Protecting Privacy: The Evolution of DNS Security

Transcription

1 Protecting Privacy: The Evolution of DNS Security Burt Kaliski Senior Vice President and CTO, Verisign NSF Technology Transfer to Practice in Cyber Security Workshop November 4, 2015

2 Agenda DNS Overview Privacy Risks Risk Mitigations Recommendations

3 DNS Overview 3

4 Domain Name System (DNS) Overview Hierarchical, global name space for Internet names, e.g., DNS records associate IP addresses, other data with domain names Authoritative name servers publish records, delegate to other name servers Clients typically query via a recursive name server

5 DNS Hierarchy - Example Root Top Level.com Top Level.gov Top Level.edu 2 nd Level 2 nd Level 2 nd Level 2 nd Level example.com nsf.gov dhs.gov southalabama.edu 3 rd Level Name server either answers query directly, or refers to another name server to which it has delegated its authority

6 DNS Resolution Resolution is the process of answering a query by following the hierarchy of name servers To resolve query root server, then.com, then example.com Each refers to next in hierarchy Recursive name server optimizes process by caching recent results

7 DNS Resolution - Example Root Name Server Web Server A: ask.com name server.com Name Server Recursive Name Server 4 2 Request Response 5 A: ask example.com name server 8 example.com Name Server 6 Internet User (Client) 7

8 DNS Privacy Risks DNS data may be at risk of disclosure: Between client and recursive At recursive name server Between recursive and authoritative At authoritative name server Data may also be at risk of modification: privacy risk if client misdirected Important to consider such risks as part of overall privacy strategy

9 Privacy Risks

10 Risk 1: Between Client and Recursive Client effectively reveals browsing history via DNS traffic to recursive name server Adversary must be on path to see it, but it s all in one place Risk increases when recursive name server deployed outside organization How to protect against eavesdropping?

11 Risk 1: Between Client and Recursive Root Name Server Web Server A: ask.com name server.com Name Server 5 A: ask example.com name server Recursive Name Server Eavesdrop Request Response example.com Name Server 6 Internet User (Client) 7

12 Risk 2: At Recursive Name Server Recursive name server learns client s browsing history through its DNS traffic Adversary may try to compromise server to get this data Server itself may be adversary, misusing data How to protect against compromise, misuse?

13 Risk 2: At Recursive Name Server Root Name Server Web Server A: ask.com name server.com Name Server 5 A: ask example.com name server Recursive Name Server 4 2 Misuse 8 Request Response example.com Name Server 6 Internet User (Client) 7

14 Risk 3: Between Recursive and Authoritative Recursive name server reveals samples of community s browsing history via DNS traffic to authoritative name servers Adversary again must be on path to see traffic, but all in one place Authoritative name servers by definition deployed outside organization How to protect against eavesdropping?

15 Risk 3: Between Recursive and Authoritative Root Name Server Web Server A: ask.com name server.com Name Server Recursive Name Server 4 2 Request Response 5 A: ask example.com name server 8 example.com Name Server 6 Internet User (Client) 7

16 Risk 4: At Authoritative Name Server Authoritative name server learns samples of recursive s community s browsing history Adversary may again try to compromise server to get this data Server itself may again be adversary How to protect against compromise, misuse?

17 Risk 4: At Authoritative Name Server Root Name Server Misuse 3 A: ask.com name server Web Server com Name Server Misuse 5 A: ask example.com name server Recursive Name Server Request Response example.com Name Server Misuse 7 6 Internet User (Client)

18 Risk 5: Modification In addition to risks related to disclosure of DNS traffic, clients privacy may also be at risk if DNS responses are modified By modifying a DNS response, an adversary can misdirect a client to an incorrect server, facilitating an attack

19 Risk 5: Modification Root Name Server Attack Server com Name Server 3 5 A: ask.com Modify name server A: ask Modify example.com name server Recursive Name Server 4 2 Poison 8 Modify Misdirected! 1 example.com Name Server 6 A: Internet User (Client) 7 Modify A:

20 Summary of Risks Root Name Server Misuse.com Name Server Misuse Attack Server A: ask.com name Modify server A: ask example.com Modify name server Recursive Name Server 4 2 Poison Eavesdrop Misuse 8 Modify Misdirected! 1 example.com Name Server Misuse 7 Modify 6 Internet User (Client)

21 Risk Mitigations

22 Mitigating DNS Privacy Risks Data handling policies can help mitigate the risks Technical enhancements to DNS have also been introduced in recent years to mitigate these risks: DNS-over-TLS qname-minimization DANE and DNSSEC

23 Mitigation 1: Data Handling Data handling policies, technologies and audits can mitigate risk of compromise, misuse of data at recursive, authoritative servers Root, top-level domain servers generally operate under established agreements Other authoritative name servers, recursive name servers may not

24 Risks 2 & 4: Misuse Root Name Server Misuse 3 A: ask.com name server Web Server com Name Server Misuse 5 A: ask example.com name server Recursive Name Server 4 2 Misuse 8 Request Response example.com Name Server Misuse 7 6 Internet User (Client)

25 Mitigation 1: Data Handling Root Name Server Protect 3 A: ask.com name server Web Server com Name Server Protect 5 A: ask example.com name server Recursive Name Server 4 2 Protect 8 Request Response example.com Name Server Protect 7 6 Internet User (Client)

26 Mitigation 2: DNS-Over-TLS Like other Internet protocols, DNS can be made more secure and information disclosure can be reduced by running over Transport Layer Security (TLS) IETF DPRIVE working group currently developing DNSover-TLS specification Mitigates eavesdropping (risks 1 & 3) Also mitigates modification in transit

27 Risks 1 & 3: Eavesdropping Root Name Server Web Server A: ask.com name server.com Name Server 5 A: ask example.com name server Recursive Name Server Eavesdrop Request Response example.com Name Server 6 Internet User (Client) 7

28 Mitigation 2: DNS-over-TLS Root Name Server 3 Encrypt A: ask.com name server Web Server com Name Server 5 Encrypt A: ask example.com name server Recursive Name Server Encrypt Request Response example.com Name Server 7 Encrypt 6 Internet User (Client)

29 Mitigation 3: qname-minimization DNS information disclosure can be reduced by asking authoritative only enough for referral to next server not full query name ( qname ) each time IETF DNSOP working group currently developing qnameminimization spec Partially mitigates eavesdropping (risk 3) w/o encryption or changing authoritative

30 Risks 1 & 3: Eavesdropping Root Name Server Web Server A: ask.com name server.com Name Server Recursive Name Server 4 2 Request Response 5 A: ask example.com name server 8 example.com Name Server 6 Internet User (Client) 7

31 Mitigation 3: qname-minimization Root Name Server.com? Web Server Minimize A: ask.com name server.com Name Server 5 Minimize A: ask example.com name server Recursive Name Server Request Response example.com Name Server 6 Internet User (Client) 7

32 Mitigation 4: DNSSEC and DANE DNS Security Extensions (DNSSEC) mitigates modification risk by adding digital signatures to DNS records Recursive, client can validate that records are unmodified DNS-Based Authentication of Named Entities (DANE) extends validation to include web server keys and certificates

33 Risk 5: Modification Root Name Server Attack Server com Name Server 3 5 A: ask.com Modify name server A: ask Modify example.com name server Recursive Name Server 4 2 Poison 8 A: Modify Misdirected! 1 example.com Name Server 6 Internet User (Client) 7 A: Modify

34 Mitigation 4: DNSSEC and DANE Root Name Server Sign 3 A: ask.com name server Web Server com Name Server Sign 5 A: ask example.com name server Recursive Name Server 4 2 Validate 8 Request Validate Response example.com Name Server Sign 6 Internet User (Client) 7

35 Summary: Risk Mitigation Matrix Risk Disclosure or Misuse Modification Data Handling Client to Recursive At Recursive Recursive to Authoritative At Authoritative Protect Protect + Mitigation DNS-over-TLS Encrypt Encrypt + qnameminimization Minimize Minimize DNSSEC and DANE Sign Validate

36 Recommendations

37 Recommendations for Privacy Professionals If DNS is part of the system you re protecting... Ask if these risks apply Ask if existing mitigations are sufficient Consider how these mitigations can help Ask your DNS provider about its privacy practices

38 For More Information Burt Kaliski

39 Q & A

40 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.