
CmpE 526 Operating System and Network Security, Spring 2005

CmpE 526 Operating System and Network Security, Spring 2005. Presentation on DNS Security. Demet AYVAZ 07/04/2005. OUTLINE. DNS Overview DNS Security Threats Securing DNS Server-Client Security(DNSSEC) Server-Server Security(TSIG) Conclusion. DNS OVERVIEW What is DNS?. Root.


Presentation Transcript


  1. CmpE 526 Operating System and Network Security, Spring 2005 Presentation on DNS Security Demet AYVAZ 07/04/2005

  2. OUTLINE • DNS Overview • DNS Security Threats • Securing DNS • Server-Client Security (DNSSEC) • Server-Server Security (TSIG) • Conclusion

  3. DNS OVERVIEW: What is DNS? • Distributed, hierarchical system mapping • host names to IP addresses • IP addresses to host names • Data organized as a tree structure called the Domain Name Space (figure: tree with root at the top, then edu, mil and com, below them isi, darpa, usmc, cisco and nge, and quantico at the bottom)

  4. DNS OVERVIEW: DNS Components • The Database • Domain name space (DNS Tree) • Resource Records • The Server • Name Server • The Client • Resolvers

  5. DNS OVERVIEW: Name Servers • Manages some portion of the Domain Name Space (a zone) • Assists clients in finding information within the DNS tree • Multiple name servers can be authoritative for one zone • Primary server: server on which the actual changes to zone data take place • Secondary server: server which maintains copies of the primary server's zone database

  6. DNS OVERVIEW: Resource Records • Contain data associated with domain names • A Resource Record (RR) has 6 fields • NAME: name of the owner • TYPE: the type of data held • CLASS: class info (IN for Internet) • TTL: time period to cache the record • RDLENGTH: length of the data • RDATA: resource data

  7. DNS OVERVIEW: Resource Record Types

  8. DNS OVERVIEW: Resolver and Resolution (figure: on the local machine a user program makes a system call to the name resolver, which has a cache; the resolver sends a recursive query to a name server and gets the resolver's response back; that name server sends iterative queries to other name servers and receives referrals and responses; the primary name server refreshes the secondaries)

  9. DNS OVERVIEW: Caching • Speeds up the resolution process • If the answer is not in the cache, a recursive query is initiated • Resource Records are kept in the cache for a limited time (TTL)

  10. DNS Security Threats: DNS Vulnerabilities • Original DNS design focused on data availability and did not include security • DNS zone data is replicated at multiple servers • Access to the domain name space is not restricted • But the DNS design included no authentication • Any DNS response is generally believed • No attempt to distinguish valid data from invalid

  11. DNS Security Threats: Weaknesses of DNS • Cache Poisoning • Client Flooding • Dynamic Update Vulnerability • Information Leakage

  12. DNS Security Threats: Cache Poisoning • A weakness of DNS • The DNS server holds incorrect information, intentionally or unintentionally • A result of trusting non-authoritative information • Malicious cache poisoning is DNS spoofing

  13. DNS Security Threats: Cache Poisoning Example

  14. DNS Security Threats: Client Flooding • A client makes a query and receives and accepts thousands of DNS responses • Result of "lack of authentication" • The client cannot verify the origin of the responses

  15. DNS Security Threats: DNS Dynamic Update • The original DNS design assumes manual updates of zone files • The DNS dynamic update protocol is a modification • Vulnerable to threats such as IP spoofing • Attacks: deleting records, malicious redirection

  16. DNS Security Threats: Man in the Middle Attack (figure: the client asks the caching DNS server "www.darpa.mil A?"; the caching server walks the Root DNS Server, the mil DNS Server and the darpa.mil DNS Server; two answers arrive, "www.darpa.mil A 192.5.18.19" and "www.darpa.mil A 128.9.128.127"). First response wins. Second response is silently dropped on the floor.

  17. SECURING DNS • It is necessary to have security built into DNS systems • TSIG Transactions • Enhancements to secure Server-Server transactions • DNS Security Extensions (DNSSEC) • Enhancements to secure Server-Client transactions

  18. SECURING DNS: DNS Data Flow • Every flow is a potential source of threat

  19. DNSSEC: What is DNSSEC? • The DNSSEC working group was formed in 1994 by the IETF • The group designed security extensions to the DNS protocol, called DNSSEC

  20. DNSSEC: Services Provided by DNSSEC • DNSSEC provides • Data Origin Authentication • Data Integrity Assurance • DNSSEC is designed to be interoperable with non-security-aware implementations

  21. DNSSEC: Changes to the DNS Protocol • DNSSEC adds four new RRs • SIG RR: Signature resource record • KEY RR (DNSKEY): Key resource record • DS: Delegation Signer • NXT RR (NSEC): Next Secure • Two new message header bits • CD: Checking Disabled • AD: Authenticated Data

  22. DNSSEC: Origin Authentication and Integrity • Authenticity: is the data published by the entity we think is authoritative? • Integrity: is the data received the same as what was published? • Public key cryptography is used to answer these questions • Signatures are used to check both the integrity and the authenticity of data

  23. DNSSEC: KEY RR • Used to store public keys • The KEY RR of a name server accompanies all its responses • Keeps the public key of a zone, a host or a user in its RDATA field • Several key algorithms are supported: RSA/MD5, DSA, Diffie-Hellman

  24. DNSSEC: KEY RR Record Format • 16 bits FLAGS • 8 bits protocol • 8 bits algorithm • public key of any length Example: Movie.edu. IN KEY 256 3 1 ( AQOvhvXXU61Pr8sCwELcqqq1g4JJ CALG4C9EtraBKVd+vGIF/unwigfLOA O3nHp/cgGrG6gJYe8OWKYNgq3kDChN )
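To make the KEY RR format concrete, here is an added parser (not from the slides) that reads the slide's Movie.edu. KEY record in presentation format, rebuilds the RDATA wire layout (flags, protocol, algorithm, key), splits the RSA/MD5 key field into exponent and modulus, and computes the key tag that a SIG RR uses to point at its key. The record text is the slide's own; the function names are this example's.

```python
import base64
import re

# The KEY RR from the slide, in zone-file presentation format (parentheses
# let the base64 public key span several lines).
SLIDE_KEY_RR = """Movie.edu. IN KEY 256 3 1 (
    AQOvhvXXU61Pr8sCwELcqqq1g4JJ
    CALG4C9EtraBKVd+vGIF/unwigfLOA
    O3nHp/cgGrG6gJYe8OWKYNgq3kDChN )"""


def parse_key_rr(text):
    """Parse 'owner [class] KEY flags protocol algorithm base64...' into a dict."""
    tokens = re.sub(r"[()]", " ", text).split()
    owner, i = tokens[0], 1
    if tokens[i].upper() in ("IN", "CH", "HS"):   # optional class field
        i += 1
    if tokens[i].upper() not in ("KEY", "DNSKEY"):
        raise ValueError("not a KEY/DNSKEY record")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    public_key = base64.b64decode("".join(tokens[i + 4:]))
    # RDATA wire layout from the slide: 16-bit flags, 8-bit protocol,
    # 8-bit algorithm, then the public key of any length.
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    return {"owner": owner, "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "public_key": public_key, "rdata": rdata}


def rsa_modulus(public_key):
    """RSA/MD5 (RFC 2537) key field: exponent length, exponent, modulus."""
    elen = public_key[0]
    if elen == 0:                      # exponents longer than 255 bytes use a 2-byte length
        elen = int.from_bytes(public_key[1:3], "big")
        exponent, modulus = public_key[3:3 + elen], public_key[3 + elen:]
    else:
        exponent, modulus = public_key[1:1 + elen], public_key[1 + elen:]
    return int.from_bytes(exponent, "big"), modulus


def key_tag(rdata, algorithm):
    """Key tag (RFC 2535 4.1.6 / RFC 4034 Appendix B) that a SIG RR carries."""
    if algorithm == 1:   # RSA/MD5: high 16 bits of the low 24 bits of the modulus
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0               # all other algorithms: 16-bit one's-complement-style sum
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF
```

Run on the slide's record, the flags/protocol/algorithm come out as 256/3/1, the key is a 512-bit RSA modulus with exponent 3, and the key tag is 3112.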

  25. DNSSEC: SIG RR • Stores the private key's signature for a zone • Whenever a name server sends a response to a query, it runs the response through a hash function and encrypts the result with its private key

  26. DNSSEC: SIG RR Record Format • 16 bits type covered • 8 bits algorithm • 8 bits labels covered • 32 bit original TTL • 32 bit signature expiration • 32 bit signature inception • 16 bit key tag • signer's name • signature field Example: www.ripe.net. SIG A 1 3 3600 20010504144523 ( 20010404144523 3112 ripe.net. VJ+8ijXvbrTLeoAiEk/qMrdudRnYZM1VlqhN vhYuAcYKe2X/jqYfMfjfSUrmhPo+0/GOZjW 66DJubZPmNSYXw== )

  27. DNSSEC: DS RR • Essentially a pointer to the next key in the chain of trust • Still in draft but expected to become part of the standard

  28. DNSSEC: NXT RR • Used for non-existent domain names • Aim is to authenticate the non-existence of a resource record • Tells which domain name comes after another one Example: Movie.edu. NXT bigt.movie.edu (NX, SOA, SIG, NXT)

  29. DNSSEC: Chain of Trust • Applied for data origin authentication • Verification tells that the data is correct; it does not say anything about whether the data should be trusted • A public key is certified by a higher authority

  30. DNSSEC chain of trust (figure: the root name server of the DNS tree points to the com. and it. name servers, which point to foo.com. and polito.it.; asking "KEY for com.?" the resolver receives the KEY and SIG RRs of com.; asking "host.foo.com.?" it receives the RRs A, SIG and KEY)

  31. DNSSEC: Query and Response Messages

  32. TSIG: What is TSIG? • A mechanism for protecting a message from resolver to server and vice versa • A keyed hash is applied (like a digital signature) so the recipient can verify the message • Based on a shared secret: both sender and receiver are configured with it

  33. TSIG: Services Provided by TSIG • TSIG provides • Authentication • Data Integrity • For this purpose, it uses • A one-way hash function called MD5 • Symmetric cryptography

  34. TSIG: TSIG Record • TSIG is a meta record • Never appears in zone files or caches • The signer adds a TSIG record to a DNS message • The receiver removes and verifies the record
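An added example (not from the slides) of the keyed-hash mechanism slides 32 to 34 describe: the signer computes an HMAC-MD5 over the message plus the TSIG fields under a shared secret, and the receiver looks the key up by name, checks the time window, recomputes the hash and compares. The key name, secret, message and the simplified field layout are constructed for the demo; real TSIG (RFC 2845) digests a specific wire format, but the error names BADKEY, BADTIME and BADSIG are the ones TSIG defines.

```python
import hmac
import struct
import time

# Constructed demo values: the shared secret and key name both the resolver
# and the server would be configured with (not taken from the slides).
SHARED_SECRET = b"constructed-shared-secret-for-demo"
KEY_NAME = b"resolver-server.key."
FUDGE = 300   # seconds of clock skew the verifier tolerates (TSIG's usual default)


def tsig_mac(message, key, key_name, time_signed, fudge):
    """HMAC-MD5 over the DNS message and the TSIG fields it protects.
    Simplified layout: message || key name || 64-bit time signed || 16-bit fudge."""
    covered = message + key_name + struct.pack("!QH", time_signed, fudge)
    return hmac.new(key, covered, "md5").digest()


def sign(message, key, key_name, now=None):
    """Signer side: produce the TSIG meta-record fields appended to the message."""
    time_signed = int(now if now is not None else time.time())
    return {"key_name": key_name, "time_signed": time_signed, "fudge": FUDGE,
            "mac": tsig_mac(message, key, key_name, time_signed, FUDGE)}


def verify(message, tsig, keys, now=None):
    """Receiver side: find the shared key by name, check the time window,
    recompute the keyed hash and compare it in constant time."""
    key = keys.get(tsig["key_name"])
    if key is None:
        return False, "BADKEY"          # no shared secret under that key name
    now = int(now if now is not None else time.time())
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return False, "BADTIME"         # outside the replay window
    expected = tsig_mac(message, key, tsig["key_name"],
                        tsig["time_signed"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, "BADSIG"          # message or MAC altered, or wrong secret
    return True, "NOERROR"
```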

  35. TSIG: TKEY meta RR • The key shared by the name server and the resolver • Not stored or cached in DNS • Does not appear in zone files • Usually less than 256 bits

  36. TSIG: Key Distribution • The key can be created by the server or the resolver • In the case of server-assigned keying • The server produces the keying material • The resolver sends a query asking for a TKEY RR • In the additional section it sends its own public key • The server encrypts the keying material with the resolver's public key

  37. CONCLUSION • The original DNS design is insecure • It has many weaknesses • DNSSEC and TSIG are modifications to the original design to add security • They provide data origin authentication and data integrity • Confidentiality is not considered in the extensions

  38. REFERENCES • RFC 2535, "Domain Name Security Extensions", Donald Eastlake, IBM, March 1999. • Paul Albitz, Cricket Liu, "DNS and BIND", Third Edition, O'Reilly, Sebastopol, CA, 1998. • RFC 3033, "Threat Analysis of the Domain Name System", D. Atkins, August 2004. • RFC 4033, "Security Introduction and Requirements", R. Arends, R. Austein, 2005. • A. Lioy, F. Maino, M. Marian, D. Mazzocchi, "DNS Security", Terena Networking Conference, May 22-25, 2000. • http://compsec101.antibozo.net/papers/dnssec/dnssec.html

  39. Thanks for Listening

  40. QUESTIONS
