Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail
|
|
- Ambrose Hardy
- 6 years ago
- Views:
Transcription
1 What is DNS? Systems to convert domain names into ip addresses: For an instance; Reverse:
2 DNS Hierarchy
3 Root Servers The top of the DNS hierarchy There are 13 root name servers operated around the world, with names from [a-m].root-servers.net There are more than 13 physical root name servers Each rootserver has an instance deployed via anycast Root hints file come in many names (db.cache, named.root, named.cache, named.ca) Get it from ftp.rs.internic.net See root-servers.org for more detail
4 DNS QUERY-How Does It Work? Image:(nsrc)
5 Background The original DNS protocol wasn t designed with security in mind It has very few built-in security mechanism DNSSEC and TSIG were developed to help address this problem
6 Name Servers Name servers answer DNS questions Several types of name servers Authoritative servers master (primary) slave (secondary) Caching or recursive server also caching forwarders
7 Authoritative Nameserver A nameserver that is authorised to provide an answer for a particular domain. Can be more than one auth nameserver primary Two types based on management method: secondary Primary (Master) and Secondary (Slave) Only one primary nameserver All changes to the zone are done in the primary secondary Secondary nameserver/s will retrieve a copy of the zonefile from the primary server Slaves poll the master periodically Primary server can notify the slaves
8 Caching Vs Authoritative Server DNS servers can be put in two categories: caching and authoritative Caching nameservers act as query forwarders on behalf of clients, and cache answers for later. Can be the same software (often is), but mixing functionality (recursive/caching and authoritative) is discouraged (security risks + confusing) The TTL of the answer is used to determine how long it may be cached without requerying.
9 ZONE File Sample $TTL ; 24 hours could have been written as 24h or 1d $ORIGIN 1D IN SOA ns1.example.com. hostmaster.example.com. ( ; serial 3H ; refresh 15 ; retry 1w ; expire 3h ; minimum ) IN NS ns1.example.com. IN MX 10 mail.another.com. ns1 IN A ;name server definition www IN A ;web server definition fred IN A
10 Reverse Zone File Sample $TTL ; 24 hours, could have been written as 24h or 1d $ORIGIN 1D IN SOA ns1.example.com. hostmaster.example.com. ( ; serial 3H ; refresh 15 ; retry 1w ; expire 3h ; minimum ) IN NS ns1.example.com. 1 IN PTR ns1.example.com. 2 IN PTR 4 IN PTR fred.example.com.
11 Record Types Basic record types: A, AAAA: IPv4, IPv6 address NS: NameServer MX: Mail exchanger CNAME: Canonical name (alias) PTR: Reverse
12 DNS RISKS Misdirection of queries for an entire domain(cache Poisoning) Response to non-existent domains MX hijacking Make a large domain (SLD or TLD) domain disappear from an ISP's cache DoS Identity theft using SSL stripping attacks (banks, egovernance) Many more
13 DNS Cache Poisoning 1 I want to access Client DNS Caching Server QID=64569 QID=64570 QID=64571 QID=64571 match! (pretending to be the authoritative zone) Root/GTLD QID= Webserver ( ) ns.example.com
14 DNS DOS Attack Reflected DNS amplification Using open recursive DNS servers and spoofed source IP (target) Seeks to exhaust target network s resources (bandwidth) with responses from multiple DNS servers DNS query floods flood of legitimate-seeming queries sent to target DNS server for a domain Uses botnet that automatically sends a significant number of queries Difficult to differentiate between a standard and malicious query
15 DNS Amplification A type of reflection attack combined with amplification Source of attack is reflected off another machine Traffic received is bigger (amplified) than the traffic sent by the attacker UDP packet s source address is spoofed (Spamhaus Attack)
16
17 Open Resolvers DNS servers that answer recursive queries from any host on the Internet Check if you re running open resolvers More statistics at reports/latest.html
18 Good DNS Practices Enter the correct address of the responsible person for each zone you add to or manage on a DNS server. Do not combine authoritative and recursive nameserver functions -- have each function performed by separate server sets. Run multiple, distributed authoritative servers, avoiding single points of failure in critical resource paths. A variety of strategies are available (including anycast and load-balancing) to ensure robust geographic and network diversity in your deployment.
19 Securing NameServers Run the most recent version of the DNS software Apply the latest patch Hide version Restrict queries Allow-query { acl_match_list; }; Prevent unauthorized zone transfers Allow-transfer { acl_match_list; }; Run BIND with the least privilege (use chroot) Use TSIG and DNSSEC
20 DNS: Data Flow Zone administrator Zone file 1 master 4 Caching forwarder Dynamic updates slaves resolver
21 DNS Vulnerabilities Corrupting data Zone administrator Zone file 1 Impersonating master master 4 Caching forwarder Cache impersonation Dynamic updates 2 Unauthorized updates slaves 3 Cache pollution by Data spoofing 5 resolver Server protection Data protection
22 TSIG Protected Vulnerabilities Zone administrator Impersonating master Zone file master Caching forwarder Dynamic updates slaves resolver Unauthorized updates
23 What is TSIG - Transaction Signature? A mechanism for protecting a message from a primary to secondary and vice versa A keyed-hash is applied (like a digital signature) so recipient can verify message DNS question or answer and the timestamp Based on a shared secret - both sender and receiver are configured with it
24 Transaction Signatures (TSIG) TSIG is most-commonly used to authenticate slave servers to master servers during zone transfers Protects against impersonating master and unauthorized updates Master and slave servers: share a common secret key & agree on key name Synchronized clocks (NTP) The shared information (key) is used to authenticate a client to a server Remember to change the key periodically
25 What is TSIG - Transaction Signature? TSIG (RFC 2845) authorizing dynamic updates & zone transfers authentication of caching forwarders Used in server configuration, not in zone file
26 TSIG steps Generate secret dnssec-keygen -a <algorithm> -b <bits> -n host <name of the key> Communicate secret scp <keyfile> Configure servers key { algorithm...; secret...;} server x { key...; } Test <zone> AXFR -k <TSIG keyfile>
27 DNS Security Extensions (DNSSEC) Protects the integrity of data in the DNS by establishing a chain of trust Uses public key cryptography each link in the chain has a public/private key pair A form of digitally signing the data to attest its validity Standard is defined in RFC4033, RFC4034, and RFC4035 Guarantees Authenticity Integrity Non-existence of a domain
28
29 DNSSEC Concepts Changes DNS trust model from one of open and trusting to one of verifiable Use of public key cryptography to provide: Authentication of origin Data integrity Authenticated denial of existence No attempt to provide confidentiality (NO encryption) DNSSEC does not normally place computational load on the authoritative servers (!= those signing the zone) No modifications to the core protocol.
30 DNSSEC Concepts Build a chain of trust using the existing delegation-based model of distribution that is the DNS.
31 DNSSEC Concepts Don't sign the entire zone, sign a RRset Note: the parent DOES NOT sign the child zone. The parent signs a pointer (hash) to the key used to sign the data of child zone (DS record). Always on the master server. Check if slaves are receiving the signed zones.
32 DNSSEc: new RRs RRSIG = Signature over RRset made using private key DNSKEY = Public key, needed for verifying a RRSIG DS = Delegation Signer; Pointer for building chains of authentication NSEC = Next Secure; indicates which name is the next one in the zone and which typecodes are available for the current name authenticated non-existence of data DS record provides a mechanism to delegate trust to public keys of third parties
33 Types of Keys Zone Signing Key (ZSK) Sign the RRsets within the zone Public key of ZSK is defined by a DNSKEY RR Key Signing Key (KSK) Signed the keys which includes ZSK and KSK and may also be used outside the zone
34 Signing the zone (using the BIND tools) 1. Generate keypairs 2. Include public DNSKEYs in zone file 3. Sign the zone using the secret key ZSK 4. Publishing the zone 5. Push DS record up to your parent(how?) (Note:signing always done in Master and validation in resolver)
35 Creation of Keys Trusted anchor in a security aware server Part of the chain of trust by a parent name server Use of a single key or both keys is an operational choice (RFC allows both methods) Create ksk(key signing key) and zsk(zone signing key), be it manual or automated signing.
36 Key Generation # Generate ZSK dnssec-keygen [-a rsasha1 -b 1024] -n ZONE myzone # Generate KSK dnssec-keygen [-a rsasha1 -b 2048] -n ZONE -f KSK myzone Signing Of Zone:dnssec-signzone myzone
37 KEY MANAGEMENT Need to implement secure key storage, management procedures Need to sign your zones Registries need to accept DS records from users (how?) Need to publish DS records to parents (how?) Manual Signing: Key RollOvers Key Never expire. Need to resign Automated Signing: Opendnssec or inline signing.
38 Inline Signing Dnssec Signing made easy.(automatic signing and key rollovers) Requires Bind Version 9.9 and above. Enabled by the "inline-signing yes;" statement in named.conf Create zsk and ksk but sign using inline and resign using (auto-dnssec maintain). Check if it s signing. Check logs. $ mytld NS +dnssec(to check if dnssec is working, for manual also) $ sudo named-checkzone -D -f raw -o - mytld mytld.signed less how do we update the zone and resign it? Problem:Doesn t generate keys in some distro,use haveged.
DNS Mark Kosters Carlos Martínez ARIN - LACNIC
DNS Workshop @CaribNOG8 Mark Kosters Carlos Martínez ARIN - LACNIC DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity
More informationDNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator
More informationDNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d
DNSSEC Trust tree: www.dnslab.org. (A) ---dnslab.org. (DNSKEY keytag: 7308 alg ---dnslab.org. (DNSKEY keytag: 9247 ---dnslab.org. (DS keytag: 9247 dig DNSSEC ---org. (DNSKEY keytag: 24209 a Domain Name
More informationDNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION
DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION Peter R. Egli 1/10 Contents 1. Security Problems of DNS 2. Solutions for securing DNS 3. Security with DNSSEC
More informationHoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client
More informationDNSSEC All You Need To Know To Get Started
DNSSEC All You Need To Know To Get Started Olaf M. Kolkman RIPE NCC A Semi Technical Introduction Why do we need DNSSEC What does DNSSEC provide How does DNSSEC work Question: www.ripe.net A Reminder:
More informationBy Paul Wouters
By Paul Wouters Overview presentation Theory of DNSSEC Using bind with DNSSEC Securing Ò.nlÓ with SECREG Securing Ò.orgÓ with VerisignLabs Deploying DNSSEC on large scale Audience participation
More informationDNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO
DNS Workshop @CaribNOG12 Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and
More informationScott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University
Scott Rose, NIST scottr@nist.gov 2011 Winter JointTechs Meeting Jan 30, 2011 Clemson University Special Thanks to RIPE NCC who provided the base slides for this tutorial. DNS is not secure Known vulnerabilities
More informationAn Overview of DNSSEC. Cesar Diaz! lacnic.net!
An Overview of DNSSEC Cesar Diaz! cesar@ lacnic.net! 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that
More informationLab 6 Implementing DNSSEC
Lab 6 Implementing DNSSEC Objective: Deploy DNSSEC-signed zones. Background DNSSEC (or DNS Security Extensions) provide security to the zone files. Note: In the steps below, we are using myzone.net - our
More informationManaging Authoritative DNS Server
This chapter explains how to set the Authoritative DNS server parameters. Before you proceed with the tasks in this chapter, read Managing Zones which explains how to set up the basic properties of a primary
More informationOutline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016
Networks and Communication Department NET 412 NETWORK SECURITY PROTOCOLS Lecture 7: DNS Security 2 Outline Part I: DNS Overview of DNS DNS Components DNS Transactions Attack on DNS Part II: DNS Security
More informationSession J9: DNSSEC and DNS Security
Session J9 and Security InfoSec World 2008 Session J9: and Security Steve Pinkham, Maven Security Consulting What is? slide 2 Easy answer: Stands for Domain Name System System for converting names to/from
More informationDomain Name System Security
Slide title 70 pt APITALS Domain Name System Security e subtitle um 30 pt Bengt Sahlin Ericsson Research NomadicLab Bengt.Sahlin@ericsson.com Objectives Provide DNS basics, essential for understanding
More informationDNSSEC deployment. Phil Regnauld Hervey Allen
DNSSEC deployment Phil Regnauld Hervey Allen Overview We will talk about: the problems that DNSSEC addresses the protocol and implementations the practical problems tied to real-world deployment We will
More informationDNS Security. APNIC42 Colombo Sri Lanka 01 October 2016 Champika Wijayatunga
DNS Security APNIC42 Colombo Sri Lanka 01 October 2016 Champika Wijayatunga 2 Brief Overview of DNS What is the Domain Name System? A distributed database primarily used to obtain
More informationDNS / DNSSEC Workshop. bdnog November 2017, Dhaka, Bangladesh
DNS / DNSSEC Workshop bdnog7 19-22 November 2017, Dhaka, Bangladesh Issue Date: 03 November 2015 Revision: 2.0-draft4 Overview DNS Overview BIND DNS Configuration Recursive and Forward DNS Reverse DNS
More informationDNS. Introduction To. everything you never wanted to know about IP directory services
Introduction To DNS everything you never wanted to know about IP directory services Linux Users Victoria, April 3 rd 2007 what is the domain name system anyway? it's like a phone book...kinda DNS is (1)
More informationDomain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot September 2010 Bengt Sahlin 2011/09/27 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
More informationDomain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot October 2008 Bengt Sahlin 2008/10/02 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
More informationDNS Fundamentals. Steve Conte ICANN60 October 2017
DNS Fundamentals Steve Conte ICANN60 October 2017 Names and Numbers IP addresses easy for machines but hard for people IPv4: 192.0.2.7 IPv6: 2001:db8::7 People need to use names In the early days of the
More informationDNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr
DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr 1 A protocol from better times An ancient protocol People were friendly and
More informationDNS SECurity Extensions technical overview
The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research developed by EURid in cooperation with industry experts
More informationUnderstanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017
Understanding and Deploying DNSSEC Champika Wijayatunga SANOG29 - Pakistan Jan 2017 Agenda 1 2 3 Background Why DNSSEC? How it Works? 4 5 Signatures and Key Rollovers DNSSEC Demo 2 3 Background DNS in
More informationDNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet
DNSSEC operational experiences and recommendations Antti Ristimäki, CSC/Funet Agenda Funet DNSSEC status A short DNSSEC tutorial Zone signing considerations Private key security Network layer impacts Monitoring
More informationDNSSEC Tutorial. Auckland, New Zealand 06 August As part of: Issue Date: Revision:
DNSSEC Tutorial Auckland, New Zealand 06 August 2018 As part of: Issue Date: Revision: Outline DNS Operations DNS Security Concepts DNSSec Primer Implementing DNSSec DNS Operations 3 Domain Name System
More informationToward Unspoofable Network Identifiers. CS 585 Fall 2009
Toward Unspoofable Network Identifiers CS 585 Fall 2009 The Problem DNS Spoofing Attacks (e.g., Kaminsky) At link (Ethernet) and IP layers, either: Software sets the source address in the packet, or Software
More informationOverview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly
Last Lecture Overview Scheduled tasks and log management This Lecture DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly Next Lecture Address assignment (DHCP) TELE 301 Lecture 11: DNS 1 TELE
More informationThe State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang
The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang 1 Monitoring Shows What s Working and What needs Work DNS operations must already deal with widespread
More information3. The DNSSEC Primer. Data Integrity (hashes) Authenticated Denial of Existence (NSEC,
3. The DNSSEC Primer Authentication (keys, signatures) Data Integrity (hashes) Chain of Trust (root zone, when signed) Authenticated Denial of Existence (NSEC, NSEC3) DNS Authoritative ROOT SERVERS TLD
More informationSome Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution
SYSADMIN DNSSEC Sergey Ilin, Fotolia Trusted name resolution with DNSSEC CHAIN OF TRUST Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution service.
More informationNetwork Working Group
Network Working Group R. Arends Request for Comments: 4035 Telematica Instituut Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658, R. Austein 3755, 3757, 3845 ISC Updates: 1034, 1035, 2136, 2181, 2308, 3225,
More informationTable of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.
Table of Contents DNS security basics The basics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.3, 2013/09/13 11:46:36) Tuesday, Sep 17, 2013 Why DNS needs to
More informationAPNIC DNS/DNSSEC Workshop
APNIC DNS/DNSSEC Workshop Contact: training@apnic.net WDNS02_v1.0 DNS A lookup mechanism for translating objects into other objects A globally distributed, loosely coherent, scalable, reliable, dynamic
More informationEbook: DNS FUNDAMENTALS. From a Technical Dow Street, Manchester, NH USA
8 Ebook: DNS FUNDAMENTALS From a Technical Perspective 603 668 4998USA 150 Dow Street, Manchester, NH 03101 150 Dow Street, Manchester, NH 03101 USA DNS Fundamentals From a Technical Perspective Introduction:
More informationSome DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007
Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007 The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO
More informationDomain Name System - Advanced Computer Networks
- Advanced Computer Networks Saurabh Barjatiya International Institute Of Information Technology, Hyderabad 26 August, 2011 Contents 1 Distributed database, highly volatile Domain names Top level domains
More informationDENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber
DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber (ralf.weber@nominum.com) Who is Nominum? Mission Product Leadership Industry Expertise Deliver the Trusted Internet Experience Strategic Partners:
More informationHands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016
Hands-on DNSSEC with DNSViz Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016 Preparation Demo and exercises available at: http://dnsviz.net/demo/ Includes links to the following: VirtualBox
More informationDNS Security. *http://compsec101.antibozo.net/pa pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi
DNS Security *http://compsec101.antibozo.net/pa pers/dnssec/dnssec.html 1 IT352 Network Security Najwa AlGhamdi Introduction The DNS provides a mechanism that resolves Internet host names into IP addresses
More information12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS
12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS vulnerability DNS root servers DNSSEC chain of trust DNSSEC
More informationAssessing and Improving the Quality of DNSSEC
Assessing and Improving the Quality of DNSSEC Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia
More informationMigrating an OpenDNSSEC signer (February 2016)
Migrating an OpenDNSSEC signer (February 2016) Contributors David Njuki Amreesh Phokeer Logan Velvindron Alain Aina Email david.njuki@afrinic.net amreesh@afrinic.net logan@afrinic.net aalain@trstech.net
More informationBIG-IP DNS Services: Implementations. Version 12.1
BIG-IP DNS Services: Implementations Version 12.1 Table of Contents Table of Contents Configuring DNS Express...9 What is DNS Express?...9 About configuring DNS Express...9 Configuring DNS Express to
More informationExpires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004
DNS Extensions Internet-Draft Expires: November 15, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004 Protocol Modifications for the DNS
More informationDNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam
DNS security Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Tuesday, September 18, 2012 Karst Koymans & Niels Sijm (UvA) DNS security Tuesday, September 18, 2012 1 / 38 1 Chain
More informationAPNIC elearning: DNS Concepts
APNIC elearning: DNS Concepts 27 MAY 2015 11:00 AM AEST Brisbane (UTC+10) Issue Date: Revision: Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6
More informationCIRA DNSSEC PRACTICE STATEMENT
CIRA DNSSEC PRACTICE STATEMENT 1. Introduction This DNSSEC Practice Statement ( DPS ) is a statement of security practices and provisions made by the Canadian Internet Registration Authority (CIRA). These
More informationDNS. A Massively Distributed Database. Justin Scott December 12, 2018
DNS A Massively Distributed Database Justin Scott December 12, 2018 What is DNS? Translates Hostnames to IP Addresses What is DNS? Example: www.serverlogic.com 23.185.0.4 What is DNS? Example: www.serverlogic.com
More informationGoal of this session
DNS refresher Overview Goal of this session What is DNS? How is DNS built and how does it work? How does a query work? Record types Caching and Authoritative Delegation: domains vs zones Finding the error:
More informationRSA and ECDSA. Geoff Huston APNIC. #apricot2017
RSA and ECDSA Geoff Huston APNIC It s all about Cryptography Why use Cryptography? Public key cryptography can be used in a number of ways: protecting a session from third party eavesdroppers Encryption
More informationA Security Evaluation of DNSSEC with NSEC Review
A Security Evaluation of DNSSEC with NSEC Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationBIG-IP DNS Services: Implementations. Version 12.0
BIG-IP DNS Services: Implementations Version 12.0 Table of Contents Table of Contents Configuring DNS Express...11 What is DNS Express?...11 About configuring DNS Express...11 Configuring DNS Express
More informationSecuring Domain Name Resolution with DNSSEC
White Paper Securing Domain Name Resolution with DNSSEC diamondip.com by Timothy Rooney Product management director BT Diamond IP Resolution with DNSSEC Introduction By Tim Rooney, Director, Product Management
More informationDNS / DNSSEC Workshop
DNS / DNSSEC Workshop Hong Kong 22-24 January 2018 Issue Date: Revision: Overview DNS Overview BIND DNS Configuration Recursive and Forward DNS Reverse DNS Troubleshooting DNS Security Overview DNS Transactions
More informationDNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 Agenda 1 2 3 Introduction to DNS DNS Features
More informationDomain Name System (DNS)
Domain Name System (DNS) Computer Networks Lecture 9 http://goo.gl/pze5o8 Domain Name System Naming service used in the Internet Accomplishes mapping of logical ("domain") names to IP addresses (and other
More informationAuthoritative-only server & TSIG
Authoritative-only server & TSIG cctld workshop Apia, Samoa,20 23 June 2006 Andy Linton (Materials by Alain Aina) Different type of servers Several types of name servers Authoritative servers master (primary)
More informationDNSSEC at ORNL. Paige Stafford Joint Techs Conference, Fairbanks July 2011
DNSSEC at ORNL Paige Stafford Joint Techs Conference, Fairbanks July 2011 Outline Background Brief review of DNSSEC ORNL before DNSSEC was implemented Implementation experience Signer appliance Validation
More informationDocumentation. Name Server Predelegation Check
Name Server Predelegation Check Doc. version: 1.4.1 Doc. status: Final Doc. date: 01.12.2015 Doc. name: Name Server Predelegation Check- -DNS Services-V1.4.1-2015-12-01 Copyright 2015 DENIC eg Imprint
More informationDNSSEC HOWTO. A Tutorial in Disguise. Olaf Kolkman, RIPE NCC Published September, $Revision: $
DNSSEC HOWTO A Tutorial in Disguise. Olaf Kolkman, RIPE NCC Published September, 2004 $Revision: 1.4.4.8 $ For review only, do not redistribute. DNSSEC HOWTO A Tutorial in Disguise. This
More informationDEPLOY A DNS SERVER IN A SECURE WAY
DEPLOY A DNS SERVER IN A SECURE WAY BIND (Berkeley Internet Name Domain) is one of the more widely used DNS servers. This article guides readers on how to deploy a BIND DNS server in a secure way by implementing
More informationSecured Dynamic Updates
Secured Dynamic Updates Caution Portions of this slide set present features that do not appear in BIND until BIND 9.3 Snapshot code is available for this BIND 9.2 can perform most of the dynamic update
More informationHarness Your Internet Activity
Harness Your Internet Activity Enabling Efficiency and Service Differentiation Ralf Weber October 13, 2014 Authoritative DNS Proven High-performance Tested with up to 1 Billion resource records per server
More informationRe-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist
Re-engineering the DNS One Resolver at a Time Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist 1 In this presentation I ll talk about the DNS, and the root server infrastructure
More informationTable of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification
Table of Contents DNS security Karst Koymans Informatics Institute University of Amsterdam (version 1.19, 2011/09/27 14:18:11) Friday, September 23, 2011 The long (and winding) road to the DNSSEC specification
More informationConfiguration of Authoritative Nameservice
Configuration of Authoritative Nameservice AfCHIX 2011 Blantyre, Malawi (based on slides from Brian Candler for NSRC) Recap DNS is a distributed database Resolver asks Cache for information Cache traverses
More informationTWNIC DNS 網路安全研討會安全問題之解決對策 (DNSSEC) Why do we need DNSSEC? Many application depend on DNS DNS is not secure. There are known vulnerabilities
TWNIC DNS 網路安全研討會安全問題之解決對策 (DNSSEC) TWCERT/CC 陳宗裕 Why do we need DNSSEC? Many application depend on DNS DNS is not secure There are known vulnerabilities DNSSEC protect against data spoofing and corruptions
More informationExpires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003
DNS Extensions Internet-Draft Expires: June 16, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003 Protocol Modifications for the DNS
More informationAfilias DNSSEC Practice Statement (DPS) Version
Afilias DNSSEC Practice Statement (DPS) Version 1.07 2018-02-26 Page 1 of 8 1. INTRODUCTION 1.1. Overview This document was created using the template provided under the current practicing documentation.
More informationSOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION
SOFTWARE USER MANUAL (SUM): TRAINING, PROCEDURAL, AND DEVELOPMENT DOCUMENTATION Step-by-Step DNS Security Operator Guidance Document (Version 1.0) [Using the BIND-9.3.0 (or later) distribution] 1 December
More informationExperience from a Swedish Agency and a Nordic operator
Experience from a Swedish Agency and a Nordic operator fredrik@xpd.se Overview Skatteverket (Swedish Tax Agency) End user perspective TDC Registrar perspective Skatteverket Why DNSSEC? How to deploy? What
More informationAlgorithm for DNSSEC Trusted Key Rollover
Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.
More informationNetwork Security Part 3 Domain Name System
Network Security Part 3 Domain Name System Domain Name System The$domain$name$system$(DNS)$is$an$applica6on7layer$ protocol$$for$mapping$domain$names$to$ip$addresses$ DNS www.example.com 208.77.188.166
More informationSecure Domain Name System (DNS) Deployment Guide
Special Publication 800-81r1 Sponsored by the Department of Homeland Security Secure Domain Name System (DNS) Deployment Guide Recommendations of the National Institute of Standards and Technology Ramaswamy
More informationConexim DNS Administrator s Guide. Conexim DNS Administrator s Guide
Conexim DNS Administrator s Guide Last Updated February 2016 1 Contents Conexim DNS Quick Reference... 3 DNS Delegation Information... 3 Control Panel Access... 3 Supported Record Types... 3 Getting Support...
More informationTHE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY
Ebook: THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY From A Record & DNS to Zones 603 668 4998 Your Master List of Key DNS Terms As more users and more online services (sites, microservices, connected things,
More informationDNSSEC for Humans and BIND 10. Paul Vixie Internet Systems Consortium June 9, 2011
DNSSEC for Humans and BIND 10 Paul Vixie Internet Systems Consortium June 9, 2011 Agenda BIND and DNSSEC Why do I want DNSSEC? Why DNSSEC for Humans? BIND 9.7 Features More DNSSEC for Humans Why BIND 10?
More informationRHCE BOOT CAMP BIND. Wednesday, November 28, 12
RHCE BOOT CAMP BIND CONFIG FILES BIND basically has two types of configuration files: BIND configuration file, specific to BIND and it s features Database files, or zone files, which contain DNS resource
More informationSeamless transition of domain name system (DNS) authoritative servers
Vol. 9(12), pp. 566-570, 30 June, 2014 DOI: 10.5897/SRE2013.5741 Article Number: 2B9B29C45695 ISSN 1992-2248 2014 Copyright 2014 Author(s) retain the copyright of this article http://www.academicjournals.org/sre
More informationCSC 574 Computer and Network Security. DNS Security
CSC 574 Computer and Network Security DNS Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) A primer on routing Routing Problem: How do Alice s messages
More informationManaging Zones. Staged and Synchronous Modes CHAPTER. See Also
CHAPTER 15 Managing Zones The Domain Name System (DNS) is a distributed database for objects in a computer network. By using a nameserver approach, the network consists of a hierarchy of autonomous domains
More informationF5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution
F5 Technical Brief F5 and Infoblox DNS Integrated Architecture: Offering a Complete Scalable, Secure DNS Solution As market leaders in the application delivery market and DNS, DHCP, and IP Address Management
More informationDNS / DNSSEC Workshop. bdnog May 2017, Bogra, Bangladesh
DNS / DNSSEC Workshop bdnog6 19-23 May 2017, Bogra, Bangladesh Issue Date: 03 November 2015 Revision: 2.0-draft4 Overview DNS Overview BIND DNS Configuration Recursive and Forward DNS Reverse DNS 2 Overview
More informationARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN
ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them
More informationKeeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson
Keeping DNS parents and children in sync at Internet Speed! Ólafur Guðmundsson olafur@cloudflare.com How long does it take to? Post a new selfie on Facebook and all your friends to be notified few seconds
More informationUSING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION
USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION 11-30-2016 USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION Transaction Signatures (TSIG) provide a secure
More informationRunning the Setup Web UI
The Cisco Prime IP Express setup interview in the web UI takes you through a series of consecutive pages to set up a basic configuration. For an introduction and details on the basic navigation for the
More informationIntroduction to the Domain Name System
The Domain Name System (DNS) handles the growing number of Internet users. DNS translates names, such as www.cisco.com, into IP addresses, such as 192.168.40.0 (or the more extended IPv6 addresses), so
More informationDevelopment of DNS security, attacks and countermeasures
Development of DNS security, attacks and countermeasures Karl Andersson Linköpings Tekniska Högskola karan496-at-student.liu.se David Montag Linköpings Tekniska Högskola davmo024-at-student.liu.se Abstract
More informationRemote DNS Cache Poisoning Attack Lab
SEED Labs Remote DNS Cache Poisoning Attack Lab 1 Remote DNS Cache Poisoning Attack Lab Copyright 2006-2016 Wenliang Du, Syracuse University. The development of this document was partially funded by the
More informationRemote DNS Cache Poisoning Attack Lab
CS482 Remote DNS Cache Poisoning Attack Lab 1 1 Lab Overview Remote DNS Cache Poisoning Attack Lab The objective of this lab is for students to gain the first-hand experience on the remote DNS cache poisoning
More informationDOMAIN NAME SECURITY EXTENSIONS
DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions
More informationLocal DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1
SEED Labs Local DNS Attack Lab 1 Local DNS Attack Lab Copyright c 2006-2015 Wenliang Du, Syracuse University. The development of this document is partially funded by the National Science Foundation s Course,
More informationThe Performance of ECC Algorithms in DNSSEC: A Model-based Approach
Master Thesis The Performance of ECC Algorithms in DNSSEC: A Model-based Approach Faculty: Group: Electrical Engineering, Mathematics and Computer Science Design and Analysis of Communication Systems Author
More informationIntroduction to Network. Topics
Introduction to Network Security Chapter 7 Transport Layer Protocols 1 TCP Layer Topics Responsible for reliable end-to-end transfer of application data. TCP vulnerabilities UDP UDP vulnerabilities DNS
More informationNetworking Applications
Networking Dr. Ayman A. Abdel-Hamid College of Computing and Information Technology Arab Academy for Science & Technology and Maritime Transport 1 Outline Introduction Name Space concepts Domain Name Space
More informationManaging Caching DNS Server
This chapter explains how to set the Caching DNS server parameters. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which explains the basics of DNS. Configuring
More informationLocal DNS Attack Lab. 1 Lab Overview. 2 Lab Tasks (Part I): Setting Up a Local DNS Server. SEED Labs Local DNS Attack Lab 1
SEED Labs Local DNS Attack Lab 1 Local DNS Attack Lab Copyright 2018 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation under Award
More information