ION Hangzhou - Why Deploy DNSSEC?

50 %
50 %
Information about ION Hangzhou - Why Deploy DNSSEC?

Published on July 13, 2016

Author: Deploy360


1. Why Implement DNSSEC? Champika Wijayatunga | ION – Hangzhou | 14 July 2016

2. | 2 Speaker Intro •  Champika Wijayatunga (ICANN) –  Regional SSR Engagement Manager – APAC

3. DNS Recap 3

4. | 4 DNS in a Nutshell •  DNS is a distributed database •  Types of DNS servers –  DNS Authoritative •  Primary •  Secondaries –  DNS Resolver •  Recursive •  Cache •  Stub resolver 4

5. | 5 Client Resolver (ISP) ? ? DNS Resolution 5 .net nameserver" Root Server"
 2001:500:3::42" nameserver"

6. Threats and Risks in DNS

7. | 7 Basic Cache Poisoning Attacker – Launches a spam campaign where spam message contains – Attacker’s name server will respond to a DNS query for with malicious data about – Vulnerable resolvers add malicious data to local caches – The malicious data will send victims to an eBay phishing site for the lifetime of the cached entry 7 What is the IPv4 address for My Mac My local resolver ecrime name server IPv4 address is ALSO is at I’ll cache this response… and update

8. | 8 Query Interception (DNS Hijacking) 6/15/16 8 •  A man in the middle (MITM) or spoofing attack forwards DNS queries to a name server that returns forge responses –  Can be done using a DNS proxy, compromised access router or recursor, ARP poisoning, or evil twin Wifi access point Bank Web SiteIntended path for online banking transactions Redirected path Redirected path Fake Bank Web Site Evil Twin AP Attacker’s resolverEvil twin AP or compromised router redirects DNS queries to attacker’s name server Attacker’s name server returns fake bank web site address

9. Why DNSSEC? 9

10. | 10 DNS: Data Flow 10 Primary Caching Servers Resolvers Zone administrator Zone file Dynamic updates 1 2 Secondaries 3 4 5

11. | 11 DNS Vulnerabilities 11 Primary Caching Servers Resolver Zone administrator Zone file Dynamic updates 1 2 Secondaries 3 Server protection 4 5 Corrupting data Impersonating master Unauthorized updates Cache impersonation Cache pollution by Data spoofing Data protection Altered zone data

12. | 12 Securing DNS •  There are two aspects when considering DNS Security –  Server protection –  Data protection •  Server protection –  Protecting servers •  Make sure your DNS servers are protected (i.e. physical security, latest DNS server software, proper security policies, Server redundancies etc.) –  Protecting server transactions •  Deployment of TSIG, ACLs etc. (To secure transactions against server impersonations, secure zone transfers, unauthorized updates etc.) •  Data protection –  Authenticity and Integrity of Data •  Deployment of DNSSEC (Protect DNS data against cache poisoning, cache impersonations, spoofing etc.)

13. | 13 Where DNSSEC fits in •  CPU and bandwidth advances make legacy DNS vulnerable to MITM attacks •  DNS Security Extensions (DNSSEC) introduces digital signatures into DNS to cryptographically protect contents •  With DNSSEC fully deployed a business can be sure a customer gets un-modified data (and visa versa)

14. | 14 DNS Security Extensions •  Uses public key cryptography to verify the authenticity of DNS zone data (records) –  DNSSEC zone data is digitally signed using a private key for that zone –  A DNS server receiving DNSSEC signed zone data can verify the origin and integrity of the data by checking the signature using the public key for that Zone 14

15. | 15 What DNSSEC does and doesn’t do •  Does not do –  Protect against host threats (DDoS, buffer overruns in code, etc.) –  Keep DNS data private –  Ensure correctness of DNS data •  Does Do: Establish the legitimacy of data retrieved from the DNS –  Protects end users from being redirected to malicious sites –  Allows any data stored in the DNS to be validated as trustworthy

16. | 16 Client Resolver (ISP) ? ? How DNSSEC Works 16 .net nameserver Root Server nameserver

17. | 17 How DNSSEC Works •  Data authenticity and integrity by signing the Resource Records Sets with a private key •  Public DNSKEYs published, used to verify the RRSIGs •  Children sign their zones with their private key –  Authenticity of that key established by parent signing hash (DS) of the child zone's key •  Repeat for parent… •  Not that difficult on paper –  Operationally, it is a bit more complicated –  DSKEY → KEY –signs→ zone data 17

18. | 18 The Business Case for DNSSEC •  Cyber security is becoming a greater concern to enterprises, government, and end users. DNSSEC is a key tool and differentiator. •  DNSSEC is the biggest security upgrade to Internet infrastructure in over 20 years. It is a platform for new security applications (for those that see the opportunity). •  DNSSEC infrastructure deployment has been brisk but requires expertise. Getting ahead of the curve is a competitive advantage.

19. | 19 DNSSEC ccTLD Map

20. | 20 DNSSEC Deployment

21. | 21 DNSSEC: So what’s the problem? •  Not enough IT departments know about it or are too busy putting out other security fires. •  When they do look into it they hear old stories of FUD and lack of turnkey solutions. •  Registrars*/DNS providers see no demand leading to “chicken-and-egg” problems. *but required by new ICANN registrar agreement

22. | 22 What you can do •  For Companies: –  Sign your corporate domain names –  Just turn on validation on corporate DNS resolvers •  For Users: –  Ask ISP to turn on validation on their DNS resolvers •  For All: –  Take advantage of DNSSEC education and training

23. DNSSEC: Internet infrastructure upgrade to help address today’s needs and create tomorrow’s opportunity.

24. | 24 Email: <> Website: Thank you and Questions

Add a comment

Related pages

Deploying DNSSEC: Validation on recursive caching name ...

ION Hangzhou; ION Bangladesh; Past ION ... Why should you deploy DNSSEC-validating DNS resolvers ... 5 Responses to Deploying DNSSEC: Validation on ...
Read more

ION Hangzhou | Deploy360 Programme

ION Hangzhou; ION Bangladesh; ... ION Hangzhou (China ... ION lets network operators stay ahead of the curve to understand and deploy emerging ...
Read more

ION Toronto 2011: DNSSEC: How to deploy it, and why you ...

ION Toronto 2011: DNSSEC: How to deploy it, and why you should bother ... (ION) Conference in Toronto on November 14, 2011, Joe Abley, ...
Read more

ION Toronto - Why Implement DNSSEC? - YouTube

What is DNSSEC and why is it so important? ... Slides, audio and video from ION Toronto can be found at:
Read more

One Month until IPv6, DNSSEC, IETF and More at ION ...

One Month until IPv6, DNSSEC, IETF and More at ION Hangzhou . By Megan Kruse. We’re just ... WHY to Implement DNSSEC Champika Wijayatunga, ICANN;
Read more

Ión | LinkedIn

ion at ion. Greater Boston Area. Graphic Design. Current ion at ion See less. View More View Less. View Profile. ion ion. ion ion ion chez ion. Brasov ...
Read more

Pas$ion | LinkedIn

View 12510 Pas$ion posts, presentations, experts, and more. Get the professional knowledge you need on LinkedIn. LinkedIn Home What is LinkedIn? Join Today
Read more

OpenDNSSEC » About

Why DNSSEC? Many internet ... for communicating with devices which hold cryptographic information and perform cryptographic functions. To deploy OpenDNSSEC
Read more