DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO
|
|
- Jean Johnston
- 6 years ago
- Views:
Transcription
1 DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO
2 DNS Refresher and Intro to DNS Security Extension (DNSSEC)
3 Outline Introduction DNSSEC mechanisms to establish authenticity and integrity of data Quick overview New RRs Using public key cryptography to sign a single zone Delegating signing authority ; building chains of trust Key exchange and rollovers Conclusions
4 DNS Resolving Question: A A? root-servers Resolver A? Add to cache Caching forwarder (recursive) A? go ask net X.gtld-servers.net (+ glue) gtld-servers go ask ns1.arin.net (+ glue) 6 A? 10 TTL arin-server
5 DNS: Data Flow Zone administrator Zone file 1 master 4 Caching forwarder Dynamic updates slaves resolver
6 DNS Vulnerabilities Corrupting data Zone administrator 1 4 Zone file master Impersonating master Caching forwarder Cache impersonation Dynamic updates slaves Unauthorized updates Cache pollution by Data spoofing resolver Server protection Data protection
7 DNS Protocol Vulnerability DNS data can be spoofed and corrupted on its way between server and resolver or forwarder The DNS protocol does not allow you to check the validity of DNS data Exploited by bugs in resolver implementation (predictable transaction ID) Corrupted DNS data might end up in caches and stay there for a long time (TTL) How does a slave (secondary) knows it is talking to the proper master (primary)?
8 Motivation for DNSSEC DNSSEC protects against data spoofing and corruption DNSSEC (TSIG) provides mechanisms to authenticate servers DNSSEC (KEY/SIG/NXT) provides mechanisms to establish authenticity and integrity of data A secure DNS will be used as a public key infrastructure (PKI)
9 Now for the Meat l We will be talking now how to solve cache pollution l It is quite complicated
10 l We will talk about: Overview è The problems that DNSSEC addresses èthe protocol and implementations èthings to take into account to deploy DNSSEC èthe practical problems tied to real-world deployment
11 Contents l Scope of the problem ldns reminders lbasics of DNSSEC ldeployment & operations lissues (what isn't solved) & other aspects lstatus of DNSSEC today
12 So what are the issues? What's the problem? DNS Cache Poisoning Forgery: respond before the intended nameserver Redirection of a domain's nameserver Redirection of NS records to another target domain DNS Hijacking Response to non-existent domains Rogue DNS servers These have been spotted in the wild code IS available...
13 What's the problem? What risks? l l See Dan Kaminsky's slides for the extent of the risks - MANY case scenarios è MX hijacking èentire domain redirection ètake a large.com offline ècomplete spoofing of a bank's DNS info èmore fun stuff A great illustrated guide
14 Refresher
15 DNS reminders l ISC BIND zone file format is commonly used, and we will use this notation here. zone. SOA nsx.zone. hostmaster.zone. ( ; serial 1d ; refresh 12h ; retry 1w ; expire 1h ) ; neg. TTL zone. zone. NS NS MX A ns.zone. ns.otherzone. 5 server.otherzone
16 DNS reminders l Record structure: NAME [TTL] TYPE DATA (type specific) host.zone A sub.zone MX 5 server.otherzone.
17 DNS reminders l Multiple resource records with same name and type are grouped into Resource Record Sets (RRsets): mail.zone. mail.zone. MX MX 5 server1.zone. 10 server2.zone. RRset server1.zone. server1.zone. server1.zone. A A A RRset server1.zone. server1.zone. AAAA 2001:123:456::1 AAAA 2001:123:456::2 RRset server2.zone. A RRset
18 DNS points of attack
19 DNS Data Flow Points of attack MASTER zone file (text, DB) DATA STUB resolver caching resolver (recursive) Zone Transfer dynamic updates SLAVES ATTACK VECTORS man in the middle cache poisoning modified data spoofing master (routing/dos) spoofed updates corrupted data
20 DNSSEC concepts
21 DNSSEC quick summary l Data authenticity and integrity by signing the Resource Records Sets with a private key lpublic DNSKEYs published, used to verify the RRSIGs lchildren sign their zones with their private key Authenticity of that key established by signature/checksum by the parent of the (DS) delegation signer record l Repeat for parent... lnot that difficult on paper Operationally, it is a bit more complicated
22 DNS SECurity extensions DNSSEC overview l Concepts lnew Resource Records (DNSKEY, RRSIG, NSEC/NSEC3 and DS) lnew packet options (CD, AD, DO) lsetting up a Secure Zone ldelegating Signing Authority lkey Rollovers
23 DNSSEC concepts l Changes DNS trust model from one of open and trusting to one of verifiable lextensive use of public key cryptography to provide: Authentication of origin Data integrity Authenticated denial of existence l No attempt to provide confidentiality ldnssec does not place computational load on the authoritative servers (!= those signing the zone) lno modifications to the core protocol Can coexist with today's infrastructure è kind of (EDNS0)
24 DNSSEC concepts l Build a chain of trust using the existing delegationbased model of distribution that is the DNS ldon't sign the entire zone, sign a RRset. ORG NSRC l Note: the parent DOES NOT sign the child zone. The parent signs a pointer (hash) to the key used to sign the data of child zone (important!) WS
25 New Resource Records
26 Implementing the Trust Chain New resource records RRSIG: resource record signatures DNSKEY: DNS public key DS: delegation signature NSEC: denial of existence
27 New Resource Record: RRSIG Example: ~ carlosm$ dig +dnssec ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1 ;; ANSWER SECTION: 60 IN A IN RRSIG A nic.se. HeeUZ5h5iExK5uU1SuNRIf2Dbmh2/ awv8fkjmzixuztavrhv39pfmfng DHdHoZxoz85hqqYiWb +t9ezh5+iqxqk8axrdic9nn6wxifoowes+iukq rvyqxf1ntkzvu1a325vwa8obtbevgvkhqg6bdijkyehixjlq4crofcew Izk= ;; AUTHORITY SECTION: nic.se IN NS ns3.nic.se. nic.se. nic.se IN 2974 IN NS NS ns2.nic.se. ns.nic.se. nic.se IN RRSIG NS nic.se. GSzAUC3SC3D0G/ iescopnvux8wkqx1dgbw491ratxz53b7sy0pquyt1w eb063z62rtx7etynncjwpklytg9fembdced9af3kztjhxq6b+tpmmxyk FoKAVaV0cHTcGUXSObFquGr5/03G79C/YHJmXw0bHun5ER5yrOtOLegU IAU= 27
28 New Resource Record: DNSKEY Example: aruba:~ carlos$ DNSKEY lacnic.net. ;; Truncated, retrying in TCP mode. ;; QUESTION SECTION: ;lacnic.net. IN DNSKEY ;; ANSWER SECTION: lacnic.net IN DNSKEY AwEAAb6YDZrhzHo3gu48uNvxFpvQ/I0TvaqGlYFE9VkplBkexiXwMHfm BVZF4SU7zSBcdX23jnotHmJd6Jicbhpk0ZVXS5szwbuC2TXaifx6bTOj fd0z8/zsk62tpvgdroqvgotunkmb1ozamx2vm4q58ofxqkkzm21sceur 6KhZo+pDkUWlDgI/gPLj1MFiorN9EWjUWbfHnnwVAldD6ftZ6KmhWlxm 7ynJ4Q3Glu5BX8ySh6l5JdFNyoVltfPXrwXJ4nqEaAEmPo8Vic++V3l5 2aQIgUnLmZ6mdfOxCT/YGcMIqUaiXRA0CpOMUr+K7GIvJIVyacOzIfe0 FKV/MreaVOk= 28
29 Trust Chains How do clients verify a zone's RRSets? It queries for the corresponding DNSKEY The necessary computations are carried out and then compared with the signature in the RRSIG If they match the signatures are valid But, how can we trust the DNSKEY? It listed on the same zone we want to verify! We need to validate the trust chain 29
30 Trust Chains (ii) DS Record Delegation Signature DS records "sign" the keys in their child zones In this way one can also verify the DNSKEY as it is signed when the parent zone is signed DS records contain a hash of the public key That is a hash of the DNSKEY's record content 30
31 New Resource Record: DS Example: ; <<>> DiG P1 DS lacnic.net. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 68 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;lacnic.net. IN DS ;; ANSWER SECTION: lacnic.net IN DS B BD70481CACDDB1D21E5B0DBC
32 Denial of Existence What happens when you ask DNS about something that does not exist? NXDOMAIN! However, in an NXDOMAIN response the ANSWER section is empty, there is nothing to sign Remember: negative answer are also cached, so they can be a DoS vector
33 Negative Responses Sample NXDOMAIN response: ; <<>> DiG P1 A holy-molly.lacnic.net. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6541 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;holy-molly.lacnic.net. IN A ;; AUTHORITY SECTION: lacnic.net IN SOA NS.lacnic.net. Hostmaster.lacnic.net
34 Signed Negative Responses Sample signed NXDOMAIN response: aruba:~ carlos$ dig A holy-molly.lacnic.net. ; <<>> DiG P1 <<>> A holy-molly.lacnic.net. ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 512 ;; QUESTION SECTION: ;holy-molly.lacnic.net. IN A ;; AUTHORITY SECTION: lacnic.net IN SOA NS.lacnic.net. Hostmaster.lacnic.net lacnic.net IN RRSIG SOA lacnic.net. EMkejVSEa3CvVzA2e3ap1n7QlgVUEPonIeBH4vcWjk..(snip) lacnic.net IN NSEC 18.lacnic.net. A NS SOA MX AAAA RRSIG NSEC DNSKEY TYPE65534 lacnic.net IN RRSIG NSEC lacnic.net. JivHI2aMXlX1l9cL5L+33LH/HlJb8JPvasGi85..(snip) ftp.lacnic.net IN NSEC d.in-addr-servers.lacnic.net. CNAME RRSIG NSEC ftp.lacnic.net IN RRSIG NSEC lacnic.net. XeUME57RIh5g4HyPZUG+RPUNBZVc+wxXq6Thtj8Q5nkkN 34
35 Using DNSSEC
36 Response Validation Signing zones is just half of the picture For DNSSEC to be actually useful, responses need to be validated This is the job of the recursive DNS servers Validation is usually just a configuration switch Need to make sure the root zone key is installed
37 Security Status of Data (RFC ) l Secure Resolver is able to build a chain of signed DNSKEY and DS RRs from a trusted security anchor to the RRset l Insecure Resolver knows that it has no chain of signed DNSKEY and DS RRs from any trusted starting point to the RRset l Bogus Resolver believes that it ought to be able to establish a chain of trust but for which it is unable to do so May indicate an attack but may also indicate a configuration error or some form of data corruption l Indeterminate Resolver is not able to determine whether the RRset should be signed
38 DNSSEC: new fields l Updates DNS protocol at the packet level lnon-compliant DNS recursive servers should ignore these: CD: Checking Disabled (ask recursing server to not perform validation, even if DNSSEC signatures are available and verifiable, i.e.: a Secure Entry Point can be found) AD: Authenticated Data, set on the answer by the validating server if the answer could be validated, and the client requested validation l A new EDNS0 option DO: DNSSEC OK (EDNS0 OPT header) to indicate client support for DNSSEC options
39 Thank You
DNS Mark Kosters Carlos Martínez ARIN - LACNIC
DNS Workshop @CaribNOG8 Mark Kosters Carlos Martínez ARIN - LACNIC DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity
More informationAn Overview of DNSSEC. Cesar Diaz! lacnic.net!
An Overview of DNSSEC Cesar Diaz! cesar@ lacnic.net! 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that
More informationDNSSEC deployment. Phil Regnauld Hervey Allen
DNSSEC deployment Phil Regnauld Hervey Allen Overview We will talk about: the problems that DNSSEC addresses the protocol and implementations the practical problems tied to real-world deployment We will
More informationDNSSEC All You Need To Know To Get Started
DNSSEC All You Need To Know To Get Started Olaf M. Kolkman RIPE NCC A Semi Technical Introduction Why do we need DNSSEC What does DNSSEC provide How does DNSSEC work Question: www.ripe.net A Reminder:
More informationRoot Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail
What is DNS? Systems to convert domain names into ip addresses: For an instance; www.tashicell.com 118.103.136.66 Reverse: 118.103.136.66 www.tashicell.com DNS Hierarchy Root Servers The top of the DNS
More informationHoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client
More informationDNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator
More informationScott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University
Scott Rose, NIST scottr@nist.gov 2011 Winter JointTechs Meeting Jan 30, 2011 Clemson University Special Thanks to RIPE NCC who provided the base slides for this tutorial. DNS is not secure Known vulnerabilities
More informationImplementing DNSSEC with DynDNS and GoDaddy
Implementing DNSSEC with DynDNS and GoDaddy Lawrence E. Hughes Sixscape Communications 27 December 2017 DNSSEC is an IETF standard for adding security to the DNS system, by digitally signing every resource
More informationARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN
ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them
More informationDNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION
DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION Peter R. Egli 1/10 Contents 1. Security Problems of DNS 2. Solutions for securing DNS 3. Security with DNSSEC
More informationDNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d
DNSSEC Trust tree: www.dnslab.org. (A) ---dnslab.org. (DNSKEY keytag: 7308 alg ---dnslab.org. (DNSKEY keytag: 9247 ---dnslab.org. (DS keytag: 9247 dig DNSSEC ---org. (DNSKEY keytag: 24209 a Domain Name
More informationToward Unspoofable Network Identifiers. CS 585 Fall 2009
Toward Unspoofable Network Identifiers CS 585 Fall 2009 The Problem DNS Spoofing Attacks (e.g., Kaminsky) At link (Ethernet) and IP layers, either: Software sets the source address in the packet, or Software
More informationNetwork Working Group
Network Working Group R. Arends Request for Comments: 4035 Telematica Instituut Obsoletes: 2535, 3008, 3090, 3445, 3655, 3658, R. Austein 3755, 3757, 3845 ISC Updates: 1034, 1035, 2136, 2181, 2308, 3225,
More informationBIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium
BIND-USERS and Other Debugging Experiences Mark Andrews Internet Systems Consortium Mark_Andrews@isc.org http://isc.org BIND-USERS and Other Debugging Experiences We will look at some typical debugging
More informationA Security Evaluation of DNSSEC with NSEC Review
A Security Evaluation of DNSSEC with NSEC Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationExpires: November 15, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004
DNS Extensions Internet-Draft Expires: November 15, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST May 17, 2004 Protocol Modifications for the DNS
More informationUnderstanding and Deploying DNSSEC. Champika Wijayatunga SANOG29 - Pakistan Jan 2017
Understanding and Deploying DNSSEC Champika Wijayatunga SANOG29 - Pakistan Jan 2017 Agenda 1 2 3 Background Why DNSSEC? How it Works? 4 5 Signatures and Key Rollovers DNSSEC Demo 2 3 Background DNS in
More informationDNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr
DNSSEC Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec 1.6.5.3.7.5.1.4.6.3.9.4.e164.arpa. naptr 1 A protocol from better times An ancient protocol People were friendly and
More informationDNS security. Karst Koymans & Niels Sijm. Tuesday, September 18, Informatics Institute University of Amsterdam
DNS security Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Tuesday, September 18, 2012 Karst Koymans & Niels Sijm (UvA) DNS security Tuesday, September 18, 2012 1 / 38 1 Chain
More informationTable of Contents. DNS security. Alternative DNS security mechanism. DNSSEC specification. The long (and winding) road to the DNSSEC specification
Table of Contents DNS security Karst Koymans Informatics Institute University of Amsterdam (version 1.19, 2011/09/27 14:18:11) Friday, September 23, 2011 The long (and winding) road to the DNSSEC specification
More informationSome DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007
Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007 The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO
More informationAuthoritative-only server & TSIG
Authoritative-only server & TSIG cctld workshop Apia, Samoa,20 23 June 2006 Andy Linton (Materials by Alain Aina) Different type of servers Several types of name servers Authoritative servers master (primary)
More informationCSC 574 Computer and Network Security. DNS Security
CSC 574 Computer and Network Security DNS Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) A primer on routing Routing Problem: How do Alice s messages
More informationAssessing and Improving the Quality of DNSSEC
Assessing and Improving the Quality of DNSSEC Deployment Casey Deccio, Ph.D. Sandia National Laboratories AIMS-4 CAIDA, SDSC, San Diego, CA Feb 9, 2012 Sandia is a multiprogram laboratory operated by Sandia
More informationDomain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot September 2010 Bengt Sahlin 2011/09/27 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
More informationDomain Name System Security
Slide title 70 pt APITALS Domain Name System Security e subtitle um 30 pt Bengt Sahlin Ericsson Research NomadicLab Bengt.Sahlin@ericsson.com Objectives Provide DNS basics, essential for understanding
More informationExpires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003
DNS Extensions Internet-Draft Expires: June 16, 2004 R. Arends Telematica Instituut M. Larson VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003 Protocol Modifications for the DNS
More information12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS
12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS vulnerability DNS root servers DNSSEC chain of trust DNSSEC
More informationDNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet
DNSSEC operational experiences and recommendations Antti Ristimäki, CSC/Funet Agenda Funet DNSSEC status A short DNSSEC tutorial Zone signing considerations Private key security Network layer impacts Monitoring
More informationThis time. Digging into. Networking. Protocols. Naming DNS & DHCP
This time Digging into Networking Protocols Naming DNS & DHCP Naming IP addresses allow global connectivity But they re pretty useless for humans! Can t be expected to pick their own IP address Can t be
More informationThe State and Challenges of the DNSSEC Deployment. Eric Osterweil Michael Ryan Dan Massey Lixia Zhang
The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang 1 Monitoring Shows What s Working and What needs Work DNS operations must already deal with widespread
More informationRSA and ECDSA. Geoff Huston APNIC. #apricot2017
RSA and ECDSA Geoff Huston APNIC It s all about Cryptography Why use Cryptography? Public key cryptography can be used in a number of ways: protecting a session from third party eavesdroppers Encryption
More informationDNSSEC in Switzerland 2 nd DENIC Testbed Meeting
DNSSEC in Switzerland 2 nd DENIC Testbed Meeting Frankfurt, 26. January 2010 Samuel Benz samuel.benz@switch.ch About SWITCH The SWITCH foundation operates the national research network since 1987 SWITCH
More informationDNS SECurity Extensions technical overview
The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research developed by EURid in cooperation with industry experts
More informationDNSSEC Basics, Risks and Benefits
DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future DNS: Data Flow Registry/Registrar Provisioning
More informationDomain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi
Domain Name System (DNS) Session-1: Fundamentals Joe Abley AfNOG Workshop, AIS 2017, Nairobi Computers use IP addresses. Why do we need names? Names are easier for people to remember Computers may be moved
More informationCS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017
CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017 Background Motivation Overview Network Infrastructure Security DNS and DNS Vulnerabilities The DNS Security Extensions
More informationIs your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018
lieter_ PowerDNS pieterlexis PowerDNS Is your DNS server up-to-date? Pieter Lexis Senior PowerDNS Engineer April 22 nd 2018 1 What s all this about? A DNS recap What is EDNS? Issues with EDNS on the internet
More informationTable of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.
Table of Contents DNS security basics The basics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.3, 2013/09/13 11:46:36) Tuesday, Sep 17, 2013 Why DNS needs to
More informationInternet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017
Internet Engineering Task Force (IETF) Request for Comments: 8109 BCP: 209 Category: Best Current Practice ISSN: 2070-1721 P. Koch DENIC eg M. Larson P. Hoffman ICANN March 2017 Initializing a DNS Resolver
More informationDNSSECbis Lookaside Validation. Peter Losher Internet Systems Consortium (November 2006)
DNSSECbis Lookaside Validation Peter Losher Internet Systems Consortium (November 2006) Topics Introduction DNS Delegation and Resolution DNSSECbis Data and Traversal DLV Overview
More informationDomain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot October 2008 Bengt Sahlin 2008/10/02 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
More informationDNSSEC Basics, Risks and Benefits
DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future DNS: Data Flow Registry/Registrar Provisioning
More informationSecuring Domain Name Resolution with DNSSEC
White Paper Securing Domain Name Resolution with DNSSEC diamondip.com by Timothy Rooney Product management director BT Diamond IP Resolution with DNSSEC Introduction By Tim Rooney, Director, Product Management
More informationGoal of this session
DNS refresher Overview Goal of this session What is DNS? How is DNS built and how does it work? How does a query work? Record types Caching and Authoritative Delegation: domains vs zones Finding the error:
More informationOutline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016
Networks and Communication Department NET 412 NETWORK SECURITY PROTOCOLS Lecture 7: DNS Security 2 Outline Part I: DNS Overview of DNS DNS Components DNS Transactions Attack on DNS Part II: DNS Security
More informationDNSSEC at ORNL. Paige Stafford Joint Techs Conference, Fairbanks July 2011
DNSSEC at ORNL Paige Stafford Joint Techs Conference, Fairbanks July 2011 Outline Background Brief review of DNSSEC ORNL before DNSSEC was implemented Implementation experience Signer appliance Validation
More informationpage 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, October 2016
page 1 Plain Old DNS WACREN, DNS/DNSSEC Regional Workshop Ouagadougou, 10-14 October 2016 page 2 IP: Identifiers on the Internet The fundamental identifier on the internet is an IP address. Each host connected
More informationBy Paul Wouters
By Paul Wouters Overview presentation Theory of DNSSEC Using bind with DNSSEC Securing Ò.nlÓ with SECREG Securing Ò.orgÓ with VerisignLabs Deploying DNSSEC on large scale Audience participation
More informationDNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A
DNS Review Quiz Match the term to the description: C B A Level: Domain name DNS zone Delegation Descriptions: A. Transfer of authority for/to a subdomain B. A set of names under the same authority (ie.com
More informationOverview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly
Last Lecture Overview Scheduled tasks and log management This Lecture DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly Next Lecture Address assignment (DHCP) TELE 301 Lecture 11: DNS 1 TELE
More informationDNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46
DNS dr. C. P. J. Koymans Informatics Institute University of Amsterdam September 16, 2008 dr. C. P. J. Koymans (UvA) DNS September 16, 2008 1 / 46 DNS and BIND DNS (Domain Name System) concepts theory
More informationTable of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS.
Table of Contents Specification and implementation DNS dr. C. P. J. Koymans Informatics Institute University of Amsterdam September 14, 2009 A short history of DNS Root servers Basic concepts Delegation
More informationTWNIC DNS 網路安全研討會安全問題之解決對策 (DNSSEC) Why do we need DNSSEC? Many application depend on DNS DNS is not secure. There are known vulnerabilities
TWNIC DNS 網路安全研討會安全問題之解決對策 (DNSSEC) TWCERT/CC 陳宗裕 Why do we need DNSSEC? Many application depend on DNS DNS is not secure There are known vulnerabilities DNSSEC protect against data spoofing and corruptions
More informationInternet Engineering. DNS Message Format. Contents. Robert Elz.
Internet Engineering 241-461 Robert Elz kre@munnari.oz.au kre@coe.psu.ac.th http://fivedots.coe.psu.ac.th/~kre Contents The Domain Name System The DNS Database DNS Protocols DNS Message Formats ueries
More informationTroubleshooting DNSSEC Visually
Troubleshooting DNSSEC Visually Sandia National Laboratories is a multi-program laboratory operated by Sandia Corporation, a wholly owned subsidiary of Lockheed Martin company, for the U.S. Department
More informationDNS. Introduction To. everything you never wanted to know about IP directory services
Introduction To DNS everything you never wanted to know about IP directory services Linux Users Victoria, April 3 rd 2007 what is the domain name system anyway? it's like a phone book...kinda DNS is (1)
More information2017 DNSSEC KSK Rollover. DSSEC KSK Rollover
2017 DNSSEC KSK Rollover 2017 Edward Lewis DSSEC KSK Rollover APNIC 44 Edward.Lewis@icann.org FIRST TC September 11, 2017 13 September 2017 DNSSEC Signing vs. Validation DNS Security Extensions Digital
More informationDNS. Karst Koymans & Niels Sijm. Friday, September 14, Informatics Institute University of Amsterdam
DNS Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Friday, September 14, 2012 Karst Koymans & Niels Sijm (UvA) DNS Friday, September 14, 2012 1 / 32 1 DNS on the wire 2 Zone transfers
More informationSession J9: DNSSEC and DNS Security
Session J9 and Security InfoSec World 2008 Session J9: and Security Steve Pinkham, Maven Security Consulting What is? slide 2 Easy answer: Stands for Domain Name System System for converting names to/from
More informationLab 6 Implementing DNSSEC
Lab 6 Implementing DNSSEC Objective: Deploy DNSSEC-signed zones. Background DNSSEC (or DNS Security Extensions) provide security to the zone files. Note: In the steps below, we are using myzone.net - our
More informationHands-on DNSSEC with DNSViz. Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016
Hands-on DNSSEC with DNSViz Casey Deccio, Verisign Labs RIPE 72, Copenhagen May 23, 2016 Preparation Demo and exercises available at: http://dnsviz.net/demo/ Includes links to the following: VirtualBox
More informationDomain Name System (DNS) Session-1: Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale
Domain Name System (DNS) Computers use IP addresses. Why do we need names? Names are easier for people to remember Session-1: Fundamentals Computers may be moved between networks, in which case their IP
More informationInternet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice. Parsons November 2016
Internet Engineering Task Force (IETF) Request for Comments: 8027 BCP: 207 Category: Best Current Practice ISSN: 2070-1721 W. Hardaker USC/ISI O. Gudmundsson CloudFlare S. Krishnaswamy Parsons November
More informationDOMAIN NAME SECURITY EXTENSIONS
DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions
More informationAlgorithm for DNSSEC Trusted Key Rollover
Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.
More informationDefeating DNS Amplification Attacks. UKNOF Manchester Central, UK January Ralf Weber Senior Infrastructure Architect
Defeating DNS Amplification Attacks UKNOF Manchester Central, UK January 21 2014 Ralf Weber Senior Infrastructure Architect History of DNS Amplification DNS amplification attacks aren't new Periodically
More informationTable of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers.
Table of Contents Specification and implementation DNS Karst Koymans Informatics Institute University of Amsterdam (version 1.11, 2010/10/04 10:03:37) Tuesday, September 14, 2010 A short history of DNS
More informationDNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs)
DNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs) olaf@nlnetlabs.nl Stichting NLnet Labs page 2 Registrars/ Registrants DNS Architecture As friend secondary As ISP Cache server Registry DB primary As
More informationDomain Name System (DNS) DNS Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale. The old solution: HOSTS.
Domain Name System (DNS) Computers use IP addresses. Why do we need names? Names are easier for people to remember DNS Fundamentals Computers may be moved between networks, in which case their IP address
More informationSecSpider: Distributed DNSSEC Monitoring and Key Learning
SecSpider: Distributed DNSSEC Monitoring and Key Learning Eric Osterweil UCLA Joint work with Dan Massey and Lixia Zhang Colorado State University & UCLA 1 Who is Deploying DNSSEC? Monitoring Started From
More informationDNS. Some advanced topics. Karst Koymans. Informatics Institute University of Amsterdam. (version 17.2, 2017/09/25 12:41:57)
DNS Some advanced topics Karst Koymans Informatics Institute University of Amsterdam (version 17.2, 2017/09/25 12:41:57) Friday, September 22, 2017 Karst Koymans (UvA) DNS Friday, September 22, 2017 1
More informationDNS Security. APNIC42 Colombo Sri Lanka 01 October 2016 Champika Wijayatunga
DNS Security APNIC42 Colombo Sri Lanka 01 October 2016 Champika Wijayatunga 2 Brief Overview of DNS What is the Domain Name System? A distributed database primarily used to obtain
More informationDNSSEC for ISPs workshop João Damas
DNSSEC for ISPs workshop João Damas (joao@isc.org) 1 Outline of workshop Brief intro to DNSSEC Overview of zone signing DNSSEC validation trust anchors validation impact of enabling validation debugging
More informationAPNIC elearning: DNS Concepts
APNIC elearning: DNS Concepts 27 MAY 2015 11:00 AM AEST Brisbane (UTC+10) Issue Date: Revision: Introduction Presenter Sheryl Hermoso Training Officer sheryl@apnic.net Specialties: Network Security IPv6
More informationTest cases for domain checks a step towards a best prac5ce. Mats Du(erg,.SE Sandoche Balakrichenan, AFNIC
Test cases for domain checks a step towards a best prac5ce Mats Du(erg,.SE Sandoche Balakrichenan, AFNIC Zonemaster Upcoming tool for test of delegacon of a domain The development of Zonemaster has several
More informationECE 435 Network Engineering Lecture 7
ECE 435 Network Engineering Lecture 7 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 25 September 2018 HW#3 was Posted Announcements 1 HW#2 Review C code will be discussed next
More informationDocumentation. Name Server Predelegation Check
Name Server Predelegation Check Doc. version: 1.4.1 Doc. status: Final Doc. date: 01.12.2015 Doc. name: Name Server Predelegation Check- -DNS Services-V1.4.1-2015-12-01 Copyright 2015 DENIC eg Imprint
More informationSome advanced topics. Karst Koymans. Tuesday, September 16, 2014
DNS Some advanced topics Karst Koymans Informatics Institute University of Amsterdam (version 44, 2014/09/15 08:39:47) Tuesday, September 16, 2014 Karst Koymans (UvA) DNS Tuesday, September 16, 2014 1
More informationDNSSEC. CS 161: Computer Security Prof. David Wagner. April 11, 2016
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS
More informationRFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal ---
RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal --- Kazunori Fujiwara fujiwara@jprs.co.jp Japan Registry Services Co., Ltd (JPRS) DNS-OARC Workshop 2016/10/16 Last
More informationDNSSEC for ISPs workshop.! João Damas
DNSSEC for ISPs workshop!!! João Damas (joao@isc.org) 1 Outline of workshop Brief intro to DNSSEC (30 ) Overview of zone signing (30 ) DNSSEC validation (60 ) trust anchors validation impact of enabling
More informationDENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber
DENIC DNSSEC Testbed Software support for DNSSEC Ralf Weber (ralf.weber@nominum.com) Who is Nominum? Mission Product Leadership Industry Expertise Deliver the Trusted Internet Experience Strategic Partners:
More informationRoot Zone DNSSEC KSK Rollover. DSSEC KSK Rollover
Root Zone DNSSEC KSK Rollover 2017 Edward Lewis DSSEC KSK Rollover ENOG 15 Edward.Lewis@icann.org FIRST TC September 11, 2017 5 June 2018 The Basics This talk is related to the Domain Name System, in particular,
More informationOrdinary DNS: A? k.root-servers.net. com. NS a.gtld-servers.net a.gtld-servers.net A Client's Resolver
Ordinary DNS: www.google.com A? com. NS a.gtld-servers.net a.gtld-servers.net A 192.5.6.30 k.root-servers.net Ordinary DNS: www.google.com A? com. NS a.gtld-servers.net a.gtld-servers.net A 192.5.6.30
More information22/06/ :37 DNS COMPLIANCE. Fred Baker Internet Systems Consortium
DNS COMPLIANCE Fred Baker Internet Systems Consortium Background - 2014 ISC was in the process of adding DNS COOKIE (RFC 7873) to BIND and we wanted to see how many servers would mishandle DNS COOKIE options
More informationDNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31
DNS and SMTP James Walden CIT 485: Advanced Cybersecurity James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31 Table of contents 1. DNS 2. DNS Protocol Packets 3. DNS Caching 4. DNS Cache Poisoning
More informationCNAME-based Redirection Design Notes
CNAME-based Redirection Design Notes When we configure a redirect type of local-zone or access-control action, we might want to specify a CNAME as the action data, whose canonical name is managed by an
More informationLocal DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1
SEED Labs Local DNS Attack Lab 1 Local DNS Attack Lab Copyright c 2006-2015 Wenliang Du, Syracuse University. The development of this document is partially funded by the National Science Foundation s Course,
More informationWorst Current Practice. Lutz Donnerhacke IKS GmbH
Worst Current Practice Lutz Donnerhacke IKS GmbH Worst Current Practice Not a talk about simple bugs Too many WTFs to talk about Sometimes instructive anyway SEOS: IPv6 packets crash Ether Channels: Card
More informationDNS Fundamentals. Steve Conte ICANN60 October 2017
DNS Fundamentals Steve Conte ICANN60 October 2017 Names and Numbers IP addresses easy for machines but hard for people IPv4: 192.0.2.7 IPv6: 2001:db8::7 People need to use names In the early days of the
More informationWeb Security. Mahalingam Ramkumar
Web Security Mahalingam Ramkumar Web Security Abusing cookies Phishing, Spreading misinformation You are not seeing what you think you are! HREFs, Ill-constructed strings in HREFs Dynamic HTML, Scripting
More informationDNS Security DNSSEC. *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html. IT352 Network Security Najwa AlGhamdi
DNS Security DNSSEC *http://compsec101.antibo zo.net/papers/dnssec/dnss ec.html 1 IT352 Network Security Najwa AlGhamdi Introduction DNSSEC is a security extensions to the DNS protocol in response to the
More informationTHE BRUTAL WORLD OF DNSSEC
THE BRUTAL WORLD OF DNSSEC Patrik Fältström Head of Technology Netnod 1 Security Issues with DNS Zone Administrator Bad Data False Master Caching Resolver Zonefile Master Slave slave slave False Cache
More informationMeasuring the effects of DNSSEC deployment on query load
Measuring the effects of DNSSEC deployment on query load Jelte Jansen NLnet Labs NLnet Labs document 26-2 May 1, 26 Abstract Ripe NCC recently started signing the zones on their DNS servers. This document
More informationManaging Caching DNS Server
This chapter explains how to set the Caching DNS server parameters. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which explains the basics of DNS. Configuring
More informationDNS and cctld Management. Save Vocea and Champika Wijayatunga Apia Samoa July 2015
DNS and cctld Management Save Vocea and Champika Wijayatunga Apia Samoa 14-15 July 2015 Agenda 1 2 3 Intro to ICANN DNS Concepts Root Server Operation 4 5 6 Managing Zones cctld Management Security, Stability
More informationDomain Name Service. DNS Overview. October 2009 Computer Networking 1
Domain Name Service DNS Overview October 2009 Computer Networking 1 Why DNS? Addresses are used to locate objects (contain routing information) Names are easier to remember and use than numbers DNS provides
More informationDNS Cache Poisoning Looking at CERT VU#800113
DNS Cache Poisoning Looking at CERT VU#800113 Nadhem J. AlFardan Consulting Systems Engineer Cisco Systems ANOTHER BORING DNS ISSUE Agenda DNS Poisoning - Introduction Looking at DNS Insufficient Socket
More information