Secure DNS / DNSsec. Dresden, May 8th. Garbacz, Jan; Eisfeld, Martin; Gebhardt, Ralf; Lu, Yi; Mochaourab, Rami; Knechtel, Martin


Department of Computer Science, Institute for System Architecture, Chair of Computer Networks
Secure DNS / DNSsec
Garbacz, Jan; Eisfeld, Martin; Gebhardt, Ralf; Lu, Yi; Mochaourab, Rami; Knechtel, Martin
Dresden, May 8th, 2006

Outline
01 Motivation
02 DNSsec Mechanism
03 BIND
TU Dresden, 08.05.06, Secure DNS / DNSsec, Slide 2 of XYZ

01 Motivation: Outline
- Classic DNS
- Attacks on DNS: DNS cache poisoning, DNS spoofing, man-in-the-middle attack, attacks on DNS servers, attacks on clients
- Is DNSsec already used?

01 Motivation: Classic DNS
- DNS translates between domain names and IP addresses
- Quite old (more than 20 years)
- DNS does not have any built-in security

01 Motivation: Classic DNS (figure slide)

01 Motivation: Attacks on DNS: DNS Cache Poisoning
- Aim: change information in a DNS server so that users are directed to a compromised server
- How it works: the user clicks a link to Z; the DNS server does not know Z and asks Z's name server; Z answers and adds additional information, for example that XY is an alias for Z. If the user later visits XY, the DNS server sends them the IP of Z.
- Problem: elementary errors in DNS (the additional, unrequested data is accepted and cached)

01 Motivation: Attacks on DNS: DNS Cache Poisoning (figure slide)

01 Motivation: Attacks on DNS: DNS spoofing
- Aim: change information in a DNS server so that users are directed to a compromised server
- How it works: Z asks A for Z's own name; A knows the IP and sends it back, and the answer includes a Query ID. Z then asks A for XY; A does not know XY and asks B. In the meantime Z sends a wrong answer; if the Query ID is correct, A accepts it and A's cache is poisoned: all requests to A for XY are now directed to Z.
- Problem: no authentication, and the Query ID is simple to guess

01 Motivation: Attacks on DNS: DNS spoofing (figure slide)

01 Motivation: Attacks on DNS
- Man-in-the-middle attack: modifying DNS packets as they pass by, for example through a compromised router
- Attacks on DNS servers: gaining access to weak servers and manipulating the database
- Attacks on clients: the attacker sends modified replies to spoofed requests while the server sends the correct reply; the client accepts whichever reply arrives first

01 Motivation: Attacks on Clients
It is easy for the hacker to snoop a UDP DNS query sent to a well-known server on a well-known port.
Figure: PC2 asks "www.pc1.tu-dresden.de?"; two answers arrive, "www.pc1.tu-dresden.de 141.30.211.3" and "www.pc1.tu-dresden.de 128.9.128.127"; parties shown: Hacker, Local DNS Server, Root Server, tu-dresden.de Server, pc1.tu-dresden.de Server (IP for example 141.30.211.3).
The one who sends its response first is the winner!!!

01 Motivation: Is DNSsec already used?
In October 2005 Sweden (.SE) enabled DNSSEC in its zone. This made .se the first ccTLD to deploy DNSSEC. At the same time RIPE NCC (ripe.net) was in the process of deploying DNSSEC in the reverse zones.
Abbreviations: RIPE = Réseaux IP Européens; RIPE NCC = RIPE Network Coordination Centre; ccTLD = country code Top Level Domain

02 DNSsec Mechanism
1. New Resource Records
2. Setting up a Secure Zone (Zone Signing)
3. Authentication

02 DNSsec Mechanism: New Resource Records
- DNSKEY (DNS Public Key): public key, needed for verifying an RRSIG
- RRSIG (Resource Record Signature): signature over an RRset, made using the private key
- NSEC (Next Secure): indicates which name is the next one in the zone and which type codes are available for the current name
- DS (Delegation Signer): pointer for building chains of authentication
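How a validator uses the NSEC record listed above, as an added example that is not part of the slides: names are compared in DNSSEC canonical order (RFC 4034 section 6.1), and a query name is proven non-existent when it falls between an NSEC owner and its next name. The zone and its NSEC chain are constructed for the example.

```python
def canonical_labels(name):
    """Labels of a DNS name in canonical order: most significant (TLD) first, lowercased,
    as byte strings. "www.Example.NET." -> [b"net", b"example", b"www"]."""
    name = name.rstrip(".").lower()
    return [label.encode("ascii") for label in reversed(name.split("."))] if name else []

def canonical_cmp(a, b):
    """RFC 4034 section 6.1 ordering: compare label by label from the right; a label (or
    name) that is a prefix of the other sorts first. Returns -1, 0 or 1."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def in_zone(qname, apex):
    """True if qname is the apex or below it (the zone's bailiwick)."""
    ap = canonical_labels(apex)
    return canonical_labels(qname)[:len(ap)] == ap

def nsec_covers(owner, next_name, qname):
    """True if the RR 'owner NSEC next_name' proves that qname does not exist.
    The NSEC's RRSIG must already have been verified; this checks only the name interval.
    The last NSEC of a zone points back to the apex, so its interval wraps around."""
    if canonical_cmp(owner, qname) == 0:
        return False  # the name exists; a missing type is shown by the NSEC type bitmap instead
    if canonical_cmp(next_name, owner) <= 0:  # wrap-around at the end of the zone
        return canonical_cmp(owner, qname) < 0 or canonical_cmp(qname, next_name) < 0
    return canonical_cmp(owner, qname) < 0 and canonical_cmp(qname, next_name) < 0

# Constructed zone example.net. holding the names example.net., a.example.net. and www.example.net.
NSEC_CHAIN = [
    ("example.net.", "a.example.net."),
    ("a.example.net.", "www.example.net."),
    ("www.example.net.", "example.net."),  # last NSEC wraps to the apex
]

def zone_denies(qname, apex="example.net.", chain=NSEC_CHAIN):
    """Return the (owner, next) NSEC that denies qname, or None if nothing in the chain does."""
    if not in_zone(qname, apex):
        return None  # an NSEC from this zone says nothing about names outside it
    for owner, nxt in chain:
        if nsec_covers(owner, nxt, qname):
            return (owner, nxt)
    return None
```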

02 DNSsec Mechanism: Setting up a Secure Zone (Zone Signing)
1. Generate keypair (public/private key)
2. Sign the zone: insert NSEC records, insert RRSIG records, insert DS records
3. Distribute the public key (DNSKEY)
Source: www.ripe.net/disi/dnssec_howto/

02 DNSsec Mechanism: Authentication
The public key can verify the authenticity of signatures and check both integrity and authenticity of the data.
Source: www.ripe.net/disi/dnssec_howto/
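A worked check of the DNSKEY/DS link that the zone-signing and authentication slides describe, added here as an example and not taken from the deck or the RIPE howto: it computes the RFC 4034 key tag and DS digest for a DNSKEY and checks that a parent's DS record matches the child's key, which is the step a validator performs at each delegation when building the chain of authentication. The key bytes are a constructed placeholder, not a real RSA key.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels,
    each length-prefixed, terminated by the root label 0x00."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags (256 = ZSK, 257 = KSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the number printed in RRSIG and DS records
    (this formula is not used for algorithm 1, RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()

def parent_ds(owner, rdata, digest_type=2):
    """What the parent zone publishes for the child's KSK: the DS 'pointer' to the child key."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}

def ds_matches(ds, owner, rdata):
    """The validator's check at a delegation: the DNSKEY served by the child must reproduce
    the key tag, algorithm and digest of the DS obtained from the (already verified) parent."""
    return (ds["key_tag"] == key_tag(rdata) and ds["algorithm"] == rdata[3]
            and ds["digest"] == ds_digest(owner, rdata, ds["digest_type"]))

# Constructed example: a KSK with flags 257, protocol 3, algorithm 5 (RSASHA1), matching the
# "DNSKEY 257 3 5" on the dig slide. The key bytes are a placeholder, not a real RSA public key.
EXAMPLE_KEY = dnskey_rdata(257, 3, 5, b"\x01\x02\x03\x04")
EXAMPLE_DS = parent_ds("example.net.", EXAMPLE_KEY)

if __name__ == "__main__":
    print("key tag:", key_tag(EXAMPLE_KEY), "DS digest:", EXAMPLE_DS["digest"])
    print("chain intact:", ds_matches(EXAMPLE_DS, "example.net.", EXAMPLE_KEY))
```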

03 BIND: Outline
- Introduction
- Securing DNS data
- Securing communication between servers
- Configuring a recursive name server to verify answers
- /etc/named.conf
- Key generation
- Signing zones

03 BIND: Introduction
BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System, including:
- a Domain Name System server (named)
- a Domain Name System resolver library
- tools for verifying the proper operation of the DNS server
The BIND DNS server is used on the vast majority of name serving machines on the Internet, providing a robust and stable architecture on top of which an organization's naming architecture can be built. The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service.

03 BIND: Securing DNS data
1. Configuring a recursive name server to verify answers
2. Securing a DNS zone
3. Delegating signing authority; becoming globally secure
4. Rolling keys
Securing communication between servers
5. Securing zone transfers

03 BIND: Configuring a recursive name server to verify answers (figure slide)

03 BIND: /etc/named.conf

$ dig @10.0.53.204 example.net SOA +retry=1 +dnssec +multiline

; <<>> DiG 9.3.0beta3 <<>> @10.0.53.204 example.net SOA +retry=1 +dnssec +multiline
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50414
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;example.net.            IN SOA

;; ANSWER SECTION:
example.net.    100 IN SOA ns.registry.tld. olaf.ripe.net. (
                2002050501 ; serial
                100        ; refresh (1 minute 40 seconds)
                200        ; retry (3 minutes 20 seconds)
                604800     ; expire (1 week)
                100        ; minimum (1 minute 40 seconds)
                )
example.net.    100 IN RRSIG SOA 5 2 100 20040528103254 (
                20040428103254 14804 example.net.
                GMdIREMWV+LMuoDZvoVKyUobeEdeXTqzdV0MAUB9VSf7
                gt+doba2tmysmg9onvujcbkbrzvlq56csgggqmeet8/q
                8auCpFYiXiFri+9LitVKK+n3UvBIb6AL+/acyhUmUzbq
                5mF1nuWUDiuIuv/fXFGIeS9V/6P7+ufXWqedhVY= )

;; ADDITIONAL SECTION:
example.net.    100 IN DNSKEY 257 3 5 ( / / )

;; Query time: 783 msec
;; SERVER: 10.0.53.204#53(10.0.53.204)
;; WHEN: Wed May 12 11:41:06 2004
;; MSG SIZE  rcvd: 890

03 BIND: Key Generation

Usage: dnssec-keygen -a alg -b bits -n type [options] name
Version: 9.3.0
Required options:
    -a algorithm: RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5
    -b key size, in bits:
        RSAMD5:   [512..4096]
        RSASHA1:  [512..4096]
        DH:       [128..4096]
        DSA:      [512..1024] and divisible by 64
        HMAC-MD5: [1..512]
    -n nametype: ZONE | HOST | ENTITY | USER | OTHER
    name: owner of the key
Other options:
    -c <class> (default: IN)
    -e use large exponent (RSAMD5/RSASHA1 only)
    -f keyflag: KSK
    -g <generator> use specified generator (DH only)
    -t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
    -p <protocol>: default: 3 [dnssec]
    -s <strength> strength value this key signs DNS records with (default: 0)
    -r <randomdev>: a file containing random data
    -v <verbose level>
    -k : generate a TYPE=KEY key
Output: K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private

03 BIND: Signing Zones

Usage: dnssec-signzone [options] zonefile [keys]
Version: 9.3.0
Options: (default value in parenthesis)
    -c class (IN)
    -d directory: directory to find keyset files (.)
    -g: generate DS records from keyset files
    -s [YYYYMMDDHHMMSS|+offset]: RRSIG start time - absolute|offset (now - 1 hour)
    -e [YYYYMMDDHHMMSS|+offset|"now"+offset]: RRSIG end time - absolute|from start|from now (now + 30 days)
    -i interval: cycle interval - resign if < interval from end ((end-start)/4)
    -v debuglevel (0)
    -o origin: zone origin (name of zonefile)
    -f outfile: file the signed zone is written in (zonefile + .signed)
    -r randomdev: a file containing random data
    -a: verify generated signatures
    -p: use pseudorandom data (faster but less secure)
    -t: print statistics
    -n ncpus (number of cpus present)
    -k key_signing_key
    -l lookasidezone
    -z: ignore KSK flag in DNSKEYs
Signing Keys: (default: all zone keys that have private keys)
    keyfile (Kname+alg+tag)

04 Bibliography: RFCs
- RFC 4033: DNS Security Introduction and Requirements
- RFC 4034: Resource Records for the DNS Security Extensions
- RFC 4035: Protocol Modifications for the DNS Security Extensions

04 Bibliography: URLs
- http://www.ripe.net/training/dnssec/
- http://www.ripe.net/training/dnssec/material/dnssec.pdf
- http://www.ripe.net/disi/dnssec_howto
- http://www.isc.org/index.pl?/sw/bind/
- http://www.dnssec.net/dns-threats.php
- A short history of DNSSEC: http://www.nlnetlabs.nl/dnssec/history.html
- NIC-SE makes Internet safer using dnssec: http://sartryck.idg.se/art/nic-se_cs912005e.html
- http://dnssec.nic.se/