Measuring DNS Vulnerabilities and DNSSEC Challenges from an Irish Perspective. SATIN Conference, NPL, London, 04th April 2011


1 Measuring DNS Vulnerabilities and DNSSEC Challenges from an Irish Perspective
SATIN Conference, NPL, London, 04th April 2011

2 Introduction
Billy Glynn (working with IEDR for circa 10 years)
IEDR operate the ccTLD for Ireland (dot IE)
M.Sc MIS in Trinity College Dublin
Thesis based on DNSSEC in Ireland
Distinction
Measurements
DNS vulnerabilities
DNSSEC PMTU Issues
Glynn, B :: IEDR :: 04/03/2011

3 DNS Vulnerabilities

4 DNS Vulnerabilities

5 DNS Vulnerabilities

6 DNS Vulnerabilities

7 DNSSEC Challenges
Example DNS Query Response:

    ; <<>> DiG P2 <<>> ie. any
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
    ;; flags: qr aa; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;ie. IN ANY

    ;; ANSWER SECTION:
    ie IN SOA banba.domainregistry.ie. hostmaster.ucd.ie
    ie IN NS uucp-gw-1.pa.dec.com.
    ie IN NS ns-ie.nic.fr.
    ie IN NS gns2.domainregistry.ie.
    ie IN NS gns1.domainregistry.ie.
    ie IN NS b.iedr.ie.
    ie IN NS uucp-gw-2.pa.dec.com.
    ie IN NS banba.domainregistry.ie.
    ie IN NS ns3.ns.esat.net.
    ie IN NS ice.netsource.ie.

    ;; Query time: 3 msec
    ;; SERVER: #53( )
    ;; WHEN: Tue Nov 16 15:27:
    ;; MSG SIZE rcvd: 306

8 DNSSEC Challenges
Example DNSSEC Query Response:

    ;; Truncated, retrying in TCP mode.
    ; <<>> DiG P2 <<>> ie. any
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:
    ;; flags: qr aa ra; QUERY: 1, ANSWER: 18, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;ie. IN ANY

    ;; ANSWER SECTION:
    ie IN SOA banba.domainregistry.ie. hostmaster.ucd.ie
    ie IN RRSIG NSEC3PARAM ie. ytk5ef/289wub8zftdwvgdfxsrvymk6x8wc/hnu2tgvc6l5hjbsvinb+ aurcmvllvcgr8qsc3q6pku7cp3uhbqsz4epiqlvohx70g28fmuwveblo hs3vxo3x8i825ccjz55zgomtrkxoi+2vkbc42ukjg1/62lel8brjo0so YeI=
    ie IN NSEC3PARAM EF4C00323C5D9AF
    ie IN RRSIG DNSKEY ie. dgqbhrywv9gexhhuakgcq2zmrzeuifc7hl2lhqsvjtllewr/d2ujg0vt qfbhjryxd0zu8thunuqmizbczykm9drewhlj2nhz6e+vlh4mazykn8u2 gjam2wigbjcefms675szwrvgylfcnryq6fzgaiubndee4sbxfuodeolt YmgLilZFMxGNtw7H+YpszomRIANb+RVuRakelB8yjD2/tAmaIFt22iXS 9TVN15Qk4wIkNb6dh3AzV/cTxJq892PjlQlFPzQGOOyUQQ4h5SP1Fld+ mf6slpfdkoclo3oqocbokgcmctjr5fuyp/uomfc1kk9hfkuytkpbttto UJJExg==
    ie IN DNSKEY AwEAAewFCGaQxUBlcLE23ZS2qSTnI5G7qSQt7Pya8AnI9i5rh06ZM7wA maefockxhv1p/zqlskgyv12f7rtnx6bcno6xonqkgxssovtzkddmwypv KleJq30sPBS3KbZ/1WR4yrkcoz8izsAvL9JJLie9TQuGSTVSO6iK6HM1 ZS1dHtCb
    ie IN DNSKEY AwEAAdoswsqcgmwK4K0pzuDogHwEozgmIw+7O7wbSDy0jKUuVN847/6A yu9kbubhknfbb4upmglzxa2pfs5z1ahjuutyl6nyxzalz8wspi6yqknb oiyf1w+wupaxvwj+hphdwgauftkbgxn7tbiq9c1lnmx0tpywyoyvq/vw 832+4lyG1EKtchhPkY3s1l+y2EbEEZdEBh74MYWPdbokjO54dx899jDn StYTIfwYZTmdXjavdDgeYOeEG/BdtlCsAdGc+wYKQf0Dg7E9wqWDGpqK HOOwdCWg5UkJCPOdrQbFAM1qECOv1H8aYQV6J0F5pDc4BK6gntaU4vmf wjsnv9gqi3k=
    ie IN DNSKEY AwEAAc2zF4KBTwC7T3vAbr04jICmWxciMjbsEnrZJdJjoeFmFzXUHDTJ tq56/vx6boxx+qyzy2d4v5visyo3nuy9tiwlc88eapem3nlcypihxzo/ 6YhCAOW3cbJNhMdqfgsMsrGe5tqTKeLIV9LlTq22z8kufPPS2TBHhv45 WFVz4pBL
    ie IN RRSIG SOA ie. zhtj/xv0twynhwuxbskrrp8+cokir2zawqhpj/e/yxxopbxb7mhodae3 1JzQjUmy2b1xqfwzFAnKeE6TlBz8LUfChFfuvxui5CQ3zdeXMJNdmfgm ZwQEjHZmzf0mBVSSC40ZlhdLIsUrRjvoBe33Z7qFr85jGZQKewIvY3M0 esw=
    ie IN RRSIG NS ie. E/s89FL7qe4w8VzDBVsjDt4cks3DwRnCvrqNQeiGnxvqg9YuwXzzFssU olefnjecdmyescl/nswbj2vwlalqdvxmsyzq0fm1rgetxa4hqlbmncpg INvcqr0Qp3UnZG6anjXxysT9PZAX9yeGdYamAjAw3OdUaMVl4O0w98HJ Uok=
    ie IN NS ice.netsource.ie.
    ie IN NS gns1.domainregistry.ie.
    ie IN NS uucp-gw-1.pa.dec.com.
    ie IN NS ns-ie.nic.fr.
    ie IN NS gns2.domainregistry.ie.
    ie IN NS uucp-gw-2.pa.dec.com.
    ie IN NS banba.domainregistry.ie.
    ie IN NS ns3.ns.esat.net.
    ie IN NS b.iedr.ie.

    ;; Query time: 2 msec
    ;; SERVER: #53( )
    ;; WHEN: Tue Nov 16 15:25:
    ;; MSG SIZE rcvd: 1679
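
Slides 7 and 8 contrast a 306-byte plain answer with a 1679-byte DNSSEC answer that dig had to refetch over TCP. The Python below is an added example, not part of the original slides: it builds the `ie. ANY` query with and without an EDNS0 OPT record and works out how each response size would be delivered. The function names, the 1500-byte path MTU and the 4096-byte EDNS0 buffer size are assumptions made for illustration.

```python
import struct

TYPE_ANY, TYPE_OPT, CLASS_IN = 255, 41, 1
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
CLASSIC_UDP_LIMIT = 512      # RFC 1035 ceiling when the query carries no EDNS0 OPT
IPV4_UDP_OVERHEAD = 20 + 8   # IPv4 header without options + UDP header


def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def build_query(name, qtype, txid, edns_bufsize=None, do_bit=False):
    """Build a query; when edns_bufsize is set, append an OPT pseudo-record."""
    arcount = 0 if edns_bufsize is None else 1
    msg = struct.pack("!6H", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_bufsize is not None:
        # OPT: root owner name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL=ext-rcode|version|flags (DO, "DNSSEC OK", is 0x8000), RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize,
                                     0x8000 if do_bit else 0, 0)
    return msg


def question_end(msg):
    """Offset just past the single question (QNAME is uncompressed in a query)."""
    pos = 12
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + 1 + 4           # root label, QTYPE, QCLASS


def advertised_udp_size(query):
    """UDP payload size the client says it accepts (512 without EDNS0)."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = question_end(query)
    if arcount and query[pos:pos + 1] == b"\x00":
        rtype, size = struct.unpack("!HH", query[pos + 1:pos + 5])
        if rtype == TYPE_OPT:
            return max(size, CLASSIC_UDP_LIMIT)
    return CLASSIC_UDP_LIMIT


def truncated_reply(query):
    """Server side: header and question only, TC=1, no answer records.
    Simplification: the OPT record is not echoed back."""
    txid, flags = struct.unpack("!HH", query[:4])
    header = struct.pack("!6H", txid,
                         FLAG_QR | FLAG_AA | FLAG_TC | (flags & FLAG_RD),
                         1, 0, 0, 0)
    return header + query[12:question_end(query)]


def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR),
            "tc": bool(flags & FLAG_TC), "rcode": flags & 0x000F, "ancount": an}


def client_action(udp_reply):
    """Client side: a reply with TC=1 must be refetched over TCP."""
    return "tcp-retry" if parse_header(udp_reply)["tc"] else "udp"


def delivery(query, response_size, path_mtu=1500):
    """Classify how a response of response_size bytes reaches the client."""
    if response_size > advertised_udp_size(query):
        return client_action(truncated_reply(query))
    if response_size + IPV4_UDP_OVERHEAD > path_mtu:
        return "udp-fragmented"   # IP fragments; lost if the path drops them
    return "udp"


if __name__ == "__main__":
    plain = build_query("ie.", TYPE_ANY, 0x1A2B)
    edns = build_query("ie.", TYPE_ANY, 0x1A2B, edns_bufsize=4096, do_bit=True)
    for label, query in (("no EDNS0", plain), ("EDNS0 4096 + DO", edns)):
        for size in (306, 1679):  # MSG SIZE values from slides 7 and 8
            print(f"{label:16} {size:5} bytes -> {delivery(query, size)}")
```

The `udp-fragmented` result is where the "DNSSEC PMTU Issues" named on the introduction slide arise: the answer fits the advertised buffer but not a single packet on the assumed path.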

9 DNSSEC Challenges

10 DNSSEC Challenges

11 Challenges: DNSSEC Issues
Glynn, B :: IEDR :: 18/11/2010

12 dot IE DNSSEC Testbed

13 State of Play in dot IE
Irish DNSSEC Task Force:
Mailing List - dnssec-tf@iedr.ie
Subscribe at: dnssec-tf-subscribe@iedr.ie
Testing DNSSEC
Evaluating HSMs
Testing Key Rollovers
Development of DPS
Aiming to be signed by November 2011

14 Questions?


More information

DNSSEC Trust tree: (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d

DNSSEC Trust tree:  (A) ---dnslab.org. (DS keytag: 9247 dig (DNSKEY keytag. ---org. (DS keytag: d DNSSEC Trust tree: www.dnslab.org. (A) ---dnslab.org. (DNSKEY keytag: 7308 alg ---dnslab.org. (DNSKEY keytag: 9247 ---dnslab.org. (DS keytag: 9247 dig DNSSEC ---org. (DNSKEY keytag: 24209 a Domain Name

More information

Monitoring DNSSEC, not everything is perfect, yet

Monitoring DNSSEC, not everything is perfect, yet 1 Monitoring DNSSEC, not everything is perfect, yet / Monitoring DNSSEC, not everything is perfect, yet Stéphane Bortzmeyer AFNIC bortzmeyer@nic.fr SATIN, 4 April 2011 2 Monitoring DNSSEC, not everything

More information

Printed by Jed Crandall Sep 01, 11 6:35 netsstuff.txt PCMCIA USB IDE SCSI. Network interfaces. Framebuffer devices. Display.

Printed by Jed Crandall Sep 01, 11 6:35 netsstuff.txt PCMCIA USB IDE SCSI. Network interfaces. Framebuffer devices. Display. Sep 01, 11 6:35 Page 1/20 Script started on Thu 01 Sep 2011 05:41:59 AM MDT ^[[4mrhea^[[24m:^[[1m~^[[0m> ifconfig eth0 Link encap:ethernet HWaddr 00:24:e8:3c:98:11 inet addr:64.106.21.25 Bcast:64.106.21.255

More information

The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net

The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net The impact of DNSSEC on k.root-servers.net and ns-pri.ripe.net Olaf M. Kolkman Question What would be the immediate and initial effect on memory, CPU and bandwidth resources if we were to deploy DNSSEC

More information

Course Organization. The Internet as a Blackbox: Applications. Opening the Blackbox: The IP Protocol Stack

Course Organization. The Internet as a Blackbox: Applications. Opening the Blackbox: The IP Protocol Stack Course Organization The Internet as a Blackbox: Applications Basic terminology & concepts (protocols, API ) Dive into DNS, Email, HTTP, SNMP & their interface to the blackbox Opening the Blackbox: The

More information

Probing Open Recursive Name Servers

Probing Open Recursive Name Servers Probing Open Recursive Name Servers John Kristoff jtk@ultradns.net NANOG 37 NSP-Security BoF jtk (jtk@ultradns.net) Probing ORNSs June 6, 2006 1 / 16 ORNS Candidate Data Sets 51,196 reflector attack, Feb.

More information

22/06/ :37 DNS COMPLIANCE. Fred Baker Internet Systems Consortium

22/06/ :37 DNS COMPLIANCE. Fred Baker Internet Systems Consortium DNS COMPLIANCE Fred Baker Internet Systems Consortium Background - 2014 ISC was in the process of adding DNS COOKIE (RFC 7873) to BIND and we wanted to see how many servers would mishandle DNS COOKIE options

More information

4. Performance Specifications. 4.1 Goals and intentions of Service Level Agreements and Public Service Monitoring. Goals of Service Level Agreements:

4. Performance Specifications. 4.1 Goals and intentions of Service Level Agreements and Public Service Monitoring. Goals of Service Level Agreements: 4. Performance Specifications 4.1 Goals and intentions of Service Level Agreements and Public Service Monitoring Goals of Service Level Agreements: Service Level Agreements are set between ICANN and Registry

More information

5 DNS Security Extensions DNSSEC

5 DNS Security Extensions DNSSEC Information Security 1 (InfSi1) 5 DNS Security Extensions DNSSEC Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) Andreas Steffen, 22.10.2013, 5-DNSSEC.pptx 1 Information

More information

Monitoring DNSSEC. Martin Leucht Julien Nyczak Supervisor: Rick van Rein

Monitoring DNSSEC. Martin Leucht Julien Nyczak Supervisor: Rick van Rein Monitoring DNSSEC Martin Leucht Julien Nyczak Supervisor: Rick van Rein System and Network Engineering 2015 Introduction DNSSEC becomes more and more popular

More information

Domain Name System (DNS) Session 2: Resolver Operation and debugging. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

Domain Name System (DNS) Session 2: Resolver Operation and debugging. Joe Abley AfNOG Workshop, AIS 2017, Nairobi Domain Name System (DNS) Session 2: Resolver Operation and debugging Joe Abley AfNOG Workshop, AIS 2017, Nairobi DNS Resolver Operation How Resolvers Work (1)! If we've dealt with this query before recently,

More information

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers.

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers. Table of Contents Specification and implementation DNS Karst Koymans Informatics Institute University of Amsterdam (version 1.11, 2010/10/04 10:03:37) Tuesday, September 14, 2010 A short history of DNS

More information

Network Protocols. DNS Intel *slightly modified public version of another talk. TDC 375 Autumn 2009/10 John Kristoff DePaul University 1

Network Protocols. DNS Intel *slightly modified public version of another talk. TDC 375 Autumn 2009/10 John Kristoff DePaul University 1 Network Protocols DNS Intel *slightly modified public version of another talk TDC 375 Autumn 2009/10 John Kristoff DePaul University 1 What's in a name? dns research01.cti.depaul.edu. TDC 375 Autumn 2009/10

More information

DNS: Useful tool or just a hammer? Paul DNS-OARC 06 Oct 2013, Phoenix

DNS: Useful tool or just a hammer? Paul DNS-OARC 06 Oct 2013, Phoenix DNS: Useful tool or just a hammer? Paul Ebersman pebersman@infoblox.com, @paul_ipv6 DNS-OARC 06 Oct 2013, Phoenix 1 Attacking your cache 2 Recursion DNS queries are either recursive or nonrecursive recursive

More information

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN

ARIN Support for DNSSEC and RPKI. ION San Diego 11 December 2012 Pete Toscano, ARIN ARIN Support for DNSSEC and ION San Diego 11 December 2012 Pete Toscano, ARIN 2 DNS and BGP They have been around for a long time. DNS: 1982 BGP: 1989 They are not very secure. Methods for securing them

More information

Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University

Scott Rose, NIST Winter JointTechs Meeting Jan 30, 2011 Clemson University Scott Rose, NIST scottr@nist.gov 2011 Winter JointTechs Meeting Jan 30, 2011 Clemson University Special Thanks to RIPE NCC who provided the base slides for this tutorial. DNS is not secure Known vulnerabilities

More information

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 DNSSEC 2 2 DNS: Data Flow Zone administrator

More information

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS

12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS 12 DNS Security Extensions DNS resolution via recursive nameserver DNS request/response format Simple DNS cache poisoning The Dan Kaminsky DNS vulnerability DNS root servers DNSSEC chain of trust DNSSEC

More information