Security in DNS(DNSSEC)


Yalda Edalat

Pramodh Pallapothu

Agenda

What is DNS?
Caching in DNS
Threats to the DNS
What should match in a DNS transaction?
What is DNSSEC?
DNSKEY, RRSIG, NSEC, DS
DNSSEC issues

What is DNS?

The first step in communication between computers that support IP is knowing the IP address. Memorizing four decimal numbers for each web site is difficult; memorizing host names is easier.

At the beginning, SRI-NIC was responsible for maintaining a single file containing the IP addresses of all hosts. As the Internet grew rapidly, the uniqueness of IP addresses had to be guaranteed, which led to the creation of a distributed Internet database: the DNS.

Caching in DNS

To reduce the load on DNS servers, a caching mechanism keeps a successful answer for a specific period of time.

Threats to the DNS

Most weaknesses in DNS fall into these categories:

Cache poisoning
Client flooding
Compromise of the DNS server's authoritative data

Cache Poisoning

What should match in a DNS transaction?


Other threats

Client flooding: the client sends a query but receives thousands of DNS responses from an attacker. Because responses are not authenticated, the client cannot verify the origin of a response.

Compromise of the DNS server's authoritative data: an attacker gains administrative privileges and modifies zone information.

Need for more security

The original DNS did not include security. Some commands depend on hostnames for authentication (the "r" commands in UNIX), so false information in DNS causes unexpected results. Appropriate security is needed to provide adequate protection in DNS, and it is accomplished through DNSSEC.

DNSSEC

The DNS Security Extensions define additional Resource Records; DNSKEY, RRSIG, NSEC and DS are four of those Resource Records.

DNSKEY

It is the public key for the zone and is published in zone file.

example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3)

86400 -> TTL of 1 day (in seconds)
256 -> Flags value, indicating that this is a zone key
3 -> Protocol value
5 -> Algorithm: RSA/SHA-1
The RR value (the public key) is base64 encoded.

RRSIG

RRSIG records store digital signatures that were created by signing the resource records associated with a domain using a DNSKEY.

host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 ( 20030220173103 2642 example.com. oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr )

86400 -> TTL
A -> indicates that this is a signature over the A RRs for "host.example.com"
5 -> Algorithm: RSA/SHA-1
...

NSEC

NSEC is used to provide proof of non-existence of any name within a zone.

alfa.example.com. 86400 IN NSEC host.example.com. ( A MX RRSIG NSEC TYPE1234 )

The first four text fields specify the name, TTL, Class, and RR type (NSEC). The entry host.example.com. is the next authoritative name after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC, and TYPE1234 mnemonics indicate that there are A, MX, RRSIG, NSEC, and TYPE1234 RRsets associated with the name alfa.example.com.

DS

The Delegation Signer (DS) RR contains the hash of the public key of the child zone. This record is signed by the parent zone's private key with a matching RRSIG RR.

dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A 98631FAD1A292118 )
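To tie DNSKEY and DS together, here is an added example (not from the slides) that computes the RFC 4034 key tag and the DS digest for the DNSKEY shown above, then performs the check a validator makes when it follows a parent's DS down to a child zone's DNSKEY. The key material is the truncated value from the slide and is for illustration only; the owner-name and digest functions are my own.

```python
import base64
import hashlib
import struct

# DNSKEY from the slide (key material is truncated there; illustration only).
EXAMPLE_DNSKEY = ("example.com.", 256, 3, 5, "AQPSKmynfzW4kyBv015MUG2DeIQ3")

def name_to_wire(name):
    """Owner name in canonical DNS wire form: lowercase labels, length-prefixed, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # even offsets are the high byte of a 16-bit word
    acc += (acc >> 16) & 0xFFFF               # fold the carry back in
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=1):
    """DS digest = hash(canonical owner name || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_matches(owner, rdata, ds_key_tag, ds_algorithm, ds_digest_type, ds_digest_hex):
    """Validator check when following a parent's DS to a child DNSKEY: key tag, algorithm
    and digest must all agree, otherwise this key is not part of the chain of trust."""
    return (key_tag(rdata) == ds_key_tag
            and rdata[3] == ds_algorithm
            and ds_digest(owner, rdata, ds_digest_type) == ds_digest_hex.replace(" ", "").upper())

def example_ds_record():
    """Build the DS RR the parent zone would publish for the slide's example.com DNSKEY."""
    owner, flags, proto, alg, key = EXAMPLE_DNSKEY
    rdata = dnskey_rdata(flags, proto, alg, key)
    return owner, key_tag(rdata), alg, 1, ds_digest(owner, rdata, 1)

if __name__ == "__main__":
    owner, tag, alg, dtype, digest = example_ds_record()
    print(f"{owner} 86400 IN DS {tag} {alg} {dtype} {digest}")
```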

How does DNSSEC work?

DNSSEC issues

The average size of a DNS response message increases.

The zone file increases in size due to the additional DNSSEC records.

The number of DNS transactions increases, because additional queries for zone public key records are required when constructing trust chains.

The client has to spend additional time validating the signed data and validating the public key, potentially slowing the resolution process.

The server has to generate new signatures over all RRset changes, which places an incremental load on the server.

DNSSEC Reference

RFC 3833 A Threat Analysis of the Domain Name System
RFC 4033 DNS Security Introduction and Requirements
RFC 4034 Resource Records for the DNS Security Extensions
RFC 4035 Protocol Modifications for the DNS Security Extensions
RFC 4398 Storing Certificates in the Domain Name System (DNS)

NSEC3 - "DNSSEC Hashed Authenticated Denial of Existence", draft-ietf-dnsext-nsec3-06.txt

DNS and BIND, 4th Edition, Paul Albitz and Cricket Liu, O'Reilly
www.dnssec.org – A resource page for DNSSEC
