Domain Name System Security



Similar documents
CS3600 SYSTEMS AND NETWORKS

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Lecture 2 CS An example of a middleware service: DNS Domain Name System

Internet-Praktikum I Lab 3: DNS

The Domain Name System (DNS)

The Domain Name System (DNS)

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

CS 348: Computer Networks. - DNS; 22 nd Oct Instructor: Sridhar Iyer IIT Bombay

DNS and BIND. David White

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

Domain Name System (DNS) Reading: Section in Chapter 9

Domain Name System. Heng Sovannarith

INTERNET DOMAIN NAME SYSTEM

Talk-101 User Guide. DNSGate

Domain Name System Richard T. B. Ma

Names & Addresses. Names & Addresses. Names vs. Addresses. Identity. Names vs. Addresses. CS 194: Distributed Systems: Naming

CS3250 Distributed Systems

How to set up the Integrated DNS Server for Inbound Load Balancing

How to Add Domains and DNS Records

DNS at NLnet Labs. Matthijs Mekking

Computer Networks: Domain Name System

- Domain Name System -

DNS: Domain Name System

Domain Name System (or Service) (DNS) Computer Networks Term B10

ECE 4321 Computer Networks. Network Programming

The Application Layer: DNS

DNS security: poisoning, attacks and mitigation

The Domain Name System from a security point of view

Names vs. Addresses. Flat vs. Hierarchical Space. Domain Name System (DNS) Computer Networks. Lecture 5: Domain Name System

DNS. Computer networks - Administration 1DV202. fredag 30 mars 12

Domain Name System (DNS) RFC 1034 RFC

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

The Domain Name System

The Use of DNS Resource Records

Chapter 9: Name Services. 9.1 Introduction 9.2 Name services and the DNS 9.3 Directory services 9.6 Summary

Domain Name System (DNS)

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

DNS : Domain Name System

DNS. Spring 2016 CS 438 Staff 1

DATA COMMUNICATOIN NETWORKING

IP addresses have hierarchy (network & subnet) Internet names (FQDNs) also have hierarchy. and of course there can be sub-sub-!!

Domain Name System. Overview. Domain Name System. Domain Name System

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

1 DNS Packet Structure

DNS and Interface User Guide

NET0183 Networks and Communications

DNSSEC - Why Network Operators Should Care And How To Accelerate Deployment

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

How To Guide Edge Network Appliance How To Guide:

How To Map Between Ip Address And Name On A Domain Name System (Dns)

Application Protocols in the TCP/IP Reference Model

1 Introduction: Network Applications

Deploying DNSSEC: From End-Customer To Content

The Application Layer. CS158a Chris Pollett May 9, 2007.

Motivation. Users can t remember IP addresses. Implemented by library functions & servers. - Need to map symbolic names (

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Applications & Application-Layer Protocols: The Domain Name System and Peerto-Peer

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Concept. DNS - Domain Name System

The Domain Name System

DNSSEC Applying cryptography to the Domain Name System

DNS Domain Name System

CDN SERVICE ICSS ROUTE MANAGED DNS DEUTSCHE TELEKOM AG INTERNATIONAL CARRIER SALES AND SOLUTIONS (ICSS)

Installing and Setting up Microsoft DNS Server

Section 1 Overview Section 2 Home... 5

Remote DNS Cache Poisoning Attack Lab

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

Introduction to the Domain Name System

Use Domain Name System and IP Version 6

Distributed Systems. 09. Naming. Paul Krzyzanowski. Rutgers University. Fall 2015

FTP: the file transfer protocol

CSE/ISE 311: Systems Administra5on Networking 2

My Services Online Service Support. User Guide for DNS and NTP services

Glossary of Technical Terms Related to IPv6

Naming. Name Service. Why Name Services? Mappings. and related concepts

Introduction to Network Operating Systems

DNSSEC: A Vision. Anil Sagar. Additional Director Indian Computer Emergency Response Team (CERT-In)

DNS & IPv6. Agenda 4/14/2009. MENOG4, 8-9 April Raed Al-Fayez SaudiNIC CITC rfayez@citc.gov.sa, DNS & IPv6.

Internet Security [1] VU Engin Kirda

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Domain Name System

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

HTG XROADS NETWORKS. Network Appliance How To Guide: EdgeDNS. How To Guide

DNS: Domain Name System

Chapter 2 Application Layer

Domain Name System DNS

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

How to Configure the Windows DNS Server

Resilient Networking. Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning. Securing DNS Split-Split-DNS DNSSEC.

SMTP Settings. Magento Extension User Guide. Official extension page: SMTP Settings. User Guide: SMTP Settings

Transcription:

Domain Name System Security Guevara Noubir Network Security Northeastern University 1

Domain Name System DNS is a fundamental applica=on layer protocol Not visible but invoked every =me a remote site is accessed 2

Domain Naming System Hierarchy edu com gov mil org net uk fr neu mit cisco yahoo nasa nsf arpa navy acm ieee ccs ece math madrid firenze DNS maps abstract names to specific resources madrid.ccs.neu.edu -> 129.10.112.229 3

Name Servers Par==on hierarchy into zones edu com gov mil org net uk fr neu mit cisco yahoo nasa nsf arpa navy acm ieee ccs ece math madrid firenze Each zone implemented by two or more name servers neu name server Root name server Cisco name server CCS name server ECE name server 4

Resource Records Each name server maintains a collec=on of resource records (Name, Value, Type, Class, TTL) Name/Value: not necessarily host names to IP addresses Type A: Value is an IP address NS: Value gives domain name for host running name server that knows how to resolve names within specified domain CNAME: Value gives canonical name for par=cle host; used to define aliases MX: Value gives domain name for host running mail server that accepts messages for specified domain TXT: addi=onal text info SPF: Sender Policy Framework Class: allow other en==es to define types IN: Means Internet TTL: how long the resource record is valid 5

.edu Server (neu.edu, nb4276.neu.edu, NS, IN) (nb4276.neu.edu, 155.33.16.201, A, IN) 6

neu.edu Server (neu.edu, nb4286.neu.edu, MX, IN) (ccs.neu.edu, amber.ccs.neu.edu, NS, IN) (amber.ccs.neu.edu, 129.10.116.51, A, IN) (ece.neu.edu, ns1.ece.neu.edu, NS, IN) (ns1.ece.neu.edu, 129.10.60.31, A, IN) (mystic.math.neu.edu, 129.10.75.101, A, IN) 7

ccs.neu.edu Server (ccs.neu.edu, amber.ccs.neu.edu, MX, IN) (amber.ccs.neu.edu, 129.10.116.51, A, IN) (ccs.neu.edu, atlantis.ccs.neu.edu, MX, IN) (atlantis.ccs.neu.edu, 129.10.116.41, A, IN) 8

Name Resolu=on To reach firenze.ccs.neu.edu Strategy Go to local name server Local name server goes to root name server Local name server goes to edu name server Local name server goes to neu.edu name server Local name server goes to ccs.neu.edu name server and gets IP address 9

DNS Cache Poisoning DNS servers cache informa=on Poisoning an ISP DNS cache impacts all the ISP users How? A\acker queries the ISP DNS server ISP DNS Server starts resolving the query by asking the authorita=ve name server A\acker simultaneously sends a DNS response spoofing the IP address of the authorita=ve name server and providing a malicious IP address All the ISP users will be directed to the a\acker sites Problems? 10

DNS Cache Poisoning with Birthday Paradox Technique Randomiza=on makes it hard to predict the transac=on ID (16 bits) A\acker sends n fake requests and spoofs n malicious replies Probability of failing to match at least one query is: P fail = (1- n/2 16 ) n If n = 213 => P fail < 0.5 Problems? 11

Subdomain DNS Cache Poisoning (2008) A\acker generates requests for non- exis=ng sub- domains e.g., non- exis=ng.example.com The name server for the target domain ignores the requests The a\acker issues spoofed responses with guessed transac=on ID (no compe==on from target domain) A\acker response includes a response that resolves the name server of that target domain e.g., example.com to a malicious IP address Was successful against many DNS sohware packages e.g., BIND 12

Client- Side DNS Cache Poisoning A\acker sets up a malicious website Webpage contains HTML tags that automa=cally issue requests for addi=onal URLs e.g., image tags with non- exis=ng subdomains of the target domain The a\acker knows when to start spoofing the DNS replies because he owns the malicious website Current solu=ons: Source port randomiza=on Limi=ng ISP DNS replies to internal requests DNSSEC 13

DNSSEC DNS was not designed with security in mind DNSSEC provides a crypto- based solu=on that extends DNS (RFC 2535) Since 2000 but only slowly being deployed DNSSEC adds new types of DNS records DNS query: Client indicates that DNSSEC is supported DNS reply: If server supports DNSSEC, RRSIG digital signature is included Issues: PKI infrastructure / chain of trust following domain name hierarchy Root name server does not support DNSSEC Performance 14

Summary Domain Name System is a cri=cal applica=on of the Internet Major flaws have been iden=fied and par=ally fixed A strong solu=on (DNSSEC) is slowly being deployed (typical problem with the Internet) Thinking exercise: Go back to Problem Set 1, ques=on 1 Consider all the steps to connect to a website and the vulnerabili=es you are subject to 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information