DUKE UNIVERSITY DNSSEC 101 Kevin Miller.
-
Upload
emily-floyd -
Category
Documents
-
view
217 -
download
1
Transcript of DUKE UNIVERSITY DNSSEC 101 Kevin Miller.
•WWW.OIT.DUKE.EDU•
DNSSEC 101Kevin Miller
•WWW.OIT.DUKE.EDU•
DNS Underpins Everything
Web
Enterprise
Systems
VoIP
IMCMS
•WWW.OIT.DUKE.EDU•
DNS Underpins Everything
Web
Enterprise
Systems
VoIP
IMCMS
Inbound Email VolumeInbound Email Volume
Received EmailSpam, virus filtering using DNSReceived EmailSpam, virus filtering using DNS
10+ DNS QueriesPer Message
10+ DNS QueriesPer Message
•WWW.OIT.DUKE.EDU•
Risks from DNS Attacks
• Impersonate your web site• Redirect your phone calls• Man-in-the-middle (password theft)• Reroute or block your email• Disrupt your network, application services• Attack vectors for malware (data theft)• Denial of service
Diagram source: Internet Storm Center
•WWW.OIT.DUKE.EDU•
DNS Attack: Cache Poisoning
Where is website.com?Where is website.com?
Answer: 67.11.23.9Also, www.bank.com – 12.1.2.3
Answer: 67.11.23.9Also, www.bank.com – 12.1.2.3
•WWW.OIT.DUKE.EDU•
DNS Attack: Forgery
Where is educause.edu?Where is educause.edu?
Answer: 198.59.61.65Answer: 198.59.61.65
Answer: 12.1.2.3
Answer: 12.1.2.3
•WWW.OIT.DUKE.EDU•
DNS Attack: Indirection
Where is educause.edu?Where is educause.edu?
Answer: 12.1.2.3
Answer: 12.1.2.3
•WWW.OIT.DUKE.EDU•
DNS Attack: Amplification
60 byte request60 byte request
4000 byteresponse
4000 byteresponse
•WWW.OIT.DUKE.EDU•
Software Defects
Buffer overflowOther vectors
Buffer overflowOther vectors
•WWW.OIT.DUKE.EDU•
Risk Reduction To Date
• Improving weaknesses in DNS software– Patching software defects– Limiting cache poisoning opportunities
• Improve operational best practices– Restrict access to DNS recursers– Install anti-IP spoofing filters
• Improve host security– Anti-virus, anti-malware defenses
Photo source: BCP38
•WWW.OIT.DUKE.EDU•
DNSSEC
• Cryptographically sign DNS records– Also the absence of records
• Maintains DNS architecture– Hierarchical, distributed signatures
• Significant risk reduction, if used widely– Protects you (www.school.edu)– Protects your users (www.bank.com)
•WWW.OIT.DUKE.EDU•
What Can Be Done Now?
• Discover local implications– How do you manage DNS? What tools are used?– What impact would DNSSEC have?– Do your vendors support it?– Can you servers handle DNSSEC overhead?
• Begin building expertise, experience– Sign a test zone– Deploy a test DNSSEC recurser
• Deployment– Sign your zones– Utilize DNSSEC-enabled recurser with DLV
•WWW.OIT.DUKE.EDU•
Additional Resources
• http://www.dnssec.net• http://www.bind9.net• http://www.dnsreport.com• http://www.dnssec-deployment.org/• http://www.uoregon.edu/~joe/port53wars/
port53wars.pdf• http://www.nanog.org/mtg-0606/damas.html