Transcript
Page 1: Understanding the DNS & DNSSEC

Understanding the DNS & DNS Security

Page 2: Understanding the DNS & DNSSEC

The World's Network – the Domain Name System

+ An Internet Protocol (IP) address identifies a device (a laptop, a phone, a server) on the Internet.

+ The Domain Name System (DNS) maps human-readable names to IP addresses.

+ IP routing and the DNS together underpin the single, unified Internet.

Page 3: Understanding the DNS & DNSSEC

A sample DNS query

[Figure: a client asks its resolver "Where is www.iana.org?" and receives the answer 192.0.2.1]

Page 4: Understanding the DNS & DNSSEC

Making the DNS Secure

+ A computer sends a question to a DNS server, such as "Where is iana.org?"

+ It receives an answer and assumes that the answer is correct.

+ There are many ways that traffic on the Internet can be intercepted and modified, so the answer received may be false.

Page 5: Understanding the DNS & DNSSEC

Receiving the Wrong Answer

[Figure: the client asks "Where is www.iana.org?"; two different replies arrive for the same question, 192.0.2.0 and 13.13.14.0, and the client has no way to tell which one is genuine]

Page 6: Understanding the DNS & DNSSEC

Poisoning a Cache

+ The attacker knows that iterative resolvers may cache the responses they receive.

+ The attacker composes a DNS response containing malicious data about a targeted domain.

+ The attacker tricks a resolver into adding this malicious data to its local cache.

+ Later queries processed by that resolver return the malicious data for the life of the cached entry.

+ Example: the user at "My Mac" clicks on a URL in an email message from [email protected]

[Figure: My Mac asks its local resolver "What is the IPv4 address for loseweightfastnow.com?"; the resolver forwards the query to the ecrime name server, which replies "loseweightfastnow.com IPv4 address is 192.168.1.1 ... ALSO www.ebay.com is at 192.168.1.2"; the resolver thinks "I'll cache this response... and update www.ebay.com"]
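The slide's scenario, as an added example in Node.js (it is not code from the presentation or from ICANN): a toy resolver cache is fed a constructed copy of the ecrime server's reply, first without and then with the bailiwick check that modern resolvers apply, which discards any record about a name the answering server has no authority over (here, the www.ebay.com record returned by the server for loseweightfastnow.com). The domain name and addresses are the slide's, the TTLs are assumed, and `Resolver`, `inBailiwick` and `poisonedReply` are names chosen for this example.

```javascript
// inBailiwick: is `name` the zone itself or a name below it? (www.example.com is in example.com)
function inBailiwick(name, zone) {
  const n = name.toLowerCase().replace(/\.$/, '');
  const z = zone.toLowerCase().replace(/\.$/, '');
  return n === z || n.endsWith('.' + z);
}

class Resolver {
  // strictBailiwick: discard records about names the answering server is not authoritative for.
  // now: injectable clock (ms since epoch) so that TTL expiry can be exercised offline.
  constructor({ strictBailiwick = true, now = Date.now } = {}) {
    this.strictBailiwick = strictBailiwick;
    this.now = now;
    this.cache = new Map();
  }

  key(name, type) {
    return `${name.toLowerCase().replace(/\.$/, '')}/${type.toUpperCase()}`;
  }

  // ingest caches the records of a response obtained from the server for `zone` and returns
  // the names that were cached. Without the check, every record the server chose to include
  // is believed, including records about other people's domains.
  ingest(zone, response) {
    const cached = [];
    for (const rr of [...response.answer, ...response.additional]) {
      if (this.strictBailiwick && !inBailiwick(rr.name, zone)) continue; // no authority over rr.name
      this.cache.set(this.key(rr.name, rr.type), { data: rr.data, expires: this.now() + rr.ttl * 1000 });
      cached.push(rr.name);
    }
    return cached;
  }

  // lookup serves an entry until its TTL runs out; a poisoned entry is served just as readily
  // as a genuine one for that whole period. Returns null on a miss or an expired entry.
  lookup(name, type) {
    const k = this.key(name, type);
    const e = this.cache.get(k);
    if (!e || this.now() >= e.expires) {
      this.cache.delete(k);
      return null;
    }
    return e.data;
  }
}

// Constructed copy of the reply on the slide: the ecrime name server answers for its own
// domain and slips in an extra record claiming to know the address of www.ebay.com.
// The TTLs (one hour, one week) are assumed for the example.
const poisonedReply = {
  question: 'loseweightfastnow.com A',
  answer: [{ name: 'loseweightfastnow.com', type: 'A', data: '192.168.1.1', ttl: 3600 }],
  additional: [{ name: 'www.ebay.com', type: 'A', data: '192.168.1.2', ttl: 7 * 24 * 3600 }],
};

for (const strictBailiwick of [false, true]) {
  const r = new Resolver({ strictBailiwick });
  r.ingest('loseweightfastnow.com', poisonedReply);
  console.log(`bailiwick check ${strictBailiwick}: www.ebay.com ->`, r.lookup('www.ebay.com', 'A'));
}
```

Without the check the forged www.ebay.com record is cached and served for its full TTL (a week, in this constructed reply); with it, only the record for the queried domain survives. The bailiwick check stops this particular trick, but it cannot tell a forged reply for the queried name itself from a genuine one, which is the gap the following slides address with DNSSEC.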

Page 7: Understanding the DNS & DNSSEC

DNS Security (DNSSEC)

+ Protects DNS data against forgery.

+ Uses public key cryptography to sign authoritative zone data.

+ Assures that the data origin is authentic (data origin authentication).

+ Assures that the data are what the authenticated originator published (data integrity).

+ The trust model also uses public key cryptography.

+ Parent zones sign the public keys of their child zones (the root signs the TLDs, the TLDs sign registered domains, and so on).

Page 8: Understanding the DNS & DNSSEC

Public Key Cryptography in DNSSEC

+ The authority signs its zone data with its private key.

+ Authorities must keep their private keys secret.

[Figure: DNS data + digital signatures = signed DNS data; the authoritative server signs with its private key and publishes the result]

Page 9: Understanding the DNS & DNSSEC

Public Key Cryptography in DNSSEC

+ The authority publishes its public key so that any recipient can verify the signatures and confirm that "the data are correct and came from the right place".

[Figure: the authoritative server publishes signed zone data; a validating recursive server validates it with the public key]

Page 10: Understanding the DNS & DNSSEC

ICANN's Role in DNSSEC Deployment

+ Manages the root key together with VeriSign and trusted international representatives of the Internet community.

+ Processes requests from the registries at the top of the DNS for changes to their public keys and other records.

+ Educates and assists the Internet community with DNSSEC.

+ Implements DNSSEC on its own domains.

Page 11: Understanding the DNS & DNSSEC

Obstacles to Broader DNSSEC Adoption

+ Limited browser and/or operating system support.

+ Limited DNSSEC support from domain name registration service providers (registrars, resellers).

+ Misconceptions regarding key management, performance, and software/hardware availability and reliability.

Page 12: Understanding the DNS & DNSSEC

DNSSEC Deployment

• Fast pace of deployment at the TLD level

• Deployed at the root

• Supported by software

• Growing support by ISPs

• Required by new gTLDs

→ Inevitable widespread deployment across core Internet infrastructure

Page 13: Understanding the DNS & DNSSEC

Thank You & Questions?

