more on dns and dnssec
play

More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada - PowerPoint PPT Presentation

Jul 13, 2023 •360 likes •974 views

More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada Popa March 6, 2018 A subset of the slides adapted from David Wagner Domain names Domain names are human friendly names to identify servers or services Arranged

  1. More on DNS and DNSSEC CS 161: Computer Security Prof. Raluca Ada Popa March 6, 2018 A subset of the slides adapted from David Wagner

  2. Domain names • Domain names are human friendly names to identify servers or services – Arranged hierarchically – www.google.com has: • .com as TLD (top-level domain) • google.com as a subdomain of com • www.google.com a subdomain of google.com

  3. Hierarchy of domain names empty domain … Top level domains: .com .edu google.com … www.google.com … www.mail.google.com

  4. Types of domain names (TLD) 1. Generic TLDs: .com, .edu 2. Country-code TLDs: .au .de .it .us

  5. Creating a domain name • Domain names are registered and assigned by domain-name registrars , accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), same group allocating the IP address space • Contact the domain-name registrar to register domain space

  6. Cybersquatting or Domain Squatting • Entities buying a domain in advance of it becoming desirable and later selling to the agency needing it for much more

  7. 2013: Microsoft vs. MikeRoweSoft The boy accepted an Xbox in exchange for the domain name

  8. DNS Overview • DNS translates www.google.com to 74.125.25.99: resolves www.google.com

  9. Name servers • To resolve a domain name, a resolver queries a distributed hierarchy of DNS servers also called name servers • At the top level are the root name servers, which resolve TLDs such as .com – Store the authoritative name server for each TLD (the trusted server for the TLD) – Government and commercial organizations run the name servers for TLDs – Name server for .com managed by Verisign

  10. A DNS Lookup 1. Alice goes to eecs.mit.edu on her browser 2. Her machine contacts a resolver to ask for eecs.mit.edu ’s IP address – The resolver can be a name server for the corporate network of Alice’s machine or of her Internet service provider 3. The resolver will try to resolve this domain name and return an IP address to Alice’s machine

  11. DNS Lookups via a Resolver root DNS server ( ‘ . ’ ) IP for eecs.mit.edu? 2 Don’t know, but ask .edu with IP 192…. 3 TLD (top-level domain) IP for eecs.mit.edu? server ( ‘ .edu ’ ) 4 local DNS server (resolver) 5 dns.poly.edu Don’t know but ask mit.edu at IP 18…. 6 7 IP for eecs.mit.edu? 1 8 authoritative DNS server IP is 18.2.1.1 (for ‘ mit.edu ’ ) dns.mit.edu 9 client( requesting host) xyz.poly.edu eecs.mit.edu

  12. DNS caching • Almost all DNS servers (resolver and name servers) cache entries, but with different cache policies

  13. DNSSEC • DNSSEC = standardized DNS security extensions currently being deployed • Aims to ensure integrity of the DNS lookup results (to ensure correctness of returned IP addresses for a domain name) Q: what attack is it trying to prevent? A: attacker changes DNS record result with an incorrect IP address for a domain

  14. Securing DNS Lookups • How can we ensure that when clients look up names with DNS, they can trust the answers they receive? • Idea #1: do DNS lookups over TLS (SSL)

  15. Securing DNS Using SSL/TLS root DNS server ( ‘ . ’ ) Host at xyz.poly.edu wants IP address for 2 www.mit.edu 3 TLD DNS server ( ‘ .edu ’ ) 4 local DNS server (resolver) 5 dns.poly.edu Idea: connections 6 7 {1,8}, {2,3}, {4,5} 1 8 authoritative DNS server and {6,7} all run ns.mit.edu over SSL / TLS requesting host xyz.poly.edu www.mit.edu

  16. Securing DNS Lookups • How can we ensure that when clients look up names with DNS, they can trust the answers they receive? • Idea #1: do DNS lookups over TLS (SSL) – Performance: DNS is very lightweight. TLS is not. – Caching: crucial for DNS scaling. But then how do we keep authentication assurances? – Security: must trust the resolver. Object security vs. Channel security How do we know which name servers to trust? • Idea #2: make DNS results like certs – I.e., a verifiable signature that guarantees who generated a piece of data; signing happens off-line

  17. Scratchpad – let’s design it together NS of google.com: what is IP of local DNS server business.google.com IP1 mail.google.com? (resolver) finance.google.com IP2 mail.google.com IP3 IP3 Q: How can we ensure returned result is correct? A: Have google.com NS sign IP3 Q: What should the signature contain? A: At least the domain name, IP address, cache time Q: How do we know google.com’s PK? A: The .com NS can give us a certificate on it

  18. Scratchpad – let’s design it together NS of google.com: local DNS server business.google.com IP1 (resolver) finance.google.com IP2 what is IP of mail.google.com IP3 mail.google.com? IP3 Q: How do we know .com’s PK? A: Chain of certificates, like for the web, rooted in the PK of the root name server Q: How do we know the PK of the root NS? A: Hardcoded in the resolvers Q: How does the resolver verify a chain of certificates?

  19. Scratchpad – let’s design it together NS of google.com: local DNS server business.google.com IP1 (resolver) finance.google.com IP2 what is IP of mail.google.com IP3 goose.google.com? It does not exist Q: How can we ensure returned result is correct? A: Have google.com NS sign the “no record” response sign(“goose.google.com” does not exist) But it is expensive to sign online. Q: What problem can this cause? A: DoS due to an amplification of effort between query and response.

  20. Scratchpad – let’s design it together NS of google.com: what is IP of local DNS server business.google.com IP1 goose.google.com? (resolver) finance.google.com IP2 mail.google.com IP3 It does not exist Q: How can we sign the no-record response offline? A: We don’t know which are all the domains we might be asked for, but we can sign consequent domains which indicates absence of a name in the middle, so its cacheable sign([“ga.google.com”, “mail.google.com”]) But it is expensive to sign online. Q: What problem can this cause? A: Enumeration attack. An attacker can issue queries for things that do not exist and obtains intervals of all the things that exist until it mapped the whole space.

  21. DNSSEC Now let’s go through it slowly…

  22. DNSSEC • Key idea: – Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the network or resolvers involved. • Remaining challenges: – DNS records change over time – Distributed database: No single central source of truth

  23. Operation of DNSSEC • As a resolver works its way from DNS root down to final name server for a name, at each level it gets a signed statement regarding the key(s) used by the next level • This builds up a chain of trusted keys • Resolver has root’s key wired into it • The final answer that the resolver receives is signed by that level’s key • Resolver can trust it’s the right key because of chain of support from higher levels • All keys as well as signed results are cacheable

  24. Ordinary DNS: www.google.com A? Client’s k.root-servers.net Resolver

  25. Ordinary DNS: www.google.com A? Client’s k.root-servers.net Resolver We start off by sending the query to one of the root name servers. These range from a.root-servers.net through m.root-servers.net . Here we just picked one.

  26. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 …

  27. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … The reply didn’t include an answer for www.google.com . That means that k.root-servers.net is instead telling us where to ask next , namely one of the name servers for .com specified in an NS record.

  28. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … This Resource Record ( RR ) tells us that one of the name servers for .com is the host a.gtld-servers.net . (GTLD = Global Top Level Domain.)

  29. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … This RR tells us that an Internet address ( “ A ” record) for a.gtld-servers.net is 192.5.6.30 . That allows us to know where to send our next query.

  30. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … The actual response includes a bunch of NS and A records for additional .com name servers, which we omit here for simplicity.

  31. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … www.google.com A? Client’s a.gtld-servers.net Resolver We send the same query to one of the .com name servers we’ve been told about

  32. Ordinary DNS: www.google.com A? Client’s k.root-servers.net com. NS a.gtld-servers.net Resolver a.gtld-servers.net A 192.5.6.30 … www.google.com A? Client’s a.gtld-servers.net google.com. NS ns1.google.com Resolver ns1.google.com A 216.239.32.10 …

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry

.ke DNSSec Update Toilem Poriot Godwin .ke DNSsec update Update on what .ke registry experienced 30th April 2015-- Longest mornings I have ever had. Day started as usual but takes a turn at 9:30am Great day turns to a

449 views • 11 slides
DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010

DNSSEC Workshop @ ICANN Activities from the Region: - DNSSEC deployment in .pt 23 June 2010 Sara Monteiro Technical Infrastructure Service of DNS.PT Agenda ! About us ! Scope ! Goals ! Initiatives and Support ! Developments on .pt ! Next Steps

468 views • 11 slides
13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff

13 Things to Consider Before DNSSEC John Kristoff jtk@cymru.com FIRST 2010 John Kristoff Team Cymru 1 Where is the DNSSEC? We make no endorsement of DNSSEC here We offer no repudiation of DNSSEC here The considerations herein

543 views • 31 slides
DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes

DNS and DNSSEC Management and Monitoring Changes Required During A Transition To DNSSEC Wes Hardaker <wes.hardaker@parsons.com> Overview Business Model Changes Relationship Requirements Relationship with your DNS parent

407 views • 25 slides
DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek

DNSSEC security without maintenance ... with the right software and registry Petr paek petr.spacek@nic.cz 2019-02-03 1w Redraw max 1y 6m 3m 1m 5d 1h 1d 30 ~ 19 % DNSSEC? Who cares? DNSSEC Validation Capability Metrics

433 views • 25 slides
DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC

DNSSEC usage sta-s-cs and some observa-ons SEE 5, Tirana Sergey Myasoedov 20.4.2016 DNSSEC history Defined by RFCs 4033-4035 March 2005 Root zone signed July 2010 March 2011 the biggest zone .com signed New GTLD

811 views • 32 slides
DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes

DNSSEC at Scale Dani Grant | DNS @ CloudFlare CloudFlare - Authoritative DNS provider (includes DNSSEC for free) - 4M+ domains - 40+ billion queries per day - 76 edge locations in 40 countries (growing) DNSSEC at Scale 1. Elliptic

597 views • 34 slides
CSC 411 Lecture 8: Linear Classification II Roger Grosse, Amir-massoud Farahmand, and Juan

CSC 411 Lecture 8: Linear Classification II Roger Grosse, Amir-massoud Farahmand, and Juan

CSC 411 Lecture 8: Linear Classification II Roger Grosse, Amir-massoud Farahmand, and Juan Carrasquilla University of Toronto UofT CSC 411: 08-Linear Classification 1 / 34 Todays Agenda Todays agenda: Gradient checking with finite

597 views • 34 slides
Ethnicity and the Meaning of Sound Change in Central Texas Douglas S. Bigham and Kathleen Shaw

Ethnicity and the Meaning of Sound Change in Central Texas Douglas S. Bigham and Kathleen Shaw

NWAV 39 San Antonio Variation and Change in Texas English Ethnicity and the Meaning of Sound Change in Central Texas Douglas S. Bigham and Kathleen Shaw Points, The University of Texas at Austin Texas English Associated with South

510 views • 21 slides
Logic and Knowledge Representation P r o g r a m m i n g a s p r o b l e m -

Logic and Knowledge Representation P r o g r a m m i n g a s p r o b l e m -

Logic and Knowledge Representation P r o g r a m m i n g a s p r o b l e m - s o l v i n g , F i r s t s t e p s i n P r o l o g 2 0 A p r i l 2 0 1 8 g s i l e n o @e n s t . f

1.31k views • 119 slides
Machine Learning Applications for Particle Accelerators Tuesday, February 27 through Friday,

Machine Learning Applications for Particle Accelerators Tuesday, February 27 through Friday,

Machine Learning Applications for Particle Accelerators Tuesday, February 27 through Friday, March 2, 2018 SLAC Accelerators LCLS-II SCRF linac and injector FACET-II CuRF (1 km) LCLS CuRF (1 km) SPEAR-3 LCLS Undulators Near Experiment

247 views • 9 slides
CIFER Community Identity Framework Keith Hazelton for Education and U. of Wisconsin-Madison

CIFER Community Identity Framework Keith Hazelton for Education and U. of Wisconsin-Madison

CIFER Community Identity Framework Keith Hazelton for Education and U. of Wisconsin-Madison Research Internet2 MACE VAMP, Utrecht 6 September 2012 2 What is CIFER, really? A developing practice of coordination across existing

440 views • 15 slides
How not to scale flows the cautionary tale of Howard 1|14 When was the second largest

How not to scale flows the cautionary tale of Howard 1|14 When was the second largest

How not to scale flows the cautionary tale of Howard 1|14 When was the second largest aircraft in history built? 1947 2|14 H-4 Spruce Goose, 1947 Photo from FAA (public domain) 3|14 H-4 Spruce Goose, 1947 Photo from San Diego

377 views • 14 slides
Beyond the Basics: Recent Developments in Global Data Privacy and Security David Bender Special

Beyond the Basics: Recent Developments in Global Data Privacy and Security David Bender Special

Beyond the Basics: Recent Developments in Global Data Privacy and Security David Bender Special Counsel, Data Privacy GTC Law Group Distinguished Fellow, Ponemon Institute The Universe of Current Privacy Concerns n The Privacy world is today

698 views • 40 slides
1 Link Layer: setting the context two physically connected devices: host-router,

1 Link Layer: setting the context two physically connected devices: host-router,

Network Layer Overview: network layer services virtual circuit and datagram Goals: networks whats inside a router? understand principles behind network layer IP: Internet Protocol services: IPv4 datagram format

344 views • 16 slides

More recommend