Domain Name System (DNS): Today & Tomorrow • Day 2 - Group 5 • Presented by: James Speirs, Charles Higby, Brady Redfearn • J
Overview • Day 1 Review • DNS Exploit Types • DNSSEC • Public Key Infrastructure (PKI) • DNSSEC Implementation • Early DNS Fixes • DNSSEC Proposals • Which Is Best? • C
Day 1 Review • DNS • Bailiwick • Dan Kaminsky • DNS Poisoning • SSL & HTTPS • B
DNS Exploit Types
• Cache poisoning
  • Dan Kaminsky
  • HD Moore
  • Metasploit
  • 10 seconds
• Client flooding
  • No other DNS responses are received
• Denial-of-Service (DoS)
• Dynamic update
  • Everything freely available - no query required
• Hosts file
• Malware attacks
• J
DNSSEC
• Pros:
  • Can distribute public keys
    • email
  • IPs are distributed securely
  • Reliable
  • Robust
• Cons:
  • Rework of DNS infrastructure (UDP)
  • 10x larger packets
  • 100x more resources
  • Easier to run DoS attack
  • Unbroken zone signing all the way to the root
• C
Public Key Infrastructure (PKI)
• I ask the Certificate Authority (CA) to issue a certificate in my name
• The CA validates my identity, then issues me a certificate
• I present a certificate containing my identity to the user
• The user doesn't know me, so they ask the CA to verify my identity
• The CA checks that my certificate is valid: unaltered, unexpired, legitimate
• The CA tells the user my certificate is valid
• User now trusts me
• B
DNSSEC Implementation • Source: "Report on the ccNSO's DNSSEC Survey 2009," http://ccnso.icann.org/surveys/dnssec-survey-report-2009.pdf • C
Early DNS Fixes • Transaction ID randomization • Source port randomization • B
Evgeniy Polyakov
• Cracked fully-patched BIND 9
  • In 10 hrs
  • With gigabit Ethernet
• Trojan horse could do this within network
• J
De-Bouncing: Double queries
• Pros:
  • Verified DNS queries
  • Easy to implement
• Cons:
  • Not enough bandwidth
  • Servers too busy
  • Easy to run DoS
• C
Abandon UDP: Make all DNS traffic TCP
• 3-way handshake to start
• 2 for question/answer
• 2 to shutdown
• Pros:
  • No information limit
  • Can use PKI
• Cons:
  • 7x more bandwidth
  • Need more hardware
  • Bridging UDP to TCP packets
• B
0x20 Case sensitivity
• Case is preserved in DNS query
• Pros:
  • Random case can be sent
  • Reply can be verified
  • Authoritative Name Servers need no update
  • No bandwidth increase
  • Easy to implement
• Cons:
  • Querying servers need update
  • Client update
  • Query servers need hardware
• J
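The 0x20 trick on this slide, as an added example that is not part of the presentation: the resolver picks a case pattern for the query name and rejects any reply whose echoed question name does not match it exactly. The per-resolver secret and the HMAC-derived case pattern are assumptions made here so that verification needs no per-query state.

```python
import hashlib
import hmac

# Added example: a resolver-side 0x20 encoder/verifier. The HMAC-derived case
# pattern and the secret are assumptions, not something from the slides; the
# slide only requires that the resolver pick the case and check it on reply.

def case_bits(qname: str) -> int:
    """Entropy the 0x20 trick can add: one bit per ASCII letter in the name."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())

def encode_0x20(qname: str, secret: bytes) -> str:
    """Set the case of each letter in qname from an HMAC of the lowercase name.

    Deriving the pattern from a per-resolver secret means the resolver can
    re-derive the expected name when a reply arrives instead of storing it.
    """
    canonical = qname.rstrip(".").lower()
    digest = hmac.new(secret, canonical.encode("ascii"), hashlib.sha256).digest()
    out, bit = [], 0
    for ch in canonical:
        if ch.isascii() and ch.isalpha():
            byte, offset = divmod(bit, 8)
            if (digest[byte % len(digest)] >> offset) & 1:
                ch = ch.upper()
            bit += 1
        out.append(ch)
    return "".join(out)

def verify_0x20(reply_qname: str, secret: bytes) -> bool:
    """Accept a reply only if the echoed question name matches our case exactly.

    Authoritative servers copy the question name into the reply unchanged, so
    a spoofed reply that guessed only the transaction ID and source port will
    almost certainly carry the wrong case pattern and is dropped.
    """
    return reply_qname.rstrip(".") == encode_0x20(reply_qname, secret)

if __name__ == "__main__":
    secret = b"constructed-resolver-secret"  # constructed sample value
    sent = encode_0x20("www.example.com", secret)
    print(sent, "carries", case_bits(sent), "bits of case entropy")
    print("genuine reply accepted:", verify_0x20(sent, secret))
    print("wrong-case reply accepted:", verify_0x20(sent.swapcase(), secret))
```

Names with few letters (or all digits) add little entropy, which is why 0x20 is a complement to port and transaction ID randomization rather than a replacement.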
Domain Vouching: Look-aside technology
• Pros:
  • Distributed load
  • One party maintains all DNS info
• Cons:
  • Bottleneck at voucher
  • Reliant on third-party service availability
  • DoS on third-party machine
  • URL redirection
    • example.com
    • example.voucher.com
• C
U.S. Controls All: Department of Homeland Security (DHS) controls DNS activity
• Pros:
  • Can we trust DHS?
  • One authority?
  • U.S. dominance of Internet
• Cons:
  • Politics
  • Any non-US government is opposed
  • Censorship
  • One authority
  • Trust
• B
PGP Signing Model: Proven example for PKI
• Pros:
  • Multiple non-governmental signers approve all keys
    • Peer approval
    • CA approval
    • Anyone approves
  • Create Root Key Set
  • Distribute Root Key Sets
  • Distributed load
  • No single point of failure
• Cons:
  • Someone has to approve your key
  • Some more hardware
  • Everyone has to do it
• J
Which Is Best? Class Discussion • C
Summary • Everything depends on DNS • DNSSEC is 9 yrs old • Lots of proposals • No perfect solution • PGP model seems best right now • Lots of work to do • Without DNSSEC, we're in trouble • B
Vocabulary • KSK - Key Signing Key • ZSK - Zone Signing Key • RZM - Root Zone Maintainer • RKO - Root Key Operator • RZF - Root Zone File • RKS - Root Key Set • ZKS - Zone Key Set