Understanding the DNS & DNS Security
Dec 27, 2014
The World’s Network – the Domain Name System
+ An Internet Protocol (IP) address identifies a device (laptop, phone, server) on the network
+ The Domain Name System maps human-readable names to IP addresses
+ IP routing and the DNS together are the underpinning of a unified Internet
A sample DNS query
Diagram: a client asks “Where is www.iana.org?” and receives the answer 192.0.2.1
Making the DNS Secure
+ A computer sends a question to a DNS server, like “Where is IANA.org?”
+ It receives an answer and assumes that it is correct
+ Traffic on the Internet can be intercepted and modified in many ways, so the answer that arrives may be forged
Receiving the Wrong Answer
Diagram: the client asks “Where is www.iana.org?” and two answers are shown, 192.0.2.0 and 13.13.14.0; the client has no way to tell which one is genuine
Poisoning a Cache
+ Attacker knows that iterative resolvers cache what they receive
+ Attacker composes a DNS response carrying malicious data about a targeted domain
+ Attacker tricks a resolver into adding that malicious data to its local cache
+ Later queries processed by the resolver return the malicious data for the lifetime of the cached entry
+ Example: a user at “My Mac” clicks on a URL in an email message from [email protected]
Diagram: My Mac asks its local resolver “What is the IPv4 address for loseweigh<astnow.com?”; the resolver forwards the query to the ecrime name server, which replies “loseweigh<astnow.com IPv4 address is 192.168.1.1 – ALSO www.ebay.com is at 192.168.1.2”; the resolver thinks “I’ll cache this response… and update www.ebay.com”
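The exchange in the diagram above, as an added worked example (not part of the original ICANN deck): a toy Go resolver cache that accepts the unsolicited “ALSO … is at …” record exactly as the slide’s resolver does, beside the same cache with the bailiwick check that real resolvers adopted, which discards any record for a name outside the zone the responding server is authoritative for. The zone and host names (ecrime.example, www.victim.example) and the addresses are constructed stand-ins for the slide’s ecrime name server and the hijacked site; TTL handling and the rest of the DNS message are omitted.

```go
package main

import (
	"fmt"
	"strings"
)

// RR is a minimal A record: an owner name and the IPv4 address it maps to.
type RR struct {
	Name string
	IPv4 string
}

// Response models the parts of a DNS reply that a caching resolver looks at.
type Response struct {
	Question   string // the name the resolver asked about
	Answer     []RR   // records that answer the question
	Additional []RR   // extra records the server volunteered; the attacker's payload rides here
}

// Cache is the resolver's name -> IPv4 table (TTLs omitted for brevity).
type Cache map[string]string

// records flattens the answer and additional sections into one fresh slice.
func records(r Response) []RR {
	all := make([]RR, 0, len(r.Answer)+len(r.Additional))
	all = append(all, r.Answer...)
	return append(all, r.Additional...)
}

// inBailiwick reports whether name is at or below zone (case-insensitive, trailing dot optional).
func inBailiwick(name, zone string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	z := strings.ToLower(strings.TrimSuffix(zone, "."))
	return n == z || strings.HasSuffix(n, "."+z)
}

// CacheNaively stores every record the server returned, exactly as the slide's resolver does.
func (c Cache) CacheNaively(r Response) {
	for _, rr := range records(r) {
		c[rr.Name] = rr.IPv4
	}
}

// CacheWithBailiwickCheck keeps only records for names the responding server is authoritative
// for and returns the records it refused to cache.
func (c Cache) CacheWithBailiwickCheck(r Response, serverZone string) (rejected []RR) {
	for _, rr := range records(r) {
		if inBailiwick(rr.Name, serverZone) {
			c[rr.Name] = rr.IPv4
		} else {
			rejected = append(rejected, rr)
		}
	}
	return rejected
}

// Constructed names standing in for the slide's ecrime name server and the victim site.
const (
	AttackerZone = "ecrime.example"
	AttackerHost = "www.ecrime.example"
	VictimHost   = "www.victim.example"
)

// PoisonedResponse is the reply the slide shows: a legitimate-looking answer for the attacker's
// own host plus an unsolicited "ALSO" record that hijacks the victim's name.
func PoisonedResponse() Response {
	return Response{
		Question:   AttackerHost,
		Answer:     []RR{{AttackerHost, "192.168.1.1"}},
		Additional: []RR{{VictimHost, "192.168.1.2"}},
	}
}

// Demo feeds the same poisoned reply to both caching strategies and returns them for inspection.
func Demo() (naive, checked Cache, rejected []RR) {
	naive, checked = Cache{}, Cache{}
	naive.CacheNaively(PoisonedResponse())
	rejected = checked.CacheWithBailiwickCheck(PoisonedResponse(), AttackerZone)
	return naive, checked, rejected
}

func main() {
	naive, checked, rejected := Demo()
	fmt.Printf("naive cache:   %s -> %q\n", VictimHost, naive[VictimHost])
	fmt.Printf("checked cache: %s -> %q\n", VictimHost, checked[VictimHost])
	fmt.Printf("rejected as out of bailiwick: %v\n", rejected)
}
```

Run it with `go run .`; the naive cache ends up serving 192.168.1.2 for the victim’s name while the checked cache holds only the in-zone answer. The bailiwick check stops this particular trick, but a forged reply to the question itself that reaches the resolver before the genuine one is still cached, which is the gap the DNSSEC slides that follow address.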
DNS Security (DNSSEC)
+ Protects DNS data against forgery
+ Uses public key cryptography to sign authoritative zone data
+ Assures that the data origin is authentic
+ Assures that the data are what the authenticated data originator published (integrity)
+ The trust model also uses public key cryptography
+ Parent zones vouch for the public keys of their child zones (the root signs the TLDs’ keys, the TLDs sign their registered domains’ keys, …)
+ Note: DNSSEC authenticates DNS data; it does not encrypt queries or answers
Public Key Cryptography in DNSSEC
+ The authority signs its zone data with its private key
+ Authorities must keep their private keys secret
Diagram: DNS data + digital signatures → signed DNS data; the authoritative server signs with the private key and publishes the result
Public Key Cryptography in DNSSEC (continued)
+ The authority publishes its public key so that any recipient can verify the signatures and confirm that “the data are correct and came from the right place”
Diagram: the authoritative server serves signed zone data; the validating recursive server validates it with the public key
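The sign-and-verify flow of the two “Public Key Cryptography in DNSSEC” slides above, as an added example that is not the deck’s or ICANN’s own code: a Go program using the standard library’s ECDSA P-256 with SHA-256 (the primitives behind DNSSEC algorithm 13). The authoritative side signs a record set with the private key; the validating resolver checks it with only the public key, rejects the slide’s “wrong answer” (13.13.14.0) when it is replayed against the genuine signature, and rejects a forgery signed with an attacker’s own key. A parent-style DS digest of the public key shows how the chain of trust (root → TLD → domain) pins the child’s key. The canonical string form, the hex signature and the DS digest are simplified imitations of the RRSIG, DNSKEY and DS records rather than the DNS wire format; www.iana.org and the addresses are the slide’s own example values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RRSet is a constructed, simplified resource record set: one owner name, one type, and
// the record data. In DNSSEC the RRSIG covers the whole set, not individual records.
type RRSet struct {
	Owner string
	Type  string
	RData []string
}

// canonical returns the bytes that get signed. Real DNSSEC (RFC 4034 section 6) lowercases
// owner names and sorts the RDATA so the signature does not depend on record order; this
// string form imitates that instead of producing the DNS wire format.
func (rs RRSet) canonical() []byte {
	rdata := append([]string(nil), rs.RData...)
	sort.Strings(rdata)
	return []byte(strings.ToLower(rs.Owner) + "|" + rs.Type + "|" + strings.Join(rdata, "|"))
}

// Sign is the authoritative side: hash the canonical RRset and sign the digest with the
// zone's private key. The hex string plays the role of the RRSIG; the private key never
// leaves the signer (Go's ASN.1 signature encoding is used, not DNSSEC's r||s form).
func Sign(priv *ecdsa.PrivateKey, rs RRSet) (string, error) {
	digest := sha256.Sum256(rs.canonical())
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(sig), nil
}

// Verify is the validating recursive resolver: only the published public key (the DNSKEY)
// is needed to confirm the data are unmodified and came from the holder of the private key.
func Verify(pub *ecdsa.PublicKey, rs RRSet, sigHex string) bool {
	sig, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(rs.canonical())
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// DS imitates the parent's Delegation Signer record: a SHA-256 digest of the child's public
// key that the parent publishes in its own signed zone. That is how the root vouches for a
// TLD's key and a TLD vouches for a registered domain's key.
func DS(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// Outcome collects the validator's decision in each scenario.
type Outcome struct {
	GenuineValid  bool // correct data, zone key: expected true
	TamperedValid bool // address changed, genuine signature replayed: expected false
	ForgedValid   bool // attacker signs the wrong address with their own key: expected false
	DSMatches     bool // attacker's key checked against the parent's DS: expected false
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo signs the slide's record for www.iana.org, then replays the slide's wrong answer
// and an attacker-signed forgery against the genuine public key.
func Demo() Outcome {
	zoneKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	zonePub := &zoneKey.PublicKey

	genuine := RRSet{Owner: "www.iana.org.", Type: "A", RData: []string{"192.0.2.1"}}
	sig, err := Sign(zoneKey, genuine)
	check(err)

	tampered := RRSet{Owner: "www.iana.org.", Type: "A", RData: []string{"13.13.14.0"}}
	forgedSig, err := Sign(attackerKey, tampered)
	check(err)

	zoneDS, err := DS(zonePub)
	check(err)
	attackerDS, err := DS(&attackerKey.PublicKey)
	check(err)

	return Outcome{
		GenuineValid:  Verify(zonePub, genuine, sig),
		TamperedValid: Verify(zonePub, tampered, sig),
		ForgedValid:   Verify(zonePub, tampered, forgedSig),
		DSMatches:     zoneDS == attackerDS,
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The attacker can still deliver the wrong address, but without the zone’s private key no signature over it will verify under the published public key, and a substituted public key fails the DS comparison at the parent. This is why the slides stress that authorities must keep their private keys secret: the whole guarantee rests on that.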
ICANN’s Role in DNSSEC Deployment
+ Manages the root key together with Verisign and trusted representatives of the international Internet community
+ Processes requests from the top-level registries to change their public keys (DS records) and other root zone records
+ Educates and assists the Internet community with DNSSEC
+ Implements DNSSEC on its own domains
Obstacles to Broader DNSSEC Adoption
+ Limited validation support in browsers and/or operating systems
+ Limited DNSSEC support from domain name registration service providers (registrars, resellers)
+ Misconceptions regarding key management, performance, and software/hardware availability and reliability
DNSSEC Deployment
• Fast pace of deployment at the TLD level
• Deployed at the root
• Supported by software
• Growing support by ISPs
• Required by new gTLDs
→ Widespread deployment across core Internet infrastructure is inevitable
Thank You & Questions?