Security in DNS (DNSSEC) Yalda Edalat, Pramodh Pallapothu
Agenda • What is DNS? • Caching in DNS • Threats to the DNS • What should match in a DNS transaction? • What is DNSSEC? • DNSKEY, RRSIG, NSEC, DS • DNSSEC issues
What is DNS? • The first step in communication between computers that support IP is knowing the IP address. • Memorizing four decimal numbers for each web site is difficult. • Memorizing host names is easier. • At the beginning, SRI-NIC was responsible for maintaining a single file containing the IP addresses of all hosts. • The Internet grew rapidly, and there was a need to guarantee the uniqueness of IP addresses. • This led to the creation of a distributed Internet database: the DNS.
Caching in DNS • To reduce the load on DNS servers • a caching mechanism keeps a successful answer for a specific period of time.
Threats to the DNS • Most weaknesses in DNS fall into these categories: • Cache poisoning • Client flooding • Compromise of the DNS server's authoritative data
What should match in a DNS transaction? [Slide diagram: numbered query/response exchange; the figure itself is not recoverable from the text.]
Other threats • Client flooding: the client sends a query but receives thousands of DNS responses from the attacker. • Lack of authentication of responses: without strong authentication, the client cannot verify the origin of a response. • Compromise of the DNS server's authoritative data: the attacker gains administrative privileges and modifies zone information.
Need for more security • The original DNS did not include security. • Some commands depend on hostnames for authentication (the "r" commands in UNIX). • False information in DNS causes unexpected results. • Appropriate security is needed to provide adequate protection in DNS; this is accomplished through DNSSEC.
DNSSEC • DNS Security Extensions • Defines additional Resource Records • DNSKEY, RRSIG, NSEC and DS are four of those Resource Records.
DNSKEY The DNSKEY record holds the public key for the zone and is published in the zone file.
example.com. 86400 IN DNSKEY 256 3 5 ( AQPSKmynfzW4kyBv015MUG2DeIQ3 )
86400 secs -> TTL of 1 day
256 -> flags value, indicating that it is a zone key
3 -> protocol value
5 -> algorithm RSA/SHA1; the RR data (the public key) is base64 encoded
RRSIG RRSIG records store digital signatures that were created by signing the resource records associated with a domain name using the private key matching a DNSKEY.
host.example.com. 86400 IN RRSIG A 5 3 86400 20030322173103 ( 20030220173103 2642 example.com. oJB1W6WNGv+ldvQ3WDG0MQkg5IEhjRip8WTr )
86400 secs -> TTL
A -> indicates that this is a signature over the A RRs for "host.example.com"
5 -> RSA/SHA1
…. ….
NSEC NSEC is used to provide proof of non-existence of any name within a zone.
alfa.example.com. 86400 IN NSEC host.example.com. ( A MX RRSIG NSEC TYPE1234 )
The first four text fields specify the name, TTL, class, and RR type (NSEC). The entry host.example.com. is the next authoritative name after alfa.example.com. in canonical order. The A, MX, RRSIG, NSEC, and TYPE1234 mnemonics indicate that there are A, MX, RRSIG, NSEC, and TYPE1234 RRsets associated with the name alfa.example.com.
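To make the NSEC semantics concrete, here is an added example (not code from the original slides) that takes the slide's NSEC record and decides what it proves for a given query name and type: the name does not exist (it sorts strictly between the owner and the next name in RFC 4034 canonical order), the name exists but the type is absent from the type bitmap, or the record is simply not relevant to the query. Names are assumed to be ASCII presentation-format names, and the parser, the canonical-ordering helper and the sample record are this example's own constructions.

```python
# Added example (not from the original slides): what a single, already
# signature-validated NSEC record proves about a queried (name, type),
# following the NSEC semantics of RFC 4034. ASCII presentation names only.

def canonical_key(name: str):
    """Sort key for RFC 4034 section 6.1 canonical ordering: labels are compared
    from the root leftwards, case-insensitively; a name that is a prefix of
    another (fewer labels) sorts first, which Python list/bytes comparison gives."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return [label.encode("ascii") for label in reversed(labels)]


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname falls strictly between owner and next_name in canonical
    order. The last NSEC of a zone points back to the zone apex, so its
    interval wraps around the end of the zone."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n          # wrap-around: everything after owner


def nsec_verdict(nsec: dict, qname: str, qtype: str) -> str:
    """'NXDOMAIN' (name does not exist), 'NODATA' (name exists, type absent),
    'EXISTS' (name and type present), or 'NO PROOF' (record not relevant)."""
    owner, next_name, types = nsec["owner"], nsec["next"], nsec["types"]
    if canonical_key(qname) == canonical_key(owner):
        return "EXISTS" if qtype.upper() in types else "NODATA"
    if nsec_covers(owner, next_name, qname):
        return "NXDOMAIN"
    return "NO PROOF"


def parse_nsec(line: str) -> dict:
    """Parse a presentation-format NSEC RR: owner TTL class NSEC next types..."""
    fields = line.replace("(", " ").replace(")", " ").split()
    if fields[3].upper() != "NSEC":
        raise ValueError("not an NSEC record")
    return {"owner": fields[0], "next": fields[4],
            "types": {t.upper() for t in fields[5:]}}


# Constructed sample: the NSEC record shown on the slide.
SAMPLE_NSEC = parse_nsec(
    "alfa.example.com. 86400 IN NSEC host.example.com. ( A MX RRSIG NSEC TYPE1234 )"
)

if __name__ == "__main__":
    for qname, qtype in [("beta.example.com.", "A"),     # between alfa and host
                         ("alfa.example.com.", "AAAA"),  # name exists, no AAAA
                         ("alfa.example.com.", "MX"),    # name and type exist
                         ("zulu.example.com.", "A")]:    # beyond the next name
        print(qname, qtype, "->", nsec_verdict(SAMPLE_NSEC, qname, qtype))
```

A real validator does this only after checking the RRSIG over the NSEC and confirming the record belongs to the zone that is authoritative for the query name; the example assumes both. Note that the "next name" field necessarily reveals the next existing name in the zone, which is the property the NSEC3 draft listed in the references was written to address.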
DS The Delegation Signer (DS) RR contains the hash of the public key of the child zone. This record is signed by the parent zone's private key, with a matching RRSIG RR.
dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A 98631FAD1A292118 )
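The DNSKEY and DS slides fit together: the 60485 in the DS record (and the 2642 in the RRSIG record) is the key tag of the DNSKEY being referred to, and the DS digest is a hash over the child's owner name and the DNSKEY RDATA. The following added example (not code from the original slides) builds the DNSKEY RDATA from the slide's fields (flags 256, protocol 3, algorithm 5), computes the RFC 4034 Appendix B key tag, and derives the DS digest for digest types 1 (SHA-1, as on the slide) and 2 (SHA-256). The public key bytes are a constructed toy value in the RFC 3110 exponent/modulus layout, not a real RSA key.

```python
import base64
import hashlib
import struct

# Added example (not from the original slides): DNSKEY RDATA, key tag and
# DS digest per RFC 4034. The key material is a constructed toy, not a real key.

DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type -> hash


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the whole DNSKEY RDATA. This is the
    16-bit number RRSIG and DS records use to point at a key (not unique, so
    validators still try every key with a matching tag)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if (i & 1) else (byte << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 1) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), upper-case hex."""
    h = DIGEST_ALGOS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_record(owner: str, ttl: int, rdata: bytes, digest_type: int = 1) -> str:
    """Presentation form the parent publishes: owner TTL IN DS tag alg type digest."""
    algorithm = rdata[3]  # fourth RDATA octet is the DNSKEY algorithm number
    return (f"{owner} {ttl} IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {ds_digest(owner, rdata, digest_type)}")


# Constructed toy key in RFC 3110 layout: exponent length 3, exponent 65537,
# then an 8-byte stand-in for the modulus (a real modulus is hundreds of bytes).
TOY_PUBKEY = bytes.fromhex("03010001" + "c0ffee1234567890")
# Fields from the slide's DNSKEY: flags 256 (zone key), protocol 3, algorithm 5
TOY_RDATA = dnskey_rdata(256, 3, 5, TOY_PUBKEY)


def toy_dnskey_record(owner: str = "example.com.", ttl: int = 86400) -> str:
    """The DNSKEY line as it would appear in the child zone file."""
    return (f"{owner} {ttl} IN DNSKEY 256 3 5 "
            f"{base64.b64encode(TOY_PUBKEY).decode('ascii')}")


if __name__ == "__main__":
    print(toy_dnskey_record())
    print("key tag:", key_tag(TOY_RDATA))
    print(ds_record("example.com.", 86400, TOY_RDATA, 1))
    print(ds_record("example.com.", 86400, TOY_RDATA, 2))
```

Running it prints the toy DNSKEY, its key tag (25344 for this constructed key), and the SHA-1 and SHA-256 DS lines the parent zone would publish; a validator recomputes exactly this digest from the child's DNSKEY and compares it with the signed DS in the parent to link the two zones in the chain of trust.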
DNSSEC issues • The average size of a DNS response message increases. • The zone file grows because of the added DNSSEC records. • The number of DNS transactions increases, because additional queries for zone public key records are needed when constructing trust chains. • The client has to spend additional time validating the signed data and validating the public key, potentially slowing the resolution process. • The server has to generate new signatures over all RRset changes, which places an incremental load on the server.
DNSSEC References
• RFC 3833, A Threat Analysis of the Domain Name System
• RFC 4033, DNS Security Introduction and Requirements
• RFC 4034, Resource Records for the DNS Security Extensions
• RFC 4035, Protocol Modifications for the DNS Security Extensions
• RFC 4398, Storing Certificates in the Domain Name System (DNS)
• NSEC3, "DNSSEC Hashed Authenticated Denial of Existence", draft-ietf-dnsext-nsec3-06.txt
• DNS and BIND, 4th Edition, Paul Albitz and Cricket Liu, O'Reilly
• www.dnssec.org, a resource page for DNSSEC