Seminar: Network and Communication Privacy
Presenter: Sabbir Ahmmed
DNS Privacy And Confidential DNS
DNSCurve: Usable security for DNS
DNS Review
Image Credit: [5]
DNS Vulnerabilities
● Three important questions
  ○ How do attackers target DNS in general?
  ○ How do attackers spy on your DNS queries?
  ○ How do attackers forge DNS responses?
Image Credit: [5]
DNSSEC
● Limitations
  ○ availability/confidentiality
  ○ responses are authenticated but not encrypted
  ○ DNSSEC only signs RRs
  ○ does not protect against DoS attacks directly
  ○ DNSSEC cannot protect against false assumptions
Source: DataStax
Introduction to DNSCurve
● Uses elliptic-curve cryptography [1], not RSA
● Daniel J. Bernstein
● Uses a particular elliptic curve, Curve25519
  ○ 1 chance in 1000000000000000000000000000 !
  ○ 3000-bit RSA
● What does DNSCurve do for me?
  ○ confidentiality
  ○ integrity
  ○ availability
  ○ other aspects
Source: DataStax
DNSCurve Protocol
uz5… followed by the 51-byte encoding of a 255-bit public key
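To make the key-name format concrete, here is an added example (not code from the slides or from dnscurve.org) that builds and parses the 54-character label a DNSCurve server puts in front of its NS name: the literal prefix uz5 plus 51 characters carrying 5 bits each, 255 bits in total. The base-32 alphabet and the little-endian bit packing are my reading of the DNSCurve implementation notes, not something the slide states, so treat them as assumptions to check against the specification.

```python
# Added example (not from the slides, nor from dnscurve.org's own code): the
# DNSCurve key name "uz5" + 51 base-32 characters, encoding a 255-bit key.
# ASSUMPTION: the alphabet and little-endian bit packing below follow my reading
# of the DNSCurve implementation notes; check them against dnscurve.org.
from typing import Optional

ALPHABET = "0123456789bcdfghjklmnpqrstuvwxyz"  # DNSCurve base-32 alphabet (assumed)
PREFIX = "uz5"
KEY_CHARS = 51        # 51 characters * 5 bits = 255 bits
KEY_BYTES = 32        # a Curve25519 public key is 32 bytes with bit 255 clear


def base32_encode(data: bytes, nbits: int) -> str:
    """Pack the low `nbits` bits of `data` (little-endian) into 5-bit groups."""
    value = int.from_bytes(data, "little") & ((1 << nbits) - 1)
    chars = []
    for _ in range((nbits + 4) // 5):
        chars.append(ALPHABET[value & 31])
        value >>= 5
    return "".join(chars)


def base32_decode(text: str, nbytes: int) -> bytes:
    """Inverse of base32_encode; raises ValueError on a character outside the alphabet."""
    value = 0
    for i, ch in enumerate(text):
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"{ch!r} is not a DNSCurve base-32 character")
        value |= idx << (5 * i)
    return value.to_bytes(nbytes, "little")


def encode_key_name(pubkey: bytes) -> str:
    """Build the 54-character label a DNSCurve server puts in front of its NS name."""
    if len(pubkey) != KEY_BYTES:
        raise ValueError("Curve25519 public keys are 32 bytes")
    if pubkey[31] & 0x80:
        raise ValueError("bit 255 of a Curve25519 public key must be clear")
    return PREFIX + base32_encode(pubkey, KEY_CHARS * 5)


def decode_key_name(label: str) -> Optional[bytes]:
    """Return the public key if `label` is a well-formed key name, else None.

    DNS names are case-insensitive, so a cache must accept UZ5... as well as uz5...
    """
    label = label.lower()
    if len(label) != len(PREFIX) + KEY_CHARS or not label.startswith(PREFIX):
        return None
    try:
        return base32_decode(label[len(PREFIX):], KEY_BYTES)
    except ValueError:
        return None   # looks like a key name but is not one: treat the server as plain DNS


def find_dnscurve_key(ns_name: str) -> Optional[bytes]:
    """A DNSCurve-aware cache checks the first label of each NS name for a key."""
    first_label = ns_name.rstrip(".").split(".")[0]
    return decode_key_name(first_label)
```

A cache that sees `find_dnscurve_key` return None simply talks ordinary DNS to that server, which is why deploying DNSCurve needs no flag day: servers without a uz5 name keep working unchanged.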
● What is sent to the server?
● How does the server open the box?
● What does the server send back?
● Speedups
  ○ The server
  ○ The cache
● Computing Curve25519 shared secrets for ten million servers: 10 minutes
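The three questions above (what the cache sends, how the server opens the box, what comes back) are easier to follow with the exchange written out. The following is an added example, not code from the slides or from any DNSCurve implementation: the client derives a Curve25519 shared secret from the server's public key and a key pair of its own, seals the DNS packet in an authenticated box with a 12-byte nonce, and the server recomputes the same secret from the client's public key, opens the box, and answers under a 24-byte nonce made of the client half and its own half. The magic strings, field offsets and nonce layout are my reading of the DNSCurve streamlined format and are assumptions; the SHA-256/HMAC "box" is a stand-in for the real crypto_box (XSalsa20-Poly1305) so that the file runs with the standard library alone, and the pure-Python X25519 follows RFC 7748 but is illustrative, not constant-time.

```python
# Added example, not code from the slides or from any DNSCurve implementation.
# ASSUMPTIONS: magic strings, field offsets and nonce layout follow my reading of
# the DNSCurve streamlined format; the SHA-256/HMAC "box" stands in for the real
# XSalsa20-Poly1305 crypto_box so the file runs with the standard library only.
import hashlib, hmac, os

P = 2**255 - 19
BASEPOINT = (9).to_bytes(32, "little")
QUERY_MAGIC = b"Q6fnvWj8"      # assumed DNSCurve query marker
RESPONSE_MAGIC = b"R6fnvWJ8"   # assumed DNSCurve response marker


def x25519(scalar: bytes, point: bytes) -> bytes:
    """RFC 7748 Montgomery ladder; illustrative only, not constant-time."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    k = int.from_bytes(k, "little")
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        e = (aa - bb) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def shared_key(my_secret: bytes, their_public: bytes) -> bytes:
    """Both sides derive the same 32-byte key (real DNSCurve uses HSalsa20 here, not SHA-256)."""
    return hashlib.sha256(x25519(my_secret, their_public)).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, ctr = [], 0
    while 32 * len(blocks) < n:
        blocks.append(hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest())
        ctr += 1
    return b"".join(blocks)[:n]


def box_seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: 16-byte tag || ciphertext."""
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16] + ct


def box_open(key: bytes, nonce: bytes, boxed: bytes):
    """Return the plaintext, or None if the tag does not verify (wrong key or tampered)."""
    tag, ct = boxed[:16], boxed[16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def client_build_query(server_pub: bytes, dns_packet: bytes):
    """Cache side: fresh key pair + 12-byte nonce, DNS packet sealed for the server."""
    client_secret = os.urandom(32)
    client_pub = x25519(client_secret, BASEPOINT)
    client_nonce = os.urandom(12)
    key = shared_key(client_secret, server_pub)
    boxed = box_seal(key, client_nonce + bytes(12), dns_packet)  # query nonce zero-padded to 24
    return QUERY_MAGIC + client_pub + client_nonce + boxed, (key, client_nonce)


def server_handle_query(server_secret: bytes, wire: bytes, resolve):
    """Server side: recompute the shared key from the client's public key, open the box."""
    if wire[:8] != QUERY_MAGIC:
        return None                       # ordinary DNS packet: normal resolver path instead
    client_pub, client_nonce, boxed = wire[8:40], wire[40:52], wire[52:]
    key = shared_key(server_secret, client_pub)
    query = box_open(key, client_nonce + bytes(12), boxed)
    if query is None:
        return None                       # wrong key or altered in transit: drop it
    nonce = client_nonce + os.urandom(12)  # response nonce = client half || server half
    return RESPONSE_MAGIC + nonce + box_seal(key, nonce, resolve(query))


def client_open_response(state, wire: bytes):
    """Cache side: the echoed client nonce ties the reply to our query; then open the box."""
    key, client_nonce = state
    if wire[:8] != RESPONSE_MAGIC or wire[8:20] != client_nonce:
        return None                       # not a reply to our query: ignore
    return box_open(key, wire[8:32], wire[32:])


def demo_exchange(dns_packet: bytes, tamper: bool = False):
    """Full round trip with fresh server keys; `tamper` flips one ciphertext bit in transit."""
    server_secret = os.urandom(32)
    server_pub = x25519(server_secret, BASEPOINT)   # the key the uz5 name advertises
    wire, state = client_build_query(server_pub, dns_packet)
    reply = server_handle_query(server_secret, wire, lambda q: b"ANSWER:" + q)
    if tamper:
        reply = reply[:-1] + bytes([reply[-1] ^ 0x01])
    return client_open_response(state, reply)
```

Two design points the code makes visible: the server keeps no per-client state (everything it needs arrives in the query), and a forged or modified packet fails the tag check and is dropped rather than answered. The example generates a fresh cache key pair per query for simplicity; the "Speedups" bullet refers to a cache reusing its key pair and remembering the shared secret per server, so the Curve25519 computation happens once per server rather than once per query.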
DNSCurve: How to get it
● Simply upgrade your DNS cache
  ○ dnscache
  ○ BIND
  ○ PowerDNS Recursor
  ○ Nominum
  ○ MaraDNS
  ○ Unbound
● No extra cache configuration is required
● No extra firewall configuration is required
● Network bandwidth remains essentially unchanged
● ISP's DNS vs. cache DNS (side benefit)
● Daily copies of the root zone (side benefit)
Implementations
● CurveDNS
  ○ allows DNS administrators to protect existing installations without patching
● DNSCrypt from OpenDNS
  ○ protects the channel between OpenDNS and its users
● CurveProtect
  ○ for common services like DNS, SSH, HTTP, and SMTP
References and bibliography
1. DNSCurve project page: http://dnscurve.org/index.html
2. Daniel J. Bernstein, "Curve25519: new Diffie-Hellman speed records", 2006
3. NSA, "The Case for Elliptic Curve Cryptography"
4. Adam Langley, "What a difference a prime makes"
5. CurveProtect software (experimental)
6. "DNS Cache Poisoning: Definition and Prevention"
Conclusion
The slides are published under a permissive license (Creative Commons BY-SA).