•WWW.OIT.DUKE.EDU• DNSSEC 101 Kevin Miller

DNSSEC 101

Jan 07, 2016

Transcript
Page 1: DNSSEC  101

DNSSEC 101

Kevin Miller

Page 2: DNSSEC  101

DNS Underpins Everything

Email

Web

Enterprise Systems

VoIP

IM

CMS

Page 3: DNSSEC  101

DNS Underpins Everything

Email

Web

Enterprise Systems

VoIP

IM

CMS

Inbound Email Volume

Received Email
Spam, virus filtering using DNS

10+ DNS Queries Per Message

Page 4: DNSSEC  101

Risks from DNS Attacks

• Impersonate your web site
• Redirect your phone calls
• Man-in-the-middle (password theft)
• Reroute or block your email
• Disrupt your network, application services
• Attack vectors for malware (data theft)
• Denial of service

Diagram source: Internet Storm Center

Page 5: DNSSEC  101

DNS Attack: Cache Poisoning

Where is website.com?

Answer: 67.11.23.9
Also, www.bank.com – 12.1.2.3

Page 6: DNSSEC  101

DNS Attack: Forgery

Where is educause.edu?

Answer: 198.59.61.65

Answer: 12.1.2.3

Page 7: DNSSEC  101

DNS Attack: Indirection

Where is educause.edu?

Answer: 12.1.2.3

Page 8: DNSSEC  101

DNS Attack: Amplification

60 byte request

4000 byte response

Page 9: DNSSEC  101

Software Defects

Buffer overflow

Other vectors

Page 10: DNSSEC  101

Risk Reduction To Date

• Improving weaknesses in DNS software
  – Patching software defects
  – Limiting cache poisoning opportunities

• Improve operational best practices
  – Restrict access to DNS recursers
  – Install anti-IP spoofing filters

• Improve host security
  – Anti-virus, anti-malware defenses

Photo source: BCP38
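
One way a recurser can limit the cache poisoning opportunity shown on the Cache Poisoning slide is a bailiwick check: records for names outside the zone the queried server was asked about are discarded rather than cached. This Python sketch is an added example, not part of the original slides; the function names and the tuple record format are assumptions made for illustration.

```python
# Added example (not from the slides): bailiwick filtering of a DNS response.
# Records are simplified to (owner_name, type, rdata) tuples; a real resolver
# applies the same rule to the parsed answer, authority and additional sections.

def normalize(name):
    """Lower-case a DNS name and drop the trailing dot (the root becomes '')."""
    return name.rstrip(".").lower()

def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a label-aligned subdomain of it."""
    owner, zone = normalize(owner), normalize(zone)
    if zone == "":                      # a root server may speak for any name
        return True
    # Require a dot before the suffix so 'notwebsite.com' does not match.
    return owner == zone or owner.endswith("." + zone)

def filter_response(zone, records):
    """Split records into (cacheable, discarded) for a server queried for zone."""
    cacheable, discarded = [], []
    for record in records:
        target = cacheable if in_bailiwick(record[0], zone) else discarded
        target.append(record)
    return cacheable, discarded

# Constructed response mirroring the cache-poisoning slide, plus one suffix
# look-alike name to exercise the label-boundary check.
SAMPLE_RESPONSE = [
    ("website.com.", "A", "67.11.23.9"),
    ("www.bank.com.", "A", "12.1.2.3"),
    ("notwebsite.com.", "A", "12.1.2.3"),
]

if __name__ == "__main__":
    keep, drop = filter_response("website.com", SAMPLE_RESPONSE)
    for record in keep:
        print("cache  ", record)
    for record in drop:
        print("discard", record)
```

Bailiwick filtering only stops unrelated names riding along in a response; a forged answer for the queried name itself, as on the Forgery slide, still passes, which is the gap DNSSEC signatures close.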

Page 11: DNSSEC  101

DNSSEC

• Cryptographically sign DNS records
  – Also the absence of records

• Maintains DNS architecture
  – Hierarchical, distributed signatures

• Significant risk reduction, if used widely
  – Protects you (www.school.edu)
  – Protects your users (www.bank.com)

Page 12: DNSSEC  101

What Can Be Done Now?

• Discover local implications
  – How do you manage DNS? What tools are used?
  – What impact would DNSSEC have?
  – Do your vendors support it?
  – Can your servers handle DNSSEC overhead?

• Begin building expertise, experience
  – Sign a test zone
  – Deploy a test DNSSEC recurser

• Deployment
  – Sign your zones
  – Utilize DNSSEC-enabled recurser with DLV

Page 13: DNSSEC  101

Additional Resources

• http://www.dnssec.net
• http://www.bind9.net
• http://www.dnsreport.com
• http://www.dnssec-deployment.org/
• http://www.uoregon.edu/~joe/port53wars/port53wars.pdf
• http://www.nanog.org/mtg-0606/damas.html