TODAY & TOMORROW
DAY 2 - GROUP 5
PRESENTED BY: JAMES SPEIRS, CHARLES HIGBY, BRADY REDFEARN
Domain Name System (DNS)
Overview
• Day 1 Review
• DNS Exploit Types
• DNS SEC
• Public Key Infrastructure (PKI)
• DNS SEC Implementation
• Early DNS Fixes
• DNS SEC Proposals
• Which Is Best?
Day 1 Review
• DNS
• Bailiwick
• Dan Kaminsky
• DNS Poisoning
• SSL & HTTPS
DNS Exploit Types
• Cache poisoning
  o Dan Kaminsky
  o HD Moore
    - Metasploit 10 seconds
• Client flooding
  o No other DNS responses are received
  o Denial-of-Service (DoS)
• Dynamic update
  o Everything freely available - no query required
• Hosts file
  o Malware attacks
DNSSEC
• Pros:
  o Can distribute public keys
    - email
  o IPs are distributed securely
  o Reliable
  o Robust
• Cons:
  o Rework of DNS infrastructure (UDP)
    - 10x larger packets
    - 100x more resources
  o Easier to run DoS attack
  o Unbroken zone signing all the way to the root
Public Key Infrastructure (PKI)
1. I ask the Certificate Authority (CA) to issue a certificate in my name
2. The CA validates my identity, then issues me a certificate
3. I present a certificate containing my identity to the user
4. The user doesn't know me, so they ask the CA to verify my identity
5. The CA checks that my certificate is valid: unaltered, unexpired, legitimate
6. The CA tells the user my certificate is valid
7. User now trusts me
PKI Example
DNSSEC Implementation
"Report on the ccNSO's DNSSEC Survey 2009," http://ccnso.icann.org/surveys/dnssec-survey-report-2009.pdf
Early DNS Fixes
• Transaction ID randomization
• Source port randomization
Evgeniy Polyakov
• Cracked fully patched BIND 9
  o In 10 hrs
  o With gigabit Ethernet
  o Trojan horse could do this within network
De-Bouncing
Double queries
• Pros
  o Verified DNS queries
  o Easy to implement
• Cons
  o Not enough bandwidth
  o Servers too busy
  o Easy to run DoS
Abandon UDP
Make all DNS traffic TCP
• 3-way handshake to start
• 2 for question/answer
• 2 to shutdown
• Pros:
  o No information limit
  o Can use PKI
• Cons:
  o 7x more bandwidth
  o Need more hardware
  o Bridge UDP to TCP packeting
0x20
Case sensitivity
• Case is preserved in DNS query
• Pros:
  o Random case can be sent
  o Reply can be verified
  o Authoritative Name Servers need no update
  o No bandwidth increase
  o Easy to implement
• Cons:
  o Querying servers need update
  o Client update
  o Query servers need hardware
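The 0x20 check on the querying side, as an added example that is not part of the original slides: the resolver randomizes the case of the query name, and accepts a reply only if the transaction ID and the exact-case question name both come back unchanged. The function names and the sample name www.example.com are assumptions made for illustration.

```python
import secrets
import struct

def encode_0x20(qname: str) -> str:
    """Flip each ASCII letter to a random case; digits, '-' and '.' stay as-is."""
    return "".join(
        (c.upper() if secrets.randbits(1) else c.lower())
        if c.isascii() and c.isalpha() else c
        for c in qname
    )

def build_query(qname: str, txid: int) -> bytes:
    """Minimal DNS query: 12-byte header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(p)]) + p.encode("ascii") for p in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def question_name(msg: bytes) -> str:
    """Read the first question's QNAME exactly as it appears (case preserved)."""
    pos, labels = 12, []
    while msg[pos] != 0:
        length = msg[pos]
        if length > 63 or pos + 1 + length >= len(msg):
            raise ValueError("malformed or compressed QNAME")
        labels.append(msg[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)

def accept_reply(query: bytes, reply: bytes) -> bool:
    """Accept only if the transaction ID and the exact-case QNAME both match."""
    if len(reply) < 12 or reply[:2] != query[:2]:
        return False
    try:
        return question_name(reply) == question_name(query)
    except (ValueError, IndexError, UnicodeDecodeError):
        return False

def extra_bits(qname: str) -> int:
    """Each letter adds one bit that an off-path spoofer has to guess."""
    return sum(c.isascii() and c.isalpha() for c in qname)

if __name__ == "__main__":
    # Constructed sample: a spoofed reply with the right ID but all-lowercase name.
    q = build_query(encode_0x20("www.example.com"), secrets.randbits(16))
    spoof = q[:12] + build_query("www.example.com", 0)[12:]
    print(question_name(q), accept_reply(q, q), accept_reply(q, spoof))
```

The case bits add to the entropy from transaction ID and source port randomization, so short names with few letters gain the least.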
Domain Vouching
Look-aside technology
• Pros:
  o Distributed load
  o One party maintains all DNS info
• Cons:
  o Bottleneck at voucher
  o Reliant on third-party service availability
  o DoS on third-party machine
  o URL redirection
example.com example.voucher.com
U.S. Controls All
Department of Homeland Security (DHS) controls DNS activity
• Pros:
  o Can we trust DHS?
  o One authority?
  o U.S. dominance of Internet
• Cons:
  o Politics
    - Any non-US government is opposed
  o Censorship
  o One authority
  o Trust
PGP Signing Model
Proven example for PKI
• Pros:
  o Multiple non-governmental signers approve all keys
    - Peer approval
    - CA approval
    - Anyone approves
  o Create Root Key Set
  o Distribute Root Key Sets
  o Distributed load
  o No single point of failure
• Cons:
  o Someone has to approve your key
  o Some more hardware
  o Everyone has to do it
Which Is Best?
Class Discussion
Summary
• Everything depends on DNS
• DNSSEC 9 yrs old
• Lots of proposals
• No perfect solution
• PGP model seems best right now
• Lots of work to do
• Without DNSSEC, we're in trouble
Questions
?
Vocabulary
• KSK - Key Signing Key
• ZSK - Zone Signing Key
• RZM - Root Zone Maintainer
• RKO - Root Key Operator
• RZF - Root Zone File
• RKS - Root Key Set
• ZKS - Zone Key Set