dns workshop caribnog12
play

DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, - PowerPoint PPT Presentation

Aug 04, 2023 •166 likes •562 views

DNS Workshop @CaribNOG12 Mark Kosters Carlos Martnez {ARIN, LACNIC} CTO DNS Refresher and Intro to DNS Security Extension (DNSSEC) Outline Introduction DNSSEC mechanisms to establish authenticity and integrity of data

  1. DNS Workshop @CaribNOG12 Mark Kosters – Carlos Martínez {ARIN, LACNIC} CTO

  2. DNS Refresher and Intro to DNS Security Extension (DNSSEC)

  3. Outline • Introduction • DNSSEC mechanisms – to establish authenticity and integrity of data • Quick overview • New RRs • Using public key cryptography to sign a single zone • Delegating signing authority ; building chains of trust • Key exchange and rollovers • Conclusions

  4. DNS Resolving Question: www.arin.net A root-servers www.arin.net A ? 2 1 “ go ask net server @ X.gtld-servers.net ” 3 www.arin.net A ? (+ glue) Caching Resolver 192.168.5.10 forwarder www.arin.net A ? 4 8 (recursive) gtld-servers “ go ask arinserver @ ns1.arin.net ” 5 (+ glue) 9 Add to cache www.arin.net A ? 6 TTL 10 “ 192.168.5.10 ” 7 arin-server

  5. DNS: Data Flow Zone administrator 1 4 Zone file master Caching forwarder 2 3 5 Dynamic updates slaves resolver

  6. DNS Vulnerabilities Corrupting data Impersonating master Cache impersonation Zone administrator 1 4 master Zone file Caching forwarder 2 3 5 Dynamic updates slaves resolver Cache pollution by Data spoofing Unauthorized updates Data protection Server protection

  7. DNS Protocol Vulnerability • DNS data can be spoofed and corrupted on its way between server and resolver or forwarder • The DNS protocol does not allow you to check the validity of DNS data • Exploited by bugs in resolver implementation (predictable transaction ID) • Corrupted DNS data might end up in caches and stay there for a long time (TTL) • How does a slave (secondary) knows it is talking to the proper master (primary)?

  8. Motivation for DNSSEC • DNSSEC protects against data spoofing and corruption • DNSSEC (TSIG) provides mechanisms to authenticate servers • DNSSEC (KEY/SIG/NXT) provides mechanisms to establish authenticity and integrity of data • A secure DNS will be used as a public key infrastructure (PKI)

  9. Now for the Meat l We will be talking now how to solve cache pollution l It is quite complicated

  10. Overview We will talk about: l The problems that DNSSEC addresses è è The protocol and implementations è Things to take into account to deploy DNSSEC è The practical problems tied to real-world deployment

  11. Contents Scope of the problem l l DNS reminders l Basics of DNSSEC l Deployment & operations l Issues (what isn't solved) & other aspects l Status of DNSSEC today

  12. What's the problem? So what are the issues? DNS Cache Poisoning − Forgery: respond before the intended nameserver − Redirection of a domain's nameserver − Redirection of NS records to another target domain DNS Hijacking − Response to non-existent domains − Rogue DNS servers These have been spotted in the wild – code IS available...

  13. What's the problem? What risks ? See Dan Kaminsky's slides for the extent of the risks l - MANY case scenarios è MX hijacking è Entire domain redirection è Take a large .COM offline è Complete spoofing of a bank's DNS info è More fun stuff A great illustrated guide l http://unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

  14. Refresher

  15. DNS reminders ISC BIND zone file format is commonly used, and we l will use this notation here. zone. SOA nsX.zone. hostmaster.zone. ( 2009022401 ; serial 1d ; refresh 12h ; retry 1w ; expire 1h ) ; neg. TTL zone. NS ns.zone. NS ns.otherzone. zone. MX 5 server.otherzone. A 1.2.3.4 www.zone. ...

  16. DNS reminders Record structure: l NAME [TTL] TYPE DATA (type specific) -------------------------------------------- host.zone. 3600 A 10.20.30.40 sub.zone. 86400 MX 5 server.otherzone.

  17. DNS reminders Multiple resource records with same name and type l are grouped into Resource Record Sets (RRsets): mail.zone. MX 5 server1.zone. RRset mail.zone. MX 10 server2.zone. server1.zone. A 10.20.30.40 server1.zone. A 10.20.30.41 RRset server1.zone. A 10.20.30.42 server1.zone. AAAA 2001:123:456::1 RRset server1.zone. AAAA 2001:123:456::2 server2.zone. A 11.22.33.44 RRset

  18. DNS points of attack

  19. DNS Data Flow Points of attack zone file (text, MASTER DB) caching DATA STUB Zone dynamic resolver updates resolver Transfer (recursive) SLAVES spoofing cache man in the modified spoofed corrupted ATTACK master middle data data poisoning updates VECTORS (routing/DoS)

  20. DNSSEC concepts

  21. DNSSEC quick summary Data authenticity and integrity by signing the l Resource Records Sets with a private key l Public DNSKEYs published, used to verify the RRSIGs l Children sign their zones with their private key − Authenticity of that key established by signature/checksum by the parent of the (DS) delegation signer record Repeat for parent... l l Not that difficult on paper − Operationally, it is a bit more complicated

  22. DNSSEC overview DNS SECurity extensions Concepts l l New Resource Records (DNSKEY, RRSIG, NSEC/NSEC3 and DS) l New packet options (CD, AD, DO) l Setting up a Secure Zone l Delegating Signing Authority l Key Rollovers

  23. DNSSEC concepts Changes DNS trust model from one of ”open” and l ”trusting” to one of ”verifiable” l Extensive use of public key cryptography to provide: − Authentication of origin − Data integrity − Authenticated denial of existence No attempt to provide confidentiality l l DNSSEC does not place computational load on the authoritative servers ( != those signing the zone) l No modifications to the core protocol − Can coexist with today's infrastructure è …kind of (EDNS0)

  24. DNSSEC concepts Build a chain of trust using the existing delegation- l based model of distribution that is the DNS l Don't sign the entire zone, sign a RRset “.” ORG NSRC WS l Note: the parent DOES NOT sign the child zone. The parent signs a pointer (hash) to the key used to sign the data of child zone (important!)

  25. New Resource Records

  26. Implementing the Trust Chain • New resource records – RRSIG: resource record signatures – DNSKEY: DNS public key – DS: delegation signature – NSEC: denial of existence

  27. New Resource Record: RRSIG • Example: ~ carlosm$ dig +dnssec www.nic.se dig +dnssec www.nic.se ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1 ;; ANSWER SECTION: www.nic.se. 60 IN A 212.247.7.218 www.nic.se. 60 IN RRSIG A 5 3 60 20101021132001 20101011132001 23369 nic.se. HeeUZ5h5iExK5uU1SuNRIf2Dbmh2/ aWV8FkjmzixUzTAVrHv39PfmfnG DHdHoZxoz85hqqYiWb +t9EZh5+iqxQk8AxRDic9Nn6WxifOoWeS+IUKQ rVyqXf1NtkZvu1A325vwa8obtbeVGVkhqg6bDIjKYeHixjlQ4cRoFcEW Izk= ;; AUTHORITY SECTION: nic.se. 2974 IN NS ns3.nic.se. nic.se. 2974 IN NS ns2.nic.se. nic.se. 2974 IN NS ns.nic.se. nic.se. 3600 IN RRSIG NS 5 2 3600 20101021132001 20101011132001 23369 nic.se. GSzAUC3SC3D0G/ iesCOPnVux8WkQx1dGbw491RatXz53b7SY0pQuyT1W eb063Z62rtX7etynNcJwpKlYTG9FeMbDceD9af3KzTJHxq6B+Tpmmxyk FoKAVaV0cHTcGUXSObFquGr5/03G79C/YHJmXw0bHun5ER5yrOtOLegU IAU= 27

  28. New Resource Record: DNSKEY • Example: aruba:~ carlos$ dig @8.8.8.8 DNSKEY lacnic.net. ;; Truncated, retrying in TCP mode. ;; QUESTION SECTION: ;lacnic.net. IN DNSKEY ;; ANSWER SECTION: lacnic.net. 6272 IN DNSKEY 257 3 8 AwEAAb6YDZrhzHo3gu48uNvxFpvQ/I0TvaqGlYFE9VkplBkexiXwMHfm BVZF4SU7zSBcdX23jnotHmJd6Jicbhpk0ZVXS5szwbuC2TXaifx6bTOj fd0z8/zsk62tpvGDROQVgOTUNKmb1oZamX2Vm4Q58oFXQKkZm21sCeuR 6KhZo+pDkUWlDgI/gPLj1MFiorN9EWjUWbfHnnwVAldD6ftZ6KmhWlxm 7ynJ4Q3Glu5BX8ySh6l5JdFNyoVltfPXrwXJ4nqEaAEmPo8Vic++V3l5 2aQIgUnLmZ6mdfOxCT/YGcMIqUaiXRA0CpOMUr+K7GIvJIVyacOzIfe0 FKV/MreaVOk= 28

  29. Trust Chains • How do clients verify a zone's RRSets? – It queries for the corresponding DNSKEY – The necessary computations are carried out and then compared with the signature in the RRSIG • If they match the signatures are valid • But, how can we trust the DNSKEY? It listed on the same zone we want to verify! – We need to validate the trust chain 29

  30. Trust Chains (ii) • DS Record “Delegation Signature” – DS records "sign" the keys in their child zones – In this way one can also verify the DNSKEY as it is signed when the parent zone is signed • DS records contain a hash of the public key – That is a hash of the DNSKEY's record content 30 • DS records in the parent zone are

  31. New Resource Record: DS • Example: ; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 DS lacnic.net. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 68 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;lacnic.net. IN DS ;; ANSWER SECTION: lacnic.net. 21599 IN DS 57814 8 1 10B742924448BD70481CACDDB1D21E5B0DBC8802 31

  32. Denial of Existence • What happens when you ask DNS about something that does not exist? – NXDOMAIN! • However, in an NXDOMAIN response the ANSWER section is empty, there is nothing to sign • Remember: negative answer are also cached, so they can be a DoS vector

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GIT WORKSHOP GIT WORKSHOP 1 . 1 GIT WORKSHOP GIT WORKSHOP Manuela Salvucci

GIT WORKSHOP GIT WORKSHOP 1 . 1 GIT WORKSHOP GIT WORKSHOP Manuela Salvucci

GIT WORKSHOP GIT WORKSHOP 1 . 1 GIT WORKSHOP GIT WORKSHOP Manuela Salvucci manuelasalvucci@rcsi.ie 2019-11-06 1 . 2 OUTLINE OUTLINE What is version control? Why bother with formal version control? How to install and get started

1.7k views • 136 slides
23-25, August, 2017 @ Taipei.TW 2017 Belle II TRG/DAQ workshop An Announcement 0. workshop

23-25, August, 2017 @ Taipei.TW 2017 Belle II TRG/DAQ workshop An Announcement 0. workshop

23-25, August, 2017 @ Taipei.TW 2017 Belle II TRG/DAQ workshop An Announcement 0. workshop place 1. workshop major targets 2. schedule, lunch boxes, banquet 3. your badge 4. weather forecast 5. workshop photo 6. scenery after workshop

256 views • 11 slides
x64 Workshop Didier Stevens Go to http://workshop-x64.DidierStevens.com Unzip x64-workshop.zip

x64 Workshop Didier Stevens Go to http://workshop-x64.DidierStevens.com Unzip x64-workshop.zip

x64 Workshop Didier Stevens Go to http://workshop-x64.DidierStevens.com Unzip x64-workshop.zip to c:\workshop Install: 010EditorWin32Installer402.exe nasm-2.10.05-installer.exe SysinternalsSuite.zip tdm64-gcc-4.7.1-2.exe

724 views • 40 slides
Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop

Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop

White Hat Shellcode Workshop Didier Stevens Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop . First example: loading/unloading a DLL Start calc.exe Start procexp.exe (Process Explorer) and

471 views • 23 slides
Strata forms workshop Landgate Workshop purpose This workshop has been developed for

Strata forms workshop Landgate Workshop purpose This workshop has been developed for

Strata forms workshop Landgate Workshop purpose This workshop has been developed for conveyancers and property lawyers who handle strata titles and want to build their confidence and understanding in form completion of the: Application

536 views • 21 slides
WDO WORKSHOP ACER Workshop on Within Day Obligations TI TRE 15 May, 2017 In total 48

WDO WORKSHOP ACER Workshop on Within Day Obligations TI TRE 15 May, 2017 In total 48

WDO WORKSHOP ACER Workshop on Within Day Obligations TI TRE 15 May, 2017 In total 48 registered participants WDO WORKSHOP Opening remarks Reflections on ACERs First Monitoring Report and the Balancing Network Code Gas Department

1.43k views • 120 slides
WDO WORKSHOP ACER Workshop on Within Day Obligations TI TRE 15 May, 2017 In total 48

WDO WORKSHOP ACER Workshop on Within Day Obligations TI TRE 15 May, 2017 In total 48

WDO WORKSHOP ACER Workshop on Within Day Obligations TI TRE 15 May, 2017 In total 48 registered participants WDO WORKSHOP Opening remarks Reflections on ACERs First Monitoring Report and the Balancing Network Code Gas Department

1.51k views • 111 slides
Design Thinking Workshop Welcome to the workshop. Hand in your

Design Thinking Workshop Welcome to the workshop. Hand in your

Design Thinking Workshop Welcome to the workshop. Hand in your worksheets. Well come back in 5 minutes! Excited by the workshop? Stick around and help us test our ideas!

513 views • 34 slides
Biodiversity and Resilience of Agroecosystems Workshop March 7 &amp;8, 2013 This workshop is

Biodiversity and Resilience of Agroecosystems Workshop March 7 &amp;8, 2013 This workshop is

Biodiversity and Resilience of Agroecosystems Workshop March 7 &amp;8, 2013 This workshop is the first of a workshop series in preparation for the 2014 Resilience Conference to be held in Montpellier, France 1 . The objective of the workshop

388 views • 3 slides
Treasurers Workshop Welcome to our Treasurers Workshop Housekeeping A little about me

Treasurers Workshop Welcome to our Treasurers Workshop Housekeeping A little about me

Treasurers Workshop Welcome to our Treasurers Workshop Housekeeping A little about me Introductions Overview of the Workshop &amp; Participant Expectations - 15 minutes The Role of Treasurer, Must Do, Should Do, Could Do -

534 views • 36 slides
ESD Regional Workshop Year 2 Workshop 1 WSLA Year 2 u u Workshop 1 WSLA Curriculum

ESD Regional Workshop Year 2 Workshop 1 WSLA Year 2 u u Workshop 1 WSLA Curriculum

ESD Regional Workshop Year 2 Workshop 1 WSLA Year 2 u u Workshop 1 WSLA Curriculum Strands GOALS for the day: Refresh the leadership focus needed for the implementation of the Academy work in Year 2 Continue to examine the

307 views • 30 slides
RAs TLAFs Workshop RAs TLAFs Workshop Dundalk, 26 th July 2010 Objective of the Workshop

RAs TLAFs Workshop RAs TLAFs Workshop Dundalk, 26 th July 2010 Objective of the Workshop

RAs TLAFs Workshop RAs TLAFs Workshop Dundalk, 26 th July 2010 Objective of the Workshop Objective of the Workshop Proposed decision on TLAFs published on 18 th June; June; Workshop is an opportunity for industry to put forward their

197 views • 19 slides
Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline Near- to

Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline Near- to

The Bro Network Security Monitor Broadmap Bro Workshop 2011 NCSA, Urbana-Champaign, IL Bro Workshop 2011 Outline Near- to Medium-term Roadmap Current Research Projects Workshop Wrap-Up 2 Bro Workshop 2011 Version 2.0 Final 3 Bro

620 views • 57 slides
sparqs National Conference 2015: Workshop and Presentation Outlines Workshop Session 1: 10.30

sparqs National Conference 2015: Workshop and Presentation Outlines Workshop Session 1: 10.30

sparqs National Conference 2015: Workshop and Presentation Outlines Workshop Session 1: 10.30 11.30 Please choose one workshop from the list below. Workshop 1.1: Student Partnership in First Year curriculum design positives and pitfalls

686 views • 10 slides
ICT Workshop ICT Workshop ICT Workshop ICT Workshop Aims For The Afternoon: Aims

ICT Workshop ICT Workshop ICT Workshop ICT Workshop Aims For The Afternoon: Aims

ICT Workshop ICT Workshop ICT Workshop ICT Workshop Aims For The Afternoon: Aims For The Afternoon: Aims For The Afternoon: Aims For The Afternoon: Create an awareness of the importance of ICT in your childs education

1.58k views • 13 slides
Conservation workshop ( 5 days) Conservation workshop ( 5 days) Workshop on wildlife conservation

Conservation workshop ( 5 days) Conservation workshop ( 5 days) Workshop on wildlife conservation

Photo Presentation Conservation Education and Communication Project ( CECP) Damodar Gaire , Project Coordinator Lamjung, Nepal CECP, RSG, UK April, 2010 Conservation workshop ( 5 days) Conservation workshop ( 5 days) Workshop on wildlife

190 views • 7 slides
Graph Algorithms with a Functional Flavour John Launchbury Oregon Graduate Institute j l@cse,

Graph Algorithms with a Functional Flavour John Launchbury Oregon Graduate Institute j l@cse,

Graph Algorithms with a Functional Flavour John Launchbury Oregon Graduate Institute j l@cse, ogi. edu Abstract. Graph algorithms have long been a challenge to program in a pure functional language. Previous attempts have either tended to be

289 views • 24 slides
Storage Tiering Storage Tiering Jason M. Coposky June 5-7, 2018 @jason_coposky iRODS User

Storage Tiering Storage Tiering Jason M. Coposky June 5-7, 2018 @jason_coposky iRODS User

Storage Tiering Storage Tiering Jason M. Coposky June 5-7, 2018 @jason_coposky iRODS User Group Meeting 2018 Executive Director, iRODS Consortium Durham, NC 1 iRODS Capabilities Packaged and supported solutions Require configuration not

656 views • 47 slides
VIRTUAL CONFERENCE ictcm.com | #ICTCM 32 nd International Conference on Technology in Collegiate

VIRTUAL CONFERENCE ictcm.com | #ICTCM 32 nd International Conference on Technology in Collegiate

32 nd International Conference on Technology in Collegiate Mathematics VIRTUAL CONFERENCE ictcm.com | #ICTCM 32 nd International Conference on Technology in Collegiate Mathematics VIRTUAL CONFERENCE #ICTCM Zoom to Infinity and Beyond with

406 views • 22 slides
Chrystie Hill Director, OCLC Community Relations OCLC AMERICAS REGIONAL COUNCIL #OCLCalamw OCLC

Chrystie Hill Director, OCLC Community Relations OCLC AMERICAS REGIONAL COUNCIL #OCLCalamw OCLC

Chrystie Hill Director, OCLC Community Relations OCLC AMERICAS REGIONAL COUNCIL #OCLCalamw OCLC AMERICAS REGIONAL COUNCIL #OCLCalamw OCLC AMERICAS REGIONAL COUNCIL #OCLCalamw OCLC AMERICAS REGIONAL COUNCIL #OCLCalamw Knowledge Plan with confidence

288 views • 28 slides
Dirty Tricks in the Name of Quality Ian Dees Tektronix ian.s.dees@tek.com Hi, Im Ian. Im

Dirty Tricks in the Name of Quality Ian Dees Tektronix ian.s.dees@tek.com Hi, Im Ian. Im

Dirty Tricks in the Name of Quality Ian Dees Tektronix ian.s.dees@tek.com Hi, Im Ian. Im here to talk about dirty tricks in software construction.

798 views • 50 slides
Bringing your Python script to more users! Quick tour from CLI through GUI to Web app with image

Bringing your Python script to more users! Quick tour from CLI through GUI to Web app with image

Bringing your Python script to more users! Quick tour from CLI through GUI to Web app with image size reduction script EuroPython 2020 (2020/07/23) Takuya Futatsugi (a.k.a. nikkie) Hello EuroPython! Nice to meet you! Please call me

1.12k views • 85 slides
r r rs sr

r r rs sr

r r rs sr t r str rst t

663 views • 30 slides
Just-In-Time Code Reuse: On the Effec7veness of

Just-In-Time Code Reuse: On the Effec7veness of

Just-In-Time Code Reuse: On the Effec7veness of Fine-Grained Address Space Layout Randomiza7on Kevin Z. Snow, Fabian Monrose Lucas Davi,

819 views • 23 slides

More recommend