13
•WWW.OIT.DUKE.EDU• DNSSEC 101 Kevin Miller

DNSSEC 101

  • Upload
    tuari

  • View
    25

  • Download
    1

Embed Size (px)

DESCRIPTION

DNSSEC 101. Kevin Miller. DNS Underpins Everything. Email. VoIP. CMS. IM. Enterprise Systems. Web. DNS Underpins Everything. Email. VoIP. Inbound Email Volume. CMS. IM. Enterprise Systems. Web. Received Email Spam, virus filtering using DNS. 10+ DNS Queries Per Message. - PowerPoint PPT Presentation

Citation preview

Page 1: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNSSEC 101Kevin Miller

Page 2: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Underpins Everything

Email

Web

Enterprise

Systems

VoIP

IMCMS

Page 3: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Underpins Everything

Email

Web

Enterprise

Systems

VoIP

IMCMS

Inbound Email VolumeInbound Email Volume

Received EmailSpam, virus filtering using DNSReceived EmailSpam, virus filtering using DNS

10+ DNS QueriesPer Message

10+ DNS QueriesPer Message

Page 4: DNSSEC 101

•WWW.OIT.DUKE.EDU•

Risks from DNS Attacks

• Impersonate your web site• Redirect your phone calls• Man-in-the-middle (password theft)• Reroute or block your email• Disrupt your network, application services• Attack vectors for malware (data theft)• Denial of service

Diagram source: Internet Storm Center

Page 5: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Attack: Cache Poisoning

Where is website.com?Where is website.com?

Answer: 67.11.23.9Also, www.bank.com – 12.1.2.3

Answer: 67.11.23.9Also, www.bank.com – 12.1.2.3

Page 6: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Attack: Forgery

Where is educause.edu?Where is educause.edu?

Answer: 198.59.61.65Answer: 198.59.61.65

Answer: 12.1.2.3

Answer: 12.1.2.3

Page 7: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Attack: Indirection

Where is educause.edu?Where is educause.edu?

Answer: 12.1.2.3

Answer: 12.1.2.3

Page 8: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Attack: Amplification

60 byte request60 byte request

4000 byteresponse

4000 byteresponse

Page 9: DNSSEC 101

•WWW.OIT.DUKE.EDU•

Software Defects

Buffer overflowOther vectors

Buffer overflowOther vectors

Page 10: DNSSEC 101

•WWW.OIT.DUKE.EDU•

Risk Reduction To Date

• Improving weaknesses in DNS software– Patching software defects– Limiting cache poisoning opportunities

• Improve operational best practices– Restrict access to DNS recursers– Install anti-IP spoofing filters

• Improve host security– Anti-virus, anti-malware defenses

Photo source: BCP38

Page 11: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNSSEC

• Cryptographically sign DNS records– Also the absence of records

• Maintains DNS architecture– Hierarchical, distributed signatures

• Significant risk reduction, if used widely– Protects you (www.school.edu)– Protects your users (www.bank.com)

Page 12: DNSSEC 101

•WWW.OIT.DUKE.EDU•

What Can Be Done Now?

• Discover local implications– How do you manage DNS? What tools are used?– What impact would DNSSEC have?– Do your vendors support it?– Can you servers handle DNSSEC overhead?

• Begin building expertise, experience– Sign a test zone– Deploy a test DNSSEC recurser

• Deployment– Sign your zones– Utilize DNSSEC-enabled recurser with DLV

Page 13: DNSSEC 101

•WWW.OIT.DUKE.EDU•

Additional Resources

• http://www.dnssec.net• http://www.bind9.net• http://www.dnsreport.com• http://www.dnssec-deployment.org/• http://www.uoregon.edu/~joe/port53wars/

port53wars.pdf• http://www.nanog.org/mtg-0606/damas.html


Some DNSSEC thoughts

Some DNSSEC thoughts

Documents
DNS Svr2008r2 Dnssec

DNS Svr2008r2 Dnssec

Documents
DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

DNSSEC - Red Hat · DNSSEC . Topics DNSSEC theory in 7 screen shots DNSSEC software: validating, signing Converting applications to use DNSSEC Using DNSSEC for non-DNS purposes TLSA,

Documents
OPPORTUNISTIC IPSEC USING DNSSEC - schd.wsschd.ws/hosted_files/icann58copenhagen2017/1c/Paul Wouters... · 5 Opportunistic IPsec using DNSSEC OPPORTUNISTIC IPSEC USING DNSSEC •

OPPORTUNISTIC IPSEC USING DNSSEC - schd.wsschd.ws/hosted_files/icann58copenhagen2017/1c/Paul Wouters... · 5 Opportunistic IPsec using DNSSEC OPPORTUNISTIC IPSEC USING DNSSEC •

Documents
Introduction DNSSec

Introduction DNSSec

Internet
DNSSEC FIRST

DNSSEC FIRST

Technology
Summit 2010 Dnssec

Summit 2010 Dnssec

Documents
Measuring DNSSEC

Measuring DNSSEC

Documents
DNSSEC Deployment Guide - 123seminarsonly.com...For an overview of DNSSEC, see Introduction to DNSSEC. For a description of how DNSSEC works in Windows Server® 2008 R2 and Windows®

DNSSEC Deployment Guide - 123seminarsonly.com...For an overview of DNSSEC, see Introduction to DNSSEC. For a description of how DNSSEC works in Windows Server® 2008 R2 and Windows®

Documents
Dnssec Tutorial

Dnssec Tutorial

Documents
DNSSEC 101

DNSSEC 101

Documents
Deploying DNSSEC v3

Deploying DNSSEC v3

Documents
DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page

DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page

Documents
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment

Documents
Internet2 DNSSEC Pilot

Internet2 DNSSEC Pilot

Documents
DUKE UNIVERSITY DNSSEC 101 Kevin Miller

DUKE UNIVERSITY DNSSEC 101 Kevin Miller

Documents
DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com

DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com

Documents
DNSSEC 101 - ripe.net

DNSSEC 101 - ripe.net

Documents
Deploying DNSSEC

Deploying DNSSEC

Documents
DNSSEC Exposed - Deploying DNSSEC in Real Life Presentation

DNSSEC Exposed - Deploying DNSSEC in Real Life Presentation

Documents
DNSSEC Deployment - Internet Society · DNSSEC evangelist of the day ¥NLnet Labs ÐNot for profit Open Source Software lab ¥Developed NSD ÐDNS and DNSSEC research ... DNSSEC deployment

DNSSEC Deployment - Internet Society · DNSSEC evangelist of the day ¥NLnet Labs ÐNot for profit Open Source Software lab ¥Developed NSD ÐDNS and DNSSEC research ... DNSSEC deployment

Documents
DNSSEC Practice Statement - CommBank › ... › registry › DNSSEC-practice-state… · 2019-08-09 · DNSSEC Practice Statement Page III ariservices.com CONFIDENTIAL TM Contact

DNSSEC Practice Statement - CommBank › ... › registry › DNSSEC-practice-state… · 2019-08-09 · DNSSEC Practice Statement Page III ariservices.com CONFIDENTIAL TM Contact

Documents
DNSSEC policy

DNSSEC policy

Documents
Threats to DNS DNSSEC overview/history DNSSEC in … · Threats to DNS DNSSEC overview/history DNSSEC today ... signed.infoblox.com. 3600 IN RRSIG NS 5 3 3600 20080410205926 20080311205926

Threats to DNS DNSSEC overview/history DNSSEC in … · Threats to DNS DNSSEC overview/history DNSSEC today ... signed.infoblox.com. 3600 IN RRSIG NS 5 3 3600 20080410205926 20080311205926

Documents
DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's

DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's

Documents
Measuring DNSSEC Use

Measuring DNSSEC Use

Documents
DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

Documents
DNSSEC MANAGEMENT - efficientip.com · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

DNSSEC MANAGEMENT - efficientip.com · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension

Documents
Measuring DNSSEC - APNIC · NON-DNSSEC 45,911 88 AS27699 TELECOMUNICACOES DE SAO PAULO S/A - TELESP Brazil NON-DNSSEC 39,970 40 AS12322 PROXAD Free SAS France NON-DNSSEC 39,913 358

Measuring DNSSEC - APNIC · NON-DNSSEC 45,911 88 AS27699 TELECOMUNICACOES DE SAO PAULO S/A - TELESP Brazil NON-DNSSEC 39,970 40 AS12322 PROXAD Free SAS France NON-DNSSEC 39,913 358

Documents
DNSSEC & KSK Rollover - mednsf.org · | 2 What is DNSSEC? ¤ DNSSEC = “DNS Security Extensions” ¤ DNSSEC is a protocol that is currently being deployed to secure the Domain Name

DNSSEC & KSK Rollover - mednsf.org · | 2 What is DNSSEC? ¤ DNSSEC = “DNS Security Extensions” ¤ DNSSEC is a protocol that is currently being deployed to secure the Domain Name

Documents