CNT Computer and Network Security: DNS Security
|
|
- Nancy Craig
- 6 years ago
- Views:
Transcription
1 CNT Computer and Network Security: DNS Security Professor Patrick Traynor Fall 2017
2 Reminders Related Work is due on Wednesday I look forward to reading these! Remember, quality matters in everything that you do, from matters technical to presentation! Assignment #3 is due on 10/18. Yikes, this one is tough. Get it done! Midterm exam: 10/13 I will discuss the exam format, etc, on 10/7 2
3 Address Translation The Internet relies on IP addresses for routing and delivering traffic. Efficient encoding makes the job of routers easy, and keeps routing tables small due to aggregation. When the Internet consisted of only a small number of hosts, such a solution was sufficient. Anyone could memorize the addresses of the 8 machines that could possibly talk to each other. Unfortunately, IP addresses are not memorable at scale. Very quickly, it was realized that some mechanism would be required to manage the translation from easy to remember names to routing-optimized IPv4 addresses. 3
4 hosts.conf The first reliable mechanism was, hosts.conf, a file stored on every Internet connected computer. Once in a while, that file would need to be updated with a current list of all of the hosts on the Internet. Network administrators would often have to physically deliver this update to every machine in their domain. Scalability quickly made this approach obsolete. That said, your machines still have hosts.conf, which you can use to statically configure any domain to IP pair you wish. 4
5 DNS - The Domain Name System DNS maps between IP address ( ) and domain and host names (thunder.cise.ufl.edu) How it works: the root servers redirect you to the top level domains (TLD) DNS servers, which redirect you to the appropriate sub-domain, and recursively. Note: there are 13 root servers that contain the TLDs for.org,.edu, and country specific registries (.fr,.ch) root.edu ufl.edu cise.ufl.edu thunder.cise.ufl.edu Host (resolver) 5
6 DNS Scalability DNS is one of the most scalable subsystems deployed today. How does it do that? The protocol is simple, running over UDP. Iterative execution and stub-resolvers limit the duties of core nodes. Caching, caching and more caching. DNS is so robust that botnet administrators sometimes attempt to DDoS it to demonstrate the overwhelming power of their malicious infrastructure. 6
7 DNS Vulnerabilities Nothing is authenticated, so really the game is over You can not really trust what you hear But, many applications are doing just that. Spoofing of DNS is really dangerous Moreover, DNS is a catalog of resources Zone-transfers allow bulk acquisition of DNS data and hence provide a map for attacking the network Lots of opportunity to abuse the system Relies heavily on caching for efficiency -- cache pollution Once something is wrong, it can remain that way in caches for a long time (e.g., it takes a long time flush) Data may be corrupted before it gets to authoritative server 7
8 DNS Cache Poisoning Root Servers 3 QID=600 IP for neighborhoodbank.com ns.neighborhoodbank.com 1 QID=599 IP for Victim nameserver 2 QID=599 referral to neighborhoodbank.com 4 QID=600 IP: a - IP: QID=599 QID=600 QID=601 evil.net fake! evil client 0 IP for Client 5 Transaction 8
9 Limitations DNS Cache poisoning has been known and understood since almost as long as DNS has been deployed. Ok, then why was virtually nothing done to fix the problem? At the end of the day, the practicality of actually achieving this attack was judged to be too low to justify the expense of fixing it in any principled manner. 9
10 Kaminsky Variant Root Servers 3 QID=600 IP for neighborhoodbank.com neighborhoodbank.com ns.neighborhoodbank.com 1 QID=599 IP for neighborhoodbank.com Victim nameserver 2 QID=599 referral to neighborhoodbank.com 0 IP for neighborhoodbank.com 4 QID=600 Ad: a - Ad: QID=599 QID=600 QID=601 evil.net fake! evil client Client 10
11 Kaminsky - It s in the Details... That s all well and good, but how do you get such a request from inside a target network? What can you do to prevent such attacks? 11
12 Kaminsky - The Aftermath The community (operations, research, and government) took this vulnerability very seriously. Disclosure was withheld for many months, to ensure that the majority of vendors could provide some sort of working solution. Large-scale patching took place over the course of about a month, with interesting results. 12
13 Solutions DNS is one of the core services of the Internet. If we can t get this right, we may need to quit trying to fix anything else. 13
14 Source Port Randomization DNS query ID guessing attacks are easy given the very limited space allocated for QID (16 bits). Why can t we just expand this field? Some have proposed the use of a random source port to expand the effective QID of each query. Potentially adds another 16 bits if enforced. What are the limitations of this proposed solution? 14
15 DNS Cookies Server and resolver use a new option field to include random cookies for each other. Cookie generation suggested using HMAC-SHA1 Resolver Query: RC:123, SC:???,E:0 Server SC:789 ErrReply: RC:123, SC:789, E:BadC Query: RC:123, SC:789,E:0 AnsReply: RC:123, SC:789,E:0 RC:123 RC:123 ForgedQuery: RC:XYZ, SC:???,E:0 ErrReply: RC:XYZ, SC:789, E:BadC ForgedReply: RC:???, SC:???,E:0 RC:XYZ Source: IETF Draft Presentation 15
16 0x20 Bit Randomization DNS requests are NOT case sensitive: = This approach proposes the use of random capitalization of letters in domain names to provide additional bits of randomness. How many additional bits does the above example provide? Ok - guessing is now very difficult. Are we finished? 16
17 What did we fix? adversary QID = QID = Client Victim nameserver QID = QID = neighborhoodbank.com 17
18 What did we fix? adversary QID = neighborhoodbank.com Client adversarial Victim nameserver 18
19 ISPs as Adversaries? 19
20 DNSSEC A standard-based (IETF) solution to security in DNS Prevents data spoofing and corruption Public key based solution to verifying DNS data Authenticates Communication between servers DNS data Public keys (a bootstrap for PKI?) 20
21 DNSSEC Mechanisms TSIG : transaction signatures protect DNS operations Zone loads, some server to server requests (master -> slave), etc. Time-stamped signed responses for dynamic requests A misnomer -- it currently uses shared secrets for TSIG (HMAC) or do real signatures using public key cryptography SIG0: a public key equivalent of TSIG Works similarly, but with public keys Not as popular as TSIG, being evaluated Note: these mechanisms assume clock sync. (NTP) 21
22 DNSSEC Mechanisms Securing the DNS records Each domain signs their zone with a private key Public keys published via DNS Indirectly signed by parent zones Ideally, you only need a self-signed root, and follow keys down the hierarchy Signs Signs Signs root.edu ufl.edu cise.ufl.edu 22
23 DNSSEC challenges Incremental deployability/bootstrapping problem Everyone has DNS, can t assume a flag day Resource imbalances Some devices can t afford real authentication Cultural Most people don t have any strong reason to have secure DNS ($$$ not justified in most environments) Lots of transitive trust assumptions (you have no idea how the middlemen do business) Take away: DNSsec is being deployed, but it is unclear whether it will be used appropriately/widely 23
24 DNSSEC Criticisms Not everyone agrees that this standard is the right way to move forward. The cryptographic operations can be slow. There is little agreement about who should hold the root keys. It can make responses HUGE! 24
25 Anti-DNSSEC It s Unnecessary! If you already use TLS, do you need it? It s a Government Controlled PKI! Why are some people concerned about this? It s Cryptographically Weak! It uses RSA 1024-bit keys. Is that not enough? 25
26 What Practicioners Think From: Randy Bush Subject: multiple-choice question of the day Date: March 18, :54:03 AM PDT To: No transition plan Declared victory before the hard part even started No real long term plan No realistic estimation of costs No real support for the folk on the front lines Victory will be next month Describes: a - The war in Iraq b - DNSsec c - IPv6 d - All of the above 26
27 DNSSEC: The Reality DNSSEC now signs multiple TLDs Countries (.br,.bg,.cz, and others) and regional authorities (RIPE NCC, ARIN).org,.com and.net as well. But not everyone can read DNSSEC Recursive resolvers can t all handle this Endpoint operating systems often don t 27
28 DNSCurve DNSCurve relies on Elliptic Curve Cryptography. Much more efficient in terms of performance and space. Criticisms: DNSSec offers algorithm options, DNSCurve locks in the use of Curve DNSCurve secures a connection, not individual messages, meaning that cache entries can be replaced. To date, only OpenDNS uses DNSCurve. 28
29 Wrap-Up DNS is one of the most critical services underlying stable operation of the Internet. Unfortunately, it is extremely vulnerable to attack as it has no strong authentication mechanisms. There are lots of proposed solutions, both immediately deployable (weak) and principled (strong). While we will likely see widespread DNSSEC deployment, it will almost certainly never be complete. How much is enough? 29
CSE Computer Security
CSE 543 - Computer Security Lecture 19 - Network Security November 6, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1 Big picture Abstract Introduction Results Summary Background Problem Description/Finalized
More informationCSC 574 Computer and Network Security. DNS Security
CSC 574 Computer and Network Security DNS Security Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides by Will Enck and Micah Sherr) A primer on routing Routing Problem: How do Alice s messages
More informationHoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client
More informationUSING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION
USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION 11-30-2016 USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION Transaction Signatures (TSIG) provide a secure
More informationModule: Network Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Network Security Professor Patrick McDaniel Spring 2009 1 Networking Fundamentally about transmitting information between users, applications,
More informationCSE543 Computer and Network Security Module: Network Security
CSE543 Computer and Network Security Module: Network Security Professor Patrick McDaniel Fall 2009 1 Networking Fundamentally about transmitting information between two devices Direct communication is
More informationCSE443 - Introduction to Computer and Network Security Network Security
CSE443 - Introduction to Computer and Network Security Network Security Professor Kevin Butler Winter 2011 Computer and Information Science Networking Fundamentally about transmitting information between
More informationDNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION
DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION Peter R. Egli 1/10 Contents 1. Security Problems of DNS 2. Solutions for securing DNS 3. Security with DNSSEC
More informationRoot Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail
What is DNS? Systems to convert domain names into ip addresses: For an instance; www.tashicell.com 118.103.136.66 Reverse: 118.103.136.66 www.tashicell.com DNS Hierarchy Root Servers The top of the DNS
More informationA Security Evaluation of DNSSEC with NSEC Review
A Security Evaluation of DNSSEC with NSEC Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka November 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationIn the Domain Name System s language, rcode 0 stands for: no error condition.
12/2017 SIMPLE, FAST, RESILIENT In the Domain Name System s language, rcode 0 stands for: no error condition. If a DNS server answers a query with this result code, the service is running properly. This
More informationDNSSEC All You Need To Know To Get Started
DNSSEC All You Need To Know To Get Started Olaf M. Kolkman RIPE NCC A Semi Technical Introduction Why do we need DNSSEC What does DNSSEC provide How does DNSSEC work Question: www.ripe.net A Reminder:
More informationThis time. Digging into. Networking. Protocols. Naming DNS & DHCP
This time Digging into Networking Protocols Naming DNS & DHCP Naming IP addresses allow global connectivity But they re pretty useless for humans! Can t be expected to pick their own IP address Can t be
More informationAn Overview of DNSSEC. Cesar Diaz! lacnic.net!
An Overview of DNSSEC Cesar Diaz! cesar@ lacnic.net! 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that
More informationBEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE
BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE 12-07-2016 BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE Your external DNS is a mission critical business resource.
More information(DNS, and DNSSEC and DDOS) Geoff Huston APNIC
D* (DNS, and DNSSEC and DDOS) Geoff Huston APNIC How to be bad 2 How to be bad Host and application-based exploits abound And are not going away anytime soon! And there are attacks on the Internet infrastructure
More informationComputer Security CS 426
Computer Security CS 426 Lecture 34 DNS Security 1 Domain Name System Translate host names to IP addresses E.g., www.google.com 74.125.91.103 Hostnames are human-friendly IP addresses keep changing And
More informationDNS and SMTP. James Walden CIT 485: Advanced Cybersecurity. James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31
DNS and SMTP James Walden CIT 485: Advanced Cybersecurity James WaldenCIT 485: Advanced Cybersecurity DNS and SMTP 1 / 31 Table of contents 1. DNS 2. DNS Protocol Packets 3. DNS Caching 4. DNS Cache Poisoning
More informationDNS Cache Poisoning Looking at CERT VU#800113
DNS Cache Poisoning Looking at CERT VU#800113 Nadhem J. AlFardan Consulting Systems Engineer Cisco Systems ANOTHER BORING DNS ISSUE Agenda DNS Poisoning - Introduction Looking at DNS Insufficient Socket
More informationDNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific
DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator
More informationRe-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist
Re-engineering the DNS One Resolver at a Time Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist 1 In this presentation I ll talk about the DNS, and the root server infrastructure
More informationDNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d
DNSSEC Trust tree: www.dnslab.org. (A) ---dnslab.org. (DNSKEY keytag: 7308 alg ---dnslab.org. (DNSKEY keytag: 9247 ---dnslab.org. (DS keytag: 9247 dig DNSSEC ---org. (DNSKEY keytag: 24209 a Domain Name
More informationAn ARIN Update. Susan Hamlin Director of Communications and Member Services
An ARIN Update Susan Hamlin Director of Communications and Member Services ARIN, a nonprofit member-based organization, supports the operation of the Internet through the management of Internet number
More informationDOMAIN NAME SECURITY EXTENSIONS
DOMAIN NAME SECURITY EXTENSIONS The aim of this paper is to provide information with regards to the current status of Domain Name System (DNS) and its evolution into Domain Name System Security Extensions
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationMAGPI: Advanced Services IPv6, Multicast, DNSSEC
MAGPI: Advanced Services IPv6, Multicast, DNSSEC Shumon Huque MAGPI GigaPoP & Univ. of Pennsylvania MAGPI Technical Meeting April 19th 2006, Philadelphia, PA 1 Outline A description of advanced services
More informationNetwork Working Group Request for Comments: Category: Best Current Practice October 2008
Network Working Group Request for Comments: 5358 BCP: 140 Category: Best Current Practice J. Damas ISC F. Neves Registro.br October 2008 Preventing Use of Recursive Nameservers in Reflector Attacks Status
More information2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008
2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008 Kim Davies Manager, Root Zone Services Internet Corporation for Assigned Names & Numbers How do you attack the DNS? A typical DNS query
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols
More informationDNS Security. Wolfgang Nagele DNS Group Manager
DNS Security Wolfgang Nagele DNS Group Manager DNS: the Domain Name System Specified by Paul Mockapetris in 1983 Distributed Hierarchical Database Main purpose: Translate names to IP addresses Since then:
More informationDNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO
DNS Workshop @CaribNOG12 Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and
More informationRIPE Network Coordination Centre. K-root and DNSSEC. Wolfgang Nagele RIPE NCC.
K-root and DNSSEC Wolfgang Nagele RIPE NCC RIPE NCC One of the five Regional Internet Registries Provides IP address and AS number resources to Europe and Middle-East regions DNS related work - Parent
More informationNetwork Security Part 3 Domain Name System
Network Security Part 3 Domain Name System Domain Name System The$domain$name$system$(DNS)$is$an$applica6on7layer$ protocol$$for$mapping$domain$names$to$ip$addresses$ DNS www.example.com 208.77.188.166
More informationRegistry Vulnerabilities An Overview
Registry Vulnerabilities An Overview Edward Lewis ed.lewis@neustar.biz ccnso Tech Day @ ICANN 46 April 8, 2013 1 Goal of the Presentation» High-level overview of where security matters» Reduce the chances
More informationBy Paul Wouters
By Paul Wouters Overview presentation Theory of DNSSEC Using bind with DNSSEC Securing Ò.nlÓ with SECREG Securing Ò.orgÓ with VerisignLabs Deploying DNSSEC on large scale Audience participation
More informationLess is More Cipher-Suite Negotiation for DNSSEC
Less is More Cipher-Suite Negotiation for DNSSEC Amir Herzberg Bar-Ilan University Haya Shulman Technische Universität Darmstadt Bruno Crispo Trento University Domain Name System (DNS) Lookup services
More informationDNS Mark Kosters Carlos Martínez ARIN - LACNIC
DNS Workshop @CaribNOG8 Mark Kosters Carlos Martínez ARIN - LACNIC DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity
More information6 March 2012
6 March 2012 richard.lamb@icann.org www.majorbank.se=? 1.2.3.4 Get page Login page Username / Password Account Data DNS Resolver ISP www.majorbank.se = 1.2.3.4 DNS Server webserver www @ 1.2.3.4 Majorbank
More informationICANN and Technical Work: Really? Yes! Steve Crocker DNS Symposium, Madrid, 13 May 2017
ICANN and Technical Work: Really? Yes! Steve Crocker DNS Symposium, Madrid, 13 May 2017 Welcome, everyone. I appreciate the invitation to say a few words here. This is an important meeting and I think
More informationDNS Security. Wolfgang Nagele DNS Services Manager
DNS Security Wolfgang Nagele DNS Services Manager DNS: the Domain Name System Specified by Paul Mockapetris in 1983 Distributed Hierarchical Database Main purpose: Translate names to IP addresses Since
More informationCS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017
CS 356 Using Cryptographic Tools to Secure the Domain Name System (DNS) Spring 2017 Background Motivation Overview Network Infrastructure Security DNS and DNS Vulnerabilities The DNS Security Extensions
More informationOverview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly
Last Lecture Overview Scheduled tasks and log management This Lecture DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly Next Lecture Address assignment (DHCP) TELE 301 Lecture 11: DNS 1 TELE
More informationSecSpider: Distributed DNSSEC Monitoring and Key Learning
SecSpider: Distributed DNSSEC Monitoring and Key Learning Eric Osterweil UCLA Joint work with Dan Massey and Lixia Zhang Colorado State University & UCLA 1 Who is Deploying DNSSEC? Monitoring Started From
More informationI certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist?
RRSIG: I certify that this DNS record set is correct Problem: how to certify a negative response, i.e. that a record doesn t exist? NSEC: I certify that there are no DNS records (of type X) whose record
More informationA PKI For IDR Public Key Infrastructure and Number Resource Certification
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect
More informationToward Unspoofable Network Identifiers. CS 585 Fall 2009
Toward Unspoofable Network Identifiers CS 585 Fall 2009 The Problem DNS Spoofing Attacks (e.g., Kaminsky) At link (Ethernet) and IP layers, either: Software sets the source address in the packet, or Software
More informationDNS SECURITY BEST PRACTICES
White Paper DNS SECURITY BEST PRACTICES Highlights Have alternative name server software ready to use Keep your name server software up-to-date Use DNSSEC-compliant and TSIG-compliant name server software
More informationRethinking Authentication. Steven M. Bellovin
Rethinking Authentication Steven M. https://www.cs.columbia.edu/~smb Why? I don t think we understand the real security issues with authentication Our defenses are ad hoc I regard this as a step towards
More informationScott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University
Scott Rose, NIST scottr@nist.gov 2011 Winter JointTechs Meeting Jan 30, 2011 Clemson University Special Thanks to RIPE NCC who provided the base slides for this tutorial. DNS is not secure Known vulnerabilities
More informationDNSSEC the.se way: Overview, deployment and lessons learned. Anne-Marie Eklund Löwinder Quality & Security Manager
DNSSEC the.se way: Overview, deployment and lessons learned Anne-Marie Eklund Löwinder Quality & Security Manager My agenda Getting Started Finding out about.se Finding out what DNS does for you Why DNSSEC?
More informationTable of Contents. DNS security basics. What DNSSEC has to offer. In what sense is DNS insecure? Why DNS needs to be secured.
Table of Contents DNS security basics The basics Karst Koymans (with Niels Sijm) Informatics Institute University of Amsterdam (version 2.3, 2013/09/13 11:46:36) Tuesday, Sep 17, 2013 Why DNS needs to
More informationDNSSEC Deployment Issues
DNSSEC Deployment Issues Johan Ihrén, Autonomica AB Outline The very, very, very short summary is that as the protocol phase is over deployment issues need to be sorted out requires new participants as
More informationAlgorithm for DNSSEC Trusted Key Rollover
Algorithm for DNSSEC Trusted Key Rollover Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, FRANCE {gilles.guette, bernard.cousin, david.fort}@irisa.fr Abstract.
More informationSome DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007
Some DNSSEC thoughts DNSOPS.JP BOF Interop Japan 2007 Geoff Huston Chief Scientist, APNIC June 2007 The DNS is a miracle! You send out a question into the net And an answer comes back! Somehow But WHO
More informationThe Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Presented By: Kamalakar Kambhatla
The Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Venugopalan Ramasubramanian Emin Gün Sirer Presented By: Kamalakar Kambhatla * Slides adapted from the paper -
More informationDomain Name System.
Domain Name System http://xkcd.com/302/ CSCI 466: Networks Keith Vertanen Fall 2011 Overview Final project + presentation Some TCP and UDP experiments Domain Name System (DNS) Hierarchical name space Maps
More informationProtecting Privacy: The Evolution of DNS Security
Protecting Privacy: The Evolution of DNS Security Burt Kaliski Senior Vice President and CTO, Verisign NSF Technology Transfer to Practice in Cyber Security Workshop November 4, 2015 Agenda DNS Overview
More informationDomain Name System Security
Slide title 70 pt APITALS Domain Name System Security e subtitle um 30 pt Bengt Sahlin Ericsson Research NomadicLab Bengt.Sahlin@ericsson.com Objectives Provide DNS basics, essential for understanding
More informationDNSCurve: Usable security for DNS
DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois
More informationHow do we make the transition less painful? IPv6 & recursive resolvers:
How do we make the transition less painful? IPv6 & recursive resolvers: 11.5.2009 Overview of the problem IPv6 rollout may not impact production IPv4 Rolling out dedicated IPv6 hostnames is not a good
More informationDNSSEC: what every sysadmin should know to keep things working
DNSSEC: what every sysadmin should know to keep things working Roland van Rijswijk - Deij roland.vanrijswijk@surfnet.nl About SURFnet National Research and Education Network (NREN) Founded in 1986 > 11000km
More informationDNS SECurity Extensions technical overview
The EURid Insights series aims to analyse specific aspects of the domainname environment. The reports are based on surveys, studies and research developed by EURid in cooperation with industry experts
More informationOutline Key Management CS 239 Computer Security February 9, 2004
Outline Key Management CS 239 Computer Security February 9, 2004 Properties of keys Key management Key servers Certificates Page 1 Page 2 Introduction Properties of Keys It doesn t matter how strong your
More informationSIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels
Network Security - ISA 656 Voice Over IP (VoIP) Security Simple SIP ing Alice s Bob Session Initiation Protocol Control channel for Voice over IP (Other control channel protocols exist, notably H.323 and
More informationDNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited
DNS Firewall with Response Policy Zone Suman Kumar Saha bdcert suman@bdcert.org Amber IT Limited suman@amberit.com.bd DNS Response Policy Zone(RPZ) as Firewall RPZ allows a recursive server to control
More informationDNSSEC: A game changing example of multi-stakeholder cooperation. ICANN Meeting, Singapore 21 June 2011
DNSSEC: A game changing example of multi-stakeholder cooperation ICANN Meeting, Singapore 21 June 2011 richard.lamb@icann.org ICANN ICANN is a global organization that coordinates the Internet s unique
More informationSome Lessons Learned from Designing the Resource PKI
Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007 Address and Routing Security The basic security questions that need to be answered are: Is this a valid
More informationLecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.
15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationOutline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016
Networks and Communication Department NET 412 NETWORK SECURITY PROTOCOLS Lecture 7: DNS Security 2 Outline Part I: DNS Overview of DNS DNS Components DNS Transactions Attack on DNS Part II: DNS Security
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationApplication Firewalls
Application Moving Up the Stack Advantages Disadvantages Example: Protecting Email Email Threats Inbound Email Different Sublayers Combining Firewall Types Firewalling Email Enforcement Application Distributed
More informationProgress Report 1. Group RP16. All work done by Ivan Gromov and Andrew McConnell
Progress Report 1 Group RP16 All work done by Ivan Gromov and Andrew McConnell Steps completed: Task Mode Task Name Duration Start Finish Predecessor s Resource Names Manually Schedule d First Lab research
More informationDEFENCE IN DEPTH HOW ANTIVIRUS, TRADITIONAL FIREWALLS, AND DNS FIREWALLS WORK TOGETHER
DEFENCE IN DEPTH HOW ANTIVIRUS, TRADITIONAL FIREWALLS, AND DNS FIREWALLS WORK TOGETHER D-Zone DNS Firewall 18-10-20171 EXECUTIVE SUMMARY Cyber attacks continue to grow at an alarming rate with ransomware
More informationCS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS
: Computer Networks Lecture 6: Apr 5, 2004 Naming and DNS Any problem in computer science can be solved with another layer of indirection David Wheeler Naming is a layer of indirection What problems does
More informationSecurity in inter-domain routing
DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks
More informationMulti Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02. Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K.
Multi Provider DNSSEC draft-huque-dnsop-multi-provider-dnssec-02 Shumon Huque March 22 nd 2018 DNSOP Working Group, IETF101, London, U.K. Note to the DNS Camel* This document does not propose any new extensions
More informationDNS: Useful tool or just a hammer? Paul DNS-OARC 06 Oct 2013, Phoenix
DNS: Useful tool or just a hammer? Paul Ebersman pebersman@infoblox.com, @paul_ipv6 DNS-OARC 06 Oct 2013, Phoenix 1 Attacking your cache 2 Recursion DNS queries are either recursive or nonrecursive recursive
More informationDNS Security. Ch 1: The Importance of DNS Security. Updated
DNS Security Ch 1: The Importance of DNS Security Updated 8-21-17 DNS is Essential Without DNS, no one can use domain names like ccsf.edu Almost every Internet communication begins with a DNS resolution
More informationDNS and BGP. CS642: Computer Security. Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu. University of Wisconsin CS 642
DNS and BGP CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 DNS and BGP University of Wisconsin CS 642 128.105.5.31
More informationModule: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Routing Security Professor Patrick McDaniel Spring 2009 1 Routing 101 Network routing exists to provide hosts desirable paths from the source
More informationNew Challenges and Dangers for the DNS. Jim Reid ORIGIN TIS-INS
New Challenges and Dangers for the DNS Jim Reid ORIGIN TIS-INS Jim.Reid@nl.origin-it.com DNS Challenges - Netadmin99 Santa Clara Slide 1 Introduction new technologies IPv6, W2K dynamic DNS updates secure
More informationWho s Protecting Your Keys? August 2018
Who s Protecting Your Keys? August 2018 Protecting the most vital data from the core to the cloud to the field Trusted, U.S. based source for cyber security solutions We develop, manufacture, sell and
More informationNetwork Security - ISA 656 IPsec IPsec Key Management (IKE)
Network Security - ISA 656 IPsec IPsec (IKE) Angelos Stavrou September 28, 2008 What is IPsec, and Why? What is IPsec, and Why? History IPsec Structure Packet Layout Header (AH) AH Layout Encapsulating
More informationNetwork Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015
Network Security DNS (In)security Radboud University, The Netherlands Autumn 2015 A short recap Routing means directing (Internet) traffic to its target Internet is divided into 52, 000 Autonomous Systems
More informationAttacks on DNS: Risks of Caching
Attacks on DNS: Risks of Caching CS 161: Computer Security Prof. David Wagner March 30, 2016 Today Midterm 2 grades available Reminder: Start Project 2, Part 2! Today, DNS: protocol for mapping hostnames
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct will be reported
More informationThe DNS security mess. D. J. Bernstein University of Illinois at Chicago
The DNS security mess D. J. Bernstein University of Illinois at Chicago A public-key signature system Message Ñ Signer s secret key Ò Signed message Ñ Ö Signer s public key Ò Verify Ö = SHA-256 ( ÖÒ Ñ)
More informationThe DNS security mess. D. J. Bernstein University of Illinois at Chicago
The DNS security mess D. J. Bernstein University of Illinois at Chicago A public-key signature system Message Ñ Signer s secret key Ò Signed message Ñ Ö Signer s public key Ò Verify Ö = SHA-256 ( ÖÒ Ñ)
More informationInternet Technology. 06. Exam 1 Review Paul Krzyzanowski. Rutgers University. Spring 2016
Internet Technology 06. Exam 1 Review Paul Krzyzanowski Rutgers University Spring 2016 March 2, 2016 2016 Paul Krzyzanowski 1 Question 1 Defend or contradict this statement: for maximum efficiency, at
More informationDNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet
DNSSEC operational experiences and recommendations Antti Ristimäki, CSC/Funet Agenda Funet DNSSEC status A short DNSSEC tutorial Zone signing considerations Private key security Network layer impacts Monitoring
More informationLecture 3 - Passwords and Authentication
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor
More informationDomain Name System Security
Domain Name System Security T-110.4100 Tietokoneverkot October 2008 Bengt Sahlin 2008/10/02 Bengt Sahlin 1 Objectives Provide DNS basics, essential for understanding DNS security
More informationGDS Resource Record: Generalization of the Delegation Signer Model
GDS Resource Record: Generalization of the Delegation Signer Model Gilles Guette, Bernard Cousin, and David Fort IRISA, Campus de Beaulieu, 35042 Rennes CEDEX, France {gilles.guette, bernard.cousin, david.fort}@irisa.fr
More informationFacilitating Secure Internet Infrastructure
Facilitating Secure Internet Infrastructure RIPE NCC http://www.ripe.net About the RIPE NCC RIPE Network Coordination Centre Bottom-up, self-regulated, membership association, notfor-profit Regional Internet
More informationMCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration. Chapter 5 Introduction to DNS in Windows Server 2008
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008 Objectives Discuss the basics of the Domain Name System (DNS) and its
More informationDNSSEC Basics, Risks and Benefits
DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future DNS: Data Flow Registry/Registrar Provisioning
More informationDNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs)
DNSSEC Why, how, why now? Olaf Kolkman (NLnet Labs) olaf@nlnetlabs.nl Stichting NLnet Labs page 2 Registrars/ Registrants DNS Architecture As friend secondary As ISP Cache server Registry DB primary As
More informationYour projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100
You should worry if you are below this point Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /0 * 100 o Optimistic: (Your
More informationCSCE 463/612 Networks and Distributed Processing Spring 2018
CSCE 463/612 Networks and Distributed Processing Spring 2018 Application Layer IV Dmitri Loguinov Texas A&M University February 13, 2018 1 Chapter 2: Roadmap 2.1 Principles of network applications 2.2
More information