By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.


description

Domain Name System (DNS): a hierarchical, distributed database that provides the service of translating domain names to IP addresses. It follows a hierarchical tree structure, analogous to the Unix file system.

Transcript of By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

Page 1: By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

By Team Trojans-1
Arjun Ashok
Priyank Mohan
Balaji Thirunavukkarasu

Page 2: Agenda

DNS & its structure
DNS Threats
DNSSEC
Trust Models for Key Validation
DNSSEC Vulnerabilities
DNSSEC Roadblocks
Alternatives to DNS Security
The Road ahead

Page 3: Domain Name System (DNS)

Hierarchical distributed database which provides the service of translating domain names to IP addresses (and to other resource records, such as MX or TXT).

Follows a hierarchical tree structure, analogous to the Unix file system: the root zone at the top, the top-level domains (com, org, ...) below it, and the zones delegated beneath them.

Page 4: DNS Threats

Packet interception: an on-path attacker reads queries and injects forged responses; classic DNS runs over unauthenticated UDP, so nothing in the protocol stops this.
Name chaining: a response carries extra records (CNAME targets, glue in the additional section) for names the answering server has no authority over, and a careless resolver caches them (cache poisoning).

[Figure: DNS Communication]

Denial of service: flooding name servers with queries, or using open resolvers as reflectors and amplifiers against a victim.
Brute force: the 16-bit transaction ID (and the source port, if it is fixed) can be guessed, so an off-path attacker can race the legitimate answer with a forged one.
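To make the name-chaining and brute-force threats above concrete, here is an added example, written for this page and not part of the slide deck, in Python: a minimal DNS wire-format builder and parser, plus the checks a hardened resolver applies before caching anything from a response, namely matching the 16-bit transaction ID and the question to the outstanding query, and dropping every record that falls outside the bailiwick of the zone that was asked. The forged response, the names (www.example.com, www.bank.test) and the addresses are constructed sample data.

```python
import struct

RR_A = 1
CLASS_IN = 1


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off:], following RFC 1035 compression pointers.
    Returns (lowercased dotted name with trailing dot, offset just after the name)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # 11xxxxxx: pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", end


def encode_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(txid, qname, answers, additionals):
    """Build a response (QR=1, RD=1, RA=1) with one question; records are (name, type, ttl, rdata)."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additionals))
    msg = hdr + encode_name(qname) + struct.pack("!HH", RR_A, CLASS_IN)
    for rr in answers + additionals:
        msg += encode_rr(*rr)
    return msg


def parse_message(msg):
    txid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    off += 4                                      # skip QTYPE and QCLASS
    parsed = {"id": txid, "qname": qname}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((name, rtype, ttl, msg[off:off + rdlen]))
            off += rdlen
        parsed[section] = rrs
    return parsed


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies below it (the RFC 2181 section 5.4.1 trust rule)."""
    name, zone = name.lower(), zone.lower()
    return zone == "." or name == zone or name.endswith("." + zone)


def accept_response(msg, expected_id, expected_qname, zone):
    """Checks a resolver applies before caching: the transaction ID and question must match the
    outstanding query, and only records inside the answering zone's bailiwick are kept.
    Returns (kept, dropped) lists of (name, type, ttl, rdata)."""
    parsed = parse_message(msg)
    records = parsed["answer"] + parsed["authority"] + parsed["additional"]
    if parsed["id"] != expected_id or parsed["qname"] != expected_qname.lower():
        return [], records                        # not our query: an off-path guess that missed
    kept, dropped = [], []
    for rr in records:
        (kept if in_bailiwick(rr[0], zone) else dropped).append(rr)
    return kept, dropped


# Constructed sample: a forged reply to our query for www.example.com. The plausible answer is
# padded with an additional A record for www.bank.test, a name the example.com servers have no
# authority over (name chaining). A naive resolver would cache it.
TXID = 0x1A2B
ZONE = "example.com."
QNAME = "www.example.com."
FORGED = build_response(
    TXID, QNAME,
    answers=[(QNAME, RR_A, 300, bytes([192, 0, 2, 1]))],
    additionals=[("www.bank.test.", RR_A, 86400, bytes([198, 51, 100, 7]))],
)

if __name__ == "__main__":
    kept, dropped = accept_response(FORGED, TXID, QNAME, ZONE)
    print("cached :", [(r[0], r[1]) for r in kept])
    print("dropped:", [(r[0], r[1]) for r in dropped])
```

The transaction-ID check is what the brute-force threat attacks: with only 16 bits of ID to guess, an attacker who floods forged replies will eventually pass it, which is why resolvers also randomize the source port and why DNSSEC moves the decision to a signature check instead of a guessable field.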

Page 5: DNSSEC

First introduced in RFC 2535 "Domain Name System Security Extensions" in 1999 (the current specification is RFC 4033, 4034 and 4035 from 2005). Provides authentication and integrity of DNS data, not confidentiality.

Authentication of name server data by the resolver: each RRset in a zone is signed with the zone's private key, the signature is published as an RRSIG record, and the corresponding public key is published as a DNSKEY record.
The resolver is configured with the public key of the zone (a trust anchor). A resolver that knows the zone's public key can verify the signature and so authenticate the DNS response.

Can be visualized as a sealed transparent envelope: the sender applies the seal (the signature) to the envelope, not to the message, so anyone can still read the data, but any tampering breaks the seal.

Page 6: Trust Models for Key Validation

A tree-based approach:
Follows a strict chain/hierarchy of trust, from a root trust anchor down through every delegation.
A zone's public key is considered valid only if it is vouched for by the parent; in DNSSEC the parent publishes a DS record, a hash of the child's key, inside its own signed zone.

Disadvantages:
Creates a single point of failure: a compromised or mismanaged parent key breaks validation for every zone beneath it.
Places all the peer zones under the same umbrella of security, regardless of their individual needs.
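The tree-based model is exactly how the DNSSEC chain of trust works: each parent publishes a DS record, a hash of the child's DNSKEY, in its own zone, and a validator walks from a configured trust anchor down to the zone it is validating. The following added example, written for this page rather than taken from the slides or from any DNSSEC implementation, performs the real RFC 4034 key-tag and DS-digest computations over constructed sample keys and shows how a missing DS link marks a zone, and everything beneath it, bogus, which is the single point of failure the slide refers to. The public key bytes are constructed placeholders, not real keys, and the RRSIG verification a real validator also performs over each DNSKEY and DS RRset is not included.

```python
import copy
import hashlib
import struct

KSK_FLAGS = 257                 # Zone Key + Secure Entry Point
ALG_ECDSAP256SHA256 = 13
DIGEST_SHA256 = 2


def canonical_wire(name):
    """RFC 4034 section 6.2 canonical owner name: lowercase labels, length-prefixed, root is one zero byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol (1 byte, always 3), algorithm (1 byte), public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the DNSKEY RDATA with the carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, rdata):
    """DS record a parent publishes for a child key: (key tag, algorithm, digest type, digest),
    with digest = SHA-256(canonical owner name || DNSKEY RDATA) for digest type 2."""
    digest = hashlib.sha256(canonical_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], DIGEST_SHA256, digest)


def validate_chain(zones, chain, trust_anchor):
    """Walk `chain` (root first) the way a tree-based validator does: a zone is secure only if one
    of its DNSKEYs matches a DS published by the already-secure parent, the root being matched
    against the configured trust anchor. Returns {zone: "secure" | "bogus"}."""
    status, expected_ds, broken = {}, [trust_anchor], False
    for i, zone in enumerate(chain):
        if broken:
            status[zone] = "bogus"          # nothing below a broken link can be validated
            continue
        rdatas = [dnskey_rdata(f, a, k) for f, a, k in zones[zone]["dnskeys"]]
        if any(make_ds(zone, rd) in expected_ds for rd in rdatas):
            status[zone] = "secure"
            child = chain[i + 1] if i + 1 < len(chain) else None
            expected_ds = zones[zone]["ds"].get(child, [])
        else:
            status[zone], broken = "bogus", True
    return status


def fake_pubkey(label):
    """Constructed placeholder key bytes (NOT a real key), deterministic so results are reproducible."""
    return hashlib.sha256(b"constructed key: " + label.encode()).digest() * 2   # 64 bytes, P-256 sized


CHAIN = [".", "com.", "example.com."]


def build_sample_zones():
    """Constructed three-level hierarchy in which each parent carries a DS for its child's KSK.
    Returns (zones, trust_anchor); the anchor is the DS of the root KSK, which a real validator
    receives out of band (RFC 7958), never from DNS itself."""
    keys = {z: (KSK_FLAGS, ALG_ECDSAP256SHA256, fake_pubkey(z)) for z in CHAIN}
    zones = {z: {"dnskeys": [keys[z]], "ds": {}} for z in CHAIN}
    for parent, child in zip(CHAIN, CHAIN[1:]):
        zones[parent]["ds"][child] = [make_ds(child, dnskey_rdata(*keys[child]))]
    trust_anchor = make_ds(".", dnskey_rdata(*keys["."]))
    return zones, trust_anchor


def with_rogue_key(zones, zone):
    """Copy of `zones` in which `zone` serves a key its parent never vouched for: a compromise,
    or a rollover whose new DS was never published at the parent."""
    rogue = copy.deepcopy(zones)
    rogue[zone]["dnskeys"] = [(KSK_FLAGS, ALG_ECDSAP256SHA256, fake_pubkey("rogue " + zone))]
    return rogue


if __name__ == "__main__":
    zones, anchor = build_sample_zones()
    print("intact   :", validate_chain(zones, CHAIN, anchor))
    print("rogue com:", validate_chain(with_rogue_key(zones, "com."), CHAIN, anchor))
```

Swapping out the com key makes both com and example.com bogus although example.com itself is untouched; that is the "same umbrella" problem from the slide seen from the child's side.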

Page 7: Trust Models for Key Validation

A web-of-trust approach:
Allows servers to choose their own trust relationships.
A public key is considered valid as long as it has been signed by another server the validator already trusts.
No single point of failure; robust and scalable.

Disadvantages:
A malicious zone impersonating a legitimate one can create its own set of keys and get them signed to establish a trust relationship, and there is no authoritative parent to say which of two competing keys is the right one.

Page 8: DNSSEC Vulnerabilities

Zone private/public key compromise: an attacker holding the private key can sign forged records for the zone, and a key rollover handled badly (a stale DS at the parent, signatures made with a key no longer published) can lead to an entire sub-domain being marked as bogus by validating resolvers.

Signature validity is judged against the validator's clock: a server whose current time can be changed can be made to accept expired signatures (or to reject valid ones). Hence validators and signers need synchronized, trustworthy time.

An attacker can enumerate an entire zone by walking the NSEC RRs, which form an ordered chain of all the existing domain names (zone walking). NSEC3 (RFC 5155) hashes the owner names to make this harder.
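Two of the vulnerabilities above in code, as an added example that is not from the slides: enumerating a zone by following NSEC "next owner" pointers, and checking an RRSIG validity window against whatever clock the validator has, which is why a validator whose clock has been rolled back accepts a signature that should be dead. The NSEC chain for example.com. and the timestamps are constructed sample data, and the `nsec_record_at` lookup stands in for the queries an attacker would send to the authoritative server.

```python
# Constructed NSEC chain for the zone example.com. (owner name -> next owner name), in the
# canonical order a signed zone uses; the last record wraps around to the apex.
NSEC_CHAIN = {
    "example.com.": "admin.example.com.",
    "admin.example.com.": "db.example.com.",
    "db.example.com.": "mail.example.com.",
    "mail.example.com.": "www.example.com.",
    "www.example.com.": "example.com.",
}


def nsec_record_at(owner):
    """Stand-in for the authoritative server: an attacker asks for a type that does not exist at
    `owner` and receives, in the NODATA reply, the NSEC record owned by that name."""
    return NSEC_CHAIN[owner]


def walk_nsec(apex, lookup, limit=100000):
    """Zone walking: follow NSEC 'next owner' pointers from the apex until the chain wraps
    around. Every name in the zone is revealed at the cost of one query per name, and the
    server cannot tell these queries from legitimate ones."""
    names, current = [], apex
    while True:
        names.append(current)
        current = lookup(current)
        if current == apex or current in names or len(names) >= limit:
            return names


def signature_within_window(inception, expiration, validator_now):
    """RFC 4034 section 3.1.5: an RRSIG is usable only while inception <= now <= expiration,
    judged by the validator's own clock. There is no grace period, so a wrong clock either
    rejects good data or, rolled backwards, resurrects an expired signature. (On the wire the
    two timestamps are 32-bit and compared with serial-number arithmetic; plain integers
    suffice for this illustration.)"""
    return inception <= validator_now <= expiration


# Constructed timestamps (seconds since the epoch, as carried in RRSIG RDATA).
SIG_INCEPTION = 1704067200       # 2024-01-01T00:00:00Z
SIG_EXPIRATION = 1706745600      # 2024-02-01T00:00:00Z
CORRECT_CLOCK = 1709251200       # 2024-03-01T00:00:00Z: the signature has expired
ROLLED_BACK_CLOCK = 1705276800   # 2024-01-15T00:00:00Z: attacker moved the validator's clock back


if __name__ == "__main__":
    print("names in zone:", walk_nsec("example.com.", nsec_record_at))
    print("expired signature accepted, correct clock?   ",
          signature_within_window(SIG_INCEPTION, SIG_EXPIRATION, CORRECT_CLOCK))
    print("expired signature accepted, rolled-back clock?",
          signature_within_window(SIG_INCEPTION, SIG_EXPIRATION, ROLLED_BACK_CLOCK))
```

The walk terminates because the NSEC chain is a ring; the `limit` guard only protects the walker from a server that hands back a malformed chain.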

Page 9: Roadblocks and Challenges

It is infeasible to implement a full PKI infrastructure: no third-party authority of trust (CA) exists in DNSSEC, so security depends entirely on how each zone's private key is generated, stored and used.
There is a trade-off between performance and security: signing, larger responses and validation all cost CPU time, bandwidth and latency.

It is difficult to ensure all the servers have the updated keys. Servers high up in the hierarchy are unaware of the state of the child nodes, and all servers need to be online within a specified time frame in order to receive the updated keys during a rollover.

Page 10: Alternatives to DNSSEC

Name server software:
Configuration and maintenance of the name server to avoid denial of service and attacks such as unauthorized zone transfers, packet flooding and ARP spoofing.

To counter these attacks, the following steps are implemented:
using a secure (hardened) OS, using software to check the integrity of zone files, and restricting access privileges on the name server (including which hosts may request a zone transfer).

Page 11: Contd.. TSIG – Transaction Signature

TSIG (RFC 2845, now RFC 8945) provides mutual authentication of servers based on a shared secret key. On the sending side it employs an HMAC over the whole DNS message plus a timestamp, attached as a TSIG record; the receiver recomputes the HMAC with the same key.

Threats avoided by TSIG: forged zone transfers (AXFR/IXFR), forged NOTIFY messages and unauthorized dynamic updates between the servers that share the key.
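An added example, not from the slides, of the TSIG MAC computation from RFC 8945 in Python: the HMAC is taken over the DNS message followed by the TSIG variables (key name, class ANY, TTL 0, algorithm name, 48-bit time signed, fudge, error, other data), so both a message tampered with in transit and a replay outside the fudge window are rejected. The key name, the shared secret and the AXFR request are constructed sample values; building and parsing the TSIG resource record itself, and the request-MAC chaining used for responses, are left out.

```python
import hashlib
import hmac
import struct

CLASS_ANY = 255
CLASS_IN = 1
QTYPE_AXFR = 252
ALG_NAME = "hmac-sha256."
FUDGE = 300                       # seconds of clock skew tolerated (RFC 8945 recommends 300)

# Constructed shared secret between a primary and a secondary name server (NOT a real key).
KEY_NAME = "xfer-key.example.com."
KEYS = {KEY_NAME: hashlib.sha256(b"constructed TSIG secret for this example").digest()}


def wire_name(name):
    """Canonical wire form of a name: lowercase, length-prefixed labels, terminating zero byte."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(txid, zone):
    """A plain zone-transfer request: header with QDCOUNT=1 and one question (zone, AXFR, IN)."""
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
            + wire_name(zone) + struct.pack("!HH", QTYPE_AXFR, CLASS_IN))


def tsig_digest_input(message, key_name, time_signed, fudge, error=0, other=b""):
    """RFC 8945 section 4.3.3: for a request the MAC covers the DNS message (without the TSIG RR)
    followed by the TSIG variables: key name, class ANY, TTL 0, algorithm name, 48-bit time
    signed, fudge, error and other data."""
    variables = (wire_name(key_name)
                 + struct.pack("!HI", CLASS_ANY, 0)
                 + wire_name(ALG_NAME)
                 + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return message + variables


def sign_request(message, key_name, now, fudge=FUDGE, keys=KEYS):
    """Sender side: returns (mac, time_signed) for the TSIG RR the sender would append."""
    mac = hmac.new(keys[key_name], tsig_digest_input(message, key_name, now, fudge),
                   hashlib.sha256).digest()
    return mac, now


def verify_request(message, key_name, mac, time_signed, fudge, now, keys=KEYS):
    """Receiver side, in the order RFC 8945 section 5.2 prescribes: unknown key -> BADKEY,
    wrong MAC -> BADSIG, signed outside now +/- fudge -> BADTIME. Returns (ok, rcode_name)."""
    if key_name not in keys:
        return False, "BADKEY"
    expected = hmac.new(keys[key_name], tsig_digest_input(message, key_name, time_signed, fudge),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):     # constant-time comparison
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


if __name__ == "__main__":
    now = 1_700_000_000
    request = build_axfr_query(0x2A2A, "example.com.")
    mac, ts = sign_request(request, KEY_NAME, now)
    print("genuine :", verify_request(request, KEY_NAME, mac, ts, FUDGE, now + 5))
    tampered = request[:-1] + bytes([request[-1] ^ 1])      # flip one bit of the question
    print("tampered:", verify_request(tampered, KEY_NAME, mac, ts, FUDGE, now + 5))
    print("replayed:", verify_request(request, KEY_NAME, mac, ts, FUDGE, now + 3600))
```

Because the fudge and the time signed are themselves inside the MAC, an attacker cannot widen the replay window by editing them: any change surfaces as BADSIG before the time check is even reached.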

Page 12: Road Ahead..

The main hindrance in adopting DNSSEC: implementation complexity and scalability.
To overcome this, a signing appliance such as Secure64 DNS Signer is used to automate processes like key generation, backup, restoration and rollover, and zone signing, driven from a configuration file.

Higher scalability is achieved using high-speed crypto hardware; the slide cites 6,000 RSA operations/sec with a 1024-bit key.

Another improvement is implementing DNSSEC validation all the way down to the client stub resolver (user level), so that the last hop between the recursive resolver and the client is protected as well.

Page 13: Questions