Download ppt - DNSSEC 101

Transcript
Page 1: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNSSEC 101Kevin Miller

Page 2: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Underpins Everything

Email

Web

Enterprise

Systems

VoIP

IMCMS

Page 3: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Underpins Everything

Email

Web

Enterprise

Systems

VoIP

IMCMS

Inbound Email VolumeInbound Email Volume

Received EmailSpam, virus filtering using DNSReceived EmailSpam, virus filtering using DNS

10+ DNS QueriesPer Message

10+ DNS QueriesPer Message

Page 4: DNSSEC 101

•WWW.OIT.DUKE.EDU•

Risks from DNS Attacks

• Impersonate your web site• Redirect your phone calls• Man-in-the-middle (password theft)• Reroute or block your email• Disrupt your network, application services• Attack vectors for malware (data theft)• Denial of service

Diagram source: Internet Storm Center

Page 5: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Attack: Cache Poisoning

Where is website.com?Where is website.com?

Answer: 67.11.23.9Also, www.bank.com – 12.1.2.3

Answer: 67.11.23.9Also, www.bank.com – 12.1.2.3

Page 6: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Attack: Forgery

Where is educause.edu?Where is educause.edu?

Answer: 198.59.61.65Answer: 198.59.61.65

Answer: 12.1.2.3

Answer: 12.1.2.3

Page 7: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Attack: Indirection

Where is educause.edu?Where is educause.edu?

Answer: 12.1.2.3

Answer: 12.1.2.3

Page 8: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNS Attack: Amplification

60 byte request60 byte request

4000 byteresponse

4000 byteresponse

Page 9: DNSSEC 101

•WWW.OIT.DUKE.EDU•

Software Defects

Buffer overflowOther vectors

Buffer overflowOther vectors

Page 10: DNSSEC 101

•WWW.OIT.DUKE.EDU•

Risk Reduction To Date

• Improving weaknesses in DNS software– Patching software defects– Limiting cache poisoning opportunities

• Improve operational best practices– Restrict access to DNS recursers– Install anti-IP spoofing filters

• Improve host security– Anti-virus, anti-malware defenses

Photo source: BCP38

Page 11: DNSSEC 101

•WWW.OIT.DUKE.EDU•

DNSSEC

• Cryptographically sign DNS records– Also the absence of records

• Maintains DNS architecture– Hierarchical, distributed signatures

• Significant risk reduction, if used widely– Protects you (www.school.edu)– Protects your users (www.bank.com)

Page 12: DNSSEC 101

•WWW.OIT.DUKE.EDU•

What Can Be Done Now?

• Discover local implications– How do you manage DNS? What tools are used?– What impact would DNSSEC have?– Do your vendors support it?– Can you servers handle DNSSEC overhead?

• Begin building expertise, experience– Sign a test zone– Deploy a test DNSSEC recurser

• Deployment– Sign your zones– Utilize DNSSEC-enabled recurser with DLV

Page 13: DNSSEC 101

•WWW.OIT.DUKE.EDU•

Additional Resources

• http://www.dnssec.net• http://www.bind9.net• http://www.dnsreport.com• http://www.dnssec-deployment.org/• http://www.uoregon.edu/~joe/port53wars/

port53wars.pdf• http://www.nanog.org/mtg-0606/damas.html


Recommended

DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page
DNSSEC:’’Where’We’Are’(and’how’ …...Resolver’only’caches’validated’records’ =? DNS Resolver with DNSSEC = 1.2.3.4 DNS Server with DNSSEC 1.2.3.4 Get page Documents
OPPORTUNISTIC IPSEC USING DNSSEC - schd.wsschd.ws/hosted_files/icann58copenhagen2017/1c/Paul Wouters... · 5 Opportunistic IPsec using DNSSEC OPPORTUNISTIC IPSEC USING DNSSEC •
OPPORTUNISTIC IPSEC USING DNSSEC - schd.wsschd.ws/hosted_files/icann58copenhagen2017/1c/Paul Wouters... · 5 Opportunistic IPsec using DNSSEC OPPORTUNISTIC IPSEC USING DNSSEC • Documents
Some DNSSEC thoughts
Some DNSSEC thoughts Documents
DNSSEC FIRST
DNSSEC FIRST Technology
DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's
DNSSEC Deployment Activity in Japan - Introduction of ... › wp-content › uploads › 2012 › 01 › ... · •What is DNSSEC •Introduction of DNSSEC Japan •DNSSEC Japan's Documents
Measuring DNSSEC - APNIC · NON-DNSSEC 45,911 88 AS27699 TELECOMUNICACOES DE SAO PAULO S/A - TELESP Brazil NON-DNSSEC 39,970 40 AS12322 PROXAD Free SAS France NON-DNSSEC 39,913 358
Measuring DNSSEC - APNIC · NON-DNSSEC 45,911 88 AS27699 TELECOMUNICACOES DE SAO PAULO S/A - TELESP Brazil NON-DNSSEC 39,970 40 AS12322 PROXAD Free SAS France NON-DNSSEC 39,913 358 Documents
DNSSEC Deployment - Internet Society · DNSSEC evangelist of the day ¥NLnet Labs ÐNot for profit Open Source Software lab ¥Developed NSD ÐDNS and DNSSEC research ... DNSSEC deployment
DNSSEC Deployment - Internet Society · DNSSEC evangelist of the day ¥NLnet Labs ÐNot for profit Open Source Software lab ¥Developed NSD ÐDNS and DNSSEC research ... DNSSEC deployment Documents
DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension
DNSSEC MANAGEMENT - efficientip.com€¦ · DNSSEC Principles An important point to underline is that DNSSEC (DNS Security Extensions) does not modify DNS protocol. DNSSEC is an extension Documents
DNS Risks, DNSSEC
DNS Risks, DNSSEC Documents
Deploying DNSSEC
Deploying DNSSEC Documents
Measuring DNSSEC
Measuring DNSSEC Documents
DNSSEC & KSK Rollover - mednsf.org · | 2 What is DNSSEC? ¤ DNSSEC = “DNS Security Extensions” ¤ DNSSEC is a protocol that is currently being deployed to secure the Domain Name
DNSSEC & KSK Rollover - mednsf.org · | 2 What is DNSSEC? ¤ DNSSEC = “DNS Security Extensions” ¤ DNSSEC is a protocol that is currently being deployed to secure the Domain Name Documents
Dominic Stahl Infoblox DNSSEC Solution - DENIC eG: Wir ... · Infoblox DNSSEC Solution simple, secure and reliable Infoblox DNSSEC Solution ... Infoblox DNSSEC Offering:
Dominic Stahl Infoblox DNSSEC Solution - DENIC eG: Wir ... · Infoblox DNSSEC Solution simple, secure and reliable Infoblox DNSSEC Solution ... Infoblox DNSSEC Offering: Documents
DNSSEC Deployment Guide - 123seminarsonly.com...For an overview of DNSSEC, see Introduction to DNSSEC. For a description of how DNSSEC works in Windows Server® 2008 R2 and Windows®
DNSSEC Deployment Guide - 123seminarsonly.com...For an overview of DNSSEC, see Introduction to DNSSEC. For a description of how DNSSEC works in Windows Server® 2008 R2 and Windows® Documents
DNSSEC - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l03-dnssec-2016.pdf · I DNSSEC Root Zone High Level Technical Architecture (Dra˝) I DNSSEC Practice Statement for the Root Zone
DNSSEC - uniba.sknew.dcs.fmph.uniba.sk/files/biti/l03-dnssec-2016.pdf · I DNSSEC Root Zone High Level Technical Architecture (Dra˝) I DNSSEC Practice Statement for the Root Zone Documents
Introduction DNSSec
Introduction DNSSec Internet
DNSSEC Implementation Considerations and Risk Analysisdnssec-deployment.icann.org/training/AMM/amm-dnssec-design.pdf · DNSSEC Implementation Considerations and Risk Analysis TAGI
DNSSEC Implementation Considerations and Risk Analysisdnssec-deployment.icann.org/training/AMM/amm-dnssec-design.pdf · DNSSEC Implementation Considerations and Risk Analysis TAGI Documents
DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com
DNSSEC in Practice: Using DNSSEC- Tools to Deploy DNSSEC · DNSSEC in Practice: Using DNSSEC-Tools to Deploy DNSSEC Wes Hardaker. Russ Mundy. Suresh Krishnaswamy {hardaker,mundy,suresh}@sparta.com Documents