dns security
play

DNS Security The Domain Name Service (DNS) translates - PowerPoint PPT Presentation

Jul 07, 2023 •157 likes •431 views

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to 131.179.192.144 DNS also provides other similar services It wasnt designed with security in

  1. DNS Security • The Domain Name Service (DNS) translates human-readable names to IP addresses – E.g., thesiger.cs.ucla.edu translates to 131.179.192.144 – DNS also provides other similar services • It wasn’t designed with security in mind Lecture 18 Page 1 CS 236 Online

  2. DNS Threats • Threats to name lookup secrecy – Definition of DNS system says this data isn’t secret • Threats to DNS information integrity – Very important, since everything trusts that this translation is correct • Threats to DNS availability – Potential to disrupt Internet service Lecture 18 Page 2 CS 236 Online

  3. What Could Really Go Wrong? • DNS lookups could be faked – Meaning packets go to the wrong place • The DNS service could be subject to a DoS attack – Or could be used to amplify one • Attackers could “bug” a DNS server to learn what users are looking up Lecture 18 Page 3 CS 236 Online

  4. Where Does the Threat Occur? • Unlike routing, threat can occur in several places – At DNS servers – But also at DNS clients • Which is almost everyone • Core problem is that DNS responses aren’t authenticated Lecture 18 Page 4 CS 236 Online

  5. The DNS Lookup Process lookup thesiger.cs.ucla.edu answer 131.179.191.144 ping thesiger.cs.ucla.edu If the answer is Should result in a ping wrong, in standard packet being sent to DNS the client is 131.179.191.144 screwed Lecture 18 Page 5 CS 236 Online

  6. How Did the DNS Server Perform the Lookup? • Leaving aside details, it has a table of translations between names and addresses • It looked up thesiger.cs.ucla.edu in the table • And replied with whatever the address was Lecture 18 Page 6 CS 236 Online

  7. Where Did That Table Come From? • Ultimately, the table entries are created by those owning the domains – On a good day . . . • And stored at servers that are authoritative for that domain • In this case, the UCLA Computer Science Department DNS server ultimately stored it • Other servers use a hierarchical lookup method to find the translation when needed Lecture 18 Page 7 CS 236 Online

  8. Doing Hierarchical Translation Where’s edu? lookup thesiger.cs.ucla.edu DNS root server Where’s ucla.edu? edu root server Where’s thesiger.cs.ucla.edu? Where’s cs.ucla.edu? ucla.edu root server cs.ucla.edu root server Lecture 18 Page 8 CS 236 Online

  9. Where Can This Go Wrong? • Someone can spoof the answer from a DNS server – Relatively easy, since UDP is used • One of the DNS servers can lie • Someone can corrupt the database of one of the DNS servers Lecture 18 Page 9 CS 236 Online

  10. The Spoofing Problem lookup thesiger.cs.ucla.edu answer 131.179.191.144 Unfortunately, most DNS stub resolvers will take the first answer answer 97.22.101.53 Lecture 18 Page 10 CS 236 Online

  11. DNS Servers Lying answer 97.22.101.53 lookup thesiger.cs.ucla.edu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . thesiger.cs.ucla.edu 131.178.192.144 . . . . . . . . . . . . That wasn’t very nice of him! . . . . . . . . . . . . . . . . . . . . . . . . Lecture 18 Page 11 CS 236 Online

  12. DNS Database Corruption answer 97.22.101.53 lookup thesiger.cs.ucla.edu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97.22.101.53 . . . thesiger.cs.ucla.edu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Lecture 18 Page 12 CS 236 Online

  13. The DNSSEC Solution • Sign the translations • Who does the signing? – The server doing the response? – Or the server that “owns” the namespace in question? • DNSSEC uses the latter solution Lecture 18 Page 13 CS 236 Online

  14. Implications of the DNSSEC Solution • DNS databases must store signatures of resource records • There must be a way of checking the signatures • The protocol must allow signatures to be returned Lecture 18 Page 14 CS 236 Online

  15. Checking the Signature • Basically, use certificates to validate public keys for namespaces • Who signs the certificates? – The entity controlling the higher level namespace • This implies a hierarchical solution Lecture 18 Page 15 CS 236 Online

  16. The DNSSEC Signing Hierarchy • In principle, ICANN signs for itself and for top level domains (TLDs) – Like .com, .edu, country codes, etc. • Each TLD signs for domains under it • Those domains sign for domains below them • And so on down Lecture 18 Page 16 CS 236 Online

  17. An Example • Who signs the translation for thesiger.cs.ucla.edu to 131.179.192.144? • The UCLA CS DNS server • How does someone know that’s the right server to sign? • Because the UCLA server says so – Securely, with signatures • The edu server verifies the UCLA server’s signature • Ultimately, hierarchical signatures leading up to ICANN’s attestation of who controls the edu namespace • Where do you keep that information? – In DNS databases Lecture 18 Page 17 CS 236 Online

  18. Using DNSSEC • To be really secure, you must check signatures yourself • Next best is to have a really trusted authority check the signatures – And to have secure, authenticated communications between trusted authority and you Lecture 18 Page 18 CS 236 Online

  19. A Major Issue • When you look up something like cs.ucla.edu, you get back a signed record • What if you look up a name that doesn’t exist? • How can you get a signed record for every possible non-existent name? Lecture 18 Page 19 CS 236 Online

  20. The DNSSEC Solution • Names are alphabetically orderable • Between any two names that exist, there are a bunch of names that don’t • Sign the whole range of non-existent names • If someone looks one up, give them the range signature Lecture 18 Page 20 CS 236 Online

  21. For Example, You get lasr.cs.ucla.edu 131.179.192.136 authoritative lbsr.cs.ucla.edu – pelican.cs.ucla.edu 131.179.128.17 NOT ASSIGNED information that pd.cs.ucla.edu toucan.cs.ucla.edu 131.179.128.16 the name isn’t pelican.cs.ucla.edu 131.179.128.17 assigned toucan.cs.ucla.edu 131.179.128.16 Foils spoofing attacks > host last.cs.ucla.edu Lecture 18 Page 21 CS 236 Online

  22. Status of DNSSEC • Working implementations available • In use in some places • Heavily promoted – First by DARPA – Now by DHS • Beginning to get out there Lecture 18 Page 22 CS 236 Online

  23. Status of DNSSEC Deployment • ICANN has signed the root – .com, .gov, .edu, .org, .net all signed at top level – Not everyone below has signed, though • Many “islands” of DNSSEC signatures – Signing for themselves and those below them – In most cases, just for themselves • Utility depends on end machines checking signatures Lecture 18 Page 23 CS 236 Online

  24. Using DNSSEC • Actually installing and using DNSSEC not quite as easy as it sounds • Lots of complexities down in the weeds • Particularly hard for domains with lots of churn in their namespace – Every new name requires big changes to what gets signed Lecture 18 Page 24 CS 236 Online

  25. Other DNS Solutions • Encrypt communications with DNS servers – Prevents DNS cache poisoning – But assumes that DNS server already has right record • Ask multiple servers – Majority rules or require consensus Lecture 18 Page 25 CS 236 Online

  26. Conclusion • Correct Internet behavior depends on a few key technologies – Especially routing and DNS • Initial (still popular) implementations of those technologies are not secure • Work is ongoing on improving their security Lecture 18 Page 26 CS 236 Online

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann & Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard

On Robust Covert Channels Inside DNS Lucas Nussbaum , Pierre Neyron and Olivier Richard Laboratoire dInformatique de Grenoble / INRIA Lucas Nussbaum, Pierre Neyron and Olivier Richard On Robust Covert Channels Inside DNS 1 / 18 Introduction

784 views • 18 slides
DNS and BGP CS642: Computer Security Professor Ristenpart

DNS and BGP CS642: Computer Security Professor Ristenpart

DNS and BGP CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642

798 views • 35 slides
Andrs E. Azprua #imv2020 Internet Censorship, DNS poisoning and Phishing in Venezuela

Andrs E. Azprua #imv2020 Internet Censorship, DNS poisoning and Phishing in Venezuela

Andrs E. Azprua #imv2020 Internet Censorship, DNS poisoning and Phishing in Venezuela Measuring from censorship to state-sponsored attacks Andrs E. Azprua #imv2020 @VEsinFiltro VEsinFiltro.com VENEZUELAN CONTEXT Critical failure

833 views • 56 slides
DNS-BASED THREAT HUNTING: learn, share and improve. repeat. Joo Collier de Mendona @sec_joao

DNS-BASED THREAT HUNTING: learn, share and improve. repeat. Joo Collier de Mendona @sec_joao

TLP WHITE DNS-BASED THREAT HUNTING: learn, share and improve. repeat. Joo Collier de Mendona @sec_joao Zurich, September 2016. $ whoami Brazilian living in Germany for a long time Since 2010 at Deutsche Telekom CERT / CDC

643 views • 27 slides
Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis Tatang , Carl Schneider,

Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis Tatang , Carl Schneider,

Large-scale Analysis of Infrastructure-leaking DNS Servers Dennis Tatang , Carl Schneider, Thorsten Holz Ruhr-University Bochum, Germany Motivation DNS: www.rub.de 134.147.64.10 Daily use on the Internet by every user Various

422 views • 27 slides
DNS of Multiphase Flows Simple Front Tracking DNS of Multiphase Flows Direct Numerical

DNS of Multiphase Flows Simple Front Tracking DNS of Multiphase Flows Direct Numerical

DNS of Multiphase Flows Simple Front Tracking DNS of Multiphase Flows Direct Numerical Software is needed for a variety of purposes. Simulations of In addition to large scale somewhat general purpose codes that represent close

179 views • 4 slides
DNS Basics 1 Computers use IP Addresses To send an IP datagram to another computer on

DNS Basics 1 Computers use IP Addresses To send an IP datagram to another computer on

DNS Basics 1 Computers use IP Addresses To send an IP datagram to another computer on Internet (e.g. a web server), must know its IP address What is the IP address of the computer running ICT website? Registration? Facebook? Humans

214 views • 8 slides
ISOC ION Conference Advancing the Network - Where Weve Been, Where Were Headed Shumon

ISOC ION Conference Advancing the Network - Where Weve Been, Where Were Headed Shumon

ISOC ION Conference Advancing the Network - Where Weve Been, Where Were Headed Shumon Huque Ron Broersma Paul Ebersman John Spence Paul Mockapetris San Diego, California, December 11th 2012 1 Advancing the Network: Where We've Been,

542 views • 9 slides

More recommend