DNS Security (DNSSEC) With BIG-IP Global Traffic Manager



DESCRIPTION

This slideshow gives an overview of how F5's BIG-IP Application Delivery Controllers protect customers' DNS infrastructure against various attacks by implementing a unique dynamic security signing policy.


Page 1: DNS Security (DNSSEC) With BIG-IP Global Traffic Manager

DNS Security (DNSSEC) With BIG-IP Global Traffic Manager

Page 2: DNS Security (DNSSEC) With BIG-IP Global Traffic Manager


DNS Infrastructure is Vulnerable

Spoofing and cache poisoning allow hijacking of domains

[Diagram: the LDNS asks "www.example.com?" and Example.com (GSLB, app servers) answers 123.123.123.123; a hacker spoofs with the first response and poisons the cache with 012.012.012.012]

Problem

Need to secure DNS infrastructure
• Cache poisoning and spoofing can hijack DNS records
• Need a method for trusted responses
• Need to meet US Government mandate for DNSSEC compliance

Page 3: DNS Security (DNSSEC) With BIG-IP Global Traffic Manager


What is DNSSEC?

• DNS protocol extensions ensure the integrity of data returned by domain name lookups.
• Incorporates a “chain of trust” into the DNS hierarchy using public key cryptography (PKI).
• Each link in the chain consists of a public-private key pair.
• Provides origin authenticity, data integrity, and secure denial of existence.
  – Origin authenticity: Resolvers can verify that data has originated from authoritative sources.
  – Data integrity: Can also verify that responses are not modified in-flight.
  – Secure denial of existence: When there is no data for a query, authoritative servers can provide a response that proves no data exists.

Page 4: DNS Security (DNSSEC) With BIG-IP Global Traffic Manager


How Does DNSSEC Work?

• Each DNSSEC zone creates one or more pairs of public/private key(s)
  – Public portion put in DNSSEC record type DNSKEY
• Zones sign all resource record sets (RRsets) with the private key(s) and resolvers use the DNSKEY(s) to verify the sets
  – Each set has a signature attached to it: RRSIG
• So, if a resolver has a zone’s DNSKEY(s) it can verify that sets are intact by verifying their RRSIGs
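To make the sign-then-verify flow above concrete, here is an added example (not F5's code and not from the slides) in Go using Ed25519 (DNSSEC algorithm 15): the zone signs an RRset and emits an RRSIG, and a resolver holding the zone's DNSKEY rebuilds the signed data and checks it. The record types and the canonical form are simplified text stand-ins for the RFC 4034 wire format, an assumption made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is one resource record in text form; RRSIG carries what a resolver
// needs to rebuild the signed data (both simplified, not DNS wire format).
type RR struct{ Owner, Type, RData string; TTL uint32 }
type RRSIG struct {
	TypeCovered, SignerName string
	Inception, Expiration   uint32
	Signature               []byte
}

// canonicalRRset is a text-form stand-in for the RFC 4034 canonical form:
// names lowercased, records sorted, RRSIG fields (minus signature) prepended.
func canonicalRRset(rrs []RR, sig RRSIG) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s %d %s %s",
			strings.ToLower(rr.Owner), rr.TTL, rr.Type, rr.RData))
	}
	sort.Strings(lines)
	hdr := fmt.Sprintf("%s %s %d %d\n", sig.TypeCovered,
		strings.ToLower(sig.SignerName), sig.Inception, sig.Expiration)
	return []byte(hdr + strings.Join(lines, "\n"))
}

// SignRRset is the zone side: one RRSIG per RRset, made with the private key.
func SignRRset(priv ed25519.PrivateKey, rrs []RR, signer string, inc, exp uint32) RRSIG {
	sig := RRSIG{TypeCovered: rrs[0].Type, SignerName: signer, Inception: inc, Expiration: exp}
	sig.Signature = ed25519.Sign(priv, canonicalRRset(rrs, sig))
	return sig
}

// VerifyRRset is the resolver side: rebuild the data and check it with the zone's DNSKEY.
func VerifyRRset(dnskey ed25519.PublicKey, rrs []RR, sig RRSIG, now uint32) bool {
	if now < sig.Inception || now > sig.Expiration {
		return false // outside the signature's validity window
	}
	return ed25519.Verify(dnskey, canonicalRRset(rrs, sig), sig.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // DNSKEY = pub (constructed key pair)
	rrs := []RR{{Owner: "www.example.com.", Type: "A", RData: "123.123.123.123", TTL: 300}}
	sig := SignRRset(priv, rrs, "example.com.", 1000, 2000)
	forged := []RR{{Owner: "www.example.com.", Type: "A", RData: "012.012.012.012", TTL: 300}}
	fmt.Println(VerifyRRset(pub, rrs, sig, 1500), VerifyRRset(pub, forged, sig, 1500)) // true false
}
```

A spoofed answer such as the 012.012.012.012 record from the earlier slide fails verification because its canonical form no longer matches what the zone signed.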

Page 5: DNS Security (DNSSEC) With BIG-IP Global Traffic Manager


Securing the DNS Infrastructure

Dynamic and secure DNS with Global Traffic Manager

[Diagram: the LDNS asks "www.example.com?" and Example.com (BIG-IP GTM, app servers) answers 123.123.123.123 + public key; the hacker's forged answer is not trusted because the client gets a signed, trusted response]

Solution

Secure and dynamic DNS
• Ensure users get trusted DNS queries with signed responses
• Reduce management costs – Simple to implement and maintain
• Meet mandates with DNSSEC compliant solution

BIG-IP Global Traffic Manager with DNSSEC

Page 6: DNS Security (DNSSEC) With BIG-IP Global Traffic Manager


Drop-in DNSSEC Compliance

Simple DNSSEC compliance
• Drop GTM in front of existing DNS servers
• GTM signs requests without changes to DNS configuration

[Diagram: BIG-IP GTM placed in front of the existing DNS servers for Example.com; the query "site.example.com?" is answered with 172.16.124.1 + trusted SSL key]


Page 8: DNS Security (DNSSEC) With BIG-IP Global Traffic Manager