securing dns infrastructure using dnssec - icann · 2015-09-17 · securing dns infrastructure...
TRANSCRIPT
Securing DNS Infrastructure Using DNSSEC
Ram Mohan
Executive Vice President, [email protected]
February 28, 2009
Agenda
  Getting Started
    Finding out what DNS does for you
    What Can Go Wrong
  A Survival Guide to DNSSEC
    Why Techies Created DNSSEC
    What Can Happen Without DNSSEC
  Why Should Anyone Care
    Consequences
    Responsibilities of Network Operators (ISPs), Registrars, Registries, Root Operators, ICANN and others
  The Road Ahead
    Signing the root
    What domain name owners can do
  Q&A Session
mohan_dnssec
What the DNS is used for
  Web, Email, Streaming Media, Instant Messaging – the Internet depends on the DNS
    DNS decides if your site can be reached
    DNS determines if your email can be delivered
  DNS is the Internet directory and phone book
    Provides directions on where computers are for each domain name
  DNS Prevents Outages and Provides Redundancy
    DNS mismanagement can result in “Internet outages” even if your Internet connection is working
What Does The DNS Do For You
  Tells machines where to go when you:
    Type in a web address
    Send an email
  Resolver
    Am I online? Where should I go to get my answer? - My local Internet Service Provider
  Cache
    Do I already have the answer? - Send the answer back to resolver
    Else, contact Domain Name Server
  Name Server
    Find the IP address
    Send it back
  User / ISP / Name Server Operators
Why Attack the DNS
  Money
    Lot of money waiting to be made (stolen) when ecommerce and banking is compromised
  Power
    ISPs, Network operators and the Danish Internet user can be hijacked and forcibly redirected
    Reduces credibility and erodes trust
  Control
    Allows spying on users without their knowledge or control
What Can Go Wrong
  Forgery
    The DNS data being returned to your ISP can be forged
    Especially easy on a wireless network
    Result: You are transported where you did not mean to go
  Poisoning
    The DNS data can be modified
    Causes your ISP’s cache to have valid but wrong information on where to go
  Eavesdropping
    Can intercept your DNS data and just “listen” before passing on
  Other things that can go wrong:
    Alteration of zone data
    Impersonation of master/cache
    Unauthorized updates
2005 ISP Attack
  In March-April 2005, users of an ISP had specific spyware, spam and pay-per-click trojans, from redirection sites
  The ISP’s cache had hundreds of DNS names spoofed…
    AmericanExpress.com
    FedEx.com
    CitiCards.com
    DHL-USA.com
    Sabre.com
  Source: Allison Mankin
July 2008 - researcher Dan Kaminsky discloses evidence of massive Internet vulnerability
    Easy “cache poisoning”
    Exposes all recursive DNS resolvers to takeover
  Allows all Internet traffic to be hijacked on compromised DNS resolvers
    Less than one second to compromise a vulnerable server
    Completely transparent to Internet user
  Worldwide critical problem: DNS vendors and other companies issued emergency patches
1) Break past most username/password prompts on websites, no matter how the site is built.
2) Break the Certificate Authority system used by SSL, because Domain Validation sends an email and email is insecure.
3) Expose the traffic of SSL VPNs, because the certificate check is now circumvented
4) Force malicious automatic updates to be accepted
5) Cause millions of lines of totally untested network code to be exposed to attack
6) Leak TCP and UDP connectivity behind the firewall, to any website, in an attack we thought we already fixed twice
7) Expose the traffic of tools that don’t even pretend to be secure, because “it’s behind the firewall” or “protected by a split-tunneling IPsec VPN”.
Source: http://www.doxpara.com/
DNSSEC Explained
  DNSSEC is the Internet’s answer to DNS Identity Theft
    It protects users from DNS attacks
    It makes systems detect DNS attacks
  Almost everything in DNSSEC is digitally signed
    Allows authentication of the ORIGIN of the DNS data
    Ensures INTEGRITY of the DNS data
  Digitally signed = “Public Key Cryptography”
    Secret Private Key, Open Public Key
    DNS Messages are scrambled using the Private Key – the Public Key is needed to unscramble it [a.k.a. “SIGNING”]
    You now know WHO sent the message (since private key is unique)
    If data is MODIFIED, mangled, or otherwise compromised en-route… The signature is no longer valid
  DNSSEC = DNS Security Extensions
The Chain of Trust
  If I trust a public key from someone, I can use that key to verify the signature… and authenticate the source
  Make sure the root zone key can be trusted
    Pointers in the root zone point to lower zones (com/org/info/de etc)
    Each pointer is validated with the previous validated zone key
  Only the key for the root zone is needed to validate all the DNSSEC keys on the Internet
  How to update these keys and propagate them are not done yet
Technical Details behind DNSSEC
  AUTHENTICATES every set of DNS data – this is called a DNS Resource Record set, or RRs (A records, MX records, DNAMEs, etc, etc)
  Authenticates absence of DNS data
    xyz.icann.org does not exist
  Creates four new DNS record types
  Validates using Chain Of Trust
  Each answer is signed
  DNSSEC:
    Provides no CONFIDENTIALITY of DNS data
    No protection against Denial of Service attacks
  SSL, IPSec are not enough
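Added example (not part of the original slides): the link behind "each pointer is validated with the previous validated zone key", written in Python. It uses the DS and DNSKEY record layouts from RFC 4034 with SHA-256 digests; the function names and keys are constructed for this illustration, and the signature (RRSIG) check that a real validator also performs on every record set is assumed to happen elsewhere.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lowercase) DNS wire form of an owner name; "." is the root."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata):
    """DS fields for a key; digest type 2 is SHA-256(owner name | RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest": digest}

def first_broken_link(trust_anchor, chain):
    """Walk root -> leaf; return the first zone whose key does not match the
    DS vouched for by the level above, or None if every link holds."""
    expected = trust_anchor
    for zone, rdata, child_ds in chain:
        if make_ds(zone, rdata) != expected:
            return zone
        expected = child_ds
    return None

# Constructed sample keys (placeholders, not real zone keys).
# Flags 257 = key-signing key, algorithm 8 = RSA/SHA-256.
ROOT_KEY = dnskey_rdata(257, 8, b"constructed-root-key")
ORG_KEY = dnskey_rdata(257, 8, b"constructed-org-key")
ICANN_KEY = dnskey_rdata(257, 8, b"constructed-icann-key")
FORGED_KEY = dnskey_rdata(257, 8, b"constructed-forged-key")

TRUST_ANCHOR = make_ds(".", ROOT_KEY)  # the only value the validator preconfigures
ICANN_DS = make_ds("icann.org.", ICANN_KEY)
GOOD_CHAIN = [(".", ROOT_KEY, make_ds("org.", ORG_KEY)),
              ("org.", ORG_KEY, ICANN_DS),
              ("icann.org.", ICANN_KEY, None)]
# Same chain, but the resolver was handed a forged key for org.
FORGED_CHAIN = [GOOD_CHAIN[0], ("org.", FORGED_KEY, ICANN_DS), GOOD_CHAIN[2]]

if __name__ == "__main__":
    print(first_broken_link(TRUST_ANCHOR, GOOD_CHAIN))
    print(first_broken_link(TRUST_ANCHOR, FORGED_CHAIN))
```

A validator that holds only the root trust anchor rejects the forged org. key because its digest does not match the DS the root published, which is why one root key is enough to anchor every zone below it.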
Roles and Responsibilities
  Registrars, network operators, registries, ICANN, root server operators… large network must coordinate and interact
  Create DNSSEC Capable Name Servers for the TLD and lower level zones
  Put policies together
    Zone walking
    How to handle key rollover
      How can you ensure that when the key has to be changed, it is propagated securely, safely, and quickly?
DNSSEC Trust Anchor Repositories (TAR)
  A Trust Anchor Repository (TAR) can be defined as a repository or set of repositories that may be used for storing Secure Entry Point (SEP) aka zone keys for one or more DNS zones
  Interim approach to implementing DNSSEC
    Compensates for no signed root or TLDs
    Provides secure locations to obtain DNSSEC validation information, absent a signed root zone
  Proposed types of TARs:
    Global TARs
    Community of Interest (CoI) TARs
    Local TARs
Summary
  Root must be signed!
  6-7 ccTLDs already signed
  .ORG has announced plans to sign in 1H 2009
  Trust Anchor Repositories allow “look-aside” mechanism for DNSSEC keys
  Evangelize the need for DNSSEC at industry – companies – organizations
  Policies must be established
  What to read:
    Introductions: www.dnssec.net
    Tutorials: http://www.ripe-ncc.org/training/dnssec/material/
    Other material: http://www.nlnetlabs.nl/dnssec/ http://www.ripe.net/disi/
Make the DNS immune to DNS Identity Theft
  Implement DNSSEC at the root and TLD zones
    Immunization against DNS hijacking
  Proven “Chain of Trust” model protection
    Public key cryptography with strong encryption will protect DNS system
  Secure storage of keys in Trust Anchor Repository
    Results in guaranteed lookups in a safe environment
  Build a strong foundation for domain name owners
    Allows domain name owners to digitally sign their domains -- protects their names from hijacking
Talk to your website host provider or technical provider about “Signing your zone” with a DNSSEC key
    This will automatically protect visitors to your website from being hijacked
    It will increase the perception and reality of security for your organization
Sign up with mailing lists to understand more about implementing DNSSEC
    Eliminate DNS identity theft
    Ensure safety for your clients
    Improve your branding
Mailing Lists
  [email protected]: operators and developers working on dnssec
  [email protected]: DNSEXT IETF working group (DNS protocol development)
  [email protected]: DNSOP IETF working group (operational DNS issues)
  [email protected]: RIPE Technical Security working group
  dns-[email protected]: RIPE DNS working group