New Challenges and Dangers for the DNS. Jim Reid ORIGIN TIS-INS

Similar documents
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration. Chapter 5 Introduction to DNS in Windows Server 2008

DNSSEC DNS SECURITY EXTENSIONS INTRODUCTION TO DNSSEC FOR SECURING DNS QUERIES AND INFORMATION

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

Secured Dynamic Updates

Lesson 9: Configuring DNS Records. MOAC : Administering Windows Server 2012

DNS. Some advanced topics. Karst Koymans. Informatics Institute University of Amsterdam. (version 17.2, 2017/09/25 12:41:57)

Agha Mohammad Haidari General ICT Manager in Ministry of Communication & IT Cell#

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Domain Name System (DNS)

DNS. Karst Koymans & Niels Sijm. Friday, September 14, Informatics Institute University of Amsterdam

Some advanced topics. Karst Koymans. Tuesday, September 16, 2014

How to Configure DNS Zones

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS

Domain Name System Security

Apple 9L Mac OS X Security and Mobility Download Full Version :

Domain Name System (DNS) DNS Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale. The old solution: HOSTS.

Domain Name System Security

Domain Name System Security

Request for Comments: 2535 Obsoletes: 2065 March 1999 Updates: 2181, 1035, 1034 Category: Standards Track

DNS. Introduction To. everything you never wanted to know about IP directory services

Resource Records APPENDIXA

Resource Records. Host Address Name-to-address mapping for the zone. Table 1: Resource Records

Domain Name System (DNS) Session-1: Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale

Domain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

By Paul Wouters

DNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46

Resource Records APPENDIX

Reverse DNS Overview

Managing DNS Firewall

Examination 2D1392 Protocols and Principles of the Internet 2E1605 Internetworking. Date: March 9 th 2007 at 8:00 13:00 SOLUTIONS

Domain Name System - Advanced Computer Networks

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

DNS. A Massively Distributed Database. Justin Scott December 12, 2018

APNIC elearning: DNS Concepts

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

DNS Naming for Windows DECUS Symposium in Bonn 2002

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

IPv6 Support in the DNS. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

This video will look at how to create some of the more common DNS records on Windows Server using Remote Administration Tools for Windows 8.

Web Security. Mahalingam Ramkumar

This time. Digging into. Networking. Protocols. Naming DNS & DHCP

Page 1 of 7 SUMMARY MORE INFORMATION. Windows 2000 DNS Event Messages 1616 Through Microsoft resource record (RR) problems.

DNS & Iodine. Christian Grothoff.

CSC 574 Computer and Network Security. DNS Security

Conexim DNS Administrator s Guide. Conexim DNS Administrator s Guide

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS.

Managing Resource Records

Request for Comments: 3007 Updates: 2535, 2136 November 2000 Obsoletes: 2137 Category: Standards Track. Secure Domain Name System (DNS) Dynamic Update

Networking Applications

Expires: October 2000 April 2000

Request for Comments: 2230 Category: Informational November 1997

An Overview of DNSSEC. Cesar Diaz! lacnic.net!

S Computer Networks - Spring What and why? Structure of DNS Management of Domain Names Name Service in Practice

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Course Outline: Linux Professional Institute-LPI 202. Learning Method: Instructor-led Classroom Learning. Duration: 5.00 Day(s)/ 40 hrs.

DEPLOY A DNS SERVER IN A SECURE WAY

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

Request for Comments: Category: Informational October 1994

Managing Caching DNS Server

phoenixnap Client Portal

DNS Fundamentals. Steve Conte ICANN60 October 2017

APNIC elearning: Cryptography Basics

Internet Protocol Version 6: advanced features. The innovative aspects of IPv6

DNSSEC. Lutz Donnerhacke. db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb dig +dnssec e164.arpa. naptr

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

RSA and ECDSA. Geoff Huston APNIC. #apricot2017

Key Management and Distribution

ENUM DNS Provisioning

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers.

Expires: August 1998 February DNS Operational Security Considerations Status of This Document

Configuration of Authoritative Nameservice

Manage Your DNS In The Cloud Get Started With Route 53

CS Computer Networks 1: Authentication

BIND-USERS and Other Debugging Experiences. Mark Andrews Internet Systems Consortium

Internet Load Balancing Guide. Peplink Balance Series. Peplink Balance. Internet Load Balancing Solution Guide

Hands-On Microsoft Windows. Chapter 8 p Managing Windows Server 2008 Network Services

Network Working Group

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1

Cryptography and Network Security

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Network Security. Security of Mobile Internet Communications. Chapter 17. Network Security (WS 2002): 17 Mobile Internet Security 1 Dr.-Ing G.

DNS Mark Kosters Carlos Martínez ARIN - LACNIC

RFC 2181 Ranking data and referrals/glue importance --- new resolver algorithm proposal ---

Expires: June 16, 2004 VeriSign R. Austein ISC D. Massey USC/ISI S. Rose NIST December 17, 2003

Table of Contents DNS. Short history of DNS (1) DNS and BIND. Specification and implementation. A short history of DNS. Root servers.

Network Security: IPsec. Tuomas Aura

Configuring DNS. Finding Feature Information

Documentation. Name Server Predelegation Check

Session J9: DNSSEC and DNS Security

BIND 9 Administrator Reference Manual

DNS Mark Kosters Carlos Martínez {ARIN, LACNIC} CTO

Response Differences between NSD and other DNS Servers

FreeBSD Portsnap. What (it is), Why (it was written), and How (it works) Colin Percival The FreeBSD Project

Category: Experimental June DNS NSAP Resource Records. Status of this Memo

Assessing and Improving the Quality of DNSSEC

IPv6 support in the DNS

CSCE 463/612 Networks and Distributed Processing Spring 2018

Grandstream Networks, Inc. DNS SRV Guide

Transcription:

New Challenges and Dangers for the DNS Jim Reid ORIGIN TIS-INS Jim.Reid@nl.origin-it.com DNS Challenges - Netadmin99 Santa Clara Slide 1

Introduction new technologies IPv6, W2K dynamic DNS updates secure DNS new resource records NXT, KEY, SIG, TSIG AAAA, SRV, IXFR A6, DNAME close inter-relationships probably unavoidable DNS Challenges - Netadmin99 Santa Clara Slide 2

IPv6 128-bit addresses cumbersome reverse lookups ip6.int domain analagous to in-addr.arpa DNS Challenges - Netadmin99 Santa Clara Slide 3

W2K WINS dies (rejoice!) replaced by Active Directory Service depends on SRV records dynamic DNS updates WINS-like on the fly registration: names and addresses services - printing, dialup, etc DNS Challenges - Netadmin99 Santa Clara Slide 4

Secure DNS strong authentication name servers queries industrial-strength crypto Diffie-Hellman, RSA strong checksumming DSS, MD5 DNS Challenges - Netadmin99 Santa Clara Slide 5

Dynamic Updates on the fly updates of zone data needed for plug & play updates SOA zone version number BIG problems security write access to zone data scaling zone transfer storms on Monday morning zone synchronisation who updates forward & reverse zones? DNS Challenges - Netadmin99 Santa Clara Slide 6

Dynamic DNS Scaling Worries each (set of) updates bumps SOA => zone transfer to slaves get DHCP server to batch updates? writing transaction logs on name servers will slow this anyway DNS Challenges - Netadmin99 Santa Clara Slide 7

Dynamic DNS - Security Worries who gets write access to DNS zone? no fine-grained control anyone can change just about anything obviously not for desktops only for "trusted" systems sane DHCP servers even then use secure Dynamic DNS DNS Challenges - Netadmin99 Santa Clara Slide 8

Dynamic DNS & W2K W2K depends on Dynamic DNS makes DNS more WINS-like who wants a W2K box scribbling on their DNS data? put em in a leper colony delegate w2k.foo.bar (say) make ntbox.foo.bar a CNAME for ntbox.w2k.foo.bar weird WINS-like names undocumented JSPNRMPTGSBSSDIR from Remote Access Service DNS Challenges - Netadmin99 Santa Clara Slide 9

Dynamic DNS - Forward and Reverse Zones who does what? DHCP server does forward and reverse updates "atomic" operation least insecure method dynamic name/address mappings not good for dial-in pools what about fixed names or addresses? bind names and IP addresses to MAC addresses? might need this for IPv6 DNS Challenges - Netadmin99 Santa Clara Slide 10

Dynamic DNS - Forward and Reverse Zones DHCP server does forward update, client updates reverse zone seems to be the W2K approach asynchronous forward/reverse updates dial-ins can assign fixed names do you want random computers updating the DNS? scaling and security worries again DNS Challenges - Netadmin99 Santa Clara Slide 11

Secure Dynamic Updates RFC2137 crypto authentication a bit of a misnomer only authenticates the request no say over what the request changes DNS Challenges - Netadmin99 Santa Clara Slide 12

not much happening DHCP & Dynamic DNS ISC DHCP development stalled Microsoft could well drive this use static names in DNS (for now) hassles for roaming users move away from host-based authentication in long run? DNS Challenges - Netadmin99 Santa Clara Slide 13

Incremental Zone Transfer RFC1995 IXFR query type send deltas, not whole zones meant for.com implemented in BIND8.2 special case of dynamic updates comparable semantics DNS Challenges - Netadmin99 Santa Clara Slide 14

New Resource Records SRV service location SIG crypto-signature for a RR NXT what RRs have SIG records KEY public keys of SIG records shared secrets for TSIG? DNS Challenges - Netadmin99 Santa Clara Slide 15

More New Resource Records AAAA IPv6 addresses A6 map a domain name to an IPv6 address IPv6 delegation & reverse lookup should replace AAAA DNAME CNAMEs for domains DNS Challenges - Netadmin99 Santa Clara Slide 16

The SRV RR RFC2052 due for update Real Soon Now format: _Service._Proto.Name SRV Priority Weight Port Target example: _http._tcp.www.a.net. SRV 0 0 80 foo.bar. web service for www.a.net is on TCP port 80 of foo.bar. priority field is like MX priority weight field is for crude load balancing underscores in new standard DNS Challenges - Netadmin99 Santa Clara Slide 17

The TSIG RR type on standards track, no RFC yet transaction signatures lightweight authentication relies on a shared secret: HMAC-MD5 other algorithms possible not in zone files computed on the fly appended to additional data section DNS Challenges - Netadmin99 Santa Clara Slide 18

The KEY RR defined in RFC2065 public key for some name format: name KEY flags proto algorithm public-key flags - what kind of key? user, zone, IPsec, etc proto - identify non-dns applications SSH?, SSL?, email, IPsec, Kerberos? keys crypto algorithm - MD5/RSA base-64 encoding of key DNS Challenges - Netadmin99 Santa Clara Slide 19

Example KEY RR foo.com. IN KEY 513 3 1 ( \ AQOxuZdEyFDlONGz9xF3fdAvG \ PaUqj6s727UOXVtXKcyodC0EM \ C+82L1cDFa1AqsgPrMjHRqfzL \ iaaovkypof+sdwr+fd/dgzkax \ nk1fkrmrtydoznk3uqfje5n2q \ usddmzpkhet1qwiszowjjzcgu \ WU1wyH/B7TPTvuaPen/ExayQ== \ ) DNS Challenges - Netadmin99 Santa Clara Slide 20

The SIG RR also defined in RFC2065 format: name SIG type flags proto algorithm \ time-rr-signed sig-expiry-time \ footprint signer signature type is the RR type that is signed proto, flags and algorithm identify crypto timestamps thwart cryptanalytic replay and replay attacks => secure NTP signer: who signed the SIG signature in base-64 encoding DNS Challenges - Netadmin99 Santa Clara Slide 21

The SIG RR continued each SIG RR signs 1 resource record signer identifies relevant KEY RR delegated signing authority postmaster could sign MX records DNS Challenges - Netadmin99 Santa Clara Slide 22

Example SIG RR bar.foo.com. SIG MX 1 3 ( \ 19960102030405 \ 19961211100908 \ 21435 \ foo.com. \ MxFcby9k/yvedMfQgKzhH5er0Mu/ \ vilz45ikskcefggiwcn/gxhhai6v \ AuHAoNUz4YoU 1tVfSCSqQYn6//1 \ 1U6Nld80jEeC8aTrO+KKmCaY= ) DNS Challenges - Netadmin99 Santa Clara Slide 23

defined in RFC2065 The NXT RR which RRs are signed or not authentication of non-existent names RR type not found in zone files derived from zone contents in auth. section of reply from a secure name server example: foo.bar.com. NXT foo.bar.com. A NXT DNS Challenges - Netadmin99 Santa Clara Slide 24

SIG/KEY RR Generation primitive tools in BIND8.2 dnskeygen dnssigner scant documentation DNS Challenges - Netadmin99 Santa Clara Slide 25

Interesting SIG/KEY/TSIG Problems signing zone transfers wildcard resource records normalised RR names: all lower-case fully qualified domain names standard TTL values what original data was signed? DNS Challenges - Netadmin99 Santa Clara Slide 26

a very hard problem Key Management but we already knew that... private keys and shared secrets in /etc/named.conf server statements key statements very ugly an N-squared problem DNS Challenges - Netadmin99 Santa Clara Slide 27

Secure DNS Problems public-key crypto is expensive not for common usage signing "important" data zone transfers? keys, e-commerce? TSIG is computationally cheap-ish maybe for resolving? shared secret a problem: can t be secret probably OK dynamic DNS "trusted" DHCP servers DNS Challenges - Netadmin99 Santa Clara Slide 28

Secure DNS Concerns establishing relationships of trust between name servers master and slave servers intra- and inter-domain does foo.com. "trust" com.? does foo.com. "trust" bar.com.? does com. "trust" foo.com.? DNS Challenges - Netadmin99 Santa Clara Slide 29

Secure DNS and Top Level Domains query rate on TLD name servers: 2000/sec on Internet root server where is the compute power for even TSIG? key management for.com domain?million key & server statements? memory usage signing every RR makes zone 10x bigger! currently 600 Mb for unsigned.com domain DNS Challenges - Netadmin99 Santa Clara Slide 30

defined in RFC1886 The AAAA RR IPv6 notation from RFC1884 example IN AAAA 1080:0:0:0:8:800:200C:417A example IN AAAA 1080::8:800:200C:417A example IN AAAA 1080:0:0:0:8:800:32.12.65.122 example IN AAAA 1080::8:800:32.12.65.122 unwieldy PTR records b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0. \ 0.1.0.0.0.0.0.0.0.1.2.3.4.IP6.INT. PTR example may be obsoleted by A6 RR type DNS Challenges - Netadmin99 Santa Clara Slide 31

The A6 RR no RFC yet - on standards track two or three fields prefix length textual representation of IPv6 address domain name if non-zero prefix length example CC.NET.ALPHA-TLA.ORG. A6 0 2345:00C0:: C.NET.ALPHA-TLA.ORG "owns" IPv6 addresses beginning 2345:00C0 DNS Challenges - Netadmin99 Santa Clara Slide 32

The DNAME RR no RFC yet - on standards track format: owner DNAME target example: d.e.f. DNAME w.xy. lookup of a.b.c.d.e.f => lookup of a.b.c.w.xy useful with: A6 records RFC2317-style delegations DNS Challenges - Netadmin99 Santa Clara Slide 33

IPv6 and DNAME/A6 Records A6 & DNAME records are cleaner smaller and simpler ip6.int zone easier to manage & delegate regional, provider, subscriber bits parallel address spaces easier renumbering! should replace AAAA records bottom bits come from MAC address => dynamic DNS?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback