Review DNS hierarchy, query, and record security. Learn about threats like man-in-the-middle attacks, denial of service, wildcards, and more. Understand security goals like data integrity and non-existence authentication. Explore components like resolvers, zones, and name servers to secure DNS effectively.
Domain Name System Security
Cora Hussey and Roy Shea
April 9, 2003
Threats to DNS
• (A) Man in the middle
• (B) ID guessing and query prediction
• (C) Corrupt DNS server
Threats to DNS (Continued)
• (A) Denial of service
• (B) No authentication of non-existence
• (C) Wildcards
DNS Security Goals
• Data origin authentication
• Data integrity
• Authentication of non-existence
Changes to DNS
• New resource records
  • Signature (SIG)
  • Key (KEY)
  • Delegation Signer (DS)
  • Next (NXT)
• New bits in message header
  • Checking disabled (CD)
  • Authentic data (AD)
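Authentication of non-existence, one of the security goals above and the purpose of the NXT record listed here, as an added example that is not part of the original slides: a Python model of an RFC 2535-style NXT chain, where each signed NXT record names the next owner in canonical order, so a record whose gap covers a queried name proves that name is absent. The sample zone is constructed, the SIG over the NXT RRset is assumed to have already been verified by the resolver, and the later NSEC record (RFC 4034) works the same way.

```python
# Added example (not from the slides): authenticated denial of existence with an
# RFC 2535-style NXT chain. Each NXT record names the next owner name in canonical
# order; a signed NXT whose gap covers the queried name proves the name is absent.
# Assumes the resolver has already verified the SIG over the NXT RRset.

def canonical_key(name: str) -> tuple:
    """Sort key for DNSSEC canonical ordering: case-insensitive, labels
    compared from the root (rightmost label) inward."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def build_nxt_chain(owner_names) -> list:
    """Return (owner, next_owner) pairs; the last record wraps back to the apex."""
    names = sorted({n.lower().rstrip(".") + "." for n in owner_names}, key=canonical_key)
    return [(names[i], names[(i + 1) % len(names)]) for i in range(len(names))]

def nxt_covers(owner: str, next_owner: str, qname: str) -> bool:
    """True if qname falls strictly inside the gap (owner, next_owner)."""
    o, nx, q = canonical_key(owner), canonical_key(next_owner), canonical_key(qname)
    if o < nx:
        return o < q < nx
    # Wrap-around record (last name -> apex): covers everything sorting after
    # the last owner and everything sorting before the apex.
    return q > o or q < nx

def prove_nonexistence(chain, qname: str):
    """Return the NXT record proving qname does not exist, or None when the chain
    gives no such proof (the name exists, or lies outside this zone)."""
    q = canonical_key(qname)
    apex = canonical_key(chain[0][0])  # apex sorts first in canonical order
    if q[:len(apex)] != apex:
        return None  # outside this zone; its NXT chain says nothing about qname
    for owner, next_owner in chain:
        if canonical_key(owner) == q:
            return None  # name exists: a signed positive answer is expected instead
        if nxt_covers(owner, next_owner, qname):
            return (owner, next_owner)
    return None

# Constructed sample zone: only these owner names exist under example.com.
ZONE_NAMES = ["example.com.", "www.example.com.", "mail.example.com.", "a.example.com."]
NXT_CHAIN = build_nxt_chain(ZONE_NAMES)

if __name__ == "__main__":
    for rr in NXT_CHAIN:
        print("NXT", rr)
    print(prove_nonexistence(NXT_CHAIN, "b.example.com."))    # ('a.example.com.', 'mail.example.com.')
    print(prove_nonexistence(NXT_CHAIN, "zzz.example.com."))  # ('www.example.com.', 'example.com.')
    print(prove_nonexistence(NXT_CHAIN, "mail.example.com.")) # None
```

A covering NXT on its own does not rule out wildcard synthesis for the queried name; the resolver also needs a record covering the relevant wildcard owner, which is part of why the closing slide asks whether wildcards are worth the effort.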
Security Aware Components
• Resolver
  • Verifies digital signatures
  • Forms authentication chains
  • Dependent on security aware
    • recursive name server
    • proxy
    • zone
    • name server
Security Aware Components (Continued)
• Stub Resolver
  • Ideally trusts
    • recursive name server
    • channel to recursive name server
  • Or set the Checking Disabled bit and verify the security chain itself
Security Aware Components (Continued)
• Zone
  • Proper setting of TTL and SIG validity periods
  • Periodically update SIGs, forcing an SOA update
• Name Server
  • Be able to include extended records in response to queries
  • Key management of zone signing keys and key signing keys
Questions
• What attacks are still possible with DNS security?
• Are wildcards worth the effort?
• Is partial deployment beneficial?
• What attacks does DNS security make possible?
• Are there better methods to secure DNS?