Domain Name System Security
|
|
- May Flowers
- 8 years ago
- Views:
Transcription
1 Abstract Domain Name System Security Ladislav Hagara Department of Automated Command Systems and Informatics Military Academy in Brno Brno, Czech Republic Domain Name System (DNS) is one of the most important services keeping the Internet communication running. Its main task is to convert domain names to IP addresses and vice versa. Despite the fact that this task is really very important, DNS is quite vulnerable. The paper describes relatively new features of both DNS and the BIND (Berkeley Internet Name Domain) server. It explains the possibilities to restrict an access to BIND server according to IP addresses or TSIG (Transaction SIGnatures). The major part of the paper is dedicated to DNSSEC (DNS SECurity extensions), which is able to ensure authentication and integrity in DNS protocol. Keywords: DNS, DNSSEC, TSIG, SIG, KEY, NXT, BIND, ACL, computer security. 1. Introduction Do you have an address? Do you surf the Internet? Whatever you want to do on the Internet, the first thing you usually have to do is to use the domain name to specify the server you want to communicate with. It is easier for people to take the name (for example than an appropriate IP address (it is possible that one name has even several IP addresses). The name can attract people s attention more than IP address, it can be more useful in an advertisement and it looks better on business cards. Internet is however built on the IP addresses. After inserting the domain name (for example into the web browser, the client part of DNS will start the process, the goal of which is a conversion of the domain name to the corresponding IP address (in this example to ). If the conversion is successful, the web browser tries to connect with the web server running on that IP address. The same mechanism provides reverse conversion from the IP address to the domain name. Can we believe this conversion? Unfortunately NOT. DNS client sends a request for conversion to a local DNS server. If the local DNS server is not able to complete this request, it sends the request through the Internet to other DNS servers according to DNS hierarchy. If those DNS servers are not able to complete the request, they either inform the previous server about it or send the request to next DNS servers. If one of the servers is able to complete the request, it sends the response backward to the DNS client. The problem is that neither DNS client nor DNS server can authenticate that response. The response can come from any Internet hosts (IP address can be bogus) and can be falsified by hackers. For example it is relatively easy to redirect web traffic to fake sites. Hackers can accomplish that after inserting the domain name into the web browser, the DNS client can obtain for example IP address instead of IP address and the web browser displays Playmate of the Month
2 The purpose of this paper is not to describe hackers techniques. Their probable first step is to find out which DNS servers are responsible for the domain army.mil. It is very easy. They can use for example program dig. There are three DNS servers: ns01.army.mil, ns02.army.mil and ns03.army.mil. hgr]$ dig ; <<>> DiG <<>> ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; QUESTION SECTION: ; IN A ;; ANSWER SECTION: IN A ;; AUTHORITY SECTION: army.mil IN NS ns01.army.mil. army.mil IN NS ns03.army.mil. army.mil IN NS ns02.army.mil. ;; ADDITIONAL SECTION: ns01.army.mil IN A ns03.army.mil IN A ns02.army.mil IN A ;; Query time: 181 msec ;; SERVER: #53( ) ;; WHEN: Sun Apr 8 21:09: ;; MSG SIZE rcvd: BIND - Basic configuration If we want to offer DNS services we need a DNS server. One of the most widespread implementation of the DNS is BIND (Berkeley Internet Name Domain). BIND consists of a server part (daemon named) and a client part: a resolver library and several tools for verifying the proper operation of the DNS server. I will describe the version of BIND in this paper. If I want to describe new features I should describe a basic configuration. The configuration file of daemon named is /etc/named.conf. It is a text file and it is possible to edit it with any text editor. In our example the daemon named is master server for zones army.sec and in-addr.arpa. [root@spider sbin]# cat /etc/named.conf options { directory "/etc"; pid-file "/var/run/named.pid"; zone "army.sec" { type master; file "/etc/named.data/army.sec.hosts "; zone " in-addr.arpa" { type master; file "/etc/named.data/army.sec.rev";
3 The zones contain only three hosts: spider, snail and snake. There are four main RR (Resource Record): SOA, NS, A and PTR. [root@spider sbin]# cat /etc/named.data/army.sec.hosts $ttl army.sec. IN SOA spider.army.sec. hgr.army.sec. ( ) army.sec. IN NS spider.army.sec. spider.army.sec. IN A snake.army.sec. IN A snail.army.sec. IN A [root@spider sbin]# cat /etc/named.data/army.sec.rev $ttl in-addr.arpa. IN SOA spider.army.sec. hgr.army.sec. ( ) in-addr.arpa. IN NS spider.army.sec in-addr.arpa. IN PTR spider.army.sec in-addr.arpa. IN PTR snake.army.sec in-addr.arpa. IN PTR snail.army.sec. 3. IP restriction If we want to have a secured server it is necessary to restrict an access to it as much as possible. Primary restriction is based on IP addresses. To avoid repeated writing of IP addresses, it is possible to use ACL (Access Control List). There are two ACLs: reliable and unreliable defined in this example. acl reliable { ; ; acl unreliable { ; 3.1 Restriction of Zone Transfer The clause allow-transfer specifies which hosts are allowed to receive zone transfers from the server. It is a good idea to restrict it because by this transfer it is possible to find out a lot of interesting information, which can be exploited, for example the number of hosts (computers, routers, network printers), type of hosts, installed operating systems. From the incorrectly appointed names of hosts it is possible to identify main hosts (mail, ns, router) or deduce the location of the hosts (brno, office-23) or their owner (director, personnel). options { directory "/etc"; pid-file "/var/run/named.pid"; allow-transfer { reliable;
4 The host snail is allowed to download all content of the zone. The host snake is not a member of ACL reliable so it is not allowed to do that. [hgr@snail sbin]$ dig army.sec axfr ; <<>> DiG <<>> army.sec axfr ;; global options: printcmd army.sec IN SOA spider.army.sec. hgr.army.sec army.sec IN NS spider.army.sec. snail.army.sec IN A snake.army.sec IN A spider.army.sec IN A army.sec IN SOA spider.army.sec. hgr.army.sec ;; Query time: 3 msec ;; SERVER: #53( ) ;; WHEN: Sun Apr 8 22:47: ;; XFR size: 7 records [hgr@snake sbin]$ dig army.sec axfr ; <<>> DiG <<>> army.sec axfr ;; global options: printcmd ; Transfer failed. [hgr@snake sbin]$ Similarly, we can define hosts that can query our DNS server (allow-query). The clause blackhole defines the hosts queries from these addresses will not be responded to. options {... allow-query { reliable; blackhole { unreliable; 3.2 Restriction of Dynamic Updates It is possible dynamically delete or add records. It may be very useful with DHCP (Dynamic Host Configuration Protocol). The host after getting its IP address may create corresponding record in DNS database. Before giving back its IP address, it may delete its record from database. The problem is, that not only its record, it can delete any records and add bogus ones. zone "army.sec" { type master; file "/etc/named.data/army.sec.hosts"; allow-update { reliable; It is possible to try it by utility nsupdate. [hgr@snail bin]$ nsupdate > update add fly.army.sec 3600 A > It is useful to check a log file. We can see suspicious activities there. Apr 8 22:53:40 spider./named[2167]: client #3498: zone transfer denied Apr 8 22:58:23 spider./named[2183]: client #1026: query denied
5 4. TSIG Because the restriction based on IP addresses is not very reliable, to restrict the access better and to ensure the authentication and integrity, there has been the cryptography implemented in BIND. It is possible to use both symmetric keys and asymmetric keys. The symmetric keys are used in TSIG (Transaction SIGnature) and asymmetric keys are used in DNSSEC (DNS SECurity extensions). 4.1 Working with TSIG TSIG is based on symmetric cryptography. To generate symmetric key the command dnssec-keygen can be used. In the next example the command will generate a 128 bit (16 byte) HMAC-MD5 key key-transfer and the result will be in files called Kkey-transfer key and Kkeytransfer private [root@spider sbin]#./dnssec-keygen -a hmac-md5 -b 128 -n HOST key-transfer Kkey-transfer The content of Kkey-transfer private file. [root@spider sbin]# cat Kkey-transfer private Private-key-format: v1.2 Algorithm: 157 (HMAC_MD5) Key: 02qXAdDrcMC5r3/sYBXYSg== We must edit the file /etc/named.conf. Now we allow the transfer only for a signed request. key key-transfer { algorithm hmac-md5; secret "02qXAdDrcMC5r3/sYBXYSg=="; options {... allow-transfer { key key-transfer; Similarly we can create keys for update or query. [root@spider sbin]#./dnssec-keygen -a hmac-md5 -b 128 -n HOST key-update [root@spider sbin]#./dnssec-keygen -a hmac-md5 -b 128 -n HOST key-query zone "army.sec" {... allow-update { key key-update; allow-query { key key-query; The options -y of command dig makes the request is signed. [hgr@snake sbin]$ dig -y key-transfer:02qxaddrcmc5r3/sybxysg== army.sec axfr ; <<>> DiG <<>> -y key-transfer army.sec axfr ;; global options: printcmd army.sec IN SOA spider.army.sec. hgr.army.sec army.sec IN NS spider.army.sec. fly.army.sec IN A snail.army.sec IN A snake.army.sec IN A spider.army.sec IN A
6 army.sec IN SOA spider.army.sec. hgr.army.sec key-transfer. 0 ANY TSIG hmac-md5.sig-alg.reg.int Cvm9uMhIIU0T8j7jo/z1XQ== NOERROR 0 ;; Query time: 3 msec ;; SERVER: #53( ) ;; WHEN: Mon Apr 9 00:55: ;; XFR size: 8 records The command nsupdate has the option -y too. [hgr@snake sbin]$ nsupdate -y key-update:rtawudxxgejetzd9sskp8w== > update delete fly.army.sec A > 4.2 BIND remote control The remote name daemon control (rndc) program allows the system administrator to control the operation of the nameserver. [root@spider sbin]#./dnssec-keygen -a hmac-md5 -b 128 -n HOST key-rndc Kkey-rndc Configuration file for the command rndc is /etc/rndc.conf. [root@snake sbin]# cat /etc/rndc.conf key key-rndc { algorithm "hmac-md5"; secret "y5ouyu4ge5q4ep5gynicda=="; options { default-server spider.army.sec; default-key key-rndc; Now it is easy to reload name daemon remotely. [root@snake sbin]#./rndc reload rndc: reload command successful 5. DNSSEC DNSSEC (DNS SECurity extentions) provides data integrity and authentication to security aware resolvers and applications. It is based on the public key cryptography, so it works identically as other implementations of public key cryptography. The secured zone owns the pair of unique keys: the private key and the public key. These keys are generated at the same time according to a mathematical formula. It is impossible to deduce the private key from the public key. Data that are encrypted using one key may be decrypted only with corresponding second one. While the private key must be protected, the public key may be opened to the public. The encryption with private key is called digital signing. This encryption is very slow and resource-intensive process, so there are not all the data encrypted but only their hash value. This hash value is like a fingerprint that exactly represents the source data and it is computed from them by secure hash algorithm. If the security aware resolver or server receives the encrypted (signed) data, they decrypt them with zone s public key to obtain supposed hash value. Then they use the same hash algorithm as the signer used to compute its hash value. If this value matches the supposed one, the data are verified and the security aware
7 resolver or server may be guaranteed that data come from the authoritative source (the source which has corresponding private key) and the data have not been modified since they were signed. If the value does not match the supposed one, the data are bogus. This process is called verifying digital signature. 5.1 New Types of Resource Records DNSSEC defines three new types of resouce record (RR). The zone s public key is stored in a RR called KEY. This RR can store not only zone s public key but also keys associated with other zones, hosts or even users. The zone s private key is used to sign each RR in the zone. The digital signature for the RR is added to the zone in a RR called SIG. The KEY RR should be signed too, of course not with zone s key but with its parent zone s key. This allows a name server which knows the parent zone s public key to discover the subzone s public key and verify it. When the resolver or name server receives a response from the DNSSEC aware name server, this response includes the SIG record that corresponds to the records in the answer. The security aware resolver or name server can then retrieve the KEY record for the zone and verify it. Once the resolver or name server has verified the KEY record, it can decrypt the digital signature in the SIG record to get the hash value, recalculate it and compare the two. If queried RR does not exist, the name server must inform about it. This answer must be signed too. There is a signed RR called NXT. These NXT records are added automatically during the DNS signing process. The rest of this section describes creation and use of DNSSEC signed zones. It is necessary to pass several stages to use DNSSEC. 5.2 Generating Keys The dnssec-keygen program is used to generate keys. Two output files will be produced: Karmy.sec key and Karmy.sec private. The private key (in the.private file) is used to generate signatures, and the public key (in the.key file) is used for a signature verification. [root@spider sbin]#./dnssec-keygen -a DSA -b 768 -n ZONE army.sec Karmy.sec [root@spider sbin]# cat Karmy.sec key army.sec. IN KEY BLLe7IXZVdk4YNeVmIyCDmogBsHdhNvMVEejJDLHa+yQE8UI1mouVfS7 XdbOlyw+5YCuzo1gzaUvZ1m/7Jq00fpdbsQslpbIAWIoyY1kLVH5xkfp 8lrwJzmZjg13/pR55NrtKcokH2vnzjAOvNtyZ9eVSPDrI6oNVNjkG5KK ouisixxdczaae9ufvm+apx7t7p2r+eh6qgnddmg22vzcymmdqm1vwa9k ybjkcvdslhncaqoybak0c9zwkszliqds+c1wnlqxnheglskme9suqwac SUJuGFr+G9jG1a8y07R8/u0BbJva4dO2ZgmPDkNPxpNJS1vIPrYjRVt+ ergkuq6symjh9tlfrdvrttartiejpazbo977ymklco4jqb5pmkmqeiie Kx8Lngot/gvtHLJAPGvX [root@spider sbin]# cat Karmy.sec private Private-key-format: v1.2 Algorithm: 3 (DSA) Prime(p): hnvmveejjdlha+yqe8ui1mouvfs7xdbolyw+5ycuzo1gzauvz1m/7jq00fpdbsqslpbiawioyy1klvh5xkfp8lrwj zmzjg13/pr55nrtkcokh2vnzjaovntyz9evspdr Subprime(q): st7shdlv2thg15wyjiioaiagwd0= Base(g): I6oNVNjkG5KKoUisiXxDcZAaE9uFVm+Apx7t7P2r+EH6qGnDDmg22vZCyMMDQM1Vwa9KybjkcvDSLhnCaQoyBak0C 9ZWkszLiQDS+c1wnlQXnheGlSkmE9SUQWACSUJu Private_value(x): Ls+KPIt9Qc4e2bHh/Njc5292iVw= Public_value(y): GFr+G9jG1a8y07R8/u0BbJva4dO2ZgmPDkNPxpNJS1vIPrYjRVt+eRGKuq6symjh9TlFrdVrtTarTieJpAZbo977y mklco4jqb5pmkmqeiiekx8lngot/gvthljapgvx
8 5.3 Creating a Keyset The dnssec-makekeyset program is used to create a key set from one or more keys. The following command generates a key set with a TTL of 3600 and a signature validity period of 10 days starting from now. The key set must be signed by parent zone. [root@spider sbin]#./dnssec-makekeyset -t e Karmy.sec keyset-army.sec. [root@spider sbin]# cat keyset-army.sec. $ORIGIN. $TTL 3600 ; 1 hour army.sec IN KEY ( BLLe7IXZVdk4YNeVmIyCDmogBsHdhNvMVEejJDLHa+yQ E8UI1mouVfS7XdbOlyw+5YCuzo1gzaUvZ1m/7Jq00fpd bsqslpbiawioyy1klvh5xkfp8lrwjzmzjg13/pr55nrt KcokH2vnzjAOvNtyZ9eVSPDrI6oNVNjkG5KKoUisiXxD czaae9ufvm+apx7t7p2r+eh6qgnddmg22vzcymmdqm1v wa9kybjkcvdslhncaqoybak0c9zwkszliqds+c1wnlqx nheglskme9suqwacsujugfr+g9jg1a8y07r8/u0bbjva 4dO2ZgmPDkNPxpNJS1vIPrYjRVt+eRGKuq6symjh9TlF rdvrttartiejpazbo977ymklco4jqb5pmkmqeiiekx8l ngot/gvthljapgvx ) ; key id = SIG KEY ( army.sec. BHE34W4NmMMazzG9r6MsHLXshZciU4CpfhIUBPAXbkfx 8Ru6XToX2l8= ) 5.4 Signing the Child's Keyset The dnssec-signkey program is used to sign one child's keyset. One output file is produced: signedkeyarmy.sec. This file should be transmitted back to the child. It includes child s key from the keyset file and signatures generated by its parent s zone key (Ksec ). [root@spider sbin]#./dnssec-signkey keyset-army.sec. Ksec signedkey-army.sec. [root@spider sbin]# cat signedkey-army.sec. $ORIGIN. $TTL 3600 ; 1 hour army.sec IN KEY ( BLLe7IXZVdk4YNeVmIyCDmogBsHdhNvMVEejJDLHa+yQ E8UI1mouVfS7XdbOlyw+5YCuzo1gzaUvZ1m/7Jq00fpd bsqslpbiawioyy1klvh5xkfp8lrwjzmzjg13/pr55nrt KcokH2vnzjAOvNtyZ9eVSPDrI6oNVNjkG5KKoUisiXxD czaae9ufvm+apx7t7p2r+eh6qgnddmg22vzcymmdqm1v wa9kybjkcvdslhncaqoybak0c9zwkszliqds+c1wnlqx nheglskme9suqwacsujugfr+g9jg1a8y07r8/u0bbjva 4dO2ZgmPDkNPxpNJS1vIPrYjRVt+eRGKuq6symjh9TlF rdvrttartiejpazbo977ymklco4jqb5pmkmqeiiekx8l ngot/gvthljapgvx ) ; key id = SIG KEY ( sec. BCuu9HgcOKGjcej2kSOXpoymVCzOIqBv+/3u6EFWtwFd ybtw9fugdcc= ) 5.5 Signing the Zone The dnssec-signzone program is used to sign a zone. [root@spider sbin]# cp /etc/named.data/army.sec.hosts [root@spider sbin]# cat signedkey-army.sec. >> army.sec.hosts [root@spider sbin]#./dnssec-signzone -o army.sec army.sec.hosts army.sec.hosts.signed One output file is produced: army.sec.hosts.signed. This file is several times bigger than the original one
9 sbin]# cat army.sec.hosts.signed ; File written on Mon Apr 9 01:43: ; dnssec_signzone version army.sec IN SOA spider.army.sec. hgr.army.sec. ( ; serial ; refresh (3 hours) 3600 ; retry (1 hour) ; expire (5 days) ; minimum (10 hours 40 minutes) ) SIG SOA ( BC0VA1dfza4bngbqbxQloO9Kg9AIEHkowiuq 3FoUEGjeBMRN//DoZqc= ) NS spider.army.sec SIG NS ( BIip342vp7HCwYlzHEc1kNolmtMCRNiyOm6/ 32c19bS8vne/BB3AI5M= ) 3600 KEY ( BLLe7IXZVdk4YNeVmIyCDmogBsHdhNvMVEej JDLHa+yQE8UI1mouVfS7XdbOlyw+5YCuzo1g zauvz1m/7jq00fpdbsqslpbiawioyy1klvh5 xkfp8lrwjzmzjg13/pr55nrtkcokh2vnzjao vntyz9evspdri6onvnjkg5kkouisixxdczaa E9uFVm+Apx7t7P2r+EH6qGnDDmg22vZCyMMD QM1Vwa9KybjkcvDSLhnCaQoyBak0C9ZWkszL iqds+c1wnlqxnheglskme9suqwacsujugfr+ G9jG1a8y07R8/u0BbJva4dO2ZgmPDkNPxpNJ S1vIPrYjRVt+eRGKuq6symjh9TlFrdVrtTar TieJpAZbo977ymKlco4JQb5PMKmqEIIEKx8L ngot/gvthljapgvx ) ; key id = SIG KEY ( sec. BCuu9HgcOKGjcej2kSOXpoymVCzOIqBv+/3u 6EFWtwFdybTW9fUgdCc= ) NXT snail.army.sec. NS SOA SIG KEY NXT SIG NXT ( BIgM4PMuBXehahvu2DxBUv4/7UCyF4SVJzej kkrskl6bad/wafq+wug= ) snail.army.sec IN A SIG A ( BCAnba/0F4uUy01ujjUgv6wYYztFQehc29vt oys+zjmz1w7ls5qtecq= ) NXT snake.army.sec. A SIG NXT SIG NXT ( BGIa8BJXRede/G0XukufXxW4j2mQVRF+Nvx8 hzsysssfdz6zuvl2tuo= ) snake.army.sec IN A SIG A ( BE5TXL1AHjIpmcUo2Epd3ehIPYUnCUAyah3z dht+tyfhhtwhyp4sykc= ) NXT spider.army.sec. A SIG NXT SIG NXT ( BJhEaUJh4mHX95wikOm6ZmKco28gN8YdTM1s v4qpbocjxouzvviqwou= ) spider.army.sec IN A SIG A ( BCZDzpszafKMTKWlgzDHN8MkqwBOhJxOQmbc +EEi+whi0K2BnC/Bm/M= ) NXT army.sec. A SIG NXT SIG NXT ( BCXA/bAeLMwKsMPpt+0QQ/9HOv//EDkeqQk2 3uKKdGyz/IceQVAvYc0= )
10 5.6 Configuring Servers This signed file must be referenced by named.conf as the input file for the zone. zone "army.sec" { type master; file "/etc/named.data/army.sec.hosts.signed"; allow-update { key key-update; Finally we try the functions by utility dig. It looks like the output of DNS server, which is not aware of DNSSEC. [root@snake sbin]# dig army.sec ; <<>> DiG <<>> army.sec ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;army.sec. IN A ;; AUTHORITY SECTION: army.sec IN SOA spider.army.sec. hgr.army.sec ;; Query time: 2 msec ;; SERVER: #53( ) ;; WHEN: Mon Apr 9 01:48: ;; MSG SIZE rcvd: 73 The output of utility dig with argument any is significantly different. [root@snake sbin]# dig army.sec any ;; Truncated, retrying in TCP mode. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;army.sec. IN ANY ;; ANSWER SECTION: army.sec IN SOA spider.army.sec. hgr.army.sec army.sec IN SIG SOA BC0VA1dfza4bngbqbxQloO9Kg9AIEHkowiuq3FoUEGjeBMRN//DoZqc= army.sec IN NS spider.army.sec. army.sec IN SIG NS BIip342vp7HCwYlzHEc1kNolmtMCRNiyOm6/32c19bS8vne/BB3AI5M= army.sec IN KEY BLLe7IXZVdk4YNeVmIyCDmogBsHdhNvMVEejJDLHa+yQE8UI1mouVfS7 XdbOlyw+5YCuzo1gzaUvZ1m/7Jq00fpdbsQslpbIAWIoyY1kLVH5xkfp 8lrwJzmZjg13/pR55NrtKcokH2vnzjAOvNtyZ9eVSPDrI6oNVNjkG5KK ouisixxdczaae9ufvm+apx7t7p2r+eh6qgnddmg22vzcymmdqm1vwa9k ybjkcvdslhncaqoybak0c9zwkszliqds+c1wnlqxnheglskme9suqwac SUJuGFr+G9jG1a8y07R8/u0BbJva4dO2ZgmPDkNPxpNJS1vIPrYjRVt+ ergkuq6symjh9tlfrdvrttartiejpazbo977ymklco4jqb5pmkmqeiie Kx8Lngot/gvtHLJAPGvX army.sec IN SIG KEY sec. BCuu9HgcOKGjcej2kSOXpoymVCzOIqBv+/3u6EFWtwFdybTW9fUgdCc= army.sec IN NXT snail.army.sec. NS SOA SIG KEY NXT army.sec IN SIG NXT BIgM4PMuBXehahvu2DxBUv4/7UCyF4SVJzejkkRSkL6baD/WAFQ+Wug=
11 ;; AUTHORITY SECTION: army.sec IN NS spider.army.sec. ;; ADDITIONAL SECTION: spider.army.sec IN A ;; Query time: 5 msec ;; SERVER: #53( ) ;; WHEN: Mon Apr 9 01:49: ;; MSG SIZE rcvd: Conclusions Name servers are subjects of plenty of attacks. It is important to protect them. It is a good idea to run the newest version of name server. Of course it does not guarantee its security but surely it minimizes its inclination to be hacked. Moreover, a new version embraces new features which can significantly improve the network security. With cryptography we can de facto guarantee authentication and integrity in DNS. It is possible to adopt these new technologies almost immediately. Why have not they been used yet? 7. References [1] Internet Software Consortium BIND, [2] FAQ about the Domain Name System Security extensions (DNSSEC), [3] The DNSSEC resources, [4] Cricket Liu, Securing an Internet Name Server, [5] Mourani, G.: Securing and Optimizing Linux: DNS and BIND, [6] Cricket Liu, The DNS Security Extensions, [7] DNS Resources Directory, [8] Internet Standards Archive, RFC Domain Name System Security (DNSSEC) Signing Authority RFC Domain Name System Security Extensions RFC Secure Domain Name System (DNS) Dynamic Update RFC Secret Key Transaction Authentication for DNS (TSIG)
How-to: DNS Enumeration
25-04-2010 Author: Mohd Izhar Ali Email: johncrackernet@yahoo.com Website: http://johncrackernet.blogspot.com Table of Contents How-to: DNS Enumeration 1: Introduction... 3 2: DNS Enumeration... 4 3: How-to-DNS
More informationCreating a master/slave DNS server combination for your Grid Infrastructure
Creating a master/slave DNS server combination for your Grid Infrastructure When doing a Grid Infrastructure installation, a DNS server is needed to resolve addresses for the cluster- scan addresses. In
More informationRecursive Name Server. CNNIC Zhang Cuiling
Recursive Name Server 2013-9-16 16 CNNIC Zhang Cuiling Outlines 1 Setup Root Hints File 2 ACL for Recursive Name Server 3 Setup an Experimental DNS System Review Recursive/Caching nameservers act as query
More informationLocal DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1
SEED Labs Local DNS Attack Lab 1 Local DNS Attack Lab Copyright c 2006 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation s Course,
More informationSecuring an Internet Name Server
Securing an Internet Name Server Cricket Liu cricket@verisign.com Securing an Internet Name Server Name servers exposed to the Internet are subject to a wide variety of attacks: Attacks against the name
More informationDomain Name System (DNS) Fundamentals
Domain Name System (DNS) Fundamentals Mike Jager Network Startup Resource Center mike.jager@synack.co.nz These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International
More informationnetkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)
Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group netkit lab dns Version Author(s) E-mail Web Description 2.2 G. Di Battista, M. Patrignani, M.
More informationStep-by-Step DNSSEC-Tools Operator Guidance Document
Step-by-Step DNSSEC-Tools Operator Guidance Document Using the DNSSEC-Tools v1.0 distribution SPARTA, Inc. Table of Contents 1. Introduction... 1 Organization of this Document... 1 Key Concepts... 2 Zones
More informationGoal of this session
DNS refresher Overview Goal of this session What is DNS? How is DNS built and how does it work? How does a query work? Record types Caching and Authoritative Delegation: domains vs zones Finding the error:
More informationDomain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley abulley@ghana.com
Domain Name System (DNS) Session-1: Fundamentals Ayitey Bulley abulley@ghana.com Computers use IP addresses. Why do we need names? Names are easier for people to remember Computers may be moved between
More informationDNS SECURITY TROUBLESHOOTING GUIDE
DNS SECURITY TROUBLESHOOTING GUIDE INTERNET DEPLOYMENT OF DNS SECURITY 27 November 2006 Table of Contents 1. INTRODUCTION...3 2. DNS SECURITY SPECIFIC FAILURE MODES...3 2.1 SIGNATURES...3 2.1.1 Signature
More informationDNS zone transfers from FreeIPA to non-freeipa slave servers
FreeIPA Training Series DNS zone transfers from FreeIPA to non-freeipa slave servers FreeIPA 3.0 and bind-dyndb-ldap 2.3 Petr Špaček 01-03-2013 Text file based
More informationEnabling DNS for IPv6 CSD Fall 2011
Enabling DNS for IPv6 CSD Fall 2011 Team members: Bowei Dai daib@kth.se 15 credits Elis Kullberg elisk@kth.se 18 credits Hannes Junnila haju@kth.se 15 credits Nur Mohammad Rashed nmrashed@kth.se 15 credits
More informationDNS at NLnet Labs. Matthijs Mekking
DNS at NLnet Labs Matthijs Mekking Topics NLnet Labs DNS DNSSEC Recent events NLnet Internet Provider until 1997 The first internet backbone in Holland Funding research and software projects that aid the
More informationDNS Networks - Avoiding BIND Attack
Securing an Internet Name Server CERT Coordination Center Allen Householder, CERT/CC Brian King, CERT/CC In collaboration with Ken Silva, Verisign Based in part on a presentation originally created by
More informationNetworking Domain Name System
IBM i Networking Domain Name System Version 7.2 IBM i Networking Domain Name System Version 7.2 Note Before using this information and the product it supports, read the information in Notices on page
More informationBuilding a Linux IPv6 DNS Server
Building a Linux IPv6 DS Server By David Gordon and Ibrahim Haddad Open Systems Lab Ericsson Research Corporate Unit This article presents a tutorial on building an IPv6 DS Linux server that provides IPv6
More informationKAREL UCAP DNS AND DHCP CONCEPTS MANUAL MADE BY: KAREL ELEKTRONIK SANAYI ve TICARET A.S. Organize Sanayi Gazneliler Caddesi 10
KAREL UCAP DNS AND DHCP CONCEPTS MANUAL MADE BY: KAREL ELEKTRONIK SANAYI ve TICARET A.S. Organize Sanayi Gazneliler Caddesi 10 Sincan 06935 Ankara, Turkey Version Table Manual Version/Date AAA/22.03.2011
More informationNetworking Domain Name System
System i Networking Domain Name System Version 6 Release 1 System i Networking Domain Name System Version 6 Release 1 Note Before using this information and the product it supports, read the information
More informationDNS Pharming Attack Lab
CNT 5410 - Fall 2014 1 DNS Pharming Attack Lab (This is a modified version of the exercise listed below. Modifications are to provide tighter configuration so as to minimize the risk of traffic leaving
More informationDNS Service on Linux. Supawit Wannapila CCNA, RHCE supawit.w@cmu.ac.th
DNS Service on Linux Supawit Wannapila CCNA, RHCE supawit.w@cmu.ac.th Host Name Resolution Common Host Name Service Files (/etc/hosts and /etc/networks) DNS (/etc/resolv.conf) Multiple client-side resolvers:
More informationHow to Configure Split DNS
How to Configure Split DNS Split DNS is a concept that allows a hostname to resolve to one IP address on the internal network, and another on the external network. An example is the G/On Server if it is
More informationThales nshield HSM. Integration Guide for ISC BIND DNSSEC. www.thalesgroup.com/iss
Thales nshield HSM Integration Guide for ISC BIND DNSSEC www.thalesgroup.com/iss Version: 1.1 Date: 15 June 2011 Copyright 2011 Thales e-security Limited. All rights reserved. Copyright in this document
More informationCopyright International Business Machines Corporation 2001. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure
iseries DNS iseries DNS Copyright International Business Machines Corporation 2001. All rights reserved. US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule
More informationInternet-Praktikum I Lab 3: DNS
Kommunikationsnetze Internet-Praktikum I Lab 3: DNS Mark Schmidt, Andreas Stockmayer Sommersemester 2015 kn.inf.uni-tuebingen.de Motivation for the DNS Problem IP addresses hard to remember for humans
More informationMotivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace
Motivation Domain Name System (DNS) IP addresses hard to remember Meaningful names easier to use Assign names to IP addresses Name resolution map names to IP addresses when needed Namespace set of all
More informationThe Domain Name System
DNS " This is the means by which we can convert names like news.bbc.co.uk into IP addresses like 212.59.226.30 " Purely for the benefit of human users: we can remember numbers (e.g., telephone numbers),
More informationRed Hat system-config-bind BIND (Berkeley Internet Name Domain) DNS ( Domain Name System)
Red Hat system-config-bind BIND (Berkeley Internet Name Domain) DNS ( Domain Name System) Configuration tool User Guide and Manual Jason Vas Dias Copyright ( ) Red Hat Inc. 2005 Table
More informationDNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)
DNS Some advanced topics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.6, 2013/09/19 10:55:30) Friday, September 13, 2013 Karst Koymans (with Niels Sijm) (UvA)
More informationNetworking Domain Name System
System i Networking Domain Name System Version 5 Release 4 System i Networking Domain Name System Version 5 Release 4 Note Before using this information and the product it supports, read the information
More information- Domain Name System -
1 Name Resolution - Domain Name System - Name resolution systems provide the translation between alphanumeric names and numerical addresses, alleviating the need for users and administrators to memorize
More informationTunnel Client FAQ. Table of Contents. Version 0v5, November 2014 Revised: Kate Lance Author: Karl Auer
Tunnel Client FAQ Version 0v5, November 2014 Revised: Kate Lance Author: Karl Auer Table of Contents A. Tunnelling 1 How does tunnelling work? 2 What operating systems are supported? 3 Where can I get
More informationUSING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION
USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION Transaction Signatures (TSIG) provide a secure method for communicating in the Domain Name System (DNS) from a primary to a secondary
More informationSolaris Networking Guide. Stewart Watkiss. Volume. New User To Technical Expert Solaris Bookshelf. This document is currently under construction
Volume 3 New User To Technical Expert Solaris Bookshelf Stewart Watkiss This document is currently under construction This version is to be considered a preview only Solaris Networking Guide Copyright
More informationConfiguring the BIND name server (named) Configuring the BIND resolver Constructing the name server database files
Configuring DNS BIND: UNIX Name Service Configuring the BIND name server (named) Configuring the BIND resolver Constructing the name server database files Zone: a collection of domain information contained
More informationDomain Name Server. Training Division National Informatics Centre New Delhi
Domain Name Server Training Division National Informatics Centre New Delhi Domain Name Service (DNS) I. History of DNS II. DNS structure and its components III. Functioning of DNS IV. Possible Configurations
More informationTHE DOMAIN NAME SYSTEM DNS
Announcements THE DOMAIN NAME SYSTEM DNS Internet Protocols CSC / ECE 573 Fall, 2005 N. C. State University copyright 2005 Douglas S. Reeves 2 Today s Lecture I. Names vs. Addresses II. III. IV. The Namespace
More informationDomain Name System (DNS) Security By Diane Davidowicz 1999 Diane Davidowicz
Domain Name System (DNS) Security By Diane Davidowicz 1999 Diane Davidowicz Contents 1. Abstract...3 2. Introduction...3 3. Overview of the DNS...3 3.1. Fundamentals of DNS...4 3.1.1. The Domain Name Space...4
More informationBenchmarking Zonemaster Sandoche Balakrichenan (Afnic) & Einar Lonn (IIS)
Benchmarking Zonemaster Sandoche Balakrichenan (Afnic) & Einar Lonn (IIS) 1 1 Health check je n'ai pas eu de retour, peut être que c'était trop sybillin 2 DNS Health check Connectivity Name Server DNSSEC
More informationPart 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology
SAST01 An Introduction to Information Security Part 5 DNS Security Martin Hell Department of Electrical and Information Technology How DNS works Amplification attacks Cache poisoning attacks DNSSEC 1 2
More informationDeploying & Configuring a DNS Server on OpenServer 6 or UnixWare 7. Kirk Farquhar
Deploying & Configuring a DNS Server on OpenServer 6 or UnixWare 7 Kirk Farquhar 1 Content Introduction Bind 8 & Bind 9 Administering a DNS Server H2N Using DNS Manager The SCO Resolvers Firewall Issues
More informationThe Domain Name System from a security point of view
The Domain Name System from a security point of view Simon Boman Patrik Hellström Email: {simbo105, pathe321}@student.liu.se Supervisor: David Byers, {davby@ida.liu.se} Project Report for Information Security
More informationInternet Security [1] VU 184.216. Engin Kirda engin@infosys.tuwien.ac.at
Internet Security [1] VU 184.216 Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel chris@auto.tuwien.ac.at Administration Challenge 2 deadline is tomorrow 177 correct solutions Challenge 4 will
More informationACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example Document ID: 113571 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information
More informationForouzan: Chapter 17. Domain Name System (DNS)
Forouzan: Chapter 17 Domain Name System (DNS) Domain Name System (DNS) Need System to map name to an IP address and vice versa We have used a host file in our Linux laboratory. Not feasible for the entire
More informationSimple DNS Configuration Example
Simple DNS Configuration Example Author : RIPE DNS working group Version : 1.0 RIPE NCC Document : ripe-192 See Also : Updates : Table of Contents Abstract Recommended Reading Preparation Example Files
More informationDNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .
Computer System Security and Management SMD139 Lecture 5: Domain Name System Peter A. Jonsson DNS Translation of Hostnames to IP addresses Hierarchical distributed database DNS Hierarchy The Root Name
More informationConfiguring DNS on Cisco Routers
Configuring DNS on Cisco Routers Document ID: 24182 Contents Introduction Prerequisites Requirements Components Used Conventions Setting Up a Router to Use DNS Lookups Troubleshooting You Can Ping a Web
More informationTable of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.
Table of Contents DNS Some advanced topics Karst Koymans Informatics Institute University of Amsterdam (version 154, 2015/09/14 10:44:10) Friday, September 11, 2015 DNS on the wire Encoding of domain names
More informationENTERPRISE LINUX NETWORKING SERVICES
ENTERPRISE LINUX NETWORKING SERVICES The is an expansive course that covers a wide range of network services useful to every organization. Special attention is paid to the concepts needed to implement
More informationDomain Name System 2015-04-28 17:49:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement
Domain Name System 2015-04-28 17:49:44 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Domain Name System... 4 Domain Name System... 5 How DNS Works
More informationBIND 9 DNS Security. Enterprise Applications Division of the Systems and Network Analysis Center (SNAC) Information Assurance Directorate
BIND 9 DNS Security Report # I733-004R-2010 Date: 02/14/2011 Enterprise Applications Division of the Systems and Network Analysis Center (SNAC) Information Assurance Directorate Author(s) I733 National
More informationDNS : Domain Name System
1/30 DNS : Domain Name System Surasak Sanguanpong nguan@.ac.th http://www...ac.th/~nguan Last updated: May 24, 1999 Outline 2/30 DNS basic name space name resolution process protocol configurations Why
More informationDNS Resolving using nslookup
DNS Resolving using nslookup Oliver Hohlfeld & Andre Schröder January 8, 2007 Abstract This report belongs to a talk given at the networking course (Institue Eurecom, France) in January 2007. It is based
More informationGL275 - ENTERPRISE LINUX NETWORKING SERVICES
Length: 5 days The GL275 is an expansive course that covers a wide range of network services useful to every organization. Special attention is paid to the concepts needed to implement these services securely,
More informationGL-275: Red Hat Linux Network Services. Course Outline. Course Length: 5 days
GL-275: Red Hat Linux Network Services Course Length: 5 days Course Description: The GL275 is an expansive course that covers a wide range of network services useful to every organization. Special attention
More informationAutomatic Configuration of Slave Nameservers (BIND 9.7.2 only)
DNSSHIM 1 DNSSHIM is an open-source software that implements the Domain Name Name System (DNS) protocol for the Internet. Its main feature is to work as a Hidden Master nameserver, that is, provide information
More informationDNS security: poisoning, attacks and mitigation
DNS security: poisoning, attacks and mitigation The Domain Name Service underpins our use of the Internet, but it has been proven to be flawed and open to attack. Richard Agar and Kenneth Paterson explain
More informationUnbound a caching, validating DNSSEC resolver. Do you trust your name server? Configuration. Unbound as a DNS cache (SEC-less)
Unbound a caching, validating DNSSEC resolver UKUUG Spring 2011 Conference Leeds, UK March 2011 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr Do you trust your name server? DNS clients typically
More informationThe Domain Name System: An Integral Part of the Internet. By Keiko Ishioka
The Domain Name System: An Integral Part of the Internet By Keiko Ishioka The Domain Name System (otherwise known as the Domain Name Server system) (DNS) is a distributed database that is accessed by anyone
More informationDNS + DHCP. Michael Tsai 2015/04/27
DNS + DHCP Michael Tsai 2015/04/27 lubuntu.ova http://goo.gl/bax8b8 DNS + DHCP DNS: domain name < > IP address DHCP: gives you a IP + configuration when you joins a new network DHCP = Dynamic Host Configuration
More informationDNS and LDAP persistent search
FreeIPA Training Series DNS and LDAP persistent search FreeIPA 3.0 and bind-dyndb-ldap 2.3 Petr Špaček 01-14-2013 FreeIPA DNS integration FreeIPA is able to store
More informationUsing Webmin and Bind9 to Setup DNS Sever on Linux
Global Open Versity Systems Integration Hands-on Labs Training Manual Using Webmin and Bind9 to Setup DNS Sever on Linux By Kefa Rabah, krabah@globalopenversity.org March 2008 Installing and Configuring
More informationBIND 9 Administrator Reference Manual
BIND 9 Administrator Reference Manual Copyright c 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 Internet Systems Consortium, Inc. ( ISC ) Copyright c 2000, 2001, 2002, 2003 Internet Software
More informationHow to Enable Internet for Guest Virtual Machine using Wi-Fi wireless Internet Connection.
How to Enable Internet for Guest Virtual Machine using Wi-Fi wireless Internet Connection. Table of Contents 1) Host, Guest and VBox version.... 2 2) Check your current Host and Guest Details... 3 3) Now
More informationDNS and BIND. David White
DNS and BIND David White DNS: Backbone of the Internet Translates Domains into unique IP Addresses i.e. developcents.com = 66.228.59.103 Distributed Database of Host Information Works seamlessly behind
More informationDNS HOWTO Nicolai Langfeldt (
Table of Contents DNS HOWTO...1 Nicolai Langfeldt (dns howto(at)langfeldt.net), Jamie Norrish and others...1 1. Preamble...1 2. Introduction...1 3. A resolving, caching name server...1 4. Forwarding...1
More informationAgenda. Network Services. Domain Names. Domain Name. Domain Names Domain Name System Internationalized Domain Names. Domain Names & DNS
Agenda Network Services Domain Names & DNS Domain Names Domain Name System Internationalized Domain Names Johann Oberleitner SS 2006 Domain Names Naming of Resources Problems of Internet's IP focus IP
More informationMeasurement of the Usage of Several Secure Internet Protocols from Internet Traces
Measurement of the Usage of Several Secure Internet Protocols from Internet Traces Yunfeng Fei, John Jones, Kyriakos Lakkas, Yuhong Zheng Abstract: In recent years many common applications have been modified
More informationTanenbaum, Computer Networks (extraits) Adaptation par J.Bétréma. DNS The Domain Name System
Tanenbaum, Computer Networks (extraits) Adaptation par J.Bétréma DNS The Domain Name System RFC 1034 Network Working Group P. Mockapetris Request for Comments: 1034 ISI Obsoletes: RFCs 882, 883, 973 November
More informationENTERPRISE LINUX NETWORKING SERVICES
ENTERPRISE LINUX NETWORKING SERVICES COURSE DESCRIPTION: The GL275 is an expansive course that covers a wide range of network services useful to every organization. Special attention is paid to the concepts
More informationLab 8.3.1.2 Configure Basic AP Security through IOS CLI
Lab 8.3.1.2 Configure Basic AP Security through IOS CLI Estimated Time: 30 minutes Number of Team Members: Students will work in teams of two. Objective In this lab, the student will learn the following
More information1. LAB SNIFFING LAB ID: 10
H E R A LAB ID: 10 SNIFFING Sniffing in a switched network ARP Poisoning Analyzing a network traffic Extracting files from a network trace Stealing credentials Mapping/exploring network resources 1. LAB
More informationECE 4321 Computer Networks. Network Programming
ECE 4321 Computer Networks Network Programming Name Space System.Net Domain Name System (DNS) To resolve computer naming Host database is split up and distributed among multiple systems on the Internet
More informationDomain Name System (DNS) RFC 1034 RFC 1035 http://www.ietf.org
Domain Name System (DNS) RFC 1034 RFC 1035 http://www.ietf.org TCP/IP Protocol Suite Application Layer DHCP DNS SNMP HTTP SMTP POP Transport Layer UDP TCP ICMP IGMP Network Layer IP Link Layer ARP ARP
More informationTeldat Router. DNS Client
Teldat Router DNS Client Doc. DM723-I Rev. 10.00 March, 2003 INDEX Chapter 1 Domain Name System...1 1. Introduction...2 2. Resolution of domains...3 2.1. Domain names resolver functionality...4 2.2. Functionality
More informationDNS. Computer networks - Administration 1DV202. fredag 30 mars 12
DNS Computer networks - Administration 1DV202 DNS History Who needs DNS? The DNS namespace How DNS works The DNS database The BIND software Server and client configuration The history of DNS RFC 882 and
More informationDescription: Objective: Attending students will learn:
Course: Introduction to Cyber Security Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: In 2014 the world has continued to watch as breach after breach results in millions of
More informationRemote DNS Cache Poisoning Attack Lab
SEED Labs Remote DNS Cache Poisoning Attack Lab 1 Remote DNS Cache Poisoning Attack Lab Copyright c 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by the following
More information2G1701 Advanced Internetworking Group 5 : KiStaNEt ISP Project Report
2G1701 Advanced Internetworking Group 5 : KiStaNEt ISP Project Report Course staff : Group Members : Jon-Olov Vatn (Course Leader) Sermed Al-abbasi (Teaching Assistant) Zaheen Sherwani Carlos Loarca Xiong
More informationFAQ (Frequently Asked Questions)
FAQ (Frequently Asked Questions) Specific Questions about Afilias Managed DNS What is the Afilias DNS network? How long has Afilias been working within the DNS market? What are the names of the Afilias
More informationDNS Session 4: Delegation and reverse DNS. Joe Abley AfNOG 2006 workshop
DNS Session 4: Delegation and reverse DNS Joe Abley AfNOG 2006 workshop How do you delegate a subdomain? In principle straightforward: just insert NS records for the subdomain, pointing at someone else's
More information"Charting the Course... Enterprise Linux Networking Services Course Summary
Course Summary Description This an expansive course that covers a wide range of network services useful to every organization. Special attention is paid to the concepts needed to implement these services
More informationDomain Name System. DNS is an example of a large scale client-server application. Copyright 2014 Jim Martin
Domain Name System: DNS Objective: map names to IP addresses (i.e., high level names to low level names) Original namespace was flat, didn t scale.. Hierarchical naming permits decentralization by delegating
More informationConfiguring DNS. Finding Feature Information
The Domain Name System (DNS) is a distributed database in which you can map hostnames to IP addresses through the DNS protocol from a DNS server. Each unique IP address can have an associated hostname.
More informationServices: DNS domain name system
Services: DNS domain name system David Morgan Buying numbers and names numbers are IP addresses you buy them from an ISP the ISP makes sure those addresses go to your place the names are domain names you
More informationConfiguring SSL Termination
CHAPTER 4 This chapter describes the steps required to configure a CSS as a virtual SSL server for SSL termination. It contains the following major sections: Overview of SSL Termination Creating an SSL
More informationEE 7376: Introduction to Computer Networks. Homework #3: Network Security, Email, Web, DNS, and Network Management. Maximum Points: 60
EE 7376: Introduction to Computer Networks Homework #3: Network Security, Email, Web, DNS, and Network Management Maximum Points: 60 1. Network security attacks that have to do with eavesdropping on, or
More informationSome advanced topics. Karst Koymans. Friday, September 11, 2015
DNS Some advanced topics Karst Koymans Informatics Institute University of Amsterdam (version 154, 2015/09/14 10:44:10) Friday, September 11, 2015 Karst Koymans (UvA) DNS Friday, September 11, 2015 1 /
More informationDnsCluster: A networking tool for automatic domain zone updating
DnsCluster: A networking tool for automatic domain zone updating Charalambos Alatas and Constantinos S. Hilas * Dept. of Informatics and Communications Technological Educational Institute of Serres Serres,
More informationCommon security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon
1 Common security requirements Basic security tools Secret-key cryptography Public-key cryptography Example Online shopping with Amazon 2 Alice credit card # is xxxx Internet What could the hacker possibly
More informationwhat s in a name? taking a deeper look at the domain name system mike boylan penn state mac admins conference
what s in a name? taking a deeper look at the domain name system mike boylan penn state mac admins conference whoami work for robert morris university, pittsburgh, pa primarily mac and voip admin @mboylan
More informationHTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide
HTG X XROADS NETWORKS Network Appliance How To Guide: EdgeDNS How To Guide V 3. 2 E D G E N E T W O R K A P P L I A N C E How To Guide EdgeDNS XRoads Networks 17165 Von Karman Suite 112 888-9-XROADS V
More informationAn Oracle White Paper December, 2012. Enterprise Manager 12c Cloud Control: Configuring OMS Disaster Recovery with F5 BIG-IP Global Traffic Manager
An Oracle White Paper December, 2012 Enterprise Manager 12c Cloud Control: Configuring OMS Disaster Recovery with F5 BIG-IP Global Traffic Manager Contents Contents... 1 Executive Overview... 2 Disaster
More informationDNS Conformance Test Specification For Client
DNS Conformance Test Specification For Client Revision 1.0 Yokogawa Electric Corporation References This test specification focus on following DNS related RFCs. RFC 1034 DOMAIN NAMES - CONCEPTS AND FACILITIES
More informationDNS Amplification Attacks as a DDoS Tool and Mitigation Techniques
DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques Klaus Steding-Jessen jessen@cert.br! Computer Emergency Response Team Brazil - CERT.br Network Information Center Brazil - NIC.br Brazilian
More informationDNS. Computer Networks. Seminar 12
DNS Computer Networks Seminar 12 DNS Introduction (Domain Name System) Naming system used in Internet Translate domain names to IP addresses and back Communication works on UDP (port 53), large requests/responses
More informationLesson 13: DNS Security. Javier Osuna josuna@gmv.com GMV Head of Security and Process Consulting Division
Lesson 13: DNS Security Javier Osuna josuna@gmv.com GMV Head of Security and Process Consulting Division Introduction to DNS The DNS enables people to use and surf the Internet, allowing the translation
More informationInformation Security
Information Security Dr. Vedat Coşkun Malardalen September 15th, 2009 08:00 10:00 vedatcoskun@isikun.edu.tr www.isikun.edu.tr/~vedatcoskun What needs to be secured? With the rapid advances in networked
More informationWork No. 1 Samba. What is Samba?
Work No. 1 Samba What is Samba? Samba is an implementation of a Server Message Block (SMB) protocol server that can be run on almost every variant of UNIX in existence. Samba is an open source project,
More information