
What We are Learning About DNS Security: DNSSEC and Much More


DESCRIPTION

Edward Lewis, Director, Member of Technical Staff at Neustar, presented at the "DNS Technology and Security Day", held on Wednesday, July 27th 2011, in the "Park Saloon" of the Bogota Royal Hotel in Bogota, COLOMBIA. The content of these slides morphed into "cooperation" of internet elements, featuring government and industry relationships. During security events, when you can't determine friend or foe by looking through a wire, you need to already know who your true friends are.


Page 1: What We are Learning About DNS Security: DNSSEC and Much More

What We are Learning About DNS Security

DNSSEC and Much More

7/27/2011

1

Edward Lewis

Director, Member of Technical Staff

© Neustar Inc. / Proprietary and Confidential

Page 2

Joseph is unhappy about my talk

8/1/2011

© Neustar Inc. / Proprietary and Confidential

» This is the first day since my son was born that I have not been home
» He's 6 1/2 months old
» When I told him I'd be away July 27, he had this frown
» Still, it is an honor to be invited to speak here today
» This talk is dedicated to little Joe

Page 3

Agenda

» The significance of DNSSEC
» What you should be doing about DDoS
» What you need to do

Page 4

In the Wake of DNSSEC

» The protocol and the code have been strengthened
» We've improved the state of operations
» Cooperation has become very important

Page 5

Briefly, What is DNSSEC?

» DNSSEC is an add-on to the DNS protocol
» It adds information to DNS answers that provides proof that the data is genuine (a signature over each set of records, checked against a key the resolver already trusts)
  » DNSSEC is like automobile safety belts for DNS
» The greatest benefit is preventing ISP caches from accepting forged answers and misdirecting customers
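The slide's point that DNSSEC stops a cache from accepting a forged answer is easiest to see in a small model. The following is an added example, not code from the slides or from Neustar: it models a recursive cache that trusts the first response whose 16-bit transaction ID matches, beside the same cache with validation switched on. The RSA key (built from two well-known Mersenne primes), the hypothetical zone www.example, the addresses and the "cache" class are all constructed for illustration; real DNSSEC uses DNSKEY/RRSIG/DS records, RFC 4034 canonical form and properly sized keys with padding, none of which is reproduced here.

```python
"""Toy model of what a DNSSEC signature adds to an answer, and why a
validating cache cannot be poisoned by a forged response that merely wins
the race. Illustration only: not wire-format DNSSEC."""
import hashlib
import secrets

# Toy RSA key from two well-known Mersenne primes (2^127-1 and 2^107-1).
# Anyone can reconstruct this key, so it is for illustration only.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
ZONE_PUBLIC_KEY = (N, E)    # what the zone's DNSKEY would carry; used as trust anchor
ZONE_PRIVATE_KEY = (N, D)   # held only by the zone signer

# An RRset here is (owner name, type, ttl, list of rdata strings).


def canonical(rrset):
    """Serialise an RRset so signer and validator hash exactly the same bytes:
    owner name lower-cased and fully qualified, rdata sorted."""
    name, rtype, ttl, rdatas = rrset
    owner = name.lower().rstrip(".") + "."
    return f"{owner}|{rtype}|{ttl}|{';'.join(sorted(rdatas))}".encode()


def _digest(rrset, n):
    # Reduce modulo n so the textbook-RSA operation below is well defined.
    return int.from_bytes(hashlib.sha256(canonical(rrset)).digest(), "big") % n


def sign_rrset(rrset, private_key):
    n, d = private_key
    return pow(_digest(rrset, n), d, n)


def verify_rrset(rrset, sig, public_key):
    n, e = public_key
    return pow(sig, e, n) == _digest(rrset, n)


class Cache:
    """A recursive resolver's cache. With validate=False it behaves like a
    pre-DNSSEC cache: the first response whose transaction ID matches the
    outstanding query is believed. With validate=True the RRset must also
    carry a signature that verifies under the trust anchor."""

    def __init__(self, validate, trust_anchor):
        self.validate = validate
        self.trust_anchor = trust_anchor
        self.entries = {}

    def accept(self, expected_txid, response):
        rrset, sig = response["rrset"], response["rrsig"]
        key = (rrset[0], rrset[1])
        if response["txid"] != expected_txid or key in self.entries:
            return False  # not for an outstanding query, or already answered
        if self.validate and (sig is None or not verify_rrset(rrset, sig, self.trust_anchor)):
            return False  # bogus: signature missing or does not verify
        self.entries[key] = sorted(rrset[3])
        return True


def poison_race(validating):
    """Simulate a poisoning race: the attacker has guessed the TXID and its
    forged answer arrives before the genuine one. Returns the rdata the
    cache ends up serving for www.example (hypothetical zone)."""
    genuine = ("www.example.", "A", 300, ["192.0.2.10"])
    forged = ("www.example.", "A", 300, ["198.51.100.66"])
    txid = 0x1234
    cache = Cache(validate=validating, trust_anchor=ZONE_PUBLIC_KEY)
    # The attacker lacks the zone's private key; a made-up signature is all it has.
    cache.accept(txid, {"txid": txid, "rrset": forged, "rrsig": secrets.randbelow(N)})
    cache.accept(txid, {"txid": txid, "rrset": genuine,
                        "rrsig": sign_rrset(genuine, ZONE_PRIVATE_KEY)})
    return cache.entries[("www.example.", "A")]


if __name__ == "__main__":
    print("non-validating cache serves:", poison_race(False))
    print("validating cache serves:    ", poison_race(True))
```

The non-validating cache ends up serving the attacker's address, the validating one serves the genuine record. Note what validation does not do: it does not stop the forged packet arriving or the race being run, it only makes the forgery unverifiable, which is why the slide compares it to a seat belt rather than to a wall.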

Page 6

Protocol Strengthening

» The DNS protocol, as specified, is a very weak base to secure
» One of the benefits of DNSSEC is that it made us take a critical look at the protocol

Page 7

Why securing DNS is so hard

» DNS goals are
  » global scale, fast response, high availability
» It's a crowd, not one person

Page 8

...and...

» The original specifications are informal, incomplete
  » Leading to a wide range of interpretations
  » And thus a wide range of different implementations
  » Rely on the memories of the "old guys"

Page 9: What We are Learning About DNS Security:  DNSSEC and Much More

»Security throughout the DNS» Data Loading (EPP & WhoIs-related too)

» Data Replication (zone transfers)

» Queries and Responses (e.g., DNSSEC, TSIG, wild card)

»New code, new code everywhere

»And new ways to operate

Updates to DNS

8/1/2011

© Neustar Inc. / Proprietary and Confidential9

Page 10

What DNSSEC got right

» DNSSEC is a technical success
» DNSSEC was designed with adoption by transition in mind
  » This is what IPv6 lacks
» But adoption by slow transition is not easy and requires patience, a good plan and a lot of execution
  » Slow adoption is a beneficial thing, a feature, really!
» And the path to DNSSEC's completion can teach us much about security improvements

Page 11

Strengthening Cooperation

» When teaching the ISO seven layer protocol model I came across this in an old textbook
  » There are times when it is necessary to handle an error in the layer above the one you are designing
» Translating this into DNS and security events
  » During times of attack, out-of-band coordination must have already been established

Page 12

Coordinate?

» Who?: Anyone that teams in a defense
  » Government and Private Industry
  » Competitors
  » Across borders and oceans
» When?
  » Strategic and tactical
  » Frequently, openly
  » During exercises, events
» Where?
  » Conferences, workshops
  » In-person meetings at offices
  » And don't forget - happy hours!

Page 13

Government - Industry cooperation

» The Government and Industry relationship is important
» Government learns from experts in industry
» Government always maintains legal authority
» Government provides leadership in mandates and funding
» Industry provides innovation and takes the risk

Page 14

DDoS

» You can be a target of a DDoS
  » Solutions include capacity, reserves, and traffic scrubbing
» You can be used to launch a DDoS
  » Open recursive servers can reflect and amplify an attack
» (You could also be the attacker...;))
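The second bullet, a resolver being used to reflect and amplify an attack, leaves a recognisable trace in the resolver's own query log. The following is an added example, not from the slides: it runs a simple check over constructed log lines written in the style of a BIND 9 query log ("client IP#port: query: NAME IN TYPE ..."); the resolver address 192.0.2.53, its served prefix 192.0.2.0/24, the victim address 198.51.100.9 and the threshold are all assumptions, and no line comes from a real server.

```python
"""Spot a recursive resolver being used as a DDoS reflector from its query log.
Added example with constructed BIND-style log lines; prefixes and thresholds
are assumptions to adjust for your own resolver."""
import ipaddress
import re
from collections import Counter

# Who this (hypothetical) recursive resolver at 192.0.2.53 is meant to serve.
SERVED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Query types whose responses are large relative to the query and so are
# favoured for amplification. The per-window threshold is an assumption.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}
AMPLIFY_THRESHOLD = 50

# Constructed sample log: three legitimate queries from the served prefix ...
LEGIT = [
    "27-Jul-2011 10:00:01.001 client 192.0.2.17#5353: query: www.example.com IN A +E (192.0.2.53)",
    "27-Jul-2011 10:00:01.010 client 192.0.2.18#5353: query: mail.example.com IN MX +E (192.0.2.53)",
    "27-Jul-2011 10:00:01.015 client 192.0.2.17#5353: query: example.com IN ANY +E (192.0.2.53)",
]
# ... and 200 spoofed ANY queries whose "source" is the victim, outside the served prefix.
REFLECTED = [
    f"27-Jul-2011 10:00:02.{i:03d} client 198.51.100.9#1025: query: isc.org IN ANY +E (192.0.2.53)"
    for i in range(200)
]
SAMPLE_LOG = LEGIT + REFLECTED

QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_query_log(lines):
    """Return one dict (ip, qname, qtype) per parsable query line; other lines are skipped."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out


def find_reflection_abuse(lines, served=SERVED_PREFIXES, threshold=AMPLIFY_THRESHOLD):
    """Return [(source_ip, total_queries, [reasons])] for sources that either
    prove the resolver is open (a query from outside the served prefixes) or
    hammer it with amplification-prone query types."""
    totals, amplifying = Counter(), Counter()
    for q in parse_query_log(lines):
        ip = ipaddress.ip_address(q["ip"])
        totals[ip] += 1
        if q["qtype"].upper() in AMPLIFYING_QTYPES:
            amplifying[ip] += 1
    findings = []
    for ip, total in totals.most_common():
        reasons = []
        if not any(ip in net for net in served):
            reasons.append("query from outside served prefixes: resolver is open")
        if amplifying[ip] >= threshold:
            reasons.append(f"{amplifying[ip]} amplification-prone queries")
        if reasons:
            findings.append((str(ip), total, reasons))
    return findings


if __name__ == "__main__":
    for ip, total, reasons in find_reflection_abuse(SAMPLE_LOG):
        print(f"{ip}: {total} queries; " + "; ".join(reasons))
```

Two caveats that matter for the response. The flagged source address is the spoofed victim, not the attacker, so "blocking the attacker" is not an option; the fix on your side is to stop answering recursion for addresses you do not serve and to rate-limit what you do answer, and the rest is exactly the out-of-band cooperation the deck argues for, since the victim's network is the one that needs to hear from you. And a single query from outside the served prefixes is already evidence that the resolver is open, whether or not anyone is abusing it yet.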

Page 15

Anti-DDoS

» Expertise is needed to defend against these attacks
  » Target owners, ISPs and other security entities have this
» This is why cooperation, set up ahead of time, is critical
» If you need to "click here" ... it is too late for you!

Page 16

Failure to set up cooperation

» There are two possible outcomes
» "Fail closed" and not respond adequately
  » Examples are one person having a password and being on vacation when the attack happens
» "Fail open" and be open to being fooled (social engineered) by an attacker
  » Examples are attackers causing a diversion and then acting as "first responders"/emergency workers to monitor damage and adjust attacks

Page 17

Securing the DNS system

» The DNS is spread amongst many elements
  » Registries, registrars, web hosts, DNS operators
  » ISPs, open/remote recursive servers
  » Policy elements, law enforcement
» Each element can self-secure, but end-to-end security is also needed
» This is one final push to form cooperative groups!

Page 18

Better DNS & cooperation is not enough

» Attacks will happen
» Defenses will not stop all damage
  » If a defense stops all attacks, it is probably too tight!
» This makes logging or tracing activity an important element

Page 19

What do we learn from logging events

» The information left behind by an attack is valuable
» We learn the techniques
» We learn the level of sophistication
» We learn the weaknesses of the attack
» We learn how the attackers are learning
» We learn who the attackers are
» We might even be able to convict and punish them

Page 20

A stronger system

» DNS is becoming a stronger system
» We know it takes more than a good protocol, because "good" depends on the way you measure
» We know it takes world-wide cooperation and in-depth cooperation to run a network that opens communication without letting it be overrun with abuse
» We want citizens to have access to government services to help their lives, not gangs like ANONYMOUS to disrupt lives

Page 21

What You Need to Do to Prepare

» Learn about DNSSEC
  » It's like getting used to seatbelts
  » It's not scary but it takes work
» And begin to get to know others in the Industry & Government
  » Help defend the network

Page 22

Thank you!