Deploying DNSSEC: From End-Customer To Content

Similar documents

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

Introduction to the DANE Protocol

Next Steps In Accelerating DNSSEC Deployment

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

DNSSEC. Introduction. Domain Name System Security Extensions. AFNIC s Issue Papers. 1 - Organisation and operation of the DNS

DNSSEC Applying cryptography to the Domain Name System

DANE Secured Demonstration. Wes Hardaker Parsons

Securing End-to-End Internet communications using DANE protocol

A Step-by-Step guide for implementing DANE with a Proof of Concept

Securing DNS Infrastructure Using DNSSEC

One year of DANE Tales and Lessons Learned. sys4.de

Computer Networks: Domain Name System

Public Key Infrastructure (PKI)

FAQ (Frequently Asked Questions)

DNS security: poisoning, attacks and mitigation

DNS Risks, DNSSEC. Olaf M. Kolkman and Allison Mankin. and 8 Feb 2006 Stichting NLnet Labs

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

A quick overview of the DANE WG. * DNS-based Authentication of Named Entities

DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks

American International Group, Inc. DNS Practice Statement for the AIG Zone. Version 0.2

DNS at NLnet Labs. Matthijs Mekking

Analyzing DANE's Response to Known DNSsec Vulnerabilities

The Domain Name System from a security point of view

SAC 049 SSAC Report on DNS Zone Risk Assessment and Management

DNS Root NameServers

DNSSEC Root Zone. High Level Technical Architecture

DNSSEC Practice Statement (DPS)

Reverse Proxy Guide. Version 2.0 April 2016

DNSSEC for Everybody: A Beginner s Guide

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

DNS and BIND. David White

Internet-Praktikum I Lab 3: DNS

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Ordinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver

Security of IPv6 and DNSSEC for penetration testers

WHITE PAPER. Best Practices DNSSEC Zone Management on the Infoblox Grid

Domain Name System Security

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. Duisburg, June 19, 2015

SSL and Browsers: The Pillars of Broken Security

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Unbound a caching, validating DNSSEC resolver. Do you trust your name server? Configuration. Unbound as a DNS cache (SEC-less)

Namecoin as alternative to the Domain Name System

Networking Domain Name System

Digital certificates and SSL

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

Using the Domain Name System for System Break-ins

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

A Security Evaluation of DNSSEC with NSEC3

DNSSEC. What is DNSSEC? Why is DNSSEC necessary? Ensuring a secure Internet

DNS SECURITY TROUBLESHOOTING GUIDE

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

DNSSEC in your workflow

DNSSEC and DNS Proxying

Monitoring the DNS. Gustavo Lozano Event Name XX XXXX 2015

Presented by Greg Lindsay Technical Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group April 7, 2010

Basic Vulnerability Issues for SIP Security

DNSSEC in stats. GC-SEC Global Cyber Security Center. Andrea Rigoni. CENTR Bruxelles, 7th October Global Cyber Security Center Director General

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

DNS Security: New Threats, Immediate Responses, Long Term Outlook Infoblox Inc. All Rights Reserved.

Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs

Apache Security with SSL Using Ubuntu

Introduction to the Domain Name System

CentralNic Privacy Policy Last Updated: July 31, 2012 Page 1 of 12. CentralNic. Version 1.0. July 31,

Internet Privacy Options

DNSSEC Misconfigurations: How incorrectly configured security leads to unreachability

Secure Domain Name System (DNS) Deployment Guide

NANOG DNS BoF. DNS DNSSEC IPv6 Tuesday, February 1, 2011 NATIONAL ENGINEERING & TECHNICAL OPERATIONS

Security in the Network Infrastructure - DNS, DDoS,, etc.

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

DNSSEC Practice Statement.OVH

Acano solution. Security Considerations. August E

SSL BEST PRACTICES OVERVIEW

A Best Practices Architecture for DNSSEC

Remote DNS Cache Poisoning Attack Lab

Domain Name System Security (DNSSEC)

DNSSEC. Introduction Principles Deployment

Securing LAN Connected Devices in Industrial Sites with TLS and Multicast DNS

Security server configuration

Transcription:

Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org

Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical Architect, DCS1 Pte Jitender Kumar, Technical Account Manager, Afilias Richard Lamb, DNSSEC Program Manager, ICANN

A Quick Introduction to DNS and DNSSEC

What Problem Is DNSSEC Trying To Solve? DNSSEC = "DNS Security Extensions" Defined in RFCs 4033, 4034, 4035 Operational Practices: RFC 4641 Ensures that the information entered into DNS by the domain name holder is the SAME information retrieved from DNS by an end user. Let's walk through an example to explain

A Normal DNS Interaction Server 3 https://example.com/ example.com? 1 DNS Resolver Resolver checks its local cache. If it has the answer, it sends it back. example.com 10.1.1.123 4 If not web page Browser 2 10.1.1.123

A Normal DNS Interaction.com NS root.com Server 5 https://example.com/ example.com? 1 DNS Resolver 2 example.com NS example.com 6 web page Browser 4 10.1.1.123 3 10.1.1.123

DNS Works On Speed First result received by a DNS resolver is treated as the correct answer. Opportunity is there for an attacker to be the first one to get an answer to the DNS resolver, either by: Getting to the correct point in the network to provide faster responses; Blocking the responses from the legitimate servers (ex. executing a Denial of Service attack against the legitimate servers to slow their responses)

Attacking DNS.com NS root.com Server 5 https://example.com/ example.com? 1 DNS Resolver 2 example.com NS example.com 6 10.1.1.123 web page Browser 4 192.168.2.2 3 192.168.2.2 Attacking example.com

A Poisoned Cache Server 3 https://example.com/ example.com? 1 DNS Resolver Resolver cache now has wrong data: example.com 192.168.2.2 4 web page Browser 2 192.168.2.2 This stays in the cache until the Time-To-Live (TTL) expires!

How Does DNSSEC Help? DNSSEC introduces new DNS records for a domain: RRSIG a signature ("hash") of a set of DNS records DNSKEY a public key that a resolver can use to validate RRSIG A DNSSEC-validating DNS resolver: Uses DNSKEY to perform a hash calculation on received DNS records Compares result with RRSIG records. If results match, records are the same as those transmitted. If the results do NOT match, they were potentially changed during the travel from the DNS server.

A DNSSEC Interaction root.com Server 5 https://example.com/ example.com? 1 DNS Resolver 2 example.com 6 web page Browser 4 10.1.1.123 3 10.1.1.123 DNSKEY RRSIGs

But Can DNSSEC Be Spoofed? But why can't an attacker simply insert DNSKEY and RRSIG records? What prevents DNSSEC from being spoofed? An additional was introduced, the "Delegation Signer (DS)" record It is a fingerprint of the DNSKEY record that is sent to the TLD registry Provides a global "chain of trust" from the root of DNS down to the domain Attackers would have to compromise the registry

A DNSSEC Interaction.com NS DS root.com Server 5 https://example.com/ example.com? 1 DNS Resolver 2 example.com NS DS example.com 6 web page Browser 4 10.1.1.123 3 10.1.1.123 DNSKEY RRSIGs

The Global Chain of Trust.com NS DS root.com Server 5 https://example.com/ example.com? 1 DNS Resolver 2 example.com NS DS example.com 6 web page Browser 4 10.1.1.123 3 10.1.1.123 DNSKEY RRSIGs

Attempting to Spoof DNS.com NS DS root.com Server 5 https://example.com/ example.com? 1 DNS Resolver 2 example.com NS DS example.com 6 web page Browser 3 10.1.1.123 DNSKEY RRSIGs 192.168.2.2 DNSKEY RRSIGs Attacking example.com

Attempting to Spoof DNS.com NS DS root.com Server 5 https://example.com/ example.com? 1 DNS Resolver 2 example.com NS DS example.com 6 web page Browser 4 SERVFAIL 3 192.168.2.2 DNSKEY RRSIGs 10.1.1.123 DNSKEY RRSIGs Attacking example.com

What DNSSEC Proves: "These ARE the IP addresses you are looking for." (or they are not) Ensures that information entered into DNS by the domain name holder (or the operator of the DNS hosting service for the domain) is the SAME information that is received by the end user.

The Two Parts of DNSSEC Signing Validating Registries Applications Registrars Enterprises DNS Hosting ISPs

DNSSEC and SSL

Why Do I Need DNSSEC If I Have SSL? A common question: why do I need DNSSEC if I already have a SSL certificate? (or an "EV-SSL" certificate?) SSL (more formerly known today as Transport Layer Security (TLS)) solves a different issue it provides encryption and protection of the communication between the browser and the web server

The Typical TLS (SSL) Interaction root Server.com 6 5 https://example.com/ example.com TLS-encrypted web page 2 example.com? 1 DNS Resolver 3 10.1.1.123 Browser 4 10.1.1.123

The Typical TLS (SSL) Interaction root Server.com 6 5 https://example.com/ example.com TLS-encrypted web page 2 example.com? 3 Is this encrypted with the CORRECT certificate? Browser 1 4 10.1.1.123 DNS Resolver 10.1.1.123

What About This? Server https://www.example.com/ DNS Server www.example.com? TLS-encrypted web page with CORRECT certificate Firewall (or attacker) https://www.example.com/ 1 1.2.3.4 2 TLS-encrypted web page with NEW certificate (re-signed by firewall) Browser

Problems? Server https://www.example.com/ DNS Server www.example.com? TLS-encrypted web page with CORRECT certificate Firewall https://www.example.com/ 1 1.2.3.4 2 TLS-encrypted web page with NEW certificate (re-signed by firewall) Browser

Problems? Server https://www.example.com/ DNS Server www.example.com? TLS-encrypted web page with CORRECT certificate Firewall https://www.example.com/ 1 1.2.3.4 2 Log files or other servers TLS-encrypted web page with NEW certificate (re-signed by firewall) Browser Potentially including personal information

Issues A Certificate Authority (CA) can sign ANY domain. Now over 1,500 CAs there have been compromises where valid certs were issued for domains. Middle-boxes such as firewalls can re-sign sessions.

A Powerful Combination TLS/SSL = encryption + limited integrity protection DNSSEC = strong integrity protection How to get encryption + strong integrity protection? TLS + DNSSEC = DANE

DNS-Based Authentication of Named Entities (DANE) Q: How do you know if the TLS (SSL) certificate is the correct one the site wants you to use? A: Store the certificate (or fingerprint) in DNS (new TLSA record) and sign them with DNSSEC. A browser that understand DNSSEC and DANE will then know when the required certificate is NOT being used. Certificate stored in DNS is controlled by the domain name holder. It could be a certificate signed by a CA or a selfsigned certificate.

DANE Server https://example.com/ DNS Server TLS-encrypted web page with CORRECT certificate Firewall (or attacker) https://example.com/ example.com? 1 2 10.1.1.123 DNSKEY RRSIGs TLSA Log files or other servers TLS-encrypted web page with NEW certificate (re-signed by firewall) DANE-equipped browser compares TLS certificate with what DNS / DNSSEC says it should be. Browser w/dane

DANE Not Just For The DANE defines protocol for storing TLS certificates in DNS Securing transactions is the obvious use case Other uses also possible: Email via S/MIME VoIP Jabber/XMPP?

DNSSEC Deployment In Asia

Map courtesy of Shinkuro, Inc.

Map courtesy of Shinkuro, Inc.

Panel Discussion

Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical Architect, DCS1 Pte Jitender Kumar, Technical Account Manager, Afilias Richard Lamb, DNSSEC Program Manager, ICANN

Next Steps In Deploying DNSSEC

Three Steps TLD Operators Can Take: 1. Sign your TLD Tools and services available to help automate process 2. Accept DS records Make it as easy as possible (and accept multiple records) 3. Work with your registrars Help them make it easy for DNS hosting providers and registrants 4. Help With Statistics Can you help by providing statistics? Implement DNSSEC and make your TLD more secure

Three Steps For Network Operators and Enterprises 1. Deploy DNSSEC-validating DNS resolvers 2. Sign your own domains where possible 3. Help promote support of DANE protocol Allow usage of TLSA record. Let browser vendors and others know you want to use DANE. Help raise awareness of how DANE and DNSSEC can make the Internet more secure.

Internet Society Deploy360 Programme Providing real-world deployment info for IPv6, DNSSEC and other Internet technologies: Case Studies Tutorials Videos Whitepapers News, information English content, initially, but will be translated into other languages.

Dan York, CISSP Senior Content Strategist, Internet Society york@isoc.org Thank You! www.internetsociety.org