DNSSEC 101
Kevin Miller
PowerPoint presentation transcript
•WWW.OIT.DUKE.EDU•
DNS Underpins Everything
• Web
• Email
• Enterprise Systems
• VoIP
• IM
• CMS
Inbound Email Volume
• Received email: spam and virus filtering using DNS
• 10+ DNS queries per message
Risks from DNS Attacks
• Impersonate your web site
• Redirect your phone calls
• Man-in-the-middle (password theft)
• Reroute or block your email
• Disrupt your network, application services
• Attack vectors for malware (data theft)
• Denial of service
Diagram source: Internet Storm Center
DNS Attack: Cache Poisoning
Query: Where is website.com?
Answer: 67.11.23.9
Also, www.bank.com – 12.1.2.3 (an unrequested extra record, smuggled into the response so the resolver caches it)
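The poisoned response above carries a record the queried server has no authority over. One of the classic "limiting cache poisoning opportunities" mitigations from the next slides is a bailiwick check: a resolver only caches records whose owner name lies within the zone it was asking about. The following is an added example, not code from the slides; it assumes the bailiwick is simply the zone named in the query and models records with a small `RR` dataclass.

```python
"""Bailiwick filtering for DNS responses (added example, not from the slides).

A caching resolver should only accept records a server is authoritative for.
The cache-poisoning slide shows an answer for website.com that also carries
'www.bank.com'; a bailiwick check discards that record before it is cached.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str    # owner name, e.g. "www.bank.com."
    rtype: str   # record type, e.g. "A"
    rdata: str   # record data, e.g. "12.1.2.3"


def _labels(name: str) -> list[str]:
    """Split a domain name into lower-cased labels, ignoring the trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it.

    Comparison is label-wise, so 'notwebsite.com.' is NOT under 'website.com.'
    even though it ends with the same characters.
    """
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def filter_response(bailiwick: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split response records into (accepted, rejected) by bailiwick."""
    accepted: list[RR] = []
    rejected: list[RR] = []
    for rr in records:
        (accepted if in_bailiwick(rr.name, bailiwick) else rejected).append(rr)
    return accepted, rejected


# Constructed sample: the poisoned answer shown on the slide.
POISONED = [
    RR("website.com.", "A", "67.11.23.9"),
    RR("www.bank.com.", "A", "12.1.2.3"),  # out-of-bailiwick extra record
]


def check_slide_response() -> tuple[list[RR], list[RR]]:
    """Apply the bailiwick check to the slide's poisoned response."""
    return filter_response("website.com.", POISONED)
```

Bailiwick filtering blocks only the additional-record trick shown here; it does not protect against a forged answer for the name that was actually queried, which is the case DNSSEC signatures address.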
DNS Attack: Forgery
Query: Where is educause.edu?
Legitimate answer: 198.59.61.65
Forged answer: 12.1.2.3
DNS Attack: Indirection
Query: Where is educause.edu?
Answer: 12.1.2.3
DNS Attack: Amplification
60 byte request
4000 byte response
Software Defects
• Buffer overflow
• Other vectors
Risk Reduction To Date
• Improving weaknesses in DNS software
  – Patching software defects
  – Limiting cache poisoning opportunities
• Improve operational best practices
  – Restrict access to DNS recursers
  – Install anti-IP spoofing filters
• Improve host security
  – Anti-virus, anti-malware defenses
Photo source: BCP38
DNSSEC
• Cryptographically sign DNS records
  – Also the absence of records
• Maintains DNS architecture
  – Hierarchical, distributed signatures
• Significant risk reduction, if used widely
  – Protects you (www.school.edu)
  – Protects your users (www.bank.com)
What Can Be Done Now?
• Discover local implications
  – How do you manage DNS? What tools are used?
  – What impact would DNSSEC have?
  – Do your vendors support it?
  – Can your servers handle the DNSSEC overhead?
• Begin building expertise, experience
  – Sign a test zone
  – Deploy a test DNSSEC recurser
• Deployment
  – Sign your zones
  – Utilize a DNSSEC-enabled recurser with DLV
Additional Resources
• http://www.dnssec.net
• http://www.bind9.net
• http://www.dnsreport.com
• http://www.dnssec-deployment.org/
• http://www.uoregon.edu/~joe/port53wars/port53wars.pdf
• http://www.nanog.org/mtg-0606/damas.html