CS Lecture 22 DNS Security
|
|
- Dora Davidson
- 8 years ago
- Views:
Transcription
1 CS Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall 2013
2 The Domain Name System Virtually every application uses the Domain Name System (DNS). DNS database maps: Name to IP address Root edu mil ru = And many other mappings isi darpa af mil (mail servers, IPv6, reverse ) Data organized as tree structure. Each zone is authoritative nge andrews for its local data.
3 DNS Query and Response A? Root DNS Server End-user A Caching DNS Server mil DNS Server Actually = But how would you determine this? darpa.mil DNS Server
4 DNS Vulnerabilities Original DNS design focused on data availability DNS zone data is replicated at multiple servers. A DNS zone works as long as one server is available. DDoS attacks against the root must take out 13 root servers. But the DNS design included no authentication. Any DNS response is generally believed. No attempt to distinguish valid data from invalid. Just one false root server could disrupt the entire DNS.
5 A Simple DNS Attack Easy to observe UDP DNS query sent to well known server on well known port. Joe s Laptop A? A A Dan s Laptop First response wins. Second response is silently dropped on the floor. Caching DNS Server Root DNS Server mil DNS Server darpa.mil DNS Server
6 Secure64 Caching Server A More Complex Attack Response A attacker.com NS ns.attacker.com attacker.com NS ns.attacker.com A A = Query Query ns.attacker.com Secure64 Laptop Remote attacker
7 Routing Based DNS Attacks BGP Also Provides No Authentication Faults and attacks can mis-direct traffic. One (of many) examples observed from BGP logs. Server could have replied with false DNS data. ISPs announced new path for 20 minutes to 3 hours originates route to /24 BGP monitor Internet c.gtld-servers.net
8 The Problem in a Nutshell Resolver can not distinguish between valid and invalid data in a response. Idea is to add source authentication Verify the data received in a response is equal to the data entered by the zone administrator. Must work across caches and views. Must maintain a working DNS for old clients.
9 DNS Security Extensions Cryptography is like magic fairy dust, we just sprinkle it on our protocols and its makes everything secure - IEEE Security and Privacy Magazine, Jan 2003
10 Secure DNS Query and Response Caching DNS Server Authoritative DNS Servers End-user = Plus (RSA) signature by the darpa.mil private key Attacker can not forge this answer without the darpa.mil private key.
11 Authentication of DNS Responses Each zone signs its data using a private key. Recommend signing done offline in advance Query for a particular record returns: The requested resource record set. A signature (SIG) of the requested resource record set. Resolver authenticates response using public key. Public key is pre-configured or learned via a sequence of key records in the DNS heirarchy.
12 Learning DNS Public Keys Public key is required to verify signature RRSIG record identified the key name and key tag. If you are pre-configured with key, then done. UCLA resolver is configured with the ucla.edu key Typical resolver does not have all the public keys. Configure root key and perhaps some local keys Query zone for the desired public Query returns DNSKEY record and a signature from the parent zone.
13 Example DNSSEC Records name TTL class RRSIG type_covered Algorithm labels TTL expiration ( inception dates key_tag key_name signature ) IN A IN RRSIG A ( darpa.mil. Base 64 encoding of signature ) name TTL class DNSKEY FLAGS PROTOCOL Algorithm public key darpa.mil IN DNSKEY ( Base64 encoding of pub key ) darpa.mil IN RRSIG DNSKEY ( mil. Base 64 encoding of signature ) Note the darpa.mil DNSKEY is signed by the mil private key (We later show why this doesn t work)
14 Authenticated Denial of Existence What if the requested record doesn t exist? Query for foo.isi.edu returns No such name How do you authenticate this? Must meet a variety of operational constraints Some zones refuse to store any keying information online. Some zones don t trust (all) of their secondary servers. Can t control which server a resolver contacts. Some zones don t have compuational resources to sign on the fly Can t predict user would ask for foo.isi.edu
15 NSEC Records Solution: sign next name after a.isi.edu. is g.isi.edu. foo.isi.edu.? Caching DNS Server Authoritative DNS Servers End-user foo.isi.edu. does not exist a.isi.edu NSEC g.isi.edu. a.isi.edu RRSIG NSEC.
16 There is no magic fairy dust
17 Zone Walking and Monitoring Solution: sign next name after a.colostate.edu. is g.colostate.edu. foo.colostate.edu.? Caching DNS Server Authoritative DNS Servers End-user foo.colostate.edu. does not exist a.colostate.edu NSEC g.colostate.edu. a.colostate.edu RRSIG NSEC.
18 Revising DNS Key Management Operational Problems in RFC 2535 DNSSEC USC/ISI led one of the first multi-administion testbeds. Identified fundamental key management & scaling issues. Revision now at the end of the standards process Provide a coherent design that meets needs of vendors/operators Currently co-editor of the IETF revision [1]. Basic Principles Behind the DNS Revision The DNS succeeded by de-coupling zones. But authentication chains require coordination. Store a hash (copy) of the child key at the parent. Overcomes the DNS atomic RRset problem. Manages authentication chains using operations similar to those currently used for maintaining server chains.
19 Revised DNS Key Management darpa.mil NS records Can Change mil key without notifying darpa.mil darpa.mil DS record (hash of pubkey 1) darpa.mil SIG(DS) by mil private key mil DNS Server darpa.mil DNS Server darpa.mil DNSKEY (pub key 1) darpa.mil DNSKEY (pub key 2) darpa.mil RRSIG(A) by key 1 } Can Change key 2 without notifying.mil A record RRSIG(A) by key 2
20 DNS Key Signing Key Roll-Over mil DNS Server darpa.mil DS record (hash of pubkey 3) darpa.mil RRSIG(DS) by mil private key darpa.mil DS record (hash of pubkey 1) darpa.mil RRSIG(DS) by mil private key darpa.mil DNS Server darpa.mil DNSKEY (pub key 1) darpa.mil DNSKEY (pub key 2) darpa.mil RRSIG(A) DNSKEY (pub by key 13) darpa.mil RRSIG(A) by key 13 darpa.mil RRSIG(A) by key 3 } Objective: Replace DNSKEY 1 with new DNSKEY 3
21 Minimal Requirements Parent must indicate how to reach the child. NS records at parent MUST identify at least one valid name server for child. Parent must identify a trusted key at child. DS record at parent MUST match a valid KEY stored at the child.
22 Protocol Complications Building on an existing system Objective is to strengthen the system. But additions also add stress to weak points. Some example cases: Denial of service added by the DS record. NS records stored at the parent. Over use of the KEY record.
23 Hidden DS Denial of Service DS Record is Stored Only at the Parent. All DS records should be sent to parent. What if you ask ucla.edu for the ucla.edu DS? Early BIND Implementation Choice: Server says I m not authoritative for this data. Resolver hears Not authortitative for ucla.edu The Resulting Under-Specification Attack Ask resolver to send DS query to each ucla.edu server. Each server declared not authortiative for ucla.edu! Query for now returns: cache says all ucla.edu servers are broken
24 Flaws in the DNS Design (glue) Parent (edu) stores NS records for child (isi.edu) Provides a hint on how to reach the child Child also stores a copy of the same NS RRset. Child (isi.edu) is the authoritative source. Implications for Authentication: Parent is not the authoritative source of the data. Child data is not available if parent is wrong. Resolver/cache can t distinguish between the set stored at the child and the set stored at the parent. DNSSEC Solution: Only the child signs its NS RRset
25 NS records stored at the Parent Edu server stores NS records for ucla.edu Tells a resolver where to find ucla.edu servers. Ucla.edu server also stores ucla.edu NS set. Ucla.edu is the authoritative source. Parent and child differ due to various reasons SeePappas SIGCOMM 2004 Loose coordination works since only requires some overlap in parent/child NS. Security assumes identical. Security also says parent can t sign NS set. Parent is not the authoritative source of the data.
26 Over Use of KEY Record Original KEY record used for DNSSEC and IPSEC, , TLS, etc. Resolver looking for DNSSEC key gets all possible keys. Data (ipsec key) should be separate from control (DNSSEC) key. Fixed in RFC 3449 that limits KEY to DNSSEC.
27 Wild Cards Authenticated denial further complicated by wildcards. Must prove b.darpa.mil does not exist Must also prove no wildcard would match. Algorithm for computing necessary wildcards now available in revised specification. Pathological cases require many NXT records. Motivates one further change Proposal to add bit indicating: next (signed?) name after a is c and no wildcards apply in between
28 Moving DNSSEC to the End Host DNS security design worked with DNS resolvers and servers. Default was to send DNSSEC data. Verified old resolvers and servers ignore it. But DNS interacts with many other pieces. Firewalls did not ignore the extra records. Our subcontract was blackholed by DARPA. DARPA firewall thought the SIG records were an attack! DNSSEC OK bit added to protocol Resolver sets this bit indicated DNSSEC data is okay.
29 Who is Deploying DNSSEC? Monitoring Started From Close to Day One DNSSEC RFCs published in March 2005 Monitoring launched in October 2005 Find Zones Using Crawling and User Submissions Continually crawl DNS looking for secure zones Allow users to submit the names of secure zones
30 DNSSEC Deployment Oct 16, 2007: 10,319 Secure Zones
31 Deployment Observations (Undirected) Crawling DNS Finds Few Secure Zones Vast DNS + tiny DNSSEC => low (near 0) hit rate for crawler User Submissions Drive Current Monitoring SecSpider is well publicized => high submission rate Augment secure zones with parent/child and popular sites Trend is positive, but still very small deployment overall Some top level domains deploying or deployed (e.g. se zone) Not yet at critical mass for DNSSEC
32 A Closer Look at Secure Zones Monitor Closely Tracks All Secure Zones Frequent Queries to Monitor Changes Exploit DNSSEC zone walking Still tractable due to relativley small DNSSEC deployment Monitoring Reveals Many Challenges DNSSEC deployment is not simple after all Challenge in Islands of Security Challenge in Key Management Challenge in Preventing Replays
33 Challenge 1: Islands of Security DNS relies on the tree herarchy to learn public keys Everyone knows root public key But how would this happen and who manages it? Root key used to sign edu public key But neither root or edu have public keys now. edu key used to sign colostate.edu key But no hierarchy leads to the public key? How does a resolver learn a secure zone s public key?
34 Challenge 1: Islands of Security Island of Security: DNS sub-tree where every zone in the sub-tree has deployed DNSSEC Design envisioned a single island of security All zones deploy DNSSEC and manually configure the root key Monitoring reality shows disconnected deployments DNSSEC deployed in isolated subtrees and must manually configure the public key for each island of security
35 Islands of Security Vast majority of secure zones are single zone islands. Small number of large islands but this includes testbeds.
36 Addressing Islands of Security Deploy DNSSEC at all zones or at least from root down Has yet to happen operationally.. Develop an Alternative PKI? DLV provides some service to store and report public keys Can we trust the public keys visible at the monitor? Must ensure keys came from monitor Must ensure monitor was not tricked But can rely on distributed services and checking by actual admins.
37 Challenge 2: Key Management Design is Relatively Simple, But Operations are complex Establish key pair and sign the zone Relatively straight-forward, but issues below add challenges.. Establish an Authentication Chain with a Secure Parent Cross-domain coordination with a different administration Update the key pair periodically Due to planned changes or key compromise Simple concept of parent private key signs the child public key. But many complex details
38 Minimum and Maximum Values
39 Average Key Lifetimes
40 Addressing Key Management Manual operation of complex steps is unrealistic Need to improve management tools and increase automation Possible, but need to overcome off-line key issues Match operations with monitoring Must have monitoring to provide external view of zone Must have some form of correctness check Monitoring data can aide in the automation process by checking which steps have been done Ex: detect when the DS record at the parent has changed
41 Challenge 3: Lifetimes&Replays Each cryptographic signature has a fixed lifetime Ex: Signature for edu expires on Oct 31. What if the addresses changes today? Actions Taken in the DNS Server removes changed record and replaces with new copy But attacker can still replay the old record and signature Vulnerable Records: data has changed, but the signature on old copy has not yet expired Vulnerable records can be replayed and resolver will authenticate the old copy
42 Vulnerable DNS Record Sets
43 Addressing Lifetimes & Replays With sufficient prediction, vulnerable records can be avoided Make signature lifetime match data lifetime Dramatic Improvement Coincided With Monitoring Vulnerable records greatly reduced in current data
44 The Role of Monitoring Monitoring is essential is large-scale systems Monitoring illustrates extent of known issues in deployment Monitoring identifies new challenges in deployment SecSpider Monitoring Benefits DNSSEC Illustrates progress and documents scale of known issues Identifies new challenges Allows zone admins to see how others perceive them Various examples of how monitoring led to changes Monitoring is the solution to many challenges
45 Future Directions Challenge 1: Islands of Security Monitor can be used to bootstrap public key information Challenge is to authenticate public keys came from monitor and limit chance monitor data is subverted by attacer Challenge 2 and 3: Cryptographic Management Given an external view of data, zone admins can adapt Monitoring can verify key management is working Monitoring can aide in automating DNS key management Current work is using SecSpider data to identify new challenges and practically solve existing challenges
46
47 Summary DNSSEC is useful example. Protocol evolved when it hit operations. Lesson highlight flaws So do we abandon DNSSEC? The solution is multiple fences. If DNSSEC is the solution, it failed. If DNSSEC is part of the solution, it succeeds.
DNS at NLnet Labs. Matthijs Mekking
DNS at NLnet Labs Matthijs Mekking Topics NLnet Labs DNS DNSSEC Recent events NLnet Internet Provider until 1997 The first internet backbone in Holland Funding research and software projects that aid the
More informationPart 5 DNS Security. SAST01 An Introduction to Information Security 2015-09-21. Martin Hell Department of Electrical and Information Technology
SAST01 An Introduction to Information Security Part 5 DNS Security Martin Hell Department of Electrical and Information Technology How DNS works Amplification attacks Cache poisoning attacks DNSSEC 1 2
More informationPublic Key Validation for the DNS Security Extensions
Public Key Validation for the DNS Security Extensions Daniel Massey USC/ISI masseyd@isi.edu Ed Lewis Network Associates, Inc. lewis@tislabs.com Russ Mundy Network Associates, Inc. mundy@tislabs.com Allison
More informationDNSSEC Applying cryptography to the Domain Name System
DNSSEC Applying cryptography to the Domain Name System Gijs van den Broek Graduate Intern at SURFnet Overview First half: Introduction to DNS Attacks on DNS Second half: DNSSEC Questions: please ask! DNSSEC
More informationThe Domain Name System from a security point of view
The Domain Name System from a security point of view Simon Boman Patrik Hellström Email: {simbo105, pathe321}@student.liu.se Supervisor: David Byers, {davby@ida.liu.se} Project Report for Information Security
More informationDNS security: poisoning, attacks and mitigation
DNS security: poisoning, attacks and mitigation The Domain Name Service underpins our use of the Internet, but it has been proven to be flawed and open to attack. Richard Agar and Kenneth Paterson explain
More informationDNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)
DNSSEC: A Vision Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Outline DNS Today DNS Attacks DNSSEC: An Approach Countering DNS Attacks Conclusion 2 DNS Today DNS is
More informationEDU DNSSEC Testbed. Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network
EDU DNSSEC Testbed Shumon Huque, University of Pennsylvania Larry Blunk, MERIT Network Internet2 Joint Techs Conference Salt Lake City, Utah February 2nd 2010 1 DNSSEC DNS Security Extensions A system
More informationInternet-Praktikum I Lab 3: DNS
Kommunikationsnetze Internet-Praktikum I Lab 3: DNS Mark Schmidt, Andreas Stockmayer Sommersemester 2015 kn.inf.uni-tuebingen.de Motivation for the DNS Problem IP addresses hard to remember for humans
More informationDeploying DNSSEC: From End-Customer To Content
Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical
More informationDNS Security: New Threats, Immediate Responses, Long Term Outlook. 2007 2008 Infoblox Inc. All Rights Reserved.
DNS Security: New Threats, Immediate Responses, Long Term Outlook 2007 2008 Infoblox Inc. All Rights Reserved. A Brief History of the Recent DNS Vulnerability Kaminsky briefs key stakeholders (CERT, ISC,
More informationDOMAIN NAME SECURITY EXTENSIONS
DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions
More informationComputer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System
Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce 18/02/15 Networks: DNS attacks 1 Domain Name System The domain name system (DNS) is an applica>on- layer protocol
More informationComputer Networks: Domain Name System
Computer Networks: Domain Name System Domain Name System The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses DNS www.example.com 208.77.188.166 http://www.example.com
More informationAmerican International Group, Inc. DNS Practice Statement for the AIG Zone. Version 0.2
American International Group, Inc. DNS Practice Statement for the AIG Zone Version 0.2 1 Table of contents 1 INTRODUCTION... 6 1.1 Overview...6 1.2 Document Name and Identification...6 1.3 Community and
More informationDomain Name System Security
Domain Name System Security Guevara Noubir Network Security Northeastern University 1 Domain Name System DNS is a fundamental applica=on layer protocol Not visible but invoked every =me a remote site is
More informationLecture 2 CS 3311. An example of a middleware service: DNS Domain Name System
Lecture 2 CS 3311 An example of a middleware service: DNS Domain Name System The problem Networked computers have names and IP addresses. Applications use names; IP uses for routing purposes IP addresses.
More informationXN--P1AI (РФ) DNSSEC Policy and Practice Statement
XN--P1AI (РФ) DNSSEC Policy and Practice Statement XN--P1AI (РФ) DNSSEC Policy and Practice Statement... 1 INTRODUCTION... 2 Overview... 2 Document name and identification... 2 Community and Applicability...
More informationNetworking Domain Name System
IBM i Networking Domain Name System Version 7.2 IBM i Networking Domain Name System Version 7.2 Note Before using this information and the product it supports, read the information in Notices on page
More informationRough Outline. Introduction Why DNSSEC DNSSEC Theory Famous last words. http://www.nlnetlabs.nl/ Universiteit van Amsterdam, Sep 2006.
page 2 Rough Outline An introduction to DNSSEC Olaf Kolkman 21 September 2006 Stichting (www.nlnetlabs.nl) Introduction Why DNSSEC DNSSEC Theory Famous last words page 3 DNSSEC evangineers of the day Olaf:
More informationGDS Resource Record: Generalization of the Delegation Signer Model
GDS Resource Record: Generalization of the Delegation Signer Model Gilles Guette, Bernard Cousin, David Fort To cite this version: Gilles Guette, Bernard Cousin, David Fort. GDS Resource Record: Generalization
More informationUse Domain Name System and IP Version 6
Use Domain Name System and IP Version 6 What You Will Learn The introduction of IP Version 6 (IPv6) into an enterprise environment requires some changes both in the provisioned Domain Name System (DNS)
More informationDNSSEC in your workflow
DNSSEC in your workflow Presentation roadmap Overview of problem space Architectural changes to allow for DNSSEC deployment Deployment tasks Key maintenance DNS server infrastructure Providing secure delegations
More informationDNSSEC - Why Network Operators Should Care And How To Accelerate Deployment
DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment Dan York, CISSP Senior Content Strategist, Internet Society Eurasia Network Operators' Group (ENOG) 4 Moscow, Russia October
More informationA Security Evaluation of DNSSEC with NSEC3
A Security Evaluation of DNSSEC with NSEC3 Jason Bau Stanford University Stanford, CA, USA jbau@stanford.edu Abstract Domain Name System Security Extensions (DNSSEC) with Hashed Authenticated Denial of
More informationReverse DNS considerations for IPv6
Reverse DNS considerations for IPv6 Kostas Zorbadelos OTE David Freedman - ClaraNet Reverse DNS in IPv4 Every Internet-reachable host should have a name Make sure your PTR and A records match. For every
More informationDNSSEC - Tanzania
DNSSEC Policy & Practice Statement for.tz Zone Version 1.1 Effective Date: January 1, 2013 Tanzania Network Information Centre 14107 LAPF Millenium Towers, Ground Floor, Suite 04 New Bagamoyo Road, Dar
More informationDNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS
AFNIC s Issue Papers DNSSEC Domain Name System Security Extensions 1 - Organisation and operation of the DNS 2 - Cache poisoning attacks 3 - What DNSSEC can do 4 - What DNSSEC cannot do 5 - Using keys
More informationRequest for Comments: 1788 Category: Experimental April 1995
Network Working Group W. Simpson Request for Comments: 1788 Daydreamer Category: Experimental April 1995 Status of this Memo ICMP Domain Name Messages This document defines an Experimental Protocol for
More informationA New Look at the Old Domain Name System
A New Look at the Old Domain Name System Yair Amir 1, Daniel Massey 2, Ciprian Tutu 1 Technical Report CNDS-2003-2 http://www.cnds.jhu.edu July 18, 2003 Abstract The Domain Name System (DNS) is undergoing
More informationHow To Use Dnsec
Jakob-Haringer-Str. 8/V Tel.: +43 662 46 69-0 Fax: +43 662 46 69-19 5020 Salzburg, Austria E-Mail:service@nic.at Web: www.nic.at DNSSEC Policy & Practice Statement (DPS) for.at A: Bank Austria Creditanstalt
More informationDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
F5 Technical Brief DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks Domain Name System (DNS) provides one of the most basic but critical functions on the Internet. If DNS isn t working,
More informationDNS SECURITY TROUBLESHOOTING GUIDE
DNS SECURITY TROUBLESHOOTING GUIDE INTERNET DEPLOYMENT OF DNS SECURITY 27 November 2006 Table of Contents 1. INTRODUCTION...3 2. DNS SECURITY SPECIFIC FAILURE MODES...3 2.1 SIGNATURES...3 2.1.1 Signature
More informationAuthenticated Denial of Existence in the DNS
CC BY-SA 3.0 SIDN Labs 2011/0x01-v2 Authenticated Denial of Existence in the DNS Miek Gieben, miek.gieben@sidn.nl, SIDN Matthijs Mekking, matthijs@nlnetlabs.nl, NLnet Labs January 2012 Abstract Authenticated
More informationDNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. olaf@nlnetlabs.nl and mankin@psg.com. http://www.nlnetlabs.nl/ 8 Feb 2006 Stichting NLnet Labs
DNS Risks, DNSSEC Olaf M. Kolkman and Allison Mankin olaf@nlnetlabs.nl and mankin@psg.com 8 Feb 2006 Stichting NLnet Labs DNSSEC evangineers of the day Allison: Independent consultant Member of the Internet2
More informationUsing the Domain Name System for System Break-ins
Using the Domain Name System for System Break-ins Steven M. Bellovin Presented by: Thomas Repantis trep@cs.ucr.edu CS255-Computer Security, Winter 2004 p.1/37 Overview Using DNS to spoof a host s name
More informationUSING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION
USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION Transaction Signatures (TSIG) provide a secure method for communicating in the Domain Name System (DNS) from a primary to a secondary
More informationWHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid
WHITE PAPER Best Practices DNSSEC Zone Management on the Infoblox Grid What Is DNSSEC, and What Problem Does It Solve? DNSSEC is a suite of Request for Comments (RFC) compliant specifications developed
More informationIntroduction to the DANE Protocol
Introduction to the DANE Protocol ICANN 47 July 17, 2013 Internet Society Deploy360 Programme Providing real-world deployment info for IPv6, DNSSEC, routing and other Internet technologies: Case Studies
More informationServer Certificates based on DNSSEC
Server Certificates based on DNSSEC Audun Jøsang and Kashif Sana Dar University of Oslo josang@mn.uio.no and kashifd@ifi.uio.no Abstract. Globally unique domain names and IP addresses that are provided
More informationAn Introduction to the Domain Name System
An Introduction to the Domain Name System Olaf Kolkman Olaf@nlnetlabs.nl October 28, 2005 Stichting NLnet Labs This Presentation An introduction to the DNS Laymen level For non-technologists About protocol
More informationDNSSEC Policy and Practice Statement.amsterdam
DNSSEC Policy and Practice Statement.amsterdam Contact T +31 26 352 55 00 support@sidn.nl www.sidn.nl Offices Meander 501 6825 MD Arnhem Mailing address Postbus 5022 6802 EA Arnhem May 24, 2016 Public
More informationDANE Secured E-Mail Demonstration. Wes Hardaker Parsons <wes.hardaker@parsons.com>
DANE Secured E-Mail Demonstration Wes Hardaker Parsons Overview My Background In scope topics Securing E-Mail Requirements Implementing Each Requirement 2 My Background Part of the Network Security
More informationSecure Domain Name System (DNS) Deployment Guide
NIST Special Publication 800-81-2 Secure Domain Name System (DNS) Deployment Guide Ramaswamy Chandramouli Scott Rose C O M P U T E R S E C U R I T Y NIST Special Publication 800-81-2 Secure Domain Name
More informationMotivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace
Motivation Domain Name System (DNS) IP addresses hard to remember Meaningful names easier to use Assign names to IP addresses Name resolution map names to IP addresses when needed Namespace set of all
More informationSecuring DNS Infrastructure Using DNSSEC
Securing DNS Infrastructure Using DNSSEC Ram Mohan Executive Vice President, Afilias rmohan@afilias.info February 28, 2009 Agenda Getting Started Finding out what DNS does for you What Can Go Wrong A Survival
More informationAn Integrity Verification Scheme for DNS Zone file based on Security Impact Analysis
An Integrity Verification Scheme for DNS Zone file based on Security Impact Analysis Ramaswamy Chandramouli NIST, Gaithersburg, MD 20899 (mouli@nist.gov) Abstract The Domain Name System (DNS) is the world
More informationDNSSEC Practice Statement (DPS)
DNSSEC Practice Statement (DPS) 1. Introduction This document, "DNSSEC Practice Statement ( the DPS ) for the zones under management of Zodiac Registry Limited, states ideas of policies and practices with
More informationTHE DOMAIN NAME SYSTEM DNS
Announcements THE DOMAIN NAME SYSTEM DNS Internet Protocols CSC / ECE 573 Fall, 2005 N. C. State University copyright 2005 Douglas S. Reeves 2 Today s Lecture I. Names vs. Addresses II. III. IV. The Namespace
More informationNetwork Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015
Network Security DNS (In)security Radboud University, The Netherlands Autumn 2015 A short recap Routing means directing (Internet) traffic to its target Internet is divided into 52, 000 Autonomous Systems
More informationThe Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. <matthaeus.wander@uni-due.de> Duisburg, June 19, 2015
The Impact of DNSSEC on the Internet Landscape Matthäus Wander Duisburg, June 19, 2015 Outline Domain Name System Security problems Attacks in practice DNS Security Extensions
More information2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008
2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers How does the DNS work? A typical DNS query The
More informationWhere is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011
The Internet is for Everyone. Become an ISOC Member. Cyber Security Symposium 2011 Where is Hong Kong in the secure Internet infrastructure development Warren Kwok, CISSP Internet Society Hong Kong 12
More informationDNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers
DNSSec Operation Manual for the.cz and 0.2.4.e164.arpa Registers version 1.9., valid since 1 January 2010 Introduction This material lays out operational rules that govern the work of the CZ.NIC association
More informationSSL BEST PRACTICES OVERVIEW
SSL BEST PRACTICES OVERVIEW THESE PROBLEMS ARE PERVASIVE 77.9% 5.2% 19.2% 42.3% 77.9% of sites are HTTP 5.2% have an incomplete chain 19.2% support weak/insecure cipher suites 42.3% support SSL 3.0 83.1%
More informationDeploying and Monitoring DNS Security (DNSSEC)
Deploying and Monitoring DNS Security (DNSSEC) Eric Osterweil UCLA eoster@cs.ucla.edu Dan Massey Colorado State University massey@cs.colostate.edu Lixia Zhang UCLA lixia@cs.ucla.edu Abstract SecSpider
More informationDNSSEC Policy Statement Version 1.1.0. 1. Introduction. 1.1. Overview. 1.2. Document Name and Identification. 1.3. Community and Applicability
DNSSEC Policy Statement Version 1.1.0 This DNSSEC Practice Statement (DPS) conforms to the template included in RFC 6841. 1. Introduction The approach described here is modelled closely on the corresponding
More informationDNSSEC Deployment a case study
DNSSEC Deployment a case study Olaf M. Kolkman Olaf@NLnetLabs.nl RIPE NCCs Project Team: Katie Petrusha, Brett Carr, Cagri Coltekin, Adrian Bedford, Arno Meulenkamp, and Henk Uijterwaal Januari 17, 2006
More informationResilient Networking. Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning. Securing DNS Split-Split-DNS DNSSEC.
Resilient Networking 6: Attacks on DNS Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC SoSe 2014 Fachbereich Informatik Telecooperation Group
More informationSecurity of IPv6 and DNSSEC for penetration testers
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions
More informationA PKI For IDR Public Key Infrastructure and Number Resource Certification
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect
More informationPresented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010
Presented by Greg Lindsay Technical Writer Windows Server Information Experience Presented at: Seattle Windows Networking User Group April 7, 2010 Windows 7 DNS client DNS devolution Security-awareness:
More informationDefending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>
Defending your DNS in a post-kaminsky world Paul Wouters Overview History of DNS and the Kaminsky attack Various DNS problems explained Where to address the DNS problem Nameservers,
More informationDNSSEC Root Zone. High Level Technical Architecture
DNSSEC Root Zone Prepared by the Root DNSSEC Design Team Joe Abley David Blacka David Conrad Richard Lamb Matt Larson Fredrik Ljunggren David Knight Tomofumi Okubo Jakob Schlyter Version 1.2.1 October
More informationDNSSEC. What is DNSSEC? Why is DNSSEC necessary? Ensuring a secure Internet
SEC Ensuring a secure Internet What is SEC? SEC is an extension of the Domain Name System (), that ensures the authenticity and integrity of the data in replies. Technical measures have been implemented
More informationNDN Technical Memo: NDNS, NDN based Domain Name System
NDN, Technical Report NDN-00XX. http://named-data.net/techreports.html NDN Technical Memo: NDNS, NDN based Domain Name System immediate Revision history Revision Revision date Description 0.21 Oct 22,
More informationDNSSEC Root Zone. High Level Technical Architecture
DNSSEC Root Zone Prepared by the Root DNSSEC Design Team Joe Abley David Blacka David Conrad Richard Lamb Matt Larson Fredrik Ljunggren David Knight Tomofumi Okubo Jakob Schlyter Version 1.4 June 7, 2010
More informationpage 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl http://www.nlnetlabs.nl/ 28 Feb 2013 Stichting NLnet Labs
page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl page 2 One slide DNS Root www.nlnetlabs.nl A Referral: nl NS www.nlnetlabs.nl A 213.154.224.1 www.nlnetlabs.nl A www.nlnetlabs.nl A 213.154.224.1
More informationDNSSEC - SECURE DNS FOR GOVERNMENT. Whitepaper
DNSSEC - SECURE DNS FOR GOVERNMENT Whitepaper ii BlueCat Networks Use of this document Copyright This document and all information (in text, Graphical User Interface ( GUI ), video and audio forms), images,
More informationDomain Name System Security
Abstract Domain Name System Security Ladislav Hagara hgr@vabo.cz Department of Automated Command Systems and Informatics Military Academy in Brno Brno, Czech Republic Domain Name System (DNS) is one of
More informationCS3600 SYSTEMS AND NETWORKS
CS3600 SYSTEMS AND NETWORKS FALL 2011 Lecture 19: DNS Prof. Alan Mislove (amislove@ccs.neu.edu) Slides used with permissions from Edward W. Knightly, T. S. Eugene Ng, Ion Stoica, Hui Zhang Human Involvement
More informationDNS Security FAQ for Registrants
DNS Security FAQ for Registrants DNSSEC has been developed to provide authentication and integrity to the Domain Name System (DNS). The introduction of DNSSEC to.nz will improve the security posture of
More informationSecure Domain Name System (DNS) Deployment Guide
Special Publication 800-81 Sponsored by the Department of Homeland Security Secure Domain Name System (DNS) Deployment Guide Recommendations of the National Institute of Standards and Technology Ramaswamy
More informationA Best Practices Architecture for DNSSEC
WHITEPAPER A Best Practices Architecture for DNSSEC Cricket Liu, Vice President of Architecture Background The Domain Name System is the Internet s standard naming service. DNS is responsible for mapping
More informationDomain Name System. CS 571 Fall 2006. 2006, Kenneth L. Calvert University of Kentucky, USA All rights reserved
Domain Name System CS 571 Fall 2006 2006, Kenneth L. Calvert University of Kentucky, USA All rights reserved DNS Specifications Domain Names Concepts and Facilities RFC 1034, November 1987 Introduction
More informationDomain Name System (DNS) Security By Diane Davidowicz 1999 Diane Davidowicz
Domain Name System (DNS) Security By Diane Davidowicz 1999 Diane Davidowicz Contents 1. Abstract...3 2. Introduction...3 3. Overview of the DNS...3 3.1. Fundamentals of DNS...4 3.1.1. The Domain Name Space...4
More informationCS 348: Computer Networks. - DNS; 22 nd Oct 2012. Instructor: Sridhar Iyer IIT Bombay
CS 348: Computer Networks - DNS; 22 nd Oct 2012 Instructor: Sridhar Iyer IIT Bombay Domain Name System Map between host names and IP addresses People: many identifiers: name, Passport #, Internet hosts:
More informationDNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008
DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008 Kim Davies Internet Assigned Numbers Authority Internet Corporation for Assigned Names & Numbers Agenda How do you
More informationWeb Security. Mahalingam Ramkumar
Web Security Mahalingam Ramkumar Issues Phishing Spreading misinformation Cookies! Authentication Domain name DNS Security Transport layer security Dynamic HTML Java applets, ActiveX, JavaScript Exploiting
More informationHow To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN
How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN Applicable Version: 10.6.2 onwards Overview Virtual host implementation is based on the Destination NAT concept. Virtual
More informationPublic Key Infrastructure (PKI)
Public Key Infrastructure (PKI) In this video you will learn the quite a bit about Public Key Infrastructure and how it is used to authenticate clients and servers. The purpose of Public Key Infrastructure
More informationDomain Name System (DNS) RFC 1034 RFC 1035 http://www.ietf.org
Domain Name System (DNS) RFC 1034 RFC 1035 http://www.ietf.org TCP/IP Protocol Suite Application Layer DHCP DNS SNMP HTTP SMTP POP Transport Layer UDP TCP ICMP IGMP Network Layer IP Link Layer ARP ARP
More informationUnbound a caching, validating DNSSEC resolver. Do you trust your name server? Configuration. Unbound as a DNS cache (SEC-less)
Unbound a caching, validating DNSSEC resolver UKUUG Spring 2011 Conference Leeds, UK March 2011 Jan-Piet Mens $ dig 1.1.0.3.3.0.8.1.7.1.9.4.e164.arpa naptr Do you trust your name server? DNS clients typically
More informationPublic-Root Name Server Operational Requirements
Public-Root Name Server Operational Requirements Published January the 17 th, 2005 Status of this Document This document provides information to the Public-Root and Internet technical community. This document
More informationStep-by-Step DNSSEC-Tools Operator Guidance Document
Step-by-Step DNSSEC-Tools Operator Guidance Document Using the DNSSEC-Tools v1.0 distribution SPARTA, Inc. Table of Contents 1. Introduction... 1 Organization of this Document... 1 Key Concepts... 2 Zones
More informationTHE MASTER LIST OF DNS TERMINOLOGY. v 2.0
THE MASTER LIST OF DNS TERMINOLOGY v 2.0 DNS can be hard to understand and if you re unfamiliar with the terminology, learning more about DNS can seem as daunting as learning a new language. To help people
More informationApplication Protocols in the TCP/IP Reference Model
Application Protocols in the TCP/IP Reference Model File Transfer E-Mail Network Management WWW Virtual Terminal Name Service File Transfer HTTP FTP Telnet SMTP DNS SNMP TFTP Internet protocols TCP UDP
More informationDomain Name System 2015-04-28 17:49:44 UTC. 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement
Domain Name System 2015-04-28 17:49:44 UTC 2015 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents Domain Name System... 4 Domain Name System... 5 How DNS Works
More informationApplication Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Concept. DNS - Domain Name System
Application Protocols in the TCP/IP Reference Model Application Protocols in the TCP/IP Reference Model File Transfer E-Mail Network Management Protocols of the application layer are common communication
More informationTHE MASTER LIST OF DNS TERMINOLOGY. First Edition
THE MASTER LIST OF DNS TERMINOLOGY First Edition DNS can be hard to understand and if you re unfamiliar with the terminology, learning more about DNS can seem as daunting as learning a new language. To
More informationDefending against DNS reflection amplification attacks
University of Amsterdam System & Network Engineering RP1 Defending against DNS reflection amplification attacks February 14, 2013 Authors: Thijs Rozekrans Javy de Koning
More informationCS 356 Lecture 25 and 26 Operating System Security. Spring 2013
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control
More informationThe Domain Name System
DNS " This is the means by which we can convert names like news.bbc.co.uk into IP addresses like 212.59.226.30 " Purely for the benefit of human users: we can remember numbers (e.g., telephone numbers),
More informationThe Root of the Matter: Hints or Slaves
The Root of the Matter: Hints or Slaves David Malone October 21, 2003 Abstract We consider the possibility of having a name server act as a slave to the root zone, rather than caching
More informationGeorgia College & State University
Georgia College & State University Milledgeville, GA Domain Name Service Procedures Domain Name Service Table of Contents TABLE OF REVISIONS... 3 SECTION 1: INTRODUCTION... 4 1.1 Scope and Objective...
More informationKB259302 - Windows 2000 DNS Event Messages 1 Through 1614
Page 1 of 6 Knowledge Base Windows 2000 DNS Event Messages 1 Through 1614 PSS ID Number: 259302 Article Last Modified on 10/29/2003 The information in this article applies to: Microsoft Windows 2000 Server
More informationNetwork Security Fundamentals
APNIC elearning: Network Security Fundamentals 27 November 2013 04:30 pm Brisbane Time (GMT+10) Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6
More informationProtecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper
Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges
More informationSSL and Browsers: The Pillars of Broken Security
SSL and Browsers: The Pillars of Broken Security Ivan Ristic Wolfgang Kandek Qualys, Inc. Session ID: TECH-403 Session Classification: Intermediate SSL, TLS, And PKI SSL (or TLS, if you prefer) is the
More informationAuthentication Application
Authentication Application KERBEROS In an open distributed environment servers to be able to restrict access to authorized users to be able to authenticate requests for service a workstation cannot be
More information