Published on July 13, 2016
1. Why Implement DNSSEC? Champika Wijayatunga | ION – Hangzhou | 14 July 2016
2. | 2 Speaker Intro • Champika Wijayatunga (ICANN) – Regional SSR Engagement Manager – APAC firstname.lastname@example.org
3. DNS Recap 3
4. | 4 DNS in a Nutshell • DNS is a distributed database • Types of DNS servers – DNS Authoritative • Primary • Secondaries – DNS Resolver • Recursive • Cache • Stub resolver 4
5. | 5 DNS Resolution (diagram) 5 – The client asks its resolver (ISP) for www.example.net.; the resolver walks the hierarchy: Root Server (l.root-servers.net., 2001:500:3::42) → .net nameserver (a.server.net.) → example.net nameserver (ns.example.net.), and finally returns the answer 10.1.2.3 to the client
6. Threats and Risks in DNS
7. | 7 Basic Cache Poisoning 7 • Attacker – Launches a spam campaign where the spam message contains http://loseweightfastnow.com – Attacker’s name server will respond to a DNS query for loseweightfastnow.com with malicious data about ebay.com – Vulnerable resolvers add the malicious data to their local caches – The malicious data will send victims to an eBay phishing site for the lifetime of the cached entry • Diagram: My Mac → My local resolver: “What is the IPv4 address for loseweightfastnow.com?” → ecrime name server: “loseweightfastnow.com IPv4 address is 192.168.1.1 ALSO www.ebay.com is at 192.168.1.2” → My local resolver: “I’ll cache this response… and update www.ebay.com”
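As an added illustration (not from the slides), this is the bailiwick rule a resolver applies to refuse the unsolicited www.ebay.com record in the scenario above; the response is a constructed dictionary mirroring the slide, not captured traffic.

```python
# Added example: the "bailiwick" rule resolvers use to stop the poisoning shown
# on this slide. A record is cached only if its owner name is at or below the
# zone the answering server is authoritative for.
# The response below is constructed to mirror the slide; it is not real traffic.

CONSTRUCTED_RESPONSE = {
    "question": "loseweightfastnow.com.",
    "answer": [("loseweightfastnow.com.", "A", "192.168.1.1")],
    "authority": [],
    # The unsolicited record the ecrime name server tacks on:
    "additional": [("www.ebay.com.", "A", "192.168.1.2")],
}


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is the zone apex or any name below it (names compare case-insensitively)."""
    owner = owner.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    if zone == ".":            # the root zone contains every name
        return True
    return owner == zone or owner.endswith("." + zone)


def filter_response(response: dict, zone: str):
    """Split a response into records a resolver may cache and records it must drop.

    `zone` is the zone the queried server is authoritative for (the delegation
    the resolver followed); that is what bounds the server's credibility.
    """
    accepted, rejected = [], []
    for section in ("answer", "authority", "additional"):
        for rr in response.get(section, []):
            (accepted if in_bailiwick(rr[0], zone) else rejected).append(rr)
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = filter_response(CONSTRUCTED_RESPONSE, "loseweightfastnow.com.")
    print("cached:", ok)
    print("discarded:", dropped)
```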
8. | 8 Query Interception (DNS Hijacking) 8 • A man-in-the-middle (MITM) or spoofing attack forwards DNS queries to a name server that returns forged responses – Can be done using a DNS proxy, a compromised access router or recursor, ARP poisoning, or an evil-twin Wi-Fi access point • Diagram: the intended path for online banking transactions runs from the user to the Bank Web Site; on the redirected path an Evil Twin AP or compromised router sends the DNS queries to the Attacker’s resolver, and the Attacker’s name server returns the address of a Fake Bank Web Site
9. Why DNSSEC? 9
10. | 10 DNS: Data Flow 10 (diagram, steps 1–5) – The Zone administrator edits the Zone file (1) and sends Dynamic updates (2) to the Primary; the Primary transfers the zone to the Secondaries (3); Caching Servers query the authoritative servers (4); Resolvers query the Caching Servers (5)
11. | 11 DNS Vulnerabilities 11 (diagram, same data flow as slide 10) • Server protection covers the authoritative side: Corrupting data / Altered zone data (zone file), Unauthorized updates (dynamic updates), Impersonating master (zone transfer to Secondaries) • Data protection covers the query side: Cache impersonation (Caching Servers) and Cache pollution by Data spoofing (Resolvers)
12. | 12 Securing DNS • There are two aspects to consider in DNS security – Server protection – Data protection • Server protection – Protecting servers • Make sure your DNS servers are protected (e.g. physical security, latest DNS server software, proper security policies, server redundancy, etc.) – Protecting server transactions • Deployment of TSIG, ACLs, etc. (to secure transactions against server impersonation, secure zone transfers, unauthorized updates, etc.) • Data protection – Authenticity and integrity of data • Deployment of DNSSEC (protects DNS data against cache poisoning, cache impersonation, spoofing, etc.)
13. | 13 Where DNSSEC fits in • CPU and bandwidth advances make legacy DNS vulnerable to MITM attacks • DNS Security Extensions (DNSSEC) introduce digital signatures into DNS to cryptographically protect its contents • With DNSSEC fully deployed a business can be sure a customer gets unmodified data (and vice versa)
14. | 14 DNS Security Extensions • Uses public key cryptography to verify the authenticity of DNS zone data (records) – DNSSEC zone data is digitally signed using the private key for that zone – A DNS server receiving DNSSEC-signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that zone 14
15. | 15 What DNSSEC does and doesn’t do • Does not do – Protect against host threats (DDoS, buffer overruns in code, etc.) – Keep DNS data private – Ensure correctness of DNS data • Does do – Establish the legitimacy of data retrieved from the DNS – Protects end users from being redirected to malicious sites – Allows any data stored in the DNS to be validated as trustworthy
16. | 16 How DNSSEC Works (diagram) 16 – The same resolution path as on slide 5 (client → resolver (ISP) → Root Server → .net nameserver a.server.net. → example.net nameserver → answer 10.1.2.3), used on the next slide to show where keys and signatures enter the picture
17. | 17 How DNSSEC Works • Data authenticity and integrity by signing the Resource Record Sets (RRsets) with a private key • Public DNSKEYs published, used to verify the RRSIGs • Children sign their zones with their private key – Authenticity of that key established by the parent signing a hash (DS) of the child zone's key • Repeat for parent… • Not that difficult on paper – Operationally, it is a bit more complicated – DS → KEY –signs→ zone data (the parent’s DS identifies the child’s key, which in turn signs the child’s zone data) 17
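An added example, not part of the deck, of the DS link described on slides 14 and 17: computing the key tag and digest a parent publishes for a child's DNSKEY (RFC 4034) and the validator-side check that a DNSKEY matches that DS. The key bytes are a constructed placeholder and example.net. is used only as the owner name.

```python
# Added example: building and checking the DS record that links a parent zone
# to a child's DNSKEY (RFC 4034). The key bytes are constructed, not a real key.
import hashlib
import struct

DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}   # DS digest types (SHA-256, SHA-384)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for legacy algorithm 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """The DS RDATA the parent publishes and signs: (key tag, algorithm, digest type, digest hex)."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches(ds, owner: str, rdata: bytes) -> bool:
    """Validator-side check: does the child's DNSKEY hash to the DS the parent signed?"""
    if ds[2] not in DIGEST_ALGS:        # unknown digest type: cannot validate with it
        return False
    return tuple(ds) == make_ds(owner, rdata, ds[2])


CONSTRUCTED_KSK = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")   # placeholder key bytes

if __name__ == "__main__":
    ds = make_ds("example.net.", CONSTRUCTED_KSK)
    print("example.net. DS", *ds)
    print("matches:", ds_matches(ds, "example.net.", CONSTRUCTED_KSK))
```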
18. | 18 The Business Case for DNSSEC • Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator. • DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity). • DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.
19. | 19 DNSSEC ccTLD Map https://rick.eng.br/dnssecstat/
20. | 20 DNSSEC Deployment https://rick.eng.br/dnssecstat/
21. | 21 DNSSEC: So what’s the problem? • Not enough IT departments know about it or are too busy putting out other security fires. • When they do look into it they hear old stories of FUD and lack of turnkey solutions. • Registrars*/DNS providers see no demand leading to “chicken-and-egg” problems. *but required by new ICANN registrar agreement
22. | 22 What you can do • For Companies: – Sign your corporate domain names – Just turn on validation on corporate DNS resolvers • For Users: – Ask ISP to turn on validation on their DNS resolvers • For All: – Take advantage of DNSSEC education and training
23. DNSSEC: Internet infrastructure upgrade to help address today’s needs and create tomorrow’s opportunity.
24. | 24 Email: <email@example.com> Website: icann.org gplus.to/icann weibo.com/ICANNorg flickr.com/photos/icann slideshare.net/icannpresentations twitter.com/icann twitter.com/icann4biz facebook.com/icannorg linkedin.com/company/icann youtube.com/user/icannnews Thank you and Questions