Modeling DNS Security: Misconfiguration, Availability, and Visualization
Casey Deccio
Sandia National Laboratories
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy’s National Nuclear Security Administration under contract DE-AC04-94AL85000.
BYU Computer Science Dept. Colloquium
Sep 9, 2010
Criticality of the DNS
The DNS is the “phone book” for the Internet
Domain name to IP address translation
Mail server lookup
Service discovery
Most Internet applications rely on DNS name resolution
[Figure: a client sends "Query: www.foo.com/A ?" and receives "Answer: 192.0.2.16"]
Availability and security
DNS must be both available and accurate
Security was added as a retrofit
Security increases complexity
Troubleshooting is difficult
Misconfigurations abound, rendering name resolution unavailable
Examples: medicare.gov, nasa.gov, arpa
Objectives
Establish model and metrics for assessing availability of DNSSEC deployments
Quantify complexity that may increase potential for DNSSEC misconfiguration
Introduce techniques to mitigate effects of misconfiguration
[Figure: a client sends "Query: www.foo.com/A ?" and receives "Answer: 192.0.2.16"]
Outline
DNS/DNSSEC background
DNSSEC availability model
DNS complexity analysis
Misconfiguration mitigation
DNSSEC visualization
Summary and future work
DNS namespace
Namespace is organized hierarchically
DNS root is top of namespace
Zones are autonomously managed pieces of DNS namespace
Subdomain namespace is delegated to child zones
[Figure: namespace tree with the root (.) at the top; the root delegates com and net; com delegates bar.com and foo.com; net delegates baz.net]
DNS name resolution
Resolvers query authoritative servers
Queries begin at root zone, resolvers follow downward referrals
Resolver stops when it receives authoritative answer
[Figure: a stub resolver sends "Query: www.bar.com/A ?" to a recursive resolver; the recursive resolver queries the authoritative servers for ., com, and bar.com in turn, following each referral, and returns "Answer: 192.0.2.16" to the stub resolver]
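The namespace and resolution slides above describe one procedure: the namespace is a tree of delegated zones, and a recursive resolver walks it from the root, following each referral downward until an authoritative server answers. The following Python model is an added example, not code from the talk. Every zone, nameserver name and server address in it is constructed (192.0.2.0/24 is the documentation address range); only the query name www.bar.com and the answer 192.0.2.16 are taken from the slide's figure.

```python
"""Toy iterative resolver: start at the root, follow downward referrals,
stop at the first authoritative answer.

Added example, not from the talk. All zone data and server addresses are
constructed; the query name www.bar.com and the answer 192.0.2.16 mirror
the slide's figure.
"""

# Constructed: which zone each (fictional) authoritative server serves.
ROOT_SERVER = "192.0.2.1"
SERVERS = {
    "192.0.2.1": ".",
    "192.0.2.2": "com.",
    "192.0.2.53": "bar.com.",
}

# Constructed zone contents: zone apex -> {(owner, type): [rdata, ...]}.
# Each parent holds only NS records (plus glue A records) for the child
# zones it delegates; the child zone holds the real answer.
ZONES = {
    ".": {
        ("com.", "NS"): ["ns1.com."],
        ("ns1.com.", "A"): ["192.0.2.2"],          # glue for the com delegation
    },
    "com.": {
        ("bar.com.", "NS"): ["ns1.bar.com."],
        ("ns1.bar.com.", "A"): ["192.0.2.53"],     # glue for the bar.com delegation
    },
    "bar.com.": {
        ("www.bar.com.", "A"): ["192.0.2.16"],
        ("ns1.bar.com.", "A"): ["192.0.2.53"],
    },
}


def is_subdomain(name, zone):
    """True if name lies at or below zone (every name is below the root)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query_authoritative(server_addr, qname, qtype):
    """Simulate one query to an authoritative server.

    Returns ("answer", rdata) when the server holds the record,
    ("referral", (child_zone, [child_server_addrs])) when it delegates the
    name to a child zone, or ("nxdomain", None) otherwise.
    """
    zone = SERVERS[server_addr]
    data = ZONES[zone]
    if (qname, qtype) in data:
        return ("answer", data[(qname, qtype)])
    # Find the most specific delegation below this zone that encloses qname.
    best = None
    for (owner, rtype) in data:
        if rtype == "NS" and owner != zone and is_subdomain(qname, owner):
            if best is None or len(owner) > len(best):
                best = owner
    if best is None:
        return ("nxdomain", None)
    glue = [addr for ns in data[(best, "NS")] for addr in data.get((ns, "A"), [])]
    return ("referral", (best, glue))


def resolve(qname, qtype, max_steps=10):
    """Iterative resolution as a recursive resolver performs it.

    Returns (rdata_or_None, trail), where trail lists the zones consulted in
    order. A real resolver also caches, retries other nameservers and
    validates DNSSEC; this model shows only the referral chain.
    """
    server = ROOT_SERVER
    trail = []
    for _ in range(max_steps):
        kind, payload = query_authoritative(server, qname, qtype)
        trail.append(SERVERS[server])
        if kind == "answer":
            return payload, trail
        if kind == "nxdomain":
            return None, trail
        child, addrs = payload
        if not addrs:
            raise RuntimeError(f"referral to {child} carried no glue; cannot continue")
        server = addrs[0]
    raise RuntimeError("referral chain too long (delegation loop?)")


if __name__ == "__main__":
    answer, trail = resolve("www.bar.com.", "A")
    print(" -> ".join(trail), "=>", answer)   # . -> com. -> bar.com. => ['192.0.2.16']
    print(resolve("www.baz.com.", "A"))       # (None, ['.', 'com.'])
```

The trail returned by `resolve` is exactly the chain in the figure (root, com, bar.com); a name with no delegation, such as the constructed www.baz.com, stops at the com server with no answer. The `RuntimeError` branches are the two ways a broken delegation shows up in practice: a referral whose nameservers cannot be reached, and a chain that never terminates.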
DNS attacks
Tainted DNS responses can direct users to malicious services
To forge DNS responses:
Guess query ID and UDP source port
Arrive before legitimate response
Attacker's success rate increased by:
Eliciting queries of the resolver
Sending large number of responses
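The slide says a forged response has to match the query ID and the UDP source port and arrive first. The Python below is an added example, not from the talk, written from the resolver's side: it shows the matching a resolver performs before accepting a response, counts the responses that fail that check (the observable side effect of someone sending large numbers of responses), and quantifies how much harder the guess becomes when the source port is randomized as well as the 16-bit ID. The `Query` and `Response` records are constructed stand-ins for the real message fields, and the sample addresses are constructed.

```python
"""Resolver-side response matching, and the effect of query-ID plus
source-port randomization on a blind forgery.

Added example, not from the talk. Query/Response are constructed stand-ins
for the real DNS message fields; the arithmetic assumes the resolver picks
IDs and ports uniformly at random.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int    # 16-bit DNS message ID chosen by the resolver
    sport: int   # UDP source port the resolver sent from
    qname: str
    qtype: str


@dataclass(frozen=True)
class Response:
    txid: int
    dport: int   # UDP port the response was addressed to
    qname: str
    qtype: str
    rdata: str


def new_query(qname, qtype, randomize_port=True):
    """Outstanding query as a resolver would issue it. With randomize_port
    False the resolver reuses one fixed port (the weak setting), so only the
    16-bit ID separates a legitimate response from a forged one."""
    txid = secrets.randbelow(1 << 16)
    sport = 1024 + secrets.randbelow(65536 - 1024) if randomize_port else 53
    return Query(txid, sport, qname, qtype)


def matches(query, response):
    """Accept a response only if its ID, destination port and question all
    match the outstanding query; everything else is discarded."""
    return (response.txid == query.txid
            and response.dport == query.sport
            and response.qname == query.qname
            and response.qtype == query.qtype)


def count_mismatched(query, responses):
    """Responses that arrived for this query but failed to match. A burst of
    these in a short window is what a flood of forged responses looks like
    from the resolver, and is worth alerting on."""
    return sum(1 for r in responses if not matches(query, r))


def forge_success_probability(n_forged, id_bits=16, port_bits=0):
    """Chance that n distinct blind guesses include the right (ID, port) pair.
    port_bits=0 models a fixed source port; port_bits=16 models roughly 64K
    randomized ports."""
    space = 2 ** (id_bits + port_bits)
    return min(1.0, n_forged / space)


if __name__ == "__main__":
    q = Query(0x1234, 40000, "www.foo.com.", "A")          # constructed
    legit = Response(0x1234, 40000, "www.foo.com.", "A", "192.0.2.16")
    forged = [Response(i, 53, "www.foo.com.", "A", "203.0.113.9")  # constructed
              for i in range(1000)]
    print("legitimate accepted:", matches(q, legit))            # True
    print("forged dropped:", count_mismatched(q, forged))       # 1000
    print("fixed port, 65536 guesses:", forge_success_probability(65536))
    print("random port, 65536 guesses:", forge_success_probability(65536, port_bits=16))
```

With a fixed port, 65536 distinct guesses cover the whole ID space; with the port randomized as well the same effort reaches one part in 65536, which is why the first check a defender makes on a recursive resolver is that it randomizes source ports, and why a spike in `count_mismatched` is a signal worth keeping in the logs.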