authoritative Name Servers Resolve domain names to data (e.g. IP address) Data sets: resource records Matthäus Wander 4
5 DNS Spoofing Attacks Stub Resolver Recursive Resolver Recursive Resolver Attacker Goals: Divert application to another server Deny service Authoritative Name Servers Matthäus Wander 5
6 DNS Spoofing Attacks Stub Resolver Recursive Resolver Recursive Resolver On-path attacker: Sees query, spoofs response (e.g. public WiFi) Authoritative Name Servers Off-path attacker: Predicts query, spoofs response (anywhere in the Internet) Matthäus Wander 6
7 Man-in-the-Middle Attack Stub Resolver Recursive Resolver Recursive Resolver Man-in-the-middle (MITM) attacker: Sees query, spoofs response Authoritative Name Servers Filtering of resolver users Matthäus Wander 7
8 Man-in-the-Middle Attack Stub Resolver Recursive Resolver Man-in-the-middle (MITM) attacker: Sees query, spoofs response Authoritative Name Servers Filtering of resolver users Matthäus Wander 8
9 Man-in-the-Middle Attack Stub Resolver ISP Router Recursive Resolver MITM attack on IP router: Deep Packet Inspection of DNS traffic Router sees query, spoofs response Authoritative Name Servers Effective filtering of all DNS queries in network Matthäus Wander 9
10 Cumulated responses Probing for DNS Injectors Published in: IEEE Access, 2014 Responses for facebook.com Vantage point Round-trip time [s] Matthäus Wander 10
11 DNS Injection over Time Published in: IEEE Access, 2014 Responses for facebook.com Matthäus Wander 11
12 Impact Assessment on Third Parties Published in: IEEE Access, 2014 Unrelated third party routed through censored country Matthäus Wander 12
13 Open Resolver Measurement Published in: IEEE Access, 2014 Worldwide impact of Chinese DNS injection Top-level domains 1144 name servers Multiple vantage points 255k open resolvers worldwide Sender Open Resolver IN A? Destination: TLD server Matthäus Wander 13
14 Affected resolvers Affected resolvers Open Resolver Results Published in: IEEE Access, k resolvers (6%) affected by Chinese DNS injection 14k affected when contacting e.dns.kr Country Matthäus Wander 14 Destination name server
15 .kr Top-Level Domain Servers Published in: IEEE Access, 2014 Matthäus Wander 15
16 Impact Assessment on Third Parties Published in: IEEE Access, 2014 Unrelated third party routed through censored country into Matthäus Wander 16
17 DNSSEC Matthäus Wander 17
18 Concept DNS zone Stub Resolver Recursive Resolver Recursive Resolver Authoritative Name Server Security goals: data integrity and authenticity Signatures pre-generated over DNS data sets End-to-end security between validator and signer Matthäus Wander 18
19 Public Key Distribution. Public key net: key fingerprint net. Public key verteiltesysteme.net: key fingerprint Resolver has copy of root public key verteiltesysteme.net. Public key Signed resource records Matthäus Wander 19
20 Trust Model DNSSEC Root Zone Top-level 2nd level Authority limited to subnamespace Powerful root authority Matthäus Wander 20
21 Cache Lock-in Stub Resolver Recursive Resolver Recursive Resolver Authoritative Name Server CD=1 CD=1 DNS zone Cache Cache Cache End-to-end security: validation on end host Independent of validation failures on intermediate resolvers Request response without DNSSEC validation Problem: cache lock-in Matthäus Wander 21
22 Cache Lock-in Stub Resolver Recursive Resolver Recursive Resolver Authoritative Name Server CD=1 CD=1 DNS zone Cache Cache Cache Omit intermediate resolvers Effectiveness of intermediate caching? Matthäus Wander 22
23 Trace-driven Simulation of Cache Effectiveness Cache Clients Recursive Resolver Cache collection point Authoritative Name Servers Cache Cache Cache models: Shared cache in front of 10k clients 10k independent caches Matthäus Wander 23
24 Queries per 10-min bucket Bandwidth Overhead Internal External (shared) External (10k) External traffic: Shared cache: 2.44 GBytes 10k caches: 7.55 GBytes Sep 19 Sep 21 Sep Universität 23 SepDuisburg-Essen Sep Matthäus Wander 24
25 Latency Overhead Matthäus Wander 25
26 Latency Overhead Q 0, ms Q 0,9 +74 ms Utilize intermediate DNS caches Q 0,5 +11 ms Fall back to autonomous resolution on failure Matthäus Wander 26
27 Privacy and Confidentiality Published in: IEEE NCA, 2014 Client: no privacy improvement Cleartext DNSSEC messages Server: discloses hash values of zone contents Server proves non-existence Client queries h( test )=80a1 DNS zone Server database Hashing supposed to hide names 78a1 NSEC3 8e5d Break NSEC3 hash values with GPU-based attacks One GPU reveals 65%.com hash values in 5 days Matthäus Wander 27
28 ADOPTION OF DNSSEC Matthäus Wander 28
29 Signed Top-Level Domains Matthäus Wander 29
30 Signed Second-Level Domains DNS zone Server database TLD Domains 1. nl 2,279, br 566, cz 448, com 426, se 349, eu 320, fr 205, no 119, be 92, net 81, org 46, ovh 29, nu 21, de 20,004 Total: 5,146,705 signed domains Matthäus Wander 30
31 Algorithms and Key Sizes Algorithm Survey of 3.4M domains Domains RSA/MD5 0 DSA/SHA-1 2,176 RSA/SHA-1 1,547,782 RSA/SHA-256 1,869,157 RSA/SHA-512 1,100 GOST R ECDSA P-256/SHA ECDSA P-384/SHA >99% use RSA RSA Key Size Domains , ,152, , , ,135 Shortest RSA key per domain Result Domains No DNSKEY (dangling DS) 17,751 No trusted DNSKEY (dangling DS) Matthäus Wander 31 1,066 No RRSIG for trusted DNSKEY 238 Signature expired 2,138 Signature verify failure 5 Validation failure 21,198 Validation success 3,416,700 0,6% domains fail validation
32 Measuring Validating Clients Published in: LNCS PAM, Invisible 1px images SigOk SigFail DNSKEY Recursive Resolver Authoritative Name Server Matthäus Wander 32
33 DNSSEC Validation Published in: LNCS PAM, k test results from 557k distinct IP addresses Matthäus Wander 33
34 DNSSEC Validation per Country Published in: LNCS PAM, Median per country: 1% Matthäus Wander 34
35 DNSSEC Validation per Country Median per country: 20% Matthäus Wander 35
36 Conclusions (1/2) DNS spoofing used for Internet filtering 6% resolvers worldwide affected by Chinese DNS injection Evidence of router-based DNS injection in Iran Political changes in DNS filtering observable from outside DNS caching causes lock-in on bogus data Trace-driven simulation shows moderate benefit of caching Suggestion: omit DNS caches on DNSSEC validation failure Matthäus Wander 36
37 Conclusions (2/2) DNSSEC secures data integrity and authenticity Hashing is ineffective for protecting the DNS database First-time survey of all DNSSEC signed domains 5M signed domains: >99% use RSA, 0.6% are broken 3-year measurement of validating clients Worldwide increase of DNSSEC adoption Varies by country (median 20%) Matthäus Wander 37
38 Referenced Publications M. Wander, T. Weis: Measuring Occurrence of DNSSEC Validation, Passive and Active Measurement (PAM), LNCS Springer, M. Wander, C. Boelmann, L. Schwittmann, T. Weis: Measurement of Globally Visible DNS Injection, IEEE Access, M. Wander, L. Schwittmann, C. Boelmann, T. Weis: GPU-based NSEC3 Hash Breaking, IEEE NCA, Awarded best student paper. Matthäus Wander 38
NSEC3 Hash Breaking. GPU-based. Matthäus Wander, Lorenz Schwittmann, Christopher Boelmann, Torben Weis IEEE NCA 2014. <matthaeus.wander@uni-due.
GPU-based NSEC3 Hash Breaking Matthäus Wander, Lorenz Schwittmann, Christopher Boelmann, Torben Weis IEEE NCA 2014 Cambridge, August 22, 2014 NSEC3 FUNDAMENTALS Matthäus Wander
More informationDNSSEC. Matthäus Wander. Erlangen, April 20, 2015. and the Hassle of Negative Responses. <matthaeus.wander@uni-due.de>
DNSSEC and the Hassle of Negative Responses Matthäus Wander Erlangen, April 20, 2015 Security Goal of DNSSEC Query: www? ftp mail ns1 www Matthäus Wander 2 Security Goal of
More informationInternet Measurement Research
Internet Measurement Research Matthäus Wander Kassel, October 1, 2013 Overview How to get measurement data? Research projects Case studies of past projects Ideas and inspiration
More informationPart 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology
SAST01 An Introduction to Information Security Part 5 DNS Security Martin Hell Department of Electrical and Information Technology How DNS works Amplification attacks Cache poisoning attacks DNSSEC 1 2
More informationDNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)
DNSSEC: A Vision Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Outline DNS Today DNS Attacks DNSSEC: An Approach Countering DNS Attacks Conclusion 2 DNS Today DNS is
More informationDNSSEC Applying cryptography to the Domain Name System
DNSSEC Applying cryptography to the Domain Name System Gijs van den Broek Graduate Intern at SURFnet Overview First half: Introduction to DNS Attacks on DNS Second half: DNSSEC Questions: please ask! DNSSEC
More informationInternet-Praktikum I Lab 3: DNS
Kommunikationsnetze Internet-Praktikum I Lab 3: DNS Mark Schmidt, Andreas Stockmayer Sommersemester 2015 kn.inf.uni-tuebingen.de Motivation for the DNS Problem IP addresses hard to remember for humans
More informationDNS at NLnet Labs. Matthijs Mekking
DNS at NLnet Labs Matthijs Mekking Topics NLnet Labs DNS DNSSEC Recent events NLnet Internet Provider until 1997 The first internet backbone in Holland Funding research and software projects that aid the
More informationEECS 489 Winter 2010 Midterm Exam
EECS 489 Winter 2010 Midterm Exam Name: This is an open-book, open-resources exam. Explain or show your work for each question. Your grade will be severely deducted if you don t show your work, even if
More informationPresented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010
Presented by Greg Lindsay Technical Writer Windows Server Information Experience Presented at: Seattle Windows Networking User Group April 7, 2010 Windows 7 DNS client DNS devolution Security-awareness:
More informationDNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS
AFNIC s Issue Papers DNSSEC Domain Name System Security Extensions 1 - Organisation and operation of the DNS 2 - Cache poisoning attacks 3 - What DNSSEC can do 4 - What DNSSEC cannot do 5 - Using keys
More informationUse Domain Name System and IP Version 6
Use Domain Name System and IP Version 6 What You Will Learn The introduction of IP Version 6 (IPv6) into an enterprise environment requires some changes both in the provisioned Domain Name System (DNS)
More informationDeploying DNSSEC: From End-Customer To Content
Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical
More informationMonitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015
Monitoring the DNS Gustavo Lozano Event Name XX XXXX 2015 Agenda 1 2 3 Components of the DNS Monitoring gtlds Monitoring other components of the DNS 4 5 Monitoring system Conclusion 2 Components of the
More informationDNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008
DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008 Kim Davies Internet Assigned Numbers Authority Internet Corporation for Assigned Names & Numbers Agenda How do you
More informationNetwork Infrastructure Under Siege
Network Infrastructure Under Siege Char Sample Security Engineer, CERT Information Security Decisions TechTarget Disclaimer Standard Disclaimer - This talk represents the opinions and research of the presenter
More informationComputer Networks: Domain Name System
Computer Networks: Domain Name System Domain Name System The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses DNS www.example.com 208.77.188.166 http://www.example.com
More informationThe Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends
3. The Environment Surrounding DNS DNS is used in many applications, serving as an important Internet service. Here we discuss name collision issues that have arisen with recent TLD additions, and examine
More informationLesson 13: DNS Security. Javier Osuna josuna@gmv.com GMV Head of Security and Process Consulting Division
Lesson 13: DNS Security Javier Osuna josuna@gmv.com GMV Head of Security and Process Consulting Division Introduction to DNS The DNS enables people to use and surf the Internet, allowing the translation
More informationDNSSEC for Everybody: A Beginner s Guide
DNSSEC for Everybody: A Beginner s Guide San Francisco, California 14 March 2011 4:00 to 5:00 p.m. Colonial Room The Schedule 2 This is Ugwina. She lives in a cave on the edge of the Grand Canyon... This
More informationDNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come!
DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come! Amir Herzberg and Haya Shulman Dept. of Computer Science Bar Ilan University 8/1/2013 About us Bar Ilan University
More informationBEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE
BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE Your external DNS is a mission critical business resource. Without
More informationWhere is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011
The Internet is for Everyone. Become an ISOC Member. Cyber Security Symposium 2011 Where is Hong Kong in the secure Internet infrastructure development Warren Kwok, CISSP Internet Society Hong Kong 12
More informationpage 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl http://www.nlnetlabs.nl/ 28 Feb 2013 Stichting NLnet Labs
page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl page 2 One slide DNS Root www.nlnetlabs.nl A Referral: nl NS www.nlnetlabs.nl A 213.154.224.1 www.nlnetlabs.nl A www.nlnetlabs.nl A 213.154.224.1
More informationResilient Networking. Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning. Securing DNS Split-Split-DNS DNSSEC.
Resilient Networking 6: Attacks on DNS Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC SoSe 2014 Fachbereich Informatik Telecooperation Group
More informationDOMAIN NAME SECURITY EXTENSIONS
DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions
More informationOverview of DNSSEC deployment worldwide
The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research conducted by EURid in cooperation with industry experts
More informationNetwork Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015
Network Security DNS (In)security Radboud University, The Netherlands Autumn 2015 A short recap Routing means directing (Internet) traffic to its target Internet is divided into 52, 000 Autonomous Systems
More informationDNS security: poisoning, attacks and mitigation
DNS security: poisoning, attacks and mitigation The Domain Name Service underpins our use of the Internet, but it has been proven to be flawed and open to attack. Richard Agar and Kenneth Paterson explain
More informationSecurity of IPv6 and DNSSEC for penetration testers
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions
More informationDNSSEC and DNS Proxying
DNSSEC and DNS Proxying DNS is hard at scale when you are a huge target 2 CloudFlare DNS is big 3 CloudFlare DNS is fast 4 CloudFlare DNS is always under attack 5 CloudFlare A secure reverse proxy for
More informationDNSSEC. Introduction Principles Deployment
DNSSEC Introduction Principles Deployment Overview What we will cover The problems that DNSSEC addresses The protocol and implementations Things to take into account to deploy DNSSEC The practical problems
More informationQ3 State of DNS Report DNSSEC Deployment in.gov
Q3 State of DNS Report DNSSEC Deployment in.gov September 22, 2010 Major findings 38% of federal.gov domains have been signed with DNSSEC as of mid- September 2010 36% of federal.gov domains are fully
More informationCS 557 - Lecture 22 DNS Security
CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall 2013 The Domain Name System Virtually every application uses the Domain Name System (DNS). DNS database
More information2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008
2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers How does the DNS work? A typical DNS query The
More informationDRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014
DRDoS Attacks: Latest Threats and Countermeasures Larry J. Blunk Spring 2014 MJTS 4/1/2014 Outline Evolution and history of DDoS attacks Overview of DRDoS attacks Ongoing DNS based attacks Recent NTP monlist
More informationDNSSEC in stats. GC-SEC Global Cyber Security Center. Andrea Rigoni. CENTR Bruxelles, 7th October 2010. Global Cyber Security Center Director General
Global Cyber Security Center DNSSEC in stats CENTR Bruxelles, 7th October 2010 Andrea Rigoni Global Cyber Security Center Director General andrea.rigoni@gcsec.org On the 7 th of May 2010 Poste Italiane
More informationThe Collateral Damage of Internet Censorship by DNS Injection
The Collateral Damage of Internet Censorship by DNS Injection Anonymous presented by Philip Levis 1 Basic Summary Great Firewall of China injects DNS responses to restrict access
More informationThis is the author manuscript, before publisher editing. The original publication is available at www.springerlink.com.
c 2013 Springer-Verlag Berlin Heidelberg. This is the author manuscript, before publisher editing. The original publication is available at www.springerlink.com. Digital Object Identifier: 10.1007/978-3-642-36516-4
More informationXN--P1AI (РФ) DNSSEC Policy and Practice Statement
XN--P1AI (РФ) DNSSEC Policy and Practice Statement XN--P1AI (РФ) DNSSEC Policy and Practice Statement... 1 INTRODUCTION... 2 Overview... 2 Document name and identification... 2 Community and Applicability...
More informationThe Survey Report on DNS Cache & Recursive Service in China Mainland
The Survey Report on DNS Cache & Recursive Service in China Mainland Wei WANG, Chinese Academy of Sciences Zhiwei YAN, China Internet Network Information Center Motivation Improve the traditional recursive
More informationDNSSEC in your workflow
DNSSEC in your workflow Presentation roadmap Overview of problem space Architectural changes to allow for DNSSEC deployment Deployment tasks Key maintenance DNS server infrastructure Providing secure delegations
More informationA Security Evaluation of DNSSEC with NSEC3
A Security Evaluation of DNSSEC with NSEC3 Jason Bau Stanford University Stanford, CA, USA jbau@stanford.edu Abstract Domain Name System Security Extensions (DNSSEC) with Hashed Authenticated Denial of
More informationOutline. 15-744: Computer Networking. Narrow Waist of the Internet Key to its Success. NSF Future Internet Architecture
Outline 15-744: Computer Networking L-15 Future Internet Architecture 2 Motivation and discussion Some proposals: CCN Nebula Mobility First XIA XIA overview AIP Scion 2 NSF Future Internet Architecture
More informationIntroduction to Network Operating Systems
As mentioned earlier, different layers of the protocol stack use different kinds of addresses. We can now see that the Transport Layer (TCP) uses port addresses to route data to the correct process, the
More informationA Case for Comprehensive DNSSEC Monitoring and Analysis Tools
A Case for Comprehensive DNSSEC Monitoring and Analysis Tools Casey Deccio Sandia National Laboratories ctdecci@sandia.gov Jeff Sedayao and Krishna Kant Intel Corporation {jeff.sedayao,krishna.kant}@intel.com
More informationHosting more than one FortiOS instance on. VLANs. 1. Network topology
Hosting more than one FortiOS instance on a single FortiGate unit using VDOMs and VLANs 1. Network topology Use Virtual domains (VDOMs) to divide the FortiGate unit into two or more virtual instances of
More informationNames & Addresses. Names & Addresses. Names vs. Addresses. Identity. Names vs. Addresses. CS 194: Distributed Systems: Naming
Names & Addresses CS 9: Distributed Systems: Naming Computer Science Division Department of Electrical Engineering and Computer Sciences University of California, Berkeley Berkeley, CA 970-77 What is a?
More informationThe Domain Name System from a security point of view
The Domain Name System from a security point of view Simon Boman Patrik Hellström Email: {simbo105, pathe321}@student.liu.se Supervisor: David Byers, {davby@ida.liu.se} Project Report for Information Security
More informationDNS SECURITY TROUBLESHOOTING GUIDE
DNS SECURITY TROUBLESHOOTING GUIDE INTERNET DEPLOYMENT OF DNS SECURITY 27 November 2006 Table of Contents 1. INTRODUCTION...3 2. DNS SECURITY SPECIFIC FAILURE MODES...3 2.1 SIGNATURES...3 2.1.1 Signature
More informationDefending against DNS reflection amplification attacks
University of Amsterdam System & Network Engineering RP1 Defending against DNS reflection amplification attacks February 14, 2013 Authors: Thijs Rozekrans Javy de Koning
More informationDNSSEC - Why Network Operators Should Care And How To Accelerate Deployment
DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment Dan York, CISSP Senior Content Strategist, Internet Society Eurasia Network Operators' Group (ENOG) 4 Moscow, Russia October
More informationICS 351: Today's plan. DNS WiFi
ICS 351: Today's plan DNS WiFi Domain Name System Hierarchical system of names top-level domain names include.edu,.org,.com,.net, and many country top-level domains root is just "." so the fully qualified
More informationAmerican International Group, Inc. DNS Practice Statement for the AIG Zone. Version 0.2
American International Group, Inc. DNS Practice Statement for the AIG Zone Version 0.2 1 Table of contents 1 INTRODUCTION... 6 1.1 Overview...6 1.2 Document Name and Identification...6 1.3 Community and
More informationDNSSEC - SECURE DNS FOR GOVERNMENT. Whitepaper
DNSSEC - SECURE DNS FOR GOVERNMENT Whitepaper ii BlueCat Networks Use of this document Copyright This document and all information (in text, Graphical User Interface ( GUI ), video and audio forms), images,
More informationSecuring DNS Infrastructure Using DNSSEC
Securing DNS Infrastructure Using DNSSEC Ram Mohan Executive Vice President, Afilias rmohan@afilias.info February 28, 2009 Agenda Getting Started Finding out what DNS does for you What Can Go Wrong A Survival
More informationEDU DNSSEC Testbed. Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network
EDU DNSSEC Testbed Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network Internet2 Joint Techs Conference Salt Lake City, Utah February 2nd 2010 1 DNSSEC DNS Security Extensions A system
More informationTHE MASTER LIST OF DNS TERMINOLOGY. v 2.0
THE MASTER LIST OF DNS TERMINOLOGY v 2.0 DNS can be hard to understand and if you re unfamiliar with the terminology, learning more about DNS can seem as daunting as learning a new language. To help people
More informationDNS Security FAQ for Registrants
DNS Security FAQ for Registrants DNSSEC has been developed to provide authentication and integrity to the Domain Name System (DNS). The introduction of DNSSEC to.nz will improve the security posture of
More informationDNSSEC Practice Statement (DPS)
DNSSEC Practice Statement (DPS) 1. Introduction This document, "DNSSEC Practice Statement ( the DPS ) for the zones under management of Zodiac Registry Limited, states ideas of policies and practices with
More informationAn Intrusion Detection System for Kaminsky DNS Cache poisoning
An Intrusion Detection System for Kaminsky DNS Cache poisoning Dhrubajyoti Pathak, Kaushik Baruah Departement of CSE, IIT Guwahati drbj153@alumni.iitg.ernet.in, b.kaushik@iitg.ernet.in Abstract : Domain
More informationBlocking DNS Messages is Dangerous
Blocking DNS Messages is Dangerous Florian Maury, Mathieu Feuillet October 5-6, 2013 F Maury, M Feuillet Blocking DNS Messages is Dangerous October 5-6, 2013 1/25 ANSSI Created in 2009, the ANSSI is the
More informationDomain Name Service (DNS) Training Division, NIC New Delhi
Domain Name Service (DNS) Training Division, NIC New Delhi Domain Name Service (DNS) I. History of DNS II. DNS structure and its components III. Functioning of DNS IV. Replicating DNS V. Dynamic update
More informationNetworking Domain Name System
IBM i Networking Domain Name System Version 7.2 IBM i Networking Domain Name System Version 7.2 Note Before using this information and the product it supports, read the information in Notices on page
More informationDefending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>
Defending your DNS in a post-kaminsky world Paul Wouters Vendor and NGO's involved Two phase deployment First release a generic fix for the Kaminsky attack that does not leak information
More informationDistributed Systems 19. Content Delivery Networks (CDN) Paul Krzyzanowski pxk@cs.rutgers.edu
Distributed Systems 19. Content Delivery Networks (CDN) Paul Krzyzanowski pxk@cs.rutgers.edu 1 Motivation Serving web content from one location presents problems Scalability Reliability Performance Flash
More informationGeorgia College & State University
Georgia College & State University Milledgeville, GA Domain Name Service Procedures Domain Name Service Table of Contents TABLE OF REVISIONS... 3 SECTION 1: INTRODUCTION... 4 1.1 Scope and Objective...
More informationChapter 25 Domain Name System. 25.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Chapter 25 Domain Name System 25.1 Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 25.2 Figure 25.1 Example of using the DNS service 25-1 NAME SPACE To be unambiguous,
More informationDNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers
DNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers version 1.9., valid since 1 January 2010 Introduction This material lays out operational rules that govern the work of the CZ.NIC association
More informationA Best Practices Architecture for DNSSEC
WHITEPAPER A Best Practices Architecture for DNSSEC Cricket Liu, Vice President of Architecture Background The Domain Name System is the Internet s standard naming service. DNS is responsible for mapping
More informationCS 348: Computer Networks. - DNS; 22 nd Oct 2012. Instructor: Sridhar Iyer IIT Bombay
CS 348: Computer Networks - DNS; 22 nd Oct 2012 Instructor: Sridhar Iyer IIT Bombay Domain Name System Map between host names and IP addresses People: many identifiers: name, Passport #, Internet hosts:
More informationThe secret life of a DNS query. Igor Sviridov <sia@nest.org> 20120522
The secret life of a DNS query Igor Sviridov 20120522 Preface Nowadays, when we type URL (or is it a search string? ;-) into a browser (or mobile device) many things happen. While most of
More informationDNS. Spring 2016 CS 438 Staff 1
DNS Spring 2016 CS 438 Staff 1 Host Names vs. IP addresses Host names Mnemonic name appreciated by humans Variable length, full alphabet of characters Provide little (if any) information about physical
More informationWindows 2008 Server. Domain Name System Administración SSII
Windows 2008 Server Domain Name System Administración SSII Contenidos Introducción Configuración DNS Transferencia de zona Herramientas DNS Introducción Domain Name System is a hierarchical distributed
More informationComputer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System
Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce 18/02/15 Networks: DNS attacks 1 Domain Name System The domain name system (DNS) is an applica>on- layer protocol
More informationA Very Incomplete Diagram of Network Attacks
A Very Incomplete Diagram of Network Attacks TCP/IP Stack Reconnaissance Spoofing Tamper DoS Internet Transport Application HTTP SMTP DNS TCP UDP IP ICMP Network/Link 1) HTML/JS files 2)Banner Grabbing
More informationDistributed Systems. 23. Content Delivery Networks (CDN) Paul Krzyzanowski. Rutgers University. Fall 2015
Distributed Systems 23. Content Delivery Networks (CDN) Paul Krzyzanowski Rutgers University Fall 2015 November 17, 2015 2014-2015 Paul Krzyzanowski 1 Motivation Serving web content from one location presents
More informationTHE MASTER LIST OF DNS TERMINOLOGY. First Edition
THE MASTER LIST OF DNS TERMINOLOGY First Edition DNS can be hard to understand and if you re unfamiliar with the terminology, learning more about DNS can seem as daunting as learning a new language. To
More informationCMPE 80N: Introduction to Networking and the Internet
CMPE 80N: Introduction to Networking and the Internet Katia Obraczka Computer Engineering UCSC Baskin Engineering Lecture 11 CMPE 80N Spring'10 1 Announcements Guest lecture on intellectual property and
More informationHow To Understand The Effect Of A Domain Name Extension On A Network Attack On A Domain Names Server (Dns)
DNSSEC and Its Potential for DDoS Attacks A Comprehensive Measurement Study Roland van Rijswijk-Deij University of Twente and SURFnet bv r.m.vanrijswijk@utwente.nl Anna Sperotto University of Twente a.sperotto@utwente.nl
More informationCS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.
CS 355 Computer Networking Wei Lu, Ph.D., P.Eng. Chapter 2: Application Layer Overview: Principles of network applications? Introduction to Wireshark Web and HTTP FTP Electronic Mail: SMTP, POP3, IMAP
More informationDomain Name System Security
Domain Name System Security Guevara Noubir Network Security Northeastern University 1 Domain Name System DNS is a fundamental applica=on layer protocol Not visible but invoked every =me a remote site is
More informationDNS traffic analysis -- Issues of IPv6 and CDN --
DNS traffic analysis -- Issues of IPv6 and CDN -- Kazunori Fujiwara ^, Akira Sato, Kenichi Yoshida University of Tsukuba ^Japan Registry Services Co., Ltd (JPRS) July 29, 2012 IEPG meeting at Vancouver
More informationARP and DNS. ARP entries are cached by network devices to save time, these cached entries make up a table
ARP and DNS Both protocols do conversions of a sort, but the distinct difference is ARP is needed for packet transfers and DNS is not needed but makes things much easier. ARP Address Resolution Protocol
More informationVerteilte Systeme - Overview
- Overview Prof. Dr.-Ing. Torben Weis Building BC, 4 th Floor, Room 407 http://www.vs.uni-due.de Scientific Staff Christopher Boelmann Sebastian Schuster Matthäus Wander Working Areas Networked systems
More informationDecoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs
Decoding DNS data Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs The Domain Name System (DNS) is a core component of the Internet infrastructure,
More informationOutline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg
Outline Network Topology CSc 466/566 Computer Security 18 : Network Security Introduction Version: 2012/05/03 13:59:29 Department of Computer Science University of Arizona collberg@gmail.com Copyright
More informationMeasurements and Laboratory Simulations of the Upper DNS Hierarchy
Measurements and Laboratory Simulations of the Upper DNS Hierarchy Duane Wessels 1, Marina Fomenkov 2, Nevil Brownlee 2, and kc claffy 2 1 The Measurement Factory, Inc. wessels@measurement-factory.com
More informationHow to Install the Active Directory Domain Services (AD DS) Role in Windows Server 2008 R2 and Promote a Server to a Domain Controller
How to Install the Active Directory Domain Services (AD DS) Role in Windows Server 2008 R2 and Promote a Server to a Domain Controller I am not responsible for your actions or their outcomes, in any way,
More informationReliable Strong Cache and Security for the Domain Name System
Reliable Strong Cache and Security for the Domain Name System S. Pari Elavarasan #1, K. Sampath Kumar *2 # Department of Computer Science and Engineering, PGP College of Engineering and Technology, Namakkal,
More informationINTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY
INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK AN OVERVIEW OF MOBILE ADHOC NETWORK: INTRUSION DETECTION, TYPES OF ATTACKS AND
More informationDNS Best Practices. Mike Jager Network Startup Resource Center mike@nsrc.org
DNS Best Practices Mike Jager Network Startup Resource Center mike@nsrc.org This document is a result of work by the Network Startup Resource Center (NSRC at http://www.nsrc.org). This document may be
More informationCSE 127: Computer Security. Network Security. Kirill Levchenko
CSE 127: Computer Security Network Security Kirill Levchenko December 4, 2014 Network Security Original TCP/IP design: Trusted network and hosts Hosts and networks administered by mutually trusted parties
More informationTHE DOMAIN NAME SYSTEM DNS
Announcements THE DOMAIN NAME SYSTEM DNS Internet Protocols CSC / ECE 573 Fall, 2005 N. C. State University copyright 2005 Douglas S. Reeves 2 Today s Lecture I. Names vs. Addresses II. III. IV. The Namespace
More informationNET0183 Networks and Communications
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/2009 1 NET0183 Networks and Communications by Dr Andy Brooks DNS is a distributed database implemented in a hierarchy of many
More informationThe Graph Name System: pathnames and petnames in a rootless DNS
The Graph Name System: pathnames and petnames in a rootless DNS Tony Finch fanf2@cam.ac.uk dot@dotat.at University of Cambridge Computing Service August 2012 1 Introduction Names in the Domain Name System
More informationA Fair Solution to DNS Amplification Attacks
A Fair Solution to DNS Amplification Attacks Georgios Kambourakis, Tassos Moschos, Dimitris Geneiatakis and Stefanos Gritzalis Laboratory of Information and Communication Systems Security Department of
More informationLarge-scale DNS and DNSSEC data sets for network security research
Large-scale DNS and DNSSEC data sets for network security research Roland van Rijswijk-Deij 1,2, Anna Sperotto 1, and Aiko Pras 1 1 Design and Analysis of Communication Systems (DACS), University of Twente,
More information12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust
Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or
More informationReverse DNS considerations for IPv6
Reverse DNS considerations for IPv6 Kostas Zorbadelos OTE David Freedman - ClaraNet Reverse DNS in IPv4 Every Internet-reachable host should have a name Make sure your PTR and A records match. For every
More information