Intro To DNS Security with Cory Von Wallenstein & Chris Brenton
Intro To DNS Security
October 23, 2013
Cory von Wallenstein, Chief Technologist, @cvwdyn
Chris Brenton, Director of Security, @chris_brenton
Pg. 2 Intro To DNS Security @cvwdyn @chris_brenton
Your Presenters
Cory von Wallenstein, Chief Technologist, @cvwdyn
Chris Brenton, Director of Security, @Chris_Brenton
What We Will Cover
• DNS security state of the union: 2013
• Why DNS security is important
• Securing the architecture
• Securing the deployment
• Securing your zone info
• Securing your registration info
Is DNS Still Sexy?
It’s old tech, so we must have it secured by now…right?
Is DNS Still Sexy?
DNS is effectively our root of trust:
You “ass-u-me” typing in www.google.com will always bring you to a Google server
If sent to the wrong IP address, would you even notice?
Is DNS Still Sexy?
If DNS is compromised, everything else falls apart.
Architecture
Run split DNS:
Architecture
Two separate sets of name server records:
• One for use by internal clients
• One for use by the rest of the world
Architecture
Helps protect internal systems from cache poisoning and other various nastiness
Internal Name Servers
• Accessed by internal systems only
• Contains a full list of host records
• Usually identifies your hosts by private IP
• Will act recursively
• Will hand back upward referrals
External Name Servers
• Accessed by the rest of the Internet
• Contains only records you want the world to see
• Usually identifies your hosts by legal IP
• Will not act recursively
• Will not hand back upward referrals
Recursive Answers
• DNS is a distributed system
• Not all servers know every answer
• “Recursion” identifies what to do when an answer is not in cache
Recursive Answers
Recursive = Do the lookup work for the client
Non-Recursive = Don't be so friendly
Non-Recursive Possibilities
• Hand back the list of root name servers (referred to as an “upward referral”)
• Hand back the error code “Refused” (let the client figure out what to do next)
Why Recursion Can Be Bad
Can be leveraged for cache poisoning attacks:
Redirect your employees to an IP owned by the attacker
Why Recursion Can Be Bad
Can be leveraged for DDoS attacks:
• Most DNS is UDP based
• Connectionless, so it's easy to spoof the source IP
• Small questions that result in big answers = amplification
• A savvy attacker can get 30X amplification
Why Upward Referrals Are Bad
Non-recursive servers have historically handed back a list of root name servers
Considered the polite thing to do
Why Upward Referrals Are Bad
Every name server should already maintain a current list of root name servers
That “polite” answer still provides a 10X amplification in a DDoS attack
Configuring Bind
Disabling Recursion and upward referrals
In /etc/named.conf:
recursion no;
additional-from-cache no;
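The slides above say what a hardened external server should do (answer REFUSED rather than recursing or handing back the root NS list) and why it matters (UDP amplification). The following is an added example, not code from the Dyn deck, that lets you check this against a server you operate: it builds a DNS query in wire format, parses the reply header to tell "refused" from "open-recursive" and "upward-referral", and measures the bytes-out-per-byte-in ratio. All function names are this example's own. The two sample replies are constructed (the referral uses placeholder 192.0.2.x addresses and no name compression, so its ratio is an upper bound for that record set, not a figure measured from any real server); `probe()` is the only function that touches the network and is meant for your own name servers.

```python
import socket
import struct

# Constructed example, not code from the Dyn deck. Function names and the
# 192.0.2.x (TEST-NET-1) addresses below are this example's own.

RCODE_REFUSED = 5          # RFC 1035 rcode 5
TYPE_A, TYPE_NS = 1, 2


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234, recursion_desired=True):
    """One question, RD flag set unless told otherwise (what a stub resolver sends)."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Pull out the header bits that matter for a recursion check."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),       # this is a response
        "aa": bool(flags & 0x0400),       # authoritative answer
        "rd": bool(flags & 0x0100),       # recursion desired (echoed from the query)
        "ra": bool(flags & 0x0080),       # recursion available
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_response(packet):
    """Label a reply to a recursive query for a name the server is not authoritative for."""
    h = parse_header(packet)
    if h["rcode"] == RCODE_REFUSED:
        return "refused"                   # the hardened behaviour from the slides
    if h["aa"]:
        return "authoritative"             # server owns the name; pick another test name
    if h["ra"] and h["ancount"] > 0:
        return "open-recursive"            # it did the lookup for an arbitrary client
    if not h["ra"] and h["ancount"] == 0 and h["nscount"] > 0:
        return "upward-referral"           # the "polite" root NS list
    return "other"


def amplification_factor(query, response):
    """Bytes sent back per byte received: the ratio a reflection attack relies on."""
    return len(response) / len(query)


def build_rr(owner, rtype, ttl, rdata):
    """Uncompressed resource record: owner, type, class IN, TTL, rdlength, rdata."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def sample_refused(query):
    """Constructed reply: QR set, rcode REFUSED, question copied, nothing else."""
    txid = parse_header(query)["id"]
    return struct.pack("!HHHHHH", txid, 0x8100 | RCODE_REFUSED, 1, 0, 0, 0) + query[12:]


def sample_upward_referral(query):
    """Constructed reply: 13 root NS records plus glue, RA clear, placeholder addresses."""
    txid = parse_header(query)["id"]
    roots = ["%s.root-servers.net." % c for c in "abcdefghijklm"]
    authority = b"".join(build_rr(".", TYPE_NS, 518400, encode_name(r)) for r in roots)
    glue = b"".join(build_rr(r, TYPE_A, 518400, bytes([192, 0, 2, i + 1]))
                    for i, r in enumerate(roots))
    header = struct.pack("!HHHHHH", txid, 0x8100, 1, 0, len(roots), len(roots))
    return header + query[12:] + authority + glue


def probe(server, name="www.example.com", timeout=3.0):
    """Send one recursive query to a name server you operate and report what it did."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_response(data), amplification_factor(q, data)


if __name__ == "__main__":
    q = build_query("www.example.com")
    for label, r in (("refused", sample_refused(q)), ("referral", sample_upward_referral(q))):
        print(label, classify_response(r), "%.1fx" % amplification_factor(q, r))
```

After applying `recursion no;` and `additional-from-cache no;`, `probe("<your external NS>")` should come back as `("refused", 1.0)`: the reply is the same size as the question, so there is nothing for a spoofed-source flood to amplify. The constructed referral shows the other end of the scale: a 33-byte question answered with a few hundred bytes of root NS and glue records.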
DNSSEC
• Spec to secure DNS
• Provides authentication but not data privacy
• Trust anchor to create a chain of trust
• Designed to create “trusted” responses
• Protect against cache poisoning
• Can protect additional info via TXT records
DNSSEC Pitfalls
• Large responses make DDoS issues even worse
• Can be problematic with split zone deployment
• Can be a problem when handing back bogus answers is “a feature”
• Still no data privacy
• Crawling zones mitigated but not resolved
Should I Use DNSSEC?
• Case-by-case judgment call
• Useful when IP filtering is problematic for protecting zone transfers
• May be mandated in some situations
• Will probably be a requirement
Someday...maybe
Dyn Makes DNSSEC Easier To Enable
Protecting Your Registration
The easiest way to compromise all of your servers is to compromise your zone
Popular attack pattern
Rapid7 owned by attackers with a…
Bit.ly/DynSec1
Domain Status Codes
Many registrars support codes to protect your domain
Permits you to limit zone management
Domain Status Codes
Predefine authentication process for changes:
Requires call back to a specified phone number
Only certain individuals can make changes
Status Code Examples
• Transfer prohibited
• Delete prohibited
• Update prohibited
• Renew prohibited
Bit.ly/DynSec2
Protected Zone
foo$ whois dyn.com
[whois.dyndns.com]
Registrant: Hostmaster, Dyn-Inc [email protected]
…
Domain status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited
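The whois output above is the thing to monitor: if one of those three client locks disappears, someone has changed the registration. The following is an added example, not code from the Dyn deck, that parses the `Domain status:` lines out of whois text and reports which of the locks shown on the dyn.com zone are missing. It handles both the single-line layout in the slide and the one-status-per-line layout many registrars print. Function names are this example's own; both whois samples are constructed and use placeholder registrant details, not real output.

```python
import re

# Constructed example, not from the Dyn deck. The whois samples below are made up
# to mimic the slide's single-line layout and the per-line layout other registrars
# use; registrant details are placeholders.

# The three locks visible on the protected dyn.com zone in the slide.
RECOMMENDED_LOCKS = (
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
)

STATUS_LINE = re.compile(r"^\s*domain\s+status\s*:(.*)$", re.IGNORECASE | re.MULTILINE)
STATUS_CODE = re.compile(r"\b(?:client|server)[A-Za-z]+Prohibited\b")


def parse_domain_status(whois_text):
    """Collect every EPP status code found on 'Domain status:' lines, whatever the layout."""
    codes = set()
    for m in STATUS_LINE.finditer(whois_text):
        codes.update(STATUS_CODE.findall(m.group(1)))
    return codes


def missing_locks(codes, required=RECOMMENDED_LOCKS):
    """Which of the required registrar locks are not set (sorted for stable output)."""
    return sorted(c for c in required if c not in codes)


def check_whois(whois_text):
    """Return (codes_set, missing) so a scheduled check can alert when a lock disappears."""
    codes = parse_domain_status(whois_text)
    return codes, missing_locks(codes)


# Constructed sample modelled on the slide's "whois dyn.com" output (single-line layout).
LOCKED = """\
Registrant: Hostmaster, Example-Inc  hostmaster@example.com
...
Domain status: clientDeleteProhibited clientTransferProhibited clientUpdateProhibited
"""

# Constructed sample in the per-line layout, with the transfer lock missing.
UNLOCKED = """\
Domain Name: EXAMPLE.COM
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""

if __name__ == "__main__":
    for name, text in (("locked", LOCKED), ("unlocked", UNLOCKED)):
        codes, missing = check_whois(text)
        print(name, sorted(codes), "missing:", missing or "none")
```

Feed `check_whois()` the output of a periodic `whois` run for each of your domains and alert on a non-empty `missing` list; a registrar-side (`server*Prohibited`) lock is also collected if present, so the same parser can be used to confirm a registry lock once one is in place.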
Questions to Ask Your Registrar
• What are my authentication options?
• How will authorized changes be verified?
• Can I lock changes to a call back number?
• Backup plan when primary auth goes FUBAR?
• Can auth be circumvented via API or portal?
Questions?
Cory von Wallenstein, Chief Technologist, @cvwdyn
Chris Brenton, Director of Security, @Chris_Brenton
Next Webinar: Wed., Nov. 20th
DNS Security: PCI in The Public Cloud
Cory von Wallenstein, Chief Technologist, @cvwdyn
Chris Brenton, Director of Security, @Chris_Brenton