A Security Evaluation of DNSSEC with NSEC Review

Size: px
Start display at page:

Download "A Security Evaluation of DNSSEC with NSEC Review"

Transcription

1 A Security Evaluation of DNSSEC with NSEC Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, Introduction to the topic and the reason for the topic being interesting This paper discusses the security related aspects of Domain Name System Security Extensions, or DNSSEC, which employs Next Secure 3 or NSEC3. Next Secure 3 is used for enlisiting a set of present resource records, resource records are set of values which are stored in DNS corresponding to a set of host names. Domain Name System Security Extensions is used ensure the authenticity of the records by appending digital signatures to the resource records. The topic is interesting considering the recent disclosure of Domain Name System cache poisoning attacks. 2 Questions that the paper asks and how are those questions interesting The paper explores the security related aspects of Domain Name System Security Extensions, DNSSEC with NSEC3. The question is interesting as a wrong entry into Domain Name System redirects the traffic to a malicious site, hence security issues related to Domain Name System s Security must be given prime importance. 3 How does it answer the questions In order to answer the question the author first enlists basic information related to Domain Name System, which is given below: 1. Domain Name System is used for mapping a host name to its corresponding IP address. 2. In a Domain Name System, domain name can be treated in-dices into a table which stores its corresponding records called Resource Records. 3. Resource Records includes a domain s IPv4 addresses, IPv6 address, Mail Servers (MX), Name Servers (NS). 4. Glue Records are the IP address and nameserver record of the Child which are stored which are stored in the parent. These records are helpful in delegation. 5. The procedure of resolving a host name to its corresponding IP address is given below: (a) The users host computer which represents the Stub Resolver queries the local recursive resolver for mapping a host name to an IP address. 1

2 (b) The local recursive resolver then queries the Root Zone asking it for the IP address of the host name. (c) Since the Root Zone does not contain the requisite information, it redirects the recursive resolver to the authoritative TLD zone. (d) Since the TLD zone also does not contain the requisite information, it redirects the recursive resolver to the authoritative DNS server of the requested host name. (e) Upon querying the authoritative DNS server, the recursive resolver obtains the IP address of the hostname, which it returns to the stub resolver. Along with this it caches the queried data. 6. The DNS recursive resolver accepts the most recently received reply to a due query, whose Transaction ID matches the Transaction ID of the query. Thus an attacker which an forge a reply matching the queries Transaction ID can introduce false records into the recursive resolver cache. Such an attack is known as cache poisoning attack. 7. Into order to carry out a cache poisoning attack, a man-in-the-middle attacker can eavesdrop on the recursive resolver s traffic and thus gets to know the Transaction ID of the query, which the attacker uses to create false reply attacks, which in turn introduce false records into the recursive resolver s cache. 8. Kaminsky s attack is another way in which the recursive resolver s cache can be poisoned. Kaminsky s cache poisoning attack is carried out according to the following steps: (a) The attacker sends requests to recursive resolver to map fake host names. (b) The recursive resolver now sends requests to the root zone, which redirects it to the TLD zone. (c) The TLD zone replies to the recursive resolver s query by giving returning to it the address and the nameserver glue records. (d) Before the TLD zone could send the reply packet, the attacker sends the fake packet containing the address and nameserver record of the zone. (e) Thus further queries are redirected by the recursive resolver towards the attackers zone. In order to mitigate this weakness of DNS, Kaminsky proposed to randomize the source port. However, the solution proposed by Kaminsky just decreases the probability of an attack, it does not prevent such an attack. Also Kaminsky s solution still does not protect from man-in-the-middle attacks. Domain Name System Security Extension Protocol consists of the following features: 1. Domain Name Security Extension ensures authenticity of the responses by adding adding cryptographic signatures to resource records. 2. RFC-4033 states that DNSSEC does not provide for security of packets exchanged between the stub resolver and the recursive resolver. 3. In order to support the Public Key Infrastructure provided by DNSSEC, the following resource records are added to DNSSEC: (a) DNSKEY: DNSKEY contains the public key which is used for verifying the cryptographic signature. (b) RRSIG: RRSIG contains the cryptographic signature. (c) DS or Delegation Signer: In delegation it contains the digest of the key of the delegation. 4. In cases where the child or the parent does not support DNSSEC, an insecure delegation is created. 5. In order to ensure integrity DNSSEC cryptographically signs the resource records and sends it along with the reply packets. 2

3 6. In order to attest the existence of valid domain names and invalid domain names. A list containing the set of existing records is created, this list is named Next Secure(NSEC). This list is included into resource records which are used for verification by the recursive resolver. Another method for authentication which has been proposed is Next Secure3 (NSEC3) in which hashed values of the valid domain names are stored in the Resource Records. 7. Domain Name System Security Extensions stores absolute time values in the Time To Live(TTL) field as relative Time To Live values are vulnerable to replay attacks. 8. The packet used by Domain Name System Security Extension is the same as that of Domain Name System, but with the addition of resource records needed for security. The DNS header also contains the following security related bits: (a) Authenticated Data(AD) is used by the sending DNS server to signify that it has verified the data. (b) Checking Disabled(CD) is used to verify that the queried DNS severs should not verify the data. 9. DNSSEC is immune to Kaminsky s cache poisoning attack, as before caching the glued records are verified by the attestation chain. In order to judge the security provided by DNSSEC, the authors build a non deterministic finite automaton called Murϕ. Murϕ works by checking the security invariants. The details about Murϕ are given below: 1. Murϕ s architecture includes: DNS root servers, which are the regarded as the trusted end point. It also includes TLD zone servers and servers which are responsible for a domain, both these are represented in the system by transition rules. It represents the attacker by the information that the attacker has gathered by eavesdropping and the transitions that are caused when it varies the system parameters. 2. When a zone receives an RR Query the following steps are performed by the recursive resolver: (a) If the response record pertaining to the query exists in the the zones server, then a signed response record is given by the server to the recursive resolver. (b) If the response record pertaining to the query does not exist in the zone server, then the following two cases may arise: i. The queried data does not exist at all. Then the covering query is returned corresponding to its status as mentioned below: A. opt-out option in Next Secure 3. B. There does not exist opt-out option in Next Secure 3. (c) The queried data exists but in the child zone. Corresponding to this there are two cases: i. If it followed a secure authentication chain, then secure delegation is returned. ii. If it follows an insecure authentication chain, then the following two cases may arise: A. Glue records containing IP address and nameserver in the next secure 3 chain are returned. B. Glue records containing IP address and nameserver which are not in the valid records of the next secure 3 chain are returned. 3. The recursive resolver s depiction in Murϕ is illustrated below: (a) The time to live field and the other data pertaining to the query expires as it should in the original model. (b) The recursive resolver s model as incorporated into Murϕ has decision making abilities, which help it in deciding the corresponding response for a query. The recursive resolver incorporated into Murϕ contains the following two caches: i. Attested Cache: Whose contents have been verified up to the root zone. 3

4 ii. Non-Attested Cache: Whose contents are not secure up to the root zone. 4. The attacker may resort to any of the following means: (a) The attacker may eavesdrop on the communication between the recursive resolver and the DNS server. (b) The attacker may copy any of the packets transferred between the recursive resolver and the DNS server. (c) The attacker may change any of the following parts of the transmitted packets: i. Header ii. The part containing the question. iii. The attacker may delete some parts of the resource record. iv. The attacker may add some fields into the resource records. v. The attacker change the address field, the authoritative server and the nameserver. 5. The following invariants are checked by Murϕ: (a) Verifies that the recursive resolver has not stored any false resource records. (b) Only the valid keys are cached. (c) Verifies the attestation chain of the resource record. 6. The parent record cached in the recursive resolver may expire before the child record, which it attests. Some of the security invariant breaches that may be caused are: 1. There are some glue records which are not cryptographically signed, this feature was incorporated into DNSSEC in order to make it backward compatible with other DNS systems which did not employ DNSSEC. The attacker can exploit this by changing the glue records. 2. Apart from glue records as discussed in step 1, there are are false resource records which can be sent by the attacker to the recursive resolver, since the recursive resolver can not now verify the records, hence this leads to cache poisoning. 3. A security invariant breach can occur, since an attacker can successfully change the contents of the Domain Name System Security Extension s response packet. 4. It may happen that a businessman has to change the location of his company and thus release give up its IP addresses. The attacker may some how take advantage of this and can acquire a set of IP addresses which were released. Now by default the attacker also becomes the owner of businessman s resource record s digital signatures, thus capable of sending fake records to the recursive resolver. The author s modified Murϕ to include all the above mentioned weaknesses and ran the modified protocol successfully. In order to mitigate the vulnerability in DNSSEC, the author suggests that the recursive resolver must only accept responses from DNSSEC and not from DNS. Also verification of all the resource records must be performed at the recursive resolver itself. In order to perform this, the recursive resolver must maintain an attested cache, which contains the information about the authority for the recursive records as well as the attestation chain. The authors depict the weaknesses of Domain Name System Security Extensions by carrying out an experiment. In the experiment the authors create a server bank.com which redirects the recursive resolver to The server also creates an opt-out Next Secure 3 option for the site attack1.bank.com and delegation to attack2.bank.com which is not secure. The authors were able to carry out the following attacks (Reference: A security evaluation of DNSSEC with Next Secure 3 by John Mitchell, et.al.): 4

5 1. In order for the attack to succeed the user either sends a request to recursive resolver for browsing the website or embeds and image in another site, which contains the hyper-link to the attackers site. The recursive resolver sends an honest query to the bank.com server. But before bank.com server sends a reply, the attacker sends its reply, with the transaction ID matching that of the query, but containing the IP address of the attacker. This attack is possible because of either the next secure 3 opt-out option or a not secure delegation to the attacker s site.this poisons the cache and the cache remains poisoned till the Time To Live period of the Resource Record expires. 2. The attacker carries off the users cookies by exploiting the browser s policy that cookies which are not secure may be transmitted to a sub-domain of the main domain. The following steps demonstrate the attack being carried out: (a) The user clicks on an image containing the hyperlink to the attacker s site. (b) The recursive resolver sends a query to the DNS zone server. (c) The attacker eavesdrops on the communication and hence gets to know the Transaction ID of the query. (d) Using the Transaction ID the attacker sends a false response to the recursive resolver containing a redirection to the attacker s server. (e) The recursive resolver queries the attacker s server for the IP address of the site, the attacking server responds with the attacker s site address. (f) Now the users browser sends the insecure cookies to the received IP address for starting the session. Thus the above steps illustrate how an attacker can successfully steal a user s cookies by exploiting the vulnerabilities of the browser as well as DNSSEC. 4 Methodology used to investigate the paper In order to investigate the paper the authors build a non deterministic finite automaton and carried out experiments to depict the vulnerabilities of DNSSEC. 5 What I learned from the paper I learned from the paper the vulnerabilities present in Domain Name System Security Extensions. 6 How the paper relates to previous work The paper relates to Daniel Bernstein s presentation at WOOT 09 in the following manner: 1. Daniel Brenstein s presentation just describes the weaknesses of DNSSEC, whereas the present paper along with discussing the weaknesses describes measures which when adopted will help in mitigating the weaknesses. 2. Brenstein suggests that a security breach can be caused by forging the glue records containing the IP address and the nameserver records, whereas this paper suggests that such a forging extra capabilities to the attacker. 7 Strengths of the paper I liked the fact that the authors implemented a factual attack in laboratory under the actual circumstances whereby the vulnerabilities present in DNSSEC are used to steal the actual browser cookies. 5

6 8 Weaknesses of the paper I found out the following weaknesses in the paper: 1. The author suggests that Next Secure 3 is used to provide security as the owner names are cryptographically hashed and not available in cleartext. However an attacker may still be able to find out the owners name as the mapping between the owner names and the cryptographic hash text is of a limited size and thus easily guessable. 2. I find that absolute time temporal specification for signatures has the limitation that absolute time requires proper synchronization of the clocks of the nameserver and the recursive resolver. 3. The author states that Resolvers must only securely answer the user s query when all of the information necessary to answer queried Resource Records with integrity guarantee is contained within the attested cache (Reference: A security evaluation of DNSSEC with NSEC3). I find the weakness that here the author wants a drastic change, i suggest that the author should also take into consideration the existent domain name systems which do not employ DNSSEC. 9 Results DNSSEC has loopholes and in order to mitigate these some of the below mentioned approaches have been suggested in the paper(reference: A security evaluation of DNSSEC with NSEC3): 1. In order to run a secure site Next Secure 3 records should not use the opt-out option. Also the people possessing the IP addresses should only give them up when their corresponding Resource Record signatures have expired. 2. In order to build a secure website no cookies should be sent over an insecure connection like http. 3. It is also required that the recursive resolver should correctly implement its security logic 4. The connection between recursive resolver and the end users stub resolver must be a secure one. 5. The browsers user interface must be designed in such a manner that it should give indications to the user about secure and not secure DNSSEC connection. 6

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014 Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client

More information

A Survey of BGP Security Review

A Survey of BGP Security Review A Survey of BGP Security Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, 2011 1 Introduction to the topic and the reason for the topic being interesting Border

More information

A Look Back at Security Problems in the TCP/IP Protocol Suite Review

A Look Back at Security Problems in the TCP/IP Protocol Suite Review A Look Back at Security Problems in the TCP/IP Protocol Suite Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 26, 2011 1 Introduction to the topic and the reason

More information

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION Peter R. Egli 1/10 Contents 1. Security Problems of DNS 2. Solutions for securing DNS 3. Security with DNSSEC

More information

Secure Frame Communication in Browsers Review

Secure Frame Communication in Browsers Review Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being

More information

Toward Unspoofable Network Identifiers. CS 585 Fall 2009

Toward Unspoofable Network Identifiers. CS 585 Fall 2009 Toward Unspoofable Network Identifiers CS 585 Fall 2009 The Problem DNS Spoofing Attacks (e.g., Kaminsky) At link (Ethernet) and IP layers, either: Software sets the source address in the packet, or Software

More information

Robust Defenses for Cross-Site Request Forgery Review

Robust Defenses for Cross-Site Request Forgery Review Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic

More information

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO DNS Workshop @CaribNOG12 Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and

More information

Expires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004

Expires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004 DNS Extensions Internet-Draft Expires: November 15, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004 Protocol Modifications for the DNS

More information

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS 12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS vulnerability DNS root servers DNSSEC chain of trust DNSSEC

More information

Network Working Group

Network Working Group Network Working Group R. Arends Request for Comments: 4035 Telematica Instituut Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658, R. Austein 3755, 3757, 3845 ISC Updates: 1034, 1035, 2136, 2181, 2308, 3225,

More information

Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003

Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003 DNS Extensions Internet-Draft Expires: June 16, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003 Protocol Modifications for the DNS

More information

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

An Overview of DNSSEC. Cesar Diaz! lacnic.net! An Overview of DNSSEC Cesar Diaz! cesar@ lacnic.net! 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that

More information

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference:  Lecture 7: DNS Security 3/28/2016 Networks and Communication Department NET 412 NETWORK SECURITY PROTOCOLS Lecture 7: DNS Security 2 Outline Part I: DNS Overview of DNS DNS Components DNS Transactions Attack on DNS Part II: DNS Security

More information

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

DNSSEC Trust tree:  (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d DNSSEC Trust tree: www.dnslab.org. (A) ---dnslab.org. (DNSKEY keytag: 7308 alg ---dnslab.org. (DNSKEY keytag: 9247 ---dnslab.org. (DS keytag: 9247 dig DNSSEC ---org. (DNSKEY keytag: 24209 a Domain Name

More information

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator

More information

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,

3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC, 3. The DNSSEC Primer Authentication (keys, signatures) Data Integrity (hashes) Chain of Trust (root zone, when signed) Authenticated Denial of Existence (NSEC, NSEC3) DNS Authoritative ROOT SERVERS TLD

More information

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail What is DNS? Systems to convert domain names into ip addresses: For an instance; www.tashicell.com 118.103.136.66 Reverse: 118.103.136.66 www.tashicell.com DNS Hierarchy Root Servers The top of the DNS

More information

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

DNS Mark Kosters Carlos Martínez ARIN - LACNIC DNS Workshop @CaribNOG8 Mark Kosters Carlos Martínez ARIN - LACNIC DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity

More information

Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.

Table of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured. Table of Contents DNS security basics The basics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.3, 2013/09/13 11:46:36) Tuesday, Sep 17, 2013 Why DNS needs to

More information

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017

CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017 CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017 Background Motivation Overview Network Infrastructure Security DNS and DNS Vulnerabilities The DNS Security Extensions

More information

DNSSEC All You Need To Know To Get Started

DNSSEC All You Need To Know To Get Started DNSSEC All You Need To Know To Get Started Olaf M. Kolkman RIPE NCC A Semi Technical Introduction Why do we need DNSSEC What does DNSSEC provide How does DNSSEC work Question: www.ripe.net A Reminder:

More information

I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?

I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist? RRSIG: I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist? NSEC: I certify that there are no DNS records (of type X) whose record

More information

DNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam

DNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam DNS security Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Tuesday, September 18, 2012 Karst Koymans & Niels Sijm (UvA) DNS security Tuesday, September 18, 2012 1 / 38 1 Chain

More information

Algorithm for DNSSEC Trusted Key Rollover

Algorithm for DNSSEC Trusted Key Rollover Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.

More information

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them

More information

Computer Security CS 426

Computer Security CS 426 Computer Security CS 426 Lecture 34 DNS Security 1 Domain Name System Translate host names to IP addresses E.g., www.google.com 74.125.91.103 Hostnames are human-friendly IP addresses keep changing And

More information

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers How do you attack the DNS? A typical DNS query

More information

DOMAIN NAME SECURITY EXTENSIONS

DOMAIN NAME SECURITY EXTENSIONS DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions

More information

CSC 574 Computer and Network Security. DNS Security

CSC 574 Computer and Network Security. DNS Security CSC 574 Computer and Network Security DNS Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) A primer on routing Routing Problem: How do Alice s messages

More information

Domain Name System Security

Domain Name System Security Domain Name System Security T-110.4100 Tietokoneverkot October 2008 Bengt Sahlin 2008/10/02 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security

More information

Table of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification

Table of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification Table of Contents DNS security Karst Koymans Informatics Institute University of Amsterdam (version 1.19, 2011/09/27 14:18:11) Friday, September 23, 2011 The long (and winding) road to the DNSSEC specification

More information

DNS Security. *http://compsec101.antibozo.net/pa pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi

DNS Security. *http://compsec101.antibozo.net/pa pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi DNS Security *http://compsec101.antibozo.net/pa pers/dnssec/dnssec.html 1 IT352 Network Security Najwa AlGhamdi Introduction The DNS provides a mechanism that resolves Internet host names into IP addresses

More information

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

This time. Digging into. Networking. Protocols. Naming DNS & DHCP This time Digging into Networking Protocols Naming DNS & DHCP Naming IP addresses allow global connectivity But they re pretty useless for humans! Can t be expected to pick their own IP address Can t be

More information

Assessing and Improving the Quality of DNSSEC

Assessing and Improving the Quality of DNSSEC Assessing and Improving the Quality of DNSSEC Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia

More information

A paper on DNSSEC - NSEC3 with Opt-Out

A paper on DNSSEC - NSEC3 with Opt-Out A paper on DNSSEC - NSEC3 with Opt-Out DNSSEC A Way Forward for TLD Registries Method for faster adoption of DNSSEC Providing greater security with minimal impact on customers, registries and Zone Management

More information

Remote DNS Cache Poisoning Attack Lab

Remote DNS Cache Poisoning Attack Lab CS482 Remote DNS Cache Poisoning Attack Lab 1 1 Lab Overview Remote DNS Cache Poisoning Attack Lab The objective of this lab is for students to gain the first-hand experience on the remote DNS cache poisoning

More information

Domain Name System Security

Domain Name System Security Slide title 70 pt APITALS Domain Name System Security e subtitle um 30 pt Bengt Sahlin Ericsson Research NomadicLab Bengt.Sahlin@ericsson.com Objectives Provide DNS basics, essential for understanding

More information

Introduction to the Domain Name System

Introduction to the Domain Name System The Domain Name System (DNS) handles the growing number of Internet users. DNS translates names, such as www.cisco.com, into IP addresses, such as 192.168.40.0 (or the more extended IPv6 addresses), so

More information

DNS SECurity Extensions technical overview

DNS SECurity Extensions technical overview The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research developed by EURid in cooperation with industry experts

More information

Web Security. Mahalingam Ramkumar

Web Security. Mahalingam Ramkumar Web Security Mahalingam Ramkumar Web Security Abusing cookies Phishing, Spreading misinformation You are not seeing what you think you are! HREFs, Ill-constructed strings in HREFs Dynamic HTML, Scripting

More information

SecSpider: Distributed DNSSEC Monitoring and Key Learning

SecSpider: Distributed DNSSEC Monitoring and Key Learning SecSpider: Distributed DNSSEC Monitoring and Key Learning Eric Osterweil UCLA Joint work with Dan Massey and Lixia Zhang Colorado State University & UCLA 1 Who is Deploying DNSSEC? Monitoring Started From

More information

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007 Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007 The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO

More information

Understanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017

Understanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017 Understanding and Deploying DNSSEC Champika Wijayatunga SANOG29 - Pakistan Jan 2017 Agenda 1 2 3 Background Why DNSSEC? How it Works? 4 5 Signatures and Key Rollovers DNSSEC Demo 2 3 Background DNS in

More information

Less is More Cipher-Suite Negotiation for DNSSEC

Less is More Cipher-Suite Negotiation for DNSSEC Less is More Cipher-Suite Negotiation for DNSSEC Amir Herzberg Bar-Ilan University Haya Shulman Technische Universität Darmstadt Bruno Crispo Trento University Domain Name System (DNS) Lookup services

More information

Network Working Group. Category: Informational November 2007

Network Working Group. Category: Informational November 2007 Network Working Group S. Weiler Request for Comments: 5074 SPARTA, Inc. Category: Informational November 2007 Status of This Memo DNSSEC Lookaside Validation (DLV) This memo provides information for the

More information

Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University

Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University Scott Rose, NIST scottr@nist.gov 2011 Winter JointTechs Meeting Jan 30, 2011 Clemson University Special Thanks to RIPE NCC who provided the base slides for this tutorial. DNS is not secure Known vulnerabilities

More information

Managing Caching DNS Server

Managing Caching DNS Server This chapter explains how to set the Caching DNS server parameters. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which explains the basics of DNS. Configuring

More information

RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal ---

RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal --- RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal --- Kazunori Fujiwara fujiwara@jprs.co.jp Japan Registry Services Co., Ltd (JPRS) DNS-OARC Workshop 2016/10/16 Last

More information

Afilias DNSSEC Practice Statement (DPS) Version

Afilias DNSSEC Practice Statement (DPS) Version Afilias DNSSEC Practice Statement (DPS) Version 1.07 2018-02-26 Page 1 of 8 1. INTRODUCTION 1.1. Overview This document was created using the template provided under the current practicing documentation.

More information

Advanced Caching DNS Server

Advanced Caching DNS Server This chapter explains how to set the Caching DNS parameters for the advanced features of the server. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which

More information

Seamless transition of domain name system (DNS) authoritative servers

Seamless transition of domain name system (DNS) authoritative servers Vol. 9(12), pp. 566-570, 30 June, 2014 DOI: 10.5897/SRE2013.5741 Article Number: 2B9B29C45695 ISSN 1992-2248 2014 Copyright 2014 Author(s) retain the copyright of this article http://www.academicjournals.org/sre

More information

GDS Resource Record: Generalization of the Delegation Signer Model

GDS Resource Record: Generalization of the Delegation Signer Model GDS Resource Record: Generalization of the Delegation Signer Model Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, France {gilles.guette, bernard.cousin, david.fort}@irisa.fr

More information

Ordinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver

Ordinary DNS:   A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver Ordinary DNS: www.google.com A? com. NS a.gtld-servers.net a.gtld-servers.net A 192.5.6.30 k.root-servers.net Ordinary DNS: www.google.com A? com. NS a.gtld-servers.net a.gtld-servers.net A 192.5.6.30

More information

DNS Security DNSSEC. *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi

DNS Security DNSSEC. *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi DNS Security DNSSEC *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html 1 IT352 Network Security Najwa AlGhamdi Introduction DNSSEC is a security extensions to the DNS protocol in response to the

More information

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A DNS Review Quiz Match the term to the description: C B A Level: Domain name DNS zone Delegation Descriptions: A. Transfer of authority for/to a subdomain B. A set of names under the same authority (ie.com

More information

DNSSEC Basics, Risks and Benefits

DNSSEC Basics, Risks and Benefits DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future DNS: Data Flow Registry/Registrar Provisioning

More information

DNSSEC Basics, Risks and Benefits

DNSSEC Basics, Risks and Benefits DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future DNS: Data Flow Registry/Registrar Provisioning

More information

OSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)

OSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) OSI Session / presentation / application Layer Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016) 1 Higher level protocols On top of IP, TCP, UDP, etc. there are a plethora

More information

Final exam in. Web Security EITF05. Department of Electrical and Information Technology Lund University

Final exam in. Web Security EITF05. Department of Electrical and Information Technology Lund University Final exam in Web Security EITF05 Department of Electrical and Information Technology Lund University October 22 nd, 2013, 8.00-13.00 You may answer in either Swedish or English. If any data is lacking,

More information

Network Working Group Request for Comments: 5155 Category: Standards Track Nominet D. Blacka VeriSign, Inc. March 2008

Network Working Group Request for Comments: 5155 Category: Standards Track Nominet D. Blacka VeriSign, Inc. March 2008 Network Working Group Request for Comments: 5155 Category: Standards Track B. Laurie G. Sisson R. Arends Nominet D. Blacka VeriSign, Inc. March 2008 DNS Security (DNSSEC) Hashed Authenticated Denial of

More information

Transaction oriented DNS flow analysis (WIP)

Transaction oriented DNS flow analysis (WIP) Transaction oriented DNS flow analysis (WIP) Shigeya Suzuki / Bill Manning WIDE Project USC/ISI & Keio University + Auto-ID Labs Japan CAIDA Workshop 2006 @ISI, March 17th 2006 Topics Current on-going

More information

Domain Name System Security

Domain Name System Security Domain Name System Security T-110.4100 Tietokoneverkot September 2010 Bengt Sahlin 2011/09/27 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security

More information

CS System Security Mid-Semester Review

CS System Security Mid-Semester Review CS 356 - System Security Mid-Semester Review Fall 2013 Mid-Term Exam Thursday, 9:30-10:45 you may bring one 8-1/2 x 11 sheet of paper with any notes you would like no cellphones, calculators This is to

More information

CIS 5373 Systems Security

CIS 5373 Systems Security CIS 5373 Systems Security Topic 4.1: Network Security Basics Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) 2 Network Security INTRODUCTION 3 What

More information

The Performance of ECC Algorithms in DNSSEC: A Model-based Approach

The Performance of ECC Algorithms in DNSSEC: A Model-based Approach Master Thesis The Performance of ECC Algorithms in DNSSEC: A Model-based Approach Faculty: Group: Electrical Engineering, Mathematics and Computer Science Design and Analysis of Communication Systems Author

More information

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka September 24, 2011. 1 Introduction to the topic

More information

Test cases for domain checks a step towards a best prac5ce. Mats Du(erg,.SE Sandoche Balakrichenan, AFNIC

Test cases for domain checks a step towards a best prac5ce. Mats Du(erg,.SE Sandoche Balakrichenan, AFNIC Test cases for domain checks a step towards a best prac5ce Mats Du(erg,.SE Sandoche Balakrichenan, AFNIC Zonemaster Upcoming tool for test of delegacon of a domain The development of Zonemaster has several

More information

The ISP Column A column on various things Internet. DNSSEC and DNS over TLS. August 2018 Geoff Huston

The ISP Column A column on various things Internet. DNSSEC and DNS over TLS. August 2018 Geoff Huston The ISP Column A column on various things Internet August 2018 Geoff Huston DNSSEC and DNS over TLS The APNIC Blog has recently published a very interesting article by Willem Toorop of NLnet Labs on the

More information

Domain Name System (DNS)

Domain Name System (DNS) Domain Name System (DNS) Computer Networks Lecture 9 http://goo.gl/pze5o8 Domain Name System Naming service used in the Internet Accomplishes mapping of logical ("domain") names to IP addresses (and other

More information

Updates: 2535 November 2003 Category: Standards Track

Updates: 2535 November 2003 Category: Standards Track Network Working Group B. Wellington Request for Comments: 3655 O. Gudmundsson Updates: 2535 November 2003 Category: Standards Track Status of this Memo Redefinition of DNS Authenticated Data (AD) bit This

More information

Documentation. Name Server Predelegation Check

Documentation. Name Server Predelegation Check Name Server Predelegation Check Doc. version: 1.4.1 Doc. status: Final Doc. date: 01.12.2015 Doc. name: Name Server Predelegation Check- -DNS Services-V1.4.1-2015-12-01 Copyright 2015 DENIC eg Imprint

More information

Uniform Resource Locators (URL)

Uniform Resource Locators (URL) The World Wide Web Web Web site consists of simply of pages of text and images A web pages are render by a web browser Retrieving a webpage online: Client open a web browser on the local machine The web

More information

Remote DNS Cache Poisoning Attack Lab

Remote DNS Cache Poisoning Attack Lab SEED Labs Remote DNS Cache Poisoning Attack Lab 1 Remote DNS Cache Poisoning Attack Lab Copyright 2006-2016 Wenliang Du, Syracuse University. The development of this document was partially funded by the

More information

Measuring the effects of DNSSEC deployment on query load

Measuring the effects of DNSSEC deployment on query load Measuring the effects of DNSSEC deployment on query load Jelte Jansen NLnet Labs NLnet Labs document 26-2 May 1, 26 Abstract Ripe NCC recently started signing the zones on their DNS servers. This document

More information

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017 Internet Engineering Task Force (IETF) Request for Comments: 8109 BCP: 209 Category: Best Current Practice ISSN: 2070-1721 P. Koch DENIC eg M. Larson P. Hoffman ICANN March 2017 Initializing a DNS Resolver

More information

DNSSEC deployment. Phil Regnauld Hervey Allen

DNSSEC deployment. Phil Regnauld Hervey Allen DNSSEC deployment Phil Regnauld Hervey Allen Overview We will talk about: the problems that DNSSEC addresses the protocol and implementations the practical problems tied to real-world deployment We will

More information

The State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang

The State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang 1 Monitoring Shows What s Working and What needs Work DNS operations must already deal with widespread

More information

DNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet

DNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet DNSSEC operational experiences and recommendations Antti Ristimäki, CSC/Funet Agenda Funet DNSSEC status A short DNSSEC tutorial Zone signing considerations Private key security Network layer impacts Monitoring

More information

Securing Domain Name Resolution with DNSSEC

Securing Domain Name Resolution with DNSSEC White Paper Securing Domain Name Resolution with DNSSEC diamondip.com by Timothy Rooney Product management director BT Diamond IP Resolution with DNSSEC Introduction By Tim Rooney, Director, Product Management

More information

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016

DNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016 DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS

More information

Robust Defenses for Cross-Site Request Forgery

Robust Defenses for Cross-Site Request Forgery University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,

More information

Protecting Privacy: The Evolution of DNS Security

Protecting Privacy: The Evolution of DNS Security Protecting Privacy: The Evolution of DNS Security Burt Kaliski Senior Vice President and CTO, Verisign NSF Technology Transfer to Practice in Cyber Security Workshop November 4, 2015 Agenda DNS Overview

More information

CNT Computer and Network Security: DNS Security

CNT Computer and Network Security: DNS Security CNT 5410 - Computer and Network Security: DNS Security Professor Patrick Traynor Fall 2017 Reminders Related Work is due on Wednesday I look forward to reading these! Remember, quality matters in everything

More information

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting

DNSSEC in Switzerland 2 nd DENIC Testbed Meeting DNSSEC in Switzerland 2 nd DENIC Testbed Meeting Frankfurt, 26. January 2010 Samuel Benz samuel.benz@switch.ch About SWITCH The SWITCH foundation operates the national research network since 1987 SWITCH

More information

Development of DNS security, attacks and countermeasures

Development of DNS security, attacks and countermeasures Development of DNS security, attacks and countermeasures Karl Andersson Linköpings Tekniska Högskola karan496-at-student.liu.se David Montag Linköpings Tekniska Högskola davmo024-at-student.liu.se Abstract

More information

DNS and cctld Management. Save Vocea and Champika Wijayatunga Apia Samoa July 2015

DNS and cctld Management. Save Vocea and Champika Wijayatunga Apia Samoa July 2015 DNS and cctld Management Save Vocea and Champika Wijayatunga Apia Samoa 14-15 July 2015 Agenda 1 2 3 Intro to ICANN DNS Concepts Root Server Operation 4 5 6 Managing Zones cctld Management Security, Stability

More information

OFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES. Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner

OFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES. Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner OFF-PATH ATTACKS AGAINST PUBLIC KEY INFRASTRUCTURES Markus Brandt, Tianxiang Dai, Elias Heftrig, Amit Klein, Haya Shulman, Michael Waidner 1 AGENDA Objectives Attacking Impact Mitigation Summary 2 AGENDA

More information

Fragmentation Considered Poisonous

Fragmentation Considered Poisonous Fragmentation Considered Poisonous Amir Herzberg and Haya Shulman Dept. of Computer Science, Bar Ilan University amir.herzberg@gmail.com, haya.shulman@gmail.com arxiv:1205.4011v1 [cs.cr] 17 May 2012 Abstract

More information

The ISP Column A column on things Internet. Three DNS articles: 3. Helping Resolvers to help the DNS. RFC8192 Aggressive NSEC Caching

The ISP Column A column on things Internet. Three DNS articles: 3. Helping Resolvers to help the DNS. RFC8192 Aggressive NSEC Caching The ISP Column A column on things Internet Geoff Huston November 2017 Three DNS articles: 3. Helping Resolvers to help the DNS In this final article of a trio that looks at today s hot topics in the DNS,

More information

IP Addressing: DNS Configuration Guide

IP Addressing: DNS Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

DNS and HTTP. A High-Level Overview of how the Internet works

DNS and HTTP. A High-Level Overview of how the Internet works DNS and HTTP A High-Level Overview of how the Internet works Adam Portier Fall 2017 How do I Google? Smaller problems you need to solve 1. Where is Google? 2. How do I access the Google webpage? 3. How

More information

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium BIND-USERS and Other Debugging Experiences Mark Andrews Internet Systems Consortium Mark_Andrews@isc.org http://isc.org BIND-USERS and Other Debugging Experiences We will look at some typical debugging

More information

DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr

DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr 1 A protocol from better times An ancient protocol People were friendly and

More information

DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber

DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber (ralf.weber@nominum.com) Who is Nominum? Mission Product Leadership Industry Expertise Deliver the Trusted Internet Experience Strategic Partners:

More information

More on DNS and DNSSEC

More on DNS and DNSSEC More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada Popa March 6, 2018 A subset of the slides adapted from David Wagner Domain names Domain names are human friendly names to identify servers

More information

DNS Cache Poisoning Looking at CERT VU#800113

DNS Cache Poisoning Looking at CERT VU#800113 DNS Cache Poisoning Looking at CERT VU#800113 Nadhem J. AlFardan Consulting Systems Engineer Cisco Systems ANOTHER BORING DNS ISSUE Agenda DNS Poisoning - Introduction Looking at DNS Insufficient Socket

More information

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015 Network Security DNS (In)security Radboud University, The Netherlands Autumn 2015 A short recap Routing means directing (Internet) traffic to its target Internet is divided into 52, 000 Autonomous Systems

More information

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist Re-engineering the DNS One Resolver at a Time Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist 1 In this presentation I ll talk about the DNS, and the root server infrastructure

More information

Network Security Part 3 Domain Name System

Network Security Part 3 Domain Name System Network Security Part 3 Domain Name System Domain Name System The$domain$name$system$(DNS)$is$an$applica6on7layer$ protocol$$for$mapping$domain$names$to$ip$addresses$ DNS www.example.com 208.77.188.166

More information