CmpE 526 Operating System and Network Security, Spring 2005
Presentation on DNS Security
Demet AYVAZ, 07/04/2005
OUTLINE
• DNS Overview
• DNS Security Threats
• Securing DNS
  • Server-Client Security (DNSSEC)
  • Server-Server Security (TSIG)
• Conclusion
DNS OVERVIEW: What is DNS?
• Distributed, hierarchical system mapping
  • host names to IP addresses
  • IP addresses to host names
• Data organized as a tree structure called the Domain Name Space
[Figure: Domain Name Space tree rooted at Root, with top-level nodes edu, mil, com and lower nodes isi, darpa, usmc, cisco, nge, quantico]
DNS OVERVIEW: DNS Components
• The Database
  • Domain name space (DNS tree)
  • Resource Records
• The Server
  • Name server
• The Client
  • Resolvers
DNS OVERVIEW: Name Servers
• Manages some portion of the Domain Name Space (a zone)
• Assists clients in finding information within the DNS tree
• Multiple name servers can be authoritative for one zone
  • Primary server: the server on which the actual changes to zone data take place
  • Secondary server: a server that maintains a copy of the primary server's zone database
DNS OVERVIEW: Resource Records
• Contain the data associated with domain names
• A Resource Record (RR) has 6 fields
  • NAME: name of the owner
  • TYPE: the type of data held
  • CLASS: class information (IN for Internet)
  • TTL: time period for which the record may be cached
  • RDLENGTH: length of the data
  • RDATA: resource data
DNS OVERVIEW: Resolver and Resolution
[Figure: on the local machine, the user program makes a system call to the name resolver, which checks its cache and sends a recursive query to the local name server; that name server issues iterative queries to other name servers, follows their referrals, and returns the response, which the resolver passes back as the resolver's response; arrows labelled "refreshes" and "references" connect the primary name server and the other name servers]
DNS OVERVIEW: Caching
• Speeds up the resolution process
• If the answer is not in the cache, a recursive query is initiated
• Resource Records are kept in the cache for a limited time (TTL)
DNS Security Threats: DNS Vulnerabilities
• The original DNS design focused on data availability and did not include security
  • DNS zone data is replicated at multiple servers
  • Access to the domain name space is not restricted
• But the DNS design included no authentication
  • Any DNS response is generally believed
  • No attempt to distinguish valid data from invalid
DNS Security Threats: Weaknesses of DNS
• Cache Poisoning
• Client Flooding
• Dynamic Update Vulnerability
• Information Leakage
DNS Security Threats: Cache Poisoning
• A weakness of DNS
• A DNS server holds incorrect information, intentionally or unintentionally
• A result of trusting non-authoritative information
• Malicious cache poisoning is DNS spoofing
DNS Security Threats: Client Flooding
• A client makes a query and receives and accepts thousands of DNS responses
• A result of the lack of authentication
• The client cannot verify the origin of the responses
DNS Security Threats: DNS Dynamic Update
• The original DNS design assumes manual updates to zone files
• The DNS dynamic update protocol is a modification of that design
• Vulnerable to threats such as IP spoofing
• Attacks: deleting records, malicious redirection
DNS Security Threats: Man in the Middle Attack
[Figure: a client asks its caching DNS server "www.darpa.mil A?"; the caching DNS server walks the root DNS server, the mil DNS server and the darpa.mil DNS server, and two answers come back: "www.darpa.mil A 192.5.18.19" and "www.darpa.mil A 128.9.128.127"]
First response wins. Second response is silently dropped on the floor.
SECURING DNS
• It is necessary to have security built into DNS systems
• TSIG transactions
  • Enhancements to secure server-server transactions
• DNS Security Extensions (DNSSEC)
  • Enhancements to secure server-client transactions
SECURING DNS: DNS Data Flow
• Every flow is a potential source of threat
DNSSEC: What is DNSSEC?
• A DNSSEC working group was formed in 1994 by the IETF
• The group designed security extensions to the DNS protocol, called DNSSEC
DNSSEC: Services Provided by DNSSEC
• DNSSEC provides
  • Data origin authentication
  • Data integrity assurance
• DNSSEC is designed to be interoperable with non-security-aware implementations
DNSSEC: Changes to the DNS Protocol
• DNSSEC adds four new RRs
  • SIG RR: Signature resource record
  • KEY RR (DNSKEY): Key resource record
  • DS: Delegation Signer
  • NXT RR (NSEC): Next Secure
• Two new message header bits
  • CD: Checking Disabled
  • AD: Authenticated Data
DNSSEC: Origin Authentication and Integrity
• Authenticity: is the data published by the entity we think is authoritative?
• Integrity: is the data received the same as what was published?
• Public key cryptography is used to answer these questions
• Signatures are used to check both the integrity and the authenticity of data
DNSSEC: KEY RR
• Used to store public keys
• The KEY RR of a name server accompanies all its responses
• Keeps the public key of a zone, a host or a user in its RDATA field
• Several key algorithms are supported: RSA/MD5, DSA, Diffie-Hellman
DNSSEC: KEY RR Record Format
• 16 bits flags
• 8 bits protocol
• 8 bits algorithm
• public key of any length
Example:
Movie.edu. IN KEY 256 3 1 ( AQOvhvXXU61Pr8sCwELcqqq1g4JJ CALG4C9EtraBKVd+vGIF/unwigfLOA O3nHp/cgGrG6gJYe8OWKYNgq3kDChN)
DNSSEC: SIG RR
• Stores the signature made with the zone's private key
• Whenever a name server sends a response to a query, it runs the data through a hash function and encrypts the result with its private key
DNSSEC: SIG RR Record Format
• 16 bits type covered
• 8 bits algorithm
• 8 bits labels covered
• 32 bits original TTL
• 32 bits signature expiration
• 32 bits signature inception
• 16 bits key tag
• signer's name
• signature field
Example:
www.ripe.net. SIG A 1 3 3600 20010504144523 ( 20010404144523 3112 ripe.net. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )
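The KEY and SIG formats above, parsed and cross-checked in Python as an added example (not code from the slides): it reads both slide records, computes the key tag a SIG refers to, and checks a SIG's validity window and whether a given KEY is the one the SIG names. The example.test key and SIG are constructed; no signature is cryptographically verified here.

```python
import base64
import struct
from datetime import datetime, timezone

def _tokens(text):
    return text.replace("(", " ").replace(")", " ").split()  # drop "( )" continuation markers

def parse_ts(s):  # SIG times are YYYYMMDDHHMMSS in UTC
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key_rr(text):
    # Slide layout: owner IN KEY <flags> <protocol> <algorithm> <base64 public key>
    t = _tokens(text)
    return {"owner": t[0].lower(), "flags": int(t[3]), "protocol": int(t[4]),
            "algorithm": int(t[5]), "pubkey": base64.b64decode("".join(t[6:]))}

def parse_sig_rr(text):
    # Slide layout: owner SIG <type> <alg> <labels> <ttl> <expiration> <inception> <key tag> <signer> <sig>
    t = _tokens(text)
    return {"owner": t[0].lower(), "type_covered": t[2], "algorithm": int(t[3]),
            "labels": int(t[4]), "orig_ttl": int(t[5]), "expiration": parse_ts(t[6]),
            "inception": parse_ts(t[7]), "key_tag": int(t[8]), "signer": t[9].lower(),
            "signature": "".join(t[10:])}  # kept as text: the slide's value is truncated

def key_tag(key):
    # RFC 2535 App. C / RFC 4034 App. B: algorithm 1 (RSA/MD5) takes the top 16 bits of the
    # low 24 bits of the modulus; every other algorithm uses a 16-bit checksum over the RDATA
    if key["algorithm"] == 1:
        return int.from_bytes(key["pubkey"][-3:-1], "big")
    rdata = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"]) + key["pubkey"]
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def sig_in_window(sig, now):
    return sig["inception"] <= now <= sig["expiration"]  # SIG usable only inside its validity window

def sig_matches_key(sig, key):
    # Pick the KEY whose owner, algorithm and key tag agree with the SIG before any crypto check
    return (sig["signer"] == key["owner"] and sig["algorithm"] == key["algorithm"]
            and sig["key_tag"] == key_tag(key))

# The two records as printed on the slides
MOVIE_KEY = parse_key_rr("Movie.edu. IN KEY 256 3 1 ( AQOvhvXXU61Pr8sCwELcqqq1g4JJ "
                         "CALG4C9EtraBKVd+vGIF/unwigfLOA O3nHp/cgGrG6gJYe8OWKYNgq3kDChN)")
RIPE_SIG = parse_sig_rr("www.ripe.net. SIG A 1 3 3600 20010504144523 ( 20010404144523 3112 ripe.net. "
                        "VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )")
# Constructed pair (not from the slides) using algorithm 5 so the checksum rule is exercised
TOY_KEY = {"owner": "example.test.", "flags": 256, "protocol": 3, "algorithm": 5, "pubkey": b"\x01\x02"}
TOY_SIG = {"signer": "example.test.", "algorithm": 5, "key_tag": 1287}
```

The slide's KEY record yields key tag 3112, the value the slide's SIG example carries, while the owner/signer check still rejects that pairing because the two records belong to different zones.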
DNSSEC: DS RR
• Essentially a pointer to the next key in the chain of trust
• Still in draft but expected to become part of the standard
DNSSEC: NXT RR
• Used for non-existent domain names
• The aim is to authenticate the non-existence of a resource record
• Tells which domain name comes after another one
Example:
Movie.edu. NXT bigt.movie.edu (NS, SOA, SIG, NXT)
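Added example (not code from the slides) of how a validator uses an NXT chain: the canonical name ordering and the "which name comes after" test, run over a constructed chain for the slide's movie.edu zone (the first record follows the slide's NXT example; bigt.movie.edu and carrie.movie.edu records below are made up).

```python
def canonical(name):
    # RFC 4034 section 6.1 canonical ordering: compare labels from the root downwards,
    # case-insensitively; a parent name sorts before all of its children
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode("ascii") for label in reversed(labels))

def in_zone(name, apex):
    a, n = canonical(apex), canonical(name)
    return n[:len(a)] == a

def nxt_proof(nxt, qname, qtype, apex):
    # nxt = (owner, next name, RR types present at owner), as in the slide's NXT example.
    # Returns the kind of negative answer this one NXT proves, or None.
    # Assumes the SIG over the NXT was already verified; an unsigned NXT proves nothing.
    owner, next_name, types = nxt
    if not in_zone(qname, apex):
        return None
    o, n, q = canonical(owner), canonical(next_name), canonical(qname)
    if q == o:
        return None if qtype in types else "NODATA"   # name exists, the type does not
    wraps = n == canonical(apex)                        # last NXT points back to the apex
    if (wraps and q > o) or (o < q < n):
        return "NXDOMAIN"                               # qname falls in the gap
    return None

# Constructed NXT chain for the slide's movie.edu zone (only the first record is from the slide)
ZONE_APEX = "movie.edu."
NXT_CHAIN = [
    ("movie.edu.", "bigt.movie.edu.", {"NS", "SOA", "SIG", "NXT"}),
    ("bigt.movie.edu.", "carrie.movie.edu.", {"A", "SIG", "NXT"}),
    ("carrie.movie.edu.", "movie.edu.", {"A", "SIG", "NXT"}),
]

def prove_negative(qname, qtype, chain=NXT_CHAIN, apex=ZONE_APEX):
    # A validator needs one NXT from the chain that matches or covers the queried name
    for nxt in chain:
        verdict = nxt_proof(nxt, qname, qtype, apex)
        if verdict:
            return verdict
    return None
```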
DNSSEC: Chain of Trust
• Applied for data origin authentication
• Verification tells that the data is correct; it does not say anything about whether to trust the data
• A public key is certified by a higher authority
[Figure: DNSSEC chain of trust. A resolver asks the root name server of the DNS tree "KEY for com.?" and receives the KEY and SIG RRs of com.; it then asks "host.foo.com.?" and receives the A, SIG and KEY RRs. The tree shown has com. and it. under the root, with foo.com. and polito.it. beneath them]
TSIG: What is TSIG?
• A mechanism for protecting a message from resolver to server and vice versa
• A keyed hash is applied (like a digital signature) so the recipient can verify the message
• Based on a shared secret: both sender and receiver are configured with it
TSIG: Services Provided by TSIG
• TSIG provides
  • Authentication
  • Data integrity
• For this purpose, it uses
  • A one-way hash function called MD5
  • Symmetric cryptography
TSIG: TSIG Record
• TSIG is a meta record
• Never appears in zone files or caches
• A signer adds a TSIG record to a DNS message
• The receiver removes and verifies the record
TSIG: TKEY meta RR
• The key shared by the name server and the resolver
• Not stored or cached in DNS
• Does not appear in zone files
• Usually less than 256 bits
TSIG: Key Distribution
• The key can be created by the server or the resolver
• In the case of server-assigned keying
  • The server produces the keying material
  • The resolver sends a query asking for a TKEY RR
  • In the additional section it sends its own public key
  • The server encrypts the keying material with the resolver's public key
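Added example (not code from the slides) of the TSIG keyed hash described in the slides above: HMAC-MD5 over the DNS message and the TSIG variables as RFC 2845 lays them out, with the receiver's key, MAC and time checks. The shared secret, key name and query message are constructed.

```python
import hashlib
import hmac
import struct

def wire_name(name):
    # Canonical wire form of a domain name: lower case, length-prefixed labels, root label last
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_mac(message, key, key_name, time_signed, fudge, error=0, other=b""):
    # RFC 2845 section 3.4: HMAC-MD5 over the DNS message (as it was before the TSIG RR was
    # appended) followed by the TSIG variables: key name, CLASS ANY, TTL 0, algorithm name,
    # time signed (48 bits), fudge, error and other data
    variables = (wire_name(key_name) + struct.pack("!HI", 255, 0)
                 + wire_name("hmac-md5.sig-alg.reg.int") + time_signed.to_bytes(6, "big")
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(key, message + variables, hashlib.md5).digest()

def sign(message, key, key_name, time_signed, fudge=300):
    # Sender side: the fields that travel in the TSIG RR next to the MAC
    return {"message": message, "key_name": key_name, "time_signed": time_signed,
            "fudge": fudge, "mac": tsig_mac(message, key, key_name, time_signed, fudge)}

def verify(signed, keys, now):
    # Receiver side, in the order RFC 2845 section 4 prescribes: unknown key -> BADKEY,
    # MAC mismatch -> BADSIG, timestamp outside the fudge window -> BADTIME (replay defence)
    key = keys.get(signed["key_name"].lower())
    if key is None:
        return "BADKEY"
    expected = tsig_mac(signed["message"], key, signed["key_name"], signed["time_signed"], signed["fudge"])
    if not hmac.compare_digest(expected, signed["mac"]):
        return "BADSIG"
    if abs(now - signed["time_signed"]) > signed["fudge"]:
        return "BADTIME"
    return "NOERROR"

# Constructed sample: a shared secret and a minimal wire-format query for www.example.test/A
SHARED_KEY = b"constructed-shared-secret"   # real keys are random and exchanged out of band or via TKEY
KEY_NAME = "host.example.test."
QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)          # header: id, RD flag, 1 question
         + wire_name("www.example.test") + struct.pack("!HH", 1, 1))  # QTYPE A, QCLASS IN
```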
CONCLUSION
• The original DNS design is insecure
• It has many weaknesses
• DNSSEC and TSIG are modifications to the original design that add security
• They provide data origin authentication and data integrity
• Confidentiality is not addressed by either extension